Risk Management
Initiating risk, identifying risk, managing and responding to risk, monitoring, reporting and communicating risk.
3. Identifying Risk
The next overarching concept of risk management is the ‘identification’ phase (Wang, 1999. Bandyopadhyay et al, 1999. Lorton, 2005. Hillson & Murray-Webster, 2007. Hung, 2012. Hu et al, 2013). The Hong Kong Hospital Authorities (2004, p.7) has declared that:
“a frequently asked question by many organisations is ‘how many risks should we be identifying?’ There is no hard and fast answer. [Organisations] should attempt to identify as many ‘significant’ risks as possible, bearing in mind that risk identification is a continuous process and new risks will keep appearing”.
It is obvious; therefore, that risk identification is an on-going process and should be seen as ‘continuous’ practice.
The literature search of both academic and grey literature found three key areas where risks to business, specifically publically financed healthcare organisations, can be identified. These are: (i) audit, (ii) third parties, and (iii) public, patients and consumers. Macleod and Overall (2005) believe that the internal audit function of any business can be used to identify risks. In their study of Brisbane City Council, they found that when the Council directed its Assurance and Audit department to integrate its internal audit planning more directly with its own corporate risk management framework it not only ensured that audits assessed risks and controls in line with the framework but also this led to identifying further risks that had not hitherto been detected by project leads. This shows that audit does not have to be used solely for assurance purposes as it can also identify new risks. Audit is seen as key to the identification phase of any project and links in with The Hong Kong Hospital Authorities’ (2004) view that risk identification is a continuous process.
In addition to monitoring provider performance and quality data (as mentioned above) in order to identify risks, patients and members of the public are extremely useful resources for identifying risks. All CCGs have a patient services department to help manage information from patients. These departments can be used to find new risks. Joyce et al (2005) argue that empowering patients to monitor their own care can identify service failings within provider services. Managing risks external to organisations was first outlined in a publication named Managing Third Party Risk (Crowe Howarth, 2011 p.3) which states that due to “increased regulatory scrutiny, continuing cost pressures, active investors, and a vigilant public, businesses today must have a clear understanding of the risks that are inherent in external business relationships”.
When looking at procurement in the private sector Crowe Howarth (2011, p.4) found “in a recent study conducted by ChainLink Research, nearly 50 per cent of organisations indicated that risk assessment played a ‘critical and mandatory’ role in their service provider selection. However, more than 70 per cent of the surveyed organisations reported to having no mitigation standards to which they hold their service providers [to account]”.