Close
About
FAQ
Home
Collections
Login
USC Login
Register
0
Selected
Invert selection
Deselect all
Deselect all
Click here to refresh results
Click here to refresh results
USC
/
Digital Library
/
University of Southern California Dissertations and Theses
/
Risk approaches and standards used in hospitals: a survey of industry views
(USC Thesis Other)
Risk approaches and standards used in hospitals: a survey of industry views
PDF
Download
Share
Open document
Flip pages
Contact Us
Contact Us
Copy asset link
Request this asset
Transcript (if available)
Content
RISK APPROACHES AND STANDARDS USED IN HOSPITALS:
A SURVEY OF INDUSTRY VIEWS
By
Haven McCall
A Dissertation Presented to the
FACULTY OF THE USC SCHOOL OF PHARMACY
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF REGULATORY SCIENCE
December 2013
Copyright 2013 Haven McCall
2
DEDICATION
I would like to dedicate this dissertation to my beloved family members. To my beautiful
and loving wife, Brittany, who has supported me throughout this educational journey.
And to my loving children Peyton, Brylee, Braydon, Kaylee, Mayson and Bryson who
had all the patience and understanding a father could ask for as I worked on this
doctorate degree. I am thankful for a mother who instilled a passion of learning within
me and for a father who taught me to set life-long goals and achieve them. Finally, I
dedicate this to my late mother-in-law, LaSchelle Schneider (1958 – 2012), who wasn’t
here to see my finished work.
3
ACKNOWLEDGEMENTS
I would like to thank everyone who has supported and encouraged me in making this
dissertation a reality. I would like to thank Dr. Frances Richmond for the many hours she
spent working with me throughout the last few years. Her guidance, mentorship,
encouragement, feedback and patience helped my dream of obtaining a doctorate
degree a reality. I would also like to thank my committee members; Dr. Gerald Loeb, Dr.
Ron Alkana, Dr. Eunjoo Pacifici and Dr. Michael Hamrell for providing many valuable
comments and insights that helped improve the overall contents of this thesis and
helped define the overall goals and direction for my doctoral research. I am also grateful
for all the feedback and advice that Dr. Michael Jamieson gave me over the last three
years. In addition, I would like to thank the other students in the 2010 Doctoral Cohort
and all the supporting staff of the Regulatory Science program for their support over the
last three years.
4
TABLE OF CONTENTS
DEDICATION ................................................................................................................. 2
ACKNOWLEDGEMENTS ............................................................................................... 3
LIST OF TABLES ........................................................................................................... 8
LIST OF FIGURES ......................................................................................................... 9
ABSTRACT ...................................................................................................................11
Chapter 1: Overview of the Study ..................................................................................12
1.1 Introduction ....................................................................................................... 12
1.2 Statement of the Problem ................................................................................. 14
1.3 Purpose of the Study ........................................................................................ 15
1.4 Importance of the Study .................................................................................... 16
1.5 Limitations, Delimitations, Assumptions ............................................................ 17
1.6 Organization of Thesis ...................................................................................... 18
1.7 Acronyms .......................................................................................................... 19
Chapter 2: Literature Review .........................................................................................20
2.1 Introduction ....................................................................................................... 20
2.2 History of Public Hospitals in the United States................................................. 20
2.2.1 The Emergence of Hospitals .....................................................................20
2.2.2 Danger in Hospitals ...................................................................................21
2.2.3 Development of Risk Management in Hospitals ........................................22
2.3 Risk Management in the Twenty-First Century.................................................. 26
2.3.1 Broadening the Scope of Risk Management .............................................26
2.3.2 Integrating Risk Management with Quality ................................................29
2.4 Drivers and Tools for Hospital Risk Management ............................................. 30
2.4.1 Hospital Accreditation Organizations .........................................................31
2.4.1.1 The Joint Commission ......................................................................31
5
2.4.1.2 Det Norske Veritas ...........................................................................32
2.4.1.3 Healthcare Facilities Accreditation Program .....................................32
2.4.2 Food and Drug Administration ...................................................................33
2.4.3 Benchmarking Standards ..........................................................................33
2.4.3.1 ISO 31000 ........................................................................................34
2.4.3.2 ISO 14971 ........................................................................................37
2.4.3.3 Enterprise Risk Management ...........................................................39
2.4.4 Risk Management Tools............................................................................40
2.4.4.1 Failure Modes and Effects Analysis ..................................................41
2.4.4.2 Fault Tree Analysis ...........................................................................41
2.5 Lessons from Risk Management in Other Industries ......................................... 43
2.6 Frameworks for Studying Risk Management ..................................................... 46
2.6.1 Examples of Process Models ....................................................................47
2.6.1.1 Risk Management Models of Valsamakis and Colleagues ................47
2.6.1.2. Project Management Risk Model by Gray and Larson .....................48
2.6.1.3 Project Management Problem-Solving Model (Karis, 2012) ..............50
2.6.1.4 Risk Management Model for Tourism ...............................................51
2.6.2 Risk Management from a Systems Perspective ........................................52
2.6.2.1 FDA Framework for Risk Management .............................................53
2.6.2.2 Risk Management Framework (Shortreed, Hicks, & Craig, 2003) .....54
2.6.3 The Organizational Triangle (Guldenmund, 2010) .....................................56
2.6.4 The Conceptual Model (Sullivan & Beach, 2009) ......................................58
2.6.5 Research Model for Risk Management Implementation ............................60
Chapter 3: Methodology ................................................................................................62
3.1 Introduction ....................................................................................................... 62
3.2 Development of Initial Survey ........................................................................... 62
6
3.3 Focus Group Conduct ....................................................................................... 62
3.4 Survey Deployment and Analysis...................................................................... 64
Chapter 4: Results .........................................................................................................66
4.1 Analysis of the Survey Results .......................................................................... 66
4.2 Profile of Respondents ...................................................................................... 69
4.3 Profile of Hospitals ............................................................................................ 74
4.4 Profile of Risk Management Departments/Systems .......................................... 77
4.5 Profile of Staffing Patterns ................................................................................ 79
4.6 Top Risks .......................................................................................................... 81
4.7 Risk Management Items and Tools ................................................................... 85
4.8 Risk Management Standards ............................................................................ 91
4.9 General Opinions ............................................................................................ 100
4.10 Levels of Satisfaction .................................................................................... 106
Chapter 5: Discussion ................................................................................................. 108
5.1 Summary................................................................................................... 108
5.2 Consideration of Limitations, Delimitations, and Assumptions ................... 108
5.3 Consideration of Results ........................................................................... 117
5.4 Are current risk management approaches in hospitals adequate? ............ 117
5.5 Focus of retrospective rather than proactive issues ................................... 120
5.6 Structure and Support of Risk Management Departments ......................... 121
5.7 The restricted resource allocation to education ......................................... 126
5.8 The restricted resource allocation for risk management tools .................... 128
5.9 Interest in a standalone risk management standard .................................. 130
5.10 Conclusions and Future Considerations .................................................... 136
References .................................................................................................................. 138
Appendix A – Survey Instrument, Pre-Focus Group – October 31, 2012 ..................... 148
7
Appendix B – Survey Instrument, Post-Focus Group – December 14, 2012 ................ 153
8
LIST OF TABLES
Table 1: Features of Risk Management enunciated by ISO 31000. ...............................35
Table 2: Features and Comments on Three Kinds of Proactive Risk Assessment
Methods. .......................................................................................................................43
Table 3: Participants in the focus group .........................................................................64
Table 4: Classification of questions to describe the profiles of the respondents, the
hospitals, risk management systems/departments, and staffing of the associated
organization. ..................................................................................................................67
Table 5: Classification of questions to describe top risks, the use of risk management
items and tools, and the use of risk management standards. ........................................68
Table 6: Questions to elicit opinions and measure levels of satisfaction with risk
management systems. ..................................................................................................69
Table 7: Activities of the respondents ............................................................................74
Table 8: Top risks perceived by management ...............................................................82
Table 9: Additional risks perceived by management ......................................................83
Table 10: Top risks perceived by the respondents .........................................................85
Table 11: Ranking of risk management items that the hospitals use to define success .86
Table 12: Ranking of the frequency of tools used to identify risk. Boxes in blue indicate
the most frequent choice made......................................................................................89
Table 13: Thematic analysis of other tools needed to perform the job as risk manager .90
Table 14: What might a standalone risk management standard include? ......................97
Table 15: How is knowledge and experience transferred from employees leaving the
hospital? ........................................................................................................................98
Table 16: General opinions of the respondents ........................................................... 101
Table 17: What respondents would need to help manage risk that is not currently
included in standards, policy or guidance? .................................................................. 102
Table 18: How to track lessons learned ....................................................................... 104
Table 19: Levels of satisfaction of the respondents ..................................................... 107
9
LIST OF FIGURES
Figure 1: Product Liability Lawsuits and Average Awards in Federal and District Courts
in the United States. ......................................................................................................23
Figure 2: Risk Management and Quality Improvement Functions Overlap in Patient
Safety. ...........................................................................................................................29
Figure 3: ISO 31000 Risk Management Process. ..........................................................37
Figure 4: ISO 14971 Risk Management Process. ..........................................................38
Figure 5: Fault tree representation of a series structure. ................................................42
Figure 6: Risk Management Model of Valsamakis. ........................................................47
Figure 7: Risk Control Model of Valsamakis. .................................................................48
Figure 8: Risk Management Model from Gray and Larson. ............................................49
Figure 9: Project Management Problem-solving Model. .................................................50
Figure 10: Risk Management Model for Tourism. ..........................................................52
Figure 11: FDA’s View on Managing the Risk of Pre-Market and Post-Market Product
Risks. ............................................................................................................................54
Figure 12: Risk Management Framework. .....................................................................55
Figure 13: The Organizational Triangle. .........................................................................57
Figure 14: The Conceptual Model. .................................................................................59
Figure 15: Research Model for Medical Device Risk Management Implementation. ......60
Figure 16: Profile of the respondent’s job titles. The bar graph below identifies the most
common titles, and below are the titles supplied by the respondents who self-identified
“Other”. ..........................................................................................................................70
Figure 17: Profile of the respondent’s educational background. .....................................71
Figure 18: Profile of the respondent’s experience in risk management, A: overall, and B:
in current position ..........................................................................................................72
Figure 19: Main areas of responsibilities of the respondents ........................................73
Figure 20: The total number of beds where the respondents worked .............................75
Figure 21: Cross tabulation of hospital beds >200 and Risk Management FTE .............76
Figure 22: Accreditation body used by the hospital ........................................................77
Figure 23: How the hospital structures the risk management department ......................78
Figure 24: How long has the current risk management system been in place? ..............79
Figure 25: Number (A) and retention times (B) for full-time equivalent employees in risk
management .................................................................................................................80
Figure 26: How often mandatory risk management training is provided? .......................81
10
Figure 27: Risk management tools used by respondents...............................................87
Figure 28: Risk management standards used by the respondents .................................92
Figure 29: If a standard were created for risk management in hospitals, what
organization should develop it? .....................................................................................93
Figure 30: Value in having a standalone risk management standard for hospitals ........94
Figure 31: Advantages that might be gained from a standalone risk management
standard ........................................................................................................................95
Figure 32: Disadvantages there might be in a standalone risk management standard ...96
Figure 33: Have a process for retention of knowledge ................................................. 100
Figure 34: Total Number of Physicians vs. Truly Independent Physicians. .................. 110
Figure 35: Distribution of Database Hospitals and Respondents by Bed Size Compared
With AHA-Registered Hospitals. .................................................................................. 116
Figure 36: Overview of a Quality risk management process. ....................................... 131
11
ABSTRACT
Risk management is an important tool to decrease medical errors and to improve overall
quality of care in US hospitals. To gain insight into current practices in US hospitals,
survey methods were used to explore the extent to which risk management systems in
hospitals have the tools, resources and staffing appropriate to handle and improve risk
management. A survey instrument was developed by reference to a research framework
based on the "conceptual" model of Sullivan and Beach as modified by Chan that
emphasizes the importance of a triad of elements, including resources, competence and
memory. The purpose of the survey was to determine current approaches and hiring
practices in risk management within the hospital industry. It further probed the focus of
risk management activities performed by risk managers, their views of risk management
standards and approaches being used in hospitals and the use of methodologies. It was
clear from both a voluminous literature on this topic and the survey that hospitals still
have many challenges with regard to implementing risk management systems and
processes. Most hospitals had only one or a few risk management personnel who had
little ongoing training and background preparation in risk management methodology.
They performed a large variety of tasks and were faced with a large range of risks.
Nevertheless, they typically expressed satisfaction with their work, with mixed views on
the level of support that they received from senior management. Typically missing from
the system was a systematic set of standards for identifying, prioritizing and controlling
areas of greatest risk based on their performance metrics. Although the framework used
for this study was primarily oriented to assessing performance, results suggested that
hospital culture and behaviors often seemed to contribute to key concerns, such as the
willingness to hire individuals with little background in formal risk management and to
accept as standard practice the use of only very risk management tools.
12
Chapter 1: Overview of the Study
1.1 Introduction
A central goal for any hospital is to provide the best possible care for patients. However, such
care must be provided in a system under strain, as described colorfully by Lee in his book, “If
Disney Ran your Hospital”:
The healthcare industry faces obstacles of monumental proportions. Hospitals lose
money on most of their patients. Staffing shortages and under-capacity exist in virtually
every community. The average American feels vulnerable to financial disaster because
of inadequate or unaffordable insurance coverage. Young people are not choosing
nursing as a desirable profession or hospitals as desirable places to work. Hospitals
teeter on the edge of bankruptcy because of reimbursement that is constantly adjusted
downward. Meanwhile the costs of drugs and technology are skyrocketing. The
constant threat of malpractice suits is driving physicians out of business and creating
volumes of regulations and paperwork. And this is just a partial list! (Lee, 2004)
It is in this challenging environment that hospitals must ensure a system that can increase the
overall quality of care and decrease the risks to patients.
An appreciation for the importance of health-care quality is almost as old as the hospital system
itself. However, approaches to manage quality have evolved more gradually, from systems in
which quality was improved in a piecemeal fashion to newer approaches that have focused on
identifying problems and prioritizing solutions in a more holistic way. One important part of more
recent approaches is the incorporation of "risk management”:
Risk management is the identification, assessment, and prioritization of risks followed by
coordinated and economical application of resources to minimize, monitor, and control
the probability and/or impact of unfortunate events. (Hubbard, 2009)
Risk management is designed to deal proactively with risks that are under the control of the
organization. Such an approach acknowledges that hazards and their associated risks cannot
always be avoided, but, through proper risk management, they can be prioritized and mitigated.
13
Risk management in a healthcare setting has been promoted historically by some as a way to
reduce liability exposure. However, such methods are now seen as central to developing and
maintaining a quality system in which areas of focus are chosen based on the criticality of those
areas to patient or worker safety.
The implementation of a systematized and effective risk management system throughout all
areas of a hospital can have many positive outcomes. It has been identified as an important
driver to decrease medical errors and hospital acquired infections, and to improve overall quality
of the care. It ultimately should strengthen a hospital's financial health and reputation amongst
its satisfied patients and partners (Buchholz, 2000). The benefits of a quality system that
reduces expensive problems should at first glance seem to be a sufficient "carrot" to motivate
improvements in hospital quality. However, it has been difficult to ensure successful initiatives in
risk management in the hospital. Most early approaches depended on voluntary compliance or
set modest goals that were tied to hospital accreditation, but such approaches have had
insufficient impact in the eyes of most analysts. Widespread agreement exists across the
political spectrum that the health care system needs to move toward paying doctors and
hospitals for the quality rather than the quantity of care that they provide (Boulton, 2009). Failure
to satisfy these requirements can result in heavy fines and punishments (Kavilanz, 2010). One
of the reform proposals being considered by Congress is rewarding doctors and hospitals that
provide the best quality care at the lowest cost (Boulton, 2009). These new measures have
increased the urgency to regard poor quality outcomes as both legally and financially
problematic, and have caused hospitals to pay more attention to risk management approaches
and to hire individuals, called “risk managers”, who are responsible for this aspect of quality.
As the name might suggest, the “risk manager” is typically the hospital employee who is
responsible for ensuring that risk is being addressed appropriately and proactively. The position
and its typical associated job description are relatively new. A hospital risk manager must work
14
with medical staff to increase support for the risk management program. In most healthcare
settings, physicians and hospital executives are often too busy to be “bothered” with risk
management programs. Many do not take time to understand what risk management
professionals hope to accomplish. Physicians who are not aware of the benefits and goals of a
risk management program tend to view risk managers negatively (Buchholz, 2000). It is perhaps
not surprising, then, that the positions are filled by individuals who come from different
backgrounds and experience. Some risk managers may have experience that is outside of the
hospital environment. Risk managers who come from the hospital environment may derive
much of their experience from other roles; they may have many years of practice as clinicians,
and very commonly are drawn from the ranks of nurses who understand certain specific types of
risks through their direct contacts with patients. Because so much diversity can be present in
the skill sets of risk managers in hospitals, these managers may approach risk management
within their respective facilities using different approaches and frameworks. Typical risk
management standards selected by a hospital may range from adopting certain requirements
from the FDA 21 CFR 820-Preamble, to using ISO 31000 or ISO 14971, to creating internal
standards tailored specifically for that facility. An additional resource for risk standards would be
professional societies in which risk managers participate. The largest and most recognizable
risk society in the U.S. is the American Society for Healthcare Risk Management (ASHRM).
Since 1980, this has been a society that risk managers have recognized as a central resource
for support, information and collaboration (Zimmerman & Clark, 2010).
1.2 Statement of the Problem
Hospitals in the USA do not yet have a recommended standalone risk management standard or
framework that addresses the hospital environment uniquely. Certain risk specific requirements
are in place that relate to particular procedures such as handling medical product recalls or
reporting adverse events to the Food and Drug Administration (FDA). However, for risk
15
management processes more generally, institutions have the option to implement one or more
of several risk management approaches and tools known in the healthcare and health product
sector. The Joint Commission (TJC) (previously the Joint Commission on Accreditation of
Healthcare Organizations – JCAHO), an organization that accredits most U.S. hospitals, does
not clearly mandate specific approaches to risk management. In fact, there are very few risk
management requirements within TJC standards (Phelps, 2007). Thus, no one accepted
approach or a benchmark exists for small, mid-sized, or large sized hospitals to follow. Such
flexibility may be important given the diversity of hospital sizes and specialties. What works for a
large, urban tertiary care center may not be appropriate for a small rural clinic. Because no
specific standard or regulation governs risk management in hospitals, managers have
considerable flexibility and latitude in their initiatives and risk management approaches.
However, the negative outcome may be that poor risk management approaches can be adopted
if the hospital that lacks sufficient oversight and internal expertise to identify that the approaches
are inadequate or even problematic. Further, even if the most appropriate risk management
framework is adopted, tight fiscal constraints could reduce the resources and training needed to
ensure that the approach is implemented adequately. Poor risk management at the systems
level can have a ripple effect across multiple areas of hospital practice. As hospital quality
becomes a focal point for federal government and industry watchdogs, having an effective risk
management approach in the hospital will be central to compliance and reimbursement as well
as the safety and success of patient therapies. However, it is not clear from the literature
whether most hospitals are unifying around certain standards or approaches in order to facilitate
compliance and quality improvement. Further it is not clear what level of background
preparation and additional training are typical for risk managers currently employed in hospitals.
1.3 Purpose of the Study
This thesis was designed as an exploratory study regarding the risk management approaches
16
that hospitals were using to ensure health-care quality. This study used survey approaches to
investigate the structures and views of hospital management with regard to risk management. In
the first stage of the research, literature relating to hospital risk management was analyzed to
identify whether trends are apparent in suggested choices for risk management methodologies
in hospitals. In a second stage, a survey tool for hospital risk managers was developed. This
survey was examined critically by a focus group that included researchers and risk management
experts. The feedback from the focus group was used to fine-tune the survey. The survey was
administered to risk managers who were responsible for risk management in a broader range of
hospitals who worked in the U.S. hospital and healthcare industry. The responses were
compared in order to assess the external validity of the survey.
In the survey, questions were asked about the size of the hospitals at which respondents
worked; hospital size was assessed according to the number of beds. The sampling of hospitals
attempted to include a range of hospital sizes from small (10 beds) to large (200+ beds). The
survey attempted to capture information about the approaches that risk managers were taking
at their hospitals and the references that they were using to frame and anchor their activities. It
evaluated the risk standards that were being used and queried the perceived adequacy of those
tools by their practitioners. The survey also examined where risk managers perceived areas on
which more standards, guidance or tools could be developed in order to facilitate their jobs, and
investigated those areas of risk management that were considered by the risk managers to be
most challenging.
1.4 Importance of the Study
To date, most of the information that we have about risk management in hospitals is anecdotal
and qualitative. The research conducted here provided a more systematic insight into the risk
approaches and standards used within the hospital healthcare systems in the U.S. It hopefully
17
provides a beginning level of information regarding the relative degree to which different
management tools are used in American hospitals and thus help to establish benchmarks for
risk management practices. Such benchmarks can serve as a resource for risk managers in
hospitals to gauge the effectiveness of their risk management approach and evaluate the need
to modify their internal processes and systems. This study may also open the door for the
hospital industry to engage in discussions on whether current practices for recruitment and
training are adequate and whether a stand-alone risk standard or approach is needed.
1.5 Limitations, Delimitations, Assumptions
This study focused only on risk approaches and standards in the hospital industry within the
U.S. It did not attempt to evaluate risk management practices in other industries or in health
care settings such as doctor's offices, schools or prisons not considered to be "hospitals". This
study did not focus on outpatient sites, clinics, ambulatory centers, or surgery centers that are
not part of a main hospital. It did not investigate practices outside of the U.S. where hospital
delivery systems can differ substantially. Further, it was delimited to the study of risk
management practices through input obtained from only one type of job function, the risk
manager job function, rather than a cross-section of hospital employees more generally.
The study was limited by a number of constraints that may be predicted or may be unknowable
at the time. Amongst the predicted limitations were the challenges of obtaining the cooperation
of most risk managers to participate in interviews and to complete the survey. It is well known
that survey participation is generally low in professions such as healthcare where practitioners
are busy and see little advantage to taking part in a survey. This caused the survey results to be
skewed toward responses from hospitals with larger risk management teams, who were more
motivated to improve the system though participation in such exercises. Thus we needed to
consider this source of bias in the evaluation of the responses. The potential bias of the
18
investigator was also acknowledged, because he worked in a role that offers audit preparation
services for hospitals to prepare them for accreditation audits. This may affect judgment with
respect to the areas surveyed. Though the investigator works in this industry, effort was made to
control this potential source of bias by having secondary review processes in place to evaluate
the survey questions. Another class of limitation relates to the limited experience of the
investigator with regard to risk management in the hospital setting. The investigator had over
ten years of experience relating to risk management in the medical device industry, but he had
been responsible for ensuring compliance to hospital accreditation standards in the area of
medical equipment management for only 3 years.
1.6 Organization of Thesis
This study contains multiple chapters. Chapter 1 provides an overview and background of the
research question. Chapter 2 focuses more into the current state of knowledge with respect to
the literature as it pertains to approaches and standards in the hospital. Chapter 3 outlines the
methods used in the survey that will explore what approaches and standards associated with
risk succeed in the hospital. Chapter 4 contains an analysis of the survey results. Chapter 5
contains a discussion of survey results, limitations and delimitations and directions for further
research.
