Wiener klinische Wochenschrift

, Volume 127, Issue 1–2, pp 1–11 | Cite as

Systematic implementation of clinical risk management in a large university hospital: the impact of risk managers

  • Gerald Sendlhofer
  • Gernot Brunner
  • Christa Tax
  • Gebhard Falzberger
  • Josef Smolle
  • Karina Leitgeb
  • Brigitte Kober
  • Lars Peter Kamolz



For health care systems in recent years, patient safety has increasingly become a priority issue. National and international strategies have been considered to attempt to overcome the most prominent hazards while patients are receiving health care. Thereby, clinical risk management (CRM) plays a dominant role in enabling the identification, analysis, and management of potential risks. CRM implementation into routine procedures within complex hospital organizations is challenging, as in the past, organizational change strategies using a top-down approach have often failed. Therefore, one of our main objectives was to educate a certain number of risk managers in facilitating CRM using a bottom-up approach.


To achieve our primary purpose, five project strands were developed, and consequently followed, introducing CRM: corporate governance, risk management (RM) training, CRM process, information, and involvement. The core part of the CRM process involved the education of risk managers within each organizational unit. To account for the size of the existing organization, we assumed that a minimum of 1 % of the workforce had to be trained in RM to disseminate the continuous improvement of quality and safety. Following a roll-out plan, CRM was introduced in each unit and potential risks were identified.


Alongside the changes in the corporate governance, a hospital-wide CRM process was introduced resulting in 158 trained risk managers correlating to 2.0 % of the total workforce. Currently, risk managers are present in every unit and have identified 360 operational risks. Among those, 176 risks were scored as strategic and clustered together into top risks. Effective meeting structures and opportunities to share information and knowledge were introduced. Thus far, 31 units have been externally audited in CRM.


The CRM approach is unique with respect to its dimension; members of all health care professions were trained to be able to identify potential risks. A network of risk managers supported the centrally coordinated CRM process. There is a strong commitment among management, academia, clinicians, and administration to foster cooperation. The introduction of CRM led to a visible shift with regard to patient safety culture throughout the entire organization. Still, there is a long way to go to keep people engaged in CRM and work on national and international patient safety initiatives to continuously decrease potential hazards.


Risk management Training/education Design for safety 

Systematische Einführung vom Klinischen Risikomanagement in einem Universitätsklinikum: Bedeutung von Risikomanagern



Das Thema Patientensicherheit hat in den letzten Jahren im Gesundheitswesen zunehmend an Bedeutung gewonnen. Nationale und internationale Strategien wurden entwickelt, um die häufigsten Risiken, die während des Behandlungsprozesses auftreten können, bestmöglich zu vermeiden. In diesem Kontext nimmt das Klinische Risikomanagement (KR) eine wichtige Rolle ein, um Risiken zu identifizieren, zu analysieren und zu bearbeiten. Die Implementierung des KR in bestehende Routineprozesse innerhalb eines komplex organisierten Krankenhauses ist jedoch eine Herausforderung, da organisatorische Veränderungen mit einem Top-down Ansatz in der Vergangenheit oft nicht funktionierten. Unser Ziel war es daher, eine gewisse Anzahl an Risikomanagern auszubilden, um das Thema KR im Bottom-up Ansatz aufzubauen.


Um das primäre Ziel der Implementierung des KR zu erreichen, wurden fünf Stoßrichtungen entwickelt und konsequent verfolgt: Unternehmensführung, Risikomanagement-Training, Prozess KR, Information und Beteiligung. Einen großen Anteil am Prozess KR nahm die Ausbildung von Risikomanagern in jeder Organisationseinheit ein. Die Größe des Krankenhauses berücksichtigend, war die Ausbildung von zumindest 1 % der Mitarbeiter im KR vorgesehen, um das Thema wie auch die Verbesserungsmaßnahmen in Bezug auf Qualität und Sicherheit angemessen zu verbreiten. Gemäß Roll-out-Plan wurde das KR in jeder Organisationseinheit eingeführt und Risiken wurden identifiziert.


Neben Änderungen in der Unternehmensführung wurde ein krankenhausweiter KR-Prozess mit insgesamt 158 ausgebildeten Risikomanagern eingeführt, dies entspricht 2,0 % der Mitarbeiter. Risikomanager sind auf allen Organisationseinheiten vorhanden und identifizierten insgesamt 360 operative Risiken. Davon wurden 176 Risiken als strategische Risiken bewertet und zu Top-Risiken gruppiert. Zusätzlich wurden neue Meeting-Strukturen und Möglichkeiten zum Informationsaustausch eingeführt. Bislang wurden 31 Organisationseinheiten im KR extern auditiert.


Der eingeführte KR-Prozess ist einzigartig in seiner Ausprägung, Mitarbeiter aus allen Berufsgruppen wurden ausgebildet und identifizierten potentielle Risiken. Ein Netzwerk von Risikomanagern unterstützt den zentral gesteuerten KR-Prozess. Die kollegiale Führung, die Medizinische Universität, die Mitarbeiter der Kliniken und das Management unterstützen das KR. Im Krankenhaus führte der KR-Prozess zu spürbaren Veränderungen hinsichtlich der Patientensicherheitskultur. In den kommenden Jahren konzentrieren wir uns darauf, die Mitarbeiter auch weiterhin im KR einzubinden, um nationale und internationale Patientensicherheitsinitiativen umzusetzen.


