Introduction to Enterprise Risk Management
Healthcare continues to evolve, creating predictable and unpredictable risks that are most effectively addressed on an enterprise-wide basis. By taking a global view of liability, healthcare leaders are better positioned to fulfill organizational mandates and attain strategic objectives, while promoting patient safety, minimizing loss and protecting organizational reputation.
The Enterprise Risk Management (ERM) model provides a process to identify complex and interconnected activities across the outpatient setting that affect one another positively or negatively. The ERM framework can be adopted and designed to fit any size and type healthcare organization and modified to address the unique characteristics and needs within outpatient settings.
A critical step toward implementing the ERM model is to adopt a clear and concise definition of ERM. This definition will communicate to the organization the purpose and commitment of leadership to the ERM process.
ERM represents a continuous process applied across the outpatient setting and is influenced by staff conduct at every level. In a solo practice, the provider is responsible for developing and facilitating a risk-conscious culture among staff. In an outpatient setting, the medical director and practice manager collaborate to educate staff members on the ERM process and implement an integrated risk management program. For the ERM process to be effective, all staff members in the outpatient setting must be aware of what ERM encompasses and demonstrate a commitment to its implementation.
The ERM process includes the following major components:
- Risk identification, i.e., detecting exposures within each of the risk domains, a process that typically includes staff interviews.
- Prioritization and scoring of risks, i.e., analyzing the likelihood, causes and consequences of specific exposures. The potential severity of each risk is multiplied by its probability to determine the “risk score.”
- Risk response, i.e., developing and implementing an action plan to avoid, accept, reduce, segregate and/or transfer the risk, as defined below:
  - Risk avoidance denotes actions that prevent the risk from occurring, such as eliminating a service or procedure.
  - Risk acceptance means assuming responsibility for any loss associated with an identified risk. Risks with minimal effect are customarily accepted.
  - Risk reduction involves activities that reduce the likelihood of a risk occurring, such as universal protocols, infection control practices or equipment maintenance programs. Other risk reduction activities lower the probability or severity through process and system design, without eliminating the service or activity.
  - Risk segregation involves distributing assets across multiple locations, offices or units to reduce the likelihood of losing supplies, equipment or records stored in one location.
  - Risk transfer refers to covering potential losses by transferring risk to a commercial insurance policy, or by retaining risk through alternative mechanisms such as high deductibles, self-insured retentions, surety bonds or trust fund accounts.
- Control and monitoring, i.e., measuring the effectiveness of selected risk responses.
The ERM process is dynamic, involving several steps that may occur simultaneously. It serves as a useful framework for organizing risk management activities.
Mapping Risks
The first step in creating a risk management program is to classify and assess organizational risks. The following chart lists risk categories common to many healthcare settings. Risks in these categories reflect absent, inadequate or failed internal processes or systems to control the risk. The specific activities assigned to each category are flexible and should be modified to complement your organizational structure. Examples of specific functions, issues, requirements and risks that fall within the various categories are provided below.
Common Risk Categories and Descriptions
- Operational - Operational risks are derived from an organization’s core activities: provider credentialing, research activities, professional medical services, performance improvement, risk management, appointment tracking, environment of care, emergency preparedness, policy and procedure development process.
- Legal/regulatory - Legal and regulatory risks emanate from federal and state requirements, licensure/certification, reimbursement rules, fraud/abuse, compliance, contracts, patient rights, informed consent, HIPAA privacy and confidentiality provisions, Clinical Laboratory Improvements Act (CLIA) regulations, patient termination, contract management, closing or leaving a practice.
- Clinical - Clinical risks involve the delivery of care to patients, such as adverse events, evidence-based standards of care, safety protocols, universal precautions, preventive care/screening, medication/pain management, referrals/consultations, drug/device recalls, patient education.
- Strategic - Strategic planning involves an organization’s ability to grow and evolve its brand and reputation. Examples include joint ventures, marketing activities, clinical service expansion, mergers and acquisitions, capital needs, and enterprise risk management.
