Table of Contents About this manual and our workshop - - PDF document

Patient Safety Workshop 2:

Healthcare risk management

(solid foundations to manage uncertainties that matter)

Workshop resource and reference manual

• Dr. Luke Feeney

Page 2 of 23 LF, July 2017

Table of Contents

About this manual and our workshop ................................................................................... 3 Workshop outline ................................................................................................................. 3 Activity 1: Setting workshop objectives ................................................................................ 4 A risk management framework ............................................................................................ 5 A risk management process ................................................................................................ 6 Activity 2: Learn by watching - the basics of risk management ............................................ 7 Activity 3: TEAM-based risk identification 1 ......................................................................... 8 Activity 4: TEAM-based risk identification 2 ....................................................................... 10 Activity 5: TEAM-based risk identification 1 - revisited ....................................................... 11 Activity 6: TEAM-based risk estimation .............................................................................. 11 Activity 7: TEAM-based risk evaluation (Facilitator-led) ..................................................... 15 Activity 8: TEAM-based risk control ................................................................................... 16 Activity 9: Workshop reflection and commitments .............................................................. 18 Final thoughts .................................................................................................................... 19 References ........................................................................................................................ 20 Appendix A: Risk metalanguage guidance ........................................................................ 21 Appendix B: The PRACT guide to critical control option assessment ................................ 22

Page 3 of 23 LF, July 2017

About this manual and our workshop

This workshop resource manual accompanies the HMC Patient Safety Awareness Week practical, facilitator-led “Healthcare risk management” workshop. In our workshop today you will work in Teams to practically apply an evidence-based, international risk management framework (adapted from ISO/IEC, 2011) within a healthcare case study context using a selection of evidence-based methodologies (adapted from Hillson, 2010; ISO, 2009; ISO/IEC, 2011; National Patient Safety Agency, 2006) to promote/evolve your critical understanding of how risk management can truly be the foundation for effective patient safety. I hope you will also gain "insider" tips and techniques for potentially improving your existing risk management approaches, irrespective of their current frameworks and methodologies.

Enjoy!

Workshop outline

1300 - 1715

(with a break!)

• 1. Workshop introduction, context, definitions and why managing risk is one of the most

effective, proactive patient safety activities you can carry out…

• 2. An evidence-based risk management process (step-by-step) appropriate to meet the

requirements of a healthcare organisation facilitated through team-based practical hands-on activities, exercises and debate.

• 3. Workshop review, reflection and close.

Please note: Not all of the activities presented in our manual may be completed in our workshop today as it has been designed to be highly practical, participant-centred with critical questioning and debate hugely encouraged!

Page 4 of 23 LF, July 2017

Activity 1: Setting workshop objectives

This activity is designed to identify what are the workshop objectives of you and your fellow participants (INDIVIDUAL and TEAM-agreed). We are “beginning with the end in mind”, the 2nd habit of the “7 Habits of Highly Effective People” according to (Covey, 1989). INDIVIDUALLY reflect and identify what are your objectives for attending our risk management workshop. Share INDIVIDUAL expectations and work together to produce a single, TEAM-agreed objective: [Please note: Each of TEAM-agreed objective shall be recorded by your facilitator to act as guiding “performance scoreboard” for our workshop]. [5 minutes to complete]

Page 5 of 23 LF, July 2017

A risk management framework

The evidence-base suggest that organisational risk management activities MUST be an integral part of the way that your healthcare organisation delivers its services to the extent that it is embedded in the very values and culture of your organisation - "just the way we do things around here!" (Health Services Executive, 2011; ISO, 2009; National Patient Safety Agency, 2006). The careful implementation of an evidence-based organisational (enterprise-wide) risk management framework can embed the key values and principles of risk management throughout your healthcare

• rganisation - from senior management to the “sharp end” - as well as provide the solid foundations for its

continuous effectiveness (ISO, 2009). Such a framework is presented in Figure 1. Figure 1: A best practice risk management framework (Adapted from ISO, 2009)

