The Risk Management Function in Healthcare: A Simplified Risk Management Matrix
Our claim is simple: the time has come for physicians to recognize that they face many of the same kinds of risks that hospitals and insurers have. These are the risks which, when identified and managed, improve the quality of their practice as an enterprise, and so ultimately their effectiveness in clinical medicine. Hospitals and insurers have enjoyed the art of risk management, in one form or another, for most of this past century. Physicians are lately come to class. We are a long-time healthcare risk management consultant (DLT) and a physician who teaches about the risks of healthcare documentation, fraud and abuse (DB). Our goals are to evaluate this claim, present some basic information about risk management, and then introduce a schema that can be followed by physician and hospital to improve the risk management function in an organization.
Every participant in health care is constantly involved in the identification and management of risk. Each patient, for example, evaluates his own lifestyle and determines which are the significant perils and hazards that he must deal with. He places these in the context of his life within his own milieu – cognitive, emotional, and social – and he both chooses and learns how to balance risks and benefits in continuous adjustment (Bateson, 1972). In a clinical situation, for example, he may try to find out something about physicians and hospitals, illnesses and medications, and the procedures that are performed. His decisions may be based on personal and shared experiences, books, magazines, supermarket counter displays, and of course the Internet.
But like the blind men and the elephant, individuals who participate in a shared nexus of events generally go through similar processes, and quite likely rely on many of the same sources of information but with those different interpretations that reflect their individual contexts. This causes misunderstandings and asymmetries of information, all of which result in risk in those relationships. The incredible growth of information over the past 25 years has not seen the simultaneous development of a risk-responsive perspective. This has left each participant in the healthcare nexus vulnerable to threat, responsible for events over which there may be little control, and often fully accountable to both society and the law. We refer specifically to physicians and other immediate clinical practitioners as well as hospitals and insurers. We repeat: there is simply no alternative to the identification and management of risk for each participant in healthcare.
An infrastructure of risk management for patients is implicit in healthcare; that is the purpose of healthcare in some sense. In a clinical setting, risk is managed by the patient’s acceptance of Compliance in exchange for a statement of faith from the provider: the doctrine that has come down to us as primum non nocere. If the clinical paradigm is defined to include more active patient participation, then consents and authorizations provide landmarks. But there are indeed many other components of this subvocal infrastructure: from considerations of patient queueing to the choice of floor wax, laminar air flow system, examination table height, and positioning of a computer screen in medical office and hospital (Knowles, 1973). We do not typically ask the patient if he agrees with our choice of room location or gown design, for example. Providers, whether clinical or hospital, believe that they have identified the relevant perils and hazards, and these elements are a given. Their criticality in the system is expected, hence predictable, much as we all expect the design of bridges and roads to be equal to our varying driving abilities. For patients, mechanisms of risk management have been put in place and – for whatever the reason – are in constant refinement. And of course, patients do not have the same risk exposures as physicians and hospitals.
Some programs in risk management specific to physicians have been developed over the past few years. It seems, however, that these are more concerned with the legal risks of malpractice. Issues of physician fraud and abuse have become equally important (Withrow, 1999). But physicians face other significant risks as well precisely because the discharge of their fundamental obligation as clinicians is contingent on the management of these other risks. Physicians, indeed all healthcare providers, fabricate the very complex and nebulous product that we call ‘health’: “Health economists take the view that health involves a production process. Much as a firm uses various inputs, such as capital and labor, to manufacture a product, an individual uses medical inputs and other factors…to produce health” (Santerre & Neun, 1996, p. 26; see also Reagan, 1999). Clinicians have long thought – and continue to think – that if they ‘just practice good medicine, the rest will take care of itself’, and they scrupulously never define the rest. Sir William Osler, for example, in his address before the New York Academy of Medicine in 1897, observed
I have heard the fear expressed that in this country the sphere of the physician proper is becoming more and more restricted, and perhaps this is true; but I maintain (and I hope to convince you) that the opportunities are still great, that the harvest truly is plenteous, and the labourers scarcely sufficient to meet the demand.