19
1.7 Acronyms
Term Definition
ACO Accountable Care Organization
AHA American Hospital Association
ASHRM American Society for Healthcare Risk Management
CAS Casualty Actuarial Society
CMS Centers for Medicare and Medicaid Services
DNV Det Norske Veritas
EPA Environmental Protection Agency
ERM Enterprise Risk Management
FDA Food and Drug Administration
FMEA Failure Mode and Effects Analysis
FTA Fault Tree Analysis
HAI Hospital Acquired Infections
HIPAA Health Insurance Portability and Accountability Act
HFAP Healthcare Facilities Accreditation Program
HRO High Reliability Organizations
IEC International Electrotechnical Commission
IOM Institute of Medicine
ISO International Organization for Standardization
JAMA Journal of the American Medical Association
JCAH Joint Commission on Accreditation of Hospitals
JCAHO Joint Commission on Accreditation of Healthcare Organizations
RM Risk Manager
TJC The Joint Commission
USA United States of America
WHO World Health Organization
20
Chapter 2: Literature Review
2.1 Introduction
The health care system in the U.S. is under siege. Little more than half of U.S. patients appear
to receive “best practice” treatments for their illness and less than half of physician practices use
recommended processes for care (Casalino, 2003). An estimated thirty to forty cents of every
dollar spent on health care, or more than half a trillion dollars per year, is claimed to be spent on
costs associated with “overuse, underuse, misuse, duplication, system failures, unnecessary
repetition, poor communication, and inefficiency” (Lawrence, 2005). These numbers suggest
that risks are not well managed in the health care environment. Hospitals in particular have
come under scrutiny, for it is here that the most vulnerable and sickest individuals go for care.
How did the hospital system get into such a state?
2.2 History of Public Hospitals in the United States
2.2.1 The Emergence of Hospitals
In the early 19
th
century, most Americans gave birth, endured illness and even underwent
surgery at home. They belonged to a largely rural society; few among them would even have
had occasion to visit a hospital. Hospitals in the United States emerged from institutions such as
almshouses that provided care and custody for the ailing poor. Rooted in a tradition of charity,
the public hospital traces its ancestry to the development of cities, where more systematic
methods became needed to shelter and care for the chronically ill, deprived, and disabled. The
first known hospital in the U.S. was traced back to a six-bed ward, founded in 1736 in New York
City (NAPH, 2009c). The American hospital as we know it today began to emerge around the
time of the Civil War. Physician-staffed hospitals, with professional nursing and specialized
departments and services, were products of urbanization and economic expansion during the
21
Second Industrial Revolution. They coevolved with massive immigration and rapid strides in
medicine itself. In the period around 1880, the identification of asepsis as important to surgical
outcomes opened broad new horizons for surgeons. As physicians looked to the future with a
new sense of hope to improve the health outcomes of patients, hospitals became symbolic of
their new optimism and authority. By the 1920s, the hospital was considered by most to be a
place where illness might be treated and even cured using better methods than could be
obtained from visiting physicians (NAPH, 2009b). Not surprisingly, hospitals opened at a steady
rate throughout the 20
th
century, to maintain a growth rate consistent with population growth. In
one statistical analysis, between 1929 and 1933, when living standards and public health
deteriorated during the Great Depression, public hospitals saw an increase of 21% in patient
load with an average occupancy rate of 90% in 1933 (NAPH, 2009a). Today, a majority of the
U.S. populace has visited a hospital at one time or another. Most Americans are born in
hospitals. Hospitals provide care after serious injuries and during episodes of severe sickness
or disease. Hospitals are the primary places to which our loved ones go to die. In 2011, the
American Hospital Association (AHA) listed 5,754 registered hospitals in the U.S., housing
942,000 beds and supporting 36,915,331 admissions. More than 1 in 10 Americans were
admitted to a hospital in 2011 (Houle, 2012). Thus safety in the hospital is an important public
health issue.
2.2.2 Danger in Hospitals
Hospitals are regarded as an important source of refuge in the face of serious health
challenges, but hospitals can also be a dangerous place to stay. It has been estimated that
98,000 people die from medical errors in U.S. hospitals each year (Starfield, 2000). In fact
hospitals might be considered to be one of the most dangerous places to be. Three times as
many people die every year from medical errors in hospitals than from accidents on highways –
22
roughly 100,000 deaths compared to 34,000. Of this group, 80,000 died from hospital acquired
infections (HAI), many of which could have been prevented. A medical error will cause or
contribute to the death of 1 out of every 370 people admitted to a hospital (Houle, 2012). The
U.S. has such a poor record of medical treatment in hospitals that it has been ranked by a
World Health Organization (WHO) study as 15th among 25 industrialized countries (WHO,
2000).
The challenges associated with ensuring patient safety are particularly problematic because the
management of various hospitals is not transparent. Thus it is difficult for patients to differentiate
a good hospital from a poor one. For this reason, it is important that hospitals have systems in
place to manage risks that are largely beyond the control of the patient to identify and avoid. In
2000, an article in the Journal of the American Medical Association (JAMA) said that doctors are
the third leading cause of death, behind heart disease and cancer. Doctors kill 680 people every
day with wrong treatments. A colorful image of this problem has been painted by Starfield, who
has equated this situation to one in which two large jet airplanes crash daily (Starfield, 2000).
2.2.3 Development of Risk Management in Hospitals
Risk management in the hospital setting did not gain widespread attention in the U.S. until the
1970s when medical malpractice suits rose dramatically. Figure 1 depicts the increasing trend of
product liability lawsuits from 1973 – 1991 (Hirose, 1996). The use of the courts to settle
malpractice conflicts is not however, new. According to Stuart Speiser, medical malpractice
emerged in English common law in the 19th century. This body of law involves torts, which are
wrongful acts that result in injury. Generally, medical malpractice is rooted in the idea of
negligence, defined as a failure to exercise a duty of care over a patient by behaving in a way
that does not rise to an appropriate professional standard. If a person or institution fails to
exercise reasonable care, that entity might be liable if the injury could be reasonably foreseen
23
as a consequence of the substandard conduct or lack of conduct (Speiser, 1987).
Figure 1: Product Liability Lawsuits and Average Awards in Federal and District Courts in the
United States.
Reprinted with permission (Hirose, 1996)
Negligence is particularly common as a theory of liability when a healthcare professional is
involved, because such individuals by virtue of their education and licensure are given special
permission by society to determine treatments for patients who are often unable to escape the
consequences if the treatments are not given or are carried out inappropriately.
Claims subsequent to medical malpractice increased throughout much of the 20th century, and
particularly in the latter part of the century. These claims placed considerable strain on the
financial health of hospitals and their personnel. Thus, hospitals and physicians looked to
legislators to intervene before they were forced into bankruptcy. Legislative committees at state
levels began to introduce regulations to help manage risk and medical errors in an attempt to
reduce the number of medical malpractice cases being filed and the size of payments being
made to the patients or defendants in these cases.
24
The State of Florida appeared to be one of the first states to see an escalation in lawsuits, and
these were causing many of its physicians to leave the state. Not surprisingly, then, Florida
took the lead in many initiatives relating to medical malpractice. In 1971, the Florida legislature
passed a law setting the statute of limitations for malpractice actions at 2 years from discovery.
In 1975, the Medical Malpractice Reform Act was implemented and shortly afterwards, an
omnibus malpractice bill followed. One of the requirements was for all hospitals to implement
risk management programs as a condition of licensure (USF, 2008).
The 1980s were a period in which risk management requirements and regulations became more
consolidated. Challenged by the AIDS pandemic in the 1980s, hospitals recognized the need to
manage clinical risk in a systematic way. The introduction of formal risk identification and loss
prevention programs was matched by intense legislative activity to achieve tort reform. Further,
in 1980, the American Society for Healthcare Risk Management was formed. This created the
first professional society for risk managers giving risk managers an organization that could
centralize and standardize expectations for risk management in healthcare. This organization
has since become the global leader in healthcare risk management and has been involved in
many of the risk related policy changes over the last few decades.
The drive to develop risk management approaches saw another powerful ally, the Joint
Commission on Accreditation of Hospitals (JCAH), through its initiatives to create new
standards for risk reduction in hospitals. Compliance to these new standards was expected by
January 1, 1989. Because failure to meet the expectations of JCAH for accreditation would
seriously damage the financial viability and public reputation of a hospital, preparing for
implementation of JCAH risk management requirements became a priority for risk managers in
the late 1980s. The evolution of JCAH standards for long-term and home healthcare also
presented new challenges for risk managers more familiar with acute care risk management.
The proliferation of standards afforded new tools with which to manage risk, but they also
25
strained the hospital system by generating a tremendous need for new risk education programs,
new policies and procedures, and new data reporting and analysis systems to maintain
compliance (Zimmerman & Clark, 2010).
The 1990s continued to see a focus on legislation related to patient safety and risk. Though
hospitals were viewed to be safer in the 1990s (Zimmerman & Clark, 2010), areas needing
attention still remained. The FDA brought visibility to these problems when they released the
report, "To Err is Human". That report stated:
Human beings, in all lines of work, make errors. Errors can be prevented by designing
systems that make it hard for people to do the wrong thing and easy for people to do the
right thing. In health care, building a safer system means designing processes of care to
ensure that patients are safe from accidental injury. When agreement has been reached
to pursue a course of medical treatment, patients should have the assurance that it will
proceed correctly and safely so they have the best chance possible of achieving the
desired outcome. (IOM, 1999).
At the same time, patients had high expectations and often assumed that hospital care was of
high quality. Their perceptions of risk in the hospital appeared out of proportion to their much
lower level of risk tolerance in other activities of life, such as air travel for example, as illustrated
by this scenario:
Ladies and gentlemen, welcome aboard Sterling Airline’s Flight Number 743, bound for
Edinburgh. This is your captain speaking. Our flight time will be two hours, and I am
pleased to report both that you have a 97% chance of reaching your destination without
being significantly injured during the flight and that our chances of making a serious error
during the flight, whether you are injured or not, is only 6.7%. Please fasten your
seatbelts, and enjoy the flight. The weather in Edinburgh is sunny. (Berwick & Leape,
1999)
Berwick and Leape (1999) ask the question, why would anyone choose to travel on that flight?
Yet this scenario describes the actual risks that patients could face with hospitalization.
26
2.3 Risk Management in the Twenty-First Century
2.3.1 Broadening the Scope of Risk Management
What is apparent from the foregoing summary of risk management history is that even at the
turn of the twenty-first century, risk management in health care was fragmented and challenging
to implement. The presence of many state and federal laws, oversight bodies and government
reports had provided a legislative and administrative basis for overseeing hospital risk
management but did not manage to address fully the problems that were faced by the health
care system. Risk management in hospitals is particularly complex, because no one approach
for risk management will fit every establishment. Every hospital has unique policies and
procedures, state-based regulations, and community priorities to which its risk management
systems must be adapted.
Risk management programs have been regarded as a principal approach to reduce institutional
liability and financial loss control (Troyer, 1986). Since the 1970s, many hospitals put risk
management departments in place and staffed them with risk managers. For some, the
activities of these departments continued to reflect the 70s’ mindset of mitigating the risk of
being sued by patients. Most discussions of risk management revolved around preventing
medical errors. Such a focus is not misplaced; preventable injuries have been estimated to
affect between three to four percent of hospital patients (Brennan, 1991). Such problems can
presumably be prevented by designing systems and reengineering processes that make it hard
for people to do the wrong thing and easy for people to do the right thing (IOM, 1999). However,
risk management is evolving from a view that risk management is about error prevention, to a
more holistic view that risk can take many forms, and may not be entirely confined to specific
errors of commission or omission. Hundreds of types of potential hazards exist and most of
these hazards are multifactorial, affected by the interactions between people, facilities and
27
products. A good example of the challenges presented by hospital-based risk can be illustrated
by one type of serious hospital risk, that of hospital acquired, or nosocomial, infection (HAI).
Nosocomial infections are carried by people with poor sanitary habits, who work in buildings that
are hard to clean and sanitize, and who work with products that can be difficult to use without
contamination across multiple patients. The ability of hospitals to cope with nosocomial
infection was studied by an organization named “The Leapfrog Group”. Leapfrog is a member-
supported nonprofit organization representing a consortium of major private and public
purchasers of health care benefits that covers more than 37 million Americans in all 50 states.
Leapfrog members are together responsible for tens of billions of dollars in annual health care
expenditures. Leapfrog was named for its mission – to trigger giant “leaps” forward in the safety,
quality and affordability of health care. In 2008, Leapfrog surveyed 1,282 acute care hospitals
across 37 regions in 44 states and representing more than 50% of targeted inpatient beds in
these regions. The survey showed that one out of 20 people who obtain care at an American
hospital, or two million people each year, contract an infection during their stay, and 90,000 die.
To put that into graphic context, hospital acquired infections kill almost twice as many people as
breast cancer and AIDS combined. These results are especially disappointing, since they
suggest that even Leapfrog hospitals, considered to be the nation’s highest performing hospitals
overall, lag behind in implementing the steps recommended to prevent infection (Leapfrog,
2008). Further, this same survey indicated that 65% of hospitals do not have all the
recommended policies in place to prevent many of the most common HAIs. In problems such as
these, reducing risk in one area, such as medical error prevention, may not be as successful as
an approach that addresses the multiple contributing factors more comprehensively.
In many progressive institutions, the aims and approaches of risk management have moved
considerably from the rather narrow goal of reducing medical errors. Not only are the
approaches aimed at evaluating the risk challenges more systematically, they also embrace a
28
large set of stakeholders in the process. For example, new approaches acknowledge that the
concept of the patient as a passive recipient of the beneficence of health care providers appears
outdated. By understanding the patients’ attitudes, perceptions, culture and experience, quality
becomes a more holistic concept that centers on meeting patients’ expectations. Gupta and
Kant, for example, have summarized this view by saying that quality is never an accident; it is
always the result of good intentions, and further state that “quality is not a number, rather a
function of positive perceptions” (Gupta & Kant, 2001). As a result, efforts have been made to
move the focus of risk management from narrow concerns about financial loss and institutional
liability to a broader integration with the quality of patient care. Hospital leaders began to
recognize that poor quality of care can affect the organization’s financial health in ways that do
not necessarily involve the legal system and that failure to integrate risk management and
quality efforts across systems can yield incomplete and ineffective solutions (ECRI, 2009).
Today, most hospitals have a risk manager and/or a risk management committee that has a
very wide scope of responsibility. Nevertheless, these individuals or groups are not by
themselves sufficient to assure patient safety. The risk manager who typically chairs the risk
management committee may have to accomplish their objectives indirectly by interacting with
corporate officers, chiefs of staff, directors, and health care professionals who have direct
contact with patients. However, risk managers in many hospitals occupy relatively junior
positions in the organization. They may not have access to individuals with executive functions
on a regular basis, and the goals and methods that they use to assure patient safety are not
typically reviewed at regular meetings between the risk manager and the governing board’s
executive committee or at corporate headquarters (IOM, 1990). Further they are often under
resourced and unable to exert the type of influence needed to secure more funding for risk-
related projects.
29
2.3.2 Integrating Risk Management with Quality
Almost everything that has been written about risk management identifies it as an aspect of
quality assurance. Thus, it would seem obvious that risk management and quality departments
in a healthcare facility must cooperate extensively to improve patient safety. Surprisingly,
however this often does not occur. Typically, quality and risk management are two separate
departments in most hospitals as shown in Figure 2 (ECRI, 2009). Because the two different
departments may differ in the scope of their activities, reporting structure and responsibilities,
they may react to the same issue with actions that are independent and even counterproductive.
Nevertheless, good practice would suggest that the two departments should have some overlap
to ensure that risks are handled appropriately and efficiently, and that the focus remains on
patient safety.
Figure 2: Risk Management and Quality Improvement Functions Overlap in Patient Safety.
Reprinted with permission (ECRI, 2009)
There are many advantages to implementing a quality management program that overlaps with
the risk management program. An integrated and proactive risk management and quality
program has been suggested to benefit the hospital in ways that include an overall decrease in
30
medical errors and a higher level of satisfaction by the purchasers of healthcare (ECRI, 2009).
Ultimately such satisfaction should result in higher sales and profits and the establishment of
better long term relationships with its customers.
In 2002, the World Health Organization recommended that improvements in patient safety will
only happen if health care organizations undertake a complex system-wide effort involving a
wide range of actions. There was a general concern that strategies and initiatives have failed
because narrower views underestimate the impacts and values of process improvement, clinical
practices, environmental safety, and risk management (WHO, 2002). This narrowness might
have reduced the resource allocations, planning and training needed to put adequate systems
in place. Concerns about "organizational capability" for risk management are therefore
considered to be one significant contributor to the problems in hospital systems, but relatively
little is known about the current state of organizational capability in U.S. hospitals. The focus of
the current research is directed at gaining a better understanding of this organizational
capability.
2.4 Drivers and Tools for Hospital Risk Management
To understand the current state of risk management practices in hospitals, it is useful to look at
the standards and tools that are available currently to assist the risk manager. As mentioned
earlier, hospital standards-setting bodies have been key drivers of risk management and have
typically been the bodies to which risk managers look for guidance and recommendations with
regard to best practices. In a more restricted way, FDA has had some role in establishing
requirements in certain areas under their rather narrow jurisdiction. Additionally, standards have
been developed in other fields that can potentially be used to augment the risk management
"toolbox".
31
2.4.1 Hospital Accreditation Organizations
U.S. hospitals have the option to pursue accreditation, defined as, “a self-assessment and
external peer assessment process used by health care organizations to accurately assess their
level of performance in relation to established standards and to implement ways to continuously
improve” (Rawlins, 2001). Through accreditation, hospitals demonstrate they have implemented
and maintained safety initiatives related to quality and risk management. The organizations
responsible for accrediting hospitals have been significant players in the drive to improve risk
management systems in hospitals. Three major accrediting bodies exist in the U.S., including
the Joint Commission, Det Norske Veritas, and Healthcare Facilities Accreditation Program.
These vary in the depth to which they have focused attention on risk management practices,
and the methods that they advocate for approaching risk management activities. The process of
going through accreditation is felt to drive better risk management processes and by extension
improves the safety and quality of care (TJC, 2012a). A majority of state governments have
come to recognize accreditation as a condition for licensure and for the receipt of Medicaid
reimbursement (TJC, 2012b).
2.4.1.1 The Joint Commission
The Joint Commission is the largest accreditation organization in the U.S. hospital industry,
responsible for more than 19,000 health care organizations and programs. Since July 1, 2001,
TJC has required hospitals to conduct proactive risk assessments on self-identified high-risk
processes (Coles et al., 2010). Specifically, TJC Standard LD.04.04.05 states:
The hospital has an organization-wide, integrated patient safety program within its
performance improvement activities. Element of Performance 10: At least every 18
months, the hospital selects one high-risk process and conducts a proactive assessment
(LD-34 – LD-36).
Typically, such proactive risk assessments are carried out by using a particular tool, FMEA. In
32
this method, a single situation that poses risk is identified by the hospital and then evaluated
with the goal of designing mitigations for the principal risks. By proactively performing risk
assessments, future problems could be avoided that would presumably improve safety and
quality of care (Adachi & Lodolche, 2005). However, the use of FMEA (described in more detail
in FMEA section below) is typically focused on a specific issue, and is therefore appositional to
the notion of systems-wide, holistic risk control approaches.
2.4.1.2 Det Norske Veritas
An alternative route to accreditation, used by about 3% of U. S. hospitals, relies on an EU-
based system, called “Det Norske Veritas (DNV)”. DNV was established in 1864 in Norway as a
foundation to inspect and evaluate the technical condition of Norwegian merchant vessels. DNV
describes itself as a provider of services for managing risk, with the objective of “safeguarding
life, property, and the environment” (DNV, 2012). The core competence of DNV has been to
identify, assess, and advise on how to manage risk, through a focus on compliance and
education. As the basis for its quality assessments, DNV uses integrated standards from the
internationally recognized ISO 9001 quality management system requirements to base
recommendations for best practices related to risk mitigation.
2.4.1.3 Healthcare Facilities Accreditation Program
The third option for the hospital certification accreditation route is through Healthcare Facilities
Accreditation Program (HFAP). It used by about 10% of U.S. hospitals and is a nationally
recognized healthcare facility accreditation organization. HFAP standards include CMS and
other nationally recognized standards, as well as evidence based best practice and selected
patient safety initiatives (HFAP, 2012).
33
2.4.2 Food and Drug Administration
Accreditation organizations play an impactful role in risk management for hospitals across a
wide spectrum of activity. The FDA has a narrower, but nonetheless important role as well. The
FDA has limited authority to govern the practice of medicine, but it does have the responsibility
to oversee the safety, including the post-market safety, of pharmaceutical products and medical
devices. In this regard, many of the pharmaceutical products and medical devices have
reporting requirements for adverse events. These programs have significance for the hospital
because the hospital is often the place where serious adverse events are recognized and
reported. FDA develops the forms for reporting adverse events and collects the reports into
databases that can be mined for safety signals. The FDA is also a source of considerable
information about risk management because it has active programs to assist medical product
manufacturers when they develop and implement mandated risk management plans (FDA,
2009). However, FDA does not have its own stand-alone standard or specific tools to
benchmark and manage risks in a hospital. It relies primarily by reference to standards
developed outside of the Agency, and provides guidance documents that direct companies to
what it feels are the most appropriate of those standards.
2.4.3 Benchmarking Standards
The accrediting and oversight agencies described above typically recommend specific risk
management tools to their constituents. However, no single stand-alone standard exists to
guide risk management for hospitals. Risk managers can pick and choose from a number of
tools and standards that might vary in their fit for the hospitals in which they work. Such
flexibility can be used to advantage by a sophisticated risk manager but can overwhelm less
experienced practitioners.
34
To provide a background for the work to be carried out here, it is useful first to consider the most
common standards promoted for risk management activities. Standards typically define either a
systematic process or desirable outcome of care. As an example of the former definition, the
Occupational Safety and Health Act of 1970 identifies a safety and health standard in which it:
requires conditions, or the adoption or use of one or more practices, means, methods,
operations or processes, reasonably necessary or appropriate to provide safe or
healthful employment and places of employment. (OSHA, 1995)
As an example of the latter, in 1990, the Institute of Medicine defined a quality standard as:
a minimum level of acceptable performance or results or excellence levels of
performance or results or the range of acceptable performance or results. (IOM, 1990)
Standards can be written as a result of public, private, voluntary and/or regulatory initiatives,
and can be developed to address issues in many areas of interest to healthcare organizations.
At a systems level, standards for healthcare organizations are typically set to provide
benchmarks for licensure, accreditation and in some circumstances, reimbursement through
Medicare. At a more granular level, standards are used to accomplish specific functions or to
address narrower issues, such as the management of personnel or the assurance of safe
access to therapeutic products such as drugs and medical devices. It is beyond the scope of
this thesis to detail all of the thousands of standards that can affect various aspects of the
healthcare system. An overview of the principal standards that might be usefully employed to
guide hospital risk management systems are described in order to detail the principal standards
that are available to a well-informed risk manager in that system.
2.4.3.1 ISO 31000
A well-recognized source for standards in general, and risk management standards in particular,
is the International Organization for Standardization (ISO). Its recently developed ISO 31000
35
risk management standard is the most broadly based of the risk management standards in its
collection. This standard was designed to be applied generically to many types of industries and
organizations. Thus it emphasizes a set of core features of risk management that would be
valuable to any company. These features are listed in Table 1 (ISO, 2008).
Table 1: Features of Risk Management enunciated by ISO 31000.
Modified from the Committee Draft of ISO 31000 Risk Management (ISO, 2008).
