
A Guide to Healthcare Risk Management Planning

How Do You Create a Risk Management Plan?


Risk management advisors have the responsibility of creating a plan that includes all practices and procedures and meets the demands of all interested parties. This means that as the advisor, you’ll need to review the needs of each of the organization’s stakeholders — including the leadership, staff, patients, visitors, and community you serve.

While no single plan applies to all types of practice environments, using the steps below can help you create a plan unique to your specific needs and the risks specific to your organization and practice. For example, if your facility is a college health clinic, your risks will be different from those of a dental office.

Remember: This structure is just a sample recommendation. You must design a plan that’s tailored specifically to your organization and its needs. That may require additional topics and categories not listed here, or the revision or removal of items we included. Here are the steps to take to create a risk management plan and process for your organization.


The 5 Steps to Creating a Healthcare Risk Management Plan

Step #1: Create a formal document that describes your plan in detail.

The plan should begin with a list of these elements:

  • Name and location of your organization
  • The plan’s purpose
  • Your organization’s mission statement
  • Person(s) acting as risk manager(s)
  • Key leaders of the organization
  • Person(s) designated to communicate information about possible risks or actual events
  • How information will be communicated
  • Person(s) to whom the information will be reported (staff, leadership, the community, government agencies, etc.)

You will want to consult with your organization’s leadership and/or legal department for guidance as you develop and finalize your plan. You may also want to schedule recurring reviews of the final plan once it’s complete (e.g., at least once a year).

Step #2: Identify the actual/potential risks within your organization, practice, department, or project.

The strategies you’ll use to identify risks should depend largely on the focus and scope of your organization. Methods used to identify risk can be as simple as interviewing your staff to compile a list of past events, or as complex as implementing diagrammatic identification techniques, like a fault tree analysis or an Ishikawa (fishbone) cause-and-effect diagram.

The goal of this step is not only to list as many actual and potential risks as you can, but also to review the policies, procedures, general practices, organizational structure, and physical environment that give rise to them, so that each risk is identified and planned for.

Step #3: Analyze the risk.

Once you determine what your risks are, you’ll then want to assess the probability of an adverse event actually happening. Analyzing the probability of each risk is done both qualitatively and quantitatively.

  • Qualitative Risk Analysis: Done first by the risk manager or planner, this analysis estimates the probability of each negative outcome happening. Risks are separated into one of three categories: “Low” (i.e., a 30 percent or less chance of happening); “Medium” (between 30 and 70 percent); or “High” (more than 70 percent chance).
  • Quantitative Risk Analysis: A quantitative risk analysis involves assigning a numeric value (e.g., 1-4 or 1-5) to each established risk that categorizes how severe its impact could be if it happened. For this step, risk assessors or planners may choose to assign descriptive words (e.g., “low,” “medium,” “high”) instead of a number scale.

From these assessments, you’ll be able to decide where to prioritize your risk prevention efforts, starting first with the high qualitative risks that also have high quantitative impacts.

Step #4: Respond to the risk.

Once you’ve analyzed each established risk in Step 3, plan your response to each risk using the approaches below. It’s also helpful to assign each risk to a particular staff person who is responsible for its precautionary (mitigation) and reactionary (contingency) measures. That way, if the adverse event does happen, your team knows who owns the risk and how to respond.

  • Mitigation: Document how you will take action to lower the probability of the particular risk.
    • Example: Patient fall
      • Train all staff to keep bed rails up when patients are in bed.
      • Ensure floors are clean and dry; add signage when floors are wet.
  • Contingency: List specific steps to take if the adverse event occurs so you can minimize the size and scope of any negative outcomes from the event.
    • Example: Patient fall
      • Notify a physician.
      • Apply comfort measures to the patient.
      • Provide diagnostic tests for injury.
  • Transfer: Move some financial responsibility for the risk to another entity, such as an insurance company or the bed rail manufacturer.
  • Avoidance: Eliminate the risk entirely, if possible (e.g., faulty equipment is removed).
  • Acceptance: Accept the reality of the risk and don’t take any further action.

Step #5: Manage the risk.

Once a risk occurs, you have to provide for reporting, controlling, and monitoring the events that follow. Ongoing assessment of these planned responses is required, as is continuous evaluation of all risks. This includes:

  • Creating reporting forms
  • Establishing reporting procedures
  • Establishing the flow of communication between all involved parties
  • Monitoring responses

Image courtesy of Sutton

The views expressed in this article are those of the author and do not necessarily reflect those of Berxi™ or Berkshire Hathaway Specialty Insurance Company. This article (subject to change without notice) is for informational purposes only, and does not constitute professional advice.