(Osler, 1947, p. 131)
“The harvest” has perhaps seen its best years; increases in physician purchasing power have only just matched those of other professionals over the last 20 years while overhead has increased, at least judging by the decrease in solo practitioners and newfound economies of scale enjoyed by larger practices (Santerre & Neun, 1996, chapter 13). Physicians and other providers of care, therefore, have had to re-evaluate their role in the business of healthcare. They have had to learn practice management, and as part of this, how to identify and manage those risks to which every enterprise is vulnerable.
Hospitals have recognized the necessity to understand the business of ‘agriculture’ that produces “the harvest” that is the condition for quality “labour”(!). They were founded as charitable institutions in several different cultures, but did not develop a corporate structure until well into this century (Reagan, 1999; Knowles, 1973; Vogel, 1980; White, 1990). As industrial America expanded, so did ‘scientific’ principles of management in order to maximize industrial efficiency: it was the era of the Taylor study (Duncan, 1989). These principles were applied to hospitals, and hospitals ultimately adopted some of the tools of analysis and risk management originated by insurers (White, 1990; Fein, 1986). A crucial development was Workers’ Compensation; by 1912, Vogel notes that
As a result of workmen’s compensation, a powerful outside force was aggressively concerned about the nature of hospital treatment. To minimize their costs and secure the employee’s quick return to his work, the private insurance companies administering the program supported and encouraged the efforts of scientifically oriented practitioners in following up cases and measuring the efficacy of treatment by the results obtained.
(Vogel, 1980, p. 121)
The role of the hospital as a dominant force in directing the orientation of healthcare was complete by the middle of the 20th century. The hospital, as a corporate entity, determined its need for more structured and specialized administration: in the early 1960’s, 4% of daily hospital cost went to administration, but within 10 years, this had more than doubled (Knowles, 1973). Hospitals had by necessity undertaken the same exposures to risk as any other enterprise.
Thus, in the endeavor of healthcare, patients, physicians, hospitals and insurers face risks. Patient risk is based in the clinical exposure, and typically ceases with that exposure, except perhaps for the risk of loss of privacy. The clinical experience itself is structured and controlled both explicitly (e.g., physician credentialing and scientific protocols) and implicitly (e.g., construction codes for hospital and physician office). Insurers have well-developed mechanisms for identifying their risks; the long experience of one of us (DLT) shows that these are often the basis of the hospital’s approach, for good or ill. Physicians and hospitals, however, face the same risks since their work product is the same: the intangible consumable called ‘health’ by some (apparently economists and insurers) but probably thought of as ‘cure’ by others (those who mediate the patient’s return to function and who are the immediate providers of this health: hospitals, physicians, etc.).
The difference between ‘health’ and ‘cure’ is not trivial since each of these terms implies different risks and different risk-takers. Hospitals have had the benefit of a production-based risk management approach for much of this century. Physicians, however, could really benefit from a standardized approach to risk management that emphasizes the production of their services, an approach that demonstrates the interests they share with hospitals. If there was doubt about these shared interests in the past (see Knowles, 1973; Vogel, 1980), then current developments should put the matter to rest. For example, the Balanced Budget Act of 1997 links hospital case mix index (a severity-adjusted measurement of its ‘DRG productivity’) with physician staff Relative Value Units (a measurement of physician ‘procedure productivity’), and the two parameters are judged together. The past decade has also seen the rise of various kinds of physician – hospital organizations (PHOs) to achieve common goals, and deal with common risks (Reagan, 1999; Robinson, 1999).
The basic principles of risk management in general have been systematized by, among others, the Insurance Institute of America. (This section is based on: Head, 1995; Head, Elliott, & Blinn, 1996; Head & Horn, 1997). The essential exposures that create risk are: property (e.g., buildings, equipment, medical records, and even reputation); liability (i.e., considerations of contracts, laws, and regulations); personnel (especially key members of an organization whose loss might critically affect others); and, net income (or, revenue less expense; this is also a function of the effectiveness of the organization’s management of risk). A risk manager dealing with these exposures proceeds in exactly the same way as a physician looking at disease. First, the risk manager identifies and analyzes potential sources of loss contingent on the exposure: there is a differential diagnosis based on data gathered, both subjective and objective. Second, the risk manager considers alternative approaches to preventing or dealing with loss: diagnostic tests may be performed and various therapies discussed. Third, the risk manager selects the best approach: there is a final assessment and plan. Fourth, that approach is implemented: orders are written, therapy is begun, or the patient is taken to surgery. Last, the risk manager monitors results: legible and systematic progress notes following the critical variables identified in the first stage describe the patient’s response to treatment.
