The document discusses enterprise risk management (ERM) in healthcare organizations. It begins by explaining how ERM has evolved from a traditional reactive approach focused on patient safety to a comprehensive proactive framework. ERM takes a holistic view of risk across the entire organization, including clinical, operational, financial, strategic, and other risk domains. It aims to maximize both value protection and creation by managing risk and uncertainty in an integrated manner. The document then examines the key steps in implementing an ERM program, such as risk identification, analysis, evaluation, and continuous monitoring. It emphasizes that managing risk requires a cooperative effort across the entire organization.
3. “A ship in harbor is safe,
but that is not what ships are
built for”
John Augustus Shedd (1859 – 1928)
4. "any uncertainty that, if it occurs, could have a positive or
negative effect on achievement of one or more
organizational aims and objectives and is assessed through
the combination of magnitude of potential injury (impact)
and the probability (likelihood) that the uncertainty will
occur".
Hillson, D. (2005). When is a risk not a risk? International Project Management Association.
Central Board of Accreditation for Healthcare Institutions. (2011). Hospital Standards (2nd ed.).
Jeddah, Saudi Arabia: CBAHI Accreditation Dept.
5. “Any uncertainty which can affect achievement of
objectives either positively or negatively”
Key point: Link risks to organisational objectives…
Objectives (what must happen) versus Uncertainty (what might happen)
Hillson, D. (2005). When is a risk not a risk? International Project Management Association.
7. “The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing”
JAMES LAM
Enterprise Risk Management: From Incentives to Controls, 2003
8. Delivering safe care of high quality is the
professional, legal and ethical duty of all healthcare
professionals
10. “The whole process of initiation, risk identification,
evaluation, response development, implementation,
continuous monitoring & review to reduce the risk of
injury to patients, staff and visitors and the risk of loss to
the organization itself".
Feeney, L. & Murphy D. (2013), CBAHI guide to risk management. Jeddah, Saudi Arabia: CBAHI
Accreditation Dept.
It is an anticipatory (proactive) process.
11. Traditional Risk Management (TRM) was established
in the early 70s, focusing on acute care settings. These
programs stayed reactive and were generated in response to
incidents that were ultimately patient safety-centred.
The process was fragmented into silos of responsibilities
and accountabilities with no overlap or relationship
between different business units.
12. ERM in healthcare promotes a
Comprehensive framework for making
risk management decisions which maximize
value protection and creation by managing risk and
uncertainty and their connections to total value.
ASHRM ERM Pearl, p.7
13. Managing Uncertainty
•Reduce risks
•Eliminate loss
•Promote standardization
•Use evidence-based practice
•Decrease variability
•View the impact of risk holistically not in silos (eliminate silo mentality)
•Understand chaos theory
•Eliminate/minimize lost opportunities
•Captures the positive or upside
Value Creation
•Increased market share
•Competitive edge
•Financial strength
•Improved ROI
•Increased margins
•Enhanced reputation
•Improved satisfaction scores
•Quality outcomes
•Credible
•Respected
Value Protection
•Reduce uncertainty
•Reduce variability
•Duplication
•Separation
•Shield assets
•Efficient use of resources
•Quality outcomes
•Safe practices
Comprehensive Framework
•Organizationwide
•Holistic
•Broad perspective
•Synergistic effect
•Comprehensive
•Strategic
•Thorough
•Robust
•Structured
14. ERM: A framework of activities that helps an organization
identify and manage risk holistically by considering all forms of
risk across the organization.
An integrated approach to risk management that connects silos
so that the organization understands all risks facing the
organization and enables the organization to be more strategic
Process that supports concept that risks do not exist or behave
in “isolation” but can be identified, grouped and catalogued in
risk domains
v. 1 pp. 7-8; ASHRM ERM Pearl, pp. 7-8
15. Contrasting Traditional RM with Enterprise RM
Dimension | TRM | ERM
Focus | Reactive | Proactive
Outcome | Asset preservation | Value creation
Breadth/Depth | Departmental/silos | Organizational-wide
Activities | Risk mitigation | Risk prevention
Engagement | Board/C-Suite | Clinician/staff
16. Source: J. Conway, F. Federico, K. Stewart and M. Campbell, Respectful Management of Serious
Clinical Adverse Events, Institute for Healthcare Improvement (IHI), IHI Innovation Series White
Paper, Cambridge, MA, 2010, citing N. Augustine, “Managing the Crisis You Tried to Prevent,”
Harvard Business Review, Vol. 73, No. 6, 1995, pp. 147-158.
17. Medicine used to be simple,
ineffective & relatively safe…
now it is complex, effective &
potentially dangerous!
Chantler, C. (1999), The role and education of doctors in
the delivery of healthcare, Lancet, 53(9159), 1178–1181.
18. Change in patient demographics
Enhanced expectations by variety of stakeholders
Increased use of internet
Movement towards a paperless environment
Changing line of authority
Market share competition
Variability in clinical care
Changing reimbursement methodologies
Enterprise Risk Management For Health Care Entities, 3rd Edition, PP 23
29. v. 1 pp. 108, 223, ASHRM ERM Pearl, pp. 19-27
Identifying and analyzing loss exposures
Identification: Types of exposures; Methods of identifying exposures
Analysis: Organizational objectives; Significance
30. v. 1 pp. 108, 223, ASHRM ERM Pearl, pp. 19-27
Examining feasibility of alternative techniques
Risk control to stop losses
Risk financing to pay for losses: Retention; Transfer
31. v. 1 pp. 108, 223, ASHRM ERM Pearl, pp. 19-27
Selecting apparently best techniques
Choosing selection criteria
Decision rules applying criteria
32. v. 1 pp. 108, 223, ASHRM ERM Pearl, pp. 19-27
Implementing the selected risk techniques
33. v. 1 pp. 108, 223, ASHRM ERM Pearl, pp. 19-27
Monitoring & improving the RM program
Purposes; Control program
34. v. 1 p. 223
The Risk Management Process
Identification and Analysis of Exposures
Treatment of Exposures: Risk Control; Risk Financing (Retention; Transfer)
35. Risk Ranking Overview
Provide an initial means of prioritizing assessed risks
based upon assessments of Impact and Likelihood.
▪ Risks were assessed assuming the effectiveness of
existing risk management activities.
Used to identify a risk’s position on a Risk Map.
Risk Ranking Calculation Steps
Multiply the Impact assessment and the Likelihood
assessment for each risk.
Reference the product against a range of values.
Assign one of four risk rankings (very high, high,
medium or low) based upon referenced range.
Range | Rank
Greater than 17.0 | Very high
Greater than 10.0, but less than 17.0 | High
Greater than 5, but less than 10.0 | Medium
Less than 5.0 | Low
Risk Ranking Matrix (figure): Impact levels shown are Insignificant, Moderate and Critical; Likelihood levels shown are Unlikely, Potential and Likely; each cell carries a Risk Ranking.
37. Likelihood (a value 1 to 5) x Impact (a value 1 to 5) = Risk Score
1 x 1 = 1 (lowest possible score)
5 x 5 = 25 (highest possible score)
(Likelihood (a value 1 to 5) + Velocity (a value 1 to 3)) x Impact (a value 1 to 5) = Risk Score
(1 + 1) x 1 = 2 (lowest possible score)
(5 + 3) x 5 = 40 (highest possible score)
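The Risk Ranking Calculation Steps and the Impact x Likelihood scoring above, as an added example that is not part of the original slides: it applies the range table exactly as printed and lists the matrix cells whose product lands on a range boundary, which the table's strict "greater than / less than" wording leaves without a rank. The function names, the sample register and the tie-break in rank_closed are assumptions made for illustration.

```python
from itertools import product

# Range table as printed on the slide, highest first: (lower bound, rank).
BANDS = [(17.0, "Very high"), (10.0, "High"), (5.0, "Medium")]


def rank(score):
    """Rank per the slide's strict inequalities; None when no row matches."""
    if score < BANDS[-1][0]:
        return "Low"
    uppers = [float("inf")] + [lower for lower, _ in BANDS]
    for (lower, name), upper in zip(BANDS, uppers):
        if lower < score < upper:
            return name
    return None  # score sits exactly on a boundary (5, 10 or 17)


def rank_closed(score):
    """Assumed tie-break (not on the slide): a boundary score takes the higher rank."""
    for lower, name in BANDS:
        if score >= lower:
            return name
    return "Low"


def unranked_cells(scale=range(1, 6)):
    """(impact, likelihood) cells on the 1-5 scales that the printed table cannot rank."""
    return sorted((i, l) for i, l in product(scale, scale) if rank(i * l) is None)


def score_register(register):
    """Score each (risk_id, impact, likelihood) row and sort by score, highest first.

    Each output row is (risk_id, score, rank as printed, rank with the assumed tie-break).
    """
    rows = []
    for risk_id, impact, likelihood in register:
        if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
            raise ValueError(f"{risk_id}: impact and likelihood must be 1 to 5")
        score = impact * likelihood
        rows.append((risk_id, score, rank(score), rank_closed(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register: (risk ID, impact, likelihood).
SAMPLE_REGISTER = [("R1", 5, 4), ("R2", 2, 5), ("R3", 1, 3), ("R4", 3, 3)]

if __name__ == "__main__":
    print("Cells the printed table leaves unranked:", unranked_cells())
    for row in score_register(SAMPLE_REGISTER):
        print(row)
```

On the 1 to 5 scales the products 5 and 10 are reachable, so a risk register built on this table needs an explicit rule for them before the ranks are used on a Risk Map.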
39. Risk ID | Description of Risk | Risk Assessment: Impact (I), Likelihood (L), Risk Rating (I x L)
43. Provide the right level of detail to facilitate
understanding and risk based decision making,
without oversimplifying.
The right level of detail depends on your goal.
51. Barrier Name (Hazard for every barrier: Operating a patient / Applying incorrect procedure)
•Apply wristband upon admission to the ward (Threat: Wrong patient)
•At admission on the ward: Check the patient's identity by nurse together with patient through open questions (Threat: Wrong patient)
•At preoperative screening: Check the anesthesia technique by anesthesiologist together with patient in accordance with the planned procedure (Threat: Wrong anesthesia technique)
•At preoperative screening: Check the diagnosis and procedure by anesthesiologist together with patient with electronic medical record (Threat: Wrong procedure)
•At preoperative screening: Check the operating site and side by anesthesiologist together with patient with electronic medical record (Threat: Wrong site/side)
•At preoperative screening: Check the patient's identity by anesthesiologist together with patient through open questions (Threat: Wrong patient)
•At surgery preparation room, check perioperative marking and completeness of electronic medical record by nurse and staff member with awake patient (Threats: Wrong procedure; Wrong site/side)
•At surgery preparation room, check the patient's identity by anesthesiologist and staff member with awake patient through open questions (Threat: Wrong patient)
•At surgery preparation room, check the patient's identity by nurse and staff member with awake patient through open questions (Threat: Wrong patient)
•At the start of the surgery the surgeon, anaesthesiologist, operating assistant and nurse anesthetist and awake patient check on the basis of the electronic medical record whether it is the: right patient; right site and side; appropriate intervention; adequate supplies (Threat: Wrong anesthesia technique)
53. What if the Engineering Manager is fatigued? Or when you have a power blackout?
55. The barrier functioned as planned and stopped the next event in
the incident scenario.
e.g. High level trip operated correctly and stopped the overfill.
The barrier stopped the incident sequence, but it is uncertain whether
it will do so in the future.
e.g. High level trip stopped the overfill but there is evidence that it
is left in a defeated state at times.
The barrier functioned as intended by its design, but was unable to
stop the sequence of events.
e.g. High level trip operated but inflow was via another route
that could not be shut off, i.e. no trip valve.
The barrier was implemented, but did not function according to its
intended design.
e.g. High level trip did not operate as it was broken/defeated etc.
The barrier was described in the organization’s SMS or was
considered an industry standard, but it was not successfully
implemented.
e.g. High level trip is required, but was not installed.
57. The success of the risk management
program depends on the cooperation of all
employees.
So let's watch this 18-second video. Do you think this incident was caused by a safety issue? Or did it happen because the astronaut had failed to explore and prepare for all risks?
In 1928 John A. Shedd, an American author and professor, released a collection of sayings titled “Salt from My Attic”, and the following popular aphorism was included:
So risks are part of doing business.
Failure to manage risks effectively can lead to harm or injury to persons as well as organizational financial losses and loss of reputation – Crisis Management
It is a key part of improving the organization's services, aiming at achieving best practice in managing risks.
“Quality comes from Sufficient Risk Management” - William E. Deming
The organization should acknowledge its legal duty to safeguard staff, patients, and members of the public.
Ongoing business decision-making process
Instituted & supported by Board of Directors, Executive administration and medical staff leadership
Recognises the synergistic effect of risks
Goal is to reduce uncertainty & process variability, promote patient safety, & maximize the ROI
Through asset preservation, value creation
Diversity of patients, staff, & physicians. Aging of the population
Patients/residents, families, medical staff, BOD, Executive leadership, Professional caregivers, community
As a source for health knowledge, exchange, & social interaction
Promotion of electronic health/medical records, integration
Staff empowerment
Local, Regional, & National
Hesitancy to follow EBBP (GL, Algo, Pathways, Protocols)
P4P, Bundled payment
Operational: Risks resulting from inadequate or failed internal processes, people, or systems that affect business operations.
Clinical: Risks associated with the delivery of care to residents, patients and other healthcare customers, professional liability.
Strategic: Risks associated with the focus and direction of the organization—brand, reputation, competition, failure to adapt to changing times, health reform or customer priorities
Financial: Decisions that affect the financial sustainability of the organization, access to capital or external financial ratings through business relationships or the timing and recognition of revenue and expenses, and other lines of liability make up this domain
Human Capital: This domain refers to the organization’s workforce. This is an important issue in today’s tight labor and economic markets
Legal/ Regulatory: Risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.
Technology: This domain covers machines, hardware, equipment, devices and tools, but can also include techniques, systems and methods of organization.
Hazard: This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to natural exposure and business interruption. Specific risks can also include risk related to: facility management, plant age, parking (lighting, location, and security), valuables, construction/renovation, earthquakes, windstorms, tornadoes, floods, fires.
It’s a systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risk.
Communicating risks: Any purposeful exchange of information about risks between interested parties. (WHO)
Risk Management is a Proactive Strategy involving 5 steps:
1. Establish the Context
2. Risk identification
3. Risk analysis
4. Risk treatment: Risk control; Risk financing
5. Monitoring and evaluation
Property, Liability, Personnel, Net income
Loss histories, Financial statements, Records & files, Personal inspections, Flowcharts, Standardised surveys/questionnaires, Experts
Profit, Continuous operation, Stable Earnings, Growth, Legal requirements, Humanitarian concerns
Loss Frequency, Loss severity
Exposure avoidance, Loss prevention, Loss reduction, Segregation of exposures (separation/duplication), Contractual transfer for risk control (noninsurance)
Current expensing of losses, Unfunded reserve, Funded reserve, Borrowing, Captive Insurer
Contractual transfer for risk financing (noninsurer hold harmless agreements), Commercial insurer, Hedging (for business risk only)
Financial criteria, Criteria related to other objectives
Risk control, Risk Financing
Technical Decisions
Managerial Decisions
To ensure proper implementation, To detect & adapt to changes
Results standards, Activities standards
There are four risk treatment activities stated in ISO 27005:2008.
A) Risk Reduction
- The level of risk should be reduced through the selection of controls so that the residual risk can be re-assessed.
B) Risk Retention
- The decision on retaining the risk without further action should be taken depending on risk evaluation.
C) Risk Avoidance
- The activity or condition that gives rise to the particular risk should be avoided.
D) Risk Transfer
- The risk should be transferred to another party that can most effectively manage the particular risk
Map of London Underground (1865) - a raw diagram
Map of London Underground today
Truth is often complex and unfathomable
Models of the truth are more comprehensible
A Bowtie is like the map – a representation of the truth that enables risks to be understood, with the risk treatment strategies
It is said that the first ‘real’ Bowtie diagrams appeared in the (Imperial Chemical Industries) course notes of a lecture on HAZAN (Hazard Analysis) given at The University of Queensland, Australia (in 1979), but how and when the method found its exact origin is not completely clear.
The catastrophic incident on the Piper Alpha platform in 1988 awoke the oil & gas industry. After the report of Lord Cullen, who concluded that there was far too little understanding of Hazards and their accompanying risks that are part of operations, the urge rose to gain more insight in the causality of seemingly independent events and conditions and to develop a systematic/systemic way of assuring Barrier over these Hazards.
In the early nineties the Royal Dutch / Shell Group adopted the Bowtie method as company standard for analysing and managing risks. Shell facilitated extensive research in the application of the Bowtie method and developed a strict rule set for the definition of all parts, based on their ideas of best practice. The primary motivation of Shell was the necessity of assurance that appropriate risk Barriers are consistently in place throughout all worldwide operations.
Following Shell, the Bowtie method rapidly gained support throughout the industry, as Bowtie diagrams appeared to be a suitable visual tool to keep overview of risk management practices, rather than replacing any of the commonly used systems.
In the last decade the Bowtie method also spread outside of the oil & gas industry to include aviation, mining, maritime, chemical and health care to name a few.
Bowtie was created by mixing two existing risk analysis tools, namely Fault trees and Event trees.
Fault trees flow from bottom to top and show all the ways in which the Top Event, the event at the top, can happen. Fault trees have AND/OR gates to model whether Barriers are parallel or sequential.
Event trees work the other way around. They start with a single event, and model what consequences can result from that. They do that by having combinations of conditions, and based on a particular combination, a certain consequence occurs. Often Event trees also have calculated frequencies for their consequences.
Bowtie adds the two together, and forms one diagram.
One way of doing so is by introducing the barrier concept.
This concept was popularized in the 80s with the introduction of the Swiss Cheese metaphor by James Reason.
The Coordination of all risk management functions is important to eliminate fragmentation, duplication and resource waste.
In Hospitals this is typically the function of the risk manager or the quality manager (if well trained on risk management functions).
If centralization is not possible, the administrative team (e.g. Director, Deputy Director and all department heads) should be assigned the responsibility for the appropriate functions.