Enterprise Risk Management
Agenda
• Definition & Risk Response
• Environment Scan – news from Insurance
• Confusion Reduction – Lessons Learned from Others with an ERM program
Enterprise Risk Management
• Defined: Measures to minimize risk of medical or accidental loss or injuries. A risk is an issue yet to be realized. An unplanned outcome. A continuous, proactive and systematic process to understand, manage, and communicate risk organization-wide, making strategic decisions to achieve overall corporate objectives
• Defined: A process effected by Board of Directors & Management, strategically applied, designed to identify potential events, manage risk (within their risk appetite), and provide reasonable assurance of an organization's objectives achievement
• Focus: Reducing threats & impact.
• Risk: identification of exposure e.g. property, income, liability, personnel, operational, financial, strategic, legal, regulatory, technological, etc.
• Methods:
– Early Identification
– Effective Trending
– Appropriate Recommendations
– Promote Quality and Process Improvements to diminish risk of future incidents or occurrences
• How?
– Promotion and education of Incident Reporting system (including protocols & policy for the unexpected)
– Risk assessments, consultation, and sharing of information
– Integrated critical incident policy and reporting with partners
– Facilitation of adverse / unanticipated event disclosure
Risk Assessment Categories
• Patient
– Quality of Care
– Outcomes
– Satisfaction
– Security
• People & Projects
– Credentialing
– Labour Relations
– Staffing
– Training / Education
– Occ Health / Safety
• Operations & Environmental
– High Risk Clinical Programs and Activities
– Environment of Care
– Supply Chain
• Finance
– Insurance
– Contracts
– Funding
– Budgeting
– Purchasing
– Investments
• Technology
– Information Systems Security Continuity
– Data Integrity Capacity Failure
• Legal/Reg
– Statutes, Policies, Standards, Regulations
– Compliance and Accreditation
• Strategy
– Mission, Vision, Values
– Leadership
– Reputation
– New Projects
Risk Response
• Actions
– Accept and tolerate the risk
– Share and transfer the risk
– Reduce the risk: change likelihood. Change consequences.
– Avoid and eliminate the risk
• Best Practices
– Governance: policies, practices
– Development: plan for the realization of benefits
– Operations: plan for change testing, capacity, security
– Acquisition: plan for partner management
– Others:
• Focus on what is important to control, not what is easy
INSURANCE PROVIDER INFORMATION
2010 U.S. Healthcare Enterprise Risk Survey – Top Risks
• Financial
– Revenue increases consistently below medical inflation
– Unfunded mandates for the provision of services
– Increasing capital costs and gaps between needed and available capital
• Physician relationships – ability to control the direction and level of alignment of physicians and institutions
• Preparedness for clinical automation: inadequate I.T. requiring investment in more sophisticated systems – e.g. inability to develop a fully operational electronic health record.
• Improving performance in the midst of accelerating regulatory and marketplace change
• Employee dissatisfaction – e.g. nurses' strike, resignations
Emerging Risks / Trends / Class Actions
• Nosocomial Infections
• Pathology and Lab Issues (ID, interpretation, false pos/neg, result communication)
• Sterilization: effectiveness of equipment, staff certification
• Clinical Trials
• Treatment of Foreign Patients: Governing Law and Jurisdiction Agreement needs to be in place
• Disclosure: transparency and communication with patients and families
• Privacy: custody and control
• Cyber Risk: personal devices and virtual wards
HIROC Top Risks
HIROC High Risk Management Factors
1. Documented Board approval of the Risk Management program, including a description of formal reporting relationship to the Board.
2. Committee with Patient Safety/Risk Management responsibilities.
3. Committee activity relating to Risk Management activity including: Infection Control, Occupational Health and Safety, Morbidity and Mortality, Pharmacy and Therapeutics, Quality Management, Utilization Review, etc.
4. Health Records policy advising Claims Manager of potential medical-legal issues.
5. Staff and medical staff awareness of Safety Reporting (RMPro)
6. Awareness of staff and medical staff of policy regarding lending and borrowing of equipment.
7. Loss control procedures including guidelines for identifying pertinent personnel/departments and for requesting the identification, location and look-up of records etc. related to an incident.
8. Responsibility for coordination of risk management delegated to one individual.
9. Managers in Patient Safety department possess a level of authority that allows them to influence change in policies and standards which govern potential loss.
10. Patient Safety Dept. receives copies of all reports and any follow-up documentation (incident reports, medication IV therapy reports, complaints)
11. Claims Manager aware of any statement of claim served upon the institution.
12. Patient Safety Manager receives medical device recalls, and alerts, and has a system in place to disseminate the information, and feedback process to ensure recommendations are adhered to.