The analogy begins to break down when we look at how an organization (physician or hospital) deals with identified risk compared to how the physician diagnoses in clinical practice. First, risks may be controlled in order to minimize losses. Techniques of control involve minimizing the frequency and/or severity of losses or at least making losses more predictable. Examples of these techniques with applications include:
| Technique | Applications |
|---|---|
| Avoidance: abandon or avoid the exposure | Hospital and physician choose NOT to joint venture on a new office building |
| Prevention: decrease the frequency of a loss | Hospital and physician establish intruder alert safeguards |
| Reduction: decrease the severity of a loss | Hospital and physician improve their facilities to attract patients in order to deal with competition from invading PHOs |
| Segregation/duplication of loss risks: reducing likelihood of loss by changing location of crucial exposures or by duplicating exposures | Hospital and physician maintain their patient clinical records and billing records in separate locations or on separate computers; hospital and physician duplicate their records by using backup files |
| Contractual transfer of risk for control: potential for loss is transferred to another entity, who assumes full responsibility | Hospital and physician decide to contract with an independent entity to dispose of biohazardous wastes rather than maintain their own facilities. |
Table 1: Techniques of risk control, with applications
Second, risk may be financed, typically through insurance, although this may also be done contractually or even just by accepting loss (“self-insured retention”). For example, a hospital and physician may contract with another entity to bear the cost of maintaining their buildings and grounds, or they might just devote their own manpower to the task and assume all consequent responsibilities. In the latter case, there is increased chance for work-related injuries, a risk that is financed by their workers’ compensation insurance, while at the same time hospital and physician have retained the cost and liability of policing their own grounds in order to save the contractual fee for maintenance.
Insureds often hope and expect that their insurance policies will replace the management of risk. That is impossible. Hospitals and physicians must identify and manage risk if only because their cost of insurance will depend on their loss experience: poor risk management leads to greater losses, which the insurer translates into higher premiums. As exposures change (for example, a hospital adds a new piece of equipment; a physician learns a new surgical procedure to incorporate into his practice), the loss experience may change but the insurance policy may not. To presume coverage where none exists may be an even greater risk. The risk manager of an organization must also deal with the moral hazard of insurance within his organization: problems that accrue because an insuree (whether corporate entity or individual physician) might be willing to change behavior just because there is that presumed safety net (Black & Skipper, 2000; Head, Elliott, & Blinn, 1997). For example, might a physician do a riskier procedure or might a hospital utilize personnel outside their job description because “that’s what insurance is for?” In much the same way as bringing consultants in for a difficult case does not exonerate the attending physician in case of possible malpractice, insurance does not abrogate the responsibility of risk management. Insurance does not transfer risk; at best, it shares risk (Kloman, 2000).
The independent risk manager in a healthcare organization – regardless of whether it is a hospital or physician’s office – enjoys vulnerability, responsibility, and accountability. His vulnerability consists in the fact that he must be able to identify new exposures and predict newer exposures. He must be able to manage the coordinated effort necessary to control these risks, some of which may be virtual but nonetheless real. He is responsible for identifying and managing immediate risks in his organization that are inherent in the externalities of what is by necessity an imperfect healthcare market. (The market is imperfect for the following reasons: there may not be sufficient “buyers”/patients or “sellers”/providers – whether hospital or physicians – to preclude overwhelming influence by one or the other; “seller”/providers may not have freedom to enter and exit the market; not all “seller”/providers produce identical products; and, there is clear asymmetry of information among parties in healthcare. See the discussion by Black & Skipper, 2000, on perfectly competitive insurance markets.) There can be little doubt that he is responsible to all parties, not only professionally but ethically as well. He impacts the entire organization as well as his society, and may be limited by these in turn.
