Getting Risks Under Control: Improving Organizational Prosperity

Healthcare is a risky business; particularly in heavily regulated environments such as nursing homes and home health and hospice.  The fact that a certain level of risk is omnipresent means that the opportunity constantly exists for an organization that improperly identifies and manages its risks, to suffer expensive damages ranging from financial loss to loss of reputation to ongoing compliance problems.  All too often, organizations tend to rely on industry normative practices such as committees, policies and procedures and audit tools as means of combatting risk exposure.  This information sharing and gathering process coupled with the “hoped for” Hawthorne effect (watched people tend to be compliant is the desired outcome) in reality, falls quite a bit short of performing the optimal function – that of mitigating large risk exposure.  In reality, the steps of information sharing and gathering and auditing can have almost a somnambulant effect – putting the organization to sleep under the false pretense that all is well.

Taken apart, the flaws or gaps if you will, in this normative style of risk management are many.  The first is the assumption that what the organization is auditing is actually where the real risk begins.  For example, auditing charted documentation assumes that the age old adage of, “its documented its done” is correct.  What occurs in reality is that charting and documentation becomes the focus of compliance and without a methodology in place to correlate the activity of charting to a specific completed event, the risk actually lies in the documentation.  In other words, it is entirely possible (and I have seen it happen) where the charting or documentation doesn’t really reflect the care being delivered or the condition of the patient point-in-time creating an enormous legal and compliance risk.

A second and equally flawed assumption is that the results of audits and information shared actually is put to use by the people who receive the information.  Meetings filled with reports about one risk area or the other are only as productive and beneficial as the willingness or the requirement of the people in the room to do something with the information.  All too often, the wrong people receive the information; they lack the authority or the organizational standing to actually address the points functionally, that are identified as risks.

A third and final flaw is the notion that activity, no matter what it is (auditing, committees, reports) alleviates risk (e.g., we have a system in-place to identify and deal with risk).  What typically happens is the activity breeds only a system of non-reporting, over-documentation, compliant behavior ( the biggest potential area of risk) and a false sense that whatever it might be, will be detected and corrected by “our program”.  As John Dewey would say, the only activity that is beneficial is purposeful activity and to have purposeful activity, one needs to have a process in place of hypothesis, inquisition, testing and final analysis.

In order to develop a more functional organization-wide approach to risk management, certain assumptions of where risk begins need to be clarified and understood.  I like to use the following categories.

  • Management: Ineffective management and managers improperly trained and tasked then not held accountable is undoubtedly, the largest risk area for an organization.  Managers at any level that are illegitimate in terms of their organizational authority or their training will consistently either miss areas of risk or fail to seek and act on identified risk areas, causing enormous levels of ongoing risk.
  • Employees: Similar in many regards to management in so much that ill-trained, ill-equipped employees are an enormous risk to the organization.  In many regards, employee risk is a by-product of ineffective management and a dysfunctional organizational structure.  All too often, organizations incur unnecessary employee risk by not addressing bad employees and bad employee habits quickly and efficiently for a whole host of specious reasons.
  • Organizational Structure and Culture: Mitigating risk is an enterprise wide endeavor and organizations that realize this address the totality of the risk profile.  In the best of cases,  culture evolves around identifying and solving problems, improving processes, consistently learning and engaging the totality of the organization in “doing the right thing”.  In order for this to occur however, the organization must provide training, reward, resources, and support across all levels.
  • External Environment: All too often, organizations view risk as something that is within their purview, within their walls.  In reality, the world beyond the walls constantly creates new levels of risk that need to be addressed, analyzed, and re-addressed again. 

Starting to craft or perhaps, re-design an organization’s risk profile logically starts with the development of a structure and culture that by its nature, mitigates risks.  Crafted correctly, an organizational structure can address the risks associated with management, employment and the external environment.  Below are some (not an exhaustive list) key structural elements that are important in developing a structure that better identifies and mitigates risk.

