Human-Factor-based Risk Management to improve Patient Safety

Managing risks and chances with RiDeM by using HFdFMEA

THESIS

presented to the Faculty of Economics and Management of the University of Geneva by

Barbara Streimelweger

under the co-supervision of Prof. Katarzyna Wac and Prof. Dimitri Konstantas

for the degree of

Doctor of Economics and Management, specialisation in Information Systems

Members of the thesis jury:

Prof. Bernard Morard (University of Geneva, President of the jury), Prof. Katarzyna Wac (thesis co-supervisor, University of Geneva), Prof. Dimitri Konstantas (thesis co-supervisor, University of Geneva), Prof. Giovanna di Marzo Serugendo (University of Geneva), Prof. Dimitris Assimakopoulos (EMLYON Business School), Rainer Herzog (HIMSS Europe GmbH)

Thesis No. 29

Geneva, 28 June 2016

The Faculty of Economics and Management, on the recommendation of the jury, has authorised the printing of this thesis, without thereby expressing any opinion on the propositions stated in it, which are the sole responsibility of their author.

Geneva, 4 July 2016

The Dean

Maria-Pia VICTORIA FESER

Printed from the author's manuscript

List of Content

List of Content

Foreword

Résumé

Abstract

Kurzfassung

Acknowledgements

List of Figures

List of Tables

1 Introduction

1.1 Background

1.1.1 Legal general conditions

1.1.2 What does Risk Management stand for?

1.1.3 Improvement of patient safety

1.2 Motivation and Objectives

1.3 Thesis Organisation

2 Research Proposal

2.1 Purpose

2.2 Problem Statement

2.3 Expected Result

2.4 Summary

3 Research Review

3.1 The Healthcare Industry

3.2 Quality Management

3.2.1 Quality Management in the healthcare sector

3.2.2 Patient Safety

3.3 Risk Management

3.3.1 Areas of Risk Management

3.3.2 Risk Management - Terms and Definitions

3.3.3 Risk - formal notation

3.3.4 Risk Management Process

3.3.5 The changing nature of risks

3.3.6 Understanding risks

3.4 Introduction into Risk Assessment Methods

3.4.1 Risk identification and risk assessment techniques

3.4.2 One of the most established risk assessment methods today - FMEA

3.4.3 FMEA and healthcare

3.5 The „Human Factor” Approach

3.5.1 Human error and categories of human failures

3.5.2 Human Error - Models and Management

3.5.3 Failures happen where humans are - risk and safety in clinical medicine

3.6 Risk indicators in high-risk domains

3.7 The Safety Management approach

3.7.1 Approaches to safety management

3.7.2 Safety-Management-System

4 Human-Factor-based Risk Management RiDeM-H

4.1 RiDeM-H - General basics

4.1.1 Research Questions

4.1.2 The Hypothesis claims

4.2 The RiDeM-H Concept with HFdFMEA

4.2.1 Human factors – How human factors can be identified, categorised and measured?

4.2.1.1 CIRSmedical.de

4.2.1.2 CIRS-health-care.de

4.2.1.3 The contributory Factors - human factors

4.2.1.4 Weighting of human factors

4.2.2 The proposed HFdFMEA model

4.2.3 Risk-Matrix - Rating of occurrence, severity and detection

4.2.4 HFdFMEA in practice

5 Evaluation Setting and Results

5.1 Defining the human factors

5.2 Weighting the human factors

5.3 Evaluation of HFdFMEA model via Regression

5.3.1 The three steps

5.3.2 Three measurements

5.3.3 The six test assumptions

5.3.4 Interpretation of the results

5.4 Monitoring and Supervision of the proposed Model RiDeM-H

5.4.1 RiDeM-H - strategies and tools

5.4.2 COSO II - The components control activities and monitoring

5.4.3 Cybernetic Management Model

6 Discussion

7 Conclusion and Perspective

7.1 Conclusion of the research

7.1.1 RiDeM and HFdFMEA in practice

7.2 Perspectives on further researches

8 Annex A

8.1 Abbreviations

8.2 Parameters

8.3 Glossary

9 Annex B - Bibliography

10 Annex C - Papers, Conference Papers, Articles

Foreword

Biomedical engineering and healthcare have always been fascinating topics to me. In 2004 I was the Project Coordinator of HealthService24, a European project under the e-ten framework. The project was about a mobile patient monitoring system (Konstantas, et al., 2006), (Herzog, et al., 2006), (Streimelweger & Konstantas, 2006). The system was developed with the intention to help people to support them in their daily life, amongst others people with COPD (Chronic Obstructive Pulmonary Disease, e.g. monitoring oxygen saturation), people with heart problems (e.g. monitoring electrocardiogram – ECG) and pregnant women (e.g. monitoring cardiotocography – CTG). This was also the first time working together with Dimitri Konstantas, who was the Scientific Officer of the project, and Katarzyna Wac. Both patient safety and Risk Management were important topics to us in reference to the mobile patient monitoring system. Another important discussion point was the aspect of human factors. For example the monitored data were sent to a healthcare centre. What could happen to a patient, if the operator in a healthcare centre was neither a doctor nor a medical professional? How good would the service or help have been?

