PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 1 of 24

1.0 STATEMENT OF PURPOSE:

1.1 Hamad Medical Corporation (HMC) aims to develop a systematic and comprehensive risk
management process throughout the corporation in order to identify and manage all risks
that may impact on the delivery of the organization’s vision and objectives.

1.2 Risk management is the process of creating and implementing strategies directed at
minimizing the adverse effects of accidental loss of human, physical, and financial assets
through the identification and assessment of potential loss and selection of appropriate
control mechanisms.

1.3 Risk is about uncertainty of outcome. Good risk management awareness and practice at
all levels is a critical success factor for the organization. Risk is found in everything that the
organization does. It impacts upon determining priorities, taking decisions concerning
future strategies, as well as developing and delivering high quality and safe services.

1.4 The Risk Management Program is designed to support the mission and vision of Hamad
Medical Corporation as it pertains to clinical risk and patient safety as well as visitor, third
party, volunteer, and employee safety and potential business, operational, and property
risks.

2.0 DEFINITIONS:

2.1 Control : A control is a mechanism or process that minimizes the risk of the hazard
becoming actual so that it protects people, property or the environment from the identified
hazard

2.2 Corporate / Significant Risk Register – List of all identified serious risks at any HMC
facility with a score of 15+ (please see appendix D for risk scores). These risks are
escalated to CQC (Corporate Quality Council), corporate QPS (Corporate Quality and
patient safety) committee then HMC Executive Management Committee (HMC-EMC) to
obtain the expertise and resources required to mitigate the risk.

2.3 Impact or severity – A strong influence or effect which is (scored on a 1-5 scale)

2.4 Likelihood (how often): A reflection of how likely it is that the adverse consequence
described shall occur (scored on a 1-5 scale).

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 2 of 24

2.5 Residual Risk – The level of risk that reflects the effect of all current controls in operation.

2.6 Risk – The effect of uncertainty on the achievement of HMC’s corporate objectives

2.7 Risk Management – The coordinated clinical and administrative activities designed to
identify and mitigate risks of failure to achieve corporate objectives. These activities
include risk identification; assessment; response and reporting.

2.8 Risk assessment: Activities undertaken in order to identify potential risks and unsafe
conditions inherent in the organization or within targeted systems or processes.

2.9 Adverse event or incident: An undesired outcome or occurrence, not expected within
the normal course of care or treatment, disease process, condition of the patient, or
delivery of services.

2.10 Loss control/loss reduction: The minimization of the severity of losses through methods
such as claims investigation and administration, early identification and management of
events, and minimization of potential loss of reputation.

2.11 Failure mode and effects analysis (FMEA): A proactive method for evaluating a process
to identify where and how it might fail and for assessing the relative impact of different
failures in order to identify the parts of the process that are most in need of improvement.

2.12 Risk analysis: Determination of the causes, potential probability, and potential harm of an
identified risk and alternatives for dealing with the risk. Examples of risk analysis
techniques include failure mode and effects analysis, systems analysis, root-cause
analysis, and tracking and trending of adverse events and near misses, among others.
2.13 Risk avoidance: Avoidance of engaging in practices or of hazards that expose the
organization to liability.

2.14 Risk control: Treatment of risk using methods aimed at eliminating or lowering the
probability of an adverse event (i.e., loss prevention) and eliminating, reducing, or
minimizing harm to individuals and the financial severity of losses when they occur (i.e.,
loss reduction)

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 3 of 24

2.15 Risk financing: Analysis of the cost associated with quantifying risk and funding for it.
It is dealing with providing funds to cover the financial effects or unexpected losses
experienced by the organization.

2.16 Risk identification: The process used to identify situations, policies, or practices that
could result in the risk of patient harm and/or financial loss. Sources of information
include proactive risk assessments, closed claims data, adverse event reports, past
accreditation or licensing surveys, medical records, clinical and risk management
research, walk-through inspections, safety and quality improvement committee reports,
insurance company claim reports, risk analysis methods such as failure mode and
effects analysis and systems analysis, and informal communication with healthcare
providers.

2.17 Risk transfer: Techniques involving the process of shifting the financial burden of
losses to an external party or parties (e.g., insurance, contracts).

3.0 SCOPE AND FUNCTIONS OF THE PROGRAM

3.1 The Hamad Medical Corporation Patient Safety and Risk Management Program
interfaces with many operational departments and services throughout the
organization.

3.2 Risk Management Program Functions

3.2.1 Overseeing the organizational EIRS (Electronic Incidents Reporting System)

for data collection and processing, information analysis, and generation of
statistical trend reports for identification and monitoring of adverse events, and
effectiveness of the risk management program.

3.2.2 Facilitating and ensuring the investigation of all adverse events, near misses,
and potentially unsafe conditions; providing feedback to providers and staff;
and using this data to facilitate systems improvements to reduce the probability
of occurrence of future related events. Root-cause analysis can be used to
identify causes and contributing factors in the occurrence of such events.

3.2.3 Ensuring compliance with data collection and reporting requirements of

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 4 of 24

governmental, regulatory, and accrediting agencies.

3.2.4 Facilitating and ensuring the implementation of patient safety initiatives such
as improved tracking systems for preventive screenings and diagnostic tests,
medication safety systems, and falls prevention programs.

3.2.5 Facilitating and ensuring staff participation in educational programs on patient

safety and risk management, Facilitating a culture of safety in the organization
that embodies an atmosphere of mutual trust in which all staff members can
talk freely about safety problems and potential solutions without fear of
retribution. This ordinarily involves performing safety culture surveys and
assessments.

3.2.6 Proactively advising the organization on strategies to reduce unsafe situations

and improve the overall environmental safety of patients, visitors, staff, and
volunteers.

