Risk Management in Executive Levels of Healthcare Organizations: Insights from a Scoping Review (2018)

Abstract

Background

This study attempted to present a framework and appropriate techniques for implementing risk management (RM) in executive levels of healthcare organizations (HCOs) and grasping new future research opportunities in this field.

Methods

A scoping review was conducted of all English language studies, from January 2000 to October 2018 in the main bibliographic databases. Review selection and characterization were performed by two independent reviewers using pretested forms.

Results

Following a keyword search and an assessment of fit for this review, 37 studies were analyzed. Based on the findings and considering the ISO31000 model, a comprehensive yet simple framework of risk management is developed for the executive levels of HCOs. It includes five main phases: establishing the context, risk assessment, risk treatment, monitoring and review, and communication and consultation. A set of tools and techniques were also suggested for use at each phase. Also, the status of risk management in the executive levels of HCOs was determined based on the proposed framework.

Conclusion

The framework can be used as a training tool to guide in effective risk assessment as well as a tool to assess non-clinical risks of healthcare organizations. Managers of healthcare organizations who seek to ensure high quality should use a range of risk management methods and tools in their organizations, based on their need, and not assume that each tool is comprehensive.

Introduction

Given the World Health Report (2000), the significance of healthcare organizations(HCOs) has grown in global health discourse.¹ However, in the last decade, HCOs have faced two contradictions: first, healthcare costs have increased due to population aging, the introduction of advanced technologies, and increased medical errors.^2,3 On the other hand, HCOs have become more complicated due to such factors as efficient customers, biomedical developments, the complexity of services and an increasing number of healthcare users.^2,3 Therefore, demand for healthcare is significantly higher than the human capacity and resources available in healthcare departments.⁴ Corresponding to these limits, three interventional approaches have been developed at various levels of the HCOs: (i) quality management, (ii) risk management, and (iii) patient safety.⁵

In particular, risk management (RM) is a process-oriented method providing a structured framework for identifying, assessing, and reducing risk at appropriate times for HCOs.⁶ RM approach protects healthcare providers against unfavorable incidents.⁷ This way, RM plays a major role in shrinking uncertainties and enhancing rich opportunities for different areas of the health system.⁸ Development of RM helps HCOs and providers to reduce damage due to the probable occurrence of defective processes through identifying error, rooting, and strategy development.⁹ Implementing RM in HCOs improves allocation of health resources,¹⁰ process management, decision-making, reduced organizational losses,¹¹ patient safety,¹¹ continuous quality improvement,² customer satisfaction,² organizational performance,¹² hospital reputation,¹¹ and better community creation.²

A general framework for RM needs to be identified before implementing the risk process. This framework determines the strategy of organization for identifying risk, risk assessment, and risk reduction.¹³ This strategy outlines how the RM process should be implemented in the organization. It determines the resources that are needed, the key roles and responsibilities for that, the ways risk needs to be identified. It shows how the decision-making process looks like while using those strategies.¹³ The available evidence suggests that despite the existence of a large number of RM techniques, a few of them have been employed so far in the HCOs.^14–16

Risk management is one of the emerging areas in management systems; there are several reports that have provided an overview of risk management inHCOs; however, it is difficult to find studies that have systematically synthesized risk management models at the executive levels of healthcare organizations.^17–19 This sector is far behind the rest of the industry in terms of using these techniques. Nowadays, there is a consensus in the healthcare sectors that the knowledge, experience, and expertise of other industries in RM can improve the quality of services provided in the healthcare sectors.³ Therefore, reviewing the selection of RM techniques seems indispensable. These instruments need to be tailored to the complexities of the healthcare system and the causes affecting incidents in this sector.^20,21

The organizational structure of the healthcare system has been classified into executive, administrative and operational, each of which is exposed to some risks.²² This limited study aims to identify those risks that happen in executive levels. The study would not consider those risks that may happen in the operational levels of healthcare organizations and can be considered as a clinical risk. Mention should be made that the executive levels of healthcare organizations are the headquarters and deputies of the HCOs that provides counseling and control over healthcare delivery units.²² Therefore, the aim of this review is to scope published different organizational RM models, identify the strengths and weaknesses of each model, and this way, propose a framework for implementing RM in the executive levels of HCOs.

The applied purpose of this study was to integrate existing research on the various areas of RM cycle (risk identification, risk assessment, & risk management) and ultimately provide a centralized knowledge base for future research in the executive levels of HCOs. It is of note that the executive levels of HCOs are the headquarters and deputies of the HCOs that provides counseling and control over healthcare delivery units.

Methods

The methodological framework of the scope review described below was guided by such methodologies, which have been published elsewhere.^23,24

Scoping Review Question

The first phase was represented by the definition of the scope of the study in compliance with the objectives and the underlying research hypotheses.

Based on preliminary studies, the research questions developed for scoping review are as follows:

• RQ1: How are organizational risks identified and categorized within the executive levels of HCOs?

• RQ2: What is the proposed framework for organizational risk management in the executive levels of HCOs? Also, what is the status of risk management in the executive levels of HCOs based on the proposed framework?

• RQ3: What techniques and tools are available for implementing organizational risk management in the executive levels of HCOs?

Inclusion and Exclusion Criteria

To obtain and include relevant and important documents to concentrate on, a series of inclusion and exclusion criteria should be defined. The selection of the studies was done according to the following inclusion criteria:

(i) Studies on organizational RM and assessment techniques and framework in healthcare organizations or related organizations appropriate for imitation in the healthcare organization; (ii) articles in English; (iii) 2000 to October 2018.

The following studies were excluded: (i) in the format of letters, editorials, news, professional commentaries, and reviews; (ii) without available abstracts or full text or references; (v) Models that cannot be imitated in healthcare organizations; (vi) Published in languages other than English.

Identifying Locating Sources and Relevant Articles

This study was conducted in October 2018 through consulting such databases as Pub Med, ISI, Emerald, Scopus, IEEE, Springer, ProQuest, Cochrane, and Wiley from 2000 to May 2018. The search strategy was the same for all the databases.

The identification of the keywords related to the subjects and the objectives of the study are as follows: initially, keywords were identified by the authors through a brainstorming process. The identified keywords were refined and validated by a team composed of two university academic members and two healthcare managers. The search strategy was formulated using Boolean operators. The formula was searched in the field of title and abstract in online databases. The search strings used are shown in Table 1, a search for each research question was performed. Also, the search was repeated two times with the following search string. In addition, the references were retrieved from the studies included in the first iteration. The keywords of references that matched with the search keywords were chosen.

Table 1.

Search Strings for Research Questions and Studies

Code	Search Strings	Online Databases	Field	Quantity
RQ1	(risk OR failure* OR error* OR event*) AND (source* OR classification* OR identify* OR category* OR epidemiology) AND (organization* OR system* OR administration*) NOT clinical*	PubMed	Title, Mesh, and Abstract	164
		ISI	Title, Topic, and Abstract	495
		Scopus	Title, Abstract, keywords	284
		Emerald	Title, Abstract, keywords	114
		ProQuest	Title, Abstract, keywords	102
		Cochrane	Title, Abstract, keywords	28
		Wiley	Title, Abstract, keywords	49
		Springer	Title, Abstract, keywords	30
		IEEE	Title, Mesh, and Abstract	21
RQ2 And RQ3	(“risk management*” OR “risk assessment*” OR “management risk*” OR “assessment risk” OR “ risk analysis*”) AND (model* OR approach* OR technique* OR method* OR structure* OR tool* OR process* OR framework*) AND (organization* OR system* OR administration*)	PubMed	Title, Mesh and Abstract	387
		ISI	Title, topic, and Abstract	273
		Scopus	Title, Abstract, keywords	838
		Emerald	Title, Abstract, keywords	235
		ProQuest	Title, Abstract, keywords	61
		Cochrane	Title, Abstract, keywords	24
		Wiley	Title, Abstract, keywords	215
		Springer	Title, Abstract, keywords	63
		IEEE	Title, Abstract, keywords	191

Study Selection and Data Abstraction

The two authors (YMT and MF) independently performed level 1 (titles and abstracts) and level 2 (full article texts) screening forms. All screening and extraction were completed in duplicate. Disagreements were discussed between the two reviewers and a third-party reviewer (R R) was contacted if disagreements could not be resolved. After independent reading of the full texts, the content analyzed and selected the articles that answer the respective research questions. Study quality was not assessed during the scoping review as the objective of a scoping review is to identify gaps in the literature and highlight future areas for systematic review.^23,24 The required information extracted based on the research questions and placed in the designed templates.

