Risk Mitigation Techniques: Avoidance, Reduction, Transfer, and Acceptance

Welcome back to the Community Health Management podcast! I'm your host, Dr. Tami Moser, and you're tuning into the second part of our series on risk assessment and management planning. In our last episode, we explored how to identify and assess risks within community health programs. Today, we'll dive into developing strategies for risk mitigation and crafting a comprehensive risk management plan. I'll guide you through the four main strategies: avoidance, reduction, transfer, and acceptance. We'll discuss practical examples, such as mitigating data breach risks, and tackle common challenges in risk mitigation. Stay with us as we outline best practices and walk you through creating your own detailed mitigation strategy. Remember, effective risk management isn't about eliminating all risks, but being prepared to navigate challenges successfully. Let's get started!

Tami Moser [00:00:01]:
Welcome back to the community health management podcast. I'm your host doctor Tami Moser and this is the second part of our series on risk assessment and management planning. In our previous episode, we discussed how to identify and assess risks and community health programs. Today, we'll focus on developing strategies for risk mitigation and creating a comprehensive risk management plan. Let's start by reviewing the 4 main strategies for dealing with identified risks. The first is avoidance. So eliminating the risk by changing your approach or not engaging in the risky activity. So an example of this in pharmacy would be the risk associated with delivery.

Tami Moser [00:00:40]:
To avoid that risk, I stopped delivering. Right? Reduction, implementing measures to decrease the likelihood or impact of risk, and this is where we'll spend a lot of time. Right? Is and and patient safety, especially, spend a lot of time on reduction on a regular basis. The third is transfers. So this is shifting the risk to another party often through insurance or outsourcing and then accepting. So outsourcing would mean we bring in a consultant to do that, and so any of their work is covered by their consulting insurance. And then we have acceptance, acknowledging the risk and preparing to deal with its consequences if it occurs. And that is also where we spend a lot of time.

Tami Moser [00:01:23]:
And you also can use multiples. It's not uncommon to transfer as much of the risk as possible while at the same time trying to work to reduce any likelihood of it happening or decrease the impact if it is or will happen. And at the same time, accepting the fact that we could still have that occur like a medication, an error medication error, which means that we need to know how we're gonna deal with that and what that will look like for us. So in that instance, we're gonna be using 3 of those. Right? We're not gonna avoid it because we're not gonna stop doing whatever would allow us to avoid the risk. So we use the other 3 in the combination that makes the most sense to mitigate the risk and its impacts. The strategy you choose depends on the nature of the risk, its potential impact, and the resources available to address it. I mean, one of the reasons why the HVA can be such a powerful tool is because you end up with a prioritized list.

Tami Moser [00:02:23]:
Then you can work on addressing costs associated with addressing each risk in the way in which it needs to be. And then those two things combined often have tell the story of where you're gonna spend those resources to address those risks, and you have to start with prioritized lists to get a good feel for what that's gonna mean for your organization. But often, there is not a way to address all risk, so the cost can be just too expensive. That's why the prioritized list helps a great deal. Now let's walk through the process of developing a risk management plan. Right? You know, numbering doing the math. Right? You know, numbering and then doing the mathematical formula and then getting your outcome for that. And then you're gonna stack them by highest to lowest number for a priority list.

Tami Moser [00:03:28]:
Use your HVA results to focus on the most critical risks first. And then you assign ownership. So designate a responsible person for a team. So it can be a person or a team for each risk. Then they're going to work to develop mitigation strategies for each risk. They'll determine the most appropriate strategy and specific actions to implement it based on the work that they do because they own that risk. Then the next step would be to establish monitoring procedures to define how you'll track the effectiveness of your mitigation efforts and any changes in risk levels that might occur. You'll create response plans so you'll develop step by step procedures for responding to risks if they occur.

Tami Moser [00:04:13]:
So if someone walks into your pharmacy and there's they say, my husband's in the hospital because we had his prescription filled 2 days ago and they say at the hospital you gave them the wrong drug and they're now in intensive care. Do your techs know what to do if someone walks up and says that? That's defining how people are supposed to respond by putting together step by step procedures for responding to that risk. And, you can translate that across different healthcare systems and components within the systems. Right? Everybody needs some training on whatever would be their part in that step by step procedure to respond. Then you allocate resources. So ensure you have the necessary budgets, staff, and tools to implement whatever plan you've put in place, and then you communicate that plan. You make sure all stakeholders understand their roles and responsibilities in risk management in that particular risk. In other words, their responsibilities may be higher or lower depending on who they are and the context of their work in relationship to the context of the risk.

