Article Text

Download PDFPDF

The need for risk management to evolve to assure a culture of safety
  1. A M Kuhn1,
  2. B J Youngberg2
  1. 1Director of Risk Management and Patient Safety, University of Chicago, Illinois, USA
  2. 2Vice President Insurance, Risk, Quality and Legal Services, University Health System Consortium, Oak Brook, Illinois, USA
  1. Correspondence to:
 Ms M Kuhn, Director of Patient Safety Department, University of Chicago Hospitals, Chicago, IL 60637, USA;


There is a need for the traditional risk management model, which focuses on department based risk assessment, loss management and risk financing, to evolve to enable it to become more responsive to the increasing demands for safety and accountability imposed on the current US healthcare system. The risk management focus must become more strategic and systems based, and less crisis orientated and individual provider based, in order to provide its greatest value to the organization and the patients those organizations serve.

  • risk management
  • patient safety

Statistics from

Request Permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.

Healthcare risk management has been an important component of hospital administration in the US since the malpractice insurance crisis of the 1970s. Many thought that great progress was being made in managing the risks that contributed to patient harm and error, but important questions have recently been raised about the real impact of risk management on the risk of patient harm. Many patients continue to be harmed, often as a result of problems and processes long identified as being faulty. Recent data published by the insurance industry suggest that malpractice verdicts and settlements are also, once again, on the rise.

The Institute of Medicine's report “To err is human: building a safer health care system1 published in November 1999 has been billed by many as a breakthrough report, exposing the frailties and the realities of the current US healthcare delivery system. To many in risk management this report did not contain new information. It did, however, create a sense of real frustration and sadness for many.

  • How could it be that we have worked so hard and for so long and have seemingly accomplished so little?

  • How can it be that the problems identified by risk managers over the years that contributed to patient harm and cost the organizations millions of dollars have not yet been solved?

  • What is it about the way our organizations are managed that makes change so difficult?

  • How can these systems problems be fixed so that more patients are not harmed?


Risk management in health care emerged as a result of the malpractice crisis of the 1970s. Healthcare institutions realized that the corporate world had a way of addressing the financing or transfer of risk through the purchase of insurance and created a specific position for a risk manager to manage the relationships around those decisions. As malpractice verdicts and settlements continued to rise, healthcare administrators recognized the potential value of developing a more proactive approach. Even as the insurance crisis was coming to an end, there was an increased sense of the importance of managing or eliminating the clinical risks that had resulted in a rise in the costs of insurance. Professionals with clinical experience were hired with the hope that they could identify the systemic problems in specific clinical areas (primarily obstetrics, anesthesia, and the emergency department), engage clinicians and educate them about the need to modify specific behaviors, and work collaboratively with others on the clinical and administrative teams to help design environments that would be more conducive to the delivery of safe care. Although at times successful—for example, the dramatic changes in safety associated with the delivery of anesthesia and the enhancement of patient quality in that specialty—generally the hard work did not pay off. The insurance market softened, as cyclical markets do, and many risk managers were again able to demonstrate their value by successfully negotiating risk transfer arrangements with steadily declining costs.

Now we are faced with even more significant challenges: the insurance market is again tightening in response to a dramatic escalation in malpractice verdicts and settlements,2 some appropriately attributed to juries with no real understanding of the issues they are being asked to evaluate and others seemingly closely related to an industry under considerable stress. Many markets are consolidating, becoming insolvent, or electing to cease their underwriting of medical malpractice risk. Others are increasingly selective and costly when making a decision about offering coverage.3 In addition, the events that occurred on 11 September 2001 in the US caused many markets to reconsider their business strategy. In all likelihood this event will further increase prices and decrease the amount of insurance protection available. In the light of these dramatic changes, we propose that, rather than trying to rely on what has been learned from the past, risk managers should attempt to chart a new future.

Although the hairsplitting continues around the data presented in the first IOM report, and healthcare practitioners and researchers continue to argue about the precise numbers of patients who die from or suffer medical errors annually,4 many would suggest that the actual number is less important than the fact that anyone dies needlessly from preventable medical error.

The Institute of Medicine's most recent report “Crossing the quality chasm5 helps answer these questions associated with the difficulty in creating safer health care by pointing out the obvious: “Trying harder will not work. Changing systems of care will”. The US healthcare system has continued safety and quality problems because it relies on outmoded systems of work. Poor designs set the work force up to fail—regardless of how hard they try—and the fragmentation and hierarchical structure of most healthcare organizations impedes the ability of our organizations to make true and lasting progress. These barriers may be compounded by the fact that risk management often performs its function in a manner that is not fully integrated into the structure of the organization, so changes may be episodic and unit or incident focused and not sustained and organization wide. No one will argue that we all seem to be working harder, but are we working smarter, are we prioritizing effectively and doing the work that really matters to our organizations and the patients they serve, and are we able to create a business case justifying the need for change based on a sound and realistic economic analysis?

