Implementing Enterprise Risk Management across NHG
Designated Risk Lead Training, 8 February 2010
Stuart Emslie, UK

Stuart Emslie BSc(Hons) MSc CEng FIHM MIMechE
• Independent UK-based healthcare consultant specialising in corporate and clinical governance, board development, risk management and patient safety
• Formerly Department of Health head of controls assurance (governance/risk management) for the NHS in England
• World Health Organisation consultant to Malaysian Ministry of Health
• Adviser to Health Service Executive (Ireland), Hong Kong Hospital Authority and NHG, Singapore
• Honorary Fellow, Flinders University School of Medicine, Australia
• Visiting Fellow, Loughborough University Business School, England
• Fellow of the Institute of Healthcare Management (FIHM) and, by original profession (in the 1980s), a chartered mechanical engineer
• Editor of www.healthcaregovernancereview.org

Learning and other objectives
• Understand the concept of enterprise risk management (ERM)
• Gain familiarity with ISO 31000:2009 Risk management: Principles and guidelines
• Be able to identify risk by a number of means
• Be able to construct and maintain a Risk Register
• Understand the principles underlying the setting of risk management priorities
• Understand the difference between governing risk and managing risk
• Contribute to the ongoing development of ERM in NHG

‘Designated person’ attributes
• Thorough understanding of the organisation and management of NHG and, in particular, the hospital/facility within which they work.
• Preferably working at middle-senior management or clinician level with sufficient authority (or having direct access to authority) to help ensure successful implementation and maintenance of the ERM system.
• A genuine interest in helping manage risk.
• Preferably with an interest in quality management and patient safety.
• A working knowledge of Microsoft Office software, especially Word, PowerPoint and Excel.
Enterprise risk management (ERM) “[A] US term coined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004) and defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The concept and practice of enterprise risk management is fully addressed by the requirements of ISO 31000:2009 in all but name.” Draft NHG Risk management policy
Three ERM documents and who owns them
Risk Management Policy: Senior Management/Board
Risk Management Plan: Board/Senior Management
Risk Register Guidelines: Designated risk leads

5.3.2 Risk management policy
The risk management policy should clarify the organization's objectives for and commitment to risk management and should specify the following:
• links between the risk management policy and the organization’s objectives and other policies;
• the organization's rationale for managing risk;
• accountabilities and responsibilities for managing risk;
• the way in which conflicting interests are dealt with;
• the organization’s risk appetite or risk aversion;
• processes, methods and tools to be used for managing risk;
• resources available to assist those accountable or responsible for managing risk;
• the way in which risk management performance will be measured and reported;
• commitment to the periodic review and verification of the risk management policy and framework and its continual improvement; and
• the means by which the risk management policy will be communicated appropriately.

5.3.3 Integration into organizational processes [Risk management plan]
• Risk management should be embedded in all the organization’s practices and business processes so that it is relevant, effective and efficient. The risk management process should become part of and not separate from those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and change management processes.
• There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all the organization’s practices and business processes.

[Organisation chart: NHG Board (7) with its Audit, Risk and other Board committees; CEO (6); CRO (5); Members/Institutions M1, M2, M3 ... Mn and their CEOs (4); Designated Risk Lead (3); Departments etc. (2); Staff (1).]
Q3 - In your opinion, what do you think the key BENEFITS might be of implementing ERM across NHG?
INTRODUCTION TO RISK MANAGEMENT IN HEALTHCARE Stuart Emslie
Risk management process (AS/NZS 4360:2004 - Risk management)
Establish context
Identify risks (Risk assessment)
Analyse risks (Risk assessment)
Evaluate risks (Risk assessment)
Treat risks
Throughout: Communicate and consult; Monitor and review

[Diagram of risk information flow: ‘Front line’ and Depts. (aggregation), Hospital (aggregation), Cluster (aggregation), HORMC. Labelled flows: Filtering/Escalation; Information; Resources/Action/Improvement.]

RISK QUANTIFICATION MATRIX
Consequence (columns): Insignificant 1, Minor 2, Moderate 3, Major 4, Extreme 5
Likelihood (rows): Almost certain 5, Likely 4, Possible 3, Unlikely 2, Remote 1
Risk score = Likelihood x Consequence; legend: Low, Medium, High

Likelihood \ Consequence   Insignif. 1   Minor 2   Moderate 3   Major 4   Extreme 5
Almost certain - 5               5           10          15          20          25
Likely - 4                       4            8          12          16          20
Possible - 3                     3            6           9          12          15
Unlikely - 2                     2            4           6           8          10
Remote - 1                       1            2           3           4           5
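Worked example, added here and not part of the original training deck: scoring a departmental risk register with the 5 x 5 likelihood x consequence matrix above, then filtering which entries escalate upward. The Low/Medium/High score boundaries, the escalation rule and the sample register entries are assumptions; the deck shows only the legend.

```python
"""Risk register scoring with the 5 x 5 likelihood x consequence matrix.
Added illustration (not NHG's tooling); band thresholds and escalation rule are assumed."""
from dataclasses import dataclass

LIKELIHOOD = {"Remote": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Extreme": 5}

# ASSUMED banding of the 1-25 score (the deck shows only a Low/Medium/High legend).
LOW_MAX, MEDIUM_MAX = 4, 12
BAND_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Risk:
    title: str
    department: str
    likelihood: str
    consequence: str

    def score(self) -> int:
        """Likelihood (1-5) multiplied by consequence (1-5), as in the matrix."""
        try:
            return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]
        except KeyError as exc:
            raise ValueError(f"unknown rating {exc} on risk {self.title!r}") from None

    def band(self) -> str:
        s = self.score()
        return "Low" if s <= LOW_MAX else "Medium" if s <= MEDIUM_MAX else "High"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by consequence so severe-impact risks lead."""
    return sorted(register, key=lambda r: (r.score(), CONSEQUENCE[r.consequence]), reverse=True)


def escalate(register: list[Risk], minimum_band: str = "High") -> list[Risk]:
    """Assumed filtering/escalation rule: only risks at or above minimum_band leave the
    departmental register for the hospital (and onward cluster) register."""
    return [r for r in prioritise(register) if BAND_ORDER[r.band()] >= BAND_ORDER[minimum_band]]


# Constructed sample register (illustrative entries, not NHG data).
SAMPLE = [
    Risk("Drug administration error on ward", "Pharmacy", "Likely", "Major"),
    Risk("Utilities failure in theatre block", "Estates", "Unlikely", "Extreme"),
    Risk("Suggestion scheme backlog", "Admin", "Likely", "Insignificant"),
    Risk("Unauthorised access to patient records", "IT", "Possible", "Moderate"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        print(f"{r.score():2d} {r.band():6s} {r.department:9s} {r.title}")
```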
The healthcare risk ‘universe’
Environment; Patient care and safety; Financial; Occupational safety & health; Legal; Human Resource; Physical resources; IT; Integrity; Information for decision making; etc.

Some common sources of information used to populate a healthcare risk register
(sources shown against PROACTIVE / REACTIVE axes, all feeding the Risk Register)
INTERNAL: Internal audits and inspections; Patient adverse incidents; Patient consultation; Staff consultation; General risk assessments; Staff adverse incidents; Other adverse incidents; Suggestion scheme; Complaints; Specialist risk assessments; Facilitated workshops; Claims; Root cause analyses; FMEA
EXTERNAL: External audits, reviews etc.; Hazard warnings; Safety alerts; Accreditation standards; Benchmarking; Coroners reports; Incidents etc. occurring ‘elsewhere’; Conferences, Seminars, etc.; External stakeholder consultation; Inquiry reports; Books
A common risk language

Environment risk: Government funding / policy; Laws and Regulations; Economy; Demographics; Technology; Market share; Other providers; Customer needs and expectations; Public awareness; Suppliers; External disasters; External relations; Labour market

Process risk

Empowerment risk: Purpose; Structure; Leadership; Accountability; Authority; Boundary; Compliance; Resource allocation; Communication; Rate of change; Performance measurement

Patient Care and Safety Risk
- Patient and family rights: Information & Consent; Confidentiality; Security; Satisfaction/complaints; Privacy; Participation; Comfort / Convenience
- Access and continuity: Availability / Access; Appropriateness; Timeliness / delay; Continuity; Over / under utilisation; Volume / capacity; Interfaces
- Assessment of patients: Adequacy of assessment; Error (laboratory / reporting / interpretation); Appropriateness
- Care planning
- Care of patients: Standard of care/Bolam; Competence; Safety; Care/Treatment accident; Prescribing accident; Drug admin. accident; Efficacy; Nosocomial Infection; Clinical trial / new treatment; Patient / family Educ.; Clear Communication; Patient compliance
- Other: Documentation / recording; Service development

Integrity risk: Fraud; Corruption; Unauthorised use; Unethical practice; Illegal acts; Reputation; Conflict of interest

Human resource risk
- Staff capabilities and education: Qualifications / registration; Proficiency; Professional development
- Maintaining a quality workforce: Loss of key staff; Turnover; Recruitment; Remuneration; Industrial relations; Workforce planning
- Performance: Productivity; Efficiency; Teamwork; Performance Incentives; Coverage / skill-mix; Absence / attendance; Staff morale
- Occupational safety and health: Safe systems of work; Instructions / training / supervision; Security / Violence; Stress; Hazardous exposure

Legal risk: Regulatory compliance; Litigation; Contractual

Financial risk: Cash flow; Budget control; Cash collection; Bad debts; Payment; Investment; Insurance; Currency; Misappropriation; Value for money

Physical resource risk
- Supplies: Defective products; Product / service failure; Economy; Supplier; Stock-out; Obsolescence / shrinkage
- Health and safety: Act of God; Buildings / Equipment / Grounds; Fire / Explosion / Flooding; Hazardous substances / Radiation; Medical equipment and supplies; Food hygiene; Security; Infectious Disease; Insects and rodents; Contractor
- Facilities / Equipment: Capacity; Availability; Breakdown / Interruption; Utilisation; Performance; Efficiency / Economy; Compatibility; Misuse / Impairment; Loss; Operator; Technology; Utilities failure
- Environment: Environmental Impact; Conservation; Waste

IT risk: System failure / Availability; Technology; Integrity; Unauth. access/use; Loss of data; Cost / time overruns; User needs not met

Information for decision making risk: Clinical; Operational; Financial; Strategic. Attributes: Access; Availability; Accuracy; Timeliness; Completeness; Usability; Utilisation

Failure Mode and Effects Analysis (in the context of wider risk management and quality improvement activity)
Variants and expansions: FMEA (Failure Mode and Effect Analysis / Failure Modes and Effects Analysis); FMECA (Failure Modes, Effects and Criticality Analysis); HFMEA™; SFMEA

FMEA Steps…
• Select a process (topic)
• Assemble your team
• Describe the process steps