3.2.7 Reducing the probability of events that may result in losses to the physical
plant and equipment (e.g., biomedical equipment maintenance, fire
prevention).

3.2.8 Preventing and minimizing the risk of liability to the organization, and
protecting the financial, human, and other tangible and intangible assets of the
organization.

3.2.9 Decreasing the likelihood of claims and lawsuits by developing a patient and
family communication and education plan. This includes communicating and
disclosing errors and events that occur in the course of patient care with a plan
to manage any adverse effects or complications.

3.2.10 Decreasing the likelihood of lawsuits through effective claims management,

and investigating and assisting in claim resolution to minimize financial
exposure in coordination with the liability insurer and its representatives.

3.2.11 Implementing risk management programs that fulfill regulatory, legal, and
accreditation requirements.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 5 of 24

3.2.12 Establishing an ongoing patient safety/risk management committee composed

of representatives from key clinical and administrative departments and
services.

3.2.13 Evaluating the effectiveness and performance of risk management and patient
safety actions.

3.2.13.1 Performance monitoring data may include:

3.2.13.1.1 Culture of safety surveys

3.2.13.1.2 Event trending data
3.2.13.1.3 Ongoing risk assessment information
3.2.13.1.4 Patient’s and/or family’s perceptions of how well the
organization meets their needs
and expectations (patient satisfaction Survey).
3.2.13.1.5 Quality performance data
3.2.13.1.6 Research data
3.2.13.1.7 Staff satisfaction Survey.

4.0 OBJECTIVES:

4.1 HMC’S ENDURING STRATEGIC OBJECTIVES:

4.1.1 Clinical Care: To deliver evidence based practice and safest integrated, patient
centered, and multi-disciplinary clinical care system in the region.
4.1.2 Research: To be the leading health research organization in the region.
4.1.3 Education & Development: To have a workforce fully equipped with the right
number of people equipped with the right skills and motivation to deliver world
class healthcare and research
4.1.4 Human Resources: To be the employer of choice for the best clinicians,
biomedical scientists and all other healthcare professionals
4.1.5 Information Systems: To achieve every aspect of work being enabled and
supported by access to relevant, high quality, secure and timely data and
information it requires.
4.1.6 Facilities: To operate state of the art facilities which support the delivery of
clinical excellence.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 6 of 24

4.1.7 Community Engagement: To be recognized and respected as an organization,

which engages with patients and the wider community and responds to their
needs.
4.1.8 Organizational Capabilities: To optimally structure, manage and govern HMC.

4.2 HMC RISK MANAGEMENT OBJECTIVES 2018-19:

The Patient Safety and Risk Management Program goals and objectives are to:

4.2.1 Continuously improve patient safety and minimize and/or prevent the occurrence of
errors, events, and system breakdowns leading to harm to patients, staff, volunteers,
visitors, and others through proactive risk management and patient safety activities.

4.2.2 Minimize adverse effects of errors, events, and system breakdowns when they do
Occur.

4.2.3 Minimize losses to the organization overall by proactively identifying, analyzing,

preventing, and controlling potential clinical, business, and operational risks.

4.2.4 Facilitate compliance with regulatory, legal, and accrediting agency requirements (e.g.,
international Joint Commission JCI).

4.2.5 Protect human and intangible resources (e.g., reputation).

5.0 RESPONSIBILITIES:

The specific responsibilities of personnel and committees in relation to risk are described below:

5.1 Managing Director

5.1.1 Maintains the overall responsibility for the management of risks jeopardizing the
quality of care and services provided by Hamad Medical Corporation.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 7 of 24

5.2 Chiefs

5.2.1 Responsible for disseminating this document across corporate departments and all
hospitals and entities within HMC. The Chief / chairman /or designees have overall
accountability for HMC’s or facility risk management policy/procedure and chairs the
corporate or facility Risk Management Committee.

5.2.2 The Chief Medical Officer, Chief Nurse and Chief Quality Officer have shared
accountability corporately for professional standards of care and for all aspects of
clinical governance including clinical risk management and incident reporting.

5.3 Hospital / Entity Chief Executives

5.3.1 CEOs shall ensure that each hospital has an effective Hospital Risk Management
Committee. The CEO shall chair the committee or determine which senior member
of staff shall be the chair.

5.3.2 The Hospital Risk Management Committee reviews all risks for that hospital scored
8+. In the event of a risk scoring 8+ the committee shall choose the most
appropriate course of action to manage and reduce the risk. The committee shall
assign responsibility to a relevant manager or director for the management of the risk
and the development of mitigation plans.

5.3.3 Implements the necessary processes to comply with Risk Management Program
requirements and, addresses any deficiency where necessary.

5.4 All HMC Staff: All staff are responsible for:

5.4.1 Understanding, accepting and implementing risk management processes.

5.4.2 Reporting incidents, accidents and near misses in accordance with the relevant HMC
policies and procedures.
5.4.3 Report inefficient, ineffective, unnecessary or unworkable controls.
5.4.4 Maintaining awareness of their duty to take reasonable care for their own safety and
for the safety of patients and others.
5.4.5 Cooperate with management in the investigation of incidents.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 8 of 24

5.5 HMC Executive Management Committee

5.5.1 Identifies and supports investment in time and resources required to comply with
the risk management program.
5.5.2 Links the corporate/significant risk profile in a meaningful way to strategic and
operational priority setting, business planning and resource allocation.
5.5.3 Understands and reflects the impact of the external environment and the
expectations of stakeholders.
5.5.4 Seeks assurance from the HMC Risk Management Committee on the management
of significant risks (those scoring 15+).
5.5.5 Maintains overall responsibility for the management of the organisation during a
crisis.