Results

Three thousand five hundred and seventy-four studies were screened, excluded 761 duplicates, 1556 on title review, 1081 on abstract review and 144 in a full-text review. In total, leaving 37 papers (32 papers first iteration on the database and five studies from hand searching) search for critical appraisal. Table 2 shows the flowchart for the study selection.

Table 2.

Paper Selection Process

	Phase	Number of Imported	Number of Excluded	Exclusion Criteria
Identification	First iteration on data base Question 1: 1287 (36.1%) Question 2, 3: 2287 (63.9%)	3574	–	R0: Disproportionate to the goals and research questions R1: letters, editorials, news, professional commentaries, and reviews R2: No outcome reported R3: Poor study design R4: No abstract or full text available R5: Unclear description R6: Not applicable for healthcare organizations. R7: No systematic approach to error
Screening	Duplicate citations	–	761
	Title screening Reason excluding papers on the basis of titles: R0: 998 (64.1%) R1: 198(12.7%) R6: 286(18.3%) R8:74(4.7%)	2813	1556
	Abstract screening Reason excluding papers on the basis of abstract: R0: 450 (41.6%) R1: 127 (11.7%) R2: 42 (3.9%) R3: 39 (3.6%) R4: 36 (3.3%) R5: 25 (2.3%) R6: 309 (28.6%) R8: 53 (4.9%)	1257	1081
Eligibility	Full-text eligibility (Agreement rate: 85%). Reason excluding papers on the basis of full text: R0: 39(27.4%) R1: 8(5.6%) R2: 10(6.94%) R3: 18(12.5%) R4: 7(4.9%) R5: 6 (4.2%) R6: 27(19%) R7: 29(20.4%)	176	144
Included	Relevant papers found from the search on database Responsiveness rate of studied divided by each research question: Question 1: 10(14.7%) Question 2: 27(39.7%) Question 3: 31(45.6%)	32	-
	Relevant references on references of relevant papers Responsiveness rate of studied divided by each research question: Question 1: 1(20%) Question 2: 3 (30%) Question 3: 5 (50%)	5	-
	Achieving the relevant papers Responsiveness rate of studied divided by each research question: Question 1: 11(14.3%) Question 2: 30(38.9%) Question 3: 36(46.8%)	37	-

Note: Each study may answer several research questions.

Characteristics of Articles Reviewed

Bibliographical information about the 36 articles included in this review can be obtained from Table 3.

Table 3.

Bibliographical Sources of the Studies Included in the Literature Review

Code	First Author	Year of Publication	Research Designs of the Articles Included in the Literature Review				Answering Which Research question
			Article Type*	Data Collection*	Country/Setting of the Studies	Context/Study Population
1	Molavi Taleghani25	2016	4	1,2,3,4,5	Iran	Emergency surgery ward in hospital	2,3
2	Gervais26	2012	3	2,4,5	Ireland	Pharmaceutical manufacturing environment	2,3
3	Bernardini27	2013	3	2	Italy	Complex and mission-critical systems	2,3
4	Cagliano8	2011	3	6	Italy	Pharmacy department in a large hospital	2,3,1
5	Parand28	2017	4	1,4,5	England+ Italy	Medication administration within homecare	1,2,3
6	Sendlhofer29	2015	3	2,6	Austria	Large university hospital	2,3
7	Lopez30	2010	4	2,3	USA	Clinical cell therapy in regenerative medicine	2,3
8	Emblemsvag31	2002	3	6,2	Norway	Manufacturing environment	1,2,3
9	Jaberidoost32	2015	4	1,2,3,5	Iran	Pharmaceutical industry	2,3
10	Wierenga33	2009	3	5,3	Netherlands	Two hospital	2,3
11	Niel-Laine34	2011	2	2,5	France	A central sterile supply department	2,3,1
12	Trucco35	2006	2	1,2,4,3	Italy	Drug therapy management process	2,3
13	Emre Simsekler36	2018	4	1,2,6	England	Gastroenterology Unit in Hospitals	1,3
14	Bonnabry37	2005	4	5	Switzerland	Pediatric parenteral nutrition process	2,3
15	Rezaei38	2018	4	2,5,1,3	IRAN	Surgery ward in hospital	2,3
16	Domanski39	2016	3	1,2,3	Poland	Nonprofit Organizations	1,2,3
17	Ramkumar40	2016	4	2,5,6	India	E-procurement systems	1,2,3
18	Beauchamp-Akatova41	2013	3	2,3,6	Netherlands	Air transport systems	2,3
19	Faiella42	2017	4	2,3,6	Uk	Administration of medication in the home setting	2,3
20	Usman Tariq43	2013	3	6,2	Saudi Arabia	Iodine development industry	1,2,3
21	Famiyeh44	2015	4	3,1,5,4	Ghana	Mining organization	2,3
22	Choo45	2015	4	6,1,3,4,5	USA	Business unit within a large high-tech organization	1,2,3
23	Apostolopoulos 46	2016	4	3,5,6	UK	Various industries	1,2,3
24	Delcea47	2016	1	2,6	Romania	Clinical Emergency County Hospital	1,3
25	Abdi48	2016	4	6,4,3,5	Iran	Intensive care unit	2,3
26	Chu49	2014	4	5,6	Taiwan	E-healthcare architecture and syndrome test	2,3
27	Prijatelj50	2012	3	5,3	Slovenia	Selected clinical departments	2,3
28	Kerckhoffs51	2013	2	1,5	Netherlands	Intensive Care Unit of in hospital	2,3
29	Vahidnia52	2017	2	1,3,6,2,4	Turkey	Small software company in a University	2,3
30	Leung53	2008	3	1,2,3,5	Canada	Public sector research	2,3
31	Zeng54	2013	3	2	USA	Enterprise resource planning (ERP) systems	2,3
32	MC Emre Simsekl55	2015	4	1,2,4	UK	University Hospitals Foundation Trust	1,3
33	M. C. Emre Simsekler36	2018	2	3,1	UK	Health-care Foundation Trust	3
34	Jun56	2010	4	2,6,3,1	UK	Health service	3
35	Card20	2014	1	5,1	USA	Healthcare organization	3
36	Potts57	2014	4	1,5,3,2,4	UK	Community-based anticoagulation clinic	2,3
37	Kessels-Habraken58	2009	4	1,2,4,5	Netherlands	General hospital	2,3

Notes: *Type of study included 1) Empirical quantitative; 2) Empirical qualitative 3) Conceptual/theoretical 4) mixed method. Data collection methods included 1) Survey (questionnaires or checklists); 2) Database, Documents & Records; 3) Interviews; 4) observation; 5) Focus Groups; 6) Ethnographies, Oral History, & Case Studies.

According to Table 3, 11 articles (14.3%) were used to answer the first research question, 30 articles (38.9%) were used to answer questions 2, and finally, 36 articles (46.8%) were used to answer research question 3. (Total papers >36 because each paper may be classified into two or more study types, or may address two or more review questions.) Also, it could be recognized that all but four articles were published in 2009 or later, this is due to the complexity of environment and type of services provided by organizations and, consequently, use of the RM and risk assessment process as a tool for reducing errors and incidents in recent years.

