Article Text


Institutional resilience in healthcare systems
  1. J Carthey1,
  2. M R de Leval1,
  3. J T Reason2
  1. 1Cardiothoracic Unit, Great Ormond Street Hospital for Children NHS Trust, London WC1N 3JH and the Institute of Child Health, London WC1N 1EH, UK
  2. 2Psychology Department, The University of Manchester, Manchester M13 9PL, UK
  1. Dr J Carthey, Cardiothoracic Unit, Great Ormond Street Hospital for Children NHS Trust, London WC1N 3JH, UK j.carthey{at}

Statistics from


A recent report for the President of the United States described the impact of preventable medical errors as a “national problem of epidemic proportions”.1 Similar concerns have been echoed in the report of an expert group chaired by the Chief Medical Officer.2 In this report it was estimated that 400 people in the UK die or are seriously injured each year in adverse events involving medical devices, and that harm to patients arising from medical errors occurs in around 10% of admissions—or at a rate in excess of 850 000 per year. The cost to the NHS in additional hospital stays alone is estimated at around £2 billion a year.

The positive face of safety

Safety has two faces. The negative face is very obvious and is revealed by adverse events, mishaps, near misses, and so on. This aspect is very easily quantified and so holds great appeal as a safety measure. The other, somewhat hidden, aspect offers a more satisfactory means of assessing safety. This positive face can be defined as the system's intrinsic resistance to its operational hazards. Some organisations will be more robust in coping with the human and technical dangers associated with their daily activities. This will be as true for healthcare institutions as it is for other systems engaged in hazardous activities. In short, some organisations will be in better “safety health” than others.

The safety space

The ideas of resistance and vulnerability can be represented as the extremes of a notional space termed the “safety space” (fig 1). The horizontal axis of the space runs from an extreme of maximum attainable resistance (to operational hazards) on the left to a maximum of survivable vulnerability on the right. A number of hypothetical organisations are located along this resistance vulnerability dimension. The cigar-shaped space shows that most organisations will occupy an approximately central position with very few located at either extreme.

Figure 1

A number of hypothetical organisations distributed through the safety space.

Organisations are free to move along this space in either direction. In so doing, they are subject to two kinds of forces: those existing within the space itself and those emanating from inside the organisation. The “currents” within the space act inwards from either extreme (fig 2). If the organisation “drifts” too close to the vulnerable end, it is likely to suffer adverse events. These, in turn, will bring about internal and external pressures to become more resilient. However, these safety enhancing measures are not always sustained, so that the organisation will drift once again towards the vulnerable extreme. When subject solely to the forces acting within the space, organisations will tend to drift to and fro between the extremes of the space.

Figure 2

Forces acting away from the extremes of the safety space.

Managing system safety in health care

The only realistic goal of safety management is to achieve, not zero adverse events, but the maximum degree of intrinsic resistance consistent with the organisation's reasons for existence (fig 3). There are two requirements in order to drive the organisation towards the resistant end of the safety space, and then to keep it there. Firstly, effective navigational aids are needed to indicate its current location within the space. Two kinds of navigational aids are necessary: reactive outcome measures and proactive process measures. Secondly, it needs some motive force to overcome the external forces and to maintain a fixed heading. Three cultural drivers provide the necessary engine: commitment, competence, and cognisance (the three `C's). These in turn should inform and direct the institution's principles, policies, procedures, and practices (the four `P's).

Figure 3

Summary of the driving forces and navigational aids necessary to propel an organisation towards the region of maximum resistance.

Navigational aids

Reactive safety measures are derived from the collection and analysis of critical incident and near miss data. The advantages and disadvantages of these navigational aids have been discussed in detail elsewhere.23 All such data suffer the disadvantage of being collected after the event. Nonetheless, they provide a rich variety of valuable information.

Proactive measures identify in advance those factors likely to contribute to some future accident. As with the tests used to diagnose a patient's state of health—for example, blood pressure, glomerular filtration rate, haemoglobin and cholesterol levels—safety indicators help to identify the latent conditions that are an intrinsic part of any high technology system. Proactive measures involve making regular checks upon the organisation's defences and upon its various essential processes—planning, forecasting, scheduling, budgeting, maintaining, training, creating procedures, and so on. There is no single comprehensive measure of the organisation's overall “safety health”. A more detailed consideration of these diagnostic indicators has been given elsewhere.4

Effective safety management requires the use of a combination of both reactive and proactive measures. Together they provide essential information about the system's resilience, and hence its position within the safety space. The main elements of their integrated usage are summarised in table 1.

Table 1

Summarising the interactions between reactive and proactive measures

The cultural drivers


Commitment has two components: motivation and resources. The motivational issue hinges on whether an organisation strives to be a domain model for good safety practices or whether it is content merely to keep one step ahead of regulatory sanctions or litigants. The resource issue is not just a question of money, though that is important. It also concerns the calibre and status of those people assigned to manage system risk and how they are perceived within the organisation.


An organisation must also possess the technical competence necessary to achieve enhanced safety. Previous research has shown that competence is a product of several factors, including the methods used to identify hazards and safety critical activities, diversity and redundancy in the defences,45 a sufficiently flexible and adaptive organisational structure,67 and the collection, analysis, dissemination and implementation of safety related information.89


Cognisance refers to how the organisation makes sense of its inherent risks and hazards—that is, its sensemaking processes.10 Cognisant organisations maintain a state of intelligent wariness even in the absence of bad outcomes. This “collective mindfulness” of the ever present risks is one of the defining characteristics of high reliability organisations.11


Commitment, competence, and cognisance are illustrated in the following two hypothetical examples.