5.6 Hospital / Entity Executive Committees

5.6.1 Responsible for identifying key business risks, scrutinising risk registers and
overseeing the delivery of mitigation plans.

5.6.2 Receive reports and information from designated sub-committees to include Quality
Improvement and Patient Safety Committees, Infection Prevention and Control
Committees better FMS and EMC on potential new risks and the effective reduction
of existing risks.

5.6.3 Establish the necessary mechanisms to escalate risks in accordance with this
policy/procedure, providing assurances to the relevant Chief and corporate
Committee as necessary.

5.7 Corporate Risk Management Department

5.7.1 HMC’s corporate Risk Management Department is responsible for supporting

hospitals and entities to develop their specific risk management program in
alignment with the corporate risk management program.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 9 of 24

5.7.2 Develops specific courses for training, skills and knowledge building in areas of risk
prioritization, mitigation and the strategy to manage Threats, Redundant. Overall
control on RL solution.

5.7.3 Uses the tools of risk management to identify, assess and determine the risk, then
finding solutions to reduce risks, prioritize risks and implement reduction measures

5.8 Legal Affairs Department

5.8.1 The corporate legal affairs department is responsible for the management of all claims
made by patients, patient’s relatives, visitors and staff and for ensuring that there is
effective liaison with the relevant hospital, entity or department and that information is
shared with the corporate Risk Management Department to ensure that actions to
improve patient care are developed from the lessons learned.

6.0 PROCEDURES:

6.1 Culture

6.1.1 HMC has adapted a proactive approach to risk management and the risk management
processes must be integrated into the culture of HMC with an effective program led by
the leaders. It must translate the strategy into tactical and operational objectives,
assigning responsibility throughout HMC and the hospitals with each manager and
employee responsible for the management of risk as part of their job description. It
supports accountability, performance measurement and reward, thus promoting
operational efficiency at all levels.

6.1.2 Effective employee engagement is essential to the achievement of the priorities set out
in this plan. The Code of Leadership describes HMC core values under four themes:

6.1.2.1 Patient first

6.1.2.2 Take responsibility
6.1.2.3 Advance and inspire
6.1.2.4 Integrate and shape

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 10 of 24

6.2 RISK MANAGEMENT PROCESS:

A summary of the HMC risk management process to accompany the following description is
shown in Appendix A.

6.2.1 Step 1: Establish the context

Context is very important in risk identification and management for clinical and non-
clinical risks. Example: ICU (Intensive care unit), O.R (Operation room), E.R
(Emergency room), blood transfusion services, CCU (coronary care unit), medication
management including medication administration are contextually high priority areas,
and hand over of patients, for risk management in relation to patient care.

6.2.2 Step 2: Identify risks

Risk identification is the process whereby the healthcare professional and the healthcare
employees become aware of the risks in the health care services and environment. The risks
identified are entered in the Risk Management Tool (RMT), also sometimes known as the
Risk Register.
Appendix D: HMC standard Risk Registry template.

6.2.2.1 SOURCES OF RISK IDENTIFICATION :

.Discussions with department Chiefs, managers, staff and leadership rounds.

6.2.2.1.1 Patient Tracer Activity (Tracing the journey of a patient from

admission till discharge)
6.2.2.1.2 Retrospective screening of patient records
6.2.2.1.3 Reports of accreditation bodies

6.2.2.1.4 Incident reporting system & Sentinel events

6.2.2.1.5 Healthcare associated infections (HAI) reports

6.2.2.1.6 Executive committee reports

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 11 of 24

6.2.2.1.7 Facility management & safety committee report

6.2.2.1.8 Patient complaints and satisfaction survey results
6.2.2.1.9 Specialized committee reports (such as Morbidity and mortality committee,
medication management and use, Infection control, blood utilization, facility
management and safety committee).
6.2.2.1.10 Hospital patient safety culture survey.

6.2.3 Step 3: Analyze & Evaluate risks

6.2.3.1 Risk analysis:

Is about developing an understanding of the risks identified. It includes the following:

6.2.3.1.1 Level of the risk or Risk score

6.2.3.1.1.1 Underlying causes
6.2.3.1.1.2 Existing control measures

 Risk score calculation

Risk score is calculated by multiplying the likelihood score with the severity of impact
score as below:

Risk score (R) = Likelihood (L) × Severity of impact (S)

Appendix C. showed a summary of the HMC standard Risk

Assessment Scoring Matrix.

6.2.3.2 Severity of impact (S) [5]

Severity of impact indicates the impact of harm to service users, employees,
service provision, environment or the organization. The scoring ranges from 1
(Negligible impact) to 5 Extreme impact or (catastrophic) as depicted in Table
1. One of the ways in which impact grades can be defined is the severity of
the injury.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 12 of 24

6.2.3.1 Likelihood assessment (L) [5]

6.2.3.2.1 Likelihood scoring is based on the expertise, knowledge and actual
experience of the group scoring the likelihood. In assessing likelihood, it
is important to consider the nature of the risk. Risks are assessed on the
probability of future occurrence; how likely is the risk to occur? How
frequently has this occurred?
6.2.3.2.2 It should be noted that in assessing risk, the likelihood of a particular risk
materializing depends upon the effectiveness of existing controls.
Consideration should be given to the number and robustness of existing
controls in place, with evidence available to support this assessment.
Generally the higher the degree of controls in place, the lower the
likelihood.
6.2.3.2.3 The assessment of likelihood of a risk occurring is assigned a number
from 1–5, with 1 indicating that there is a remote possibility of its
occurring and 5 indicating that it is almost certain to occur. as depicted in
Table 2.

