What Is Risk Management in Healthcare?

Article · April 25, 2018

Risk management in healthcare comprises the clinical and administrative systems, processes, and reports employed to detect, monitor, assess, mitigate, and prevent risks. By employing risk management, healthcare organizations proactively and systematically safeguard patient safety as well as the organization’s assets, market share, accreditation, reimbursement levels, brand value, and community standing.

The Value and Purpose of Risk Management in Healthcare Organizations

Deployment of healthcare risk management has traditionally focused on the important role of patient safety and the reduction of medical errors that jeopardize an organization’s ability to achieve its mission and protect against financial liability. But with the expanding role of healthcare technologies, increased cybersecurity concerns, the fast pace of medical science, and the industry’s ever-changing regulatory, legal, political, and reimbursement climate, healthcare risk management has become more complex over time.

Moreover, with the value-based care movement and today’s risk-bearing models such as bundled payments and CMS’s pay for performance programs, financial risk is increasingly shifting from payers to providers and requires a broader view of risk management. In May of 2017, Moody’s Investor Services released a report highlighting the link between risk management and a hospital’s operating margins: “Maintaining high clinical quality will increasingly impact financial performance and reduce the risk of brand impairment as reimbursement moves away from a fee-for-service model and towards a greater emphasis on value and outcomes.”

For these reasons, hospitals and other healthcare systems are expanding their risk management programs from ones that are primarily reactive and promote patient safety and prevent legal exposure, to ones that are increasingly proactive and view risk through the much broader lens of the entire healthcare ecosystem.

While members of the industry understand the significance of expanding risk management in healthcare beyond patient safety and medical liability, the transition has been slow. According to the Healthcare Financial Management Association (HFMA), “Despite the growing importance of programs today, and the raised awareness of their importance, many healthcare providers have been slow to adopt a more sophisticated approach . . . . The current state for most providers falls between ‘basic’ and ‘evolving’ maturities for ERM programs.”

Evolution of Healthcare Enterprise Risk Management (ERM)

To expand the role of risk management across the organization, hospitals and other healthcare facilities are adopting a more holistic approach called Enterprise Risk Management. ERM includes traditional aspects of risk management including patient safety and medical liability and expands them with a “big picture” approach to risk across the organization.

ERM encompasses eight risk domains:

  1. Operational
  2. Clinical & Patient Safety
  3. Strategic
  4. Financial
  5. Human Capital
  6. Legal & Regulatory
  7. Technological
  8. Environmental- and Infrastructure-Based Hazards

Figure: Healthcare Risk Management: The Eight Domains of Risk (Operational, Clinical & Patient Safety, Strategic, Financial, Human Capital, Legal & Regulatory, Technological, Environmental- and Infrastructure-Based Hazards).

According to the American Society for Healthcare Risk Management (ASHRM), “Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value.”

ERM also stresses the use of technology to synchronize risk mitigation efforts across the entire organization and remove risk associated with siloed departments or business units. Additionally, data analytics are embedded to support decision-making, departmental cohesiveness, risk prioritization, and resource allocation. Analytics are important for monitoring benchmarks as a way of showing value (what costs were prevented) for ERM initiatives. These elements of ERM are built on top of a governance structure that aligns business operations with the risk management program.

The role of the healthcare risk manager has evolved alongside this new governance structure to oversee and facilitate the ERM framework. Risk managers proactively identify risks and estimate potential consequences and upsides. They also develop response plans in case risks become reality. On the flip side, to mitigate organizational exposure, they respond and execute containment plans when adverse and unforeseen situations transpire.

Due to the dynamic and multifaceted nature of risk management in healthcare, the role is constantly evolving. Some of the current responsibilities of the healthcare risk manager include communicating with stakeholders, documenting and reporting on risk and adverse circumstances, and creating processes, policies, and procedures for responding to and managing risk and uncertainty. Additionally, risk managers must continually monitor the ever-shifting landscape of the healthcare risk continuum.

Key Components of Performing Risk Management in Healthcare

To navigate the healthcare risk continuum healthcare organizations and risk managers need to:

  • Identify Risk
    Since risk management involves managing uncertainty and new risk is constantly emerging, it is challenging to recognize all the threats a healthcare entity faces. However, through the use of data, institutional and industry knowledge, and by engaging everyone — patients, employees, administrators, and payers — healthcare risk managers can uncover threats and potentially compensable events that otherwise would be hard to anticipate.
  • Quantify & Prioritize Risk
    Once identified, it is vital to score, rank, and prioritize risks based on their likelihood and impact of occurrence and then allocate resources and assign tasks based on these measures. To accomplish this, risk matrices and heat maps can be deployed that will also help to visualize risks and promote communication and collaborative decision-making.
  • Investigate & Report Sentinel Events
    Coined by the Joint Commission, Sentinel Events are “any unanticipated event in a healthcare setting resulting in death or serious physical or psychological injury to a patient or patients, not related to the natural course of the patient’s illness.” When a sentinel event occurs, quick response and thorough investigation address immediate patient safety issues and reduce future risk. Having an established plan in place promotes calm and measured response and transparency by staff and ensures that corrective actions can be implemented and evaluated. Sentinel events are not always the result of errors. However, achieving transparency and thorough evaluation requires healthcare organizations to establish an atmosphere of respect, trust, and cooperation between staff and leadership.
  • Perform Compliance Reporting
    As with the Joint Commission, federal, state, and other oversight bodies mandate reporting of certain types of incidents, including sentinel events, medication errors, and medical device malfunctions. Incidents such as wrong-site or wrong-patient surgery, workplace injuries, and medication errors need to be documented, coded, and reported.
  • Capture & Learn from Near Misses & Good Catches
    When mistakes or adverse events are avoided due to luck or intervention, “near misses” and “good catches” occur. These are often the best way to identify and prevent risk. Healthcare providers should develop a culture that encourages reporting so that prevention measures and best practices can be instituted.
  • Think Beyond the Obvious to Uncover Latent Failures
    Active failures are obvious and easily identified — when a nurse gives the wrong medication dose to a patient, for example. Latent failures, on the other hand, are often hidden and only uncovered through analysis and critical examination. Did poor lighting make it hard to read the patient’s chart? Was the nurse rushing because he had too many high-acuity patients? When exploring the causes of an unfavorable episode, consider underlying and less readily apparent reasons.
  • Deploy Proven Analysis Models for Incident Investigation
    Models for analyzing accidents are used to understand latent failures and causes as well as relationships among risks. For example, understaffing and fatigue often lead to medical errors. Applying well-established models improves risk management effectiveness and efficiency. Two accident analysis models used in healthcare risk management are the and the Sharp and Blunt End Evaluation of Clinical Errors model. FMEA or Failure Mode and Effects Analysis, as well as Root Cause Analysis, are also deployed and involve detailed frameworks to help uncover the causes and effects of medical mistakes.
  • Invest in a Robust Risk Management Information System (RMIS)
    Multiple platforms for reporting and managing risk are on the market. These systems provide tools for documenting incidents, tracking risk, reporting trends, benchmarking data points, and making industry comparisons. Reports can be generated for losses, incidents, open claims, and lost work time for injured employees to name a few. RMIS can greatly enhance risk management by improving performance through available and reliable systems while providing overall cost reduction by automating routine tasks.
  • Find the Right Balance of Risk Financing/Transfer/Retention
    Risk financing involves an organization’s methods for efficiently and effectively funding loss that results from risk. It includes risk transfer usually through insurance policies and risk retention such as self-insurance and captive insurance.
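The scoring and ranking step described under Quantify & Prioritize Risk, as an added example that is not part of the original article: a small Python risk register that scores each entry on a 5x5 likelihood-by-impact matrix, assigns a heat-map band, ranks the register, and rejects out-of-range scores. The band thresholds, the tie-breaking rule, and the sample risks are constructed for illustration and are not taken from the article or from any organization's actual register.

```python
"""Risk matrix scoring and prioritization for a healthcare risk register.

Added example (not from the NEJM Catalyst article): scores each register
entry by likelihood x impact on a 5x5 matrix, assigns a heat-map band, and
returns a prioritized list. The band thresholds, tie-breaking rule and
sample risks are constructed for illustration.
"""
from dataclasses import dataclass

# The eight ERM domains listed in the article.
DOMAINS = {
    "Operational", "Clinical & Patient Safety", "Strategic", "Financial",
    "Human Capital", "Legal & Regulatory", "Technological",
    "Environmental- and Infrastructure-Based Hazards",
}

# Heat-map bands on the 1..25 product scale (thresholds are an assumption;
# each organization sets its own).
BANDS = [(20, "Critical"), (12, "High"), (6, "Moderate"), (1, "Low")]


@dataclass(frozen=True)
class Risk:
    name: str
    domain: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (catastrophic)

    def __post_init__(self):
        # Reject entries that would silently distort the ranking.
        if self.domain not in DOMAINS:
            raise ValueError(f"unknown ERM domain: {self.domain!r}")
        for fname in ("likelihood", "impact"):
            v = getattr(self, fname)
            if not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{fname} must be an integer 1..5, got {v!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        for threshold, label in BANDS:
            if self.score >= threshold:
                return label
        return "Low"  # unreachable given the threshold of 1; kept for clarity


def prioritize(risks):
    """Rank risks: highest score first, then higher impact, then name.

    Breaking ties on impact treats a low-probability catastrophe as more
    urgent than a frequent nuisance with the same product score (a
    constructed policy choice, not a universal rule).
    """
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def heat_map(risks):
    """5x5 grid of risk counts; rows = likelihood 5..1, columns = impact 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        grid[5 - r.likelihood][r.impact - 1] += 1
    return grid


def render_heat_map(grid) -> str:
    """Plain-text rendering of the grid for a report or status e-mail."""
    lines = ["L\\I  1  2  3  4  5"]
    for row_idx, row in enumerate(grid):
        likelihood = 5 - row_idx
        lines.append(f"{likelihood}    " + "  ".join(str(c) for c in row))
    return "\n".join(lines)


# Constructed sample register (illustrative, not real incident data).
SAMPLE_REGISTER = [
    Risk("Ransomware on EHR servers", "Technological", 3, 5),
    Risk("Medication dose error on night shift", "Clinical & Patient Safety", 4, 4),
    Risk("Nurse understaffing in ED", "Human Capital", 5, 3),
    Risk("Delayed Medicare reimbursement", "Financial", 2, 2),
    Risk("Generator failure during outage",
         "Environmental- and Infrastructure-Based Hazards", 1, 5),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2} {r.band:<9} {r.domain:<48} {r.name}")
    print(render_heat_map(heat_map(SAMPLE_REGISTER)))
```

Running the module ranks the sample register with the medication error (score 16) first, then the two score-15 entries with the higher-impact ransomware risk ahead of understaffing, and prints the 5x5 heat map; the validation in `Risk.__post_init__` is what keeps a mistyped score from quietly moving an item up or down the list.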

Create a Healthcare Risk Management Plan

Healthcare organizations need to have an established and ongoing risk management plan in place. The Risk Management Plan becomes the guiding document for how an organization strategically identifies, manages, and mitigates risk. Hospital leadership and all department heads should be aware of and involved in the development and ongoing evaluation of the plan. Healthcare risk management plans communicate the purpose, scope, and objectives of the organization’s risk management protocol. They also define the roles and responsibilities of the risk manager and other staff involved in risk mitigation. Here is an example of a Healthcare Risk Management Plan.

The format of a Risk Management Plan varies by organization and is contingent on the analysis of existing systems and historical data as well as the unique characteristics of each healthcare entity. That said, there are some fundamental components that belong in all healthcare risk management plans:

  • Education & Training
    Risk management plans need to detail employee training requirements which should include new employee orientation, ongoing and in-service training, annual review and competency validation, and event-specific training.
  • Patient & Family Grievances
    To promote patient satisfaction and reduce the likelihood of litigation, procedures for documenting and responding to patient and family complaints should be described in the Risk Management Plan. Response times, staff responsibilities, and prescribed actions need to be articulated and communicated.
  • Purpose, Goals, & Metrics
    Risk management plans should clearly define the purpose and benefits of the healthcare risk management plan. Specific goals to reduce liability claims, sentinel events, near misses, and the overall cost of the organization’s risk should also be well-articulated. Additionally, reporting on quantifiable and actionable data should be detailed and mandated by the plan.
  • Communication Plan
    While it is critical that the healthcare risk management team promote open and spontaneous dialogue, information about how to communicate about risk and with whom should be provided in the healthcare risk management plan. Next steps and follow-up activities should be documented. It is essential as well that the plan detail reporting requirements to departments and C-Suite personnel. Furthermore, the plan should promote a safe, “no-blame” culture and should include anonymous reporting capabilities.
  • Contingency Plans
    Risk management plans also need to include contingency preparation for adverse system-wide failures and catastrophic situations such as malfunctioning EHR systems, security breaches, and cyber attacks. The plan needs to include emergency preparedness for things like disease outbreaks, long-term power loss, and terror attacks or mass shootings.
  • Reporting Protocols
    Every healthcare organization must have a quick and easy-to-use system for documenting, classifying, and tracking possible risks and adverse events. These systems must include protocols for mandatory reporting.
  • Response & Mitigation
    Plans for healthcare risk must also include collaborative systems for responding to reported risks and events including acute response, follow-up, reporting, and repeat failure prevention.

The healthcare risk management plan needs to be a living document that is frequently updated and improved based on emerging risks, lessons learned, new information, and changes in the healthcare system and practice of medicine. The plan should have provisions for communication and training when these updates and changes are made.

Healthcare Risk Management — A Survival and Moral Imperative

Risk and uncertainty are inevitable in healthcare organizations. Human nature, the provision of intricate and multifaceted care, and the highly complex system of healthcare guarantee that healthcare entities will face adverse circumstances. But these occurrences are being mitigated with risk management tools. Ever since the 1997 IOM report, which estimated that 44,000 – 98,000 individuals were dying each year as a result of medical error, it has been a moral imperative to take every measure necessary to save lives. Tom Hellmich, physician and Minneapolis Children’s Hospital Patient Safety Council member, states in the Risk Management Handbook for Healthcare Organizations: “The medical culture that silently taught the ABCs as Accuse, Blame, and Criticize is fading. Rising in its place is a safety culture emphasizing blameless reporting, successful systems, knowledge, respect, confidentiality, and trust.”

In the midst of vertical consolidation, new market entrants, and value- and performance-based payment models that impact the bottom line, rigorous risk management strategies are paramount to every healthcare organization’s viability. By establishing an ongoing and systematic approach to minimizing the risks inherently associated with the field of healthcare, more and more healthcare organizations are successfully protecting quality of care and financial strength while navigating the tumultuous era of change.