As can be seen in Table 3, based on the setting of the studies, Europe had the most study with (59.5%) of the authors affiliated with European universities and institutions. Asia was the next one with (21.6%) of the studies, followed by America (13.5%), Oceania (2.7%), and Africa with 2.7%. Also, most of the studies examined in developed countries. Thus, at this point, we can already identify a need for more research into risk management in developing countries.

As for design, 2(5.4%) studies were empirical quantitative, 5 (13.5%) empirical qualitative, 12 (32.4%) conceptual/theoretical and 18 (48.7%) mix method.

How are Organizational Risks Identified and Categorized Within Executive Levels of Healthcare Organizations?

Risk identification is usually a necessary condition for later risk management.²⁵ Given dynamic and complex healthcare organizations, different risk sources can trigger hazardous situations, potentially harming the organization.³⁶ It is therefore essential to consider as many risk sources as possible within a classification to help participants familiarize themselves with the given system and potential risk sources.³⁶ Although the study strategy did not focus on risk types of healthcare organizations (see methods), the reviewed studies placed significant emphasis on identifying and discussing a variety of typical risks in similar organizations with healthcare organizations.

According to the results of Simsekler et al, risk identification Framework (RID Framework) used to identify risks of the health organizations.³⁶ The risk identification framework includes a spectrum of inputs (System familiarization), processes (Identification of risks), and outputs (Presentation of the risks) in its structure.³⁶

Results of the studies, a functional framework for identifying and classifying risks in executive levels of HCOs are presented in Table 4.

Table 4.

Identification and Classification of Risks in Executive Levels of Healthcare Organization

Input	Process	Output
Customers and stakeholders demands (patients, providers, suppliers, and buyers)8	All organizational processes (clinical and non-clinical processes, technology processes, etc.)8	Customer perceptions, costs, functions and health status8
Source of risk8	Intra-organizational	Risk8
1- Internal: 1–1 Organization or Operational: Organization structure, process, organization culture8,26,31,45,59 1–2 Physical structure and technological supports: Used by resources to perform their activities and all the tools necessary to support processes within a healthcare delivery system. (information system, information security, Technology selection and implementation related)8,31,34,40,45,60 1–3 Communication/information: As the basis of the relationships among resources and between them and technological supports. (Information exchanges, communicating variations and decisions).8,31,34,40,55,59 1–4 Human or personnel resource34,45,55,59 1–5 Financial: Form of financing, evaluation, return.31,45,59 1–6 Organization conditions or location45,55 1–7 Customer43 1–8 Administrative or task25,55 1–9 Knowledge and skill40 1–10 Material and equipment: displays/integrity/positioning/usability34,55 1–11 Collaboration and team39 2- External: 2–1 Supplying3,60,61 2–2 Financing8,43 2–3 Environment and ecological8 2–4 Regulation and Legal34,45 2–5 Logistics: Manufacturing, disruption and transportation, inventory, storage34,60,61 2–6 Commercial34 2–7 Revenue: demand, toll/tariff, development60,61 2–8 Capacity60 2–9 Social60 2–10 Volunteers39 2–11 Political and government43	A: Expert opinion(focus groups-brainstorming- Delphi technique)26,32,37,40,43,44,46 B: Results of examination of documents, reports and other records of visits29,30,52 C: Observation25	Hazard: what can go wrong? Cause: why/how it could go wrong? Effect: who/what is at risk?
	Extra-organizational
	A: Literature32,40,61 B: Stakeholder analysis43 C: Results of reports of higher organizations30 D: External audit30,43
	Retrospective
	A: Expert opinion26,32,44 B: Interviews30,46,53 C: Risk Breakdown Structure(RBS)8,46 D: Survey results29,32,40,53 E: Critical incident F: Reporting system29 G: Historical and Previous data43,52 H: Quality function deployment(QFD)43 I: Triangle method25 J: Cause and effect analysis (CEA)60 K: Event or fault tree analysis26,54,60 L: Checklists or check sheet60 M: SWOT analysis46 N: PESTEL analysis46 O: Direct observation25
Nature of hazards8,36	Prospective
A: Obvious hazard: Is apparent to the senses B: Concealed hazard: Is not apparent to the senses C: Developing hazard: Cannot be recognized immediately, and develops over time 4: Transient hazard: An intermittent or temporary hazard	A: Level of probability43 B: Failure mode and effect analysis (FMEA)60 C: Imagery60 D: Modeling60 E: Grey systems theory47 F: Hierarchical holographic modeling (HHM)26
Time8,36
A: Past: what has gone wrong the past? B: Present: what could go wrong currently? C: Future: what can go wrong due to change?

According to Table 4, risk sources are classified into two categories (internal and external), and risk identification tools classified into two categories (retrospective-prospective and intra-organizational – inter-organizational).

Which Organization RM Framework and Techniques are Used in Executive Levels of Healthcare Organizations?

A stringent risk management process may enable executive levels of HCOs to cope with the risks presented in the previous section. Once risks have been identified, a number of techniques and actions can be selected to address them.

Various models have been used by organizations to assess and manage risk, the results are which are shown in Table 5. Based on the findings in Table 5, the risk management framework that are applicable to the executive levels of HCOs are classified into basic models and combined models. In addition, risk management models are divided by cost, time, and complexity. The approaches of risk management models are also divided into qualitative or quantitative, systemic or individual, retrospective or retrospective, and holistic or partial.

Table 5.