6.2.3.2 Evaluate the Risk (Rank the Risk):

The purpose of risk evaluation is to determine the risk magnitude to prioritize the risks
based on risk analysis score and to decide which risks is acceptable and which
requires treatment and the mode of treatment.

6.2.3.4 Accepting the Risk: Accepting a risk does not imply that the risk is insignificant,
Risks in a service may be accepted for a number of reasons:

6.2.3.4.1 The level of the risk is so low that specific treatment is not
appropriate within available resources.
6.2.3.4.2 The risk is such that no treatment option is available.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 13 of 24

6.2.4 Step 4: Treat/Manage Risks: (Also known as Risk reduction, Risk mitigation):

The decisions in risk treatment should be consistent with the defined internal, external
and risk management contexts and taking account of the service objectives and goals.
Risk treatment plan should have:

6.2.4.1 Proposed actions

6.2.4.2 Resource requirements
6.2.4.3 Person/s responsible for action
6.2.4.4 Timeframes (Dates for actions to be completed and date for review.

6.2.4.5 Risks can be mitigated in one of four ways: treat, transfer, terminate or
tolerate. These strategies are described in more detail below.

6.2.4.5.1 Treat - This strategy is most appropriate for risks that

can be reduced or eliminated by prevention or other
control action. It seeks to reduce the risk probability
or its impact by taking early action to reduce the
occurrence of the risk to an acceptable level.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 14 of 24

6.2.4.5.2 Transfer - This strategy is appropriate where another

party can take on some or all of the risk more
economically or more effectively, e.g. sharing risk with
a contractor. Risk transfer seeks to move the
consequence of a risk to a third party together with
ownership of the response. Transferring the risk does
not eliminate it; it gives another party responsibility for
its management. This is the most effective way of
dealing with financial risk exposure and can be by a
contract to another party or by payment of a premium
in the case of insurance.

6.2.4.5.3 Terminate - This strategy is most appropriate for

intolerable risks, but only where it is possible for the
organization to exit. Risk termination or avoidance
centers on changing the project plan to eliminate the
risk or to protect the project objectives from its impact.

6.2.4.5.4 Tolerate -Tolerating risk may occur where it is not

possible to identify any other suitable strategy, where
the risk is unavoidable or as mild or remote as to make
avoidance action disproportionate or unattractive.

6.2.4.5.5 Controlling the Risk: The most effective methods of risk

control are those which redesign the systems and processes
so that the potential for an adverse outcome is reduced.
Other methods of controlling the risk include reducing the
likelihood of the risk and/or reducing the severity of the impact
of the risk.

Reduce the Likelihood of the risk occurring - e.g. by

preventative maintenance, audit & compliance programs,
supervision, policies and procedures, testing, training of staff,
technical controls and quality assurance programs.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 15 of 24

Reduce the Severity of Impact of the risk occurring - through

contingency planning (contingency plan is a back-up plan in
case the identified risk actually takes place), disaster recovery
plans, off-site back-up, emergency procedures, staff training,
etc.

6.2.4.5.6 Avoiding the risk: This is achieved by either deciding not to

proceed with the activity that contains an unacceptable risk,
choosing an alternate more acceptable activity.

6.2.5 Step 5: Monitor & Review:

Once the risk management is in place, monitoring and reviewing of the process/system
which was taken care of, is an integral part of the risk management cycle.

6.2.5.1 Monitoring and Reviewing utilizes the following sources of information:

6.2.5.1.1 Incident reporting

6.2.5.1.2 Clinical Audit indicators
6.2.5.1.3 Patient Tracers
6.2.5.1.4 Safety rounds
6.2.5.1.5 Patient complains
6.2.5.1.6 Satisfaction survey
6.2.5.1.7 Staff complains
6.2.5.1.8 Medical records

5.2.5.2 Residual Risk: Residual risk is the risk that remains after we apply controls. It's not
always feasible to eliminate all the risks. Instead, we take steps to reduce the risk
to an acceptable level. The risk that's left is residual risk.

Residual Risk = Total Risk - Controls

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 16 of 24

5.2.5.3 Challenges of Risk management

Risk management in healthcare is done by organizations which are conscious of
the fact that healthcare interface poses risk. Organizations actively pursuing risk
management are therefore a step higher in the ladder in ensuring safety of
services and striving for quality of care as compared to the organizations that don’t
have. Risk management is advanced and pro-active methodology of tackling
healthcare risks; however it is challenging the following sense:

5.2.5.3.1 Leadership commitment for ensuring risk management.

5.2.5.3.2 Risks are proactively identified and prioritized
5.2.5.3.3 Risks are not ignored
5.2.5.3.4 Pro-active involvement of the risk management team with the
employees and processes
5.2.5.3.5 Expertise availability in the team
5.2.5.3.6 Resources for risk treatment/mitigation adequate
5.2.5.3.7 Change in the process/system is accepted when indicated
5.2.5.3.7 Monitoring and control systems are in place

6.3 Risk Assessment Steps:

6.3.1 Step 1: Identify the hazards (what can go wrong?)

6.3.1.1 To prevent harm it is important to understand not only what is likely to go

wrong but also how and why it may go wrong.
6.3.1.2 Consider the activity within the context of the physical and emotional
environment, and the culture of the organization and the staff who perform the
activity. Take into account things that have gone wrong in the past and near-
miss incidents.
6.3.1.3 The process of risk identification, assessment and control of their own risks
and the subsequent entry into the Risk Register is the responsibility of all HMC
hospitals, entities and corporate departments.
6.3.1.4 Walk around the workplace or clinical area and talk to patients and staff.
6.3.1.5 Map or describe the activity to be assessed.
6.3.1.6 The risk assessment may require a multi-disciplinary team.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 17 of 24

6.3.2 Step 2: Assess the risk, Decide who might be harmed and how
(What can go wrong? who is exposed to the hazard?)

6.3.2.1 People shall make mistakes. It is necessary to anticipate some degree of

human error and try to prevent the error from resulting in harm.