ISO Features of Risk Management
Create value – resources expended to mitigate risk should be less
than the consequence of inaction the gain should exceed the pain
Be an integral part of organizational processes
Be part of decision making
Explicitly address uncertainty and assumptions
Be systematic and structured
Be based on the best available information
Be tailor able
Take into account human factors
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Be capable of continual improvement and enhancement
Be continually or periodically re-assessed
ISO 31000 is only a few years old at this time, and is the first of a family of proposed standards
relating to risk management. ISO says,
The purpose of ISO 31000 is to provide a universally recognized paradigm for
practitioners and companies that could be adaptable for “any public, private or
community enterprise, association, group or individual.” (ISO, 2009)
Because of its generic approach and cross-functional appeal, the standard has a particular
strength for hospital systems in that it can support various departments at the institution, so that
they can together work toward a common set of risk management objectives. Such an
36
approach can foster the integration of existing risk management systems and thus reduce "silo
mentality" that can develop if different departments have more specific risk management
standards.
ISO 31000 is intended to provide a common approach to incorporate standards dealing with
specific risks and/or sectors, rather than replacing those standards (ISO, 2009). The general
approach of the standard is based on an interactive process model as shown in Figure 3.
Because a broadly-based, process management standard is absent in the hospital industry, ISO
31000 could be a foundation on which future hospital systems may build. It may be particularly
valuable to address the multiple needs of diverse constituencies in the hospital setting and is felt
by some to better equip hospitals to manage the changing healthcare environment (Mai, 2011).
However, this standard is still poorly recognized in the U.S. hospital industry; it is possible that
only a small percentage of risk managers have studied this standard and adopted this approach
into their risk management process at their respective hospitals.
37
Figure 3: ISO 31000 Risk Management Process.
Source ISO 31000:2009, Risk Management—Principles and Guidelines. (ISO, 2009)
2.4.3.2 ISO 14971
The ISO 14971 “Application of Risk Management to Medical Devices” is another international
risk management standard that was precedent to ISO 31000, and was developed quite
specifically for risk management with respect to medical devices. It has become the primary
recognized standard worldwide for satisfying regulatory requirements related to medical product
safety. Several countries have formally recognized this standard including the U.S. Food and
Drug Administration (FDA) and Health Canada. The European Union has adopted it as a
38
harmonized standard, Japan has designated it as a Japanese Industrial Standard, and Australia
has made it their "de facto" standard for risk management (ISO, 2007b). Although the standard
was never intended for a broader use in hospitals, the fact that it was the "only game in town"
for several years made it an influential standard in other parts of the health care industry.
Figure 4: ISO 14971 Risk Management Process.
Source ISO 14971 - Risk Management for Medical Devices. (ISO, 2007a)
ISO 14971 is a much narrower standard than ISO 31000. Its purpose is to assist medical
device manufacturers in establishing, documenting and maintaining a systematic risk
management process. This process is based on a step-wise approach to: 1) identify hazards
RISK ANALYSIS
• INTENDED USE identification
• HAZARD identification
• RISK estimation
• HACCP plus ISO/IEC 14971
RISK EVALUATION
• RISK acceptability decisions
RISK CONTROL
• Option analysis
• Implementation of measures
• Critical Control Points
• RESIDUAL RISK EVALUATION
• Overall RISK acceptance
Post-production Information
• Post-production experience
• Review of RISK MANAGEMENT
experience
Risk
Assessment
Risk
Management
RISK ANALYSIS
• INTENDED USE identification
• HAZARD identification
• RISK estimation
RISK EVALUATION
• RISK acceptability decisions
RISK CONTROL
• Option analysis
• Implementation of measures
• RESIDUAL RISK EVALUATION
• Overall RISK acceptance
Post-production Information
• Post-production experience
• Review of RISK MANAGEMENT
experience
Risk
Assessment
Risk
Management
39
and hazardous conditions; 2) estimate and evaluate the associated risks; 3) control those risks;
and 4) continually monitor the effectiveness of the controls put in place throughout the product
life cycle, as shown in Figure 4.
Although ISO 14971 is a standard directed at manufacturers, the principles contained within it
are equally applicable to other endeavors such as medical equipment risk management within
the hospital (Phelps, 2007). Further, its tenets are not dissimilar to the more globally directed
processes in ISO 31000, so that its approach could easily be generalized to other activities. The
standard is also valuable because it provides extensive guidance on specific analytical tools
such as Failure Mode and Effects Analysis (FMEA) and Fault Tree Analysis (FTA) (see below),
that have been suggested for application in risk management planning by accreditation bodies
such as the Joint Commission (Coles, 2005).
2.4.3.3 Enterprise Risk Management
ISO is not the only organization to develop useful standards for risk management. In fact,
organizations have long practiced various parts of what has come to be called enterprise risk
management (ERM). ERM is one of the more recognized and utilized disciplines being used in
hospitals today. Like ISO 31000, ERM was envisioned as a system that would be embraced by
risk managers throughout all industries as a tool to mitigate risk in a way that ensured public
safety and reduced the likelihood of failure.
ERM has been promoted by several stakeholders in the healthcare sector. For example, the
American Health Lawyers Association (AHLA), the nation's largest educational organization
devoted to health care legal issues, formed a task force dedicated to understanding how ERM
could be implemented in a healthcare environment. According to the task force,
The premise of healthcare enterprise risk management is that by evaluating all risk
exposures confronting an organization and addressing these risks proactively, the
40
organization will optimize its ability to provide safe, efficient, and effective patient care
while preserving the organizational assets required to deliver such care. The scope of
healthcare enterprise risk management is broad, and encompasses all risk domains
(categories): operational, financial, technology, human capital, strategic, legal and
regulatory. The ERM approach facilitates the development and implementation of
pragmatic, reasonable, and realistic solutions to managing risk for healthcare
organizations and providers (AHLA, 2012).
The value of ERM relates primarily to its well-established reputation, and to its broad
applicability throughout many industries, including hospitals. ERM is a tool designed to expose
system wide trends and allows hospitals an opportunity to establish best practices within their
hospitals to manage risk in a proactive way. ERM identifies risks throughout the hospital
environment and escalates them in a way that allows risk managers or staff members to prevent
or correct them. Most importantly, ERM emphasizes the usefulness of tracking and trending
risks within their hospitals.
2.4.4 Risk Management Tools
Standards provide a high-level approach to the process of risk management from risk
identification to risk control. Risk management tools are more logistical, and are used to
accomplish sub processes with these risk management frameworks. In a recent review, for
example, Chan (Chan, 2012) has identified at least 9 tools that have been recommended in
some capacity for certain types of risk analysis and mitigation. However, many of these
methods are seldom used even in medical device companies where risk management methods
are considered to be relatively sophisticated compared to those used in hospitals. The tools that
are most commonly suggested and are most likely to be used in a hospital environment include
two methods, failure modes and effects analysis and fault tree analysis that are discussed or
recommended in some of the standards or by accrediting bodies described above.
41
2.4.4.1 Failure Modes and Effects Analysis
Failure Mode and Effects Analysis is described in the international standard, IEC 60812. It is
typically one of the most common methods that are used for risk management, and is often
used as a framework to prioritize risks that can be analyzed further with quantitative or other
labor intensive techniques. According to the American Society for Quality (ASQ), FMEA is a
systematized group of activities to recognize and evaluate the risks of a potential failure of a
product or process and its effects on the patient or system. It then systematizes the
documentation of actions that could eliminate or reduce the occurrence of the potential failure.
From this analysis, a risk priority number is calculated so that actions can be prioritized, and
efforts can be directed at putting in place remedial actions to mitigate the problems (ASQ,
2012). FMEA is a common tool used extensively in the hospital environment, in no small part
because the accrediting agency, TJC, insists on that accredited hospitals routinely conduct
proactive risk assessments on self-identified high-risk hazards (Coles et al., 2010).
2.4.4.2 Fault Tree Analysis
Fault Tree Analysis (FTA) is described in detail in the international standard, IEC 61025.
According to the International Electrotechnical Commission (IEC),
Fault tree analysis (FTA) is concerned with the identification and analysis of conditions
and factors that cause or may potentially cause or contribute to the occurrence of a
defined top event. FTA is often applied to the safety analysis of systems (such as
transportation systems, power plants, or any other systems that might require evaluation
of safety of their operation). (IEC, 2006)
It is a top down approach used to trace the events contributing to a specified failure, in order to
identify their basic or root causes. This analysis can be used to determine the probability of an
accident or failure related to risk or patient safety. A simplified example of this approach is
depicted in Figure 5.
42
Figure 5: Fault tree representation of a series structure.
Source IEC 61025 (IEC, 2006)
Not all hospitals are in a position where they can apply FMEA. In fact, this approach may prove
to be difficult without a defined process in place. In situations like this, there are other risk
assessment tools that can be used to assess risk proactively. Table 2 highlights the features of
three of the most common alternative methods: FTA, event tree analysis (ETA), and hazard
identification. There are advantages and disadvantages to using any one of these assessments,
so that careful review of the tools must be performed when making a decision on which one to
use. FMEA considers the effect of one failure at a time. FTA and ETA take into consideration
the effect of multiple failures. Hazard identification looks at the hazards causing the risks. These
tools are employed more frequently in high-risk industries such as aerospace and nuclear
energy but have not been commonly adopted yet within healthcare related processes (AIChE,
2002).
43
Table 2: Features and Comments on Three Kinds of Proactive Risk Assessment Methods.
Reprinted with permission (Meldi, Rhoades, & Gippe, 2009)
2.5 Lessons from Risk Management in Other Industries
Over the last few decades safety science has developed rapidly, driven by the need to respond
to disasters in areas such as chemical manufacturing, nuclear power generation and civil
aviation, where failures are considered to be intolerable by the public and government. These
occasional but catastrophic failures and disasters were lessons for these industries that
motivated them to modify their risk management systems (Van der Schaaf, 2002). Several
protective mechanisms have resulted from such responses. These industries ensure public
safety by strict regulations, clear benchmarks, and effective audits. They also have robust risk
44
management systems, from which valuable insights might be gained to guide hospital systems
trying to improve their risk management performance.
It is beyond the scope of this thesis to survey all of the literature related to risk management in
other industries, but a high-level evaluation of their histories and current state point to several
factors that have fostered robust risk management programs.
1. Oversight: In certain highly regulated industries such as transportation, aviation and
nuclear power management, the ability to control risk through regulation would
appear to have been assisted because specifically targeted governmental agencies
were designated to oversee the effectiveness of risk management. As a result,
significant resources were available to set and communicate priorities related to
public health risks, to monitor progress in achieving goals, to direct resources toward
areas of need, and to bring visibility to important issues. A similar system of oversight
does not appear to exist in the hospital system. Various agencies and organizations
in health care may contribute to certain of types of risk-related activities, but there is
no focal point for raising and sustaining attention to patient safety. Without it, many
have expressed the belief that health care is unlikely to achieve the degree of safety
improvements achieved in other industries (IOM, 1999). Even today, health-care
facilities must develop their own methods to manage risk within a system in which
risk management is monitored in a much less prescriptive way. Developing effective
controls over risk is made difficult both by the level of complexity of the problem, and
by the relatively modest development of people and tools capable of dealing
effectively with that complexity.
2. Public visibility: Policy actions are often spurred by public awareness and protest.
Safety in commercial aviation provides a good illustration of this potent force. In the
1940s, strenuous efforts were undertaken to ensure safety and to implement risk
45
management systems in aviation. In large part the development was spurred by two
essential elements: 1) the sensationalism of a spectacular crash that caused public
fear and 2) a subsequent exhaustive investigation in response to public pressure that
helped to ensure the allocation of resources and the implementation of stringent
oversight. As a result of this effort, we rarely see plane crashes today. In the
absence of such sensationalism, aviation would not likely have reached its current
level of sophistication in only 60 years. In a healthcare system, however, public
image and liability are often managed by limiting disclosure, and therefore removing
the key weapon of public pressure that might increase the motivation to change the
status quo in the hospital (Appel, 2012).
3. Increasing sophistication of models and frameworks: Many high-risk industries have
invested heavily in risk management research and tooling. Another advantage of
looking outside of the healthcare community for risk management insights is the
ability to identify general theoretical models and frameworks that might be helpful to
study or improve hospital risk management systems. Such frameworks or models
are important because they can help to systematize the study and subsequent
improvement of a system. They help to control for the bias of the risk management
practitioner or researcher and to ensure that the areas of interest are covered in a
balanced way.
This literature review has previously highlighted that risk management frameworks for
healthcare are in early stages of development. However, it is important that the framework
selected to guide the research or analysis be aligned as closely as possible to the problem at
hand, and that the limitations of any framework be recognized. Thus, what follows is an analysis
of a number of models that have been promulgated in the field of risk management more
generally, in order to identify how and when these previously developed approaches will have
46
value for understanding the current state of hospital risk management. From this list of sampled
methods/frameworks, one, the Capability model of Sullivan and Beach (Sullivan & Beach,
2009), will be suggested as a framework for the research in this thesis.
2.6 Frameworks for Studying Risk Management
The foregoing literature underscores the need for robust risk management systems if hospitals
are to manage risk effectively. It also provides evidence that our understanding of current
practices regarding risk management systems in hospitals is incomplete. If risk management
systems are to be improved, it is important to understand better the way that they are currently
configured as a benchmark to identify areas that might be weak. A number of approaches are
available to frame such research more systematically. These approaches appear from review
of the literature to fall into two main classes that rely on studying risk management processes
and risk management systems respectively. Most of the risk management models or
frameworks examined in this study could be considered to be PROCESS models; they focus on
the action steps needed to make a risk management decision or series of decisions about a
specific incident or process. Their structure is much like that of the sequential models for risk
management described in a number of risk management standards, including ISO 14971 for
medical devices. These process models are described only briefly below, not because they lack
value for risk management activities in hospitals, but because they are perhaps too focused on
the practice of risk management than on the structure of the system in which the risk
management is carried out. The other approaches, based on SYSTEMS models, are then
described and one of these approaches is suggested for use in the current study.
47
2.6.1 Examples of Process Models
2.6.1.1 Risk Management Models of Valsamakis and Colleagues
The risk management model presented by Valsamakis and colleagues (Valsamakis, Vivian, &
du Toit, 2000) is similar to that described in ISO standards outlined earlier for specific risk
management activities. It proposed a risk management model for risk control in the financial
industry. Figure 6 depicts the essential features of this model. The cycle begins with risk
identification, and then progresses to risk evaluation. At the level of risk evaluation, the model
differs from that in ISO 31000 or 14971 in that a bifurcation is introduced at which an explicit
decision must be made to identify whether to direct the next stage of activity toward risk control
or risk financing.
Figure 6: Risk Management Model of Valsamakis.
Reprinted with permission (Valsamakis et al., 2000)
This risk control model was then extended by Valsamakis et al. (Valsamakis, Vivian, & du Toit,
2005) to elaborate on the risk control and risk financing elements within the risk management
process, as shown in Figure 7. This model is interesting because it adds a financial dimension
that can be an important component for any risk management process, where decisions are
48
often prioritized according to resource availability. Although it was designed for a different
industry than that under consideration here, it could be used in the hospital industry, where
some decisions must be affected by considerations of the cost to mitigate a risk or avoid the
consequences of legal proceedings. However, the model is not comprehensive with regard to
the overall risk management process. For example, the typical elements of risk identification
and evaluation are not explicitly identified.
Figure 7: Risk Control Model of Valsamakis.
Reprinted with permission (Valsamakis et al., 2005)
2.6.1.2. Project Management Risk Model by Gray and Larson
A more traditional model of risk management not unlike that of ISO 14971 was described by
Gray and Larson (2010) (Figure 8). This model is not remarkable for its innovative nature but it
does emphasize that a balanced risk management approach like that described in more
specialized standards is in fact applicable to a broad range of industries in which project
49
management principles are typically applied (Gray & Larson, 2010). There are four steps in this
iterative framework.
Figure 8: Risk Management Model from Gray and Larson.
Reprinted with permission (Gray & Larson, 2010)
Much like previous models described in this chapter, risk must initially be identified (step 1) and
followed by an assessment of the risk based on its severity and likelihood of recurrence (step 2).
At this point, a risk control plan can be developed by identifying mitigation strategies and new
risks associated with changes in the product (step 3). Risk response control is the last step (4)
in the process, when strategies are implemented. The model captures the important feedback
50
mechanisms to monitor, track, and trend the effectiveness of the risk control implementation to
ensure that the risk is in a state of control and to make adjustments as needed.
2.6.1.3 Project Management Problem-Solving Model (Karis, 2012)
An even more general decision-making model that could be used to deal with risk was
described by Karis (Karis, 2012) (Figure 9). In this model, a series of steps were identified to
increase the chances of success in decision making.
Figure 9: Project Management Problem-solving Model.
Reprinted with permission (Karis, 2012)
This model has many of the elements of the other frameworks described above, but uses
different names for the elements and illustrates them in a different manner. Nevertheless, like
other process models, it starts with an identification step, followed by a problem definition step
that parallels the risk identification stage of most risk models. However, the model separates the
decision to act and the analysis of risks and further divides these steps into specific sub
51
processes (Figure 9). The third step, of deciding if and when to act is broadly similar to the risk
evaluation phase, but it adds considerations of stakeholder interests and alternative strategies.
What then follows is an unusual step called “selling the solution”. This element is interesting
because most models neglect the importance of buy-in when attempting to implement a control
strategy. This element may be especially useful in a hospital environment where many voices
must be heard. Only then does the model proceed to an implementation and then an evaluation
phase.
2.6.1.4 Risk Management Model for Tourism
Not all process models follow the typical waterfall sequence of typical risk management
frameworks. One such model designed specifically for the tourism industry was described by
Shaw (2010). Figure 10 depicts a model that tries to capture the multidimensional nature of risk
management in the tourism industry. The model has certain advantages by deemphasizing risks
as singular entities and showing how multiple risks may have to be analyzed concurrently.
52
Figure 10: Risk Management Model for Tourism.
Reprinted with permission (Shaw, 2010)
2.6.2 Risk Management from a Systems Perspective
The aforementioned models of risk management are useful because they assist practitioners to
understand how to make decisions, but they do not address the way that an organization, such
as a healthcare system, should staff its team and benchmark its preparedness for effective risk
management at a systems level. Thus the aforementioned models were considered to be at
best limited and perhaps even inappropriate as frameworks to explore the questions of interest
in this study, that is, to understand how hospitals were implementing teams and systems for
their risk management activities. Fewer higher level models or frameworks for this kind of
systems-level study were found in the risk management literature, but three potential models
were explored as candidate frameworks for the present study proposed here.
53
2.6.2.1 FDA Framework for Risk Management
The FDA has made several attempts to identify methods to control risk. As early as the 1960s,
concerns over patient safety led FDA to introduce Good Manufacturing Practices (GMP). The
GMP system was a novel idea at the time but appeared with experience to be insufficient to
control all classes of risk. In particular, the agency was disturbed that more than 40% of the
post-market medical device problems came from faults in the actual design of medical devices
and thus could not be easily remedied by attention to manufacturing alone (FDA, 1990). Since
that time, an increased focus on risk management can be recognized in revisions to the
regulations, but most of these efforts were concerned with processes, such as the introduction
of design controls as part of the 1996 regulation, 21 CFR 820 – Quality System Regulation
(FDA, 2009).
However, not all of FDA's efforts have been focused on process models of risk management.
The most notable high-level model of risk management was that described in a report titled
"Managing the Risks from Medical Product Use" , suggesting the need for a systemic framework
to structure the risk management of medical products (FDA, 1999). Figure 11 reveals the risk
management framework created by the committee. It highlights the stakeholders involved in this
process which include risk managers, clinicians, and patients. What this model does is bring a
higher level perspective to understanding risk management systems. However, because the
jurisdiction of FDA is limited to medical products and foods, the model is directed at medical
product risk rather than hospital risk, and does not generalize easily to the study of hospital
systems.
54
Figure 11: FDA’s View on Managing the Risk of Pre-Market and Post-Market Product Risks.
Source: U.S. Department of Health and Human Services, Managing the Risks from Medical
Product Use (FDA, 1999)
2.6.2.2 Risk Management Framework (Shortreed, Hicks, & Craig, 2003)
A risk management framework that focuses more generally on the steps to organize a risk
management system was designed by Shortreed and colleagues (Shortreed et al., 2003). They
suggested that a good risk management framework should enhance and improve risk
management by making it more transparent, more efficient, and more interactive across
functional working groups. Such a goal demands a stronger emphasis on systems level
organization. Figure 12 shows their proposed risk management framework as a set of three
elements: decision making, operations to reduce risk, and risk assessment and treatment
55
options.
Figure 12: Risk Management Framework.
Reprinted with permission (Shortreed et al., 2003)
"Decision making" represents the place or entity where the decisions are made. Commonly this
element reflects the role of senior management and aligns with the corporate vision or strategy
of the organization. The stakeholders affected by the decisions are engaged in this step and
appropriate decisions are made to reduce risk related issues.
“Operations to reduce risk” is a placeholder for the place or entity where internal processes are
implemented, standards are created, and education of the employees is carried out. Through
exercising these initiatives, perhaps by using any one of the process-oriented risk management
models described above, specific risks may be reduced.
”Risk assessment and treatment options” is a placeholder for the place or entity responsible for
56
assessing risk. This group may be responsible for decisions about how to mitigate risks and to
benchmark progress toward risk control.
2.6.3 The Organizational Triangle (Guldenmund, 2010)
A recently introduced model of risk management, the Organizational Triangle by Guldenmund
(2010), also recognizes the importance of individuals rather than processes. It focuses on the
importance of culture as part of the system that affects safety. Guldenmund describes culture as
follows:
culture is an intangible, fuzzy concept encompassing acquired assumptions that is
shared among the members of a group and that provides meaning to their perceptions
and actions and those of others (Guldenmund, 2010).
"Culture" typically encompasses the prevailing ideas, values, attitudes, and beliefs that guide
the way in which its employees think, feel, and act. For some, culture is the “glue” that holds an
organization together and for others, the “compass” that provides direction (Tharp, 2009).
Guldenmund places culture in relation to two other aspects of the organization, its structure and
processes, as shown in Figure 13.
57
Figure 13: The Organizational Triangle.
Reprinted with permission (Guldenmund, 2010)
"Structure" is the organization that dictates how activities such as task allocation, coordination
and supervision, will be accomplished in order to achieve the goals of the organization (Pugh,
1984). The way in which each organization is structured shapes the way that individuals work
and interact (Jacobides, 2007).
"Processes" are the patterns of activity taking place throughout an organization, often divided
into three levels: the primary processes, which deal with the main output(s) of an organization,
such as software integration and hardware installation; the secondary processes, which support
the primary ones, for example, management and quality control; and the tertiary processes, for
example, the formulation of policies and strategies designed to drive and support both the
primary and secondary processes (Guldenmund, 2010).
58
2.6.4 The Conceptual Model (Sullivan & Beach, 2009)
Sullivan and Beach (2009) described an alternative conceptual model to explain how
operational capabilities are achieved and maintained in organizations such as nuclear power
stations, chemical processors, and military and medical care providers, where environments are
dangerous and the risk of failure is often catastrophic. Sullivan and Beach suggested that the
capability of an organization is defined by two elements, competence and resources (Figure 14).
In this model, "Resources" typically include elements such as time, money, people, technology,
and information. "Competences" typically include elements such as proprietary process
knowledge, unique skills and experiences (Sullivan & Beach, 2009). Competence includes the
skills, procedures, knowledge and experience of an organization’s members. An organization
may not succeed unless it allocates people who are competent and capable to perform in their
assigned roles.
59
Figure 14: The Conceptual Model.
Reprinted with permission (Sullivan & Beach, 2009)
In this model, operational reliability is portrayed as a scale held in equilibrium by five interacting
forces: expectations, risk factors, resources, competence factors, and consequences. If the
weight of capability is sufficient to counteract the weight of risk, the scale remains in balance,
and the organization’s systems continue to operate reliably (Sullivan & Beach, 2009).