Page 6 of 23 LF, July 2017

A risk management process

Implementing risk management, often described as the "risk management process" itself, is a key component of your organisational risk management framework and activities. The risk management process fits into the integrated and inter-dependent risk management framework presented in “Figure 1” as component "3. Implementation of risk management based on a best practice methodology". Figure 2 details an evidence-based risk management process component which commences with establishing context, then executing risk assessment (incorporating risk identification, estimation and evaluation), identifying and applying risk controls and culminating in ensuring appropriate risk acceptance, with key decision points indicated in the process. The entire process is wrapped in continual monitoring and review to ensure rigor and consistency, with communication and consultation a crucial requirement throughout to ensure the engagement and involvement of/with the key, relevant stakeholders. Figure 2: A best practice risk management process (Adapted from ISO/IEC, 2011) Risk monitoring & review

• 2. Risk assessment
• 1. Establish context

2.1 Risk identification 2.2 Risk estimation 2.3 Risk evaluation

• 3. Risk control

Risk communication & consultation

• 4. Risk acceptance

Decision point #1: Assessment satisfactory? Decision point #2: Control satisfactory?

YES NO NO YES

Page 7 of 23 LF, July 2017

Activity 2: Learn by watching - the basics of risk management

Hillson D. (2012), “Risk management basics: What exactly is it?” http://www.youtube.com/watch?v=BLAEuVSAlVM&feature=youtube_gdata_player, accessed 24.02.2017. “The Risk Doctor” explains how to structure risk processes by asking (and answering) six simple questions.… YOUR thoughts, top of mind, as you watch the video: TEAM-agreed key learning: [5 minutes to complete]

Page 8 of 23 LF, July 2017

Activity 3: TEAM-based risk identification 1

3.1 Context: Laparoscopic surgery:

Laparoscopic or “minimally invasive” surgery is a specialized technique for performing surgery which uses several 0.5cm - 1cm incisions called “ports”. At each port a tubular instrument known as a “trocar” is inserted (a trocar is a pen-shaped instrument with a sharp triangular point at one end, typically used inside a hollow tube, known as a cannula or sleeve, to create an opening into the body through which the sleeve may be introduced to provide an access port during surgery). A camera (laparoscope) and specialized surgical instruments are then passed through the trocars to facilitate completion of the procedure. The “closed-entry” (classic) laparoscopic technique involves creating a “pneumoperitoneum” by inflating the patient’s abdomen with carbon dioxide to create separation between organs as well as increase the internal space available for manipulation of surgical instruments. This “insufflation” process is often performed using a Veress needle prior to placement of the primary trocar. The Veress needle is inserted in the umbilical area, in the midsagittal plane, with or without stabilizing or lifting the anterior abdominal wall. Once insufflation is complete and the primary trocar inserted, a laparoscope is introduced and thereafter secondary trocars can be placed under direct laparoscopic observation to minimise risk of injury.

3.2 Identify 3 x risks:

Critically consider and debate the risks associated with the “closed-entry” laparoscopic technique described in “3.1 Context” and, as a TEAM, agree and record what you believe to be the TOP THREE (3) highest priority patient safety risks which will need to be addressed to ensure reliable, consistent and safe laparoscopic surgery will take place. Please record your risks in row 3.1A, 3.2A and 3.3A respectively on the next page (P.9).

Page 9 of 23 LF, July 2017

TOP THREE (3), TEAM-agreed, highest priority patient safety risks associated with the “closed-entry” laparoscopic technique (please ensure you record in rows 3.1A, 3.2A and 3.3A only!)

3.1.

A B

3.2.

A B

3.3.

A B [7 minutes to complete]

Page 10 of 23 LF, July 2017

Activity 4: TEAM-based risk identification 2

Critically review the risks recorded in the risks presented register below and indicate whether your TEAM believes the risk statement is actually describing a risk or not ("Yes/No" column). Please also indicate the reason for your TEAM choice ("Rationale" column).