Characteristics of Organization RM and Risk Analysis Techniques

Model Name	Steps		Characteristics	Output and Information						Attitude to the Risk	Applicable Type of Environment	Cost	Time	Complexity
				Establish the Context	Risk Identification	Risk Analysis	Risk Evaluation	Risk Treatment	Monitoring
1- Risk Analysis Phases
1-1- Base models
Strategic risk analysis approach (SRA)	1 - Define objectives, 2 -Brainstorm risk, and characteristics according to the SWOT axis; 3 - Calculate possibilities and consequence of the risks; 4 - Combine risks with characteristics.31		Weakness: It does not express the relationship between risks and its nature. Strength: It interrelates the organization strategic risks and organizational characteristics.	N	S	Y	Y	N	N	*Qualitative *Systemic *Prospective *Holistic	Particularly risks associated with the mission and objectives of the organization	Low-medium	Low-medium	Low-medium
Preliminary Risk Analysis method (PRA)	1. PRA team; 2. Elaborating hazardous situations mapping and priority; 3. Elaboration of potential risks scenario.34		Strength: An effective tool for identifying high-risk dangers Weakness: Error details are not mentioned	Y	S	Y	Y	Y	Y	*Holistic *Systemic *Prospective *Qualitative	All, especially the early stages of a project	Low-medium	Low-medium	Low-medium
Healthcare Failure Mode and Effect Analysis	1. Selection of a high-risk process; 2. Assembling the team; 3. Graphically describing the processes; 4. Conducting hazard analysis; 5. Actions and outcome measures.25		Weakness: 1. Use qualitative and subjective approaches to calculate error. 2. Interaction between errors is ignored. 3. Effectiveness of measures is not estimated.	Y	Y	Y	Y	S	N	*Systemic *Narrow *Prospective *Qualitative	All, especially for well-defined systems	Medium	Medium	Medium
Criticality analysis (FMECA)	1. Team formation, 2. Process mapping, 3. Risk identification, 4. Determination of error roots, 5. Criticality, 6. Analysis, 7. Determine corrective actions.37		Weakness: 1. Use qualitative and subjective approaches to calculate error. 2. Interaction between errors is ignored. 3. Effectiveness of measures is not estimated.	Y	Y	Y	Y	S	N	*Systemic *Narrow *Prospective *Qualitative	All, especially for well-defined systems	Medium	Medium	Medium
Change Risk Assessment Model (CRAMS)	1. Risk Identification; 2. Risk Assessment; 3. Risk Monitoring & Control CRAM’s Node Hierarchy.46		Weakness: Depend on the expert judgment. Strength: A method for analyzing system changes	Y	S	Y	Y	Y	Y	*Prospective *Qualitative *Systemic *Narrow	All, especially for the analysis of recent changes in systems	Low-medium	Low-medium	Low-medium
Using a GRPN-Based FMEA Model	1. Select a procedure/sub procedure for study; 2. Assemble a team; 3. Make a diagram of the procedure/subprocedure; 4. Identify the failure modes; 5. Use historical data of risk factors 6-Give α and risk weights; 6. Suggest threshold; 7.  Create an FMEA worksheet; 8. Sort the failure modes; 9. Take corrective action.49		Strength: Using quantitative parameters to estimate and prioritize errors Weakness: The effectiveness of measurable is not estimated. 2-Variables values are homogeneous for calculating SOD.	Y	S	Y	Y	Y	N	*Systemic *Narrow *Prospective *Qualitative-quantitative	All, especially for well-defined systems and critical parameters	Medium	Medium	Medium
Bow-Tie Model	1. Selection of hazards; 2. Description of the team formation; 3. Identify hazard; 4-Identify critical event; 5. Identify treat; 6. Identify consequence ;7-Identify barrier; 8. Identify escalation factor; 9. Determining recommendation and implemented.33,48,51		Weaknesses: 1. Uses qualitative and subjective approaches in calculating errors. 2. Team members should have high knowledge of their system details. 3. The effectiveness of measures cannot be estimated.	S	S	Y	Y	Y	N	*Prospective *Qualitative *Systemic *Narrow	All, especially for project in a larger safety improvement plan	medium	medium	medium
1-2 Combined Models
Analytic hierarchy process and simple additive weighting (SAW) methods	1. Risk identification; 2. Risk analysis included 2-1. Scoring hazards; 2-2. Scoring probability; 2. 3Prioritize function; 2-4. Pilot study; 2–5. Risk analysis matrix; 3. Risk evaluation included 3-1. Risk calculation; 3-2. Risk ranking.32		Strength: 1. Use of quantitative approaches to risk estimation	Y	S	Y	Y	N	N	*Qualitative-quantitative *Systemic *Prospective *Holistic	All	Medium	Medium	Medium
Evidence-based methodology	Be used by three methods: A - (HFMEA): 1. Topic definition; 2.  Assemble the team; 3. Graphical process; 4. Failure mode identification; 5. Failure moderating; 6. Identification of critical factor; 7. Cause analysis; 8. Identify actions and outcome measures B - Systematic Human Error Reduction and Prediction Analysis (SHERPA):1-HTA diagram; 2- Human error identification;3Consequence analysis and check of severity scores; 4-Recovery analysis; 5-Remedy analysis C- Systems-Theoretic Accident Model and Processes (STAMP) 1-Control structure; 2-Controls and communication problem examination.28		Strength: Combined model Weakness: uses qualitative and subjective approaches to calculate error	Y	Y	Y	Y	Y	Y	*Prospective *Systemic-humanistic *Qualitative-quantitative *Narrow	All, specially system accidents	Medium-high	High	High
Human Reliability Assessment (HRA) and FMEA	1. Context analysis; 2. Process mapping; 3. Risk identification and assessment; 4. Failure modes and waste analysis; 5. Suggested improvement actions and degree of success of already taken measures.8		Strength: Combined model Weakness: The validity of results depends on the collected data.	Y	Y	Y	N	S	N	*Systemic-humanistic *Prospective *Narrow *Qualitative-quantitative	All	Medium-high	Medium-high	Medium-high
(FMEA/FMECA)	1. Selection of the process to be studied; 2. Establishment of the team; 3. Training; 4. Process modeling flowchart; 5. Identification of potential failure mode; 6. Identification of possible consequences; 7. Identification of possible causes; 8. Estimation S, O, D; 9. Calculation of risk priority; 10. Decision; 11. Approval.30		Strength: Combined model Weakness: 1-Evaluation of external effects is limited.2. Interaction between errors is ignored	S	Y	Y	Y	Y	N	*Systemic *Narrow *Prospective *Qualitative-quantitative	All, especially for well-defined systems and critical parameters	Medium-high	Medium-high	Medium-high
CREA (Clinical Risk and Error Analysis method)	1. Activities Identification; 2. Activities; 3. Identification of error modes based HUMAN HAZOP; 4. Risk Evaluation based risk diagram; 5. Organizational Causes Analysis based VINCENT’S FRAMEWORK.35		Strength: The decision support tool is for process reengineering Weakness: 1. Is based on personal judgment. 2. requires strong documentation	N	Y	Y	Y	N	N	*Holistic (Emphasis on work procedures) *Systemic- humanistic *Prospective *quantitative	All, especially Identify possible deviations and sequential operations or procedures	High	High	High
Multiple models	Be used by three methods: A - FMEA: 1. Identify failure modes; 2. Identify severity, likelihood, and detection;3. Define failure causes B - Hierarchical holographic modeling (HHM): 1. Define the key risk issue; 2. Decompose the risk issue into different, appropriate perspectives; 3. Further decompose the head topics into a hierarchy of subtopics; 4. Crosscheck; 5. Walkthrough each topic and sub-topic to identify risk scenarios for further analysis. C- Technique for human error rate prediction (THERP): 1. Definition; 2. Screening; 3. Qualitative analysis; 4. Representation; 5. Impact assessment; 6. Quantification; 7. Documentation.26		Strength: Combined model Weakness: It analyzes all failures equally, regardless of their importance, and has difficulty dealing with data redundancies,2- expensive,3- time-consuming for complex systems,4-failure modes are considered one-at-a-time, meaning it is unable to detect common cause failures and design failures.	Y	S	Y	Y	S	Y	*Narrow *Systemic-humanistic *Prospective *Qualitative-quantitative	All	High	High	High