Recently, the Sullivan and Beach model that relied on two capability factors was reexamined by
Chan in a study of risk management in the medical device industry (Chan 2012). Chan pointed
out what had been observed in many recent analyses of catastrophes, that the ability to learn
from mistakes and incorporate that learning when facing new problems was also important to
improving outcomes. He therefore found it useful to add a third element, that he called
60
"Memory", to this model (Figure 15). In principle, it might be possible to subsume this third
element under the two other headings with artful distribution of some of the memory elements
into the other two categories, but the importance of institutional memory was sufficiently great in
his estimation to merit explicit identification as a third element (Chan, 2012).
Figure 15: Research Model for Medical Device Risk Management Implementation.
Reprinted with permission (Chan, 2012)
2.6.5 Research Model for Risk Management Implementation
Both the framework of Guldenmund and of Sullivan and Beach can be viewed as
complementary and might be combined to look broadly at risk management systems, as
suggested by Chan (2012). However, for the present work, the principal goal was to understand
more specifically the "capability" of risk management systems in hospitals. Thus it seemed
reasonable to select only one of the frameworks as a basis to structure an exploratory study that
addresses the intent stated in the first chapter, to understand the extent to which risk
61
management systems in hospitals had the tools, resources and staffing appropriate to handle
and improve risk management. Thus we will use the model of Sullivan and Beach, as modified
by Chan (2012), to frame the survey in this research. Aligned with this approach, the three
elements of resources, competence and memory, will be explored. Resources will be
considered to include not only financial and staffing aspects of support but also tools that are
recognized and used by the risk management teams. Competence will be considered to include
the training, experience and appropriateness of responsibilities of the individuals tasked with
making risk management decisions. Under this element we have also included considerations
of the competence of the organization more generally, as reflected in its reporting structure and
level of management involvement. Memory will be considered to include features such as the
tenure of staff, the rate at which systems evolve in response to lessons learned, and the way in
which those lessons are captured and used for future reference.
62
Chapter 3: Methodology
3.1 Introduction
The exploratory study was directed at probing the views of risk managers with regard to the way
that risk management is conducted within their hospitals. The research had three stages. The
first stage was carried out to analyze the literature related to the tools and practices associated
with hospital risk management. This review was summarized in Chapter 2. In the second stage,
a survey instrument was developed to capture information about 1) demographics, 2) capability
with regard to tools, job descriptions, resource allocation and staffing, and 3) attitudes toward
the current state of risk management in the hospital. In the third stage, the survey was delivered
to a group of risk managers.
3.2 Development of Initial Survey
The purpose of the survey was to determine current approaches and hiring practices in risk
management within the hospital industry. It further probed the level of satisfaction expressed by
risk managers with regard to hospital and regulatory standards and guidelines in place at this
time. The survey was developed and deployed using the web-based survey tool, Qualtrics
(www.qualtrics.com), which is a respected provider of online survey software.
3.3 Focus Group Conduct
Before the survey was sent to study participants, a focus group was formed to examine and
discuss the quality of the survey questions prior to circulation of the survey. The focus group
was comprised of 12 professionals who worked in biomedical product industries, quality-
centered consulting companies, certification organizations or hospitals throughout the U.S.
(Table 3). These individuals had affiliations with medical-products industries, quality-centered
consulting companies, certification organizations or hospitals throughout the U.S. and had deep
63
domain knowledge of survey methodology and/or risk management appropriate to provide a
meaningful review of the survey. The initial survey instrument included in Appendix A, “Pre-
Focus Group – October 31, 2012” was developed before the focus group took place. The
investigator developed this survey instrument based on the research model described in
Chapter 3. The focus group was held on November 20, 2012.
The focus group met for 90 minutes to review each question in the survey and provide
commentary on how to better phrase or configure each question. Typically their suggestions
included creating a better flow to the survey, removing several redundant questions that were
considered to add little additional value, and adding several questions surrounding the capture
of “lessons learned” and the “retention of knowledge” elements of interest. The focus group was
also encouraged to give feedback on the appropriateness of the depth and content of questions
aimed at probing certain elements of the framework. Most of the discussion period was spent on
questions relating to the memory element of the research model, which they considered to be
incomplete. They suggested adding a few more questions to this part of the survey. The
results of these deliberations were incorporated in the final survey contained in Appendices A
and B, where both the draft survey and modified survey are included for comparison.
64
Table 3: Participants in the focus group
Name Title
Frances Richmond, PhD
Director, International Center for Regulatory Science
USC School of Pharmacy
Gerald Loeb, MD
Professor of Biomedical Engineering, University of Southern
California
Susan Rose, PhD
Executive Director, Office for the Protection of Human Subjects,
University of Southern California
Patrick Locke
Compliance and Risk Management Coordinator, St. Joseph
Hospital, Eureka, CA
Thomas Bates, RN
Legal Nurse Consultant, Risk Management, Keck Hospital of
University of Southern California
Karen Chapman, MHA
Associate Administrator, Safety & Support Services, Keck
Hospital of University of Southern California
Ellen Whalen, DRSc
ACGME Institutional Coordinator for Keck Medical Center of
University of Southern California
Ronald Alkana, PhD Professor of Pharmacy, University of Southern California
Tony Chan, DRSc Fellow, US Food and Drug Administration
Eunjoo Pacifici, PhD
Assistant Professor of Clinical Pharmacy, University of Southern
California
Caroline Mosessian, PhD
Vice Chair, Administration and Finance Executive Administrator,
Keck Hospital, University of Southern California
Benson Kuo, PhD
Associate Director, Regulatory Consulting Center, University of
Southern California
3.4 Survey Deployment and Analysis
A survey web-based link was sent by email on January 9, 2013 to a group of 340 selected risk
managers who worked in hospitals throughout the USA. This group was selected from
individuals known to or introduced to the investigator so that the sample of respondents could
be selected more carefully and could be approached personally to participate in the survey.
The majority of survey respondents had no concerns about taking the survey and responded to
more than 80% of the questions. Eight respondents who initially committed to taking the survey
65
had to rescind their participation because corporate policies of their employer prevented them
from participating in 3
rd
party surveys. A small percentage of participants initially identified that
they did not receive a link to the survey, usually because it was automatically sent to their junk
or spam folders through a corporate automated filter. After conversing with these participants on
the phone or via email about this problem, a survey link was sent to their personal email
address. No recompense was offered to the participants, but a summary of the survey was
circulated to participants who took the survey and expressed an interest in seeing the results.
Anonymity of their comments was guaranteed and assurance was given that their identities
would be concealed.
In the survey, questions were asked about the size of the hospitals at which respondents
worked; hospital size was assessed according to the number of beds. The survey attempted to
capture information about the approaches that risk managers take at their hospitals. It evaluated
the risk standards that are being used to frame and anchor their activities and query the
perceived adequacy of those tools by their practitioners. The survey also questioned the risk
managers with regard to areas in which more standards, guidance or tools could be developed
in order to facilitate their jobs, and explored those areas of risk management that were
considered by the risk managers to be most challenging.
Questions of yes/no or multiple choice formats were graphed and analyzed to determine the
major trends in the topic areas covered by the survey. Questions that solicited open-ended
responses were examined for information content and were used to supplement or clarify
responses in the multiple choice answers. Information regarding the number of individuals to
whom the email is sent was compared to the number of returned surveys to estimate the
response rate. After data was analyzed, it was presented to ASHRM.
66
Chapter 4: Results
4.1 Analysis of the Survey Results
The responses to the questionnaire are analyzed in nine sections. Sections 4.2 to 4.5 outline
the demographic information and profiles of the respondents, the hospitals, the risk
management systems/departments, and the hospital employees, with questions grouped as
shown in Table 4. Sections 4.6 to 4.8 describe responses to questions regarding the types of
risks faced by practitioners, and the tools and standards used to implement risk management,
with questions grouped as in Table 5. Sections 4.9 to 4.10 consider the general opinions and
levels of satisfaction of the respondents with respect to their approaches to risk management in
Table 6.
67
Table 4: Classification of questions to describe the profiles of the respondents, the hospitals,
risk management systems/departments, and staffing of the associated organization.
Section Questionnaire Items
4.2 Profile of
respondents
1. What is your job title?
2. How long have your been in risk management?
3. How long have you been in your role?
4. What is your primary level of responsibility?
5. What is your educational background?
6. For what other areas do you have responsibility?
14. Indicate the frequency in which you participate in the following activities:
4.3 Profile of
hospitals
29. What is your hospital affiliation?
30. What type of hospital do you work in?
31. The total number of beds for which you are responsible?
32. What type of accreditation body does your hospital use?
34. Does your hospital have a process for the retention of knowledge and
experience?
4.4 Profile of
departments/
systems
8. How does your hospital structure the risk management department?
9. How long has your current risk management system been in place?
12. Rank the following risk management items that your hospital used to
define success:
4.5 Profile of
employees
7. How many full time equivalent (FTE) employees are dedicated to risk
management?
10. What is the average amount of time an employee stays in their risk
management position at your facility?
11. How often is mandatory risk management related training provided to the
professional caregivers?
68
Table 5: Classification of questions to describe top risks, the use of risk management items and
tools, and the use of risk management standards.
Section Questionnaire Items
4.6 Top risks
15. What are the top 3 risks at your hospital perceived by management?
16. What are the top 3 risks at your hospital perceived by you?
4.7 Risk
management
items and tools
12. Rank the following risk management items that your hospital uses to define
success:
13. What risk management tools do you use?
19. Rank in order of frequency the tools used to identify risk:
17. Do you feel you have adequate tools to perform your job?
18. If no, then what tools do you need to perform your job?
4.8 Risk
management
standards
20. What risk management standards do you use for risk management?
21. If a standard were created for risk management in hospitals, what organization
should develop it?
22. Do you feel there would be value in having a standalone risk management
standard for hospitals?
23. What might a standalone risk management standard include?
24. What advantages might there be in a standalone risk management standard?
25. What disadvantages might there be in a standalone risk management
standard?
69
Table 6: Questions to elicit opinions and measure levels of satisfaction with risk management
systems.
Section Questionnaire items
4.9 General
opinions
26.1 Does your hospital require you to obtain the Certified Professional in
Healthcare Risk Management (CPHRM) certification?
26.2 Is there a general awareness at your hospital that Risk Management could
impact patient safety?
26.3 Does your hospital have internal procedures that define risk management
activities, procedures, and processes?
26.4 Do you feel your hospital management perceives risk management as a
positive return on investment as opposed to a mandated expense?
26.5 Does your hospital adopt lessons learned from the past into the risk
management system?
27. What do you need to help manage risk that is not currently included in
standards, policy or guidance?
33. Can you describe how you track lessons learned or near misses?
36. How is knowledge and experience transferred from employees leaving the
hospital?
4.10 Levels of
satisfaction
28.1 The amount of emphasis your hospital places on patient safety and risk.
28.2. How corporate leadership values the function of risk management.
28.3 The support you are given from senior management to perform your duties
as a risk manager.
28.4 The budget you have to perform your duties as a risk manager.
28.5 The way that your hospital captures risk issues for future reference.
4.2 Profile of Respondents
The survey was sent to 340 risk managers at hospitals throughout the USA, and 108
responded, providing a response rate of 32%. The majority of the respondents (56%) were
Managers. A further one-quarter of the respondents self-identified as “other”, and within this
second category, most indicated they were Risk Managers (Fig.16).
70
Figure 16: Profile of the respondent’s job titles. The bar graph below identifies the most
common titles, and below are the titles supplied by the respondents who self-identified “Other”.
Other (Please specify)
Patient safety and Risk manager Risk Manager/Data Analyst
Risk Manager Risk Manager/Patient Advocate (Oxymoron)
Risk Analyst Risk Manager
Risk management consultant Risk manager
Risk Manager Clinical Risk Analyst
Corporate Risk Manager for Clinics, Practice
Plan and Health Plans
Risk Manager & Compliance Officer
Legal Nurse Consultant Clinical Risk Manager
Consultant Risk Manager & Patient Safety Officer
Risk Manager Risk Manager/Patient Safety Officer
Risk Manager Risk Manager
Risk Manager Risk Management Coordinator
Risk Management duties Risk Manager
Risk Manager Risk Manager
Respondents had a variety of academic qualifications. The most common qualifications were
Registered Nursing (RN) degrees (72%), followed by certifications (30%) or undergraduate
nonclinical degrees (29%). Relatively few individuals had a clinical undergraduate degree (27%)
71
(Figure 17).
Figure 17: Profile of the respondent’s educational background.
Other (Please specify)
Nursing School Diploma
ARM, CPHRM
CLNC
Undergraduate – health information management
Current Graduate Student – MJ in Health Law
Barton Certificate – OHIC CRM course
BS Criminology
Legal Nurse Consultant
Most had over 2 years of experience and nearly half had over 10 years of experience (44%) in
risk management (Figure 18A). Their experience in current roles ranged from less than 2 years
(23.9%) to over 10 years (25.7%) (Figure 18B).
72
Figure 18: Profile of the respondent’s experience in risk management, A: overall, and B: in
current position
A:
B:
Most respondents (58%; 61/106) were responsible for a single facility but 10% (11/106) of the
respondents were responsible for 2 facilities and a third (34/106) were responsible for 3 or more
facilities. Respondents identified responsibility in a variety of roles including, most commonly,
adverse event reporting (92%); legal, lawsuits and litigation (88%); policy development (76%);
training and education (60%) and risk financing/claims (54%) (Figure 19).
73
Figure 19: Main areas of responsibilities of the respondents
The respondents were asked how often they participated in specified risk management activities
(Table 7). Analysis of the modal values of the responses ranging from "Never" to "All of the
time” indicated that respondents were involved most frequently in managing claims under
$5000, litigation, and depositions (mode = all the time). The next most frequent activities were
policy development, recalls, insurance, meetings with patients and families, complaints and
grievances (mode = often). Less frequent activities were related to plant operations, security,
HIPAA enforcement, and corporate compliance.
74
Table 7: Activities of the respondents
# Question
Never
Rarely
Sometimes
Often
All of the
Time
Total
Mean
1 Policy Development 0 3 22 52 19 96 3.91
2 Finance 15 31 30 15 5 96 2.63
3 Plant Operations 14 25 33 19 5 96 2.75
4 Security 3 13 43 28 8 95 3.26
5 Recalls 2 8 25 42 19 96 3.71
6 Claims under $5K 7 10 11 27 41 96 3.89
7 Litigation 2 8 12 20 54 96 4.21
8 Depositions 5 14 16 23 37 95 3.77
9 Insurance 6 10 21 31 28 96 3.68
10
Meetings with Patients/
Families
2 17 24 36 17 96 3.51
11 Complaints/Grievances 1 5 21 41 28 96 3.94
12 Lost and Found 26 25 21 14 9 95 2.53
13 HIPAA Enforcement 4 18 36 30 8 96 3.21
14 Corporate Compliance 2 19 31 24 20 96 3.43
15
Clinical Competence
(clinical peer review)
14 28 21 20 13 96 2.90
16
Professional Standards
(behavior review)
18 27 31 11 9 96 2.65
17 HR/Personnel Issues 10 35 38 10 3 96 2.59
18
Environment Health
and Safety
3 20 36 26 11 96 3.23
4.3 Profile of Hospitals
Most respondents were employed by a health system (60%); the least frequently reported
75
affiliation was with a hospital group (15%). Over two thirds of the respondents (84%) worked in
a not-for-profit hospital and only 15% in a for-profit hospital. The total number of beds in their
hospitals ranged from less than 50 (7%) to over 600 (21%) (Figure 20). A little over one third
(40%) worked at hospitals with 200-599 beds.
Figure 20: The total number of beds where the respondents worked
A cross tabulation of data between the number of beds in a hospital compared to the number of
employed risk managers at the hospital showed that 62% of the participants worked in hospitals
with more than 200 beds but less than one-fifth of these large hospitals employed as many as 5
or more individuals in their risk management team (Figure 21).
76
Figure 21: Cross tabulation of hospital beds >200 and Risk Management FTE
The large majority (83%) of hospitals in which the respondents worked used the Joint
Commission (TJC) as its accreditation body (Figure 22).
77
Figure 22: Accreditation body used by the hospital
Other (Please specify)
American Osteopathic Association
CMS
CMS
CMS
None
Department of Health/CMS
CARF, TJC
4.4 Profile of Risk Management Departments/Systems
Figure 23 presents an outline of the risk management departments/systems at the hospitals in
which the respondents worked. Over one third (39%) had an independent risk management
department. A similar proportion (38%) combined risk management with the quality assurance
department, and one tenth (10%) combined risk management with the legal department of the
hospital. A variety of other structures for risk management were reported by 12% of
respondents. These included combinations within a quality division, employee health
department, or human resources department.
78
Figure 23: How the hospital structures the risk management department
Other (Please specify)
1 person responsible for Joint Commission and Risk Management, reports to VP for Medical
Affairs
Patient Safety and Risk Management
Combined with Quality Management and Data Management
Part of a corporate department with risk managers at each of 10+ hospitals
Combined with HR (used to be combined with Legal)
But we report to the Quality Division VP
Combined with Employee Health Department
Also dotted line to legal
Loosely tied to legal and work with outcomes
Provided by large medical systems’ self-insurance program
Independent, but under Hospital System Risk Management Department
Most of the risk management systems had been in place for a number of years. Over half of the
respondents (58%) reported that their current risk management system has existed for over 10
years, and only 4 respondents were associated with few systems younger than 1 year (4%) or
1-3 years (11%) (Figure 24).
79
Figure 24: How long has the current risk management system been in place?
4.5 Profile of Staffing Patterns
Risk management departments in hospitals appear to be relatively small. Most frequently, only
one full-time employee was reported to be dedicated to risk management (38%) but numbers
ranged from less than 1(14%) to five or more (21%) (Figure 25). The level of experience in risk
management also varied, from 1-10 years, but most respondents in this group appeared to have
more than 4 years of experience.
80
Figure 25: Number (A) and retention times (B) for full-time equivalent employees in risk
management
A:
B:
Training did not appear to be a significant focus for the risk management offices (Figure 26).
Most of the respondents who could answer this question (57%) reported that mandatory risk
management training is provided annually. Monthly or quarterly training (6%) was performed
much less frequently (15% and 6% respectively). Several respondents did not know (22%) how
81
often such training was provided.
Figure 26: How often mandatory risk management training is provided?
4.6 Top Risks
The respondents identified a cumulative total of 171 top risks that they believed would be
recognized by their upper management. The top 20 risks that were identified by 2 or more
respondents are listed in Table 8. The 3 most frequent risks focused on patient safety. Injuries
(e.g. falls) were most frequently identified (20% of total), as were hospital acquired infections
(12%) and medication errors (9%). Claims/litigation, communication issues, and
readmissions/premature discharges represented 3% of the risks identified by management.
Patients with pressure ulcers/sores, patient complaints, Emergency Department issues,
preventable events/errors, staffing issues, surgical events, and patient violence/aggression each
represented about 2%. Bad publicity, challenges of regulatory compliance, evidence- based
care, hand-offs/transitions, management of behavioral health patients, and obstetric claims
related to obstetrical treatments represented 1%.
82
Table 8: Top risks perceived by management
Risk Frequency
Patient injuries (e.g., falls)
35 (20%)
Hospital acquired infections
20 (12%)
Medication errors
16 (9%)
Claims/litigation
5 (3%)
Communication issues between staff and patients
5 (3%)
Readmissions/Premature discharges
5 (3%)
Patients with pressure ulcers/sores
4 (2%)
Patient complaints
4 (2%)
Emergency Department issues
3 (2%)
Preventable events/errors
3 (2%)
Staffing issues
3 (2%)
Surgical events
3 (2%)
Patient violence/aggression
3 (2%)
Bad publicity
2 (1%)
Regulatory compliance
2 (1%)
Evidence based care
2 (1%)
Hand-offs/transitions
2 (1%)
Management of behavioral health patients
2 (1%)
Obstetric related claims
2 (1%)
Patient satisfaction
2 (1%)
Many additional risks were identified by single respondents. These included risks related to
facilities and equipment, general or specific issues related to quality of patient care, and issues
related to regulatory, legal or certification issues (Table 9).
83
Table 9: Additional risks perceived by management
Additional Risks
Aging facility Infiltrations
Alarm fatigue Issues related to mortality
Allergies Loss of revenue
Care coordination/planning Loss of statutory caps
Care quality Maintaining silos
Compliance with TJC Medication Errors
Computer frequently goes down Never events
Consent Issues New processes/services
Cost reduction Oxygen
Delay in treatment Peer review
Documentation errors Recruitment of physicians
Electronic/hybrid medical record
documentation
Renovation/construction
Electronic medical records Resident supervision
Environment of Care Snow and ice
Equipment failure Specimen labeling
Electronic records Staff injury
Escalation Staffing shortages
Failure to treat and recognize Standards (SCIP, CAUTI etc.)
Financial Streamlining
Financial associated with HCAHPS Training of personnel
Financial loss Unfriendly venue
Financial risks due to healthcare reform Unrealistic patient experience
Financial/billing accuracy Visit from state agency
Increasing acuity of patients
84
The respondents identified that they also had risks that they considered personally important,
with more than 190 individual areas or elements mentioned at least once. The top 26 risks that
were identified by 2 or more respondents are listed in Table 10. The 3 most frequent risks
included patient injuries (e.g. falls) representing 13% of the total, followed by communication
issues (7%) and medication errors (5%). Emergency Department issues, electronic medical
records, hospital acquired infections, obstetric issues, difficulties implementing standards each
accounted for 4% and staffing issues for 3%. Documentation issues, management of behavioral
health patients, staff education/training/competency requirements, and surgical events/errors
each represented 2%. Accountability, claims/litigation, computer issues, hand-offs/transitions,
patient complaints, patient identification errors, and pressure ulcers each represented 2%. Care
coordination, lack of critical thinking/clinical judgment skills, resident supervision, safety issues,
specimen labeling, and failure to assess/monitor/treat patients each accounted for 1%.
85
Table 10: Top risks perceived by the respondents
Risk Frequency
Patient injuries 24 (13%)
Communication issues between staff and patients 13 (7%)
Medication errors 9 (5%)
Emergency Department issues 7 (4%)
Electronic medical records 7 (4%)
Hospital acquired infections 7 (4%)
Obstetric issues 7 (4%)
Difficulties implementing standards 7 (4%)
Staffing issues 6 (3%)
Documentation issues 4 (2%)
Management of behavioral health patients 4 (2%)
Staff education/training/competency requirements 4 (2%)
Surgical events/errors 4 (2%)
Accountability 3 (2%)
Claims/litigation 3 (2%)
Computer issues 3 (2%)
Hand-offs/transitions 3 (2%)
Patient complaints 3 (2%)
Patient identification errors 3 (2%)
Patients with pressure ulcers/sores 3 (2%)
Care coordination 2 (1%)
Lack of critical thinking/clinical judgment skills. 2 (1%)
Resident supervision 2 (1%)
Safety issues 2 (1%)
Specimen labeling 2 (1%)
Failure to assess/monitor/treat patients 2 (1%)
4.7 Risk Management Items and Tools
The respondents were asked to rank the risk management items that their hospitals use to
define success, on a scale from 1 to 7. Their responses, in Table 11, are highlighted according
to most frequent ranking. Analysis of the modes (i.e., the highest frequencies in the distributions
86
among the responses ranked between 1 and 7, in blue, Table 11) indicated the main trends in
how the respondents ranked the specified items.