Objective: To transport blood products using a contracted 3rd party driver and car (external

supplier) from YOUR HOSPITAL to Hospital B. at 1400 today. Recorded risk Yes/No? Rationale

4.1. The blood products will not get from your Hospital to Hospital B. 4.2. The driver could be late and miss the pick-up from your Hospital. 4.3. The driver may skip lunch due to the timing of pick-up and delivery, and therefore may get hungry during the delivery journey. 4.4. As your Blood Bank is short-staffed, the blood products may not be prepared/ready in time for the pick-up and hence the transfer to Hospital B. will miss the delivery deadline of 1400 today. 4.5. Very busy road traffic will significantly delay the driver in reaching Hospital B. by the appointed time of 1400 today. [5 minutes to complete]

Page 11 of 23 LF, July 2017

Activity 5: TEAM-based risk identification 1 - revisited

Based on your evolving knowledge of an evidence-based method for risk identification, please review the construction of your TEAM’s risk statements/descriptions recorded in rows 3.1A, 3.2A and 3.3A of “Activity 3” and re-write using "risk meta-language" (for guidance please refer to Appendix A) to ensure high quality risk statements. Please record your re-constructed risk statements/descriptions in rows 3.1B, 3.2B and 3.3B respectively on P.9. [10 minutes to complete]

Activity 6: TEAM-based risk estimation

Following the risk estimation guidance provided below, critically apply the adapted National Patient Safety Agency (2006) risk assessment and management program to carry out a risk estimation exercise for the THREE (3) highest priority risks identified in Activity 5 using the template provided in “Table 6.1. 6.1. Assign a unique “Risk ID” in the 1st column (this allows tracking through a risk management system). 6.2. Assign a “Risk owner” in the 2nd column (the context of your healthcare organisation is important). 6.3. Record your risks in the “Description of Risk” column (as re-written in “Activity 5”). 6.4. Using “Table 6.2: Risk impact estimation (grading, rating)”, collaboratively determine your impact score (I) for the risks identified and record in the “Impact (I)” column. 6.5. Using “Table 6.3: Risk likelihood of occurrence estimation (grading, rating)”, collaboratively determine your likelihood score (L) for the risks identified and record in the “Likelihood (L)” column. 6.6. Calculate (“estimate”) your risk ratings by risk multiplying your impact (I) score by the likelihood (L) score in the “Table 6.1” and detail in the “Risk estimation (I x L)” column. [15 minutes to complete]

Page 12 of 23 LF, July 2017

Table 6.1: Risk identification and assessment template

(Health Services Executive, 2011; ISO, 2009; Adapted from National Patient Safety Agency, 2006) Risk ID Risk owner Description of risk (risk statement) Risk assessment Risk estimation (I x L) Risk evaluation (L, M, H, EH) Impact (I) Likelihood (L)

Page 13 of 23 LF, July 2017

Table 6.2: Risk impact estimation (grading, rating):

(Adapted from National Patient Safety Agency, 2006) Work along the columns to assess the severity of your risk on the scale from 1 to 5 to determine the impact score (number indicated at the top of the column).

IMPACT DOMAIN Negligible (1) Minor (2) Moderate (3) Major (4) Extreme (5)

Impact on the safety

• f our patients, our

staff or the public (includes physical and/or psychological harm) Event (adverse or

• therwise) resulting in a

minor injury which:

• Requires minimal

intervention or treatment.

• Does not require any

time off work for the injured person.

• Does not impair

psychosocial functioning - that is aspects of the injured person’s social and psychological behaviour. Minor injury or illness requiring first aid treatment and potentially resulting in:

• Less than three (3)

days off work or debilitation.

• One (1) to three (3)

days stay in hospital.

• Impaired

psychosocial functioning greater than three (3) days and less than one (1) month. An event which impacts a small number of patients, staff or the public and/or may also result in moderate injury requiring:

• Professional medical

intervention or treatment e.g. a fracture, counselling, etc.