6.3.2.2 Consider the number of patients that might be affected over a stated period of
time. When quoting the number of patients affected you should always state
the length of the assessment period.

6.3.2.3 Remember that the most vulnerable patients are more likely to suffer harm.

6.3.2.4 The purpose of this step is to determine the level of exposure to risk and
improve decision-making. This step assists management in deciding where to
reduce risk and where it can be exploited for the benefit of patients and other
stakeholders.

6.3.2.5 Also it involves the analysis of individual risks to identify the consequences,
likelihood, controls and assurances about those controls being effective. All
departments, units and managers have some delegated risk management
responsibility. They shall receive appropriate training on the risk management
process in order to validate the accuracy of risk assessments; overview the
quality of assessment; ensure that controls are appropriate and proportionate;
and that action plans exist to address gaps in control or gaps in assurance.

6.3.2.6 The HMC standard risk assessment steps are shown at Appendix B. The
template addresses every aspect of the risk and its control, including a detailed
description of the risk, the active controls in place, the current risk rating, any
proposed further controls to be implemented and the target risk rating.

6.3.2.7 All units, departments and directorates shall keep under constant review risks
within their service areas, but shall formally undertake and or review risk
assessments at least annually or more frequently if required.

6.3.3 Step 3: Evaluate the risks (Establish Control Measures)

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 18 of 24

(How bad? how often?) And decide on the precautions

(Is there a need for further action?)

6.3.3.1 Consider both consequence (how bad?) and likelihood (how often?).
Is there a need for additional action? This requires everyone providing
a service to do everything reasonably practicable to protect patients
from harm.

6.3.3.2 Decide on the precautions (controls) that shall most effectively reduce
consequence and/or likelihood.

6.3.3.3 Re-evaluate the risks assuming the precautions (controls) have been
taken.

6.3.3.4 Existing risk responses, including controls and retained residual risk,
shall be logged against each risk to clarify the residual risk to which
HMC is exposed. Residual risk reflects the effect of all current controls
in operation.

6.3.3.5 The reason for establishing controls is to improve resilience. Controls

may be actions that are repeated, either regularly in response to
events, or they may be one-off actions or decisions to do, or not to do
something. A control may: avoid risk; seek risk (take opportunity);
modify risk; transfer risk; or retain risk.

6.3.3.6 It is the responsibility of relevant managers to verify controls and

action plans relating to each risk in areas of their own responsibility
and to ensure the quality of the information entered into the Risk
Register is accurate; that scores are reasonable and that gaps in
control are being addressed.

6.3.4 Step 4: Record/ Report the Risk findings:

6.3.4.1 Record the findings of your assessment and inform those at risk of the controls

6.3.4.2 Proposed action and identify who shall lead on what action.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 19 of 24

6.3.4.3 Record the date of implementation Risk assessments and action planning
should be reviewed and changed when necessary. This is easy only if the
assessment is well recorded and the logic behind the decisions transparent.
An efficient and succinct system of documentation is essential.

6.3.4.4 The HMC standard Risk registry is set out in Appendix D. Risks are scored
by the person undertaking the risk assessment and validated by a relevant
manager depending on the residual risk score. The procedure for escalating
risks is outlined below.

6.3.4.5 The Executive Management Committee receives the minutes of the Corporate
Quality & Patient Safety Committee to inform them of all significant risk
exposures, the nature of controls and action plans. The significant risk profile
shall cover the risk source, a description of the risk, the residual risk score,
main controls and the date of review.

6.3.4.6 The Corporate Quality & Patient Safety Committee/ corporate Risk
Management shall receive detailed reports to inform members of the
distribution of all risk exposures across HMC, details of all significant risk,
material changes to the significant risk profile and progress with action plans.

6.3.4.7 Corporate departments and entity / hospital risk management committees shall
provide summary reports detailing significant risks on their risk registers to
Corporate QIPS, This shall provide an overview of the identification of risks
within these respective areas and services, so that adequate controls can be
confirmed as being in place and actions are being implemented.

6.3.4.8 The facilities Executive Committee must be informed by facility QIPS, CEOs
and Chiefs of any new significant risk arising.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 20 of 24

Risk
Procedure for Escalating Risks
Rating
Low Risk
(Rating The employee should attempt to assess and treat the risk.
≤ 3)
The employee should attempt to assess and treat the risk with the
Moderate
guidance of their line manager. If the risk remains between 4 and 6
Risk
following the assessment there is no need to escalate further. The risk
(Rating
should be entered formally on to the department level Risk Register.
4 - 6)
If the risk cannot be reduced to <8 the risk should be escalated to the
hospital/entity level, Risk Management committee, CRMC, QIPS /
High Risk Corporate Quality Council Committee or equivalent governing
(Rating committee; providing the risk assessment and recommended treatment
8 - 12) plan as supporting evidence. The risk should be entered formally on to
the entity Risk Register.

If the risk cannot be reduced to <15 the risk should be escalated to the
Significant risk Corporate QPS Committee; providing the risk assessment and
Risk recommended treatment plan as supporting evidence. The risk should
(Rating be entered formally on to the corporate Risk Register. The HMC
≥ 15) Executive Management Committee should be notified within 24 hours of
any new risks scoring ≥20.