Table 11: Ranking of risk management items that the hospitals use to define success
Item
Rank
1 2 3 4 5 6 7
No
Reply
Decrease in number of reportable
events
40
(37%)
10
(9%)
13
(12%)
9
(8%)
10
(9%)
5
(5%)
2
(2%)
20
(18%)
Decrease in number of paid claims 23
(21%)
34
(31%)
8
(7%)
8
(7%)
5
(5%)
12
(11%)
0
(0.0%)
19
(17%)
Decrease in number of complaints 2
(2%)
6
(6%)
33
(30%)
14
(13%)
22
(20%)
11
(10%)
1
(0.9%)
20
(18%)
Number of days patient stayed in
hospital
3
(3%)
2
(2%)
5
(5%)
35
(32%)
13
(12%)
27
(25%)
4
(4%)
20
(18%)
Number of Hospital Acquired
Infections
7
(6%)
17
(16%)
13
(12%)
14
(13%)
33
(30%)
5
(5%)
0
(0.0%)
20
(18%)
Number of patient falls 9
(8%)
20
(18%)
16
(15%)
9
(8%)
6
(6%)
29
(27%)
0
(0.0%)
20
(18%)
Other 6
(6%)
0
(0.0%)
1
(1%)
0
(0.0%)
0
(0.0%)
0
(0.0%)
82
(75%)
20
(18%)
87
The respondents were asked to identify the risk management tools used by risk
managers. Their responses are recorded in Figure 27. The most frequently used tools
were Root Cause Analysis (97%), Failure Mode and Effects Analysis (73%) and
Standard checklists (56%). Fault Tree Analysis was rarely used (2%).
Figure 27: Risk management tools used by respondents
Other (Please specify)
Fishbone diagrams, flowcharts
RL Event Reporting database
Serious Safety/High Reliability programs
Transparency
Education
Common Cause Analysis
Process mapping
5 Whys and 7 Ways
Apparent Cause Analysis
Serious Safety Event tools
Claims and Patient Safety Net database
PDSA
88
The respondents were asked to rank the frequency with which they would use risk
certain tools to identify risk (Table 12). Analysis of the modes (i.e., the highest
frequencies in the distributions among the responses ranked between 1 and 6) indicated
the main trends in how the respondents ranked each tool. Based on the modes,
electronic incident reporting was ranked first, phone calls from staff were ranked second,
phone calls from patients were ranked third and fourth, referrals from committees and
medical staff was ranked fifth, and trigger tools were ranked last.
89
Table 12: Ranking of the frequency of tools used to identify risk. Boxes in blue indicate
the most frequent choice made.
Item
Rank
No reply
1 2 3 4 5 6
Electronic Incident Reporting 56
(51%)
15
(14%)
11
(10%)
2
(2%)
2
(2%)
3
(3%)
20
(18%)
Phone calls from staff 12
(11%)
34
(31%)
18
(17%)
16
(15%)
5
(5%)
4
(4%)
20
(18%)
Phone calls from patients 3
(3%)
14
(13%)
21
(19%)
21
(19%)
20
(18%)
10
(9%)
20
(18%)
Committees 9
(8%)
9
(8%)
14
(13%)
20
(18%)
25
(23%)
12
(11%)
20
(18%)
Medical staff referral 3
(3%)
2
(2%)
18
(17%)
20
(18%)
23
(21%)
23
(21%)
20
(18%)
Trigger Tools 6
(6%)
15
(14%)
7
(6%)
10
(9%)
14
(13%)
37
(34%)
20
(18%)
The respondents were asked if they had adequate tools to do their job. Over half (59%)
replied "Yes" and about one third (30%) replied "No". The remainder (11%) did not reply.
The respondents were then asked, "If no, then what tools do you need to perform your
job?”. Table 13 shows the thematic grouping of verbatim responses from the 33
respondents who replied "No". A third of the respondents identified a need for additional
staff (33%) and a fifth (21%) suggested a need for better electronic systems. About a
tenth asked for a better organized system (12%), more time (12%), or more
education (9%). Individual responses, each representing 3% of the total, called for
better job descriptions, more resources, a patient safety officer, and trigger tools.
90
Table 13: Thematic analysis of other tools needed to perform the job as risk manager
Response Theme
More staff More staff
More staff More staff
More staff More staff
More help More staff
More staff – I am a one person department More staff
Clerical support More staff
I would not call it an issue of tools but rather manpower to perform the
numerous tasks and daily crisis management.
More staff
Additional support personnel or additional 1/2 time Risk Manager (someone
to do the work while I am off)
More staff
Human resources to centralize peer review and quality monitoring. More staff
Support staff for routine but timing consuming tasks More staff
We need more risk management staff. There are only five risk managers
currently, and there is just too much to be done.
More staff
Better systems that integrate for tracking/trending patient events Better electronic system
Electronic incident reporting and data collection and reporting system Better electronic system
Software for litigation management Better electronic system
New risk information system, currently in pursuit (we do not electronic
submission yet-still on paper)
Better electronic system
Proven RM computer program Better electronic system
Statistical tools and expertise to use them Better electronic system
User friendly electronic reporting system - we use Meditech - this is not
accessible by all employees.
Better electronic system
Defined instructions or policies on what risk management should be doing
and not be doing.
Better organized system
Better organized system. Development of a safety program Better organized system
Better direction. We fly by the seat of our pants on most days. Better organized system
Tighter process with the way the department is structured; Better organized system
Full time as risk manager More time
Full time job would help----long story---hospital/budget cut-backs, etc. More time
More time More time
More time. My job is split between risk and quality. Both take considerable
time and resources.
More time
More education More education
Would benefit from more educational opportunities. More education
Ongoing continuing education, classes, seminars More education
We could also use some help creating or better defining job descriptions.
This would help all of us in understanding what our jobs are and we wouldn't
have to crossover so much into other areas where our expertise is shallow.
Better job descriptions
Not so much tools as resources to keep up with tools More resources
A patient safety officer Patient safety officer
Trigger tools Trigger tools
91
4.8 Risk Management Standards
The respondents were asked: "What risk management standards do you use for risk
management?” (Figure 28). The majority (85%) used Internal Policies and Procedures;
over two thirds used State Standards (70%) and a majority used those published by the
Agency for Healthcare Research and Quality (60%). A little over one third (38%) used
Enterprise Risk Management. Internationally recognized risk management standards,
such as ISO 14971 and the Project Management Framework for Risk were used
relatively rarely (2% and to 7% respectively).
92
Figure 28: Risk management standards used by the respondents
Other (Please specify)
American Society of Healthcare Risk Management
Corporate Standards
iHI
Joint Commission Standards as appropriate
The respondents were asked, “If a standard were created for risk management in
hospitals, what organization should develop it?" (Figure 29). Most (85%) suggested the
American Society for Healthcare Risk Management would be most appropriate. Other
organizations were mentioned only infrequently (e.g., the American Hospital Association
[1%]; Centers for Medicare and Medicaid Services [3%]).
93
Figure 29: If a standard were created for risk management in hospitals, what
organization should develop it?
Other (Please specify)
Too wide reaching for one standard
Don’t think there can be a national standard as state laws, regional trends, insurance
policies, types of hospitals (teaching, rural, urban) all vary
I don’t think one agency should be responsible for creating a standard in multi-faceted health
care environment.
I don’t believe in global standardization
The need for such a standard was not always seen to be of value by all respondents
(Figure 30). When asked "Do you feel there would be value in having a standalone risk
management standard for hospitals?” 41% replied "Yes" but nearly one fourth (22%)
replied "No". The remaining participants did not know (33%) or did not reply.
94
Figure 30: Value in having a standalone risk management standard for hospitals
The respondents were asked "What advantages might there be in a standalone risk
management standard?" (Figure 31). Two thirds (66%) suggested that such a standard
might establish a path to common practices for risk management throughout the
industry, and a little more than a half (61%) suggested that such a standard would set
clear expectations of risk management. Almost half (49%) suggested that such a
standard might increase patient safety and 43% suggested that it might define risk
management metrics are defined. Relatively few (22%) suggested that such a standard
would make it easier to train and educate employees.
95
Figure 31: Advantages that might be gained from a standalone risk management
standard
Other (Please specify)
Accountability
Consistent application of principles
Proactive framework
We can continue to be the ‘Switzerland’ and neutral parties even though we may report to a
certain department and comfort in knowing there is consistency in practice. When a RM is all
alone it sure does help to know that if I do this, this, and this, I will meet the SOC.
96
The respondents were asked "What disadvantages might there be in a standalone risk
management standard?" (Figure 32). Most frequently, concern was expressed that such
a standard would reduce flexibility (57%), would conflict with state laws (49%) or might
be challenging to maintain if it were to change routinely (42%). The least frequent
concerns included the expense associated with its support (27%) and the lack of control
in maintaining a risk management standard (24%).
Figure 32: Disadvantages there might be in a standalone risk management standard
Other (Please specify)
The role of the risk manager and responsibilities of the risk manager vary by institution.
Lack of autonomy and confidentiality in investigations.
Needs to be flexible enough to adapt to settings where resources are limited and roles are
frequently combined or shared.
Too many variables to define.
Differences between urban and rural hospitals.
Building another silo.
Lack of leadership support to implement.
The only disadvantage would be it created a MONSTER to manage.
Respondents identified a broad range of potential elements when asked what elements
should be included in such a standard (Table 14).
97
Table 14: What might a standalone risk management standard include?
Comments
Risk controls
Areas of responsibilities
Improving overall patient safety
Standard reporting measures/definitions
Concepts of enterprise risk management
Event reporting system same for all facilities
The practices used by the majority of risk managers.
Risk is a part of all. Do not create more silo behaviors!!!
Event triggers or outcomes that put the organization at risk.
Standard outline of department responsibilities and over sight.
Direct report to CEO with frequent reports to the Board members.
Metrics from evidence based practice Systems to support data analysis
At least bare minimum policies, common definitions, common job functions
Mandatory incident tracking systems. Not all hospitals have these in place.
The state of Florida has the requirement for a risk manager and some required elements
Risk Management be part of the Administrative/Leadership team to improve communication
It could mimic the joint Commission standards' headings, for example Medications, Environment of Care,
but have Risk Management content.
Since we are the 411 and 911 call center for anything and everything that staff do not know what to do
about (risk related or not), standards would be helpful.
A framework for what a risk management program should look like, data analytics (leading and lagging
indicators, scorecards, educational framework, integration principles
Has to be integrated into the state/JCAHO/Risk Management because Nursing does not have time to
research all but has to have the practices integrated in their work plan for continuum of quality care.
I am not sure what you mean by stand-alone risk management standard. Each facility is unique. I have not
been in the field for long but have worked in health care for 25 years. RM is so multifaceted that one
standard may not fit all.
Because I am now in a role where I am 'it' - and only 24 hours a week, I would like standards that are easy
to read and understand - like the 10 commandments per se or the list of Never Events. I do not want a
standard that makes more work or makes my job more difficult or confusing.
The requirements of a risk manager and what we are obligated to do in our roles. It would also be good to
understand what the expectations are when it comes to risk in a hospital. It would be very helpful if all risk
managers used a standard within the US because we would have a benchmark or a foundation for risk
management. Even a very low level or skeleton type standard would be better than what we have now,
which is nothing.
Finally, respondents were queried about the ways that knowledge and experience was
transferred from employees leaving the hospital to the remaining individuals (Table 15).
98
Table 15: How is knowledge and experience transferred from employees leaving the
hospital?
Comments
Don’t know
Don’t know
Unknown
Poorly
Poorly
It isn’t
It’s not
It is not
I don't think it is at this point
I don’t believe it is
Often not too well
Not always
Not as well as it could be
It is not usually captured
It is not unless gleamed from the documents left behind and reviewed.
Some have an exit interview but doesn't involve transfer of knowledge. I don’t think they do this.
Exit Interviews
Exit Interviews
Exit Interview with HR
Exit Interview with HR
Exit Interviews are offered
There is an exit interview conducted by HR
This needs improvement
Turnover is low
By notes or electronic files
At the discretion of the RM
Only via on the job transfer
Through records and mentoring
Policy, procedure, and practice standard
Policies and procedures; meetings to educate and transfer information.
Hope for a period of time the new employee works with the old employee.
When I retire, there will be a transition period to cover as much history and experience as possible.
If there is the opportunity an orientation takes place. In my case this did not happen. It was baptism by fire!
Orientation provided by prior manager to new manager when available, Orientation binders continuously
updated
99
Comments (cont’d)
We have exit interviews in Human Resources, but otherwise, there is no formal process. Often a position
is not filled until well after the person has left, so there is often no time for knowledge and experience
transfer. Sometimes the new person is oriented by the person leaving the position.
There is a big gap in this area. There's SO MUCH knowledge, culture and experience walking out the door
when an employee leaves the organization. Often, their book of experience is not highly valued by those
taking their place. And, there's organizational checklist of important skills, lessons learned, etc., to follow.
Finally, there's just SO MUCH to learn just in every day rote/routine tasks to accomplish that the big,
overarching lessons and experience just don't make their way into the picture until there is another failure.
In respect to handoff at a management and administrative level, handoff typically comes from the
employee leaving to a contracted interim replacement who then trains the permanent replacement. In
regards to other staff leaving, learning may be passed on from exit interviews, these are not performed
routinely.
We maintain a Risk Management SharePoint Site where all of our Risk Management knowledge and
experience is documented (Guidance documents, databases, policies, procedures, etc.) and have recently
launched a Risk Management Intranet website where a subset of this information (the exception being our
Risk Management internal policies and procedures) is available to others in the organization.
In Risk specially, the knowledge and experience lives in the occurrence reporting system, Midas. In other
positions, it is usually passed from someone who does have an answer to the new person.
We have begun a process for succession planning, however it is not fully developed. We have many
senior leaders who will soon be looking at retirement who retain a great deal of knowledge. For those that
leave on a good note, there is time built for a transition period of staff.
Exit interviews and a transfer of knowledge. When an employee leaves, they take some time to sit down
with the manager or team and review anything they have on their plate when it comes to risk. They also
transfer all their files to the manager or team. They are also required to complete a survey or questionnaire
that asks specific questions about their knowledge and experiences at the hospital. This information is
collected and used by the risk management team for future events or risk scenarios.
Hand-off communication and successor training. For example, I was mentored and trained for 4 weeks
prior to my predecessor’s retirement.
Not a clue...I can only assume that it does not happen. For example, when I took my position, the person
before me left prior to my start. And my direct supervisor, the Director of Quality and Risk Management,
was available to me but it was really learning as you go and grow the position.
Additionally, only about one fifth of the respondents (24%) reported that they worked a
hospital that had a process for retention of knowledge/experience (Figure 33). A third did
not know if there was a process for retention and the most common answer was that no
such system existed.
100
Figure 33: Have a process for retention of knowledge
4.9 General Opinions
Respondents suggested most commonly that the risks management activities in their
hospital(s) were seen to be relatively important (Table 16). Analysis of the modes (i.e.,
the highest frequencies in the distributions among the "Yes", "No" and "Do not know"
responses) indicated that a large majority of the respondents (80%); agreed with the
statement “Is there a general awareness at your hospital that Risk Management could
impact patient safety?”. A slightly lower proportion (73%) identified that their hospital(s)
had internal procedures that define risk management activities, procedures, and
processes, and a similar proportion (70%) suggested that their hospital was able to
adopt lessons learned from the past into the risk management system. However, less
than two-thirds (59%) felt that their hospital management saw risk management as a
positive return on investment as opposed to a mandated expense. The majority of the
respondents (53%) replied "No" for the question, “Does your hospital require you to
obtain the Certified Professional in Healthcare Risk Management (CPHRM)
certification?”
101
Table 16: General opinions of the respondents
Item Yes No
Do not
know
No reply
Is there a general awareness at your hospital
that Risk Management could impact patient
safety?
87
(80%)
2
(2%)
1
(1%)
19
(17%)
Does your hospital have internal procedures
that define risk management activities,
procedures, and processes?
80
(73%)
9
(8%)
1
(1%)
19
(17%)
Does your hospital adopt lessons learned from
the past into the risk management system?
76
(70%)
10
(9%)
4
(4%)
19
(17%)
Do you feel your hospital management
perceives risk management as a positive return
on investment as opposed to a mandated
expense?
64
(59%)
11
(10%)
13
(12%)
21
(19%)
Does your hospital require you to obtain the
Certified Professional in Healthcare Risk
Management (CPHRM) certification?
31
(28%)
58
(53%)
1
(1%)
19
(17%)
Additionally, the respondents were asked what they would need to help manage risk that
is not currently included in standards, policy or guidance. Their responses are included
in Table 17 below.
102
Table 17: What respondents would need to help manage risk that is not currently
included in standards, policy or guidance?
Comments
Staff
More time!
Best practice
Staff education
Staffing standard
Well defined metrics
Defined responsibilities
C-suite engagement is a must.
Updates on the latest trends.
Authority to hold staff Accountable
Checklists and protocols would help
An electronic event reporting system.
Nursing participation in risk avoidance.
Commitment to action plan implementation
More staff engagement in failure anticipation.
More time evaluate, educate and to reassess.
Standard outpatient ambulatory care practices
Shared learning, early warnings and legal consistency.
Cooperation and communication among departments.
Our program is stable. I'm not aware of any needs at this time
Appropriate electronic interface systems and additional resources
Human factors experts. Crew resource management implementation
Information and coaching on how to impact culture change with nurses.
More follow up to RCA action items and communicating lessons learned.
Proactive in identifying risk. Currently are reactive due to department size.
We have a comprehensive and well-supported program for risk management.
Support for ongoing education access to electronic reporting by all associates.
Staff to deal/work with all that needs to be improved....or more hours in the day.
Enterprise Risk Management - currently working on getting senior leadership buy-in
Recognition that we need to be proactive and non-punitive. Safety and prevention first.
Nothing; the issues are within my organization's leadership and culture of the organization.
I am a one man department and could use another full time employee since I also manage employee health.
More on ERM, templates for measuring falls, claims, suits, etc. More information on whether or not PSO
should be pushed.
Support of the executive and mid-level leadership when Risk Management recommends change in practice,
policy/procedure, or investigation.
103
Comments (cont’d)
There is nothing that tells risk managers what a developed and effective risk management program should
look like.
Support of the executive and mid-level leadership when Risk Management recommends change in practice,
policy/procedure, or investigation.
I have been in this position for 6 months and still learning the position. Not able to answer the question at
this time as I do not know yet what all is included.
Improved risk assessment tools. This is where a standard would help say for the OR. All OR's should
essentially operate in the same way. So a risk assessment for the OR, to include Clinical aspects as well as
EOC.
I like the idea of a national standard. We use a corporate standard for some of the risk management
activities and it is very generic. It would be nice to have something from a 3rd party, government agency, or
a professional institute.
Currently need additional. With RM managing all complaints, legal issues, patient events, policies etc. and
being a one-man department, there is little time to manage proactive activities and on the spot education
that could prove very beneficial.
Staffing requirements in Risk Management- I realize that we are so diverse and dependent on the size of the
hospital we vary quite a bit. I also have a Workers Compensation Coordinator that reports to me, and these
claims can be very challenging on top of the work that I do on the patient side.
People who actually do the work are the only ones who really understand how much work the WORK
entails. So for starters I need leaders / bosses who get it. I also need Software that easily helps me
complete RCA's and Safety Alerts and Lessons Learned and Swiss Cheese and Reports to Leadership - a
one-stop shop for people who do the work.
Further, the respondents were asked to describe how they tracked lessons learned or
near misses. Their responses are included in Table 18 below.
104
Table 18: How to track lessons learned
Comments
R16
Debrief
Not well
Data base mgt
Home grown database
Event reporting system
RCAs document folders
Electronic reporting notes
Incident Reporting System
Electronic incident reporting
Online occurrence reporting system
Record by event title in spreadsheet
Occurrence reporting word of mouth
Electronic occurrence reporting system
Occurrence reports, verbal communication.
Through our STARS incident tracking system
Quarterly reporting, mandatory state reporting
From the Electronic Incident Reporting System
Event Reporting System and Access Database
In electronic reporting system, but not very well
Event reports, RCA minutes and follow-up forms
Just starting to use excel sheet to track action items
Utilize rL Solutions - online Incident Reporting System
In the RL Event Reporting System and Harvard CMAPS.
Risk Management reports to various hospital committees
Electronic reporting system and various committee groups.
Manual process using excel spread sheet, summary reports
Near misses are tracked through the event reporting system
We have an online occurrence reporting and tracking system
Mostly through voluntarily-submitted unusual occurrence reports
Review of case studies that reflect near misses that have occurred
We track through our incident reporting system as well as via RCAs.
Near misses are reported in the same reporting system as actual events.
Computer system CBR Risk, I data enter all incident reports and report quarterly
Via Critical Event Evaluation Committee and electronic incident reporting system
Action plans for RCAs and IAs Scoring in "incident reports" includes "near miss"
Through our incident reporting system.. we track the lessons learned from RCA's
Our electronic reporting system permits us to design and retrieve various statistical reports.
Inefficiently.... lessons learned in an excel spreadsheet. Need a more savvy system to track.
105
Comments (cont’d)
We complete 5 Y's and 7 ways and develop lessons learned from these and change practice immediately.
We don't wait for it to go thru a committee
We have an access database (departmental) in an attempt to capture phone calls and advice given in order
to show trends where education is needed, etc…
We have a hot line extension for anyone to call and leave a message. The message is then picked up and
transcribed, shared with the staff and entered into a spreadsheet.
Utilize a database (Midas) which is integrated with our HIS for tracking/trending. Lessons learned are
communicated through Patient Safety and Quality Improvement activities.
Near misses are reported through our electronic incident reporting system. Lessons learned are brought to
our patient safety council (staff level representatives from most departments) Currently working with the
Director of Quality and Patient Safety on this.
We do not do this well, we do meet as a system once a year to discuss lessons learned and provide issues
that we feel our education staff need to work on, but with the recent go-live of EMR the education resources
were utilized in training and we have not stabilized on this front. Sometimes, it can feel like a one man
show.....
They are documented in the Event Reporting System software, ERS. Events are entered by staff and an
email alert is generated to the relevant clinical area Directors. The Director investigates less severe events.
The RM and Director investigate events with greater severity or near misses that have potential impact and
serious safety events and findings are entered into ERS. The software can produce trend reports.
Risk Management keeps a log of all reviews (RCA and others); managers share lessons learned with
individual hospital and system-wide for the benefit of implementing a system wide approach to risk
reduction. This is accomplished through email communication to all leadership; risk management does not
consider this to be a very effective approach.
All RCAs result in an action plan that is presented to the Review Board. Action plans are monitored and
audited for approximately 6 months and re-presented to the Review Board. Performance Improvement
maintains the database of action plans.
We have an electronic database that is maintained by our quality department. They capture near misses,
incident reporting, and risk management concerns. They hold routine meetings with staff in the hospital to
communicate these. They also track them and monitor to see if like events recur or not.
Report to Performance Improvement Committee; utilize trending for formation of PI groups, or in more
severe situations, RCA groups. All incident reports are trended and reported to senior management, Risk
Management Subcommittee, Patient safety, Safety, and PI Council.
Use Electronic reporting system through MIDAS to track near misses. We also have a very robust Apparent
Cause Analysis system. This process is used for near misses where there is perceived opportunity to
prevent future occurrences that are not near misses. It is also used for less serious events with minimal
temporary harm or whenever it is determined that an analysis is needed.
106
4.10 Levels of Satisfaction
The respondents appeared satisfied with most aspects of the risk management system
at their institution (Table 19). Analysis of the modal values between "Very dissatisfied" to
"Very satisfied" indicated that most respondents were satisfied (39%) or very satisfied
(23%) with the amount of emphasis that their hospital placed on patient safety and risk.
