Risk management in healthcare aims to detect, monitor, and prevent risks to patients through clinical and administrative systems and processes. In response to the IOM report "To Err is Human," healthcare organizations implement numerous risk management practices. The Patient Safety and Quality Improvement Act established duties like certifying Patient Safety Organizations to collect and disseminate information on medical errors and establish a patient safety database, with the goal of improving patient safety through confidential reporting of adverse events. Risk management follows five basic steps: establishing the context, identifying risks, analyzing risks through root cause analysis, evaluating risks by scoring likelihood and impact, and treating risks through actions to reduce likelihood and impact.

2. Risk management in healthcare is a complex set of clinical and
administrative systems, processes, procedures, and reporting
structures designed to detect, monitor, assess, mitigate, and prevent
risks to patients.
Currently, the numerous risk management practices and processes
that occur in healthcare organizations are a response to The Institute
of Medicine’s ("IOM") report entitled "To Err is Human: Building a Safer
Health System." This activity reviews the evaluation of risks and
highlights the interprofessional team's role in managing and
minimizing risks in the healthcare setting.

3. LEGAL COMMENTATORS REVIEWED THE IMPACT OF
THE ACT AND ARTICULATED SEVERAL OF ITS KEY
PRINCIPLES AND RESPONSIBILITIES. THESE DUTIES
INCLUDE:
Provision for the certification and recertification of Patient Safety
Organizations (“PSO’s”)
Collection and dissemination of information related to patient safety
Establishment of a patient safety database
Facilitation of the development of consensus among healthcare providers,
patients, and other interested parties concerning patient safety and
recommendations to improve patient safety
Provision of technical assistance to states that have (or are developing)
medical-error reporting systems
Provision of assistance to the states in developing standardized methods for
data collection and data collection from state reporting systems for inclusion
in the patient safety database.

4. The fundamental goal of this act was to increase the nation’s overall
patient safety by encouraging confidential and voluntary reporting of
adverse events that affected patients. Policymakers theorized that the
systematic collection of medical-error data could achieve improved
patient safety. The awareness of such error-data by health care
providers and administrators would lead to the prevention of errors
and the global reduction of their recurrence.

5. Relevant Definitions
Sentinel Event: Defined by the Joint Commission as “a patient safety event that
results in death, permanent harm, or severe, temporary harm” (The Joint
Commission 2017). These events are typically unrelated to the patient’s
illness/underlying condition. It is important to note that the Joint Commission
requires each accredited organization to establish its own definition for a
sentinel event to prevent, review, and respond to these occurrences.
Medical Error: The failure of a planned action to be completed as intended or
using a wrong plan to achieve an aim. In the context of this article, medical
errors may fall under the definition of sentinel events if the error is severe
enough.
Root Cause Analysis: The process for identifying the basic or causal factor(s)
underlying variation in performance. Also established by the Joint Commission,
this multi-step process is crucial to identify and fix systemic problems in patient
safety and care.
Risk Management: Clinical and administrative activities undertaken to identify,
evaluate, and reduce the risk of injury to patients, staff, and visitors and the risk
of loss to the organization itself (The Joint Commission 2017).

14. FIVE BASIC STEPS OF RISK
MANAGEMENT
The five basic steps of risk management
are:
Step 1: Establish the context
Step 2: Identify risks
Step 3: Analyze risks
Step 4: Evaluate risks
Step 5: Treat/Manage Risks

15. STEP 1: ESTABLISH THE
CONTEXT
Context is very important in risk
identification and management.
ICU (Intensive care unit), O.R (Operation
room), E.R (Emergency room), blood
transfusion services, CCU (coronary care
unit), medication management including
medication administration are contextually
high priority areas for risk management in
relation to patient care.

16. STEP 2: IDENTIFY RISKS
Risk identification is the process whereby the
healthcare professional and the healthcare
employees become aware of the risks in the
health care services and environment. The risks
identified are entered in the Risk Management
Tool (RMT) as depicted in Figure below , also
sometimes known as the Risk Register.

17. STEP 2: IDENTIFY RISKS
(CONT.)
Sources of risk identification
1. Discussions with department chiefs, managers and
staff
2. Patient Tracer Activity (Tracing the journey of a
patient from admission till discharge)
3. Retrospective screening of patient records
4. Reports of accreditation bodies
5. Incident reporting system & sentinel events
6. Healthcare associated infections (HAI) reports

18. 7. Executive committee reports
8. Facility management & safety
committee report
9. Patient complaints and satisfaction
survey results
10. Specialized committee reports
(such as Morbidity and mortality
committee, medication
management and use, Infection
control, blood utilization, facility
management and safety
committee).