Risikomanagement Training/Ausbildung Sicherheitsdesign 


Within nuclear, oil, and aerospace industries, there exists a long tradition of risk management (RM) to ensure safe environments and products [1]. In health care systems, clinical risk management (CRM) is a specific form of RM focusing on clinical processes directly and indirectly related to the patient [2]. CRM is process based and enables the creation of patient safety strategies. The importance of CRM in enhancing patient safety has been recognized for many years and has increasingly become a priority issue for European policy makers since the early 2000s [2, 3, 4, 5, 6, 7]. However, despite several patient safety initiatives and tools that can all be seen as elements of CRM, there is a lack of knowledge concerning the systematic implementation of CRM in large university hospitals [2].

The University Hospital Graz is the second largest in Austria and offers hospital treatment for more than 400,000 outpatients and 88,000 inpatients per year. As a central university hospital, we take care of more than 1,000,000 people in the south of Austria. To cater for this, the university hospital consists of 20 departments with 43 divisions, 10 intensive care units with 135 beds, 58 nursing wards with 1381 beds, 44 operating theaters, and 16 outpatient clinics.

The traditional overall governance structure in an Austrian university hospital is two dimensional. There is one management board for aspects of teaching and research, and there is a separate management board for all aspects of clinical care. To reach their objectives, both legal entities follow defined strategies principally stipulated either by the federal department responsible for medical universities or by the provincial department responsible for governing health care services. In 2009, both legal entities exchanged their aims, resulting in a hospital- and university-wide goal of implementing comprehensive CRM to continuously improve the accountability for safe environments in two complex organizations. Thereby, the primary challenge in developing CRM in a university hospital with a tripartite mission originates from the interaction of structures and processes with respect to quality governance at two board levels while coordinating strategic patient safety initiatives.

Next to the complex organization, the University Hospital Graz primarily runs a non-insurance principle with regard to patient claims. In the past, it was calculated that expenses for insurance are even higher than yearly liability costs for court judgments or arbitrations. If claims come up, compensations are paid out of appropriated earnings of the provider. However, this strategic-based system drives the interest of the legal entity to implement a CRM-driven process having safe procedures in place.

In the past, succeeding in improving CRM and patient safety was based on the emphasis of two determinants: (i) demand for safety through external channels such as judicial, market, and professional, and (ii) appropriate organizational responses depending on internal factors such as leadership, governance, and professional culture [8].

Taking the external factors into consideration, in 2009, the European Commission (EC) released a council recommendation on patient safety [9]. The EC estimated that in member states, between 8 and 12 % of patients admitted to hospital suffer from adverse events while receiving health care. The EC suggested implementing national strategies to ensure patient safety. In line with the European Union, in 2013, the Austrian Federal Ministry of Health published a nationwide strategy on patient safety for the years 2013–2016 [10].

With regard to organizational responses, Battles and Lilford [5] and Eisenberg [11] identified three stages necessary to embed a strong patient safety culture, namely, (i) identify risks and hazards that have the potential to cause health care-associated injury or harm; (ii) design, implement, and evaluate patient safety practices that eliminate hazards, reduce the risks of injury to patients, and create a positive safety culture; and (iii) maintain vigilance to ensure that a safe environment is sustained and patient safety culture remains in place. This induces a two-dimensional approach, namely a “top down” leading to standardized processes and “bottom up” to develop a patient safety culture [12].

Recently, the Austrian Standards Institute issued comprehensive guidelines for embedding RM in organizations and systems [13, 14, 15, 16, 17, 18]. With these guidelines, qualification for risk managers, methodologies for efficient risk assessment, and guidance for emergency and crisis management were put in place. In addition, ISO/DIS 31000 norm, principles, and guidelines for RM was released [19].

The preconditions for implementing CRM in our university hospital have been good, as currently, quality management systems such as ISO 9001 and the European Foundation for Quality Management (EFQM) are in place within both organizations. In addition, the medical university has been awarded for “Human Resources for Excellence in Research (HR Excellence in Research),” and the entire higher education sector has been certified according to the Austrian Agency for Quality Assurance. These quality initiatives are supported by quality managers within each department and controlled by third-party bodies that together push us toward continuous improvement.

However, the attempt to integrate CRM might be a different type of task entirely, as the term quality management tends to evoke positive associations, whereas RM elicits negative connotations [20, 21]. Moreover, in the past, organizational change strategies in a top-down approach have often failed [2]. To overcome fears associated with RM, it is essential to reduce prejudices as well as to create a no-blame culture. Therefore, for a safety culture to work, it must involve everyone to ensure an open-minded and constructive value toward excellence [22, 23]. With the support of a critical mass, RM may then start to take on a life of its own and drive itself ahead [24]. It was for this reason that we considered implementing a centrally coordinated, standardized CRM process meant to educate risk managers within each department using an interdisciplinary approach to support the process from the bottom-up. The resulting goal should be for CRM and patient safety to become a main focus within our complex organization.

The aim of this study is to report on the development of a hospital-tailored CRM process and its subsequent systematic implementation. Three main initiatives will be taken:

  1. i.

    The education and support of risk managers using safety-relevant information and risk tools. Risk managers are present throughout the organization and utilize their acquired skills as part of their daily work routine.

  2. ii.

    The implementation of CRM incorporating academic, clinical, and administrative services.

  3. iii.

    The improvement of clinical leadership through engagement in the CRM process and the identification of potential risks by risk managers.


