The Risk Management Process – How to Maintain an Effective Risk Management Program

A risk management program is a complicated but necessary initiative within organizations. However, by following a distinct process, organizations can maximize the effectiveness of their risk management program.

Identifying and Analyzing

To effectively manage risk, management must first identify the risks that pose the threat of a loss.

Risk managers use a variety of methods to collect information to identify such risks, the common of which is incident reporting, which is the reporting of any incident that is NOT consistent with the standard of care. Incident reports help identify training opportunities and weak processes within operations.

Occurrence screenings, also a common used method to identify possible exposures, are often done as apart of quality assurance initiatives.

Patient feedback, such as complaints or results from patient satisfaction surveys, is also used to identify potential loss exposures.

Past data can be very valuable in identifying risk and also addressing it, as it provides lessons learned from past mistakes or near misses. By analyzing past data, risk managers can identify the root cause of an incident that lead to a loss. Past occurrences help managers analyze the potential impact of current risks, and helps managers prioritize potential exposures.

Open communication between management and staff may be considered the most effective form of risk identification, as it can produce valuable information regarding the effectiveness of processes and any potential weaknesses within processes.

Once potential risks are identified, they must be analyzed in order to determine their significance. Risk managers must prioritize risks based on their potential for financial loss. Managers should prioritize addressing potential events that could lead to substantial losses over smaller threats that would be less costly.

Evaluate Possible Risk Management Techniques

Techniques used to manage risk can be broken down into two categories:

– Risk Control: techniques that are aimed at preventing or reducing loss

– Risk Financing: techniques used to pay for losses that occurred

Risk Control Techniques


Avoidance techniques are those used to eliminate the possibility of a loss entirely. If a risk that cannot be reduced exists within a particular activity, avoiding that activity would in effect avoid the risk associated with it.

Loss Prevention

Loss prevention reduces the likelihood of a potentially compensable event from occurring.

Loss prevention practices include reviewing and implementing policies and procedures and educating staff.


Educating staff about existing regulations regarding the release of a patient’s medical records or protected health information is a loss prevention technique as it reduces the possibility of an occurrence.

Loss Reduction

Loss reduction techniques are used to reduce the potential consequences of an event that has occurred.

Diligence is key in exercising reduction strategies, as damages awarded can be much lower for an organization that exemplified diligence in attempting to prevent an occurrence or following up on an occurrence that has happened (investigating the occurrence and determining its root cause).

Another example of a loss reduction technique is if a medical facility were to use fire retardant materials during construction. This would reduce total loss considerably in the event of a fire.

Segregation of Loss Exposures

Segregating loss exposures involves arranging an organization’s operations and resources in a way that if a loss occurs, its overall effect on the organization would be minimized.


A separation technique relates to the saying, “don’t keep all of your eggs in one basket”, as it involves dispersing activities and resources over multiple locations.


Facilities and vendors may store their inventory in multiple locations in the event of a fire or any other event that would damage inventory.

Medical practices may also choose to avoid contracts with vendors and purchase through multiple vendors in case a vendor were to run out of stock on an item.


Duplication techniques are used to serve as back up in the event of a loss. Many practices keep copies of patient medical records in case of an event that damages the originals.

Duplication techniques are also used in terms of physician coverage.


It is mandatory that when chemotherapy is being administered to a patient, that a physician or mid-level is on site in case of if a patient experiences a reaction to the drug. If only one provider were available to cover, and something arose causing the provider to have to leave, then the chemotherapy treatment would NOT be able to be given or would be a violation to do so.

Contractual Transfer of Risk Control

Contractual transfer of risk control involves transferring risk from one party to another. An example of this is when a medical office leases property, thereby transferring the risk of loss or damage to the properties owner.

Risk Financing

Risk Retention

Risk retention is a technique that involves planning on how to cover losses if they were to occur.

The simplest risk retention technique is to simply pay for a loss as it occurs. This is not viable for smaller organizations, depending on the amount of the loss.

Organizations may also accrue dollars in a funded reserve which can be used to cover any future loss.

Organizations may also borrow funds to cover losses.

Physicians also carry extensive malpractice insurance policies to help cover any loss that is incurred.

Risk retention should be considered when:

• There are known risks that cannot be reduced or avoided

• A risk does not carry much potential for great loss and the organization can pay for any loss itself

• There are predictable losses

Risk Transfer

Risk transfer involves an organization transferring only the financial liabilities to another party, while still assuming the legal obligations. This is typically done by purchasing outside insurance policies.

Select a Risk Management Technique

Organizations should implement at least one risk control technique and one risk financing technique.

Selecting the most effective technique requires an organization to predict how a selected technique would affect its mission and goals (i.e. it may not be viable for a specialist to avoid risks by avoiding procedures that are necessary for that particular specialty).

The organization must also consider which technique is most cost-effective in respect to it’s operations.


Implementation requires communication between risk management, department heads, and organizational leaders. All leadership must understand the techniques chosen to be implemented and educate staff of their importance and purpose.

Communication and education ensures that implementation of any technique is smooth, effective, and understood.

Monitor and Improve the Implemented Technique

Once a technique has been implemented, its effectiveness must be closely monitored, evaluated, and improved when needed by management. Risk management techniques can be very complex in nature, and require fine tuning when put to work.