19. STEP 3: ANALYZE RISKS
Risk analysis is about developing an
understanding of the risks identified. It
includes the following:
Level of the risk or Risk score
Underlying causes
Existing control measures Existing
controls:

20. When examining the existing control measures, consideration should
be given to their adequacy, method of implementation and level of
effectiveness in minimizing risk to the lowest reasonably practicable
level.
These include all measures put in place to eliminate or reduce the risk
and may include:
Policies, procedures, protocols, guidelines
Alarms and beeps
Engineering controls
Insurance coverage programs
Code teams
Trainings
Emergency arrangements
Preventative maintenance controls

21. STEP 3: ANALYZE RISKS (
CONT.)
Root Cause Analysis (RCA) represents a
systematic approach to identifying the
underlying causes of adverse occurrences
so that effective steps can be taken to
modify processes and prevent future
losses. Brain storming with a team of
relevant and informed people still remains
the best method to do Root cause
analysis. An example of Root cause

22. STEP 4: EVALUATE RISKS
Risk score is calculated by multiplying the likelihood
score with the severity of impact score as below
Likelihood scoring is based on the expertise,
knowledge and actual experience of the group scoring
the likelihood. In assessing likelihood, it is important
to consider the nature of the risk. Risks are assessed
on the probability of future occurrence; how likely is
the risk to occur? How frequently has this occurred?

23. A guide to likelihood scoring is presented below:

24. STEP 4: EVALUATE RISKS ( CONT.)
It should be noted that in assessing risk, the likelihood
of a particular risk materializing depends upon the
effectiveness of existing controls. Consideration
should be given to the number and robustness of
existing controls in place, with evidence available to
support this assessment. Generally the higher the
degree of controls in place, the lower the likelihood.
The assessment of likelihood of a risk occurring is
assigned a number from 1–5, with 1 indicating that
there is a remote possibility of its occurring and 5
indicating that it is almost certain to occur.

25. Severity of impact indicates the impact of
harm to service users, employees, service
provision, environment or the
organization. The scoring ranges from 1
(Negligible impact) to 5 (Extreme impact)
as depicted in Table below:

26. STEP 4: EVALUATE RISKS (
CONT.)
One of the ways in which impact grades can be
defined is the severity of the injury as in Table
below.

27. In the above example Risk score (R) of 12 has
been classified as medium risk based on the
following cut-off values

28. STEP 4: EVALUATE RISKS (
CONT.)
Evaluate risks: The purpose of risk evaluation is
to prioritize the risks based on risk analysis
score and to decide which risks
require treatment and the
mode of treatment.
Accepting the Risk: Accepting a
risk does not imply that the risk
is insignificant. Risks in a

29. STEP 5: TREAT/MANAGE RISKS
(CONT.)
Risk Treatment: (Also known as Risk reduction, Risk mitigation): The
decisions in risk treatment should be consistent with the defined
internal,
external and risk management contexts and taking account of the
service
objectives and goals. Risk treatment plan should have:
• Proposed actions
• Resource requirements
• Person/s responsible for action
• Timeframes (Dates for actions to be completed and date for review.)

30. STEP 5: TREAT/MANAGE RISKS (
CONT.)
Controlling the Risk: The most effective methods of risk control
are those which redesign the systems and processes so that the
potential for an adverse outcome is reduced. Other methods of
controlling the risk include reducing the likelihood of the risk
and/or reducing the severity of the impact of the risk.
Reduce the Likelihood of the risk occurring - e.g. by
preventative maintenance, audit & compliance programs,
supervision, policies and procedures, testing, training of staff,
technical controls and quality assurance programs.
Reduce the Severity of Impact of the risk occurring - through
contingency planning (contingency plan is a back-up plan in
case the identified risk actually takes place), disaster recovery

31. STEP 5: TREAT/MANAGE RISKS (
CONT.)
Transferring the risk: Transferring the risk
involves another party bearing or sharing some
part of the risk through contractual terms,
insurance, outsourcing, joint ventures, etc.
Avoiding the risk: This is achieved by either
deciding not to proceed with the activity that
contains an unacceptable risk, choosing an
alternate more acceptable activity.

32. STEP 5: TREAT/MANAGE RISKS (
CONT.)
Monitor & Review: Once the risk management is in place, monitoring and
reviewing of the process/system which was taken care of, is an integral part
of the risk management cycle. Monitoring and Reviewing utilizes the
following sources of information.
• Incident reporting
• Clinical Audit indicators
• Patient Tracers
• Safety rounds
• Patient complains
• Satisfaction survey
• Staff complains

33. Medical records Residual Risk: Residual risk is
the risk that remains after we apply controls.
It’s not always feasible to eliminate all the risks.
Instead, we take steps to reduce the risk to an
acceptable level. The risk that’s left is residual
risk. Residual Risk = Total Risk - Controls

34. CHALLENGES OF RISK
MANAGEMENT
Risk management in healthcare is done by organizations which
are conscious of the fact that healthcare interface poses risk.
Organizations actively pursuing risk management are therefore
a step higher in the ladder in ensuring safety of services and
striving for quality of care as compared to the organizations
that don’t. Risk management is advanced and proactive
methodology of tackling healthcare risks; however it is
challenging the following sense:
• Leadership commitment for ensuring risk management.
• Risks are proactively identified and prioritized
• Risks are not ignored

35. •Pro-active involvement of the risk
management team with the employees
and processes
•Expertise availability in the team
•Resources for risk treatment/mitigation
adequate g
•Change in the process/system is accepted
when indicated
•Monitoring and control systems are in
place