The physician must recognize that within his organization, whether it is a solo practice, group practice, or multispecialty clinic, he will be the risk manager. The component functions of risk management are aspects of his managerial life within the business enterprise. The question of whether or not he feels ‘comfortable’ carrying out these analyses is moot, just as the question of his comfort performing a lumbar puncture is moot. Each can – and must – be learned. Each is a necessity: one for the survival of the patient, and one for the survival of the physician. The patient will not survive if the physician does not survive.
In order to discharge his responsibilities, the risk manager must be fully integrated into corporate structure with lines of communication to all levels and divisions. (For a physician practice, this translates into the need for the physician to be bluntly honest with himself, his partners, and all stakeholders in the practice.) There must be appropriate staff to participate in the identification, assessment, and treatment of organizational risk. (For a physician practice, this may simply mean: make the time for this!) Such staff must be able to provide specialty information relevant to unique exposures. The risk manager must participate in the design of all aspects of the risk management program, including not only the identification and disposition of perils and hazards, but also the control and financing of risk as it affects the organization. He must take the lead on the design and implementation of the information management system that will frame the questions about past activities, exposures, and losses as well as test the hypotheses and predictions that enable the management of risk (Deming, 1986; Head & Horn, 1997).
The various functions of risk management have their own logistics, which we have schematized in a matrix capturing the demands of each workload component (Hutchinson, 1987; Ammons, 1991).
| Category | Score | Hospital Risk | Physician Risk |
|---|---|---|---|
| Visibility of the Risk Management Function | | Is Risk Management integrated into the organization as a critical function, or is it isolated? | The physician’s office must integrate risk sensitivity into the practice. Although there is typically the attempt to delegate this responsibility, the physician(s) always remain vulnerable and accountable. |
| Communication | | Does the risk manager provide administration with critical information on a regular basis, describing trends and issues which need attention? Does he receive the same kind of information? | The physician faces the same need for information. Do all the physicians exchange information about losses and exposures that is useful to the practice as a whole? Is there an effective incident reporting system so that the physician(s) can deal with risks across the organization? |
| Staff | | Is the risk management function appropriately staffed with personnel specially trained to meet the needs of the hospital? | In the practice, have all personnel received training to enable them to identify, communicate, and provide at least immediate control of risks? Does the physician make time? |
| Identification, assessment and treatment of organizational risk | | What risks could impact the hospital’s physical assets, net income, liability, and personnel? Why are these risks here and now, and how can we deal with them? | Physicians face precisely the same risks, and although their ultimate solutions may differ, their plans and goals must be the same. |
| Specific Issues | | Are special conditions considered, e.g., food services, outlying clinics, disposal of hazardous waste, helipad, etc.? Are there uncontrolled or uninsured risks? | Have the unique needs of individual physicians been met, e.g., instruments, diagnostic equipment, special needs or different patient populations, etc.? |
| Design of the Risk Management Program | | Are appropriate people and mechanisms in place to identify and analyze hospital risks, control them if possible, and finance them if necessary, in the most cost-effective fashion? | Once again, physicians face the same problem of program design. A major danger here is the abdication of the responsibility for program design; some try to replace this with a general insurance plan, although as noted, vulnerability and accountability remain. |
| Immediate Safety and Loss Control with Zero Tolerance | | Is the hospital a maximally safe and productive workplace to allow all other functions to ensue? Does the hospital analyze pertinent data and take appropriate action to assess emerging trends, relating this to organizational risk above? | As managers of a workplace, if not even a “professional product store”, physicians have this same responsibility to the workplace, and must respond to the immediate needs of their workforce and clients. |
| Cost of Risk | | How does the hospital’s Cost Of Risk (insurance cost + deductible + cost of administration) compare with similar institutions? How is this cost apportioned through the organization, and divided among risk control, risk transfer, and risk financing? Is there regular reevaluation? | Is the Cost of Risk for this physician or group similar to other providers who have the same exposures and patient populations? Is this reevaluated as the basis of the practice changes? |
| Claims Management | | Are all incidents and claims dealt with quickly and professionally? Does the hospital continue to stay involved, or does it deny responsibility and try to shift it over to the insurer? | Do appropriate physicians receive a periodic report on the status of each and every claim involving the 4 classes of exposures above? |
| Information Management System | | Is there a functioning and effective information management system that can deal with current and projected needs? Can information be readily retrieved by those who need access? | Physicians must deal with the same need for a flexible and effective information system. They must separate their information needs as physicians AND as producers, but remain attentive to each. |
| Maximum Score for each category (total: 100 points) | 10 | | |
Our purpose in presenting this is to define and describe all the facets of the risk management function. Based on the experience of one of us (DLT), we suggest that average scores in each category of 8-10 are good, scores of 5-7 are average, and below 5 are poor. By using this matrix, we would hope that organizations grouped by similar exposures to risk (e.g., rural small group practice in the southeast) would be able to rate their approach to risk management on a regular basis, establish benchmarks, and implement change where necessary in the appropriate category.