• Report to an external

agency.

• Four (4) to 14 days
• ff work or

debilitation.

• Three (3) to eight (8)

days hospital stay.

• Impaired

psychosocial functioning greater than one (1) month less but than six (6) months. Mismanagement of patient, staff and/or public care with long-term effects and/or major injuries leading to long term incapacity or disability (physical or emotional) requiring:

• Medical treatment

and/or counselling.

• Fifteen (15) or more

days off work or debilitation.

• Nine (9) or more

day’s hospital stay.

• Impaired

psychosocial functioning greater than six (6) months. Incident leading to DEATH or major permanent incapacity. Event which impacts a large number of patients, staff or the public. Permanent psychosocial functioning incapacity.

Page 14 of 23 LF, July 2017

Table 6.3: Risk likelihood of occurrence estimation (grading, rating):

(Adapted from National Patient Safety Agency, 2006) What is the likelihood of the impact occurring? TIME-FRAMED-based and GENERAL frequency-based likelihood calculators are presented below which are appropriate in most circumstances.

Likelihood “TIME-FRAME-BASED” scores with descriptors and example definitions

Score: 1 2 3 4 5 Descriptor: Rare Unlikely Possible Likely Almost certain Frequency: Not expected to

• ccur for years

Expected to occur at least annually Expected to occur at least monthly Expected to occur at least weekly Expected to occur at least daily

Likelihood “GENERAL FREQUENCY-BASED” scores with descriptors and example definitions

Score: 1 2 3 4 5 Descriptor: Rare Unlikely Possible Likely Almost certain Frequency: How often might

• r could the risk
• ccur?

This will probably never happen or recur We do not expect it to happen or recur but it is possible it may do so It might happen or recur occasionally It will probably happen or recur but it is not a persisting issue It will undoubtedly happen or recur, possibly frequently

Page 15 of 23 LF, July 2017

Activity 7: TEAM-based risk evaluation (Facilitator-led)

• 1. Following the risk evaluation guidance provided below, continue to apply the adapted National Patient

Safety Agency (2006) risk assessment and management program to carry out a risk evaluation exercise for the risks identified and estimated in "Table 6.1” of “Activity 6”.

• 2. Refer to “Table 7.1: Risk estimation (rating, grading)” and "Table 7.2: Risk Evaluation (guidance)"

for guidance to collaboratively evaluate your risks and record risk evaluations outcome for each risk in the “Risk evaluation (L, M, H, EH)” column of “Table 6.1” in “Activity 6”. [5 minutes to complete]

Table 7.1: Risk estimation (rating, grading):

(Adapted from National Patient Safety Agency, 2006)

Likelihood

1 2 3 4 5

Impact score

Rare Unlikely Possible Likely Almost certain 5 Catastrophic 5 10 15 20 25 4 Major 4 8 12 16 20 3 Moderate 3 6 9 12 15 2 Minor 2 4 6 8 10 1 Negligible 1 2 3 4 5

Page 16 of 23 LF, July 2017

Table 7.2: Risk evaluation (guidance)

(Adapted from National Patient Safety Agency, 2006) Risk rating Risk evaluation descriptor Action (suggested) 1 - 3 Low risk Maintain your existing controls (review max. 12 mths.) 4 - 6 Moderate risk Ensure regular monitoring and review of existing controls (review max. 6 mths.) 8 - 12 High risk Improve existing controls and/or add further risk controls (review max 3 mths.) 15 - 25 Extreme risk Strengthen existing risk controls and/or add further risk controls immediately.

Activity 8: TEAM-based risk control

• 1. Brainstorm, critically identify and prioritise THREE (3) potential risk controls for the highest rated risk

your TEAM identified, estimated and evaluated in "Table 6.1” of “Activity 6” (for guidance please refer to Appendix B).

