Managing Risk in Complex Healthcare Organisations: Use of a Risk Register

Risk is inherent in all aspects of life, and healthcare is no exception to this. Healthcare provision is a complex business, with numerous interactions with outside agencies and, of course, ill patients, many of which are unplanned and involve several healthcare professionals.

Whilst risk cannot be excluded, it is crucial to the success of any healthcare provider that they have a systematic process whereby risks of all types may be identified, assessed, and recorded. Once identified, actions to mitigate these risks should be undertaken and recorded, with clear mechanisms for escalation, and there should be an organisational infrastructure that ensures there is central overview, or governance, of these processes.

However, it is crucial to bear in mind that managing risk comes at a significant cost, and it is the balancing of these risks and costs that defines the success of an organisation in terms of its ability to deliver high quality healthcare within a financially constrained environment.

Categories of Risk 

Risks in healthcare may be categorised into several major groups:

• Potential harm to staff;

• Potential harm to patients;

• Potential loss of a service or facility;

• Unsafe staffing levels;

• Financial loss;

• Loss of personally identifiable information;

• Unfavourable media coverage

• And threat of litigation.

Given the sheer number and variety of risks to the organisation, it is imperative that there is an agreed, uniform system in which different types of risks may be graded and catalogued, in order that they be compared and prioritised. In order to achieve this, we utilise a common risk register across the entire hospital.

The Risk Register Scoring System 

The risk register in use in our organisation comprises a simple two-part scoring system. First, we ask the question “what is the likelihood of an event / harm occurring?” This is termed the likelihood score, and is graded 1 (rare) through to 5 (will undoubtedly happen or recur, possibly frequently), as shown in Table 1.

Second, the consequence of the harm is assessed (consequence score), also graded from 1 (no harm/ negligible) through to  (death / catastrophic), an abbreviated version of which is presented in Table 2. A grading chart is produced for each of the major areas of risk listed above. The product of the likelihood and consequence scores produces a relative risk rating number (RRN), from 1-25, for each individual potential risk. Risks are then categorised into low (RRN 1-7), moderate (RRN 8-15) or high (RRN 16-25). These may be alternatively referred to as green, orange and red risks, as shown in Table 3.

The level of risk identified is linked with the risk review frequency such that red risks require review every 3 months, whereas green risks require annual review.

Managing the Risk Register

The entire process is managed electronically, with an online risk register accessed through the hospital intranet system. Users register on the system and have a unique password. They may then add new risk assessments, or search for, view, edit, and update existing risk assessments, which are stored electronically in a central data base which is fully auditable.

Structuring different risks from across a large and complex organisation in this manner allows comparison of risks that vary greatly in nature. Each area of the organisation should be aware of, and have mechanisms for, dealing with risks pertaining to their department. This tool helps organise and prioritise these into a manageable structure, which can be utilised in departmental and organisational governance meetings.

Mitigating Risk

Many risks may be mitigated through attention to departmental practice and processes. For example, risks regarding the loss of patient identifiable data may be significantly reduced through staff education and training, adherence to clear departmental procedures, and the provision of confidential waste bins.

Similarly, embedding a routine, safety first approach has long been the bedrock of good surgical practice.

Ensuring that hospital notes are available, obtaining informed written consent well in advance of the procedure, marking the site of surgery in advance, and counting the swabs and instruments in use, are just a few examples of this. Diversion from these routine practices undoubtedly will lead to substantial risks.

Whilst some risks may be dealt with within a particular department, others may require escalation to more senior boards within the organisation. Examples of this might include the need for significant investment or involvement with other departments, and these risks can be readily highlighted for escalation within the risk register and brought to the attention of the appropriate authority.

The Role of the Risk Register in Resource Allocation

In the current financial environment, there will always be a greater demand for investment from the various departments within the healthcare organisation than there is money available. Clearly, investment boards and others with financial responsibility will need to consider many competing issues in deciding how these limited funds are distributed. A balance will need to be struck between delivering the organisational strategy and plans moving forward, and mitigating the risks identified within the current system.

In our organisation, the risk register plays a central role in such decisions. Within radiology, this can play a significant role in securing the often sizeable capital investments required to replace ageing or failing equipment. For example, an ultrasound machine that has been in use for several years may start to suffer a significant deterioration in image quality such that subtle lesions are no longer identified. Hence, although the basic service can be maintained, there remains a significant risk that an important lesion may be missed, leading to significant patient harm in the longer term. The risk register helps to convey this to non-specialist teams deciding on resource allocation, and compare with other risks in the system.

Moreover, where reorganisation of services is proposed, the register can be applied to each project to identify the potential risks that they may carry, whether they may be financial, reputational or otherwise.

As with all systems, this is potentially open to an element of ‘gaming’, overplaying the likelihood or consequences of a risk in order to achieve the desired outcome. Whilst this may produce short term gains within a particular department, it is likely to be detrimental to the organisation as a whole as this will lead to inappropriate resource allocation and consequently limit the opportunities elsewhere. For this reason, ‘red risks’ requiring significant resource may be investigated further to confirm their rating status.

Conclusion

In summary, the risk register enables the organisation to have oversight of all risks within the organisation, covering all areas of practice, and monitor progress against them. The risk register plays a key role in deciding the allocation of resources, both human and financial, in a transparent fashion, and we have found this invaluable in managing the complex, high risk environment in which we work.