6.3.4.9 In the event of a significant risk arising outside of the regular rhythm of
meetings of the above, the risk shall be thoroughly assessed, reviewed by the
relevant Assistant Executive Director and/or Executive Director and reported to
the CEO or Chief or their deputies within 24 hours of becoming aware of the
risk. The CEO or Chief, with support from relevant colleagues, shall then
choose the most appropriate course of action to manage the risk. The CEO or
Chief shall assign responsibility to a relevant manager or director for the
management of the risk and the development of mitigation plans. The risk
must be formally reviewed by the risk management committee / QIPS
committee then Executive Management Committee at their next weekly
meeting.

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 21 of 24

6.3.5 Step 5: Review the Risk Assessment on a regular basis

6.3.5.1 Need to show that:

6.3.5.1.1 A thorough check was made to identify all the hazards and treat all
the significant risks;

6.3.5.1.2 The precautions are reasonable and the remaining risk is acceptable

6.3.5.2.3 The solutions are realistic, sustainable and effective. It may be

reasonable to accept some degree of preventable risk, if the benefits
to be gained outweigh the risk

6.3.5.2 Review the risk assessment:

6.3.5.2.1 When you are planning a change;
6.3.5.2.2 Routinely at least on an annual basis;
6.3.5.2.3 When there has been a significant change.

6.3.5.3 The target risk score is the target level of risk which assumes that the specified
risk treatment actions shall be successful by a specified target date.

6.3.5.4 The residual risk score is the risk remaining after the risk treatment action(s)
are in place and have been successful. Depending upon the number of
treatment actions agreed to treat a risk and the length of time to implement the
actions, the end user should judge when it is useful to calculate and, if
necessary, to recalculate the residual risk rating.

6.3.5.5 Following the implementation of controls the sustainability of those controls

must be monitored over a period of at least 3 to 6 months.

6.4 RISK MANAGEMENT TOOL AND METHODS

There are three risk management tools available to HMC staff:

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 22 of 24

6.4.1 Risk Assessment

This has been developed for use in any area of HMC, to assist staff in
documenting a specific risk of a hazard or failure impacting on the
achievement of HMC objectives.

6.4.2 Risk Register

A risk register is used at each corporate department, facility and hospital. This
could be on an electronic platform or in a paper format. HMC uses information
gained from recording and investigating complaints, claims, patient feedback,
risks and incidents to proactively consider how services can be improved. All
assessments made of any risk or failure that could impact upon the
achievement of corporate objectives must be catalogued in the HMC risk
register. The standard HMC Risk Register template is included in Appendix D.

6.4.3 Training and Awareness Raising

All HMC employees have a role in reducing harm to patients, visitors and staff.

6.4.4 HMC is developing Risk Management Awareness program suitable

for all HMC colleagues. Individuals with additional roles relating specifically to
risk management shall need further training to include some or all the
following:

6.4.4.1 Incident reporting and investigation

6.4.4.2 Failure mode event analysis (FMEA) and Proactive Risk
Assessment.
6.4.4.3 Root cause analysis
6.4.4.4 Risk assessment
6.4.4.5 Developing risk registers
6.4.4.7 Use of training program (RM e- learning).
6.4.4.8 Human factors.
6.4.4.9 A just Culture.

6.4.5 Hospitals and entities shall be provided with a high level overview of the
risk management process and shall be provided with support risk
management / corporate QIPS in the development of their management
and governance structures and in the interpretation of risk reports and

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 23 of 24

risk registers.

6.5 MONITORING AND CONTINUOUS IMPROVEMENT

The Quality and Patient Safety Committee or equivalent reviews risk management
activities regularly. The risk manager reports activities and outcomes (e.g., risk and
safety assessment results, event report summaries and trends) regularly to the QPS
committee. This report informs the governing board of efforts made to identify and reduce
risks and the success of these activities and communicates outstanding issues that need
input and/or support for action or resolution. Data reporting may include event trends,
frequency and severity data, credentialing activity, relevant provider and staff education,
and risk management/patient safety activities. In accordance with the organization’s
bylaws, recommendations from the QPS Committee are submitted to facility EMC/CEO.
Performance improvement goals are developed to remain consistent with the stated risk
management and patient safety goals and objectives. Documentation is in the form of
quarterly risk management reports to the administrator/CEO and governing board on risk
management activities and outcomes.

6.6 INTEGRATION WITH BUISINESS AND FINANCIAL PLANNING

6.6.1 In 2011 HMC introduced a revised business planning framework that

requires all departments, hospitals and entities to submit proposals for
service developments and bids for new funding. All business cases are
assessed at corporate level and prioritized for funding. The risk
management program should be used to help inform the determination of
priorities to ensure that resources are directed towards those
developments that address the significant risks facing the organization.

6.6.2 Corporate RM/QPS is responsible to rise the funding of Risk management

concern to EMC.

6.7 CONFIDENTIALITY :

6.7.1 Any and all documents and records that are part of the patient safety and
risk management process shall be privileged and confidential to the extent

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
PROGRAM

ORIGINAL DATE:
TITLE: HMC RISK MANAGEMENT STRATEGIC October 2005
PROGRAM
IDENTIFICATION LAST REVISION DATE:
NUMBER: OP 4072 May 2018
NEXT REVIEW DATE:
HOSPITAL(S) ALL HMC HOSPITALS / ENTITIES May 2019
Sheet No. 24 of 24

provided by HMC and state of Qatar law. Confidentiality protections can

include attorney client privilege, attorney work product, and peer review
protections.