integrating FMEA and RCA	1. Initial framework development; 2. Forming FDG group; 3. Selecting a process; 4. Mapping of selected process; 5. Implementation of the FMEA 6. RCA model included 6-1. Determine AE resulted from failures after 3 months of RPN calculation; 6-2. Benchmark ability of improved RPN to prioritize failure mode.38		Strength: Combined model Weakness: 1. Is based on personal judgment.	Y	S	Y	Y	S	Y	*Narrow *Systemic *Qualitative-quantitative *Retrospective- Prospective	All, especially for well-defined systems and critical parameters	Medium-high	Medium-high	Medium-high
Modified ANP and Fuzzy Inference System risk assessment	1. Construction of risk assessment group; 2. Determine risk factors; 3. Measurement of Factor index; 4. Measurement of Ringer-saline (RS) or Ringer-lactate (RL); 5. Fuzzy inference phase; 6. Defused phase; 7. Output phase.40		Strength: 1-Combined model 2. Integration of possible risk factors for more accurate decision making	Y	S	Y	Y	S	N	*Retrospective- Prospective *Systemic *Qualitative-quantitative *Narrow	All	Medium-high	Medium-high	Medium-high
a fuzzy method based tool the risk assessment analysis	1. Risk Factors, Scales and Data; 2. Identify Risk score; 3. Risk evaluation included 3-1. Risk matrix; 3-2. A decision matrix; 3-3. Obtained values as a vector of fuzzy numbers.52		Strength: is suitable for small business organizations with limited resources. 2- Combined model	S	Y	Y	Y	S	N	*Qualitative-quantitative *Prospective *Systemic *Narrow	All, specially at project bid, initiation phases and acceptance decisions	Medium	Medium	Medium
HFMEA and Structured What If Technique (SWIFT)	Be used by two methods: SWIFT method: 1. determine a hierarchical task analysis diagram; 2. a series of questions was asked at each step of the task analysis designed; 3. Identify severity HFMEA: 1. Assembling the team; 2. Graphically describing the processes; 3. Conducting hazard analysis; 4. Actions and outcome measures.57		Strength: 1-Combined model	Y	Y	Y	Y	Y	N	*Narrow *Systemic *Qualitative-quantitative * Prospective	All, especially for well-defined systems	Medium	Medium	Medium
Prospective risk analyses and retrospective incident reporting and analysis	Prospective risk analyses: 1. Assembling the team; 2. constructed flowcharts of the selected processes; 3. identified and assessed possible risks for each process step retrospective incident reporting: 1. define occurrence of reported incidents; 2. report any deviation from normal; 3. analyzed the reported incidents58		Strength: 1. Combined model 2. Integration of possible risk factors for more accurate decision making	Y	Y	Y	Y	S	N	*Narrow *Systemic *Qualitative-quantitative *Retrospective- Prospective	All	Medium	Medium	Medium
2- Risk Management Phases
2-1- Base models
Systemic Risk Management’ (SYRMA)	1. defining and managing event and recording threats and vulnerabilities; 2. tracking identified risks in a risk register; 3. performing risk assessment and risk evaluation; 4. providing the capability of registering statistical or benchmark data; 5. setting risk priorities; 6. defining and tracking risk treatment activities.27		Strength:1-address both managerial and operative staff support requirements.2-Allows users to personalize their view of the system	S	Y	Y	Y	Y	Y	*Qualitative-quantitative *Prospective *Systemic *Holistic	All, especially for healthcare sector and case of complex and mission critical systems	Medium-high	Medium-high	Medium-high
Clinical risk management (CRM)	1. Identify risks; 2. Analysis risks; 3. Assess risks; 4. Manage risks.29		Weakness: is based on subjective and intrinsic judgment	S	S	Y	N	S	Y	*Qualitative *Prospective *Systemic *Holistic	All, specially for healthcare	Medium-high	Medium-high	Medium-high
Strategic Risk Management (SRM)	1. Defining the context; 2. Risk assessment; 3. Making and Communicating the decision and Action; 4. Monitoring and course correcting.39		Weakness: is based on subjective and intrinsic judgment	Y	S	Y	Y	S	Y	*Qualitative *Prospective *Systemic *Holistic	All, specially for project management	Medium-high	Medium-high	Medium-high
System risk evaluation and management	1. Define the objectives and performance measures; 2. Workshop together; 3. Evaluate and priorities consequences for each alternative; 4. Evaluate system consequences and choose the best risk treatment; 5. Implement; 6. Monitor.41		Strength: 1 - Can understand new risks and their consequences. 2. Establish interaction between different stakeholders.	Y	S	Y	Y	Y	Y	*Systemic *Holistic (Emphasis on problem solving variables) *Prospective *Qualitative	All, specially for dynamic and changing organization	Medium-high	Medium-high	Medium-high
ISO 31000	1. Establish the context; 2. Identify risk; 3. Analysis risk; 4. Evaluate risks; 5. Treat risks; 6. Monitor and review; 7. Communication and consult.44		Weakness: is based on subjective and intrinsic judgment	Y	Y	Y	Y	Y	Y	*Qualitative *Prospective *Holistic *Systemic	All	Medium-high	Medium-high	Medium-high
ERM(enterprise risk management)	1. Establish the context; 2. -Identify risks within this context; 3. Assess risks included: 3-1. analyze risks; 3-2. Evaluate risks; 4. Develop risk treatment included 4-1. Risk mitigation; 4-2. Implement mitigation strategies.53		Weakness: The relative risk assessment matrix is used instead of a precise measurement for risk rating.	Y	Y	Y	Y	Y	N	*Qualitative *Prospective *Narrow *Systemic	All	Medium-high	Medium-high	Medium-high
ERP by fault tree analysis	1. Context analysis; 2-Risk identification; 3. Risk analysis; 4. Risk evaluation included 4-1. Enterprise resource planning decomposition and specification; 4-2. Fault tree analysis; 5. Risk Response & Treatment; 6. Risk Review, monitoring & controlling.54		Weakness: 1-We can only check one event at a specific time		Y	Y		Y		*Qualitative-quantitative *Systemic *Prospective *Narrow	All	Medium-high	Medium-high	Medium-high
2-2: Combined models
The combined approach(HFMEA, SHERPA) and (STAMP-STPA)		1. Graphical process included 1-1. Box and arrow diagram; 1–2. HTA Diagram; 1–3. Representation of the control loop; 2. Hazard analysis included 2–1. Failures identification; 2–2. Human error classification; 2–3. Failure scoring; 2–4. Consequence Analysis; 2–5. Check the coherence of severity scores; 2–6. Hazard score calculation; 2–7. Recovery Analysis; 2–8. Selection of the critical failures; 2–9. List of the existing control measures; 3. Cause analysis;4-Identification of prevention measures and controls.42	Weakness: The validity and reliability of the combined model have not been measured. Strength: 1-Combined model	S	Y	Y	Y	S	Y	*Qualitative *Prospective *Systemic-humanistic *Holistic with emphasis on duties	All, specially for health care	Medium-high	High	High
Problem-solving strategy with embedded Six Sigma methodology		1. Trained RM team; 2. The define phase; 3.  Identify, classify and prioritize risk; 4. RCA; 5-Measures process capability; 6. Prioritize, implement, control and monitor.43	Strength: The validity of the model is proven.	Y	S	Y	Y	Y	Y	*Qualitative-quantitative *Systemic *Prospective *Holistic	All	High	High	High
Adaptation of the ISO 31000:2009: Six Sigma DMAIC approach to enterprise RM (ERM)		1. Define phase(Mandate and commitment); 2. Measure phase included identify risk; 3. Analyze phase included risk analysis; 4. Improve phase including risk mitigation; 5.  Control phase including 5-1. The recommended improvement action plan be documented; 5–2. Monitor and review; 6. Communicate and consult.45	Strength: 1. Provides a more accurate decision for the organization. 2. Creates value for the stakeholders of the organization.	Y	Y	Y	Y	Y	Y	*Qualitative-quantitative *Systemic *Prospective *Holistic	All	High	High	High
Error prevention methods: (HFMEA- RCA- Structured Analysis-Dynamic systems development method (DSDM)		1.  Defining a Topic; 2. Assembling a Team; 3. Describing a process; 4.  Analyzing hazards included 4-1. To identify and assess potential vulnerabilities; 4-2. The HFMEA Decision Tree; 4-3. Identified causes of errors; 5. Identifying Actions and Expected Outcomes; 6. Build Iteration; and Implementation; 7. Renovating process.50	Strength: Is an effective way to prevent errors in organizations.	Y	Y	Y	Y	Y	Y	*Qualitative-quantitative *Systemic *Prospective *Holistic	All, special for health care	High	High	High