To our knowledge, this is the first report of its type describing in detail the implementation of RM according to available standards and its attempt to implement CRM in a large university hospital.


We emphasized that the introduction of CRM into daily routine procedures can be considered successful if (i) risk managers are available in all departments; (ii) risks are identified through a bottom-up approach; and (iii) CRM was externally audited. To achieve our main purposes, five project strands were followed within our organization (Fig. 1).

Fig. 1

Five strands to implement clinical risk management (CRM) into routine hospital procedures (CIRS critical incident reporting system)

Corporate governance

It was determined that CRM becomes a strategic undertaking within corporate governance defined by good acceptance of change. Consequently, board members from both legal entities signed a project agreement and committed the top-down approach to implement CRM by using a bottom-up approach. Pertinent processes were explored to identify and share key RM strategies within both legal entities. According to the non-insurance principle, it was decided that in case of an implemented RM process, the university hospital will waive compensation.

Milestones were carefully considered over a period of 5 years (Table 1). Alongside the milestone plan, one of the key elements implementing sustainable CRM was the allocation of resources.

Table 1

Milestone plan to integrate clinical risk management into daily routine procedures



1) Agreement

1) Project agreement between board members of both organizations to implement clinical risk management into daily routine procedures

Available:December 2010

2) Clinical risk management process

2a) Develop a clinical risk management process according to existing guidelines and standards

Available: April 2011

2b) Create an information and communication plan

Available: April 2011

3) Roll-out plan

3) Educate risk managers to support the implementation of clinical risk management and define high-risk areas

Available: May 2011

4) External audits

4) Clinical risk management process is implemented and externally audited according to roll-out plan

Available: March 2012 to December 2014

5) Top risks

5) Risks are identified and strategies to reduce risks are initiated

Available: December 2012; December 2013; December 2014

RM training

Taking the large scale of our organization into consideration, we assumed that according to the square root of 7828 employees, a minimum of 1.1 % of the workforce should be committed to and educated in RM to support CRM [24]. It was generally acknowledged that clinical staff would be best placed to identify, analyze, and manage patient-related risks; therefore, one of our primary objectives was to educate clinical employees on the front line [25]. With respect to the focus of work within a particular department, we aimed to educate a team of physicians, nurses, medical technical assistants, and administrative professionals. It was the goal that within each unit, a RM team should be available.

In Austria, several providers offer RM training, and it was agreed that Austrian Standards, which provide national RM standards, should also provide the training. RM trainings at Austrian Standards were open to all academic, clinical, and administrative employees and lasted for 6 days. Essential contents of the instruction included

  1. i.

    introduction to CRM and overview of standards,

  2. ii.

    CRM and its application,

  3. iii.

    case examples and scenario analysis,

  4. iv.

    legal regulations, liability law, and behavior in the event of an error,

  5. v.

    RM in the field of medical devices,

  6. vi.

    experiences of learning and reporting systems,

  7. vii.

    introduction to process management,

  8. viii.

    overview of error possibilities and effect analysis,

  9. ix.

    failure mode and effects analysis (FMEA), scenario analysis, London protocol, route cause analysis, and Ishikawa, and

  10. x.

    emergency and crisis management.


CRM process

A CRM process based on all available standards and literature had to be drawn up. Clearly documented guidelines and templates were required to facilitate the CRM process and had to be developed. The main requirement for making the CRM process work was ensuring the availability of risk managers within each organizational unit. The implementation of risk managers was first initiated in a pilot unit to test run the CRM process. Thereafter, we followed a roll-out plan starting with high-risk areas such as surgical units, intensive care, and obstetrics. According to the CRM process, educated risk managers should identify and analyze risks using tools such as FMEA or scenario analysis. Retrospective analysis takes sources such as complaints, errors, and survey results into account. Risk analyses have to be approved by risk owners and board members. To monitor progress, the CRM process will be internally audited in each organizational unit according to an audit schedule. The CRM process will be supported for approximately 1 year until the external audit takes place. Thereafter, the CRM process will be transferred into daily routine.


Communicating risks may not have been an easy task in the past; therefore, we worked on building an open-minded environment as the basis for success. We adapted the Framework for Spread to our needs and focused on communication and knowledge management [26]. We identified meeting structures to facilitate the sharing of information on best practices, reporting, and feedback mechanisms.


With respect to CRM and a patient safety culture to work, health care professionals must be involved. When risks are identified and new improvement initiatives are introduced, employees should be able to see the results fast to ensure that they remain motivated and committed to the initiatives [27]. Therefore, we had three fundamental expectations for achieving a particular involvement:

  1. i.

    It is well known that for learning and reporting systems to function in daily routines, health care workers need an open, fair, and non-punitive environment [9]. By means of the engagement in CRM in past years, the implementation of a learning and reporting system (critical incident reporting system (CIRS)) was scheduled a reasonable amount of time after the introduction of CRM.

  2. ii.

    Publish the so-called safety alerts to inform employees about anonymized errors while still taking reasonable measures into account.

  3. iii.

    Involve employees in supporting safety initiatives originating from local- and nationwide strategies.



Corporate governance

In 2009, to best support CRM, a decision was taken to combine RM and quality management into one department to ensure the optimum use of resources.