6.8 RELATIONSHIP TO OTHER POLICIES

HMC Policies supporting Risk Management process are:

6.8.1 Management of Untoward Clinical Event OP 4055

6.8.2 Conducting Root Cause Analysis OP 4118
6.8.3 Reporting of Occurrences, Variances and Accidents OP 4070
6.8.4 Design hazard identification and risk assessments SA 1017
6.8.5 Physical environment risk assessment SA 1063
Safety Committee policy SA 1051

6.9 ATTACHMENTS:

6.9.1 Appendix A – HMC Risk Management Process

6.9.2 Appendix B – HMC Standard Risk Assessment Steps
6.9.3 Appendix C – HMC Standard Risk Assessment score Matrix
6.9.4 Appendix D – HMC Standard Risk Register Template

6.10 REFERENCES:

6.10.1 Healthcare risk assessment made easy by NHS.

6.10.2 2017, Sixth Edition, Joint Commission International Accreditation Standards for
Hospitals
6.10.3 2009, Australia/New Zealand AS/NZS ISO 31000 Risk Management Principles and
Guidelines.
6.10.4 ISO Guide 73 ‘Risk management – vocabulary – guidelines for use in standards

Quality Improvement and Patient Safety (QPS) Regulatory, Accreditation Compliance Services (RACS)
Appendixx A

HMC
C STANDA
ARD RISK MANAGEMN
M NT PROCES
SS STEPS::

Cl 4072 Qualityy Improvement and Patient Safety (QPS

S) Regulatory, Accreeditation Compliancce Services (RACS)
APPENDIX B
HMC STANDARD RISK ASSESSMENT STEPS

1. Identify the hazards USING INCIDENTS, COMPLAINTS,CLAIMS, PATIENT FEEDBACK, SAFETY INSPECTIONS, EXERNAL REVIEWS,
(what can go wrong?) PERFORMANCE REVIEWS, PLANNED AND AD HOC ASSEMENT
Identify the risk (what could cause harm or loss which may result in failure to achieve the safest, most effective and compassionate
care for each and every one of our patients).

2. Assess the risk, (Decide HOW SIGNIFICANT IS THE RISK?

who might be harmed and Identify the symptoms of weak controls?
how?) Who might be involved? (determine potential participants or victims)
What could go wrong? (determine potential or actual harm or loss)
When could it happen? (determine the time/s it may occur)
Where could it happen? (determine the location)
How could it happen? (determine the causes of how it may or may not occur))
Estimate the impact, likelihood and total risk score using the 5 by 5 matrix
Quantify where possible the potential for risks to combine with other risks to affect the overall level of risk
Document the assessment using the Risk Assessment Template

3. Evaluate the risks HOW IS THE RISK MANAGED?

(Establish Control Determine the best tactic to control the risk: Treat / Transfer / Terminate / Tolerate
Measures) Produce detailed plan describing the actions required to address gaps in control
Determine a target risk score
Document the risk management approach on the Risk Assessment Template
Enter the risk on the risk register if it is a new risk
Monitor the implementation of controls

4. Record/ Report the Risk KEY OUTPUTS FROM THE RISK REGISTER ARE REPORTED TO RELEVANT STAFF / COMMITTEES DEPENDING ON THE
findings: RISK SCORE
Escalate the risk to the right level

5. Review the Risk KEY OUTPUTS FROM THE RISK MANAGEMENT PROCESS ARE REVIEWED AT THE APPROPRIATE LEVEL AND
Assessment on a regular FREQUENCY
basis

OP 4072 HMC Risk Management Program Regulatory, Accreditation Compliance Services (RACS)
  

Appendix C 

HMC Standard Risk Assessment Scoring Matrix

Table 1 Consequence scores (C) (Severity) and examples of the score descriptors

Consequence score (severity levels) and examples of descriptors

1 2 3 4 5
Domains Negligible Minor Moderate Major Catastrophic
Impact on the safety Minimal injury Minor injury or Moderate injury Major injury leading Incident leading to
of patients, staff or requiring illness, requiring requiring to long-term death
public no/minimal minor intervention professional incapacity/disability
(physical/psychologi intervention or intervention Multiple permanent
cal harm) treatment. Requiring time off Requiring time off injuries or
work for >3 days Requiring time off work for >14 days irreversible health
No time off work work for 4-14 days effects
Increase in length Increase in length of
of hospital stay by Increase in length hospital stay by >15 An event which
1-3 days of hospital stay by days impacts on a large
4-15 days number of patients
Mismanagement of
RIDDOR/agency patient care with
reportable incident long-term effects

An event which
impacts on a small
number of patients

Quality/complaints/a Peripheral element Overall treatment Treatment or Non-compliance Totally

udit of treatment or or service service has with national unacceptable level
service suboptimal suboptimal significantly standards with or quality of
reduced significant risk to treatment/service
Informal Formal complaint effectiveness patients if
complaint/inquiry (stage 1) unresolved Gross failure of
Formal complaint patient safety if
Local resolution (stage 2) complaint Multiple complaints/ findings not acted
independent review on
Single failure to Local resolution
meet internal (with potential to go Low performance Inquest/ombudsman
standards to independent rating inquiry
review)
Minor implications Critical report Gross failure to
for patient safety if Repeated failure to meet national
unresolved meet internal standards
standards
Reduced
performance rating Major patient safety
if unresolved implications if
findings are not
acted on
Human resources/ Short-term low Low staffing level Late delivery of key Uncertain delivery Non-delivery of key
organisational staffing level that that reduces the objective/ service of key objective/service
development/staffing/ temporarily service quality due to lack of staff objective/service due to lack of staff
competence reduces service due to lack of staff
quality (< 1 day) Unsafe staffing Ongoing unsafe
level or Unsafe staffing level staffing levels or
competence (>1 or competence (>5 competence
day) days)
Loss of several key
Low staff morale Loss of key staff staff

