An experience in integrated management of clinical risks

Fernández-Castelló, A.I.; Valle-Pérez, P.; Pagonessa-Damonte, M.L.; Blazquez-Muñoz, M.; Tomás, J.F.

doi:10.1016/j.jhqr.2018.09.002

Article information

Abstract

Full Text

Bibliography

Download PDF

Statistics

Figures (2)

Tables (3)

Table 1. 4×4 risk matrix.

Table 2. Number of risks and recommended control pre- and post-validation per area of application and totals.

Table 3. Examples of risks, controls and categorisation.

Show moreShow less

Abstract

Background

Manage clinical risks under the integrated risk management model of the BUPA organization (British United Provident Association).

Materials and methods

BUPA is an international group that provides health insurance and healthcare services. The project has been limited to Europe and Latin America (ELA) and this article presents the results related to hospitals.

The integral risk management model was based on a governance structure, a risk management framework and the risk management itself (continuous process of identification, evaluation, management, monitoring and reporting).

For the latter, a catalog of potential clinical risks was drawn up, using the Joint Commission International (JCI) standards as a reference and applied to a hospital to identify the risk to which they were exposed in their daily activity. An evaluation was conducted, based on its impact and probability of occurrence and depending on the residual and inherent score obtained, the action on each risk and the effectiveness of the controls were determined.

A continuous monitoring of the risk profile and the information to share with the Board was defined.

Results

The catalog consisted of 126 risks and 479 controls, divided by areas of application.

In the assessment of the inherent risk, 84% of the risks were at an acceptable and assumable level, and in 16% it was necessary to establish an action plan.

Conclusions

Under the conditions of the study, we believe the benefits of implementing an integrated management of clinical risk system consisted in providing services that meet the legal requirements and standards of good practice (in our case, the JCI's standards). They allowed us to advance in the organization's management of, improving its efficiency in the allocation of resources for risk management and adaptation to the environment and the patient. In addition, this strategy can facilitate decision-making and encourage the organization's transformation capacity.

Keywords:

Enterprise risk management

Clinical risk management

Safety management

FMEA

Risk register

High reliability organizations

Resumen

Objetivo

Gestionar los riesgos clínicos bajo el modelo de gestión de riesgo integral de la organización BUPA (British United Provident Association).

Materiales y métodos

BUPA es un grupo internacional que proporciona servicios de seguros de salud y asistencia sanitaria. El proyecto se ha circunscrito a Europa y América Latina (ELA) y en este artículo se presentan los resultados relativos a hospitales.

El modelo de gestión de riesgo integral se basó en una estructura de gobierno, el marco de gestión de riesgo y la propia gestión de los riesgos (proceso continuo de identificación, evaluación, gestión, seguimiento y notificación).

Para esto último, se elaboró un catálogo de riesgos clínicos potenciales, utilizando como referencia los estándares de Joint Commission Internacional y se aplicó en un hospital para identificar el riesgo al que estaba expuesto en su actividad diaria. Se realizó una evaluación a partir de su impacto y probabilidad de ocurrencia, y en función de la puntuación residual e inherente obtenida, se determinó la actuación sobre cada riesgo y la eficacia de los controles.

Se estableció el seguimiento continuo del perfil de riesgo y la información a compartir con el Consejo.

Resultados

En el catálogo constó de 126 riesgos y 479 controles, divididos por ámbitos de aplicación.

En la evaluación del riesgo inherente se obtuvo un 84% de los riesgos en unos niveles aceptables y asumibles, y en el 16% fue necesario establecer un plan de acción.

Conclusiones

En las condiciones del estudio, creemos que los beneficios de la implementación fueron la capacidad para proporcionar servicios que satisfagan los requisitos legales y los estándares de buenas prácticas, avanzar en la gestión de la organización mejorando su eficacia en la asignación de recursos para la gestión del riesgo y la adaptación al entorno y al paciente.