The Department of Quality Management was re-organized and renamed the Department of Quality and Risk Management, and two additional trained risk managers were dedicated to it. The first issue, designing a CRM framework, was finalized in September 2009 and externally audited by a third-party body within an EFQM initiative. The CRM framework addressed strategic objectives, including

  1. i.

    establishing a CRM process,

  2. ii.

    educating risk managers,

  3. iii.

    communicating with and continuously updating employees,

  4. iv.

    third-party auditing of the CRM process, and

  5. v.

    implementing a learning and reporting system (CIRS).


We also aimed to build improvement capability from the inside out to ensure the consistent collaboration of employees and leaders. For this reason, expectations regarding CRM were articulated in the existing quality policy. Academic, clinical, and administrative leaders’ expectations were identified and offered a comprehensive, open-minded, and constructive revision. The new quality and risk policy was released with the following objectives:

  1. i.

    to ensure that quality and RM are strategic undertakings,

  2. ii.

    to establish and maintain quality-enhancing infrastructure,

  3. iii.

    to focus on error prevention, and

  4. iv.

    to plan and drive continuous improvement.


Leaders were committed to the CRM process and its implementation in each unit. To best support them in their coming functions, roles and responsibilities of leaders, staff, and the quality and RM committee were clearly defined. A roll-out plan for the entire organization was released (Table 2) and strictly followed. To date, all milestones have been reached, and no deviations are anticipated for the future.

Table 2

Clinical risk management roll-out plan with numbers (n) of educated risk managers




Department of Quality and Risk management



Piloting unit: Division of Nuclear Medicine Radiology



Department of Anesthesiology and Intensive Care Medicine (three divisions)


Department of Obstetrics and Gynecology (two divisions)


Department of Environment and Engineering including Medical Devices Security


Department of Clinical Medical Nutrition Therapy



Clinical Institute of Medical and Chemical Laboratory Diagnostics


Department of Orthopedic Surgery


Department of Neurosurgery


Department of Dermatology and Venereology


Department of Surgery (six divisions)


Department of Ophthalmology


Department of Pediatrics and Adolescent Medicine (five divisions)



Department of Pediatrics and Adolescent Surgery (two divisions)


Department of Neurology with (two divisions)


Department of Therapeutic Radiology and Oncology


Department of Trauma Surgery


Department of Internal Medicine (nine divisions)


Department of Otorhinolaryngology (three divisions)


Department of Radiology (five divisions)


Department of Psychiatry


Department of Blood Group Serology and Transfusion Medicine


Department of Urology


Department of Dentistry and Maxillofacial Surgery (four divisions)




Management board and further non-clinical units


RM training

Financial resources for external RM training as well as human resources to provide central guidance and follow-up throughout the CRM process were allocated. Potential risk managers were identified after individual “kick-off” meetings within each department within the professional groups of physicians, nurses, medical–technical assistants, and administrative staff with patient-related concerns. Professional groups such as documentation secretaries and trainees were not considered for RM training in this project.

All clinical and relevant non-clinical units established risk managers, and the minimum goal of 1.1 % of the overall workforce being trained was exceeded and resulted in a total of 2.0 % of 7828 employees. High-risk areas were allocated a higher number of risk managers. A total of 158 certified risk managers (61 nurses, 61 physicians, 20 medical technical assistants, and 16 administrators) were trained (Table 3). These numbers correspond to 4.5 % of the professional group of physicians, 2.6 % of nurses, 2.7 % of medical technical assistants, and 0.9 % of administrative staff.

Table 3

Risk managers since 2009 with regard to their profession


Risk manager





Number of employees





Educated risk managers



6 (0.4)

6 (0.3)

6 (0.3)


7 (0.5)

3 (0.1)

4 (0.5)

1 (0.1)


11 (0.8)

13 (0.6)

5 (0.7)

5 (0.3)


10 (0.7)

12 (0.5)


22 (1.6)

22 (0.9)

7 (0.9)

3 (0.2)


5 (0.4)

5 (0.2)

4 (0.5)

1 (0.1)

Number or risk managers (%)

61 (4.5)

61 (2.6)

20 (2.7)

16 (0.9)

aExcluding non-clinical scientific professionals, documentation secretaries, trainees, and further staff such as nursery, dining facility, and cleaning service

MTA Medical technical assistants

Risks covered a broad spectrum including clinical, financial, and legal aspects. Risks were assigned a score based on the combination of the likelihood of the risk and the consequences should the risk occur. An overview of measurements of the likelihood and consequences of risk were presented in a risk matrix. Identified risks were centrally documented in an RM software (R2C_risk to chance; Schleupen AG). Currently, 360 risks with more than 2000 measures for improvement have been identified. Among those, 176 risks were centrally scored as strategic and clustered into the so-called top risks (Fig. 2). To counteract top risks, the Department of Quality and Risk Management supported the implementation of well-known safety tools.

Fig. 2

Identified top risks in a bottom-up approach out of 360 individual risk assessments

Still, risk analyses are ongoing, and we expect approximately 500 operational risks by the end of 2014. Due to the huge number of identified potential improvements, operational risks with their follow-up measures were decentralized, whereas strategic risks remain centrally managed.