Notes: In output and information item, the status of risk management in organization was determined based on each of the phases of proposed framework. (Y: Fully performed, S: Somewhat performed, N: Not implemented).

According to the studies’ results, a simple and comprehensive framework for RM in executive levels of HCOs was suggested. The proposed framework of the present study consists of five phases that its main phases are adapted from the ISO13000 framework. The following is a suggested framework and techniques that can be used to implement risk management processes in executive levels of HCOs. Finally, in Table 5 examines the extent to which risk management based on the key phases of the proposed framework is established in healthcare organizations.

1. Establishing the context,

2. Risk assessment (risk identification, risk analysis, and risk evaluation),

3. Risk treatment (strategy determination, designing measures and decision-making, planning, and implementation),

4. Communication and consultation, and

5. Monitoring and reviews.

In the following, RM framework and techniques in executive levels of HCOs for each organization were mentioned.

Establishing the Context (Initiation and Preparations)

The first phase in the risk management process is establishing the context. The context establishment primarily paves the way for the organizational nature of the company such as the project objective and management style or organization culture. In this step, issues such as healthcare organization background, who should conduct the RM process, Identify interested parties, formulate problems, set the objective(s) of RM and Select appropriate methods for RM are reviewed.^43,59

The organizational RM team should be multidisciplinary and comprised of various specializations, in particular, managers, process owner experts, and RM experts (consultants and facilitators).^25,33 Also, the number of team members depends on the complexity of organizational issues.^33,40,43

Risk Assessment

The second phase in the risk management process is risk assessment, which involves measuring or estimating the potential frequency of losses and the potential impact of a risk on the organizations' health care. Subsequently, the risks can be ranked according to its importance for the HCOs. In general, the following three steps (risk identification, risk analysis, and risk evaluation) proposed for risk assessment in executive levels of HCOs:

Risk Identification

Describing the Process and System Definition

According to the results, there were several methods for outlining risky processes that executive levels of HCOs can use depending on their needs: Textual system description,^8,41,53,59 activity breakdown structure (ABS),⁸ radar charts,³⁴ flow charts,^{3,25,28,30,38,45,50,56,62} process diagrams,^{34,38,45,56,58} system diagram,^8,34,62 integration definition (IDEF),³⁵ and hierarchical task analysis Diagram (HTA) or task diagram,^{26,28,35,42,57,62} communication diagram,^56,62 information diagram,^35,56,62,63 organizational diagram,^35,56,62,63 stakeholder diagrams,⁵⁶ swim lane activity diagram,⁵⁶ state transition diagram,⁵⁶ sequence diagram,⁵⁶ and data flow diagram.⁵⁶

In general, process description tools are divided into two categories of descriptive tools and process tools. Radar charts, also called Kiviat diagrams, were built in order to visualize initial and residual risks for each kind process.³⁴ ABS is process-oriented instead of being product-oriented, moreover, this method lacks time dimension.⁸ Also, a task diagram is used for describing the hierarchy of operations and plans, system mapping for how data is transmitted through activities, Information diagrams for describing information hierarchies, organizational diagrams for describing organizational roles hierarchy and Communication diagrams for displaying information flows between individuals and Business processes and IDEF for linking between inputs and outputs in organizational activities and resources, and Sequence diagrams for interacting information between stakeholders.

According to Cagliano et al, the flow chart included the name or code of both process phase and activity at issue, actors performing the activity; inputs (information, materials, preliminary actions, orders, etc.); a detailed description of operations required by the activity; duration and frequency; controls to monitor activity progress; tools necessary to perform both the activity and related controls and outputs (other activities, information, and data).⁸ Moreover, in Parand et al’s study, activities in flow chart classified based on action, retrieval, checking, selection and information, and communication.²⁸ In general, as the describing the process be stronger, the results of the risk assessment can be more effective.

According to Simsekler et al³⁶ and Jun et al.⁵⁶ Studies, specific types of diagrams were selected by stakeholders as more useful than others in identifying different sources of risks within the given system. In general, employees’ perception, the ease of use and usefulness are the main variables for choosing the most optimal system modeling tool.

Risk Identification

After drawing the process flowchart, at this stage, organizational risks or organizational process risks are determined. The applied frameworks for identifying risks in executive levels of HCOs presented in Table 4.

Cause Identification

Based on some risk assessment models, the effective causes and the root causes of the errors are identified at this stage. Based on the Eindhoven model, the classes of causes error classified into two main categories of latent errors (technical and organizational) and active errors (human errors and other factors).²⁵ Furthermore, based on the results of some studies, the causes of errors classified in the Institutional context factors, organizational and management factors, work environment factors, team factors, communication factors, individual (staff) factors, training and education factors, equipment factors, task factors, and patient factors.^35,36 In addition, based on the results of some studies, the Ishikawa cause-effect diagram can be used to determine the sources of errors.^37,45,48

Risk Analysis

At this stage, it is possible to estimate the risk, qualitatively, semi-qualitatively or quantitatively according to the probability of the risk. The following steps considered for risk analysis in executive levels of HCOs.

Risk Estimation (Severity and Consequences and Likelihood Estimation)

At this stage, it is possible to risk estimation according to the probability and severity of risk. There are numerous qualitative, semi-quantitative and quantitative methods that try to estimate individual components of risk for a result to better reflect the reality.

Using verbal descriptors (low, medium, or high),²⁶ risk weights,^{25,34,38,49,59,61} encoding,^{30,40,52,60,61} scoring tables,^{25–27,30,32,37} Bayesian methods,⁴⁶ Monte Carlo method,^46,60 and historical data,⁴⁹ suggested for estimating the severity and probability of risk in executive levels of HCOs.

In quantitative risk estimation methods (Monte Carlo and Bayesian), activities find a probabilistic form and a distribution function is specified for them.^46,60 In qualitative risk estimation methods, risks are prioritized based on their potential impacts on project objectives based on qualitative variables. Qualitative methods of risk estimation can either lead to further analysis in quantitative risk estimation or directly to risk response planning.^30,60

Interview with experts,^32,53 questionnaire design,^32,61 Delphi method or expert,⁶⁰ and focus group,^{38,44,46,49-51,53} identified an applied method for risk estimation in executive levels of HCOs.

Risk Presentation

Present-estimated risks based on risk presentation formats, included a single number index (e.g. 1/100,000),^27,37 use failure space vs success space,⁵⁴ fuzzy numbers scales,^{30,32,40,41,52,61} tables (e.g. sizes or bands of fatalities are 1–10, 11–100, and 101–1000),^30,40 risk matrix,^{25,33,43,52,53,57} graphs or diagrams (e.g. Frequency-Number (F-N) curve),^35,46 and maps (e.g. risk contour plot).⁴⁵

In sensitivity analysis, the management index (Risk Index x Sensitivity) provided further ranking for those risks that have equivalent Risk Indexes. Given its scope, this analysis may not necessarily constitute an integrated step of risk analysis.⁴⁹

Conclusion

Synthesize information about the main risk elements included risks and their causes and contributing causes, frequency or probability, consequences due to risk, and estimated risks.⁴⁹

Risk Evaluation

Risk evaluation is the process of comparing the results of the risk analysis with the risk evaluation criteria defined during the context establishment to determine whether the cyber-risks are acceptable. In this step, the following steps considered for risk evaluation in executive levels of HCOs.

Select Risk Evaluation Criteria

There was a wide range of qualitative and quantitative risk criteria or standards for evaluation of various types of errors in executive levels of HCOs. Selection of risk criteria may also depend on the results of the risk analysis and how risks are estimated.⁶⁰

Compare Estimated Risks Against the Risk Criteria and Prioritize or Rank Risks

This step concerned with making decisions about prioritization and comparison of risks to be managed, based on the outcomes of risk analysis.²⁷

A simple method for risk filtering was a Pareto analysis.^26,30,58,60 Moreover, in some studies, decision tree,^25,28,49,57 priority matrix,^25,30,35 criticality matrix,^34,44 Criticality scale,^34,38,49,60 and risk prioritization grid used to determine acceptable and unacceptable risks.²⁷ Furthermore, simple additive weighting (SAW),³² and hazard totem pole (HTP)⁶⁰ methods can be used as practical and quantitative methods for risk evaluation. SAW was a simple and most applicable multi-attribute decision method which is known as a weighted linear combination or scoring technique.³²

Risk Treatment

This phase involved defining and implementing actions for mitigating the determined risk level and verifying that the residual risk level is acceptable.²⁷

Determine Organization RM Strategies

The four common organization RM strategies options:

1. Avoid: elimination involves elimination of risks at the source.

2. Reduce: The strategy of risk reduction involves reduction, but not a complete elimination, of the frequency of occurrence of undesirable risks and/or the severity of their consequences.^53,60

These comprise two fundamental approaches to risk reduction, which were:

• Prevention

• Mitigation: Reduce the occurrence probability of the risk or the impact of the risk.

  1. SHARE (spread or transfers): sharing the risk to another entity and/or function. Risk sharing is carried out in different ways, including risk sharing by insurance and contract, risk transfer and physical transfer.
  2. Accept: Risk can be retained in cases where it cannot be avoided or transferred.^{25,44,45,53,60}

Moreover, theory of problem-solving by an inventive method,²⁵ Generating Options for Active Risk Control (GO-ARC) Technique⁶⁴ and dynamic systems development method (DSDM)⁵⁰ used to redesign the process and improve strategies.

