How to Identify and Manage Risk

“The greatest risk to any organization is to turn a blind eye, stick its head in the sand and proceed under the assumption that ‘It can’t happen to us.’”

—Allison J. Bloom

In the new world of mobile integrated healthcare, with its new roles, collaborations and innovations quickly gaining acceptance, providers and their employers may feel anxious about their responsibilities. In this evolving world, organizations may face legal issues resulting from operating outside their traditional scopes of practice, insurance, malpractice and more. How can they mitigate their risk?

When most people think about risk, they tend to consider it in an after-the-fact, Monday-morning-quarterback type of way. For example, “Suzie took a big risk moving that heavy patient all by herself; she could have been hurt.” Or, “Dr. Jones really took a risk by leaving his work laptop in his car. What if someone had stolen it? Patient information could have been compromised.”

But the reality is that risk is anything that can derail an MIH organization or any business from accomplishing its mission, and the best time and way to contemplate and address risk is in advance of a problem, or as soon as a previously unknown or undiscovered threat becomes apparent. The mechanism to do this is risk management. Risk management is a process for identifying risks, assessing how serious they are, and determining ways to address them to avoid or minimize harm.

Risk management focuses on events that may cause harm to a business’ clients (i.e., patients), assets (including employees) or reputation. Enterprise risk management expands the focus to define risk as anything that can prevent a company from achieving its objectives.

Just as a business might design a plan to achieve its goals, a risk-management plan is similarly a way to identify risk-management goals, strategies to achieve them and measurable outcomes, as well as who will be held accountable if a risk becomes a reality. A risk-management plan may include policies a business already has or articulate goals for the future.

Risk management is an important part of business planning, and it is especially important for high-risk enterprises such as MIH. The process of risk management is designed to eliminate or reduce the risk of certain kinds of events from happening—or, if they do happen, provide a strategy to mitigate their impact. This is done by identifying, assessing and prioritizing risks of different kinds.

Once risks are identified, a plan is created to minimize or eliminate the potential impact of negative events. There are a variety of strategies available, depending on the type of risk and business. For healthcare organizations, there are associations and agencies that publish risk-management standards, best practices and resources, including the American Society for Healthcare Risk Management (ASHRM), the Health Care Compliance Association (HCCA) and the Health Resources and Services Administration (HRSA).

There are also a number of more generic risk-management standards that may be applicable to healthcare organizations, such as those developed by the Project Management Institute, the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and various actuarial societies, just to name a few.

A solid risk-management plan seeks to mitigate different kinds of risk across the organization, not just one particular type. Risks commonly addressed in risk-management plans include things like accidents in the workplace; fires, floods, earthquakes and other natural disasters; legal risks like fraud, theft and lawsuits; business, hiring and human-resource practices risks; revenue and reimbursement risks; credit risks; and the risks associated with the security and storage of data and records.

Many business risk-management plans focus on simply keeping the organization sustainable through the reduction of financial risks. However, solid plans should also focus on protecting employees, customers and the general public from adverse or catastrophic events, such as, in the case of healthcare organizations, errors in medications, diagnosis or treatment. In addition, consideration must be given to preserving the physical facilities, data, records and physical assets a business owns or uses. For example, a comprehensive risk-management plan will take into account not only decreases in revenue streams, which may affect the organization’s credit and financial health, but also data breaches, care errors and technology failures. 

Risk-Management Strategies

There are an infinite variety of strategies that can be employed to mitigate or eliminate risk within an organization, but the process for identifying and managing risks is fairly standard. It consists of five basic steps:

1. Risk Identification—In this step, risk events and their relationships are defined, followed by an assessment of the probability of each. As an ongoing example, let’s use congestive heart failure. A risk might be that patient discharge tracking following hospital admission for chronic CHF is not consistent, and follow-up is left to the patient.

2. Risk Impact Assessment—Identify the vulnerability of key assets (such as information or financial health) based on the threat or risk. Map the consequences of each risk, which may include cost, scheduling issues, technical performance impacts and capability or functional impacts. In the CHF example, lack of patient tracking after hospital discharge is a critical risk, because if the patient is readmitted for treatment or complications from chronic CHF within 30 days, reimbursement will be denied. 

3. Risk Prioritization Analysis—Once you’ve determined the expected consequences of specific threats, you can categorize and prioritize them based on their importance to the organization. Risk events identified as medium to high criticality might be addressed with risk-mitigation planning and implementation of risk-reduction measures, while low-acuity risks might simply be monitored and tracked (i.e., assign someone to keep an eye on trends in a particular area and report back regularly).

The risk threat level for CHF readmissions is high under the Affordable Care Act because of their negative impact on financial reimbursement. To address this risk, develop a policy and implement technology to identify patients at high risk for readmission due to chronic CHF. Work with community partners to develop strategy and care plans for patients of the healthcare organization with chronic CHF.

4. Risk Mitigation Planning, Implementation and Progress Monitoring—Once you’ve implemented risk-reduction measures, reassess existing risk events and mitigation strategies and identify new risks—all on an ongoing basis. With CHF, you’d identify and engage community partners (home health, EMS, etc.) and select technology solutions to monitor patients and act early to prevent readmissions. You’d monitor feedback data from partners and patients with an eye toward patient compliance.

5. Restart the Process—When risks escalate or new risks are identified through monitoring, restart the process from the beginning. If, say, shortages of critical CHF medications occur, and patients and caregivers face difficulties in obtaining first-choice medications to treat chronic CHF to prevent readmissions, you have a new risk to deal with.

Conclusion

In summary, there are as many different types of strategies for managing risk as there are types of risks. Most healthcare organizations have at least some form of a risk-management plan in place, even if it is not comprehensive or formal. Risk, whatever its nature, can be managed by evaluating its consequences, planning for it and taking steps to mitigate it in advance. Another option is that the risk can be transferred to another party through the means of insurance or indemnification.  

The most important things any business, especially a healthcare organization, can do to manage and mitigate risk are to develop, implement and maintain a responsible and solid risk-management plan; actively monitor risks to stay ahead of the curve; and employ a risk manager to assist with risk identification and ongoing monitoring.

This article only scratches the surface of risk-management best practices and is not intended as legal advice. Be sure to consult with an attorney or risk-management specialist to review your organization's needs and obtain appropriate counsel.

The ECRI Institute offers its Sample Risk Management Plan for a Community Health Center Patient Safety and Risk Management Program at https://bphc.hrsa.gov/ftca/riskmanagement/riskmgmtplan.pdf.

Allison J. Bloom is the CEO and founding partner of The Bloominghill Group, a healthcare coaching and consulting company dedicated to helping healthcare organizations and businesses understand and navigate the changing healthcare landscape. A coach, consultant and attorney, Bloom is a nationally recognized author on legal and healthcare reform topics, and lectures frequently on healthcare reform, legal, compliance and risk-management topics. Contact her at abloom@bloominghillgroup.com or www.bloominghillgroup.com.