CRM process

From 2009 to 2011, the CRM process (Table 4), including an information and communication plan, was issued. Prior to its first use, the CRM process was audited by an external expert to attest to its practicability and compliance with national and international standards. Pursuant to the roll-out plan and the strict procedures laid down in the CRM process, 31 organizational units (departments and divisions) passed the external audit. Further organizational units will finalize their external audits throughout 2014. According to the audit plan, the following tasks were assessed:

Table 4

Clinical risk management (CRM) process

CRM process

1.Kick-off meeting in a unit

• Provide general information on the goals of CRM to leaders within the department/division

• Commitment of risk owners to supporting the emphasis of CRM within their units

• Determine the time frame of the implementation in a department/division

• Appoint interested staff for the CRM training

2.Clinical risk managent training

• Training of physicians, nurses, and medical technical assistants, where appropriate, within clinical units

• Train experts within non-clinical units

3.Risk manager

• Identify individual risks together with risk owners and department for quality and risk management

• Analyze risks using standardized approaches and assess risks

• Risk owners and the members of the executive board approve risk analysis

• Manage risks to reduce or eliminate them

• Document risks in the software (R2C_risk to chance®; Schleupen AG) to enable follow-up

4.Engage employees

• Inform all employees of identified risks and opportunities and communicate measures to be taken

• Evaluate effectiveness of implemented measures and re-evaluate the risks

• Communicate improvements

5.Internal and external audit

• Internal audit according to standards and guidelines

• External audit to confirm CRM standards

6.Transfer into daily routine

• Risk owners and risk managers supports operational and strategic safety issues

• If any, risk owners and risk managers analyze critical incident reports or claims

• In regular intervals, risk owners and risk managers keep staff informed

• Regular meetings between risk owners, risk managers, and members of department of quality and risk management to evaluate risk analyses until completion

  1. i.

    commitment of the management,

  2. ii.

    management of resources,

  3. iii.

    implementation of RM into daily routine, and

  4. iv.

    continuous improvement.


The implementation of CRM within a unit was externally audited approximately 1 year after the kick-off meeting. It was not the goal to have every risk reduced or eliminated by that time; instead, the approach was to ensure that

  1. i.

    CRM was known within the organizational unit,

  2. ii.

    participation was recognizable,

  3. iii.

    risks were identified,

  4. iv.

    priorities were set, and

  5. v.

    work on it had begun.



From an organizational point of view, various approaches helped us to disseminate information within the network of risk managers and staff (Table 5). Meeting structures within a particular unit ensured that risk managers and risk owners dealt with their operational and strategic risks. In monthly or bimonthly meetings, risk analyses were discussed and addressed until measures were implemented. Risk treatment plans were recorded in the RM software, and in the event that measures were overdue, the responsible unit received an electronic note. Risk owners and risk managers were also encouraged to regularly inform their employees in meetings about success stories and future tasks.

Table 5

Clinical risk management (CRM) information plan

Hospital-wide information

Type of document

Quality and risk policy


Manual for risk owners


CRM process


Job description for risk managers


Risk assessment (failure mode and effects analysis, scenario analysis, London protocol, route cause analysis, and Ishikawa)


CRM checklist for internal audits


Audit program (overview of internal and external audits)

Intranet-based calendar

Manual for crisis management


Claim management


Waiver of recourse claims


Critical incident reporting system—manual


Electronic newsletter

Intranet-based document

Hospital journal


Patient safety alerts

Intranet-based document

Critical incident reports

Intranet-based document

Quality and risk management forum for risk managers


Quality and risk management committee


Annual open-access “Risk management Conference”


Annual risk management report


Jour fixe Department of Quality and Risk Management with


 Risk owners and risk managers

Monthly or bimonthly

 Legal department




 Executive board and board of directors


To approach organization-wide awareness of CRM initiatives, new communication tools were introduced to manage the sharing of knowledge. These have been as follows:

  1. i.

    an electronic newsletter for quality and RM,

  2. ii.

    the hospital journal covering patient safety success stories, which is sent home to all employees, and

  3. iii.

    in public annual conferences, sharing knowledge with internal and external experts.



The corporate governance facilitated the necessary environment for RM. Leaders, risk managers, and employees supported the implementation of CRM, which due to the size of the university hospital is an evolving work in progress. With regard to the dissemination of safety concerns, CIRS was introduced in a pilot unit in 2012. Transparent procedures with respect to actions and communication of critical reports quickly led to hospital-wide acceptance in 2013. Within a half-year period, more than 60 critical incidents were reported, analyzed, and managed. Furthermore, if an incident report or error showed potential for improvement, patient safety alerts, including measures to be taken, were published as means to spread information within our organization. In the meantime, six patient safety alerts have been distributed to caution employees.


Although CRM is not new within the health care system [25, 26, 27, 28], there remains, however, a lack of knowledge concerning CRM implementation into routine procedures within complex hospital organizations. In health care systems, it has always been the task to avoid errors and have safe procedures in place. In the past 2 decades, a certain amount of progress has been made, and more patient safety initiatives have started around the world [29, 30, 31, 32, 33]. It is obvious that in health care systems, a variety of managerial tools, practices, and traditional methodologies are available to attract patient safety issues. “How to manage risks to patient safety and quality in European health care” was the latest topic in the Hope Exchange Programme 2013. During the evaluation meeting of 20 participating countries, it emerged that many European hospitals have developed multiple patient safety strategies with different RM initiatives [6]. Positive reports are available on safety initiatives such as the World Health Organization surgical safety checklist; however, it is still not self-evident that even tools demonstrating evidence-based benefits will be accepted and used appropriately [34]. Reason for that could be low knowledge in CRM within an organization, which results in weak participation and compliance of employees [28]. Therefore, a systematic approach and common understanding on CRM and patient safety within an organization and their employees are required.

