Enterprise Risk Management in Healthcare

  • James M. Levett
  • James M. Fasone
  • Anngail Levick Smith
  • Stanley S. Labovitz
  • Jennifer Labovitz
  • Susan Mellott
  • Douglas B. Dotan


Enterprise risk management (ERM) may be thought of as a process embedded in an organization and devoted to finding and managing all the types of risk the organization encounters. This chapter provides an overview of risk management principles and of how organizational risk is assessed in a practical manner using risk domains and the Risk Score. Topics in this chapter include the importance of culture and creating a culture of prevention; the risk assessment survey; the role of the chief risk officer and risk manager; disclosure and informed consent; information technology, security, and the Health Insurance Portability and Accountability Act (HIPAA); formal risk reporting and Patient Safety Organizations (PSOs); and patient safety evaluation systems (PSES).


Keywords: Enterprise risk management (ERM); ISO 31000; Risk domain; Patient safety; Failure mode effect analysis (FMEA); Key risk indicator (KRI); Surgical risk; Safety culture; Risk assessment; Disclosure; Risk officer; Risk manager; Patient safety organization (PSO); Patient safety evaluation system (PSES); HIPAA; Business associate; Covered entity; Common formats



Copyright information

© Springer International Publishing Switzerland 2017

Authors and Affiliations

  • James M. Levett (1)
  • James M. Fasone (2)
  • Anngail Levick Smith (3)
  • Stanley S. Labovitz (4)
  • Jennifer Labovitz (5)
  • Susan Mellott (6)
  • Douglas B. Dotan (7)

  1. Department of Surgery, UnityPoint St. Luke’s Hospital, Cedar Rapids, USA
  2. CRG Medical, Houston, USA
  3. Operations, CRG Medical, Houston, USA
  4. Riviera Beach, USA
  5. Boston, USA
  6. Department of Nursing, Texas Woman’s University, Houston, USA
  7. Patient Safety Evaluation IT, CRG Medical, Inc., Houston, USA