Palabras clave:

Gestión integral riesgos

Gestión riesgo clínico

Seguridad del paciente

AMFE

Mapa de riesgo

Organizaciones de alta confiabilidad

Full Text

Introduction

The combination of processes, technologies and human interactions that make up healthcare services entails an unavoidable risk that adverse events may occur. Studies in countless countries and health systems have shown that patients in hospitals – and at other levels of healthcare – are subject to potentially preventable adverse events (AEs).1 These AEs have notable consequences such as an increase in hospital stays and direct and indirect costs2 that make patient safety an area of growing interest.

Despite the fact that many advances have been throughout 15 years of work towards improving patient safety more explicitly, the improvements made in the healthcare sector cannot be compared to those achieved by other organisations considered to be high risk (safety critical industries)3 that have established control systems to avoid catastrophic situations, thus transforming them into high reliable organisations (HROs) such as the aviation, nuclear or petrochemical industries in the past.4 From these examples we have learned that the problem is approachable in a positive way, establishing the bases for a corporate policy oriented to the assessment of risks in all the organisation's processes.5

Identifying and understanding the risks that any organisation could face, and how to manage them, helps minimise the uncertainty it is exposed to when decisions are made.6 The framework is a tool in itself, which allows risks to be identified in order to adopt measures to reduce and manage them.7

Risk management must be part of the organisation's management, to verify that the activity is carried out with an acceptable level of risk, given the control measures; and that in those cases where the risk is assessed as being unacceptable, additional measures are established to mitigate it.8

There are two different management approaches: (1) “retrospective or reactive” approach, based on the detailed analysis of the incidents occurring in the organisation itself or in others with similar characteristics, and (2) a priori “prospective or predictive” approach, which attempts to estimate the risk by identifying possible events that could occur in the services rendered.9 This second approach has proven its effectiveness in HRO and is beginning to be applied in healthcare sector.1

Given that this practice is less mature in the health field, the introduction of regulatory-based approaches could contribute to their more structured and stricter application. At the same time, the necessary risk management culture would be generated in the health sector.5

The aim was not a break up with the path followed for more than two decades, but instead, to introduce well-proven industry best practices. For this purpose, in 2016, the BUPA group (British United Provident Association) set itself the goal of managing clinical risks under the organisation's integrated risk management model and in accordance with the requirements of European Solvency Directive II on the internal assessment of risks and solvency.10,11

Materials and methods

BUPA is an international group that provides health insurance, health, dental and long term care (residences mostly for seniors). It was established as a company limited by guarantee, therefore, it does not have shareholders, and not having to pay dividends it reinvests its profits in its own activities.

The risk management plan considered the following factors:

-
Context: the organisation's environment, in its internal and external scope.
-
Risk assessment: defining the elements that generate the risk, its cause and effects.
-
Treatment: once the risks have been established and their effects analysed, the organisation must propose strategies to manage them, or whenever possible, eliminate them.

The project covered all of BUPA's care organisations in Europe and Latin America (ELA), according to their care activity sectors, but this article only presents the results related to hospitals.

Study period: 2017–18

The integrated risk management model was based on a governance structure, the risk management framework and the management of the risks per se. All the risks, including the clinical risks, are managed under the same model, although this article only refers to clinical risks.

The purpose of the organisational or governance structure was to support the functioning of the model and is made up of different committees that report to the Board of directors and guarantee the model's effectiveness. This structure was completed with the description of responsibilities and obligations in risk management at all levels of the organisation, along the so-called Three Lines of Defence model12 (LoD). The LoD model offers a simple and effective way of communication and risk management applicable to any organisation regardless of its size or complexity:

-
The first line of defence, formed by all the workers, teams and positions not included in the 2nd and 3rd lines, had the following functions: detecting, managing and notifying the risks and monitoring and verifying the effectiveness of the controls and compliance with external policies and regulations.
-
The second line of defence corresponded to the Medical Management department, for the clinical risk, tasked with advisory and support functions to the first line, and with independent supervision and control of the risk management actions performed by the first line.
-
The third line was formed by the BUPA's Internal Audit team. It offered independent guarantees of compliance with the risk management model to the Board of Directors.

Risk management framework

Detailed the main activities to ensure a reliable and continuous risk management system.