In recent years, RM and quality improvement functions often operated independently [35]; therefore, within our organization, one of the key elements in ensuring that RM topics are addressed in a coordinated manner was combining RM and quality improvement functions into one department. In addition, the alliance between both areas resulted in one common strategy on patient safety within two legal entities. This facilitated a homogeneous university hospital- and university-wide CRM standard with appropriate tools for all units and reduced duplication of effort, thus optimizing the use of available resources.

The CRM process is based on existing quality management elements as well as recently published strategies, standards, and guidelines. However, if one of the key elements for the existence of a successful safety culture, such as personnel’s attitudes or unified thoughts and behaviors within an organization, is missing, CRM might fail in routine [36]. Therefore, engagement of leadership was crucial, as much of the action in patient safety flows from decisions made by leaders of the hospital [37]. The management boards set clear goals for RM throughout corporate governance and emphasized the importance of RM [38]. The non-insurance principle, and with it, the linkage of implemented RM and waiving of compensation, had been a further stimulus to leaders and employees and resulted in concerted efforts on RM implementation. The existence of yearly defined RM objectives assisted the process by ensuring that hospital leaders were accountable for creating and maintaining a culture of safety and quality [35].

To succeed in CRM and to achieve a sustained safety culture, Briner et al. [2] highlighted the most important elements. Among them, a systematic approach to clinical risk, education, and staff participation are needed. We considered these topics from the beginning and concentrated on ensuring the comprehensive involvement of employees. We focused on RM training and identifying system failures using a bottom-up approach [29, 39]. Members of all health professions were trained with a particular focus on well-known RM tools. Through the trainings, risk managers gained an understanding of and competence in supporting patient safety issues. With respect to fostering team spirit, an interdisciplinary RM team where appropriate was implemented into each organizational unit that gained the ability to develop and promote patient safety within their environment. With respect to human resources, the introduction of training and implementation of CRM in a unit followed a specific roll-out plan over a certain period throughout both organizations. This enabled the continuous assistance of risk managers and risk owners during the RM process by the Department of Quality and Risk Management.

Hints were available on the number of risk managers needed to facilitate CRM and patient safety [24]; however, so far, it was not proven in routine. One of our main goals of educating a certain percentage of the workforce was achieved within 5 years. Taking into consideration that risk managers received no incentives for taking part in CRM, the willingness of participation exceeded our expectations and resulted in an even higher percentage of trained workforces. However, in daily routine, we realized that occasionally risk managers were not able to spend appropriate time for the new topic or dropped out. On the contrary, over the years, already trained risk managers changed to our university hospital and were encouraged to support CRM.

Since CRM implementation, risk managers have identified 360 operational risks; however, in scrutinizing them carefully, 10 top risks for the whole organization stood out. Not surprisingly, the overview of top risks demonstrates homogeneity with already known safety issues in the literature [6, 9, 10, 40, 41, 42]. However, one of the greatest values of our tailored CRM process is that risks were identified through a bottom-up approach prospectively and retrospectively [43]. This is essential to an organizational change strategy, as the implementation of top-down change has often failed in the past [2]. Based on the number of identified risks, for the future, there has to be a realistic mix between managing the resulting action plans to minimize re-occurrence in a centralized or decentralized approach according to the categorization of the risk and with respect to available human resources.

As previously stated, effective communication is crucial; thus, following the RM training, the focus was to spread information and knowledge to involve everyone in CRM. Thereby, in recent years, we paid attention to maintaining an open-minded and no-blame culture. This helped us to share and exchange information and knowledge between staff and organizational units as well as to address outside perspectives. In regular micro-system meetings, individual conditions for improvement were discussed between risk managers, employees, and risk owners and were centrally guided. This unified approach ensured that measures already identified somewhere else as well as lessons learned could be shared. In a macro-system approach, numerous communication procedures were introduced to inform employees and the public about patient safety standards, risks, and safety measures already in place. At a strategic level, the commitment of the organization boards in recent years to creating a no-blame system has led to the CIRS being introduced and continues to provide feedback to employees with the aim of improving care delivery.

Finally, taking the council and Austrian recommendations on general patient safety issues into consideration, CRM has already become a central topic within our organization. Within 5 years of commencing this untiring efforts, CRM has become strategic, self-evident, system based, and less crisis orientated, and delivers its greatest value both to the organization and the patients it serves [44]. We believe that to succeed in implementing CRM, it is essential to educate a critical mass of workforce in RM so as to gain support through a bottom-up approach. The risk manager-driven introduction of CRM can provide a practical guidance to support others in the health care system in implementing CRM, and with it, a broad understanding for upcoming patient safety initiatives.


CRM, and with it, patient safety, has become a priority topic within the University Hospital Graz. Our strategy was to facilitate CRM through organizational development and training in a combined top-down and bottom-up approach [10]. With respect to its dimension with 158 trained risk managers operating using a cascade approach within the organization, this CRM approach is unique. Considering all current results together, we are convinced that the tailored CRM process and its use of risk managers have enabled a common understanding of all aspects of patient safety. The active involvement of the management boards, senior managers, and employees within the designed CRM process led us to conclude that CRM is widely accepted. CRM has facilitated awareness, transparency, and involvement in patient safety topics within both organizations. In all, 31 external audits led us to believe that the CRM process, as it has been currently tailored, fits readily into existing hospital routine procedures.

