Risk - Concepts and Misconceptions

Overview of Issue

Effective risk management requires a thorough understanding of risk concepts and misconceptions.

Refer to related Risk Notes:

  • Risk Identification, Risk Assessment, Risk Management and IRM/ERM.

Key Points

  • Risks are a function of likelihood and impact.
  • Clinical risks result from the disease process, treatment, and medical decision making.
  • The most important and strategic risks in healthcare are those that could result in harm to patients.


Things to Consider


Definition of risk

  • Risk is defined as the possibility of loss or injury (Merriam-Webster, 2017).
  • The terms risk and hazard are not interchangeable. A hazard is a source of potential damage or harm (e.g. water on the floor), while a risk is the potential that harm will occur if exposure to the hazard occurs (e.g. visitor fall).

Two components of risk – likelihood and impact

  • Risks are understood in terms of the (1) likelihood or probability of an event occurring and (2) impact or consequences of the event should it occur; risks can have multiple causes that influence likelihood and multiple types of impacts.
  • The most significant types of impacts in healthcare are patient harm, staff harm, loss of resources/funds, service interruptions or closures, regulatory non-compliance, and reputational harm.
  • Probability is expressed either as a frequency of occurrence (e.g. once/month, once/year) or as a likelihood of failure (e.g. a percentage) within a defined time period, such as the life of a strategic project (NHS, 2008).

Patient care risks

  • Understanding and measuring the risk of harm to patients is made more complex given the interplay of disease process risks, treatment risks, and medical decision making/error risks (Amalberti, 2005).
  • Risks related to decision making/medical error include events that shouldn’t happen that do (commission) and events that should happen that don’t (omission).

Common Misconceptions

Strategic versus operational risk

  • In not-for-profit healthcare organizations, strategic risks are those that pose major threats to achieving an organization’s vision and strategic objectives, particularly related to patient care. (This is in contrast to for-profit organizations where strategic risks typically relate to share price and market share).
  • In healthcare, strategic and operational risks are not mutually exclusive. Strategic risks/strategic crises often arise from key operational service failures that result in significant patient or staff harm, or major loss of resources/services/information (Audit Commission, 2009).

Upside versus downside of risk

  • Risks are sometimes described as “upside” (a potential outcome that is better than expected) or “downside” (an event that could give rise to a loss or injury in the future). However, this unnecessarily complicates the risk management process (Fraser, 2007).
  • Given their overwhelming prevalence and the industry-wide focus on patient safety, healthcare organizations should focus on downside risks. In order to promote organizational mindfulness and maintain a sense of urgency, risks should be described in plain language and as events or failures to be avoided.

Risk appetite or tolerance

  • Risk appetite/tolerance is a concept that originated in the financial sector to assess the willingness of investors to risk funds for a higher return. There is considerable confusion about the use of the term in other settings (Fraser, 2007).
  • It is not possible for healthcare organizations to establish an overarching risk tolerance/appetite statement other than to say that the organization is risk averse, particularly for risks that could lead to patient or staff harm, where the only acceptable risk appetite is zero harm.
  • In practice, tolerance plays out on a risk-by-risk basis, as organizations decide whether additional action is needed to address a particular risk.


References

  • HIROC. (2017). Taxonomy of healthcare organizational risks.
  • Amalberti R, Auroy Y, Berwick D, et al. (2005). Five system barriers to achieving ultrasafe health care. Ann Intern Med. 142:756-764.
  • Fraser J, Simkins B. (2007). Ten common misconceptions about enterprise risk management. J Applied Corporate Finance. 19(4):75-81.
  • Audit Commission. (2009). Taking it on trust: A review of how boards of NHS trusts and foundation trusts get their assurance.
  • NHS - National Patient Safety Agency. (2008). A risk matrix for risk managers.
  • Merriam-Webster. (2017). Definition of risk.