Risk life cycle management

Continuous process of identification, assessment, management, monitoring and notification:

1.
Identifying the organisation's clinical risks

A catalogue of potential clinical risks was prepared to facilitate their identification among hospitals, using the manual of standards of the Joint Commission International (JCI)13 as reference.

In order to assess the catalogue's apparent validity (of context), work groups formed by first-line health personnel (doctors, pharmacists, nurses, quality managers, etc.) were established to validate the content.

A second validation was performed, reviewing the root cause analysis of the critical clinical incidents reported from 2016 to May 2018 (30 months) to confirm that the root causes had been included in the catalogue as risks. The third validation was carried out to confirm whether the failures of the Failure Mode Effects Analysis (FMEA) of the surgical process in a hospital of the group had been included in the catalogue (Fig. 1).

Figure 1.

Risks catalogue validation process.

(0.1MB).

Once validated, the catalogue was applied in a hospital of the group to identify the risk it was exposed to in its daily activity. Evaluating whether or not the risk was applicable to the hospital. And if applicable, that risk was assessed.

2.
Assessment

The identified risks were assessed according to their impact and probability of occurrence in one year (scale 1–4). The assessment was conducted from an inherent point of view, without taking into account the controls implemented by the hospital, and the residual, actual risk level, taking into account the established controls. The result of impact and probability allowed each risk to be rated, on two levels (inherent and residual) using a 4×4 matrix (Table 1). This score (range 16–1), is associated with a risk level. The higher the score, the greater the risk.

3.
Management and monitoring

Table 1.

4×4 risk matrix.

The action on each risk and the effectiveness of the controls were determined based on the residual and inherent scores. From these scores, the continuous monitoring of the risk profile and the information to be shared with the Board was established.

Results

The governance structure for clinical risk management in BUPA was formed by a Clinical Governance Committee reporting to the organisation's Risk Committee, which informed the Board of Directors. The Committee is formed by ELA Medical Management, the Medical/Healthcare Directors of all the ELA business units, and the Legal Advice and Risk and Compliance departments.

The risk management framework developed was based on:

-
Risk appetite, establishing the risk limits that BUPA was willing to assume to obtain the best results for the customer and safely maintain growth. This was transmitted to the entire organisation, evaluated quarterly and the results were presented to the Risk Committee and Board of Directors.
-
Risk map, presents the risks to which the organisation was exposed and the controls that mitigated them.
-
Corporate policies that guaranteed good governance and functioning. The compliance with the policies was evaluated annually, and if they were not 100% fulfilled (“fully met”) the corresponding improvement plans were established (“path to Green”), defining actions and a schedule.

Life cycle of the risk

The catalogue, prepared by Medical Management, listed the possible clinical risks which a healthcare organisation could face in hospital care, and the controls to minimise them were recommended. It contained 126 risks and 479 controls validated by the group of professionals. It was divided into areas of application: maternal-neonatal, anaesthesia and surgical block, drug safety, control and management of infections and a general section (Table 2).

Table 2.

Number of risks and recommended control pre- and post-validation per area of application and totals.

	Pre-validation		Post-validation		Variation %
	Risks	Controls	Risks	Controls	Risks	Controls
Maternal–neonatal	29	113	19	66
Anaesthesia and surgical block	29	127	28	111
Drug safety	59	101	27	91
Control and management of infections	23	75	21	78
General Hospital Care	29	115	31	133

Total	169	531	126	479	25.5%	9.8%

The main causes for modification in the number of risks and controls were related to:

-
Grouping of risks and controls.
-
Similar risks included in all areas of application that were grouped as a single general risk.
-
Elimination of risks and controls.

In the area of drug safety, the number of risks after validation fell almost 56% according to the following causes:

-
51 risks were grouped into 27 risks.
-
5 risks became part of general Hospital Care.
-
3 risks were eliminated.

The average number of risk controls after validation was 3.8 (21% higher than in pre-validation).

With regard to the other two validations to review incidents and perform an FMEA, 96% of the root causes of the critical clinical incidents and 75% of the failures detected in the FMEA of the surgical process were contained in the catalogue.

Of the 126 risks, 92% were classified as patient safety risks and the rest as patient experience risk.

Table 3 shows examples of risks and their controls, categorisation and area.