Overall, we strived to create a network and social system where it is natural to talk about risks, errors, and patient safety in general. The progress and experiences we have had so far will support all other units in finalizing their CRM implementation. Nonetheless, it is important to emphasize that in an organization with the tripartite mission of teaching, research, and clinical care, the implementation of CRM in terms of patient safety has to follow a systematic approach with appropriate tools to succeed.

As next steps to keep CRM in place and further enhance patient safety culture, we will follow the outlined goals and focus on the following strategies: (i) continue to encourage people involved in the process, (ii) continue to work on the risk portfolio and proactively identify latent failures before a serious adverse event occurs, and (iii) react to previous incidents to minimize errors in the future [41].


The authors wish to express their gratitude to the entire organization and their employees for supporting CRM and patient safety initiatives. They also would like to thank Hilary Watkins (National Health Service, United Kingdom) for her support during the Hope Exchange Programme and the Hope Agora Meeting in 2013.


There was no funding.

Conflict of interest

The authors have no competing interests.


  1. 1.
    Reason J. Managing the risks of organizational accidents. Aldershot: Ashgate; 1997.Google Scholar
  2. 2.
    Briner M, Kessler O, Pfeiffer Y, et al. Assessing hospitals’ clinical risk management: development of a monitoring instrument. BMC Health Serv Res. 2010;10:337. doi:10.1186/1472-6963-10-337.Google Scholar
  3. 3.
    Ginsburg LR, Tregunno D, Norton PG, et al. Not another safety culture survey: using the Canadian patient safety climate survey (CAN-PSCS) to measure provider perceptions of PSC across health settings. BMJ Qual Saf. 2014;23(2):162–70. doi:10.1136/bmjqs-2013-002220.Google Scholar
  4. 4.
    Kohn LT, Corrigan J, Donaldson MS. To err is human: building a safer health system. Washington, DC: National Academy Press; 1999.Google Scholar
  5. 5.
    Battles JB, Lilford RJ. Organizing patient safety research to identify risk and hazards. Qual Saf Health Care. 2003;12(Suppl. 2):ii2–7.PubMedCentralPubMedGoogle Scholar
  6. 6.
    Report on Hope Agora. Patient safety in practice: how to manage risks to patient safety and quality in European health care. Hope—European Hospital and Healthcare Federation. The Hague. 11–12 June 2013. Accessed 2 Jan. 2014.
  7. 7.
    Young PC, Tomski M. An introduction to risk management. Phys Med Rehabil Clin N Am. 2002;13(2):225–46.PubMedCrossRefGoogle Scholar
  8. 8.
    Miller RH, Bovbjerg RR. Efforts to improve patient safety in large, capitated medical groups: description and conceptual model. J Health Politics Policy Law. 2002;27(3):401–40.CrossRefGoogle Scholar
  9. 9.
    The Council of the European Union. Council Recommendation of 9 June 2009 on patient safety, including the prevention and control of healthcare associated infections. Off J Eur Union. 2009/C 151/01.Google Scholar
  10. 10.
    Federal Ministry for Health. Nationwide patient safety strategy for Austria 2013–2016. Commissioned by the Federal Ministry of Health, Vienna, March 2013.Google Scholar
  11. 11.
    Eisenberg JM. Medical error is an epidemic. A presentation of the National Summit on medical errors and patient safety research. Washington, DC: The Quality Interagency Coordination Task Force (QuIC); September 2001.Google Scholar
  12. 12.
    Charles K, McKee L, McCann S. A quest for patient-safe culture: contextual influences on patient safety performance. J Health Serv Res Policy. 2011;16(Suppl. 1):57–64.PubMedCrossRefGoogle Scholar
  13. 13.
    ONR. Risk management for organizations and systems: terms and basics. ONR 49000. Vienna: Austrian Standards; 2008.Google Scholar
  14. 14.
    ONR. Risk management for organizations and systems: risk management. ONR 49001. Vienna: Austrian Standards; 2008.Google Scholar
  15. 15.
    ONR. Risk management for organizations and systems: part 1—guideline for embedding the risk management in the management system. ONR 49002-1. Vienna: Austrian Standards; 2008.Google Scholar
  16. 16.
    ONR. Risk management for organizations and systems: part 2—guideline for methodologies in risk assessment. ONR 49002-2. Vienna: Austrian Standards; 2008.Google Scholar
  17. 17.
    ONR. Risk management for organizations and systems: part 3—guideline for emergency, crisis and business continuity management. ONR 49002-3. Vienna: Austrian Standards; 2008.Google Scholar
  18. 18.
    ONR. Risk management for organizations and systems: requirements for the qualification of the risk manager. ONR 49003. Vienna: Austrian Standards; 2008.Google Scholar
  19. 19.
    European Committee for Standardization. Risk management: principles and guidelines (ISO 13000:2009). European Committee for Standardization; 2009.Google Scholar
  20. 20.
    Firth-Cozens J. Anxiety as a barrier to risk management. Qual Saf Health Care. 2002;11:115.PubMedCentralPubMedCrossRefGoogle Scholar
