Taking Care

In the absence of an integrated approach to managing key organizational risks, serious losses can occur. In healthcare organizations where these losses can include the loss of human life, the stakes are very high. What sort of approach will allow health care organizations to manage key organizational risk?

A collaborative of healthcare organizations sought to develop a model for managing key organizational risks by developing a standardized, efficient and effective approach to integrated risk management. The effort involved an extensive review of published and tacit knowledge, development of a common taxonomy of key organizational risks, and a shared online application to support identification, assessment, management, reporting and benchmarking of risks.

NEED FOR INTEGRATED RISK MANAGEMENT

High-profile failures in the business, financial and healthcare sectors have underscored the importance of attending to serious organizational risks. Many organizations manage risks independently, much like a patchwork of activities within functional or departmental silos. As a result, some risks receive attention and resources while other more important risks go undetected or unacknowledged.

Consider, for example, the Mid Staffordshire NHS Foundation Trust, a 500-bed hospital about 250 kilometres northwest of London, England. It became the centre of an international scandal – and a cautionary case study in risk governance and management – after it was determined that more than 1,000 patients died as a result of substandard care and neglect over a four-year period.

The organization was the subject of a number of external reviews, including two high-profile public inquiries, which revealed many shortcomings in the organization and the broader system of regulation and oversight. However, the greatest failure was determined to be an ineffective board that ignored the biggest risk facing the organization – the risk to patients of poor quality care – in its focus on reaching financial and other non-care-related targets, notes a press release from the Mid Staffordshire NHS Foundation Trust Public Inquiry.

INTEGRATED RISK MANAGEMENT CHALLENGES

Integrated risk management (IRM) – a term synonymous with enterprise risk management, but more commonly used in the public sector – is defined by a Treasury Board Secretariat of Canada implementation guide as “a continuous, proactive, systematic approach to identifying, assessing, understanding, acting on and communicating risk from an organization-wide, aggregate perspective.” Unfortunately, progress towards effective IRM has been slow.

There is a great deal of uncertainty and skepticism about current frameworks and approaches, suggests the 2014 Harvard Business School Working Paper, Towards a contingency theory of enterprise risk management, and sometimes well-intentioned activities, undertaken in the name of IRM, are found in retrospect to be counterproductive. The end result is lost time and resources, with little realized benefit.

COLLABORATIVE APPROACH TO IRM

In 2014, a group of healthcare organizations from across Canada – with co-ordination and support from their shared, non-profit insurance reciprocal – formed to co-create a standardized, evidence-based, effective and efficient approach to IRM, and to develop a shared, online risk record and reporting tool.

Knowledge synthesis

The project began with an extensive review of the published literature on IRM and analysis of tacit knowledge gleaned through a number of field interviews with organizations that had more mature IRM programs. The findings confirmed that many common approaches to IRM, while helpful to some, are obstacles to many more, including the following:

• Risk domains – Standard risk domains focus attention on so-called strategic risks, such as mergers and acquisitions, over operational risks. In healthcare, however, it is failures in operations (e.g., a widely reported, poorly managed, preventable death of a patient) that pose the biggest strategic risk to organizations.

• Risk appetite/tolerance statements – Standard practice dictates that organizational leaders develop a risk appetite or tolerance statement that outlines acceptable levels of risk. In healthcare, this would theoretically entail a statement on how much harm to patients, perhaps even the number of preventable deaths, would be acceptable. This is, of course, an unpalatable and unethical proposition. Risk tolerance is operationalized, rather, on a risk-by-risk basis when decisions are made to invest resources on additional mitigation efforts or not.

• Inherent versus residual risk – It is now known that risk assessment is a highly biased and flawed process as a result of cognitive biases hard-wired into individual and group decision-making processes. Given this, coupled with the limited utility derived from such measures, measurement of inherent risk absent of controls and mitigation strategies is not supported.

• Upside versus downside risks – There has been a great emphasis in recent years on the assessment of upside risks (strategic opportunities) in addition to downside risks. It was found, however, that efforts to divert attention away from the high rates of downside risk, particularly adverse events to patients, is unacceptable.

Based on the evidence, a simplified IRM process, absent unnecessary complexity and non-value added processes, was articulated, including the following:

• ensure board and senior leader(s) engagement;

• engage a skilled co-ordinator(s);

• focus on key organizational objectives;

• start with a few key risks; and

• do not look for perfection.

Common taxonomy

Suspecting risks in healthcare organizations are largely known and consistent across all organizations, the collaborative then turned its attention to the development of a common taxonomy of healthcare organizational risks. This entailed a review of strategic plans from dozens of healthcare organizations and the discovery that all strategic objectives fell into one of 11 categories, including care, human resources, financial, leadership, external relations, information systems/technology, regulatory, teaching, research and community health.

Following this, key risks within each category were identified from a number of sources and collated into a concise taxonomy, greatly assisting in risk identification and due diligence efforts.

Risk register application

The final component of the collaborative effort was the identification and configuration of a shared online application to support documentation and reporting of key risks. A software provider with expertise in this area was selected and the team worked to configure the system to be both as intuitive and straightforward as possible. Key features of the application include the following:

• standardized coding of risks based on the common taxonomy, while at the same time supporting organizationally defined risk names;

• support of multi-site organizations;

• promotion of appropriate accountability of each risk to a senior leader and senior committee;

• assurance framework, including key controls and gaps;

• risk rating of likelihood, and impact and tracking of ratings over time;

• email actions;

• document attachments;

• progress notes;

• user access control and protections related to own risk information; and

• highly developed dashboard and reporting capabilities.

Pilot tested in late 2014, the program was made available to all organizations in the reciprocal, free of charge, this past January. In two months, more than 45 healthcare organizations have adopted the application.

BENCHMARKING AND KNOWLEDGE SHARING ACROSS ORGANIZATIONS

The program allows for sharing of a common
web-based risk register application and use of a common taxonomy to code risks. It is anticipated this will enable aggregate analysis of risk across the system yielding never-before-seen data on top risks in the healthcare system, as well as changes in top risks over time. The application will also enable identification of leading practices in the management of specific risks while supporting improvements in healthcare though the sharing of this knowledge across the system.

While the journey of implementing an IRM program may be challenging based on innate organizational differences, the new program provides a helpful grounding, with the ultimate goal being to partner to create the safest healthcare system.