Hospital A invests in patient safety, as evidenced by a well resourced and highly skilled risk management team. The Chief Executive has an open door policy for patient safety, allowing staff to raise issues directly with the highest level of management; he also goes round the wards on a weekly basis. The perception of staff is that he is well informed and responds quickly to any problems that are raised. Trust board and directorate management meetings dedicate time to discussing safety issues alongside financial and business goals. There are formal and informal communication links for patient safety throughout the organisation; in each directorate senior nurses have set up “error focus groups” where they discuss candidly, in an open forum, errors that have recently occurred. These focus groups are carried out in the spirit of learning systems lessons about safety. Similarly, adverse events and near misses are discussed at mortality and morbidity meetings which have cross professional representation (that is, nurses, surgeons, anaesthetists, radiologists, physiotherapists, technicians, etc). A combination of reactive and proactive navigational aids are used. There is a positive incident reporting culture; staff understand the importance of filling in incident reports, and reporting rates are high for both clinicians and nurses. Staff receive feedback on any reports they have made and deadlines are set for the implementation of incident report recommendations. These deadlines are adhered to religiously. Research and audit projects are carried out on different areas of clinical governance, including communication interfaces between teams, the consent process, and starvation practices prior to elective surgery. Error analysis methods used in other high technology industries are applied to identify proactively weaknesses in the system.

In hospital B the approach to patient safety is very different. Trust board and directorate management meetings focus exclusively on financial and business goals. Management has a tendency to compartmentalise safety as the responsibility of the risk manager. The risk manager, who has had no formal risk assessment training and whose work load prevents him/her from being released to attend training courses, is viewed as the safety policeman. His/her role is to ensure that staff are disciplined when errors are made. The only navigational aid used is incident reporting and the focus of such analyses is to determine which nurses and clinicians committed errors and to discipline them. Error provoking conditions in the organisation—that is, the number of shifts worked, nursing shortages, lack of training—are not considered in the analysis process because the risk manager views medical error as the result of inattention or carelessness on the part of the staff involved. Consequently, incident reporting rates are low and clinicians and nurses do not feel able to raise patient safety issues or discuss their errors openly. The hospital has the false belief that the low rate of reported incidents is a reflection of the organisation's excellent safety performance. The Chief Executive believes that by identifying and weeding out the “bad apples” in his organisation he has created a safer system. Hospital staff exhibit a sense of learned helplessness about the unsafe system processes in which they work. Previous attempts to raise these issues have resulted in management externalising problems as “…beyond our control …”. Thus, in contrast to hospital A, hospital B is not cognisant of its errors and hazards because it has a misguided philosophy that error is the fault of the individual. The hospital's lack of commitment to patient safety is evidenced by the under-resourced, undertrained risk manager and the tendency by top management to externalise systems problems as beyond the control of the institution. Hospital B's pathological thinking about patient safety places it in the vulnerability zone of the safety space.

Checklist for assessing institutional resilience (CAIR)

The time has come to develop methods to assess institutional resilience. Table 2 contains a 20 item checklist for assessing institutional resilience (CAIR). CAIR was devised by considering the impact of each of the three `C's (commitment, competence, cognisance) upon the four `P's (principles, policies, procedures, practices). For each `C', examples of positive and negative indicators of institutional resilience are given.

Table 2

Checklist for assessing institutional resilience (CAIR)

CAIR is designed so that healthcare workers can begin to gauge their own institution's intrinsic resistance to adverse events. This is not a tried and tested measure, but it does cover most of the important factors discussed in this paper (and a few more besides). It is not expected that any one institution should possess all the attributes of resilience listed here; indeed, if that were the case it would strain credibility. The CAIR items constitute a “wish list” of most of the desirable features of a high reliability healthcare organisation for combatting the dangers to patients posed by human fallibility and systemic shortcomings. The list is neither definitive nor comprehensive—our present state of knowledge does not permit this—but it does outline a model of system resilience towards which institutional managers and staff might reasonably aspire.

Each item is scored 1, 0.5, or 0. As indicated earlier, a score of 16–20 is probably too good to be true; scores of 8–15 indicate a moderate to high level of intrinsic resistance to human and organisational hazards, and anything less than 5 suggests a moderate to high level of vulnerability. It is also recommended that the responses of people at different levels of the organisation and in different professional groupings (within the same institution) are compared with one another. Wide discrepancies between the scoring profiles of these groups should provide important clues to some major areas of concern.

Finally, a health warning. Good scores on CAIR provide no guarantee of immunity from patient mishaps. Even the “healthiest” institutions can still have bad events. A total score of 8–15 suggests that you are striving hard to achieve a high degree of patient safety while still meeting your other institutional objectives. However, the price of patient safety is chronic unease. Complacency is the worst enemy. Human fallibility will not go away, so there will be no final victories in the struggle for patient safety.


Research at the Institute of Child Health and Great Ormond Street Hospital for Children NHS Trust benefits from Research and Development funding received from the NHS Executive.


View Abstract

Request permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.