Table 3.

Examples of risks, controls and categorisation.

Risks	Categorisation	Controls and recommended mitigation actions	Areas
Risk of conducting procedures with sedation when the units do not have the necessary guarantees.	Customer Safety	1. The centre defines the areas in the hospital where sedation can be administered. 2. The centre guarantees the specialised skills or training of staff involved in the sedation process. 3. The centre has specialised medical technology and the necessary medical supplies available in the sedation areas. 4. The procedure is available, known to and applied by the staff.	Anaesthesia and surgical block
Risk of loss of biopsies and tissues due to lack of traceability of intraoperative records.	Customer Safety	1. The centre has procedures to collect intraoperative biopsies or tissues, that define activities to be carried out by those responsible for each stage of the process. 2. The centre has a procedure to establish the minimum records related to surgeries, including the record of biopsies or tissue samples taken. 3. Both procedures are available, known to and applied by the staff. 4. The centre assures that it can identify (trace) biopsy or tissue sample throughout the stages of the process.	Anaesthesia and surgical block
Risk of insufficient care of terminal patients. (Comfort and dignity, care and control of symptoms, spiritual help, and management of terminal pain and suffering).	Customer Care Experience	1. The centre has a specific care procedure for terminal patients, in which it addresses the all-round care of the terminal patient. It ensures control of symptoms, care of the person's suffering and needs, including spiritual aspects (facilitating their management if necessary). 2. The procedure is available, known to and applied by the staff. 3. The centre's professionals evaluate whether the continuity of hospital care can be transferred to the home. If possible, care is provided or managed without leaving the patient unattended at any time. 4. The professionals are trained to deal with terminal patients.	General care
Risk of adverse event due to administration of drug samples.	Customer Safety	1. The centre does not accept medical samples or otherwise, it accepts them and has a reception procedure in which the state of the medication, conservation, batch, expiration, etc. is considered. The form of distribution and dispensing of medicines is also controlled. 2. The centre has a procedure to trace 100% of the centre's drugs according to the batch identifier.	Drug safety

The assessment of inherent risk returned a score of 84% with acceptable levels of risk (in green) and assumable levels (in yellow) (Fig. 2).

Figure 2.

Hospital residual risk profile.

(0.05MB).

Management

With the results of the residual assessment, the reaction to each risk was determined:

-
Avoid: when the activity that generated the risk ceased or was not performed.
-
Mitigate: when measures were taken to limit the impact and/or probability of the risk. A detailed action plan was established to reduce the residual exposure to acceptable levels by indicating the person responsible for the risk and the schedule. The progress was monitored and reported to the second line of defence until its completion. An action plan was established for 16% of the risks.
-
Transfer: partial or total transfer of the exposure to third parties.
-
Assuming exposure to the risk when its management was adequate and the levels did not exceed the tolerance to risk. In this case, 84% of the risks were assumed because they did not exceed the established tolerance threshold.

Monitoring

The following supervision activities were carried out:

-
Periodic review of the risk profile to ensure that it was updated at all times and included the risk record and the assessment of risks and controls.
-
Verification of the effectiveness of the controls according to the inherent assessment level.
-
Supervision of the Key Risk Indicators (KRIs) reported in the risk profile.
-
Annual verification of compliance with the risk policies.
-
Quarterly verification of the risk tolerance thresholds.

Notification

Minimum information requirements were established on the effectiveness of the risk management life cycles, to ensure that they were managed within the established tolerance thresholds:

-
Risk profile.
-
Key risk indicators.
-
Inadequacy of the controls.
-
Progress with respect to the established plans.
-
Incidents detected.

Discussion

The risk management concepts and tools in organisations go beyond the continuous improvement methodology; they allow reorienting the management as a whole, forming a culture that reduces the chances of failure and that responds when an incident occurs.4 Therefore, it is now considered an ethical duty to establish strategies to implement them in health organisations, and to guarantee patient safety, either through the implementation of safe practices or risk management plans applied to the prevention of AEs. This approach can be applied both in the clinical and in the non-healthcare field, with some experiences in our area14 and in our environment.15

The establishment of an Integrated Risk Management System in healthcare organisations15,16 favours the identification of threats, obstacles and opportunities; facilitates the development of standardised processes with improved monitoring and control; and promotes proactivity.

