Risk, for any uncertain event or condition, is a function of probability and impact. Risk assessment is inherently subject to bias, but a systematic, evidence-based approach to data analysis is used to characterize the nature and magnitude of each risk. Risk assessment is the process of estimating the potential impact or severity of the loss associated with a risk event and the probability that the event will actually occur. It is important to develop a common set of risk assessment criteria that provides the basis for meaningful differentiation, relative ranking, comparison and prioritization of risks across domains.

Qualitative tools and techniques such as the Risk Probability and Impact Matrix are commonly used for the initial screening and assessment of risks. The probability and impact of each identified risk are rated on a relative scale, and the overall risk level is obtained by combining the two ratings. When numeric values are used, the probability and impact scores may be either multiplied or added; whichever rule is chosen must be applied consistently across the whole register, because the two rules can rank the same set of risks differently. The higher the combined score, the higher the overall risk level. There are many variations of the Risk Probability and Impact Matrix; five-point scales are generally regarded as offering the precision and dispersion that qualitative analysis needs without demanding finer distinctions than the available evidence supports. Colour coding is used to visualize increasing or decreasing levels of risk.
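To make the scoring rule concrete, here is an added example in Python (not code from the original article) that builds a five-point Risk Probability and Impact Matrix, scores a few constructed sample risks under both the multiplicative and the additive rule, and reports the pairs of risks whose relative ranking changes between the two. The scale labels, the colour-band thresholds and the sample register entries are assumptions made for this illustration; the article's own Patient Care scale definitions are not reproduced here.

```python
from itertools import combinations

# Five-point scales. The labels below are an assumption for this example;
# the article's Patient Care scale definitions are not reproduced here.
PROBABILITY = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Colour bands per scoring rule (assumed thresholds; agree these with stakeholders).
# Each entry is (inclusive upper bound, colour), checked in order.
BANDS = {
    "multiply": ((4, "green"), (12, "amber"), (25, "red")),   # scores 1..25
    "add":      ((4, "green"), (7, "amber"), (10, "red")),    # scores 2..10
}


def score(probability, impact, method="multiply"):
    """Combine one probability rating and one impact rating into a risk score."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError("ratings must be integers on the 1..5 scale")
    if method == "multiply":
        return probability * impact
    if method == "add":
        return probability + impact
    raise ValueError(f"unknown scoring rule: {method!r}")


def level(risk_score, method="multiply"):
    """Map a numeric score onto its colour band."""
    for upper, colour in BANDS[method]:
        if risk_score <= upper:
            return colour
    raise ValueError(f"score {risk_score} outside the {method} range")


def matrix(method="multiply"):
    """Full 5x5 matrix: rows are probability 1..5, columns are impact 1..5."""
    return [[score(p, i, method) for i in range(1, 6)] for p in range(1, 6)]


def rank(risks, method="multiply"):
    """Return the risks highest score first; ties keep their register order."""
    return sorted(risks, key=lambda r: score(r["p"], r["i"], method), reverse=True)


def ordering_disagreements(risks):
    """Pairs of risks whose relative order differs between the two rules.

    A non-empty result is the caveat in practice: the choice of rule, not
    just the ratings, decides which risk is treated as the bigger one.
    """
    pairs = []
    for a, b in combinations(risks, 2):
        by_mul = score(a["p"], a["i"], "multiply") - score(b["p"], b["i"], "multiply")
        by_add = score(a["p"], a["i"], "add") - score(b["p"], b["i"], "add")
        if by_mul * by_add < 0:          # opposite signs: the rules disagree
            pairs.append((a["id"], b["id"]))
    return pairs


# Constructed sample register entries (not real assessment data).
RISKS = [
    {"id": "R1", "name": "Medication dosing error",   "p": 2, "i": 5},
    {"id": "R2", "name": "Scheduling system outage",  "p": 5, "i": 1},
    {"id": "R3", "name": "Delayed laboratory result", "p": 2, "i": 3},
]


def render(method="multiply"):
    """Text rendering of the colour-coded matrix for the chosen rule."""
    lines = [f"{method}: rows = probability, columns = impact"]
    for p, row in zip(range(1, 6), matrix(method)):
        cells = " ".join(f"{s:2d}/{level(s, method)[0]}" for s in row)
        lines.append(f"P{p} {PROBABILITY[p]:<14} {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    for method in ("multiply", "add"):
        print(render(method))
        print("ranking:", [f"{r['id']}={score(r['p'], r['i'], method)}"
                           for r in rank(RISKS, method)])
    print("pairs ranked differently by the two rules:", ordering_disagreements(RISKS))
```

With these sample ratings the additive rule places the near-certain but negligible outage (R2, 5+1) above the unlikely, moderate delay (R3, 2+3), while the multiplicative rule reverses them (5 versus 6). Multiplication rewards balanced ratings and penalizes extremes, addition does not; that is why the rule, the thresholds and the scale definitions all have to be agreed before anyone starts rating.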

Each point on the scale has to be clearly defined, communicated and agreed by all participants. Standardized, domain-specific probability and impact scales allow diverse internal and external stakeholders to interpret ratings consistently. The probability and impact scale definitions for the Patient Care domain are illustrated below.

Probability and impact ratings alone do not always characterize organizational risks completely and accurately. For a more holistic assessment, ranking and prioritization of risks, it may also be necessary to estimate the organization's vulnerability to a risk event, the speed of onset, the speed of impact and the speed of response. Vulnerability reflects the organization's overall preparedness, resilience, adaptability and capability to anticipate, prevent or respond to a risk event. Speed of onset is the time between the occurrence of a risk event and the moment the organization begins to feel its consequences. Speed of impact is the total time it takes for a risk event to have its full impact on the organization. Speed of response is the time it takes for the organization to respond effectively to a risk event.

Since no risk exists in isolation, it is important to break down organizational silos, assess potential risk interactions and identify mutually amplifying risks. Risk interactions are typically captured and expressed qualitatively using a simple graphical tool called a Risk Interaction Map. Sophisticated quantitative techniques allow individual risk distributions to be aggregated numerically, but they tend to be complex, time-consuming and expensive. After the initial qualitative assessment, organizations with mature quantitative risk assessment capabilities may still decide to apply quantitative techniques to the most critical and readily quantifiable risks. Risk rankings and priorities should then be refined in light of additional considerations such as strategic direction, the level of confidence in the risk estimates, the capability of human resources, ethical issues, and organizational norms and values. For example, a risk with a significant impact on patient safety would likely be ranked higher than one with a significant financial impact. The overall results of the risk assessment are summarized in a document or database called a Risk Register. Because existing risks shift over time and new risks come to light, the risk register should be reviewed, updated and communicated at regular intervals.