A Guide to Risk Management in Healthcare

How to Create a Risk Management Plan


Risk management advisors have the responsibility of creating a plan that includes all practices and procedures and meets the demands of all interested parties. This means that as the advisor, you’ll need to review the needs of each of the organization’s stakeholders — including the leadership, staff, patients, visitors, and community you serve.

While no single plan applies to all types of practice environments, using the steps below can help you create a plan unique to your specific needs and the risks specific to your organization and practice. For example, if your facility is a college health clinic, your risks will be different from those of a dental office.

Remember: This structure is just a sample recommendation. You must design a plan that’s tailored specifically to your organization and its needs. That may require additional topics and categories not listed here, or the revision or removal of items we included. Here are the steps to take to create a risk management plan and process for your organization.

The 5-Step Process for Creating a Risk Management Plan in Healthcare

Step #1: Create a formal document that describes your plan in detail.

The plan should begin with a list of these elements:

  • Name of Your Organization
  • Location of Your Organization
  • Plan’s Purpose
  • Your Organization’s Mission Statement
  • Person(s) Acting as Risk Manager(s)
  • Key Leaders of the Organization
  • Person(s) Designated to Communicate Information About Possible Risks or Actual Events
  • How Information Will Be Communicated
  • Person(s) to Whom the Information Will Be Communicated (e.g., staff, leadership, the community, government agencies)

You will want to consult with your organization’s leadership and/or legal department for guidance as you develop and finalize your plan. You may also want to consider scheduling recurring reviews of the final plan once it’s complete (e.g., at least once a year).

Step #2: Identify the actual/potential risks within your organization, practice, department, or project.

The strategies you’ll use to identify risks should depend largely on the focus and scope of your organization. Methods used to identify risk can be as simple as interviewing your staff to compile a list of past events or as complex as implementing diagrammatic identification techniques, like a Fault Tree Analysis or an Ishikawa (fishbone) cause-and-effect diagram.

The goal of this step is not only to identify as many actual and potential risks as possible, but also to review the policies, procedures, general practices, organizational structure, and physical environment so that the risks arising from them are identified and planned for.

Step #3: Analyze the risk.

Once you determine what your risks are, you’ll then want to assess the probability of an adverse event actually happening. Analyzing the probability of each risk is done both qualitatively and quantitatively.

  • Qualitative Risk Analysis: Done first by the risk manager or planner, this analysis determines the probability of each negative outcome happening. Risks are separated into one of three categories: “Low” (i.e., a 30 percent or less chance of happening); “Medium” (between 30 and 70 percent); or “High” (more than 70 percent chance).
  • Quantitative Risk Analysis: A quantitative risk analysis involves assigning a numeric value (e.g., 1-4 or 1-5) to each established risk that categorizes how severe its impact could be if it happened. For this step, risk assessors or planners may choose to assign descriptive words (e.g., “low,” “medium,” “high”) instead of a number scale.

From these assessments, you’ll be able to decide where to prioritize your risk prevention efforts, starting first with the high qualitative risks that also have high quantitative impacts.

Step #4: Respond to the risk.

Once you’ve analyzed each established risk in Step 3, plan your response to each risk using the processes below. It’s also helpful to assign each risk to a particular staff person who will take precautionary (mitigation) and reactionary (contingency) measures. That way, if the adverse event does happen, your team knows who owns the risk and how to respond.

  • Mitigation: Document how you will take action to lower the probability of the particular risk.
    • Example: Patient fall
      • Train all staff to keep bed rails up when patients are in bed.
      • Ensure floors are clean and dry; add signage when floors are wet.
  • Contingency: List the specific steps to take if the adverse event occurs so you can minimize the size and scope of any negative outcomes from the event.
    • Example: Patient fall
      • Notify a physician.
      • Apply comfort measures to the patient.
      • Provide diagnostic tests for injury.
  • Transfer: Move some of the financial responsibility for the risk to another entity, such as an insurance company or the bed rail manufacturer.
  • Avoidance: Eliminate the risk entirely, if possible (e.g., faulty equipment is removed).
  • Acceptance: Accept the reality of the risk and don’t take any further action.