We claim that the management of risk must be one of the defining events for each organization, whether it is the solo practitioner’s ‘organization of one’, the group practice, or the hospital. The risk manager in every healthcare organization, regardless of who he is and which other roles he may fill, in fact becomes Kloman’s ideal of the Chief Risk Officer, “a generalist who reports to both the Chief Executive and the Board and coordinates the work of other risk specialists.” Kloman continues,
Implicit in the CRO [Chief Risk Officer] movement is the assumption that risk management is no longer the sole province of specialists. It is now the responsibility of each and every person in the organization. The new goal is to build a culture of risk understanding so that better decisions may be made at every level, every day. (Kloman, 2000, p.5)
In conclusion, there is no choice except to recognize and accept the necessity for risk management practiced by each participant in healthcare. Patients see this as part of their newfound independence. Insurers were founded on the premises of risk management, and have demanded that these principles be adopted. Hospitals already have 80 years of experience in the field. Physicians must begin to consider all aspects of their professional lives, both clinical and enterprise-related, and recognize that the management of risk plays a role in each.
Ammons, D.N. (1991). Administrative analysis for local government: practical application of selected techniques. Athens: The University of Georgia.
Bateson, G. (1972). Steps to an ecology of mind. New York: Ballantine Books.
Black, Jr., K., & Skipper, Jr., H.D. (2000). Life & Health Insurance (13th ed.). Upper Saddle River, NJ: Prentice Hall.
Block, D. (2001). Response to Felix Kloman. Risk Management Reports, 28(3), 3.
Deming, W.E. (1986). Out of the crisis. Cambridge, MA: Massachusetts Institute of Technology.
Duncan, W.J. (1989). Great ideas in management. San Francisco: Jossey-Bass.
Fein, R. (1986). Medical care, medical costs. Cambridge, MA: Harvard University Press.
Head, G. (Ed.) (1995). Essentials of Risk Control (3rd ed.). 2 vols. Malvern, PA: Insurance Institute of America.
Head, G., Elliott, M.W., & Blinn, J.D. (1996). Essentials of risk financing (3rd ed.). 2 vols. Malvern, PA: Insurance Institute of America.
Head, G., & Horn, S. (1997). Essentials of risk management (3rd ed.). 2 vols. Malvern, PA: Insurance Institute of America.
Hutchinson, N.E. (1987). An integrated approach to logistics management. Englewood Cliffs, NJ: Prentice-Hall, Inc.
Kloman, H.F. (2000). An iconoclastic view of risk. Risk Management Reports, 27(12), 1-6.
Knowles, J.H. (1973). The hospital. Scientific American, 229(3), 128-37.
Osler, W. (1947). Aequanimitas, with other addresses to medical students, nurses and practitioners of medicine (3rd ed.). Philadelphia: The Blakiston Company.
Reagan, M.D. (1999). The accidental system: health care policy in America. Boulder, CO: The Westview Press.
Robinson, J.C. (1999). The corporate practice of medicine: competition and innovation in health care. Berkeley: University of California Press.
Santerre, R.E., & Neun, S.P. (1996). Health economics: theories, insights, and industry studies. Chicago: Irwin.
Vogel, M. (1980). The invention of the modern hospital: Boston 1870-1930. Chicago: University of Chicago Press.
White, W.D. (1990). The ‘corporatization’ of U.S. hospitals: what can we learn from the nineteenth century industrial experience? Int J Health Serv, 20(1), 85-113.
Withrow, S.C. (1999). Managing healthcare compliance. Chicago: Health Administration Press.