13. Compliance with universal precautions/body substance precautions is monitored.
14. Procedure for retention of outdated policies and standards.
15. Security issues are addressed by management, medical staff and at all department levels.
16. Any breach of security is reported as a safety report.
17. All staff and medical staff wear identification badges.
18. Initial and annual credentialing systems are in place.
CONFUSION REDUCTION
Lessons Learned
• Traditional concerns:
– “we will worry about that if a situation arises”
– “we cannot get people to fulfill normal project tasks”
– “we don’t have time to plan projects as it is without theoretical risks piled on top”
– “risk planning is too theoretical”
– “it’s like we are planning for failure”
• Practical measures
– Risk Management effectiveness and value should be measured
– Focus needs to be specific, realistic, and actionable
– For projects: 10% of resourcing on risks max.
– Regularly review risks to embed in culture and reduce blame
– Actively manage a fixed number of risks and reprioritize others
– Multi-dimensional impact analysis (cost, schedule, quality, scope, etc.)
• General
– Risk assessment cannot be viewed as episodic, and info needs to build vs. becoming stale with the same results
– Data & Information gathered needs to be easy to interpret and use. Assess risk adjusted returns.
– Risk follow-up needs to have clarity, accountability, and ownership
– Risk response needs to be balanced to value (e.g. avoiding an excessive cost burden)
– Risk assessment needs to be built into business processes vs. being added to the day-to-day responsibilities
– Risk assessments need to be centrally coordinated vs. performed independently across the organization
– Risk assessment will not prevent a big failure – it reduces the risk and increases the responsiveness
Risk Identification
• Identification:
– Incident reports for the unexpected or change in anticipated disease / treatment process of a patient / client / resident
– Managers review and report to Risk Management
– Severity is assessed with RM follow-up
– Incidents are tracked and trended in a database
– De-identified data in aggregate is distributed to managers regularly
– Agenda item in staff meetings
– Patient and family feedback through client representatives, care providers, etc. to RM
• Process
– Managers and staff develop strategies for most situations
– Sometimes other stakeholders are engaged for action plans (e.g. policy development, procedural changes, etc.)
– Multi-disciplinary reviews in a non-blame environment sponsored by sr. management
Success Framework
1) High level framework and communication tool
– Single page view of business focus, milestones, activities
2) Critical Event Trees – highest risk events
3) Schedule Risk Analysis
– Identify method of completion in time and budget
– Identify issues, confidence & near critical paths
– Engage in an iterative development path
4) Develop Risk Trees and Risk Action Plans
– Assume events will occur (break optimism cult). Develop plan.
– Use effective tools: risk register, actions, due dates, mitigations, etc.
– A materialized risk is an issue: corrective action & work-effort
5) Frequent Consultation
6) Transparency
Key Principles
• Clearly established risk assessment governance process
– Board and Audit Committee identify and address risk
– Risk facilitator owns process to analyze & discuss
– Management manages risk & engages process owners
• Specific identification of risk assessment objectives
– Organizational objectives define the scope of assessment
– The appetite for risk assigns risk tolerance (acceptable variation)
• Organizational objectives measurements should define the risk rating scales
– Risk measure timelines should align with the achievement of objectives
– Prioritization of resources / actions is based on assessment ratings
• Management makes decisions using a portfolio view of risks
– Enterprise Risk Management looks at the inter-relationships between risks
– Correlations may expose assessment variations and change systemic response
• Insight into potential risks comes from leading indicators
– Use Key Risk Indicators (KRI) in addition to KPIs.
– Use Leading Indicators: measures that signal a change in the environment
– E.g.: increase in late supply shipments; outbreaks; reduction in funding; etc.
AVAILABLE PROGRAM & TOOLS
How to proceed?
Risk Assessment Steps
• Establish the context of risk
– Use Patient / Client and Business objectives as a basis. Use this as a gauge for risk appetite.
– Use strategy maps, cause & effect relationships, value assessments, etc.
• Identify potential events threatening objectives achievement
– Establish an event inventory using internal (survey, process, events, etc.) and external sources (benchmark, tech breakthroughs, etc.)
– Evaluate “risk/reward” in context of volatility effect on key business services
• Assess potential impact and risk tolerance
– Categorize potential event categories – opportunities (positive) or risks (negative)
– Evaluate within a framework (see key principles, etc.) & risk map
– Establish risk tolerance – relative importance of objectives with risk limits
• Develop and Iteratively Refine the Response Framework
– Regularly evaluate risk tolerance, event probabilities & impacts, backup plans, etc.
– Actions taken should demonstrably lower risk probabilities and incrementally build
– Consider hedging instruments: risk sharing, insurance, outsourcing, etc.
• Maintain and Monitor the Program / Metrics / Framework
– Aggregate individual residual risks together to a portfolio view (inter-dependencies and inter-connections)
– Action plan assignment needs to have capacity, capability, and authority
• Communicate, communicate, communicate
[Diagram: Risk Context, Identification, Assessment, Response, Maintain & Monitor, Communicate]
Frameworks
Frequency: the number of losses/events/likelihood.
