Risk management planning is the foundation for all the remaining risk management processes. It sets out how those processes will be implemented, monitored, critically reviewed, and continually improved so that key organizational risks are handled effectively and efficiently.

Right from the start, it is important to establish whether the organization will be addressing inherent risks or residual risks. Inherent risk is assessed without taking into account any internal controls or mitigation strategies that may be in place. Residual risk is the risk that remains after internal controls and mitigation strategies have been applied. Depending on the circumstances it may be useful to assess both, but most organizations focus on residual risk. A residual risk rating is only as reliable as the evidence that the controls it relies on actually operate as intended, so each rating should reference the specific controls assumed and how their effectiveness was verified.

Understanding the organization's risk tolerance levels and attitudes towards risk is another important aspect of risk management planning. Organizations, teams and individuals differ in their degree of risk tolerance, and their willingness to accept a given organizational risk often depends on the perceived balance between that risk and the potential benefits. Risk management functions therefore have to be planned and optimized to keep risks within defined tolerance thresholds. The exact makeup of those functions depends not only on tolerance levels but also on the size and complexity of the organization, its scope of services, location, clinical and research activities, management system maturity, and available resources. Although there is considerable overlap with patient safety, process improvement and quality management functions, there are many functions that are distinctive to risk management.
It is necessary to define and develop the enterprise risk management (ERM) structural elements that help the organization maximize strategic opportunities and minimize the probability and potential impact of undesirable events. The ERM structural elements may include:
- Purpose and scope of the risk management program
- Links to the strategic directions
- Formal risk management plan
- Defined risk tolerance thresholds
- Leadership and organization
- Accountabilities, roles and responsibilities
- Allocation of resources
- Methodology for identifying and analyzing loss exposures
- Risk management definitions, tools and techniques
- Information systems and communication networks
- Decision-making, integration and coordination mechanisms
- Process for sharing potentially sensitive risk information
- Tracking and reporting formats
- Frequency and timing of risk management activities
- Written policies and procedures