An important initial step in the promotion and understanding of patient safety will be to develop a reporting tool that can be used by all staff to report adverse events and near misses and simultaneously to create a culture in which such reporting is encouraged and rewarded.

“. . . medical errors are inherent in the work of healthcare providers”

Historically, one of the most significant sources of risk management was the patient incident or the lawsuit that often followed. Even proactive risk management activities often were instituted only after a problem, or a provider was identified as high risk. When an adverse event was reported it was the top priority to meet with all parties involved in the treatment of the patient, record the information, and counsel them not to repeat the information to anyone else. Protecting the financial security of the hospital and the reputation of the hospital was the number one goal. Risk managers were primarily focused on managing the adverse events. In some organizations occurrence reports were evaluated and trends were identified, but the goal was not necessarily to develop corrective action proactively based on the identified trends. What is now increasingly clear and has been a theme in many of the discussions related to patient safety and medical error is that medical errors are inherent in the work of healthcare providers. “The evidence is overwhelming. Medical errors most often result from a complex interplay of multiple factors; only rarely are they due to the carelessness or misconduct of single individuals. Yet, in the past, rather than addressing those underlying system design (emphasis added) faults, error prevention strategies have relied almost exclusively on enhancing the carefulness of the caregiver.”6 What needs to change is the way in which risk management is orientated. We must be part of a team that constructs a root cause analysis of systems and structures in advance of those risks actually materializing, so embedding a risk management discipline into the fabric of healthcare operations and corporate and strategic planning.

The value of occurrence reporting in risk management has long been debated. Many risk managers did not believe that there was any value in reviewing hundreds of reports each month. “What value are they? The really significant adverse occurrences are “phoned in” immediately after they happen. Why waste time reviewing all of the minor occurrences that didn't result in anything bad happening to the patient?” These risk managers were not looking at the reports as the “horoscope” of what was to come. Instead of identifying the “near misses” and performing a root cause analysis and criticality analysis on the near misses, they dismissed these reports as “just numbers” and some even said “a waste of time”.

When an adverse event occurred

Following the occurrence of an adverse event, the risk manager began to develop the points that could be used by defense counsel in the event that a claim or lawsuit was filed. Interviews with staff were held one on one. There was no team meeting to discuss the occurrence and the possible cause. There was no attempt to bring everyone together to discuss each person's role in the patient's care and in the end result. Each person was brought into a room, interviewed, and reminded not to discuss the “case” with anyone. The caregivers were advised about how to talk to the patient about the unexpected outcome. Any discussions were too brief and vague. No one was told to be dishonest when speaking with the patient but, on the other hand, no one was told to be completely and totally honest and forthright. Even with statistics showing that more patients were motivated to sue because they did not believe that the physician had given a full explanation of what occurred, complete disclosure is a difficult sell for the risk manager and for legal counsel for the hospital. Although legal counsel do not advocate dishonesty when talking to the patient, they are reluctant to agree to a formal policy that dictates that the caregiver discloses any medical error or any treatment that results in an unexpected outcome. This fear is grounded in the belief that disclosure could erode the protection of that information from discovery—that protection historically provided under state peer review law and the attorney client privilege. An official policy may not be necessary, but it offers a method of communicating what the hospital wants its staff to do in the event of an unexpected outcome.


The major dysfunctions cited in one report (and consistent with many other reports including the second IOM report) are listed in box 1 and could provide a starting point for risk managers to assess their challenges for the future.7

Box 1 Major dysfunctions of health care7

  • Insufficient safety and quality of care.

  • Debilitating fragmentation: because the components of the healthcare system share no clear alignment of goals, no common terminology and no overlying communication system to facilitate the pursuit of common objectives, lack of coordination among constituencies is the norm, resulting in astounding inefficiencies and poor quality of care. This challenge, though significant, is not discussed in this review.

  • Inefficiency and lack of scale: inefficient processes, structures, and methods of resource deployment driven by perverse payment mechanisms pervade every clinical and administrative aspect of healthcare service provision. This challenge will also not be discussed in this review since its solution rests primarily with external payment and regulatory agencies.

  • Insufficient investment in information technology or ineffective information systems.

  • Absence of true accountability.

  • Work force shortages.


The Joint Commission on Accreditation of Healthcare Organization (JCAHO), an independent organization that evaluates and accredits healthcare organizations and healthcare programs throughout the US, has recently promulgated patient safety standards that took effect on 1 July 2001.8 Critical areas of focus of these standards relate to (1) providing leadership, (2) improving organizational performance, and (3) information management and patient rights, training and education. While the JCAHO standards are typically not the driving motivator for risk management activities, the moral and business case for making these areas of focus central to any risk management strategic plan seems evident. They provide a good template for beginning to create a culture of safety.