Poor staff Very low staff No staff attending

attendance for morale mandatory training
mandatory/key /key training on an
training No staff attending ongoing basis
mandatory/ key
training

OP 4072 HMC Risk Management Program Regulatory, Accreditation Compliance Services (RACS)
Page 1 of 3
  

Appendix C 

Consequence score (severity levels) and examples of descriptors

1 2 3 4 5
Domains Negligible Minor Moderate Major Catastrophic
Statutory duty/ No or minimal Breech of statutory Single breech in Enforcement action Multiple breeches in
inspections impact or breech of legislation statutory duty statutory duty
guidance/ statutory Multiple breeches in
duty Reduced Challenging statutory duty Prosecution
performance rating external
if unresolved recommendations/ Improvement Complete systems
improvement notice notices change required

Low performance Zero performance

rating rating

Critical report Severely critical

report
Adverse publicity/ Rumours Local media Local media National media National media
reputation coverage – coverage – coverage with <3 coverage with >3
Potential for public short-term long-term reduction days service well days service well
concern reduction in public in public confidence below reasonable below reasonable
confidence public expectation public expectation.
MP concerned
Elements of public (questions in the
expectation not House)
being met
Total loss of public
confidence

Business objectives/ Insignificant cost <5 per cent over 5–10 per cent over Non-compliance Incident leading >25
projects increase/ schedule project budget project budget with national 10–25 per cent over
slippage per cent over project budget
Schedule slippage Schedule slippage project budget
Schedule slippage
Schedule slippage
Key objectives not
Key objectives not met
met
Finance including Up to QR 250, 000 QR 250,000 to QR QR 1M to 5M loss QR 5M to QR 25M QR 25M+ loss or
claims loss or loss of 1M loss or loss of or loss of loss or loss of loss of opportunity
opportunity for opportunity for opportunity for opportunity for for income
income income income income
Non-delivery of key
objective/ Loss of
>1 per cent of
Purchasing failing to budget
pay on time
Failure to meet
specification/
slippage

Loss of contract /
payment by results

Service/business Loss/interruption of Loss/interruption Loss/interruption of Loss/interruption of Permanent loss of

interruption >1 hour of >8 hours >1 day >1 week service or facility
Environmental
impact Minimal or no Minor impact on Moderate impact on Major impact on Catastrophic impact
impact on the environment environment environment on environment
environment

OP 4072 HMC Risk Management Program Regulatory, Accreditation Compliance Services (RACS)
Page 2 of 3
  

Appendix C 

Table 2 Likelihood score (L)

Risk Likelihood Scores
1 2 3 4 5
Domains
Rare Unlikely Possible Likely Almost Certain

Frequency This will probably Not expected to Might happen or Will probably Will undoubtedly
never happen/ never happen/reoccur but reoccur / has happen/recur happen/reoccur,
heard of in healthcare it is possible / has occurred at least occasionally / has possibly frequently /
occurred at least once in healthcare occurred at least once occurs at least
once in healthcare or occurs yearly on at HMC or occurs yearly on average at
average in yearly on average in HMC
healthcare healthcare

Controls Very good controls in Good controls in Adequate controls Weak controls in place No effective controls
place place in place in place

Probability <1% <10% <20% ≥20% ≥50%

Table 3 Risk scoring = consequence x likelihood (C x L)

Likelihood
1 2 3 4 5
Almost
Consequence Rare Unlikely Possible Likely
certain
1 Negligible 1 2 3 4 5
2 Minor 2 4 6 8 10
3 Moderate 3 6 9 12 15
4 Major 4 8 12 16 20
5 Catastrophic 5 10 15 20 25

Table 4: Procedure for Escalating Risks

Risk Rating Procedure for Escalating Risks

Low Risk
The employee should attempt to assess and treat the risk.
(Rating ≤ 3)

The employee should attempt to assess and treat the risk with the guidance of
Moderate Risk their line manager. If the risk remains between 4 and 6 following the assessment
(Rating 4 - 6) there is no need to escalate further. The risk should be entered formally on to the
department level Risk Register.

If the risk cannot be reduced to <8 the risk should be escalated to the
hospital/entity level Risk Management Committee or equivalent governing
High Risk
committee; providing the risk assessment and recommended treatment plan as
(Rating 8 - 12)
supporting evidence. The risk should be entered formally on to the entity Risk
Register.

If the risk cannot be reduced to <15 the risk should be escalated to the risk to
HMC Risk Management Committee; providing the risk assessment and
recommended treatment plan as supporting evidence. The risk should be
Significant Risk (Rating ≥ 15)
entered formally on to the corporate Risk Register. The HMC Executive
Management Committee should be notified within 24 hours of any new risks
scoring ≥20.

OP 4072 HMC Risk Management Program Regulatory, Accreditation Compliance Services (RACS)
Page 3 of 3
  
APPENDIX  D 
HMC Standard Risk Register Template / Form 
 
 
Risk 
Area  Risk assessment  Risk mitigation 
Identification 
ID  Domain  Risk  Who  Initial/Actual Risk  Control Measures   Residual Risk  Time Frame   Status  
descriptio might be  Likelihood  Consequence  Risk scoring  Mitigation  Alternativ Responsible  Likelihood  Consequence  Risk Scoring 
n  harmed  L  C  C*L  action  e action   person   L  C  C*L 
1  1‐                          
Corporate 
Risk 
2  2‐Clinical                           
Risk 
3  3‐                          
Operation
al Risk 
4  4‐                          
Financial 
Risk 
5  5‐HR Risk                           

                             

                             

                             

Note: For estimating the likelihood, severity and Risk Value use the risk assessment matrix. 

OP 4072 HMC Risk Management Program Regulatory, Accreditation Compliance Services (RACS)