• 2. Use “Table 8.1” to record and plan the implementation of the most effective/efficient control.
• 3. You can use “Table 8.2” to calculate the risk reduction potential of your controls and hence underpin

your prioritisation. [15 minutes to complete]

Page 17 of 23 LF, July 2017

Table 8.1: Risk control implementation planner (Adapted from National Patient Safety Agency, 2006) Risk ID Assigned priority Control action required Assigned to Date for completion Date for evaluation Table 8.2: Risk control analyser (Adapted from National Patient Safety Agency, 2006) Risk ID Before risk rating Control action After risk assessment After risk rating

(I x L)

Risk reduction potential

(Before - After)

Assigned priority

• Imp. (I)
• Like. (L)

Page 18 of 23 LF, July 2017

Activity 9: Workshop reflection and commitments

As a TEAM, critically reflect on our workshop and all activities completed identifying:

• 1. A TEAM-agreed KEY learning.
• 2. A commitment that the TEAM will “sign-up to”.
• 3. How the TEAM shall hold each other accountable for this commitment?

TEAM-agreed key workshop learning: TEAM-agreed commitment: As a result of this workshop all TEAM members shall commit to: within three (3) working weeks of returning to there are of practice/work place [10 minutes to complete]

Page 19 of 23 LF, July 2017

Final thoughts

I wish you the very best of luck in all of your risk management activities and leave you with a final few words of risk management wisdom…

Be more risk-aware! Risk-awareness isn’t a technique; it’s a state of mind, be alert

to risk all the time.

Get integrated! Make risk management “built-in, not bolt-on” in your organization, “just

the way we do things around here!”.

Do take sensible "controlled" risks! Do not be paralyzed by risk, rather take

risk with our “eyes wide open”.

Get started & don’t ever give up! Risks do not disappear after you have

attended this workshop & your initial enthusiasm is gone - risk exposure is dynamic, changing frequently & hence the risk process is iterative and organic.

Page 20 of 23 LF, July 2017

References

Covey, S. R. (1989). The seven habits of highly effective people: powerful lessons in personal change. UK: Simon & Schuster. Health Services Executive. (2011). Risk Assessment Tool and Guidance (Including guidance on application). Quality and Patient Safety Directorate, HSE. Retrieved from http://www.hse.ie/eng/about/Who/qualityandpatientsafety/MeasuringandLearning/SCDQIDQIProgramme/Ris k_Assessment_Tool_and_Guidance.pdf. Hillson, D. (2010). Exploiting Future Uncertainty: Creating Value from Risk. UK and USA: Routledge.

• ISO. (2009). ISO 31000 Risk Management - Principles and guidelines. Geneva: ISO Publications.

ISO/IEC. (2011). ISO 27005 Information technology - Security techniques - Information security risk management (2nd ed.). Switzerland: ISO Publications. National Patient Safety Agency. (2006). Risk assessment programme overview. London: National Reporting and Learning Service. Office of Government Commerce. (2009). Managing Successful Projects with PRINCE2 (2009 edition). London: The Stationery Office.

Page 21 of 23 LF, July 2017

Appendix A: Risk metalanguage guidance

(Adapted from Hillson, 2010) In order to better identify risk, risk metalanguage can be used to construct risk statements composed of three (3) components - “cause” - “risk” - “effect” (Figure A.1). Figure A.1: The three (3) components required for better risk statements This methodology results in risk statements in the following (or similar) format: “As a result of/due to <definite cause>, an <uncertain event or risk> may occur, which would lead to <effect on objective(s)>.” The use of risk metalanguage can ensure that risk identification actually identifies risks as opposed to causes or effects. Without its use, risk identification can produce a list of organization risks with a mix of risks and non-risks (symptoms), leading to confusion, error and/or distraction later in a risk process. It is additionally of good value to consider the following key guidance with regard to identifying risk:

• Always state risks and not impacts (symptoms) arising from the risks.
• Avoid stating risks which do not impact on objectives.
• Avoid defining risks with statements the converse of the objectives.