Tami Moser [00:05:20]:
So that communication and training plan starts with all stakeholders, but I would even say you can prioritize the stakeholders and the types of communications and trainings they need. So let's look at a practical example. Remember the data breach risk we assessed in our last episode? Here's how we might approach mitigating this risk. So we want to look at reduction first. So our actions could look like this. We're gonna implement robust cybersecurity measures. Those, of course, would have to be what does robust mean and what kind of measures are we gonna put in place. So as an action item there would be sub action items.

Tami Moser [00:06:00]:
The next would be to conduct regular staff training on data protection. So what does regular mean and what staff would be involved in that? And then perform periodic security audits. So who will be performing those audits and how will they do it and how do we know that that actually is testing the system the way we need it to. So there's each of these action steps has many parts to it and questions you'll ask. Next, we're gonna monitor. Right? We need a monitoring plan. So monthly security reports and annual third party assessments is how we're gonna monitor this. So we're gonna look at those reports every month, our team or the individual responsible depending on how you've structured it.

Tami Moser [00:06:40]:
And then annually, we're gonna contract out to a 3rd party to actually, you know, test our data security. And then the resources well, let's go back one. I skipped response plan because you need detailed steps for containing a breach. So if a breach of data occurs, what are you gonna do about it? Who needs to be notified? How are you gonna restore your systems? How are you gonna test those systems so you can trust those systems? So you need detailed steps in that response plan that in terms of broad strokes will deal with each of those areas. Then we have the resources. So you budget for cybersecurity software and staff training. I mean, that's necessary. If you're not gonna put the resources behind it, most of this probably won't occur.

Tami Moser [00:07:30]:
So that would be an example of how we would take one mitigation strategy for one specific type of risk and break it down in those areas. So, again, depending on the risk and the complexity of working through those steps, I might just ask one person to take responsibility, or it might be more effective to put a team together. You might have one person start the start the planning and then have a team come together to review that plan and add their 2¢, if you will. Now let's address some common challenges in risk mitigation. 1st, overreliance on a single mitigation strategy. Combination often works best. 2nd would be failing to update the risk management plan regularly. Things change.

Tami Moser [00:08:16]:
Right? They change in our environments all the time. And what we originally set up may have been perfectly acceptable and helpful at that time, but now that's not how it looks. Right? Things have shifted in the environment. New types of, worms have been created, and that's over in the cyber area. Right? Trojan horses, lockdowns of data, ransomware. I mean, as things shift in that space, the safety of your data can fluctuate. So you want to update the plan regularly based on the shifting environments you're working with. Neglecting to practice response plans.

Tami Moser [00:09:01]:
You know, testing out your plans is is a really good idea. In the military, there's a saying, and if I get this wrong, I'm sure someone can correct me, but that, you know, when no plan survives contact with the enemy. And so once you engage in your program, the plan you have for risk mitigation, more than likely, won't hold up with the realities of how your plan is working because our plans shift, change, adapt. We need them to be flexible to adapt to the environments we're in, but that also means that risks shift. And so and what we designed as a response plan may look great on paper, but in reality we can't make that work. So you need to test it. And then inadequate communication of risk management procedures. You know, And I asked this question.

Tami Moser [00:10:02]:
I'm gonna use my farm college of pharmacy in the as an example here. I asked this question in every 3.2 class. 3.2 is the semester before pharmacy students go out on rotations. And so they've been through all of the didactic curriculum almost at this point by the time I get them in 3.2. So last semester of that. And most of them have worked in pharmacies the whole time through school. And so I always when we get to this section, I ask how many of you have seen or been trained on how you're supposed to respond if a patient comes in or a patient's spouse comes in and says my spouse is in the ICU because of a drug you gave them. And fill in the blanks, that story, of course, would be longer.

Tami Moser [00:10:47]:
And, you know, I never get one person raise their hand. Not one student who works at the counters as a tech in a in pharmacies has been trained on what to do if someone walks in says that. They have no idea. And so that's an inadequate communication of risk management procedures. You know, they they could because they could handle it so poorly and think they should that it can do some real damage. And this idea that they'll just automatically know that that's not something they should deal with. I mean, how do they ask the patient to wait for a pharmacist to come talk to them? Where do they put them? You know? What can they say? A lot of times people think if they say, I'm sorry, that's admitting guilt. It's not.

Tami Moser [00:11:31]:
I'm sorry that happened to you is a perfectly acceptable first statement, and that I'm sorry can go a really long way to calming people down. But if they're not trained to do that and they don't know what to do, you don't know what's gonna come out of their mouth. So that's inadequate communication of risk management procedures, and it's not uncommon, for that to be an error. Right? So it's a common challenge that you just need to think through. To overcome these, ensure your approach is diverse, dynamic, and well communicated throughout your organization. It's not rocket science. It's not hard to do, but it can be time consuming. And that's often the the challenge with it.