  21. 21.
    Vincent C. Risk, safety, and the dark side of quality. BMJ. 1997;314(7097):1775–6.PubMedCentralPubMedCrossRefGoogle Scholar
  22. 22.
    Smith KL, Saavedra R, Raeke JL, et al. The journey to creating a campus-wide culture of professionalism. Acad Med. 2007;82(11):1015–21.PubMedCrossRefGoogle Scholar
  23. 23.
    Fryer-Edwards K, Van Eaton E, Goldstein EA, et al. Overcoming institutional challenges through continuous professionalism improvement: the University of Washington experience. Acad Med. 2007;82(11):1073–8.PubMedCrossRefGoogle Scholar
  24. 24.
    James BC. Perspective on safety: in conversation with…Brent C. James. AHRQ 2014. Accessed 18 Jan. 2014.
  25. 25.
    Hunter New England Health. Risk Management Framework. Hunter New England Health, NSW Health; 2007 Accessed 8 Oct 2014..
  26. 26.
    Massoud MR, Nielsen GA, Nolan K, et al. A framework to spread: from local improvements to system-wide change. IHI Innovation Series white paper. Cambridge: Institute for Healthcare Improvement; 2006. Accessed 8 Oct 2014. .
  27. 27.
    Ministerio de Sanidad y Consumo. Best practice benchmarking: risk management and clinical governance reorganization policies in the hospital setting. Executive summary. Madrid: Ministerio de Sanidad y Consumo; 2008.Google Scholar
  28. 28.
    Adibi H, Khalesi N, Ravaghi H, et al. Development of an effective risk management system in a teaching hospital. J Diabetes Metab Disord. 2012;11:15. doi:10.1186/2251-6581-11-15.PubMedCentralPubMedCrossRefGoogle Scholar
  29. 29.
    Pronovost PJ, Faden RR. Setting priorities for patient safety: ethics accountability, and public engagement. JAMA. 2009;302:890–1.PubMedCrossRefGoogle Scholar
  30. 30.
    Patient safety first: service improvement campaign. Accessed 2 Jan. 2014.
  31. 31.
    High 5s 2013 Update. Accessed 2 Jan. 2014.
  32. 32.
    Joint Action for Patient Safety. PASQ—European Union Network for Patient Safety and Quality Care. Accessed 2 Jan. 2014.
  33. 33.
    Crema M, Verbano C. Guidelines for overcoming hospital managerial challenges: a systematic literature review. Ther Clin Risk Manag. 2013;9:427–41. doi:10.2147/TCRM.S54178.Google Scholar
  34. 34.
    Berger MS, Wachter RM, Greysen SR, et al. Changing our culture to advance patient safety. J Neurosurg. 2013;119(6):1359–69.PubMedCrossRefGoogle Scholar
  35. 35.
    ECRI Institute. Risk management, quality improvement, and patient safety (executive summary). Risk and quality management strategies 4; Healthcare risk control. Vol. 2. ECRI Institute; 2009. pp. 1–15.
  36. 36.
    International Atomic Energy Agency. Basic safety principles for nuclear power plants. Safety series no. 75-INSAG-3. Vienna: International Atomic Energy Agency; 1999.Google Scholar
  37. 37.
    Wachter RM. Patient safety at ten: unmistakable progress, troubling gaps. Health Aff (Millwood). 2010;29(1):165–73. doi:10.1377/hlthaff.2009.0785.Google Scholar
  38. 38.
    Dixon-Woods M, Baker R, Charles K, et al. Culture and behaiviour in the English National Health Services: overview of lessons from a large multimethod study. BMJ Qual Saf. 2014;23(2):106–15. doi:10.1136/bmjqs-2013-001947.Google Scholar
  39. 39.
    Lawton R, McEachan RR, Giles SJ, et al. Development of an evidence-based framework of factors contributing to patient safety incidents in hospital settings: a systemic review. BMJ Qual Saf. 2012;21(5):369–80. doi:10.1136/bmjqs-2011-000443.Google Scholar
  40. 40.
    Helmreich RL. On error management: lessons from aviation. BMJ. 2000;320:781–5.PubMedCentralPubMedCrossRefGoogle Scholar
  41. 41.
    Conley DM, Singer SJ, Edmondson L, et al. Effective surgical safety checklist implementation. J Am Coll Surg. 2011;212(5):873–9.PubMedCrossRefGoogle Scholar
  42. 42.
    Vincent C, Taylor-Adams S, Chapman EJ, et al. How to investigate and analyse clinical incidents: clinical risk unit and association of litigation and risk management protocol. BMJ. 2000;320:777–81.PubMedCentralPubMedCrossRefGoogle Scholar
  43. 43.
    Kessels-Habraken M, Van der Schaaf T, De Jonge J, et al. Integration of prospective and retrospective methods for risk analysis in hospitals. Int J Qual Health Care. 2009;21:427–32.PubMedCrossRefGoogle Scholar
  44. 44.
    Kuhn AM, Youngberg BJ. The need for risk management to evolve to assure a culture of safety. Qual Saf Health Care. 2002;11:158–62.PubMedCentralPubMedCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Wien 2014

Authors and Affiliations

  • Gerald Sendlhofer
    • 1
    • 2
  • Gernot Brunner
    • 3
  • Christa Tax
    • 3
  • Gebhard Falzberger
    • 3
  • Josef Smolle
    • 4
  • Karina Leitgeb
    • 1
  • Brigitte Kober
    • 1
  • Lars Peter Kamolz
    • 2
  1. 1.Department of Quality and Risk ManagementUniversity Hospital GrazGrazAustria
  2. 2.Division of Plastic, Aesthetic and Reconstructive Surgery, Department of SurgeryMedical University of GrazGrazAustria
  3. 3.University Hospital GrazGrazAustria
  4. 4.Institute for Medical Informatics, Statistics and DocumentationMedical University GrazGrazAustria

Personalised recommendations