STANDARD 10: Risk Management

10.1 Planning, Assessment, and Treatment

1. The healthcare organization shall establish a policy, framework, procedure, and documented process that addresses risk management related to safety of all personnel, and the strategic, operational, and financial integrity of the healthcare organization. This shall be used to identify, analyze, prioritize, mitigate, eliminate, or otherwise accept known (or unknown) events which will or might likely create an impact upon patients, staff, and other interested parties.

2. The healthcare organization shall provide adequate resources for risk management, including the assignment of trained personnel.

3. When identifying the risk, the healthcare organization shall address the following aspects of patient safety:

a) medical errors and adverse patient and/or staff events;

b) patient "near-miss";

c) sentinel events;

d) medication errors (see also STANDARD 21.2.2. and 21.2.3.);

e) opioid associated mal-occurrences;

f) errors associated with blood and blood products;

g) low volume, high risk procedures;

h) grievance and other claims;

i) infection prevention and control issues as described in STANDARD 22;

j) research and clinical trials if applicable;

k) risk associated with food and dietetic;

l) risk associated with medical equipment;

m) roles and responsibilities for the management of the risk assessment process;

n) training requirements related to risk management and adverse event reporting;

o) other risk, acute or long term, associated with patient, staff, facility, and physical environment integrity as determined necessary.

4. When analyzing the risk, the healthcare organization shall address the following:

a) the likelihood of events and consequences;

b) the nature of consequences;

c) complexity and connectivity;

d) time-related factors and volatility;

e) the effectiveness of existing controls.

5. The healthcare organization shall develop risk treatment plans to mitigate risks. The treatment

plan shall include the following information:

a) the proposed actions;

b) responsibilities for approving and implementing the plan;

c) the resources required;

d) the performance measures;

e) when actions are expected to be undertaken and completed.

NOTE 1 There are many defined methodologies and approaches available for conducting hazard identification, risk assessment and control and the approach taken will vary depending upon the nature of the situation and the level of detail required.

10.2 Monitoring and Review

1. The healthcare organization shall have ongoing risk management monitoring and review by

designated authority.

2. Annual review of all the risks shall be conducted. Necessary change shall be made when indicated.

10.3 Reporting

1. The healthcare organization shall establish a Risk Register. This Risk Register shall be maintained as documented information.

2. Top management of the healthcare organization shall receive a timely report of these assessments to:

a) review and analyze the associated results;

b) develop action plans and to implement changes as deemed necessary including determined

corrections or corrective actions as needed;

c) monitor and measure the results of changes to ensure desired outcomes;

d) consider opportunities to improve and enhance related processes within the healthcare

organization;

e) inform patients and or their families of adverse events or medical errors as required;

f) manage associated claims as required by this standard.

NOTE 1 Factors to consider for reporting include, but are not limited to:

a) differing stakeholders and their specific information needs and requirements;

b) cost, frequency and timeliness of reporting;

c) method of reporting;

d) relevance of information to organizational objectives and decision-making.

To use this or similar tools effectively, the healthcare organization’s leaders must adopt and learn the approach, to agree on a list of high-risk processes in terms of patient and staff safety, and then to use the tool on a priority risk process. Following analysis of the results, the healthcare organization’s leaders take action to redesign the process or similar actions to reduce the risk in the process. This risk-reduction process is carried out at least once per year and documented.