In the GO-ARC Technique, risk control options are divided into 5 categories (elimination, design controls, administrative controls, detection/situational awareness, and preparedness). The first three consist of the 3-tiered hierarchy of risk controls. The remaining two, detection/situational awareness and preparedness help users consider risk controls to reduce the severity of harm or prevent harm in the midst of an on-going systems breakdown; they are aimed at promoting resilience, as opposed to focusing solely on preventing systems breakdowns in the first place. In general, GO-ARC improves the trend of producing risk control options. Use of the Generating Options for Active Risk Control (GO-ARC) Technique can lead to more robust risk control options.

On the other hand, the DSDM framework is complicated to become a general framework for solving task problems. At DSDM, the primary effort is to provide software that is good enough to meet the needs of the business and that it can progress to the next iteration.⁵⁰

Additionally, the SWOT matrix with four strategy areas, SO (maxi-maxi) and ST (maxi-mini) and WO (mini-maxi) and WT (mini-mini), was used to determine strategies and corrective actions.³¹

RM Measures and Decision-Making

RM strategies and measures were often difficult to compare and evaluate executive levels of HCOs. The best decision is the one that yields the greatest expected value. The interventions prioritized according to two criteria of their ability to reduce the root causes (interventional power) and perception of their implementation based on what is anticipated (reliability of intervention).^26,30

The best performance measures can be selected based on criteria such as safety, profitability, quality, efficiency, effectiveness, time, cost, available resources, performance, environmental conditions, and satisfaction.^{41,42,45,46,59} In one study, AHP/ANP and BOCR (benefits, opportunities, costs, and risks) used to select the best RM strategies.⁴¹

Planning and Implementation

Finally, a plan also defined risk ownership, roles and responsibilities, and time frames to implement mitigation strategies.⁴⁵ Risk governance structure was a useful tool for risk assessment planning. In this method, the roles and responsibilities of each employee determined in the RM plans.^39,40,45 Moreover, using the pilot study method^43,59 and simulation,^41,49 suggested before the implementation in a wide range.

These steps are typically performed as iterative cycles that controlled and triggered by two continuously running activities: risk review and monitoring, communication, and consultation.

Communication and Consultation

Communication and consultation with internal and external stakeholders needed to keep them informed of process outputs and let them provide inputs.²⁷

Risk-related information should be shared based on appropriate access levels in the exchange organization or between decision-makers and other stakeholders. These should address the issues related to risk itself, its causes, its consequences (if there is information about them), and the measures taken to deal with it.

Communication and consulting with project stakeholders can be a key factor in a favorable execution of risk management and in achieving better results. In practice, regular reporting is of important components of communication that helps senior managers identify the risks they are faced with. Summary reports prepared from risks, in fact reflect the status of the responding guidelines and the trend index of risk occurrence.⁵⁹

Work sessions,^29,59 intranet-based calendars,⁵⁹ reports and gatherings,⁵⁹ wiki page,⁴⁵ and PMBOOK software,⁴⁶ are suggested as tools for information exchange in executive levels of HCOs.

Monitoring and Review: (Re-Assessment – a Continuous and Cyclic Process)

Effective risk management requires a reporting and reviewing structure in order to ensure that risks are effectively identified and evaluated and responses and controls are in a timely manner. In this phase, policies and following of standards should be regularly verified and the performance of standards should be reviewed to identify improvement opportunities.²⁷

Various methods such as risk compliance readiness template,⁴⁵ risk project update template,⁴⁵ data management system,⁶⁰ variance analysis,⁴⁶ risk reassessment,⁴⁶ Wiki page as collaborative workspace,⁴⁵ control chart,⁴³ trend analysis,⁴⁶ risk auditing,^39,46 visual process control,⁴³ and communication plan⁴³ recognized to monitor and evaluate the effective and efficient RM cycle in executive levels of HCOs.

By conducting continuous monitoring and reviewing of risk, it is ensured that new risks are being identified and managed, and executive programs are effectively implemented and developed.⁴⁶

Discussion

Given different and dynamic nature of organizations, various frameworks and techniques are used in managing and accessing organization risks. Therefore, recognizing organization RM framework is an important step in RM in executive levels of HCOs. In this study, based on a review of studies, frameworks and tools that can be used to implement organizational risk management in the executive level of HCOs are proposed.

According to the first question of this study, healthcare organizations may be faced with risks that may prevent the mission and achievement of the organization’s objectives, so at the first step of risk management, risk resources should be identified with optimal tools.¹⁷ In the present study, using an innovative approach, a framework for identifying and classifying risks in the executive levels of HCOs was proposed. The proposed framework included three steps of input, process, and output.

Input phases considered a spectrum of inputs to help increase understanding of the system, and awareness of potential organization risks that can occur in complex and changeable healthcare systems.³⁶ Input phases consist of (Risk Sources,^8,36 Nature of Hazards,³⁶ and Time).³⁶ At the process stage, the tools that can be used as intra- or inter-organization and retrospective-prospective in the executive levels of healthcare organizations are determined.⁵⁵ Finally, in the presence of the risk stage (output stage), the identified risks were clearly registered in executive levels of HCOs.⁸

Using this framework is a helpful guide for managers to identify potential error in the executive levels of HCOs. Based on the results of the study by Pott et al⁵⁷ and Similker et al,¹⁷ different approaches should be used to identify risks in organizations, and data from different resources should be integrated to gain a general view into the risks of a system.

We have no standard answer as to which one of the risk identification tools is a more optimal tool. Each tool is used to identify a range of risks, so the best approach to identify all risks is to integrate retrospective and prospective analysis to understand a broader scope of the risks.

Based on the results of the studies, organizational risks,^{8,26,31,45,59} technological supports,^{8,31,34,40,45,60} and information and communication,^{8,31,34,40,55,59} were identified as the most important resources of risk in most studies, so treatment of these risks is of high importance in the executive levels of HCOs.

In today’s world, when being faced with healthcare organization risks, managers have realized the need to develop a risk management framework at the organization level. According to the second and third questions of this study provides a state of the art based on the review of studies and it tried to propose a framework for risk management and techniques applicable to each of the stages of risk management and risk assessment in executive levels of HCOs. The term “framework” has a broader scope than the term “technique.” The risk management framework includes guidelines for analyzing, assessing, and managing risks in healthcare organizations. In contrast, management, and risk assessment techniques considered as analytical tools for analyzing data and risk information.

In general, the risk management framework has required stability, but there is no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on specific conditions and position of the organization. Therefore, Table 5 presents limitations, strengths and weaknesses and factors influencing the selection of each of the models for risk management and risk assessment in executive levels of HCOs. Therefore, the content of this table can help risk analysts, healthcare managers and other stakeholders to make rational decisions about identifying risk management and risk assessment models in executive levels of HCOs.

According to the results of the studies, there was a wide range of well-known and successful tools for single and combined risk assessment and a hierarchy of risk analysis models suggested for executive levels of HCOs.