- Financial - Financial risks reflect an organization’s ability to earn, raise and access capital. These risks include insurance denial of care, billing and collections, Medicare/Medicaid reimbursement, credit rating, assets and liabilities.
- Human Capital - Human capital risks relate to workforce management, hiring practices, recruitment, retention, employment practices, scope of practice, background checks, competency assessments, in-service education.
- Technology - Technology risks are associated with computer hardware/software, storage/retrieval of information, digital health, wearable technology/sensors, cyber exposures, electronic health records, data privacy and security, email, social media, facsimile, texting, telephone and other remote consultation.
- Hazards/business interruption - Hazard risks are predictable risks associated with conditions within and outside the building. These include construction/renovation, earthquake, fires, tornado, hurricane/floods, facility management, plant age, parking (e.g., lot lighting, condition, security), securing valuables.
Adapted from American Society for Health Care Risk Management, Enterprise Risk Management: Implementing ERM, 2020
Prioritization and Scoring Risks
Risk-taking is inherent to healthcare organizations. Using an objective process to evaluate the scope and magnitude of risk will enhance the organization’s ability to prioritize efforts and allocation of resources involving risk mitigation. Risks can be ranked by assigning numerical scores to the “likelihood” and “impact” the risk has on the organization. An optional third measurement is “velocity”.
Likelihood is the frequency or probability the event or risk will occur.
Impact is the severity of the outcome should the risk occur (patient injury or organizational loss), often expressed in financial terms or as a dollar value.
Likelihood x Impact = Risk Score
Velocity refers to how quickly the outcome is realized once the event occurs, i.e., the “time to impact” during which the organization can still take action. This is an optional measurement to enhance the risk score.
Likelihood + Velocity x Impact = Risk Score
Ranking risks using a numeric system provides the flexibility to evaluate an organization’s tolerance, or appetite, for risk. A risk that is highly likely to occur but has minimal consequence to a patient or the organization, such as lost patient clothing, would have a low score (Likelihood of 5 x Impact of 1 = 5). In contrast, a risk with a moderate likelihood of occurring but major consequences for patients and/or the facility, such as a facility in the path of a tornado, would have a higher score (Likelihood of 3 x Impact of 5 = 15). In these examples, the facility would be guided by the risk scores and focus risk management efforts toward the more catastrophic event. Including velocity, the time the organization has before the point of impact, will further enhance this risk scoring process.
Once the risk has been scored and prioritized, decisions around how to treat the risk must be determined: risk avoidance, risk acceptance, risk reduction, risk transfer.
Responding to Risk
Managing risk involves using the information provided through adverse event reports, survey findings and other feedback mechanisms to support these four basic initiatives:
- Prevention encompasses proactive risk awareness and safety programs for patients, staff, providers, family members and visitors. The goal is to ensure that all parties are aware of the risks and know how to protect themselves and others.
- Correction requires implementation of post-incident remedial actions to minimize the impact of the event and prevent future similar occurrences. The corrective measures must be documented, monitored and audited to assess their effectiveness.
- Documentation is critical to effective legal defense in the event of a professional liability claim. Healthcare information records must be accurate and comprehensive. In addition, all institutional policies and procedures – including those that no longer apply or have been modified – should be carefully archived.
- Education involves engaging staff through relevant, practical and meaningful in-service seminars given at orientation, at least annually thereafter, and following any significant adverse event that requires an immediate change in systems or processes to prevent recurrence. Education should include both an overview of the risk management process and a detailed description of other key topics. The educational sessions should clearly explain what constitutes an adverse event, how adverse events should be reported, and why thorough and objective incident documentation is of critical importance.
Evaluating the ERM Program
All ERM programs must be routinely evaluated and updated. As healthcare reform and other legislative and regulatory initiatives continue to transform the industry, new and unpredictable risks will emerge. Healthcare leaders responsible for risk management must remain attentive to their own unique risk situation, as well as the broader political, economic and social developments affecting the healthcare field. Any changes in the program should be promptly communicated to staff members.