Consequences / Severity: the severity/amount of a loss/event, focus on actual or potential harm.

Consequences / Severity levels:
• Insignificant / Near Miss / No Harm (1): No impact, event did not reach patient or staff member
• Minor (2-4): Could have little impact/effect on organization/patient/staff
• Moderate (5-7): Could have a moderate impact/effect/exposure on organization/patient/staff
• Major (8-10): Could lead to serious risk exposure for the organization/patient/staff

Frequency | Insignificant (1) | Minor (2-4) | Moderate (5-7) | Major (8-10)
Often – 5: Occurs often, every 1-6 months | Medium 5 | High 10-20 | Very High 25-35 | Very High 40-50
Possible – 3: Likely/known to occur, every 6 months – year | Medium 3 | Medium 6-12 | High 15-21 | Very High 24-30
Rare – 2: Could occur, once every 1-10 years | Low 2 | Medium 4-8 | Medium 10-14 | High 16-20
Never – 1: Could happen, but likely not, once every 10-100 years | Low 1 | Low 2-4 | Medium 5-7 | Medium 8-10

Risk categories: Patient, People, Operations/Env, Finance, Technology, Legal/Reg, Strategy/Rep
Risk Evaluation & Management Tools
Risk Category
Risk Description
Risk Category
Risk Priority
Risk Impact Assessment
Risk Category
Probability
Impact Consequences Weight (Prob * Impact)
Risk Management Tools
• Incident Reporting Solution
• Disaster Recovery & Business Continuity Plan
• Emergency and Pandemic Plan
• Occupational Health and Safety Monitoring, performance & sick management
• Strategic Planning
• Patient & Staff Safety, Violence, Harassment Planning
• Standing Agenda Item
• Preventative Maintenance Program
• Credentialing, consent, confidentiality, privacy, release management
• Contract, procurement, and supply chain management
• Exceptions, abnormals, adverse events management
• Audits, inspections, reviews, assessments
• Programs: Infection Control; Quality Improvement
• Insurance, working capital, management reporting
KEY QUESTIONS AND NEXT STEPS
Now What?
Risk Review Key Questions
1) Are any of our objectives at risk?
2) Are we in compliance with policies and regulations?
3) What risk events have been escalated?
4) What trends require immediate attention?
5) What risk areas need to be reviewed?
6) Are these risks within acceptable limits? i.e. what is the frequency, are there financial consequences, are there patient or staff safety consequences?
7) How will the risk be managed/monitored?
8) What are the controls in place to manage high and medium risks?
9) How will each unit/program/team be accountable for the management of this risk?
10) How will the success be measured?
Enterprise Key Questions
• Operational
– Do people with risk management accountability have the authority to change process / practices governing the potential loss?
– Are leaders oriented to risk management strategies?
– Are staff, physicians, volunteers, contractors, etc. oriented to safety reporting & policies?
– Is credentialing an ongoing process?
– How is safety and security ensured?
• High Risk Practices / Areas
– How are high risk practices addressed (meds, falls, specimens, consent, restraints, observation, etc.)?
– What is the equipment and medical device prevention and maintenance program?
– What processes control, monitor, and ensure high standards of documentation and communication?
• Legal / Regulatory:
– Are the appropriate people immediately notified?
– Are there risks to statutory / regulatory compliance, adherence with legislation, standards, accreditation, etc.?
• People Resourcing
– Clear and consistent policies re: termination, education, succession planning, recruitment, harassment, system abuse, etc.
– How is monitoring of clinical competency accomplished?
– How is privacy and confidentiality maintained?
• Financial
– Is there a consistent process for contract agreement, development, renewal, and archiving, etc.?
• Technology
– Are there risks associated with biomedical, IT, data integrity, systems security, disaster recovery & business continuity, etc.?
• Strategy
– Are there constraints to growth, budget, LHIN funding, quality of care, public relations, etc.?
– Are there risks to culture, change response / planning, etc.?
Risk Assessment Methodologies
• Qualitative
– Categorization of potential risks using nominal or ordinal scales (ranked comparatively to each other)
– External validation mitigates bias
• Quantitative
– Benchmarking
– Probabilistic modeling (e.g. backtesting, loss event assessments, and “at-risk” modeling) = likelihood and impact
– Non-probabilistic modeling (e.g. stress tests, sensitivity analysis, and scenario analysis) = impact
– Used as internal event data builds and can be tracked
– Refined through iteration
Next Steps
• Based on our size and available resources, focus on:
– Insurance company risk assessment checklists
– Published Patient Safety best practice checklists
– Standards based industry tools
• Divvy the work up to areas of responsibility using a common tool such as Excel
• Standardize the assessment tool (such as shown earlier) and rank the risks according to:
– Impact
– Probability / Frequency
– Order of magnitude costs to resolve
– Area / type of risk
• Focus resources on the top ten and develop a mitigation strategy for each (avoid, share, reduce impact or consequence, or accept and move on)