  • Lean: Organizations which fight bureaucracy and remain clean and lean are far more adept at identifying and mitigating risk than organizations heavily structured and replete with bureaucracy.  In healthcare, the tendency is for organizations to become highly bureaucratized with layers of managers and supervisors.  An organizational structure that is more functionally created with limited layers between the lowest employment level and senior or upper management is easier to navigate and quicker (if all other elements are in place) to identify and solve potential risk creating events or processes.
  • Education/Learning Based: Organizations which place a heavy emphasis on continuous learning and staff development are better equipped, from a knowledge base, to identify and address risk.
  • soliciting Information and Feedback: Organizations which place a heavy emphasis on gathering input from multiple sources via multiple methods will be in a position to quickly identify areas of possible risk.  The information loop should be through and across employees, customers, referral sources, vendors, contractors, the community at large, and any other major consistent constituency the organization deals with on a regular basis.  Tools need not be fancy but in all cases should encompass surveys, phone, face-to-face, web, and periodic focus groups.
  • Gain Sharing: Organizations that are focused on sharing the results of good and fruitful activity are more likely to gain employee buy-in; critical to reducing risk.  In an organization I led, we shared the dividends from Worker’s Comp experience with the employees – dollar for dollar.  When our self-funded health plan had better utilization experience and costs therefore reduced, employees received the benefit in lower premiums.  Ideas that saved money and improved safety or patient experience received cash prizes and/or other rewards.
  • Excellent Employee Relations: Having good employee relations is less about being “nice” to employees and more about being a good employer.  For an organization to be a good employer, it must adhere to some very basic principles and practices and consistently communicate the same to employees. 
  1. Have exceptionally clear job descriptions.
  2. Have a very simple, easily understood discipline system.
  3. Terminate employees only “for cause”.
  4. Make “reward” a liberal and frequent part of your practices.
  5. Have an extensive and paid-for orientation program.
  6. Require continuing education for all employees and pay for it.
  7. Require management to be extremely visible as often as possible.
  8. Create minimal separation between management and employees (lunch rooms, events, education, etc.)
  9. Share all information about the company, including financial data, with employees.
  10. Reward performance heavily and personally wherever possible.
  11. Be quick to discipline and terminate “for cause” – don’t allow issues to fester.
  12. Allow employees to participate in and be responsible for, QI and QA activities.
  • Effective Management: Managers must be good coaches, good inquisitors, good planners and extremely adept at confrontation.  Management that is weak in any area leaves open large areas for risks to occur.  Management must be continuously developed and provided with the challenge and the authority to constantly improve the processes and to identify and resolve, areas of inefficiency or operating problems.  Management must be similarly, rewarded for producing results and achieving high levels of safety and customer/employee satisfaction.  I personally believe that managers need to be evaluated on their ability to plan, to problem solve and to minimize turnover risk and to increase employee and customer satisfaction.  I also believe that managers need to be evaluated on how well they interact with and support the efforts of other managers; how well they cross-manage and cross-plan within the normal organizational boundaries.
  • Strategic Plan: Organizations with a high aptitude for strategic planning and a current strategic plan are far more in-tune with the external environment and the risks that are present internally and externally to the organization.  Strategic plans should be living documents, constantly reviewed and updated.  A key element in preparing and evaluating this plan is the SWOT (Strengths, Weakness, Opportunities, and Threats) exercise.  This SWOT exercise is invaluable on an ongoing basis as a means of updating and evaluating the strategic plan as well as in identifying risk.
  • Allocate Resources: Mitigating risk does not have to be expensive but it does require investments to be made.  For example, all of the above steps taken but no investments made in keeping equipment modern and in good repair leaves a major area of risk exposed.  Companies need to become accustomed to allocating resources based on a “reduction or abatement of risk” as a measurement of return.  Organizations should  understand that the prevention of risk equates to a reduction or elimination of resources that would be spent in the event of a major event (fines, legal fees, loss of reputation, etc.).  In nearly all cases, the resources used in recovering from a preventable event are far greater in cost to an organization than the cost of resources used in prevention.

 Getting risks under control and keeping them under control can be a major step forward in terms of organizational prosperity (improved profitability) and organizational prominence.  Good risk prevention leads to good compliance results, excellent reputation, employee retention, employee productivity and organizational effectiveness.  As risk “un-checked” permeates an organization’s effectiveness and ability to manage proactively, reducing and/or eliminating it only makes good business sense.

Leave a Comment