Page 22 of 23 LF, July 2017

Appendix B: The PRACT guide to critical control option assessment

(Adapted from Office of Government Commerce, 2009) Control approach Guidance

Prevent the risk

This should always be the first option considered as risk prevention is the single most effective control available. Unfortunately the only way you can prevent a risk is to stop the activity that generates the risk in the first place - not often possible. For example when attempting to control the risk of staff shortages in an organization, risk prevention would require the organization to stop providing its services completely! Thus whilst prevention should always be the first risk control consideration, and worthy of initial critical discussion, it will often not be a feasible control for an organization

Reduce the risk

Also referred to as "risk mitigation", this is a risk control which can reduce the impact of a risk should it occur, reduce the likelihood occurrence of the risk or both. Returning to the example of controlling the risk of staff shortages in a specific Dept., broad risk reduction controls could include careful workforce planning and management and/or the use of "agency" or "contract" staff. If these control option examples are considered closely, it can be seen that neither control will reduce the impact to an organisation should the risk occur, however they both can certainly reduce the likelihood of the risk occurring in the first place. Investigating possible example risk reduction controls further, an organisation could consider the introduction of a new policy and procedure which will temporarily stop new customer activities when capacity is reached. The implementation of this control could reduce both the impact of the risk as well as the likelihood of occurrence.

Accept the risk

Also referred to as "risk retention", risk acceptance is the critically informed decision "to do nothing but monitor closely" even when he severity if a risk is beyond what an

• rganization believes is acceptable. Risk acceptance is a control choice when an
• rganization is informed through significant, compelling evidence that the "organizational

cost" to implement a control is more "costly" than any actual "loss costs" should the risk

• ccur. It is the balance of the "cost of loss" (or "lost opportunity") versus the effort to control

the risk versus the benefits derived from the activity generating the risk in the first place. For example if an organization decides that the only way to control certain physical environment risks resulting from an aging building is to build a new environment, yet it does not have the fiscal resources to do so, and has no choice but to provide its services from the existing environment, it may take the informed decision to accept such risks. In reality it is highly recommended that an organization investigates other risk controls, irrespective of how minor they may be, to attempt some control an unacceptable risk. In the physical environment risks example presented, at a minimum the control of staff awareness of the risks in their environment should be applied.

Page 23 of 23 LF, July 2017

Control approach Guidance

Contingency planning

Controlling a risk through the application of a contingency or "back-up plan" is identifying a "Plan B" if the primary "Plan A" fails and a risk occurs as an incident. An example of contingency planning as a control is to have a fully functioning "standby" piece of equipment which can be switched into operation should the first piece of equipment

• fail. One of the challenges with contingency planning control is the cost of the

implementation of the control - in the case of the fully functioning "standby" piece of equipment, both the cost of an identical piece of equipment (possibly complex and expensive) as well as the cost of having such an expensive piece of equipment standing idle.

Transfer the risk

Also referred to ask "risk sharing", risk transference "shifts" the "cost" of a risk onto another

• party. Classic risk transference include the use of insurance policies which insures an
• rganization against loss "impact" should a risk occur or the use of contracts, service level

agreements or outsourcing with associated penalty clauses. Caution is always advised when implementing risk transfer as organizations can often make the mistake of believing that they have fully transferred a risk to a 3rd party through insurance policy or 3rd party outsourcing contract when in practice they are actually "sharing" the risk; if the insurance company or 3rd party contractor goes out of business, the risk will revert back to the organization as the first party. For example, liability or indemnity insurance helps protect professionals and their

• rganizations from bearing the full cost of defending against a negligence claim, but does

not transfer the risk of negligence occurring in the first place - this risk still lies with the

• rganization. The insurance policy or 3rd party contract simply provides that if an adverse

event occurs involving the policy or contract holder, then compensation may be payable to the policy or contract holder that is commensurate to the suffering/damage.