Providing leadership

Much has been said about the importance of strong committed leadership in advancing the principles of patient safety and risk reduction. The risk manager needs to be more fully engaged in providing leadership to the organization that will enable it to make sound business decisions that balance fiscal accountability with quality of patient care and error reduction. This can only be accomplished by the collection and aggregation of data that represent the total cost of risk presented by a specific behavior, the cost of managing or eliminating that risk, and the identification of benchmarks so that risk managers and the organizations in which they work can more precisely develop a strategic plan.

An economic analysis that considers the cost of risk to be greater and more inclusive than the total amount spent in claims and settlements and on purchasing insurance or to self-fund an insurance program are essential. Medical errors carry a high financial cost. The IOM report estimates that medical errors cost the US approximately $37.6 billion each year, about $17 billion of which is associated with preventable errors. About half of the expenditure on preventable medical errors is for direct healthcare costs.9 These costs are seldom considered when attempting to prioritize the risks facing an organization. The risk manager must take the lead in developing a strategic plan for patient safety and present this to the leadership.

Organizations such as the Leapfrog Group (box 2) have begun to develop cost/benefit analyses associated with the institution of specific safety measures.10 As part of that analysis they consider system inefficiencies and their cost both in labor and patient outcomes. The risk management process could and should include such factors.

Box 2 The Leapfrog Group

The Leapfrog Group is a coalition of more than 90 public and private organizations that provide healthcare benefits to large employer groups. The Leapfrog Group was created to help save lives and reduce preventable medical mistakes by mobilizing employer purchasing power to initiate breakthrough improvements in the safety of health care and by giving consumers information to make more informed hospital choices.

In addition, it will become increasingly important for healthcare executives (and risk managers) to establish firm epidemiological links between presumed (and accepted) causes and adverse events.11 This evidence based risk management process will force a more analytical approach to risk management principles and practices and will enable the risk manager and the organization to focus change in those areas that are clearly associated with risk of harm.

Improving organizational performance

The creation of a high reliability organization is fundamental to patient safety. High reliability organizations rely on the reduction in variability through standardization of equipment and procedures, consistent clear leadership committed to safety and excellence, and an open non-punitive reporting culture. The risk management process is grounded on these same principles. Often, however, the risk manager does not have a seat at the table when specific organizational strategies or challenges are discussed. In addition, although most risk managers have become quite adept at performing root cause analysis after an adverse event has been identified, they are not used to performing a root cause analysis on an organizational activity being contemplated before an injury occurs. In fact, they may not see the necessity of getting involved in many of the organization's most pressing strategic decisions, despite the fact that the solutions presented or contemplated may create more long term problems than they solve. As risk managers we should become increasingly involved in what has been termed “failure mode effect analysis”, an assessment process used by engineers to examine the steps in the process where there is (or might be) undesirable variation (“failure modes”). For each identified failure mode, the possible effects on patients and the potential seriousness of those effects should be analyzed. The identification of potential negative effects should then drive a process of redesign of the underlying system or process to minimize the risk of that failure mode from developing or to protect patients from the effects of the failure mode. This type of analysis is described as part of the new JCAHO safety standards.8

Information management

In the past the paper report form was sometimes the only format used to report occurrences. Risk managers found that, in order to learn about more of the near misses and the minor occurrences, other methods of reporting had to be offered.

Many patient safety programs now offer, in addition to the paper form, anonymous reporting, telephone reporting, Intranet (or web based) reporting, and paging a risk manager, giving the busy healthcare professional access to a variety of reporting methods. A telephone call is probably the easiest way to report and the risk manager can complete the paper or electronic form based on the call. Another way of gathering information is to join with the performance improvement staff and train them to identify potential problems and patient safety issues when doing prospective or retrospective audits.

There is a wealth of information to be found when reviewing charts. Others in the hospital may audit charts or identify patient safety issues in their day to day routine. It is a matter of educating the healthcare professional in what to look for and the importance of taking a role in the patient safety initiative. It is equally important to develop a common taxonomy around error reporting so that consistency is maintained both in identifying the event and summarizing the causal factors contributing to it (see Appendix).


The risk manager then has to decide what to do with the information. Risk managers and other healthcare executives have long recognized both the power and the peril of healthcare information. “Whether hospitals successfully turn the corner or find themselves reduced to rubble by information management gone awry remains to be seen. Regardless of which scenario plays out, however, bringing computers into the care process and using automation to slice through the bureaucracy are increasingly viewed as strategic and clinical imperatives.”12 On the one hand, risk managers are aware of the need to protect sensitive information to ensure patient confidentiality and to keep specific information gathered for a specific purpose out of the hands of those who might use it inappropriately or incorrectly for other purposes but, on the other, many risk managers fight the release of data that could enable enhanced learning opportunities because of the fear that more harm will be created than benefit received. The need to balance these concerns has been heightened with the recent enactment of the HIPAA.13 In addition, calls from the public mandating disclosure of error and the sharing of sensitive risk management data with state and national accrediting and licensing agencies have become the subject of much debate. Most individuals advocate that such disclosure is both operationally necessary to further the study and reduction of error and ethically necessary in keeping with the relationship that providers owe to their patients. Legislation pending in Washington that would mandate the disclosure of errors, but would also allow that information to be protected from discovery, may soon help to alleviate some of these concerns.