Step #5: Manage the risk.

Once a risk occurs, you have to allow for reporting, controlling, and monitoring the events that follow. Ongoing assessment of these planned responses is required, as well as continuously evaluating all risk. This includes:

  • Creating Reporting Forms
  • Establishing Reporting Procedures
  • Establishing the Flow of Communication Between All Involved Parties
  • Monitoring Responses

Example of a Risk Management Plan in Healthcare

We created an example of a healthcare risk management plan using the steps and structure shown above. For the sake of easy reading, we've broken up the plan into two sections: Step 1 will be in bullets, while Steps 2-5 will be in a table. Ideally, this format will allow you to view each risk prevention step and reaction process in an organized layout.

Here's an example of what Step 1 could look like:

  • Organization Name: J. Doe General Hospital
  • Organization Location: Anytown, Anystate, USA
  • Plan’s Purpose: "To create the safest environment for our patients, staff, and visitors by identifying, assessing, responding to, and learning from risks."
  • Organization’s Mission Statement: "To provide compassionate, high-quality care to the community. To treat and care for all patients and their guests as if they were our family. To educate healthcare professionals and pursue research efforts to achieve higher rates of prevention and cures."
  • Name of Risk Manager(s):
  • Names of Organization’s Leaders:
  • Person(s) Designated for Communicating Information About Possible Risks or Actual Events:
  • How Information Will Be Communicated: "Meeting to be held by June 10, with quarterly training sessions as follow-up. Determine which staff members will communicate information to and from staff and all involved in an event. This can be a risk manager, unit or departmental managers, or other designees as appointed by the organization’s leadership. Schedule ongoing training for staff as appropriate to your organization to discuss current risk management strategies."

And here's an example of what Steps 2-5 could look like:

Risk Management Plan, Steps 2-5: Identify, Analyze, Respond, & Manage Risk

Risk: Patient falls

Person Handling Risk: N/A; all medical staff are trained in fall prevention.

Probability: High in the acute care and long-term care settings, and for certain patient populations.

Qualitative Score: High risk

Quantitative Score: 5

First Response:
  • Mitigate:
    • Ensure bed rails are always up when patients are in bed.
    • Use bed alarms if the patient is at high risk for falls.
    • Ensure wet floors are cleaned up promptly.
    • Use prominent signage warning of wet floors and block access.
  • Contingency:
    • Notify physician.
    • Apply comfort measures (ice, pillows, splint the patient’s injury) as appropriate.
    • Take patient to X-ray as needed.
    • Notify risk manager and family.
  • Transfer:
    • If a faulty bed rail design contributed to the fall, contact the manufacturer and insurance carrier to report the event for possible reimbursement of costs related to the patient injury.
  • Avoidance:
    • Permanently remove faulty equipment that contributed to the event.
  • If the patient broke free from bed restraints due to improper application (staff responsible for the incident), educate staff on the proper use of restraints for confused or agitated patients.

Management:
  • Notify physician.
  • Notify environmental services.
  • Notify department or unit manager.
  • Notify risk manager.
  • Respond promptly to the injured patient, family, and staff.
  • Re-educate staff if something they did contributed to the fall.
  • Follow up with the injured patient.
  • Conduct ongoing tracking of falls with a goal of reducing their frequency.
  • Ensure ongoing staff education regarding fall prevention protocols.

One example of how you can format a healthcare risk management plan.

Image courtesy of iStock.com/tzahiV

Last updated on Aug 25, 2021.

Originally published on Aug 15, 2018.

The views expressed in this article are those of the author and do not necessarily reflect those of Berxi™ or Berkshire Hathaway Specialty Insurance Company. This article (subject to change without notice) is for informational purposes only, and does not constitute professional advice.
