Journal of Epidemiology and Preventive Medicine

Steps in the Process of Risk Management in Healthcare

Published Date: October 03, 2016

Ali Yawar Alam

Project Management Office (PMO), Strategic Management Office, Directorate of Health Affairs Alahsa, Ministry of Health, Saudi Arabia

Corresponding author: Ali Yawar Alam, Project Management Office (PMO), Strategic Management Office, Directorate of Health Affairs Alahsa, Ministry of Health, Saudi Arabia, E-mail:

Citation: Ali Yawar Alam (2016) Steps in the Process of Risk Management in Healthcare. J Epid Prev Med 2(2): 118.


Risk is the probability or threat of damage, injury, liability or loss that is caused by vulnerabilities and that may be avoided through pre-emptive action. The interaction of humans with health systems poses a threat to them mainly because of complex technology, intensely complex procedures, high demand on services, time pressure, high expectations from service users, and the hierarchical nature of training and responsibilities. WHO estimates show that in developed countries as many as 1 in 10 patients is harmed while receiving hospital care [1]. According to the AHRQ National Healthcare Disparities Report 2013, the rate of harm associated with hospital stays in U.S. hospitals is 25.1 per 100 admissions [1]. Major contributors to these hospital-acquired conditions (HACs) were adverse drug events, catheter-associated urinary tract infections, patient falls, pressure ulcers, surgical site infections, central line-associated infections, venous thromboembolism and ventilator-associated pneumonia [2]. According to the Institute for Healthcare Improvement (IHI), medical errors have become the third leading cause of death in the United States each year, behind cancer and heart disease [1]. A 13.5 percent rate of harm was identified within the US Medicare population by the Office of Inspector General using the Institute for Healthcare Improvement's Global Trigger Tool [3].

The underlying causes of medical errors are predominantly communication problems, inadequate information flow, human-related problems, organizational transfer of knowledge, staffing patterns and workflow, inadequate policies and procedures, and technical failures [2].

Hospitals are a common setting for hospital-acquired conditions, in part because of the clinically compromised state of many patients admitted to the hospital and the high volume of care transactions and interventions that take place during a hospital stay. Investigations into incidents frequently stop with identifying the human error and designating the practitioners as the "cause" of the event [1]. Hindsight bias occurs when the investigators work backward from their knowledge of the outcome of the event. This linear analysis makes the path to failure look as though it should have been foreseeable or predictable, although this is not the case. Often this determination is made without any evaluation of the systems or processes that might have contributed to the error [4].

When organizational leaders become "systems thinkers" who demand in-depth analyses of safety concerns, replace punitive reactions to mistakes with an open environment and proactively address any risks, there will be an opportunity to build safer health care organizations. However, there is no room for reckless behavior in the healthcare environment.

The following terms are used throughout this review:

  • Probability is the measure of the likelihood that an event will occur.
  • Threat is any activity that represents a possible danger.
  • Vulnerability is a weakness.
  • Loss results in a compromise to functions, life or assets.
  • HACs are Hospital Acquired Conditions.
  • Incident is an undesired outcome or occurrence, not expected within the normal course of care or treatment, disease process, condition of the patient, or delivery of services.
  • Near miss is an event or process variation that could have resulted in injury but did not, either by chance or by timely intervention.
  • Sentinel event is an unexpected occurrence involving death or serious physical or psychological injury, or the risk thereof, not related to the natural course of a patient's illness or underlying condition.

Scope of the Risk Management


Risk Management can be Beneficial in the Following Contexts

  1. Enterprise Risk Management (ERM): Comprehensive risk management of the organization from the top down, including financial and business viability.
  2. Patient care (Clinical)
  3. Medical staff (Such as credentialing, privileging, job descriptions, employee insurance, training, medical coverage)
  4. Non-medical staff (Such as job descriptions, training, medical coverage)
  5. Financial (Budgeting, cost-benefit and cost-effectiveness analysis, insurance coverage)
  6. Managerial (Such as organogram, job descriptions, delegation of work)
  7. Project risk management (Such as scope, time, cost, human resources, operational, procedural, technical, natural and political)
  8. Facility management and safety (Such as building safety, security of the facility, hazardous materials and waste disposal (HAZMAT), internal and external emergencies, fire safety, the medical equipment maintenance plan and the maintenance plan for each utility system)

Risk Management Information System (RMIS)


A Risk Management Information System (RMIS) is a computerized system used for data collection and processing, information analysis and generation of statistical trend reports for the identification and monitoring of events, claims and finances.

Key Concepts in Risk Management

Risk management for healthcare entities can be defined as an organized effort to identify, assess, and reduce, where appropriate, risk to patients, visitors, staff and organizational assets. Risk management is used to best effect in a pro-active manner, identifying and managing risks before an incident occurs. However, where an incident has already happened, then after the event has been handled it should still be tackled in line with the risk management principles outlined here. This review provides concise material on risk management so that healthcare professionals can quickly grasp the key concepts and implement them in the healthcare organizations where they work.

Figure 1: Steps of Risk Management in healthcare.


Risk management as a process uses a five step management decision-making model.

Five Basic Steps of Risk Management [1]:

The five basic steps of risk management are outlined below and also in Figure 1.

  • Step 1: Establish the context
  • Step 2: Identify risks
  • Step 3: Analyze risks
  • Step 4: Evaluate risks
  • Step 5: Treat/Manage Risks

Establish the context: Context is very important in risk identification and management. ICU (Intensive care unit), O.R (Operation room), E.R (Emergency room), blood transfusion services, CCU (coronary care unit), medication management including medication administration are contextually high priority areas for risk management in relation to patient care.

Figure 2: Risk Management Tool in healthcare

Identify Risks: Risk identification is the process whereby the healthcare professional and the healthcare employees become aware of the risks in the health care services and environment. The risks identified are entered in the Risk Management Tool (RMT) as depicted in Figure 2, also sometimes known as the Risk Register.

Sources of risk identification

  1. Discussions with department Chiefs, managers and staff
  2. Patient Tracer Activity (Tracing the journey of a patient from admission till discharge)
  3. Retrospective screening of patient records
  4. Reports of accreditation bodies
  5. Incident reporting system & Sentinel events
  6. Healthcare associated infections (HAI) reports
  7. Executive committee reports
  8. Facility management & safety committee report
  9. Patient complaints and satisfaction survey results
  10. Specialized committee reports (such as Morbidity and mortality committee, medication management and use, Infection control, blood utilization, facility management and safety committee).

Analyze Risks: Risk analysis is about developing an understanding of the risks identified. It includes the following:

  1. Level of the risk or Risk score
  2. Underlying causes
  3. Existing control measures

Existing controls: When examining the existing control measures, consideration should be given to their adequacy, method of implementation and level of effectiveness in minimizing risk to the lowest reasonably practicable level. These include all measures put in place to eliminate or reduce the risk and may include:

  1. Policies, procedures, protocols, guidelines
  2. Alarms and beeps
  3. Engineering controls
  4. Insurance coverage programs
  5. Code teams
  6. Trainings
  7. Emergency arrangements
  8. Preventative maintenance controls

Root Cause Analysis (RCA) represents a systematic approach to identifying the underlying causes of adverse occurrences so that effective steps can be taken to modify processes and prevent future losses. Brainstorming with a team of relevant and informed people still remains the best method of performing root cause analysis. An example of root cause analysis (for an event that has already happened) is presented in Figure 3.

Figure 3: Example of root cause analysis (post-event).

Risk score calculation

The risk score is calculated by multiplying the likelihood score by the severity of impact score:

Risk score (R) = Likelihood (L) × Severity of impact (S)

Likelihood assessment (L) [5]

Likelihood scoring is based on the expertise, knowledge and actual experience of the group scoring the likelihood. In assessing likelihood, it is important to consider the nature of the risk. Risks are assessed on the probability of future occurrence: how likely is the risk to occur, and how frequently has it occurred? A guide to likelihood scoring is presented in Table 1.

Table 1: Guide to likelihood scoring


It should be noted that in assessing risk, the likelihood of a particular risk materializing depends upon the effectiveness of existing controls. Consideration should be given to the number and robustness of existing controls in place, with evidence available to support this assessment. Generally, the higher the degree of control in place, the lower the likelihood.

The assessment of likelihood of a risk occurring is assigned a number from 1–5, with 1 indicating that there is a remote possibility of its occurring and 5 indicating that it is almost certain to occur.

Severity of impact (S) [5]

Severity of impact indicates the impact of harm to service users, employees, service provision, environment or the organization. The scoring ranges from 1 (Negligible impact) to 5 (Extreme impact) as depicted in Table 2.

Table 2: Severity of impact scoring guide


One of the ways in which impact grades can be defined is the severity of the injury as in Table 3.

Table 3: Definitions of severity of impact grade [5].


For example:

Risk score (R) = Likelihood (L) × Severity of impact (S) = 4 × 3 = 12 (Medium Risk)


In the above example the risk score (R) of 12 has been classified as medium risk based on the cut-off values given in Table 4.

Table 4: Risk score classification cut-off values [5].


Evaluate risks: The purpose of risk evaluation is to prioritize the risks based on risk analysis score and to decide which risks require treatment and the mode of treatment. Risk evaluation can be classified as in Figure 4.

Figure 4: Risk Evaluation classification.


Accepting the Risk: Accepting a risk does not imply that the risk is insignificant. Risks in a service may be accepted for a number of reasons:

  • The level of the risk is so low that specific treatment is not appropriate within available resources.
  • The risk is such that no treatment option is available.

Risk Treatment (also known as risk reduction or risk mitigation): Decisions in risk treatment should be consistent with the defined internal, external and risk management contexts and should take account of the service objectives and goals. A risk treatment plan should have:

  • Proposed actions
  • Resource requirements
  • Person/s responsible for action
  • Timeframes (Dates for actions to be completed and date for review.)

This methodology is depicted in the Risk Management Tool (RMT) in Figure 2.
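The scoring of Step 3 and the prioritization of Step 4 above, as an added Python example that is not part of the original article. Table 4 is not reproduced on this page, so the classification bands below are placeholders chosen only so that the article's own 4 × 3 = 12 (Medium) example is reproduced; the register rows are constructed sample data.

```python
from dataclasses import dataclass, field

# Placeholder classification bands (ASSUMPTION): Table 4 of the article is not
# reproduced here, so these cut-offs were chosen only so that the article's worked
# example (L=4, S=3, R=12) lands in "Medium". Replace them with the Table 4 values.
PLACEHOLDER_BANDS = ((1, 7, "Low"), (8, 14, "Medium"), (15, 25, "High"))

def risk_score(likelihood: int, severity: int) -> int:
    """R = L x S; both inputs must be on the 1-5 scales of Tables 1 and 2."""
    for name, value in (("likelihood", likelihood), ("severity", severity)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * severity

def classify(score: int, bands=PLACEHOLDER_BANDS) -> str:
    """Map a score to its band; raises if the bands do not cover the score."""
    for low, high, label in bands:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside every band")

@dataclass
class RegisterEntry:
    """One row of the Risk Management Tool (risk register), with treatment plan fields."""
    risk: str
    context: str            # Step 1: where the risk lives (ICU, OR, medication management, ...)
    likelihood: int         # Table 1 score, 1-5
    severity: int           # Table 2 score, 1-5
    existing_controls: list = field(default_factory=list)
    proposed_action: str = ""
    responsible: str = ""
    review_date: str = ""

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.severity)

def prioritize(entries, bands=PLACEHOLDER_BANDS):
    """Step 4 (evaluate): rank rows highest score first, returning (risk, score, band)."""
    ranked = sorted(entries, key=lambda e: e.score, reverse=True)
    return [(e.risk, e.score, classify(e.score, bands)) for e in ranked]

# Constructed sample register, not data from the article.
SAMPLE_REGISTER = [
    RegisterEntry("Medication administration error", "Medication management", 4, 3,
                  ["double-check policy"], "Bedside barcode verification", "Chief Pharmacist", "2016-12-31"),
    RegisterEntry("Patient fall", "Inpatient ward", 3, 2, ["fall-risk screening"], "Hourly rounding", "Nurse Manager", "2016-11-30"),
    RegisterEntry("Central line infection", "ICU", 2, 5, ["insertion checklist"], "Daily line review", "ICU Director", "2016-10-31"),
]
```

`prioritize(SAMPLE_REGISTER)` returns the rows in treatment order, each with its score and band, which is the ordering the risk evaluation step feeds into the treatment plan.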

Controlling the Risk: The most effective methods of risk control are those which redesign the systems and processes so that the potential for an adverse outcome is reduced. Other methods of controlling the risk include reducing the likelihood of the risk and/or reducing the severity of the impact of the risk.

Reduce the Likelihood of the risk occurring - e.g. by preventative maintenance, audit and compliance programs, supervision, policies and procedures, testing, training of staff, technical controls and quality assurance programs.

Reduce the Severity of Impact of the risk occurring - through contingency planning (contingency plan is a back-up plan in case the identified risk actually takes place), disaster recovery plans, off-site back-up, emergency procedures, staff training, etc.

Transferring the risk: Transferring the risk involves another party bearing or sharing some part of the risk through contractual terms, insurance, outsourcing, joint ventures, etc.

Avoiding the risk: This is achieved either by deciding not to proceed with the activity that contains an unacceptable risk, or by choosing an alternative, more acceptable activity.

Monitor & Review: Once risk management is in place, monitoring and reviewing the process or system that was treated is an integral part of the risk management cycle, as depicted in Figure 1. Monitoring and reviewing utilize the following sources of information:

  1. Incident reporting
  2. Clinical Audit indicators
  3. Patient Tracers
  4. Safety rounds
  5. Patient complaints
  6. Satisfaction survey
  7. Staff complaints
  8. Medical records

Residual Risk: Residual risk is the risk that remains after controls have been applied. It is not always feasible to eliminate all risks; instead, steps are taken to reduce the risk to an acceptable level, and the risk that is left is the residual risk.

Residual Risk = Total Risk - Controls

Challenges of Risk management


Risk management in healthcare is done by organizations that are conscious of the fact that the healthcare interface poses risk. Organizations actively pursuing risk management are therefore a step higher on the ladder in ensuring the safety of services and striving for quality of care, as compared to organizations that do not. Risk management is an advanced and pro-active methodology for tackling healthcare risks; however, it is challenging in the following sense, since all of the following must hold:

  1. Leadership commitment to ensuring risk management
  2. Risks are proactively identified and prioritized
  3. Risks are not ignored
  4. Pro-active involvement of the risk management team with the employees and processes
  5. Expertise is available in the team
  6. Resources for risk treatment/mitigation are adequate
  7. Change in the process/system is accepted when indicated
  8. Monitoring and control systems are in place


References

  1. World Health Organization [Internet]. 10 facts on patient safety, 2014. [updated 2014 Jun; cited 2016 Jan 15]. Available from:
  2. Agency for Healthcare Research and Quality [Internet]. National healthcare disparities report 2013. [cited 2016 Jan 15]. Available from:
  3. Institute for Healthcare Improvement [Internet]. Patient safety. [cited 2016 Jan 16]. Available from:
  4. Risk Management Handbook for Health Care Organizations. [cited 2016 Mar 28]. Available from:
  5. Risk Assessment Tool and Guidance - Health Service Executive. [cited 2016 Mar 28]. Available from:

Copyright: © 2016 Ali Yawar Alam. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.