Risk managers must play a role in deciding what to share and with whom, and to assist the organization in designing a policy for merging the many data sources available in healthcare organizations so that a true picture of risk and benefit can be appreciated. They can also assist in the education of their defense counsel on how to develop an affirmative defense to the potential use of error rate data by opposing counsel. Clearly, healthcare organizations must focus more aggressively on their efforts to reduce error and to share what they have learned with others. They must be willing and able to explain how they were prepared to assume the risk of some of these data being used against them in favor of creating a safer environment for patients and providers.

Changes in the focus of healthcare risk management are identified in table 1.

Table 1

Evolution of healthcare risk management

Key messages

  • Rather than relying on what has been learned from the past, risk managers should attempt to chart a new future.

  • The US healthcare system has continued safety and quality problems because it relies on outmoded systems of work.

  • What needs to change is the way in which risk management is orientated. Risk managers must be part of a team that constructs a root cause analysis of systems and structures in advance of those risks actually materializing, thus embedding a risk management discipline into the fabric of healthcare operations and corporate and strategic planning.

  • Risk management needs to be more fully engaged in providing leadership to the organization to enable it to make sound business decisions that balance fiscal accountability with quality of patient care and error reduction.

  • The creation of a high reliability organization is fundamental to patient safety.

  • It is important to develop a common taxonomy around error reporting so that consistency is maintained both in identifying the event and summarizing the causal factors contributing to it.

  • Risk managers who accept change and think of new ways to embed risk management principles into their organizations to help create meaningful and sustainable change will prosper. Those who don't should get out now. They are destined to fail and to fail their organizations.


The challenges have never been greater, the work force never smaller, the technology more complicated, the patients' demands never higher but, despite all of these tensions, healthcare professionals and those who assist them in managing the risks associated with their responsibilities must continue to remember that, every day, patients and their families entrust their lives to them. They owe it to their patients to be worthy of that trust. If they are unwilling or unable to meet the demands of the organization and the patients and, more importantly, if they fail to recognize the unique privilege that they are provided each time a patient entrusts their life to them, they are in the wrong business. Most healthcare risk managers look forward to the opportunities ahead and are dedicated to managing their organization's risk and enhancing patient safety. The future is fraught with peril and great risk but also great reward. Those risk managers who accept change and think of new ways to embed risk management principles into their organizations to help create meaningful and sustainable change will prosper. Those who don't should get out now. They are destined to fail and to fail their organizations.


Adverse event – an injury that was caused by medical management (rather than underlying disease) and that prolonged the hospitalization, produced a disability at the time of discharge, or both. [

(p 370).]

Error – the failure of a planned action to be completed as intended or use of a wrong plan to achieve an aim; the accumulation of errors results in accidents. [

] Available at:

Failure mode effect analysis – the systematic assessment of a process or product that enables one to determine the location and mechanism of potential failures. [

(p 331).]

Incident report – a form or process used to document occurrences that are not consistent with routine hospital operation or patient care. [Cullen DJ, Bates DW, Small SD, et al. The incident reporting system does not detect adverse drug events: a problem for quality improvement.

(p 541).]

Negligence – care that fell below the standard expected of like physicians practicing in a similar environment.

Patient safety – the avoidance, prevention, and amelioration of adverse outcomes or injuries stemming from the processes of health care. These events include “errors”, “deviations”, and “accidents”. [


Risk management – the term “risk management” usually refers to self-protective activities meant to prevent real or potential threats of financial loss due to accident, injury, or medical malpractice. [

(p 963).]

Root cause analysis – a process for identifying the most basic or casual factor or factors that underlie variation in performance, including the occurrence of an adverse sentinel event. [Joint Commission on Accreditation of Healthcare Organizations. Conducting Root Cause Analysis in Response to a Sentinel Event. Oakbrook Terrace, IL: Joint Commission on Accreditation of Healthcare Organizations, 1996 (p 1).]


View Abstract


  • * This article is based on a paper entitled "Meeting the challenges of patient safety through design of a new risk management process" by B Youngberg published in the Fall 2001 issue of the Journal of Healthcare Risk Management and is reproduced here with the permission of the American Society for Healthcare Risk Management ASHRM).

Linked Articles