Satisfaction with the value placed by corporate leadership on risk management was
somewhat more varied (neutral, 19%; satisfied, 34%). A similar range of feelings was
expressed with regard to the support given by senior management (neither satisfied nor
dissatisfied, 18%; satisfied, 31%). Most expressed either a neutral view (30%) or a
modest satisfaction (22%) with the budget that they had to perform their duties as a risk
manager Most were neither satisfied or dissatisfied (22%) or satisfied (42%) with the
way that their hospital captures risk issues for future reference.
107
Table 19: Levels of satisfaction of the respondents
Item
Very
dissatisfied
Dissatisfied
Neither
satisfied or
dissatisfied
Satisfied
Very
satisfied
No reply
The amount of emphasis your
hospital places on patient safety and
risk.
2
(2%)
11
(10%)
8
(7%)
43
(39%)
25
(23%)
20
(18%)
How corporate leadership values the
function of risk management
1
(1%)
13
(12%)
21
(19%)
37
(34%)
17
(16%)
20
(18%)
The support you are given from
senior management to perform your
duties as a risk manager
1
(1%)
11
(10%)
20
(18%)
34
(31%)
23
(21%)
20
(18%)
The budget you have to perform your
duties as a risk manager.
6
(6%)
18
(17%)
33
(30%)
24
(22%)
8
(7%)
20
(18%)
The way that your hospital captures
risk issues for future reference.
4
(4%)
10
(9%)
24
(22%)
46
(42%)
5
(5%)
20
(18%)
108
Chapter 5: Discussion
5.1 Summary
Risk management has been defined as “the prioritization, identification and evaluation of
risks followed by economical and coordinated application of resources to control,
minimize and monitor the impact and probability of unfortunate events” (Hubbard, 2009).
Risk management was developed to deal proactively with risks that are directly
controlled by organizations. In this study, the organizations of interest are US hospitals.
The primary objective of most hospitals is to offer the best possible care for patients, not
only by providing treatments for their diseases and injuries, but also by reducing risk
from medical errors and adverse events. Nonetheless it is clear from a voluminous
literature on this topic that hospitals still have many challenges with regard to patient
safety. The goal of this work was to identify current practices of hospitals with respect to
risk management and to identify areas in which those practices might be improved. It is
perhaps not surprising that all of the hospitals investigated here have implemented some
form of risk management in an attempt to improve the quality of care and reduce medical
errors. However, results suggest that these systems are still evolving and lack some of
the formalized structures and resources that might help to make them more effective and
efficient.
5.2 Consideration of Limitations, Delimitations, and Assumptions
The survey instrument was based on a research framework from the "conceptual" model
of Sullivan and Beach as modified by Chan, that emphasizes the importance of a triad of
elements, including resources, competence and memory. This was important because
the survey would only be administered one time with the same group of people and the
109
questions had to be created in a way that would explore several areas relevant to their
roles as risk managers. Critical data associated with resourcing, employee competence
and the retention of knowledge through memory were considered important areas to
explore and capture. The use of this framework was helpful to broaden and systematize
thinking, as specific questions were developed; however, it became apparent that some
questions that were seen to be important were not easily fit into the triadic framework. In
fact the alternative framework of Guldenmund, that has its focus on behavior, might offer
an advantage for those aspects that relate to the culture and processes of the hospital.
Many responses from the survey suggests that behavior and culture might be as
important in determining the approaches taken by the institution as capability. For high-
level studies of this type, it might be important to consider the use of a blended model
like that proposed by of Chan where the two models are both represented. It is my
opinion that a combination of these two frameworks would in fact be a better approach.
This study focused only on risk approaches and standards in the hospital setting. As a
result, it provides no insight into risk management practices in other health care settings
that are not considered to be "hospitals", such as doctors’ offices, outpatient sites,
clinics, ambulatory centers, or surgery centers. However, the types of questions that
have been asked in this survey could be adapted to examine and compare practices in
other settings. Although we might predict that smaller centers and physician’s practices
would have less developed risk management systems than hospitals, it could be
important to use the hospital systems as a benchmark to look at other entities where risk
management might also add value to patient care. Such further studies could be timely
because of a recent trend for hospitals to acquire physician practices in greatly
accelerating numbers. In 2011, the consulting firm, Accenture, predicted that by 2013,
just a third of U.S. doctors would be truly independent which Accenture defines as
110
physicians who are in a partnership or have an ownership in a practice (Kitchell & Hurst,
2011). Additionally, Figure 34 below identifies that though the total number of physicians
is increasing, the percentage that are truly independent is declining. The 33% figure
compares to 57% in 2000 and 43% in 2009. In 2008 there were 125 mergers,
acquisitions, public offerings, or private equity investments involving specialty practices,
according to the firm. In 2010 there were nearly 240, and more than 260 were estimated
for 2011 (Ziskind, Ficery, & Fu, 2011).
Figure 34: Total Number of Physicians vs. Truly Independent Physicians.
Reprinted with permission (Ziskind et al., 2011).
As such acquisitions occur, many risk managers are finding themselves challenged
because they find significant gaps between the risk management system of the hospital
and the newly acquired physician practices (ECRI, 2012). According to Eldridge, one of
the first things observed after the acquisition were “major disconnects” in risk
management systems between the hospital facility and the physician practices (Eldridge,
2011). Mitchell said that “it became evident that practices were unaccustomed to
111
identifying risk in their practice settings or [to being] held accountable for risk and patient
safety” (Mitchell, 2011). This was further complicated because “each office practice has
its own culture” (Eldridge, 2011).
The study also does not examine practices elsewhere in the world, although such a
comparison in the future might be interesting. Europe in particular has always had an
emphasis on risk management in its medical product fields that some believe to lead that
in the US. Since 2004, the EU has addressed multiple health safety and risk concerns
through sectoral legislation, with an increased focus on specific sources of risk, such as
the safety of medicines, blood components, medical devices and antimicrobial
resistance (WHO, 2010). Additionally, the Council of the European Union takes patient
safety seriously and defines patient safety as freedom for a patient from unnecessary
harm or potential harm associated with health (EU, 2009). Recently, the Joint Action
European Union Network for Patient Safety and Quality of Care has been formed to
focus on patient safety and principles related to hospital risk management in European
countries (JAPASQ, 2011). It has a core focus on patient safety and risk management
and aims to strengthen cooperation between EU Member states, international
organizations and EU stakeholders on issues related to quality of health care and patient
involvement (DNV, 2013).
In comparison, some have argued that the U.S. model of regulation is more adversarial
in nature, and thus fundamentally different from that in most European countries where
consensus-based models have been more typical (Lofstedt & Vogel, 2001). The much
reduced threat of litigation in Europe, combined with a less assertive personal style
amongst Europeans, has been suggested to affect the way that risk-related systems are
developed and enforced (Brickman, Jasanoff, & Ilgen, 1985). This fundamental
difference may relate at least in part to a wider cultural and judicial difference in the US
112
where litigation is easier, especially following injury in hospitals and where Americans
typically display more assertive and confrontational behaviors. The much higher
frequency of lawsuits in the US contributes to higher healthcare costs (Svider et al.,
2013). Present results showing that US risk managers have a principal focus on
preparing for and defending against lawsuits seem consistent with the view that litigation
is a key function, and possibly the overarching function, of many US risk managers. If
these assumptions are in fact correct, we might hypothesize that a similar survey
widened to European hospitals would show differences in the way that risk managers
spend their working day. However, the fact that Europe has so many culturally different
countries, coupled with the largely local control of hospitals, may make the operations in
hospital management more diverse and hard to predict. Thus it is not obvious how the
hospital systems in different European countries would compare to the risk management
operations in the US. Beyond Europe it is even more difficult to understand the extent
and nature of risk management practices, because so little information on those
practices is accessible, especially in countries with emerging economies.
The present study was delimited to feedback regarding risk management practices from
only one type of job function, the risk manager job function. Thus it does not look at the
system through other eyes, for example, those of the hospital executive, the committees
that review adverse events, or even the staff in the hospital. This delimitation may
introduce a bias with regard to views about the adequacy of the risk management
system because the respondents are in many cases the same individuals responsible for
the design of the risk management system. Thus they might be motivated to overlook
weaknesses that would force them to confront or even question their effectiveness as
risk managers. According to Herzberg’s Two-Factor Theory of Motivation, employees
have multiple job factors that contribute to their sense of overall job satisfaction and
113
dissatisfaction (Herzberg, 1959). If the employee feels satisfied in the work in which he
or she is engaged, those perceptions may generalize and provide a halo effect to their
satisfaction in the quality of the risk management system even if that design is poor or
flawed. One way to validate if the feelings of satisfaction generalize to others in the
hospital would be to survey others who are not risk managers. Although a more
heterogeneous range of views might be instructive, such a mixed survey could also have
a downside risk of blurring the lessons that come from those best acquainted with the
system as it currently stands. An interesting direction for future work would be to
examine whether the views expressed regarding such elements as satisfaction with the
current system by risk managers would be comparable to those of others who work in
different roles in the same hospitals.
Survey research such as this has potential limitations that might affect confidence in the
results. Based on a review of survey methodology by Geert (2008), data obtained from
respondents can be affected by five relevant dimensions of the survey: survey
enjoyment, survey value, survey cost (in time as well as distraction), survey reliability,
and survey privacy (Geert, 2008). Of these features, one area of particular concern was
that of privacy. The fact that this survey was anonymous may have helped to ensure that
respondents felt safe to express views honestly. The text responses to certain questions
appeared to identify several areas of weakness in hospital systems that might not have
been volunteered if the respondents had felt coerced to temper their expression of
honest answers.
The fact that the survey was administered over the Internet may also potentially affect its
quality. Both strengths and weaknesses have been associated with an approach in
which the contact between researcher and respondent is solely electronic.
Advantageously, it might provide respondents with a further sense of confidence that the
114
survey is anonymous. However, online surveys have been found to yield differences in
the attitudes and behaviors of the respondent with respect to the researcher
(McQuilken, Katakis, & McDonald, 2005). For example, the survey methodology does
not allow the investigator to develop a relationship with the respondent, so the
investigator cannot probe areas in which responses are unclear or incomplete. Without
that personal relationship, the respondent may lack the motivation to invest time and
energy into the survey in the same way that he or she might if they were having a
conversation with an interviewer.
In the present study, the sampling of respondents and design of the survey was felt to be
key to ensuring a sufficient volume of high quality data. Such care is important, as
pointed out by (Richarme & Rogers, 2009), to be sure not only that appropriate
respondents are identified properly, but also that surveys are cognitively and affectively
meaningful to the respondents. In this regard, an important factor to achieve the
relatively high response rate (32%) in this study was considered to be the fact that the
survey was sent to risk managers with whom the researcher had interacted previously,
and with whom the researcher had a discussion in person or by telephone to introduce
the survey.
I was particularly sensitive to the response rate for the on-line survey here because
online survey participation is generally low when participation is sought from busy
practitioners who may see little advantage to taking part in a survey. Studies of survey
response rates report average response rates from 1% to 32% depending on the type of
survey and the type of participant. One major concern is the typically low response rate
for the on-line survey, because the links to the survey are easy to ignore or delete
(Archer, 2008; Miller & Smith, 1983; Wiseman, 2003). Participation in online surveys is
thought to be easier for frequent computer users (Israel, 2011) and for those with high-
115
speed Internet access (Archer, 2003). One examination of online survey response rates
showed response rates 11% below those of mail and phone surveys, and rates as low
as 2% have been reported quite commonly (Petchenik & Watermolen, 2011). In the
medical products field, these numbers can be even lower. For example, a survey
conducted in 2010 by the Pharmatech journal surveyed 34,247 participants with only
353 responses, a response rate of only 1% (Hoffman, 2010).
I was concerned at the beginning of this study that the survey results might be skewed
toward responses from hospitals with larger risk management teams, that might have
the resources and motivation to invest in systems improvement and as a result might be
more motivated to participate in a survey designed to formalize a knowledge of current
practices, which then could be used as benchmarks. Although I may still need to
consider this source of bias in the evaluation of the responses, the fact that 7% of the
responses came from relatively small hospitals with fewer than 50 beds provides at least
some level of assurance that the voice of the smaller hospital was represented.
However, the relative weighting of small and large hospitals was uneven when
compared to national statistics on the distribution of hospitals by bed size (Figure 35).
Those latter numbers suggest that hospitals with fewer than 50 beds account for just
over 30% of hospitals (AHA, 2012). Thus, responses from risk managers in small
hospitals are underrepresented when the relative proportions of small and larger
hospitals are compared.
The underrepresentation in this study could arise from two sources. It may be attributed
to the under sampling of risk managers in small hospitals that were polled. Alternatively,
it might occur if many of the risk managers in small hospitals did not have the time or
inclination to complete the survey as anticipated. The fact that this area was
underrepresented might suggest that risk managers in these small hospitals are very
116
busy and do not have discretionary time to dedicate to other activities not closely
associated with risk management.
Figure 35: Distribution of Database Hospitals and Respondents by Bed Size Compared
With AHA-Registered Hospitals.
Reprinted with permission (AHA, 2012).
A final bias that must be acknowledged is mine. Because I work in a role that offers
audit preparation services for hospitals to prepare them for accreditation audits, I am
commonly confronted by deficiencies in hospital practices and this may affect my
judgment. I also lack significant experience in the preparation of surveys for this kind of
research. To minimize this potential source of bias, the use of a focus group to review
the survey was felt to be valuable both to assure the face validity of the survey, and to
control for some of the bias that I might otherwise have been able to introduce
unknowingly.
117
5.3 Consideration of Results
The results of this study paint a picture of a risk management system that has a diversity
of important objectives that have been placed in the hands of relatively small teams of
modestly-trained risk management personnel. Almost all of the questions asked in the
survey yielded interesting insights, but a few stood out because they highlighted areas in
which results were surprising or disappointing. These areas included, though were by no
means limited to:
1. The perceived adequacy of current risk management approaches by risk
managers (Section 5.4).
2. The relative distribution of time and resources to legal or “backward-looking”
activities compared to proactive activities (Section 5.5).
3. The structure and support of risk management departments (Section 5.6).
4. The allocation of resources toward education (Section 5.7).
5. The use of risk management tools (Section 5.8)
6. The degree of interest that respondents appeared to show with respect to having
a stand-alone risk management standard for hospitals (Section 5.9).
5.4 Are current risk management approaches in hospitals adequate?
The responses in this survey provide two pieces of information that suggest a significant
challenge for hospital risk management systems today. First is the observation that
most hospitals, even the largest ones, often have only a few individuals who hold risk
management positions and these individuals may not always have the training and
ability needed to implement some of the modern tools common to risk management in
other sectors. It seemed surprising that even in larger hospitals, less than one-fifth of
118
institutions employed 5 or more individuals in their risk management teams.
Second is the observation that these risks manager have roles that span many areas of
responsibility. The finding, for example, that risk managers can identify more than 190
areas of risk suggests that risk in hospitals has a much wider interpretation than might
be typical in a manufacturing operation. Further, risk managers identified that they were
often assigned tasks that go beyond risk management - lost and found management,
plant operations, security, human resources, and environmental health and safety. How
can risk managers maintain a proactive and focused risk management system when
their time appears to be so fractionated and their task list so reactive? Smaller hospitals,
in particular, appear to have at most one individual responsible for a full range of risk
management and associated activities. This individual may or may not have had any
formal education to prepare for such a diverse and responsible role (Bokar, 2007). The
wide-ranging job responsibilities of the hospital-based risk manager would seem to make
the job difficult to do well. It is not surprising that a common need expressed by
respondents in this study was more time or staff to do the work.
Despite the pressures, most hospital risk managers appeared to be relatively satisfied
with the degree of support and respect that they enjoyed in the hospital system. This
level of satisfaction was unexpected, given that the jobs of risk managers would seem to
be stressful. The grim picture painted of hospitals by expert groups and the media
characterize the hospital as a particularly risky place where risk managers would have
difficulty to feel in control. For example, the 2011 Health Grades reinforced the concerns
described in chapter 2, by identifying that
over 40,000 harmful and/or lethal errors are
estimated to occur daily in hospitals (Makary, 2012). A recently published book by Hoffer
and colleagues (2011) highlighted several areas of concerns related to hospital stay
(Hoffer, Saul, & Hickey, 2011). In an interview on the dangers of hospital stays, Dr. Saul,
119
one of the coauthors, summed up his view of hospital safety by saying,
My number one suggestion is to avoid hospitals unless it's an absolute
emergency and you need life-saving medical attention. (Mercola, 2013)
Because hospitals pose such great risk, it is critical that risk managers have the ability to
focus on those activities that are positioned to prioritize and mitigate risks. Nevertheless
this did not seem to be the primary way in which many risk managers spent most of their
time. The fact that the most commonly identified activities, and the only activities that
are carried out “all of the time” by risk managers, were managing claims under $5000,
responding to litigation, and dealing with depositions, suggests a system in which risk
managers are still very much part of the system to protect the institution from legal
challenges. The results here may support the contention of Bokar (2007) that risk
managers are clearly differentiated from quality managers, and perhaps not in a good
way. She advances the view that risk managers
go to great lengths to protect information. They typically conduct an in-depth
investigation to assess the liability exposure to the organization and help mitigate
any future loss that may arise.
In contrast, quality managers in hospitals, as described by Bokar, look more like the risk
managers that are typical in industry, who
aim to design formal process improvement initiatives that target the underlying
causes of the event. Their focus has not necessarily included concerns over
litigation or financial loss. Rather, their primary goal has been to improve the
quality of patient care.
Bokar expresses the view that risk and quality managers do not communicate well. She
advocates a system in which there is greater interaction between the roles of risk and
quality managers. This suggestion might seem surprising to individuals from industry
where risk management is embedded deeply in quality systems both through regulation
and accepted practice and where the risk managers are typically viewed as de facto
120
quality managers (Chan, 2012). It would be interesting to know how practices compare
when risk managers report through a quality department, as about one-third appear to
do in this survey, and whether this improves the alignment between risk and quality
managers.
5.5 Focus of retrospective rather than proactive issues
As discussed in chapter 2, risk management systems in hospitals grew out of the need
to respond to the increasing numbers of legal actions initiated by patients. Thus it is
perhaps not surprising that most risk managers in this survey are still tasked primarily
with “firefighting” and responding to litigious patients who have suffered injuries from
medical errors. However, this job orientation seems appositional to recent calls for risk
management systems to focus on correction and prevention rather than on retrospective
intervention. Time spent in looking backward is time that cannot be spent improving the
system proactively. Such time is costly, especially when it is being spent in a way that
does not add overall value to an organization. However, healthcare organizations are
often felt to lack the ability to assess realistically how opportunities and risks can impact
their bottom lines (Boser, Stevens, & Meier, 2013). It is of course important that
responses to liability claims are well-investigated and properly handled to minimize
negative outcomes associated with an adverse event or injury. However, proactive effort
to improve safety practices can reduce the incidence of injuries and consequently
minimize the frequency and severity of malpractice claims. Components key to reducing
the number of medical errors in a proactive way include appropriate management of
people and data, through team work, effective communication, evidence-based decision-
making and strategies for managing uncertainty (Lester & Tritter, 2001). Similarly,
Reason has pointed out repeatedly that effect long term error reduction is difficult to
achieve without systemic cultural changes (Silow-Carrol, Alteras, & Meyer, 2007).
121
However, such high-level, socio-cultural change can be difficult to accomplish in an
environment that tends to focus on logistical and procedural activities driven by short-
term goals. In such a task-driven culture, activities that do not “solve a problem” may be
seen as less critical or visible than responses to emergencies and injuries, where action
rather than organized risk assessment and evaluation are the norm.
5.6 Structure and Support of Risk Management Departments
Project management and risk management standards repeatedly emphasize the
importance of management support as a crucial element to ensure that resources for
risk management activities are provided and to foster a culture that improves safety
(Helmreich, 2000). Bradley and colleagues (2005) found that organizational
management support for change was the most significant factor in successful
implementation of a change (Bradley, Herrin, & Mattera, 2005). Nevertheless,
organizational leaders in healthcare are often criticized for failing to link project quality
and risk management to delivered customer value, to the bottom line, to strategy, to
tactics, to cost reduction, or to revenue enhancement (Boser et al., 2013). This survey
suggests that senior managers in hospitals vary in their support of risk management. It
is promising that slightly more than half of the respondents expressed the view that risk
management is viewed by their senior management as a positive return on investment
rather than a mandated expense, but this leaves a significant number who did not. It is
also evident through the text comments that executive management teams appear to
agree with risk managers on only some of the basic fundamentals of approaching risk
management in a hospital.
Additionally, it was apparent that hospitals structure their risk management departments
in different ways. It was surprising given the importance of this activity that only 39% of
122
hospitals configure risk management as an independent department. Instead, the risk
management operations often were identified to report through the quality assurance
department or the legal department. This can have important implications. When a
function is subordinate within a parent department, its activities tend to be shaped by the
priorities of that department. Further, in situations where multiple goals exist, Vogt and
colleagues have shown experimentally that attention is oriented typically to goals with
high value compared to goals with low value (Vogt, Houwer, & Crombez, 2011), so if the
risk management department has less salience to a supervisor that another type of
responsibility, it is likely that risk management will be lower in priority. Thus, it would be
interesting in the future to examine whether those risk managers reporting through a
legal department spend more time dealing with liability issues, for example. Several risk
managers additionally identified that they report into other departments with even more
disparate roles, including human resources, medical affairs, employee health, or various
corporate departments. It would be difficult to imagine that the directors of such
departments have the background and experience in risk management that would make
them effective leaders and resource persons for the risk manager who was placed in
their department.
It is important to question whether the current structure and state of risk management
systems are adequate for the future, when we anticipate the substantial changes in the
way the health care will be funded and administered under the new legislation of
healthcare reform bill, (H.R.3962, 2010), the Preservation of Access to Care for
Medicare Beneficiaries and Pension Relief Act of 2010. Two areas will particularly
challenge the current hospital system. First, a central goal of the forthcoming system is
to broaden access to healthcare for a wider grouping of US residents regardless of age,
pre-existing health condition, or employment status. Provisions of the Act will restrict
123
health insurance companies from excluding potential plan participants on the basis of
their current health status and from setting annual or lifetime limits on coverage.
Individuals who retire between the ages of 55-64 but currently do not qualify for
government subsidized insurance plans will be covered in the reformed healthcare
system. Additionally, preventive care will be provided free for individuals covered under
Medicare as well as individuals covered under private insurance plans. Community
health centers will see an increase in funding and as a result are expected to see a
doubling of the number of patients they serve (Stark-Humphrey, 2010). All of these new
options will test the hospital industry with an increased load of patients on facilities that
even now may be overextended.
Second, new funding rules relating to hospital licensing requirements have put into place
systems in which hospitals will no longer be rewarded for medical errors or poor
practices when insurers pay for the consequent medical treatments. Instead financial
penalties can and will be levied for poor practices. A California-based example of this
new approach was seen in December, 2012, when ten hospitals were fined between
$10,000 and $100,000 for incidents that put the lives of patients at risk (CDPH, 2012).
This challenges the hospital to reduce its medical errors, a desirable end-point, but it
could also encourage underreporting of medical errors, if such reporting has negative
financial implications for the hospital. In 2010, the American Hospital Association’s
President and CEO, Rich Umbdenstock expressed his dissatisfaction in a USAToday
editorial opposing a health reform law provision that would financially penalize hospitals
reporting the highest percentage of medical errors. Rich said,
This percentage-based penalty is counterproductive…Even if every hospital
improves, a quarter of them will be penalized. (Yin, 2010)
A punishment mentality is well-known in other venues to foster underreporting. Hospitals
124
already have many reasons to keep problems secret. Secrecy surrounding bad
management in medicine is often excused as a requirement to protect patient identity
and confidentiality (Schneider, 1985-1986). Further, it is often viewed as necessary to
protect the reputation of the institution or shield healthcare professionals from the legal
consequences of their negligence. This fear of legal action is compounded by additional
fears of career threatening disciplinary actions and criticism (Itri & Krishnaraj, 2012). A
meta-analysis of this issue conducted by (Wolf & Hughes, 2008) identified that fear of
many types- fear of reprisal, fear of liability, fear of losing respect- were amongst the
most common of reasons for underreporting. However, additional reasons such as
failure to understand the reporting process, concerns about the burden of effort, and
administrative overreaction, also had a role to play (Wolf and Hughes, 2008).
