Risk Management


Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative). Risk management can therefore be considered the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed including the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.

Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk even though the confidence in estimates and decisions increase.

Risk Management is an integrated, hospital-wide program for the prevention, monitoring, and control of areas of potential liability exposure. It is the intent of University Hospital via the Risk Management program to enhance the safety of patients, visitors, and employees; and minimize the financial loss to University Hospital through Risk detection, evaluation, and prevention.

Risk Management Program

The department focuses on identification and prevention of risk exposures within the organization that could:

  • Cause injury to patients, visitors, and employees
  • Jeopardize the safety and security of the environment
  • Result in costly claims and lawsuits with subsequent financial loss to the organization


The Risk Management Program is a component of Hospital Administration. The Chief Operating Officer and Director of Risk Management are responsible for the implementation and operation of the Risk Management Program.

III. Program Components

1. Loss control prevention, which consists of identifying potentially compensable events, medical malpractice claims, risk assessments, occurrence reporting and management of the Administrative policy and procedure manual.
2. Facilitation of Root Cause Analysis.
3. Facilitation of Failure Modes and Effects Analysis.
4. Appropriate education programs, hospital-wide or department-specific, will be developed as needed. These programs will be suggested as a result of tracking and trending.
5. Hospital event and incident reporting (Department of Health, Office of Mental Health, JCAHO Sentinel Event, and Office of Professional Discipline).
6. Support of the Clinical Quality Improvement Committee.


1. Loss Control and Prevention

    • Potentially Compensable Events (PCEs) are identified through various mechanisms including, but not limited to, notices of intention, claims, quality reviews, risk assessments, incident reports and survey findings.
    • Claims - Risk conducts a quality investigation on all Claims and provides essential Case information to in-house counsel and the Attorney General's office. Information includes, but is not limited to, related policies and procedures. All Claims are presented at the Clinical Quality Improvement Committee (CQI) as informational items.
    • Occurrence Reporting - Occurrences are recorded, quantified, and trended. Trending is submitted quarterly to leadership and annually to the Quality Council and Patient Safety Committee (QC&PSC).
    • Risk Assessment - A variety of sources are utilized to assess Risks inherent in the environment. Sources include, but are not limited to, occurrence reports, potentially compensable events, medical malpractice claims and management of the Administrative policy process. The QC&PSC are notified of any and all identified risks.
    • Administrative Policy Manual - The Department of Risk Management is responsible for ensuring that Administrative policies adhere to the organization's development, revision, review and approval process guidelines. Risk coordinates the Administrative policy approval process and maintains current policies on the organization's intranet. Archival of the Administrative Policy Manual is the responsibility of the Risk Management Department.

2. Root Cause Analysis

    • Risk Management is responsible for facilitating a credible and thorough RCA, as defined by the New York State Department of Health, on any and all events where a deviation from a known standard of care or from an internal or external policy (e.g., JCAHO) is suspected to have occurred during the delivery of care. The Department of Risk Management works in collaboration with the appropriate hospital personnel to complete the RCA process required by the New York State Department of Health. See policy I-03, S-06.

3. Failure Modes and Effects Analysis (FMEA)

    • Risk Management is responsible for facilitating, at least once annually, the selection of a high-risk process to target for Failure Mode & Effects Analysis, in an effort to proactively address patient safety, risk reduction, and loss prevention. See policy F-08/JCAHO Standard PI.3.20.

4. Education Program

    • Risk Management conducts Resident orientation education that includes an overview of liability coverage, risk services and regulatory requirements within an Article 28, Title 10 facility.

5. Hospital Event and Incident Reporting

  • Department of Health—New York State Patient Occurrence Reporting and Tracking System (NYPORTS): NYPORTS is an adverse event reporting system implemented pursuant to New York State Public Health Law Section 2805-I, Incident Reporting. The Department of Risk Management is responsible for reporting adverse incidents, as required by law. The Department of Risk Management, in collaboration with the appropriate hospital personnel, completes the New York State Department of Health Root Cause Analysis process for submission into the NYPORTS system as outlined in NYS Public Health Law Section 2805-I. See policy I-03, S-06.
  • Office of Mental Health—Risk Management is a participant in the review process for all occurrences meeting reporting requirements pursuant to Code 405, Part 524 regulations entitled “Incident Reporting and Investigations,” 14 NYCRR, New York State Office of Mental Health. Risk is responsible for reporting the incident to the Office of Mental Health. See policy PSYI-01.
  • JCAHO/Sentinel Events—Risk Management is responsible for ensuring that the processes for identifying and managing sentinel events are defined and implemented to prevent the recurrence of similar events. See policy S-06/JCAHO Standards PI.1.10, PI.2.20, PI.2.30, and PI.3.10.
  • Office of Professional Discipline (OPD)—Risk Management provides management staff assistance with interpreting reporting requirements and facilitates the flow of necessary documents to OPD when requested. See Policy P-13.

6. Clinical Quality Improvement Committee

    • The Risk Management Department prepares all Case investigations for review at CQI.
    • The Risk Management Plan evaluation will be reported annually to the Quality Council and Patient Safety Committee.

IT Devices

Today, hospital organizations with medical devices are requiring manufacturers to include certain information in accompanying documents if medical equipment is to be connected to an IT network.

ISO/IEC 60601-1:2005 Medical Electrical Equipment requires manufacturers to include Manufacturer’s Disclosure Statement for Medical Device Security (MDS2) information in accompanying documents if medical equipment is to be connected to an IT network. [1] [2] [3] [4] [5] [6] [7] [8] [9]


  1. ISO/IEC 14971:2007 Application of risk management to medical devices
  2. ISO/IEC 80001-1: 2010 Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities & activities
  3. ISO/IEC 20000-1:2005 IT Service Management System
  4. Information Technology Infrastructure Library (ITIL v3)
  5. HIMSS/NEMA HN 1-2008 Manufacturer’s Disclosure Statement for Medical Device Security (MDS2)
  6. MIL-STD-882E DOD’s Standard Practice for System Safety
  7. ACCE ECRI Security Guide for Biomedical Technology
  8. Systems Engineering Guide for Systems of Systems, Version 1.0. Office of the Deputy Under Secretary of Defense for Acquisition and Technology, Systems and Software Engineering. Washington, DC: ODUSD(A&T)SSE, 2008. DOD, Aug 2008
  9. National Institute of Standards and Technology (NIST) standards



See also