Risk - Concepts and Misconceptions
Service: Risk Management
Subject: Risk and Safety Theory
Setting: IRM and Risk Register
Type: Risk Notes
Overview of Issue
Effective risk management requires a thorough understanding of risk concepts and misconceptions.
Refer to related Risk Notes:
- Risk Identification, Risk Assessment, Risk Management and IRM/ERM.
Key Points
- Risks are a function of likelihood and impact.
- Clinical risks result from the disease process, treatment, and medical decision making.
- The most important and strategic risks in healthcare are those that could result in harm to patients.
Things to Consider
Definition of risk
- Risk is defined as the possibility of loss or injury (Merriam-Webster, 2017).
- The terms risk and hazard are not interchangeable. A hazard is a source of potential damage or harm (e.g. water on the floor), while a risk is the potential that harm will occur if exposure to the hazard occurs (e.g. visitor fall).
Two components of risk – likelihood and impact
- Risks are understood in terms of the (1) likelihood or probability of an event occurring and (2) impact or consequences of the event should it occur; risks can have multiple causes that influence likelihood and multiple types of impacts.
- The most significant types of impacts in healthcare are patient harm, staff harm, loss of resources/funds, service interruptions or closures, regulatory non-compliance, and reputational harm.
- Probability is determined as either frequency of occurrence (e.g. once/month, once/year) or possibility of failure (e.g. %) within a defined time period, such as for strategic projects (NHS, 2008).
Patient care risks
- Understanding and measuring the risk of harm to patients is made more complex given the interplay of disease process risks, treatment risks, and medical decision making/error risks (Amalberti, 2005).
- Risks related to decision making/medical error include events that shouldn’t happen that do (commission) and events that should happen that don’t (omission).
Common Misconceptions
Strategic versus operational risk
- In not-for-profit healthcare organizations, strategic risks are those that pose major threats to achieving an organization’s vision and strategic objectives, particularly related to patient care. (This is in contrast to for-profit organizations where strategic risks typically relate to share price and market share).
- In healthcare, strategic and operational risks are not mutually exclusive. Strategic risks/strategic crises often arise from key operational service failures that result in significant patient or staff harm, or major loss of resources/services/information (Audit Commission, 2009).
Upside versus downside of risk
- Risks are sometimes described as “upside” (a potential outcome that is better than expected) or “downside” (an event that could give rise to a loss or injury in the future). However, this unnecessarily complicates the risk management process (Fraser, 2007).
- Given their overwhelming prevalence and the industry-wide focus on patient safety, healthcare organizations should focus on downside risks. In order to promote organizational mindfulness and maintain a sense of urgency, risks should be described in plain language and as events or failures to be avoided.
Risk appetite or tolerance
- Risk appetite/tolerance is a concept that originated in the financial sector to assess the willingness of investors to risk funds for a higher return. There is considerable confusion about the use of the term in other settings (Fraser, 2007).
- It is not possible for healthcare organizations to establish an overarching risk tolerance/appetite statement other than to say the organization is risk averse, particularly related to risks that could lead to patient or staff harm where the only acceptable risk appetite would be zero harm.
- In practice, tolerance plays out on a risk-by-risk basis, as organizations make decisions on whether there is a need for additional action to address a particular risk.
References
• HIROC. (2017). Taxonomy of healthcare organizational risks.
• Amalberti R, Auroy Y, Berwick D, et al. (2005). Five system barriers to achieving ultrasafe health care. Ann Intern Med. 142:756-764.
• Fraser J, Simkins B. (2007). Ten common misconceptions about enterprise risk management. J Applied Corporate Finance. 19(4):75-81.
• Audit Commission. (2009). Taking it on trust: A review of how boards of NHS trusts and foundation trusts get their assurance.
• NHS - National Patient Safety Agency. (2008). A risk matrix for risk managers.
• Merriam-Webster. (2017). Definition of risk.