If patient safety is understood as the mitigation of the risks entailed in healthcare procedures, it is necessary to understand and measure them in order to react to them. Risk management should be part of any organisation because it helps its objectives to be met, in this case, to provide care of the highest quality, in conditions of maximum safety and at a reasonable cost.17 The application of these policies in BUPA from 2017, has allowed its professionals to incorporate a risk management methodology in their work dynamics,3,5 independently of their role in the organisation, thus helping to define the possible risks and controls, to quantify their consequences and probabilities, etc. with a highly practical approach transferred to clinical practice. Furthermore, an internal control system has been established, which assesses compliance with the policies.

The most commonly used quality management models follow these guidelines, ISO 9001:2015 (point 6.1) is aimed at the smooth operation of the Quality Management System, in accordance with the objectives set, and requires actions to be planned in response to all the risks and opportunities. This form of risk management replaces the preventive actions from previous versions.18 However, this standard does not establish the risk management methodology that must be used.

The involvement of Senior Management is one of the key factors in the success of this model. In different studies9,16,19 the lack of support has emerged as a clear as a limitation or barrier to its implementation. With a macro approach it is easier to direct the available resources for patient safety towards those risks that require greater attention15,20 and find a balance between resources, to mitigate the risks and the level of confidence that the organisation considers sufficient according to its acceptable level of risk.21

The direct participation of healthcare professionals, with their experience and knowledge, in the identification, assignment of controls and monitoring of risks allows for an open, active and responsible culture in among the organisation's staff.22

The catalogue used in this study for the identification of risks has a manageable number of risks compared to other studies that present a high number of risks as a constraint.15 The use of this catalogue by organisations that do not have an integrated risk management approach could represent a limitation if they leave out structural, operational and financial risks.

Obtaining a list of risks and controls streamlines the work of the first line of defence. The availability of a catalogue of risks and mitigating controls in this study has facilitated the work of the first line in the identification of risk, and will be an advantage to have lists of possible events and barriers to simplify the work and save time in the MARR project.9

Under the conditions of the study, we believe the benefits of implementing an integrated management of clinical risk system consisted in providing services that meet the legal requirements and standards of good practice (in our case, the JCI's standards). They allowed us to advance in the organisation's management of, improving its efficiency in the allocation of resources for risk management and adaptation to the environment and the patient. In addition, this strategy can facilitate decision-making and encourage the organisation's transformation capacity.

Conflict of interests

The authors declare no conflict of interests.

Acknowledgements

Validation group of the risk catalog

Laura Alvargonzalez Slater, Directora de Enfermería, Hospital Universitario Sanitas La Moraleja.
Jorge Anaya Garcia, Responsable Servicio de Farmacia, Hospital Universitario Sanitas La Moraleja.
Luis Manuel Arnaiz Aparicio, Director Médico, Hospital Universitario Sanitas La Moraleja.
Eduardo Cabrillo Rodriguez, Jefe de Servicio de Obstetricia y Ginecología, Hospital Universitario Sanitas La Moraleja.
Mariona Capdevila Subira, Enfermera, Hospital Sanitas CIMA.
Sonia Cruz Pardos, Responsable Servicio de Farmacia, Hospital Universitario Sanitas La Zarzuela.
Maria Jose Fuentes de Frutos, Jefe Servicio de Farmacia, Hospital Virgen del Mar.
Maria Carmen Garcia Batlle, Responsable Servicio de Farmacia, Hospital Sanitas CIMA.
Azahara Garcia Garabaya, Enfermera de Seguridad Clínica y Formación, Hospital Universitario Sanitas La Zarzuela.
Jose Jimenez Martinez, Jefe de Servicio Pediatría y Neonatología, Hospital Universitario Sanitas La Moraleja.
Silvia Lage Piñeiro, Supervisora de Áreas Críticas, Hospital Universitario Sanitas La Moraleja.
Blanca Nuñez de la Torre, Médico Neonatólogo, Hospital Universitario Sanitas La Moraleja.
Jose María Rivera Guzman, Especialista en Medicina Interna, Medicina Preventiva y Salud Pública.
Ana Maria Roman Guindo, Médico Ginecólogo, Hospital Universitario Sanitas La Moraleja.
Mireia Saballs Nadal, Medicina Interna, Hospital Sanitas CIMA.
Roberto Ruiz Abascal, Jefe de Servicio Anestesia y Reanimación, Hospital Universitario Sanitas La Moraleja.