A number of studies have examined the prevalence of underreporting both in the US and
more globally. For example, a survey of US Hospitals by AHRQ in 2007, which
analyzed responses from 382 participating hospitals and over 108,000 respondents,
identified that half of the respondents felt that their mistakes would be held against them,
and that medical errors that did not harm a patient are reported only about 54% of the
time (Hannah, Schade, Lomely, Ruddick, & Bellamy, 2007). A repetition on this survey
in 2011 showed results that were broadly similar (Sorra, Famolaro, Dyer, Khanna, &
Nelson, 2011). Similar studies have been carried out in many constituencies. For
example, a study at a hospital in Saudi Arabia asked physicians if they would conceal
the occurrence of a medical error to avoid punishment, and 43% agreed that they would
(Alsafi et al., 2011). Such underreporting is of concern to the US government. One effort
to induce better compliance was implemented as a Pay 4 Performance (P4P), an
incentive based program for hospitals and physicians who report quality related data in
an effort to improve quality. Nevertheless, where there is a financial incentive, individuals
125
can be quite creative at concealing medical errors. Farmer and colleagues noted that
hospitals have the ability to undermine the outcome information based on billing data,
manipulate quality metrics, and underreport adverse events (Steven, Bernard, & Robert,
2013).
At the same time as incentives to underreport appear to be increasing, counter
pressures to implement stricter reporting also appear to be growing. This trend can be
recognized, for example, by suggestions of Paul O’Neil, former US Treasury chairman
and secretary, to the President, that he use the national platform to talk about medical
errors. In a bold statement, he recommended to the President,
In your State of the Union [address], announce that you have ordered each of the
veterans’’ hospitals and U.S. based military hospitals to connect with the internet
at 8am every day to post every hospital acquired infection, every patient fall,
every medication error and every injury to a caregiver that occurred during the
previous 24 hour period. (Versel, 2013)
How can risk management be used productively to respond to the increased load on
hospitals and the need to be transparent about problems? Expectations that a flood of
new entrants will overwhelm the healthcare system have raised concerns that
insufficient physicians will be available to treat the increase in demand for healthcare.
Several major studies have warned of a looming shortage of physicians, particularly
primary care doctors (Heisler & Sarata, 2013), under the new policies associated with
health care reform.
Some efficiency in the management of these entrants may come from a recent trend to
consolidate private-practice physicians into more centralized units, termed Accountable
care Organizations, capable of providing better and more cost effective care to patients.
The ideas underlying Accountable Care Organizations can be traced to discussions at a
public meeting of the Medicare Payment Advisory Commission in 2006. The term gained
126
familiarity and acceptance throughout the healthcare industry by 2009 when it was
included in the federal Patient Protection and Affordable Care Act (CMS, 2011).
Accountable Care networks of doctors and hospitals share responsibility for providing
care to patients. Under the new law, an Accountable Care Organization would agree to
manage all of the health care needs of a minimum of 5,000 Medicare beneficiaries for at
least three years (Gold, 2011). The incentive behind this would be cost savings for both
the patient and these organizations through the consolidation. ACOs that meet the
standards of quality care while decreasing healthcare costs, they will be given incentives
through the Medicare Shard Savings Program (Strickland, 2012). Over the last three
years, trends suggest that the rate of physician entry into ACOs has tripled (Japsen,
2013). A 2013 study by Medscape that included more than 21,000 doctor respondents
across 25 specialties (Medscape, 2013) identified that about one in four doctors “were
either in an ACO or planned to be in an ACO within a year.” By comparison, only 8% of
physicians in Medscape’s 2012 report were in or planning to be in an ACO. Hospitals
have also been hiring physicians to ensure they will have adequate staff to treat the
millions of Americans projected to gain insurance during the next few years (Kirchhoff,
2013). Looking into the future, risk management and patient safety activities can be
expected to be an integral part of this movement toward efficient healthcare provision
and value-based care (Hoppes, 2011).
5.7 The restricted resource allocation to education
Results from this survey suggest that most hospital risk managers do not have extensive
formal training in risk management. The majority (72%) of risk managers who
participated in the survey were nurses. Such a career transition might not be surprising
because clinical training is generally required for positions in institutions where patients
are treated. Working first as a healthcare professional in direct contact with patients
127
gives many risk managers knowledge of the hospital system before transitioning to a
position in risk management. Similarly other risk managers appear to come to their
positions from a diversity of other job functions, usually from within the hospital system.
However, such background preparation does not provide formal training in risk
management, and therefore provides no guarantee that the individuals who enter risk
management have the tools and training necessary to conduct risk management
activities at the standard that has become “best practice” in most other sectors of
healthcare such as medical product development or manufacturing.
The lack of specific training in risk management is disappointing given that several
educational programs tailored for risk managers are offered by universities and
professional societies, either online or in traditional face-to-face classrooms. For
example, the official website of the American Society of Healthcare Risk Managers
(ASHRM) lists one Baccalaureate degree and six Graduate degrees in Healthcare Risk
Management and/or Patient Safety (ASHRM, 2013). The website also lists 15 certificate
programs in Healthcare Risk Management from reputable universities such as Stanford
and Johns Hopkins University. Another way to gain education is through certifications
specifically directed at risk managers in hospitals. The American Hospital Association
offers a nationally recognized certification for risk managers known as the Certified
Professional in Healthcare Risk Management (CPHRM). According to the American
Hospital Association, to be eligible for this certification, applicants must either possess a
combination of a college degree from an accredited college or university plus five to nine
years of experience in a healthcare setting or healthcare service provider or have 3,000
hours or 50 percent of full-time job duties within the last three years dedicated to
healthcare risk management in a healthcare setting or with a health-care service
provider. In addition to the required education/healthcare/risk management experience,
128
the applicant must pass the CPHRM examination composed of 110 multiple-choice
questions (AHA, 2013). These programs have gained favor with risk managers as
methods to show credibility and capability as a risk manager.
Formal risk management preparation is seldom required by employers who are filling
risk management positions. Nonetheless, healthcare organizations that have increased
their focus on education and training across the enterprise are beginning to report
significant improvements in the safety and quality of patient care (Condra, 2008).
Because of the demands placed on employees who work in hospitals, online learning is
particularly attractive because individuals can train anytime and anywhere. The
American Society for Training and Development reported that one-third of eLearning is
now online and is the second most frequent method used by companies to deploy
learning (ATSD, 2008). In a survey of 525 directors of quality, directors of safety, and
risk managers performed by McFadden and colleagues in 2006, ”education and training”
was given an average of 4.54 on a 5 point scale as an effective strategy to reduce errors
(McFadden, Stock, Gowen, & Cook, 2006). These findings suggest a strong need for
risk management training in healthcare organizations. However, many institutions may
see the costs of the training and the loss of the person from their day-to-day activities as
an unnecessary cost.
5.8 The restricted resource allocation for risk management tools
A variety of tools for proactive risk management have been developed over the past two
decades in diverse sectors including the medical device and pharmaceutical product
sectors, and these activities offer lessons to others. Importantly, they stress the need to
master a body of knowledge and a variety of tools to systematize and prioritize risk
management activities. For healthcare organizations to improve their performance, they
129
would be wise to implement some of these tools including for example the use of a risk
taxonomy, in this case made specific to healthcare, and the adoption of appropriate risk
assessment methodologies so that effort is directed preferentially at those activities with
the greatest impact on quality and organizational performance (Boser et al., 2013).
Within risk management frameworks, much effort is placed on proactive anticipation of
risk, using a wide range of tools. Chan (2012) identified a wide range of tools that
included flowcharts, check sheets, Failure Mode and Effects Analysis (FMEA), Failure
Mode, Effects and Criticality Analysis (FMECA), Fault Tree Analysis (FTA), Hazard
Analysis and Critical Control Points (HACCP), Hazard Operability Analysis (HAZOP),
Preliminary Hazard Analysis (PHA), risk ranking and filtering, and supporting statistical
tools (control charts, histograms, Pareto charts, and process capability analysis, for
example). Additionally, in recent years, several hospital organizations have even
undertaken lean Six Sigma initiatives to improve key areas in patient safety and overall
quality (Creasy & Ramey, 2013). An excellent review of some of the more rigorous
systems engineering tools was recently published by the National Academy of
Engineering (IOM, 2005). All of these tools can be applied to healthcare organizations
proactively to improve process outcomes, reduce risk and/or improve patient safety,
improve throughput, and reduce cost (Rath, 2008). With such incentives, why wouldn’t a
risk manager working in a hospital be enticed to learn about and use more tools?
However, the use of multiple risk management tools appears to be unusual in the
hospital setting. Results suggest that most risk managers used only a couple of
standard risk management tools. The modest level of knowledge and use of tools may
be related in part to the relatively unstandardized education/training of risk managers.
Many health care organizations do not have experienced individuals who have ever
applied risk management tools and therefore may not understand how and when to use
130
them. Rath (2008) suggests that hospital risk managers have many misconceptions
about how to use these tools, and this may cause the tools to be applied incorrectly
(Rath, 2008). However, it may also reflect the underdeveloped state of risk management
standards and tools specific for the hospital environment.
A large number of the respondents in this survey appeared to have been in their jobs for
many years, presumably entering their risk management role before the publication of
the risk management standards now being used commonly in industry. It must be
assumed that that their familiarity with tools will depend on their more recent on-the-job
training, short courses or experience, but such education seems limited for many
respondents. This may account for the fact that relatively informal or retrospective
methods, such as internal policies, or state or professional society standards, were most
often cited as the basis for their risk management activities. Further most seemed to be
familiar with root cause analysis, a retrospective tool, and with FMEA, a tool that is
extensively used in the hospital environment, in no small part because the accrediting
agency, The Joint Commission, recommends that an FMEA analysis be conducted
routinely on self-selected hazards (Coles et al., 2010). Only a minority appeared to use
any formalized risk management framework for the systematic organization of their
activities, such as those described in ISO standards.
5.9 Interest in a standalone risk management standard
Industries that deal with risk typically have a stand-alone risk management standard.
The medical device sector most commonly uses ISO 14971 as a framework whereas the
pharmaceutical sector uses the guidance document, ICH Q9, to structure activities.
Both of these risk management frameworks are similar, and offer a basic waterfall
131
design for risk management like that illustrated in Figure 36 (EMA, 2011).
Figure 36: Overview of a Quality risk management process.
Reprinted with permission (EMA, 2011).
The framework in the medical product industries is not unlike a more general framework
for risk management, ISO 31000, that is now being proposed for companies more
generally.
However, it is difficult to identify specific frameworks for hospital risk management.
There may be several reasons for this situation.
132
1) The standalone risk management standards closest to the healthcare industry,
with the exception of the more general ISO 31000, are typically written for a
specific audience of FDA regulated industries such as medical devices;
pharmaceuticals, biologics, and food. They have not been generalized for use in
hospitals, and may not have come to the attention of risk managers who have
never been employed in sectors using these more rigorous approaches.
2) Hospitals may not be convinced that a systematic approach using a formalized
framework has sufficient value. In this survey, it was surprising to find that only
41% of the respondents appeared to feel that such a standard was useful, even
though in a later question, a majority of respondents acknowledged that a
standalone standard would clarify expectations of risk management, and help to
assure common practices throughout the industry. It was telling that only about
half of the respondents felt that a risk management standard would affect patient
safety. Compared to common beliefs in other sectors where risk management
has been raised almost to the level of religion, this lukewarm support for
standardized frameworks is important to appreciate if change is to be considered.
Educational theory suggests that individuals learn and apply knowledge best
when they are convinced that the knowledge serves a useful purpose. In
particular, professional learning and educational development for adults is
considered to be most effective if they see an overall benefit or positive impact
on the work that they are performing (Moon, 1999). If a more systematic
approach is to be adopted in the hospital setting risk management practitioners
must be convinced that such an approach has value.
3) Many risk managers may be threatened by the introduction of formal
methodologies if they have little opportunity to educate themselves about risk
management methods. The fact that most hospitals have training only once or
133
twice a year gives little opportunity for in-depth acquisition of new skills. From
this survey, it is unclear what these occasional training programs include, but it is
likely that in at least some settings, the training will be more logistical than
strategic. This may leave risk managers with a feeling of insecurity if they are
challenged on their application of methods and tools with which they have only a
passing acquaintance. It would be interesting in future to explore the ways in
which risk managers are educated on the job and the value that is placed on
such education as part of performance goals for the individuals concerned.
4) Hospital accreditation systems do not insist on aggressive risk management
approaches. In medical product companies, for example, products cannot be
sold until the company has conducted a thorough risk analysis for the products
that they make, and then has prioritized risk management efforts so that the
greatest risks have been identified, analyzed and mitigated, using a range or risk
management tools appropriate for different activities. The risk management
activities are scrutinized by the regulatory agencies prior to product approval. It
is not unusual in those systems that product development is discontinued
because risks associated with a particular design or manufacturing process are
deemed to be too great. However, in hospitals, risk typically cannot be avoided
by discontinuing core or essential services to patients. This puts the patient in a
highly vulnerable position. Nevertheless, the most common hospital
accreditation system, The Joint Commission, demands a much lower standard
(TJC, 2011) for risk assessment, and no real standard for managing that
standard. Specifically, TJC Standard LD.04.04.05 states:
The hospital has an organization-wide, integrated patient safety program
within its performance improvement activities. Element of Performance
10: At least every 18 months, the hospital selects one high-risk process
134
and conducts a proactive assessment (TJC, 2011).
Without the pressure from accrediting bodies, superficial risk management
practices can survive with little negative consequence.
5) The use of proactive tools to assess risk presents legal liability, if a threat is
recognized but not addressed adequately to prevent a medical error. As noted
by Myers (2011),
A previously existing FMEA could provide potent evidence for a plaintiff in
a medical malpractice case (provided that the FMEA is subject to
discovery and is admissible in court). (Myers, 2011)
This concern has been addressed to some extent and in a piecemeal fashion in
different states that limit the ability to use materials related to quality
improvement in liability suits. Further, at the federal level, bills have been
introduced into Congress to protect materials designed solely for quality
improvement and safety, for example the Patient Safety and Quality
Improvement Act in 2002 (H.R.4889, 2002).
Despite these impediments, many have suggested that a more systematic approach to
patient safety would help reduce medical errors and injuries. A study performed by Cook
and colleagues in 2004, for example, showed that recognition of errors by healthcare
providers may be limited by professional differences in expectations and personal
beliefs. Since most of the recognized, reported, and charted errors fall within the scope
of nursing practice, patient safety has often been viewed primarily as a nursing
responsibility. Only a minority of nurses reported, however, that they have participated in
patient-safety and error-reporting processes (Cook, Hoas, & Guttmannova, 2004).
135
The development of a risk management standard appropriate for hospitals is challenging
because hospitals vary so much in size and specialty. Without specified standards
governing US hospitals, risk managers are provided with substantial latitude and
flexibility in their risk management strategies and initiatives. This flexibility could be
useful for experienced and capable risk managers but leaves the more naïve risk
manager without clear guidance. It will be interesting to see over time if professional
organizations such as the American Society for Healthcare Risk Management (ASHRM),
viewed here as the most appropriate agency for such initiatives, identify and act on the
development of a risk management standard for hospitals. Such a standard would have
value in providing a framework for approaching risk in a hospital in more of a proactive
and systematic way, to assess and evaluate the structure, processes and outcomes of
care. Because healthcare is managed by humans and humans are vulnerable to making
errors, having such a framework in place should allow organizations to benchmark and
improve continuously the quality of services and safeguarding high standards of care
(Pietra, Calligaris, Molendi, Quattrin, & Brusaferro, 2005).
The most common risk management standards emphasize the need for evaluation or
follow up of risk management interventions, and often this involves a way of transferring
knowledge over time. Effective transfer of knowledge is generally thought to be
improved when a method is available to capture lessons learned and to educate new
employees when individuals leave or change jobs. Survey data suggested that these
two areas have significant deficits. Few hospitals appear to have a systematic process
in place to capture the lessons learned in the area of risk management. Though
comments from the survey participants indicated that many track this information in
some type of database, most have no formal way to transfer that information from a
departing staff member to a replacement, and many do not have any system for
136
capturing lessons learned. In future this may be an area that could profit from more
careful examination and from the development of methods to improve the retention of
corporate memory with regard to risk management.
5.10 Conclusions and Future Considerations
Hippocrates’ famous axiom “First, do no harm” is often quoted by doctors and is included
in some translations of the Hippocratic Oath. It remains popular because of the
continuing realization that, too often, doctors do cause harm (Mercola, 2013). As a result
of the potential to cause harm to a patient, there is a need for effective risk management
systems in hospitals.
The execution of an efficient, systematic risk management system throughout the
hospital could have several positive results (Buchholz, 2000). It has been recognized as
a critical driver to minimize hospital acquired infections and medical errors while
improving the general quality of the care. Effective risk management methods should
contribute to excellence in service that should reinforce a hospital’s good reputation and
financial health amongst satisfied stakeholders. Nonetheless, there still seems to be
important work to be done in order to improve risk management systems.
Recommendations that might come out of this study, and represent to some extent the
personal view of the author, are as follows:
1) Hospitals should establish a systematic framework for identifying, prioritizing and
controlling areas of greatest risk based on their performance metrics. The more
informal approaches that are used in many institutions tend to favor retrospective
or fire-fighting approaches to the detriment of preventive and proactive measure
that might reduce patient injury.
137
2) Hospitals should expand the recruitment and education of qualified risk
management professionals who are proficient with modern risk management
methodologies and tools.
3) Hospitals should explore methods to capture experience of professionals when
they leave their positions and support these transitions with a system to capture
lessons learned. In current organizations, it is common practice to advertise a
position only after the incumbent has left. This gives no opportunity for
transitional training in a complex system with significant vulnerabilities when
personnel change.
What will be done with this information? It is my intention to share this data with the
American Hospital Association and the American Society for Healthcare Risk
Management in an attempt to spur the development of better risk management training
and standards development. It may also provide a foundation for future research into
the reasons why risk management views are held by current risk managers and how
they might contribute, positively or negatively, to the efforts to improve hospital risk
management systems.
138
References
Adachi, W., & Lodolche, A. (2005). Use of failure mode and effects analysis in improving
the safety of I.V. drug administration. American Journal of Health System
Pharmacy, 62(May 1, 2005), 917-920.
AHA. (2012). American Hospital Association Annual Survey Database. Retrieved May
18, 2013, from http://www.aha.org/research/rc/stat-studies/index.shtml
AHA. (2013). CPHRM Candidate Handbook and Application (pp. 36). Retrieved May 11,
2013, from www.aha.org/certifcenter/files/12CPHRMhandbook.pdf
AHLA. (2012). Enterprise Risk Management Task Force. Retrieved September 12,
2012, from
http://www.healthlawyers.org/MEMBERS/PRACTICEGROUPS/TASKFORCES/E
RM/Pages/default.aspx
AIChE. (2000). Guidelines for Chemical Process Quantitative Risk Analysis. New York,
NY.
Alsafi, E., Bahroon, S., Tarmim, H., Al-Jahdali, H., Alzahrani, S., & Al Sayyari, A. (2011).
Physicians' attitudes toward reporting medical errors - an observational study at
general hospital in Saudi Arabia. Journal of Patient Safety, 7(3), 144-147.
Appel, M. (2012). The necessary steps healthcare must take for patient safety.
Retrieved June 24, 2012, from KevinMD blog website
http://www.kevinmd.com/blog/2012/03/steps-healthcare-patient-safety.html
Archer, T. M. (2003). Web-based surveys. Journal of Extension, 41(4), 1-5.
Archer, T. M. (2008). Response rates to expect from web-based surveys and what to do
about it. Journal of Extension, 46(3), 12-16.
ASHRM. (2013). College Degree and Certificate Programs in Healthcare Risk
Management and/or Patient Safety. Retrieved July 10, 2013, from
http://www.ashrm.org/ashrm/education/CollegeDegreeandCertificatePrograms.ht
ml
ASQ. (2012). FMEA. Retrieved October 9, 2012, from http://asq.org/glossary/f.html
ASTD. (2008). ASTD 2008 State of the Iindustry Report. Alexandria, VA: ASTD.
Berwick, D., & Leape, L. (1999). Reducing errors in medicine. British Medical Journal,
319, 136-137.
Bokar, V. (2007). Different Roles, Same Goal: Risk and Quality Management Partnering
for Patient Safety. Retrieved June 4, 2013, from
http://www.ashrm.org/ashrm/education/development/monographs/Monograph.07
RiskQuality.pdf
139
Boser, D., Stevens, J., & Meier, R. (2013). Hospital acquired infections: risk
management assessment using quality processes and tools. The Quality
Management Forum, 39(1), 7-16.
Boulton, G. (2009). Tracking health care quality proves thorny job, Milwaukee-Wisconsin
Journal Sentinel. September 19, 2009.
Bradley, E., Herrin, J., & Mattera, J. (2005). Quality improvement efforts and hospital
performance: rates of beta-blocker prescription after acute myocardial infarction.
Medical Care, 43(3), 282-292.
Brennan, T. A., Leape, Lucian L., Laird, Nan M. (1991). Incidents of adverse events and
negligence in hospitalized patients. New England Journal of Medicine, 324(6),
370-376.
Brickman, R., Jasanoff, S., & Ilgen, T. (1985). Controlling Chemicals: The Politics of
Regulation in Europe and the United States . Ithaca, NY: Cornell University
Press.
Buchholz, S. D. (2000). Quality is Job 1 - New directions for medical risk management.
Journal of Healthcare Risk Management, 20(2), 34-38.
Casalino, L., R.R. Gillies, S.M. Shortell, J.A. Schmittdiel, T. Bodeheimer, J.C. Robinson,
T. Rundall, N. Oswald, H. Schauffler, and M.C. Wang. (2003). External
incentives, information technology, and organizaed processes to imrpve health
care quality for patients with chronic diseases. Journal of the American Medical
Association, 289(4), 434-441.
CDPH. (2012). CDPH Issues Penalties to California Hospitals. (12-070). Sacramento:
Retrieved August 7, 2013, from
http://www.cdph.ca.gov/Pages/CDPHIssues12PenaltiestoCaliforniaHospitals.asp
x.
Chan, T. C. (2012). Implementation of Risk Management in Medical Device Companies:
A Survey Analysis of Current Practices. (Doctorate in Regulatory Science),
University of Southern California.
CMS. (2011). Medicare Program; Medicare Shared Savings Program: Accountable Care
Organizations. (RIN 0938-AQ22).
Coles, G. (2005). Using failure mode effects and criticality analysis for high-risk
processes at three community hospitals. Joint Commission Journal on Quality
and Patient Safety, 31(March), 132-140.
Coles, G., Fuller, B., Nordquist, K., Weissenberger, S., Anderson, L., & DuBois, B.
(2010). Three kinds of proactive risk analyses for health care. Joint Commission
Journal on Quality and Patient Safety, 36(8), 365-375.
140
Condra, M. (2008). Creating safer organizations: The essential role of high-impact,
rapidly-delivered training & education. HealthStream. Retrieved July 10, 2013,
from
http://www.healthstream.com/Libraries/whitePapers/Patient_Safety.sflb.ashx
Cook, A. F., Hoas, H., & Guttmannova, K. (2004). From here to there: Lessons from an
integrative patient safety project in rural health care settings. Agency for
Healthcare Research and Quality. Rockville, MD.