Tami Moser [00:12:09]:
Right? And here are some best practices for effective risk management and community health programs. 1, foster a culture of safety. Encourage open communication about risks and near misses. People shouldn't be afraid to open their mouth to talk about this. Because if you really want to have a culture where safety is a primary point of concern and focus, people need to be able to have open communication about the risks and things that almost were external errors that were caught. Yay. And you can celebrate. Hey.

Tami Moser [00:12:45]:
It was caught. I'm so appreciative it was caught and didn't make its way out to the patient. That protected the patient. And so, you know, our double checks helped here. Now let's look at where did it go wrong? You know, Why did it go wrong here? And more than likely, you're gonna run into multiple things. Sometimes it may be that there was just something odd that happened. Other times, what happened might be really normal. You just didn't think about it being something that could occur.

Tami Moser [00:13:19]:
The next would be to integrate risk management. Make it a part of all planning and operational processes. You're gonna talk about this. So you talk about it in your manager meetings, whether it's a monthly, a quarterly. I mean, it wouldn't be bad to revisit the plans every quarter or, at that time, take one, planned response and test it. Do a tabletop exercise if people need to be able to understand what steps they're supposed to take and they're responsible for. I mean, just make it a part of the overall planning, strategic planning, financial planning. It's just another risk management planning.

Tami Moser [00:13:55]:
It integrates in. 3rd, learn from incidents. Conduct thorough post incident reviews and apply lessons learned because that is the gold. Right? We learn more from the mistakes that we make than the things that work out perfectly. And that's unfortunate for all of us, but that does tend to be the reality. So when you look at near misses and other things or and it's medication error occurred, conduct a thorough post incident review. And once you're done with that, then you learn from it. And so you may adjust training plans.

Tami Moser [00:14:33]:
You may adjust communication plans with different stakeholder groups. I mean, there's many different ways that the lessons can impact what you do in the future, but start there. Then stay informed. Keep up with emerging risks and best practices in risk management. So this is best done by people that are responsible for a particular area that they stay informed in that area. So if I have an IT department and they're responsible for control and safety and protection of our data, then they would be the ones I expect to stay informed and keep up with emerging risks and best practices and bring it to the table when we have those monthly risk management meetings. Right? Then collaborate. Work with other community health organizations to share knowledge and resources.

Tami Moser [00:15:22]:
Go to, conferences where this is a topic of conversation. Right? Learn how to collaborate and share not just the actual program components itself, but actually share and think through what others are learning or doing in the space and what they've identified as emerging risks. And last on this is regularly review and update. Your risk management plan should also be a living document. You don't just write it and then throw it in a drawer and walk away. It should be something that, you know, if you're maybe every month, you round robin who you're gonna talk to. So this month, we've got these 3 that are gonna talk about the risk they're responsible for. Next month, it's gonna be these other 3.

Tami Moser [00:16:09]:
And every quarter, we get through everybody's area of concern and review and update the document as needed or requested or suggested depending on our policies. Right? Our step step procedures really will make a difference here in how we handle that, but knowing that we should is part of this. Now here's your action item for this podcast. Based on the risk assessment you conducted last podcast, you're gonna develop a detailed mitigation strategy for your top three identified risks across all the domains. Right? So you identified 3 risk per domain. Now you're gonna take the top three out of all of those domains. Include specific actions, actions, monitoring procedures, and response plans. And we are now gonna be moving into module 5.

Tami Moser [00:17:02]:
And so we'll discuss how to start wrapping everything up and pulling your entire plan together for presentation. So thank you for tuning in to the community health management podcast. Remember, effective risk management is not about eliminating all risks, but about being prepared to navigate challenges successfully. Until next time, this is doctor Tami Moser encouraging you to stay proactive and resilient in your community health endeavors.

References:

[1] World Health Organization. (2023). Risk Management Framework for Health Programs.

[2] Joint Commission on Accreditation of Healthcare Organizations. (2022). Risk Assessment in Healthcare Settings.

[3] Federal Emergency Management Agency. (2023). Hazard Vulnerability Analysis Toolkit.

[4] Institute for Healthcare Improvement. (2022). Common Pitfalls in Healthcare Risk Assessment.

[5] American Society for Healthcare Risk Management. (2023). Risk Mitigation Strategies in Healthcare.

[6] National Association of Community Health Centers. (2022). Developing Comprehensive Risk Management Plans.

[7] Journal of Healthcare Risk Management. (2023). Overcoming Challenges in Implementing Risk Mitigation Strategies.

[8] Agency for Healthcare Research and Quality. (2023). Best Practices in Healthcare Risk Management.