Quality and Risk Department

María de las Nieves Muñoz de la Nava Chacón, Calidad y Riesgo, Bupa Europa y América Latina, Madrid, España.
Roxana Cuesta Coronel, Calidad y Riesgo, Bupa Europa y América Latina, Madrid, España.

References

[1]

E.N. de Vries, M.A. Ramrattan, S.M. Smorenburg, D.J. Gouma, M.A. Boermeester.

The incidence and nature of in-hospital adverse events: a systematic review.

Qual Saf Health Care, 17 (2008), pp. 216-223

http://dx.doi.org/10.1136/qshc.2007.023622 | Medline

[2]

J. Ovretveit.

Does improving quality save money?.

Health Foundation, (2009),

[3]

R. Bloomfield, N. Chozos, D. Embrey, J. Henderson, T. Kelly, F. Koornneef, et al.

Using safety cases in industry and healthcare.

Health Foundation, (2012),

Available from: http://www.health.org.uk/publication/using-safety-cases-industry-and-healthcare [accessed 19.09.17]

[4]

Agency for Healthcare Research and Quality.

Becoming a high reliability organization: operational advice for hospital leaders. AHRQ publication no. 08-0022.

(2008),

Available from: https://archive.ahrq.gov/professionals/quality-patient-safety/quality-resources/tools/hroadvice/hroadvice.pdf [accessed 06.08.18]

[5]

S. Mark, H. Ibrahim, K. Tim, P. Simone, J. Chris.

Should healthcare providers do safety cases? Lessons from a cross-industry review of safety case practices.

Saf Sci, 84 (2016), pp. 181-189

[6]

T. Gil Aldea, D. Comellas Batlles, I. Galdeano Larisgoitia, L.A. Hernandez Videla, A. Jimenez Jimenez, J. Jimenez Nava, et al.

Definición e implantación de apetito de riesgo.

MAPFRE Junio, (2013),

Available from: https://auditoresinternos.es/uploads/media_items/apetito-de-riesgo-libro.original.pdf [accessed 19.06.17]

[7]

I. Casares San José-Marti.

Proceso de gestión de riesgos y seguros en las empresas.

Molinuevo, Gráficos, S.L., (2013),

[8]

Federation of European risk management association. Estándares de gerencia de riesgo. Available from: http://www.ferma.eu/app/uploads/2011/11/a-risk-management-standard-spanish-version.pdf [accessed 24.09.17].

[9]

Proyecto MARR (Matrices de Riesgo en Radioterapia).

(2016),

Available from: http://sefm.es/wp-content/uploads/2017/06/1.-MARR-Documento-MARR.pdf [accessed 09.05.18]

[10]

Directiva 2009/138/CE del parlamento Europeo y del consejo, de 25 de noviembre de 2009 sobre el acceso a la actividad de seguro y de reaseguro y su ejercicio (Solvencia II). DO L 335 de 17.12.2009, p. 1. Available from: https://eur-lex.europa.eu/legal-content/ES/ALL/?uri=CELEX: 32015R0035 [accessed 03.07.18].

[11]

Reglamento delegado (UE) 2015/35 de la comisión de 10 de octubre de 2014 por el que se completa la Directiva 2009/138/CE del Parlamento Europeo y del Consejo sobre el acceso a la actividad de seguro y de reaseguro y su ejercicio (Solvencia II).

[12]

The Institute the Internal Auditors.

The three lines of defense in effective risk management and control.

(2013),

FL, EEUU

[13]

Joint Commission International.

Estándares de acreditación para hospitales de Joint Commission International.

(2014),

Barcelona

[14]

Joint Commission on Accreditation of Healthcare Organizations.