Creasy, T., Ramey, S. (2013). Don't lose patients: hybrid approach helps hospital
streamline key process. Quality Progress(February), 42-49.
DNV. (2012). Safeguarding Life, Property and the Environment. Retrieved June 20,
2012, from http://www.dnv.com/moreondnv/profile/about_us/
DNV. (2013). The Joint Action European Union Network for Patient Safety and Quality of
Care (JA PASQ) Retrieved June 2, 2103, from
http://dnv.com/moreondnv/research_innovation/programmes/healthcare/the_joint
_action_european_union_etwork.asp
ECRI. (2009). Risk management, quality improvement, and patient safety. In E. Institute
(Ed.), Healthcare Risk Control (July 2009 ed., Vol. July 2009, pp. 1-12).
ECRI. (2012). Risk managers tackle challenges of hospital-acquired physician practices.
In E. Institute (Ed.), Risk Management Reporter (Vol. 31, pp. 1-7).
Eldridge, E. (2011). Chasing your tail: risk management considerations for employed
physicians. Paper presented at the American Society for Healthcare Risk
Management. 2011 Annual Conference & Exhibition, Phoenix, AZ.
EMA. (2011). Quality Risk Management (ICH Q9). ICH Expert Working Group. Retrieved
May 22, 2012, from http://www.ich.org/search.html.
EU. (2009). European Council recommendation on patient safety, including the
prevention and control of healthcare associated infections. Brussels: Council of
the European Union. Retrieved April 13, 2011, from
http://ec.europa.eu/health/patient_safety/docs/council_2009_en.pdf.
FDA. (1990). Device Recalls: A Study of Quality Problems. Retrieved May 14, 2011,
from
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/PostmarketR
equirements/RecallsCorrectionsAndRemovals/
FDA. (1999). Managing The Risks From Medical Product Use: Creating a Risk
Management Framework. Retrieved May 14, 2011, from
http://www.fda.gov/Safety/SafetyofSpecificProducts/ucm180325.htm
141
FDA. (2009). 21 CFR Parts 808, 812, 820: Medical Devices: Current Good
Manufacturing Practices (CGMP) Final Rule. Federal Register, 61(195).
Retrieved May 14, 2011, from
http://www.fda.gov/medicaldevices/deviceregulationandguidance/postmarketrequ
irements/qualitysystemsregulations/ucm230127.htm.
Geert, L. (2008). Measuring public opinions about surveys. International Journal of
Public Opinion Research, 20(1), 74-89.
Gold, J. (2011). Accountable care organizations, explained. Pridobljeno S Spletne
Strani, 30(4) 18-21.
Gray, C. F., & Larson, E. W. (2010). Project Management - The Managerial Process (5th
ed.). Boston, Massachusetts: McGraw-Hill.
Guldenmund, F. W. (2010). (Mis)understanding safety culture and its relationship to
safety management. Risk Analysis, 30(10), 1466-1480.
Gupta, S., & Kant, S. (2001). Quality and hospital housekeeping: emerging issues and
future dimensions. JK Science, 3(2), 94-99.
H.R.3962. (2010). Preservation of Access to Care for Medicare Beneficiaries and
Pension Relief Act of 201.
H.R.4889. (2002). Patient Safety and Quality Improvement Act.
Hannah, K., Schade, C., Lomely, D., Ruddick, P., & Bellamy, G. (2007). Hospital
Administrative Staff vs. Nursing Staff Responses to the AHRQ Hospital Survey
on Patient Safety Culture: AHRQ. Retrieved on April 10, 2012, from
http://www.ahrq.gov/downloads/pub/advances2/vol2/advances-hannah_23.pdf
Heisler, E. J., & Sarata, A. K. (2013). Physician supply and the patient protection and
affordable care act. In Washington, DC: US Congress, Congressional Research
Service. Retrieved May 23, 2013, from
http://assets.opencrs.com/rpts/R42029_20130115.pdf.
Helmreich, R. (2000). On error management: lessons from aviation. British Medical
Journal, 320(March 18), 781-785.
Herzberg, F. (1959). The Motivation to Work. New York, NY. John Wiley & Sons.
HFAP. (2012). Accreditation by HFAP. Retrieved April 13, 2012, from
http://www.hfap.org/WhyHfap/workingwithhfap.aspx
Hirose, T. T. (1996). The influence of the product liability act, governmental regulation,
and medical economics on medical devices and their clinical applications.
Artificial Organs, 20(12), 1274 - 1277.
Hoffer, A., Saul, A., & Hickey, S. (2011). Hospitals and Health: Your Orthomolecular
Guide to a Shorter, Safer Hospital Stay. Laguna Beach, CA: Basic Health
Publications, Inc.
142
Hoffman, M. (2010). New data provide insight into pharma-industry professional daily
lives. Pharmatech, 34(1), 6-9.
Hoppes, M. (2011, September 21). Healthcare reform drives demand for risk
management and patient safety innovation. [Web log post]. Retrieved from:
http://www.riskandinsurance.com/story.jsp?storyId=533321567
Houle, D., Fleece Jonathan. (2012, March 14). Why one-third of hospitals will close by
2020. [Web log post]. Retrieved from:
http://www.kevinmd.com/blog/2012/03/onethird-hospitals-close-2020.html
Hubbard, D. W. (2009). The Failure of Risk Management: Why It's Broken and How to
Fix It. John Wiley & Sons. New York.
IEC. (2006). IEC 61025: Fault tree analysis (FTA). Geneva, Switzerland., International
Electrotechnical Commission.
IOM. (1990). Clinical Practice Guidelines, Directions for a New Program. M. J. Field,
Lohr, Kathleen N. (Ed.). Washington, DC: Institute of Medicine (IOM).
IOM. (1999). To Err Is Human: Building a Safer Health System. Kohn LT, Corrigan JM,
Donaldson MS, editors. Washington, D.C: National Academy Press; 2000.
IOM. (2005). Building a Better Delivery System: A New Engineering/Health Care
Partnership. P. Reid, D. Compton, J. Grossman & G. Fanjiang (Eds.).
Washington, DC: Institute of Medicine (IOM).
ISO. (2007a). ISO 14971 Medical Devices Application of Risk Management to Medical
Devices. Geneva, Switzerland. International Organization for Standardization.
ISO. (2007b). Medical Devices - Application of Risk Management to Medical Devices,
Revised. Geneva, Switzerland. International Organization for Standardization.
ISO. (2008). Committee Draft of ISO 31000 Risk Management. Geneva, Switzerland.
International Organization for Standardization. Retrieved November 13, 2012,
from www.nsai.ie/uploads/file/N047_Committee_Draft_of_ISO_31000.pdf.
ISO. (2009). ISO 31000:2009, Risk Management—Principles and Guidelines. Geneva,
Switzerland. International Organization for Standardization. Retrieved October
11, 2012, from www.iso.org/iso/catalogue_detail.htm?csnumber=43170.
Israel, G. D. (2011). Strategies for obtaining survey responses for extension clients:
exploring the role of e-mail requests. Journal of Extension, 49(3), 121-130.
Itri, J. N., & Krishnaraj, A. (2012). Do we need a national incident reporting system for
medical imaging? Journal of the American College of Radiation, 9(5), 329-335.
Jacobides, M. G. (2007). The inherent limits of organizational structure and the
unfulfilled role of hierarchy: lessons from a near-war. Organization Science,
18(May-June 2007), 455-477.
143
JAPASQ. (2011). The Joint Action on Patient Safety and Quality of Care (PaSQ),
officially launched in Roskilde, Denmark 24-25 May Retrieved June 3, 2013,
from
http://ec.europa.eu/eahc/documents/news/PaSQ_PressRelease29_5_12%20_6_
.pdf
Japsen, B. (2013). Doctors rush to obamacare's accountable care approach. Forbes.
Retrieved May 7, 2013, from
http://www.forbes.com/sites/brucejapsen/2013/04/27/doctors-rush-to-
obamacares-accountable-care-approach/
Karis, J. (2012). A robust project management & problem solving process. Net Assets.
Retrieved August 30, 2102, from Net Assets website:
http://www.netassets.net.au/Resources/PS/02-Robust-problem-solving-
process.aspx
Kavilanz, P. (2010). U.S. to hospitals: clean up your act. Retrieved April 5, 2011, from
http://money.cnn.com/2010/04/29/news/economy/healthreform_hospital_fines/ind
ex.htm
Kirchhoff, S.M. (2013). Physician Practices: Background, Organization, and Market
Consolidation: Congressional Research Service.
Kitchell, W., & Hurst, R. (2011). Specialty physician practice trends. MANow(October
2011).
Lawrence, D. (2005). Building a Better Delivery System: Bridging the Quality Chasm.
Washington, DC: National Academy of Engineering and Institute of Medicine
(IOM).
Leapfrog. (2008). Leapfrog Hospital Survey Results 2008. Retrieved June 19, 2012,
from www.leapfroggroup.org/media/file/leapfrogreportfinal.pdf
Lee, F. (2004). If Disney Ran Your Hospital: 9 1/2 Things You Would Do Differently.
Second River Healthcare Press.
Lester, H., & Tritter, J. (2001). Medical error: a discussion of the medical construction of
error and suggestions for reforms of medical education to decrease error. Med
Educ, 35, 855-861.
Lofstedt, R., & Vogel, D. (2001). The changing character of regulation: a comparison of
Europe and the United States. Risk Analysis, 21(November), 399-416.
Mai. (2011). ISO 31000 RMS. Retrieved September 12, 2012, from
http://www.mai9000.com/ISO-31000
Makary, M. (2012). Unaccountable: What Hospitals Won’t Tell You and How
Transparency Can Revolutionize Healthcare. USA: Bloomsbury Publishing.
144
McFadden, K., Stock, G., Gowen, C., & Cook, P. (2006). Exploring strategies for
reducing hospital errors. Journal of Healthcare Management, 51(2), 123.
McQuilken, L., Katakis, O., & McDonald, H. (2005). The relationship between
respondent attitudes and intended behaviour regarding socio-demographic
questions in survey research: an empirical investigation using online surveys.
Journal of Current Research in Global Business, 7(11).
Medscape. (2013). Physician Compensation Report: 2013. Retrieved June 10, 2013,
from http://www.medscape.com/features/slideshow/compensation/2013/public
Meldi, D., Rhoades, F., & Gippe, A. (2009). The big three: a side by side matrix
comparing hospital accrediting agencies. SYNERGY (January/February 2009).
Mercola, J. (2013). What Hospitals Won't Tell You - Vital Strategies That Could Save
Your Life. Retrieved March 31, 2012, from
http://articles.mercola.com/sites/articles/archive/2012/03/31/dr-andrew-saul-
hospitals-and-health.aspx
Miller, L. E., & Smith, K. L. (1983). Handling nonresponse issues. Journal of Extension,
21(5), 34-42.
Mitchell, D. (2011). Risk Management between the hospital and hospital-owned
physician practice. Paper presented at the American Society for Healthcare Risk
Management. 2011 Annual Conference & Exhibition, Phoenix, AZ.
Moon, J.A. (1999). Reflection in Learning and Professional Development: Theory and
Practice. New York: RoutledgeFalmer
Myers, S. (2011). Patient Safety and Hospital Accreditation: A Model for Ensuring
Success. New York: Springer Pub. Co.
NAPH. (2009a). Challenges in a Changing Marketplace: 1930 - 1965 Retrieved April 12,
2012, from http://www.naph.org/Homepage-Sections/explore/History/1930.aspx
NAPH. (2009b). Emergence of Hospitals: 1860 - 1930 Retrieved April 12, 2012, from
http://www.naph.org/Homepage-Sections/Explore/History/1860.aspx
NAPH. (2009c). History of Public Hospitals in the United States Retrieved April 12,
2012, from http://www.naph.org/Homepage-Sections/Explore/History.aspx
OSHA. (1995). All About OSHA. Retrieved August 14, 2012, from www.osha.gov.
Petchenik, J., & Watermolen, D. (2011). A cautionary note on using the Internet to
survey recent hunter education graduates. Human Dimensions of Wildlife, 16(3),
216-218.
Phelps, K. a. H., William A. (2007). Risk management, the joint commission, and ISO
14971. Journal of Clinical Engineering, 32(2), 70-73.
145
Pietra, L., Calligaris, L., Molendi, L., Quattrin, R., & Brusaferro, S. (2005). Medical errors
and clinical risk management: state of art. ACTA Otorhinolaryngologica Italica,
25(6), 339-346.
Pugh, D. S. (1984). Organization Theory: Selected Readings (2nd ed.) London: Penguin.
Rath, F. (2008). Tools for developing a quality management program: proactive tools
(process mapping, value stream mapping, fault tree analysis, and failure mode
and effects analysis). International Journal of Radiation
Oncology*Biology*Physics, 71(1, Supplement), S187-S190.
Rawlins, R. (2001). Hospital accreditation is important. British Medical Journal,
(322)7287, 674.
Rogers, F., & Richarme, M. (2009). The honesty of online survey respondents: lessons
learned and prescriptive remedies. [Web log post]. Retrieved from,
http://www.decisionanalyst.com/publ_art/onlinerespondents.dai
Schneider, J. (1985-1986). Qualified privilage for peer review: physician, reveal thyself.
Pac L J, (17)2, 499-531.
Shaw, G. K. (2010). A Risk Management Model for the Tourism Industry in South Africa.
(Doctor of Philosophy), North-West University. Retrieved April 19. 2012, from
http://www.satsa.com/Downloads/A-risk-management-model-for-the-tourism-
industry-in-South-Africa.pdf
Shortreed, J., Hicks, J., & Craig, L. (2003). Basic Frameworks for Risk Management.
Final Report Prepared for The Ontario Ministry of the Environment. NERAM:
Network for Environmental Risk Assessment and Management.
Silow-Carrol, S., Alteras, T., & Meyer, J. (2007). Hospital Quality Improvement:
Strategies and Lessons from U.S. Hospitals. New York, NY: The Common
Wealth Fund.
Sorra, J., Famolaro, T., Dyer, N., Khanna, K., & Nelson, D. (2011). Hospital Survey on
Patient Safety Culture: 2011 User Comparative Database Report AHRQ.
Speiser, S. M., et al. (1987). The American Law of Torts. Rochester, NY: Co-operative
Pub. Co.
Starfield, B. (2000). Is US health really the best in the world? Journal of the American
Medical Association 284(4).
Stark-Humphrey, R. (2010). Health Care Reform Bill Explained in Simple Terms.
Retrieved July 22, 2013, from http://voices.yahoo.com/health-care-reform-bill-
explained-simple-terms-5795610.html
Steven, F., Bernard, B., & Robert, B. (2013). Tension between quality measurement,
public quality reporting, and pay for performance. JAMA, 309(4), 349-350. doi:
10.1001/jama.2012.191276
146
Strickland, B. (2012). Accountable Care Organizations: Improving Care Coordination for
People with Medicare. Retrieved August 9, 2013, from Healthcare.gov website:
http://www.credentialprotection.com/news/57-the-benefits-of-accountable-care-
organizations-acos.html
Sullivan, & Beach. (2009). Improving project outcomes through operational reliability: a
conceptual model. International Journal of Project Management, 27(8), 765-775.
Svider, P. F., Keeley, B. R., Zumba, O., Mauro, A. C., Setzen, M., & Eloy, J. A. (2013).
From the operating room to the courtroom. The Laryngoscope, 123:1849–1853.
doi: 10.1002/lary.23905
Tharp, B. M. (2009). Defining "Culture" and "Organizational Culture": From Anthropology
to the Office. Retrieved August 10, 2012, from Haworth website:
http://www.haworth.com/en-us/knowledge/workplace-library/documents/defining-
culture-and-organizationa-culture_5.pdf
TJC. (2011). Accreditation Manual for Hospitals. Joint Commission on Accreditation of
Hospitals.
TJC. (2012a). Benefits of Accreditation Retrieved June 20, 2012, from
http://www.jointcommission.org/assets/1/18/benefits_of_accreditation_8_10.pdf
TJC. (2012b). Facts About The Joint Commission Retrieved June 21, 2012, from
http://www.jointcommission.org/about_us/fact_sheets.aspx
Troyer, G. T., Salman, S.L. (1986). Handbook of Health Care Risk Management.
Rockville, MD: Aspen.
USF (Producer). (2008, 8/13/12). Overview and History of Healthcare Risk Management.
Healthcare Risk Management Certificate Program. [University of South Florida -
Power Point Presentation]
Valsamakis, A. C., Vivian, R. W., & du Toit, G. S. (2000). Risk Management (2nd ed.):
Sandton: Heinamenn.
Valsamakis, A. C., Vivian, R. W., & du Toit, G. S. (2005). Risk Management: Managing
Enterprise Risks: Sandton: Heinamenn.
Van der Schaaf, T. (2002). Medical applications of industrial safety science. Qual Saf
Health Care, 11, 205-206.
Versel, N. (2013). Obama Urged to Mandate Medical Error Reporting. Retrieved May 13,
2103, from http://www.informationweek.com/healthcare/policy/obama-urged-
tomandate-medical-error-rep
Vogt, J., Houwer, J., & Crombez, G. (2011). Multiple goal management starts with
attention. Experimental Psychology, 58(1), 55-61.
147
WHO. (2000). The World Health Report 2000: Health Systems: Improving Performance.
Geneva, Switzerland., World Health Organization.
WHO. (2002). Quality of Care: Patient Safety: Fifty Fifth World Health Assembly (Vol.
March 2002): Geneva, Switzerland., World Health Organization.
WHO. (2010). A Brief Synopsis on Patient Safety (pp. 55): World Health Organization -
Europe. Geneva, Switzerland., World Health Organization.
Wiseman, F. (2003). On the reporting of response rates in extension research. Journal
of Extension, 41(3).
Wolf, Z., & Hughes, R. (2008). Error Reporting and Disclosure. Patient Safety and
Quality: An Evidence-Based Handbook for Nurses. Agency for Healthcare
Research and Quality (US). Rockville (MD).
Yin, S. (2010). AHA opposes penalty for medical mistakes. Retrieved May 13, 2013,
from http://www.fiercehealthcare.com/story/aha-opposespenalty-medical-
mistakes/2010-11-22
Zimmerman, T., & Clark, K. L. (2010). Celebrating 30 Years, A Brief History of ASHRM:
1980-2010. Retrieved April 25, 2012, from
http://www.ashrm.org/ashrm/about/history/a_brief_history_of_ashrm/index.shtml
Ziskind, A., Ficery, K., & Fu, R. (2011, August 2011). Adapting to a new model of
physician employment. [Web log post]. Retrieved from
http://www.accenture.com/us-en/outlook/Pages/outlook-online-2011-adapting-
new-model-physician-employment.aspx
148
Appendix A – Survey Instrument, Pre-Focus Group – October 31, 2012
149
150
151
152
153
Appendix B – Survey Instrument, Post-Focus Group – December 14, 2012
154
155
156
157
158
159
Abstract (if available)
Abstract
Risk management is an important tool to decrease medical errors and to improve overall quality of care in US hospitals. To gain insight into current practices in US hospitals, survey methods were used to explore the extent to which risk management systems in hospitals have the tools, resources and staffing appropriate to handle and improve risk management. A survey instrument was developed by reference to a research framework based on the "conceptual" model of Sullivan and Beach as modified by Chan that emphasizes the importance of a triad of elements, including resources, competence and memory. The purpose of the survey was to determine current approaches and hiring practices in risk management within the hospital industry. It further probed the focus of risk management activities performed by risk managers, their views of risk management standards and approaches being used in hospitals and the use of methodologies. It was clear from both a voluminous literature on this topic and the survey that hospitals still have many challenges with regard to implementing risk management systems and processes. Most hospitals had only one or a few risk management personnel who had little ongoing training and background preparation in risk management methodology. They performed a large variety of tasks and were faced with a large range of risks. Nevertheless, they typically expressed satisfaction with their work, with mixed views on the level of support that they received from senior management. Typically missing from the system was a systematic set of standards for identifying, prioritizing and controlling areas of greatest risk based on their performance metrics. Although the framework used for this study was primarily oriented to assessing performance, results suggested that hospital culture and behaviors often seemed to contribute to key concerns, such as the willingness to hire individuals with little background in formal risk management and to accept as standard practice the use of only very risk management tools.
Linked assets
University of Southern California Dissertations and Theses
Conceptually similar
PDF
Risk management and recalls: a survey of medical device manufacturers
PDF
Implementation of risk management in medical device companies: a survey analysis of current practices
PDF
Challenges in the implementation of Risk Evaluation Mitigation Strategies (REMS): a survey of industry views
PDF
Benefits-risk frameworks: implementation by industry
PDF
FDA influence on advisory committees through documentation: a content analysis and survey of industry views
PDF
“Regulatory” due diligence: a survey investigation of best practices in the medical products industry
PDF
An integrated framework to evaluate customer service delivery: a study of electronic systems at FDA's Los Angeles Import Operations Branch
PDF
Current practices in pharmaceutical container closure development
PDF
Views on global harmonization of pharmacopeial standards: a survey of key stakeholders
PDF
Regulatory dissonance in the global development of drug therapies: a case study of drug development in postmenopausal osteoporosis
PDF
Design control for software medical devices: an industry survey of views and experiences
PDF
Regulatory team development in post-merger integration: a survey of views from medical product companies
PDF
Clinical trials driven by investigator-sponsors: GCP compliance with or without previous industry sponsorship
PDF
The role of universities in the commercialization of medical products: a survey of industry views
PDF
Incentivizing quality in the manufacture of pharmaceuticals: manufacturers' views on quality ratings
PDF
The impact of incomplete monographs on the OTC drug industry: a survey investigation of industry views
PDF
Continuity management in biobank operations: a survey of biobank professionals
PDF
Effect of GDUFA legislation on the development and approval of generic drugs: a survey of industry views and experiences
PDF
Use of natural colors: experience and views in pharmaceutical and dietary supplement industries
PDF
Contract research organizations: a survey of industry views and outsourcing practices
Asset Metadata
Creator
McCall, Richard Haven
(author)
Core Title
Risk approaches and standards used in hospitals: a survey of industry views
School
School of Pharmacy
Degree
Doctor of Regulatory Science
Degree Program
Regulatory Science
Publication Date
10/01/2013
Defense Date
09/04/2013
Publisher
University of Southern California
(original),
University of Southern California. Libraries
(digital)
Tag
Haven McCall,history of hospitals,history of U.S. hospitals,hospital risk management,Hospitals,OAI-PMH Harvest,risk management,risk managers
Format
application/pdf
(imt)
Language
English
Contributor
Electronically uploaded by the author
(provenance)
Advisor
Richmond, Frances J. (
committee chair
), Alkana, Ronald L. (
committee member
), Hamrell, Michael (
committee member
), Loeb, Gerald E. (
committee member
), Pacifici, Eunjoo (
committee member
)
Creator Email
havenmccall@gmail.com,havenmccall1976@hotmail.com
Permanent Link (DOI)
https://doi.org/10.25549/usctheses-c3-333746
Unique identifier
UC11297121
Identifier
etd-McCallRich-2069.pdf (filename),usctheses-c3-333746 (legacy record id)
Legacy Identifier
etd-McCallRich-2069.pdf
Dmrecord
333746
Document Type
Dissertation
Format
application/pdf (imt)
Rights
McCall, Richard Haven
Type
texts
Source
University of Southern California
(contributing entity),
University of Southern California Dissertations and Theses
(collection)
Access Conditions
The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the a...
Repository Name
University of Southern California Digital Library
Repository Location
USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Tags
Haven McCall
history of hospitals
history of U.S. hospitals
hospital risk management
risk management
risk managers