Hierarchy of risk analysis and risk assessment models divided:

High-level tools: At this level, risk assessment tools cover a wide range of risk scenarios and provide various information for the organization based on risk scenarios. However, such tools should not be used when the details need to be emphasized in risk assessment. Some risk assessment tools employed at this level are All the combined models presented in Table 5 for analysis and risk assessment,^{30,35,38,40,42,43,45,50,52} Six Sigma,^43,45 IRMAS,⁵⁹ CREA (Clinical Risk and Error Analysis).³⁵

Mid-level tools: Implementing risk assessment tools at this level makes it possible to provide the modest information and details for the organization considering risk scenarios. Some risk assessment tools employed at this level are Health failure mode and effect analysis (HFMEA),^25,42,50 HFMEA/FMEA/FMECA,^{8,25,26,28,30,37,38,49} root cause analysis (RCA),^38,43,50 bow-tie model,^48,51 hazard and operability analysis (HAZOP).³⁵

Low-level tools: At this level, risk assessment tools evaluate the limited range of risk scenarios, but with more details for the organization. Some risk assessment tools employed at this level are: Preliminary risk analysis method (PRA),³⁴ fault tree analysis (FTA),⁵⁴ change risk assessment model (CRAMS),⁴⁶ change analysis (CHA),⁴⁶ human reliability assessment (HRA),⁸ Pareto analysis (PA),^26,30 relative ranking/risk indexing (RI),^32,60 5 whys technique,^8,36 hazard checklists (HCl),³⁵ change analysis (CA),²⁸ strategic risk analysis (SRA).³¹

Optimal implementation of the risk management process is nothing but the adoption of the most appropriate techniques and tools available in each phase. However, there is no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on scope of risk analysis, legal requirements, results/information needed data, resources and time available, complexity and size of risk analysis and type of activity or system and concerning issues. As a general rule, the best risk management tool is to overcome the participants’ mental judgment.

Most of the models extracted from the results of the study were somewhat similar and presented the same components. The three main factors that were found in all risk management models included measurement, management, and monitoring. Therefore, based on the results of the studies and the nature of healthcare organizations, the risk management process had one primary phase and four main phases. In the primary phase, the objectives and prerequisites for risk management are set out for execution. The main phases are as follows: Risk assessment (identifying potential risks, determining the likelihood and consequence of the identified risk and determining the level of the risk), risk treatment (how to reduce the impact of unacceptable risks and selecting appropriate responses to them), monitoring and reviewing (effectiveness of measures) and the latest activity of the process of communication and consultation with the stakeholders on the trend have been carried out.

The proposed framework of this study is very similar to the iso13000 framework, with the difference that more details are provided in the framework of the present study. The ISO13000 approach describes the organization’s risk management in a comprehensive, strategic, and holistic way.⁴⁵

Also, the model developed in the present study has several specific features compared with the previous models: 1) In the present research it was tried that the research literature be integrated in the field of risk management and provide a framework that is more comprehensive; 2) According to the search strategy, all risk management frameworks of healthcare organizations and organizations adaptable with healthcare organizations were examined and there was no particular dependence on the specific industry and from this perspective, they have more advantages compared to some frameworks that were established regarding a specific industry; 3) The proposed framework is provided based on the internal and external flows dominant on healthcare organization. Managers of healthcare organizations today need a structured and coherent approach to identify, analyze, and manage risk across a range of intra- and inter-organizational activities; 4) With the establishment of the proposed model in the organization, the basic assumptions dominant on healthcare organizations are examined in specific time periods and, if necessary, continuous improvement in healthcare organizations is done in a dynamic cycle.

Regarding the status of healthcare organizations in establishing each of the main phases of the proposed risk management framework, studies have identified and evaluated the risk, and the treatment phase and risk monitoring were neglected in most studies. However, risk management should be done throughout the life of the organization. New risks need to be identified and managed at every stage of the organization’s life. Also, based on Table 5, most studies were not done at the phase of risk assessment, process mapping, and cause identification. While many system mapping approaches have been widely used in various industries, healthcare organizations have only used a limited number of them to process mapping.⁶² Each process mapping tool has a specific application, and managers and professionals should use the most useful of them to identify sources of risk in healthcare organizations. The most important phase, guiding the risk management process, and determines the main policies in risk management is the phase of planning and setting objectives, which is done incompletely in most studies. Risk managers should pay great attention to risk planning; obviously, if this is not done in a fully transparent manner, the execution of risk management will be subject to some uncertainty.^43,46

Based on the results of Table 5, in most studies (89.6% of studies), risk management attitude was prospective and in few studies, each of prospective and retrospective risk management approaches was emphasized. Whereas, based on the results of the Kessele-Habraken et al study, the integration of prospective and retrospective analysis is important in improving the safety and optimization of organizational processes.⁵⁸

As we proposed, information about incidents and their retrospectively reported frequencies could be used as a reference point in the prospective analyses, which might facilitate frontline staff in the risk assessment. Conversely, prospectively developed failure scenarios could be used as guideline for retrospective.

Further Research Avenues and Limits

In this study, a framework for the execution of risk management in the executive levels of HCOs was proposed. Like any other management framework, successful implementation of the organization RM framework in executive levels of HCOs necessitate organizational commitment, establishing a stimulating culture, accurate planning, stakeholder engagement, strong and effective management, and use of available resources to implement the stages. Based on the results, it can be suggested that studies of risk management are increasing over time; however, there are still new cases that need further investigation and researches, some of which are mentioned below.

1. Studies evaluating the effectiveness of risk management frameworks were very scarce and the effectiveness of risk management models should be examined in the future.

2. The amount of outcome studies was not significant with respect to the investigated period (2000–2018). The outcome of most studies was also partial and lacks the necessary comprehensiveness. In most studies, the identification and assessment of risk were dealt with, and the phases of risk treatment and monitoring was neglected. Future studies, therefore, need to be implemented with a holistic view of the risk management process in healthcare organizations.

3. In most studies, the sample size was very small, and risk management was performed at a micro level in the healthcare organization and organizations adaptable with the terms of healthcare. Therefore, the risk management needs to become dominant in a more comprehensive way and in larger-scales in the healthcare organization.

4. Based on the results, various tools have been identified to achieve the risk management framework at different phases. The variety of the materials collected, together with the limited evidence for each topic, make it difficult to come to general conclusions, so it is necessary to conduct a cost-benefit analysis of risk assessment techniques.

5. In this study, risk sources have been identified theoretically and for staff areas of healthcare organizations and some risks may not have been identified, although maybe a significant threat to the health system. Therefore, we cannot claim that this framework can be extended to other organizations in the health system.

6. The volumes of the most studies of risk management in healthcare organizations are related to risk assessment, so it is recommended that all future phases of risk management in healthcare organizations be established.

7. For some phases of organization risk management, there were only conceptual studies; therefore, a feasibility study is needed to effectively implement various phases of RM in organizations.

8. Development of the organization RM framework for other areas of healthcare, development of advanced technological solutions to facilitate risk assessment, development of tools or criteria for effective and efficient implementation of organization RM frameworks, managers’ perceptions of organization RM frameworks are factors which should be considered for further research.

One limitation of this study was that the number of findings in the systemic review was dependent on the selection of keywords and input/output criteria. Therefore, more models can be extracted for organizational risk management. Also, non-English studies were not included and there may, therefore, be a bias towards inclusion of studies performed in English-speaking countries. In addition, articles were exclusively selected from journals, hence, other parts of literature, such as books, book sections, and gray literature were excluded from the process as journal articles are readily available in journal databases and are usually used as a mean of scientific communication.

Despite these limitations, this study has several strengths. First, all models of risk management and evaluation in healthcare organizations and organizations that could be modeled for the executive levels of the HCOs were examined in this study. Second, this paper contributes to the field of risk management research in healthcare. Third, the tools and techniques for risk assessment and management that are applicable to staff areas of healthcare organizations are mentioned.

Conclusion

Based on the findings and considering the ISO31000 model, a comprehensive yet simple framework for risk management is developed for the executive levels of HCOs. It includes five main phases: establishing the context, risk assessment (risk identification, risk analysis, and risk evaluation), risk treatment (strategy determination, designing corrective actions, planning, and implementation), Monitoring, and review, and communication and consultation.

Tools and techniques were also suggested for use at each phase of the proposed risk management framework. These techniques have been selected to best apply to non-clinical risks in healthcare organizations. Managers of healthcare organizations who seek to ensure high quality should use a range of risk management methods and tools in their organizations, based on their need, and not assume that each tool are comprehensive.

Disclosure

The authors report no conflicts of interest in this work.