Risk Management and Safety as well as the aspect of the human factors have been my motivation drivers to write the thesis Improving Patient Safety through Human-Factor-based Risk Management – Managing risks and chances with RiDeM. The results of the enhanced model named Human-Factor dependent FMEA (HFdFMEA), which is based on the well-known method FMEA (Failure Mode and Effects Analysis), have been published (Streimelweger, Wac, & Seiringer, 2015) and presented. In this work in terms of the proposed model, the results of the analysis and the conclusions are referred to the corresponding points of the publication.

Résumé

Human-factor-based risk management to improve patient safety - Managing risks and chances with RiDeM by using HFdFMEA.

The concept of “patient safety” is essential to guarantee not only personal safety but also transparency for patients and professionals. Treatment workflows in the healthcare sector are becoming more and more complex, while time and money remain limited resources in this field. As a consequence, risk awareness, fault management and quality aspects are gaining in importance.

AMDE (Analyse des modes de défaillance et de leurs effets), known in English by the acronym FMEA (Failure Mode and Effect Analysis), is a well-known method for assessing risks in several industries.

Traditional FMEA uses the Risk Priority Number (RPN) ranking system to identify and evaluate the importance of a risk and to prioritise the necessary actions.

Nevertheless, there are significant shortcomings in obtaining quality estimates of failure rates with the FMEA method, especially when human factors play an important role. The HFdFMEA method (Human Factor dependent FMEA), an advanced FMEA technique that takes the human factor into account, is therefore proposed to remedy these drawbacks.

Abstract

National and international efforts under the initiative patient safety aim for more safety and transparency within healthcare systems for both patients and professionals in healthcare facilities (ANetPAS). Within the healthcare sector processes have become more and more complex, but on the other hand time and money are lacking. As a consequence, risk awareness, fault management and quality aspects in general become more important (Streimelweger, Wac, & Seiringer, 2015).

One of the most established risk assessment methods is Failure Mode and Effects Analysis (FMEA). “FMEA is a widely used reliability analysis and risk assessment tool in various industries. In traditional FMEA, Risk Priority Number (RPN) ranking system is used to evaluate the risk level of failures, to rank failures, and to prioritize actions”, (Vikramjit, Harish, Sarabjeet, & Simranpreet, 2013). Even though this approach is simple, there are some shortcomings in obtaining a quality estimate of the failure ratings with FMEA, especially when human factors play a role, as it is in healthcare. Thus, a new risk assessment method named HFdFMEA (Human Factor dependent FMEA) based on dependency of used parameters and observation of human factors is proposed to deal with these drawbacks. The results of the analysis of a case study are presented to demonstrate that the HFdFMEA does not only increase risk level of failures based on the inclusion of human factors but also gives the possibility to reduce the risk level of failures through means of addressing human factors via trainings, motivation, etc. (Streimelweger, Wac, & Seiringer, 2015). Furthermore, the opportunity of how to improve patient safety as result of the proposed HFdFMEA, used as technique for Human-Factor-based Risk Management (RiDeM) in Healthcare (RiDeM-H), is discussed. In the final outline some conclusions are shown and also further possible investigations and possibilities of the use of HFdFMEA are given.

Keywords: patient safety, Risk Management, Failure Mode and Effects Analysis, FMEA, risk indicators, human factor, human error

Kurzfassung

National and international efforts under the heading “patient safety” pursue the goal of making healthcare systems safer and more transparent for both patients and staff of healthcare facilities (ANetPAS). Processes in healthcare are becoming ever more complex, while on the other hand time and money are lacking. As a consequence, risk awareness, fault management and general aspects of quality are becoming increasingly important and are moving into focus (Streimelweger, Wac, & Seiringer, 2015).

Failure Mode and Effects Analysis (FMEA) is a well-known and widely used method for functional analysis and risk assessment in various industries. In FMEA, the Risk Priority Number (RPN) is used as a rating procedure to evaluate risk levels, to rate failures and to prioritise actions (Vikramjit, Harish, Sarabjeet, & Simranpreet, 2013).

Although this approach is simple, the method has some weaknesses in obtaining the estimated failure ratings. Therefore an extended FMEA, HFdFMEA (Human-Factor-dependent Failure Mode and Effects Analysis), is proposed as a risk assessment method that takes into account the dependency of the parameters as well as the influence of human factors. The extended method is illustrated by means of a case study. Its results show how risks are on the one hand increased by human factors, but on the other hand can also be reduced through appropriate measures. Furthermore, it is discussed that targeted risk management and the use of efficient methods can increase patient safety as a result of Human-Factor-based Risk Management (hereafter RiDeM) in healthcare (hereafter RiDeM-H). The concluding outlook presents some of the conclusions drawn, possible further investigations, and areas where HFdFMEA could be applied (Streimelweger, Wac, & Seiringer, 2015).

Keywords: patient safety, risk management, risk indicators, Failure Mode and Effects Analysis, FMEA, human factor, human error

Acknowledgements

First and foremost, I would like to express my most sincere gratitude to my family. I’d like to thank them for their encouragement, patience and mental support during these amazing years doing my Ph.D. They are part of the main reason of my success and I will never be able to thank them enough.

My most sincere thanks also go to my supervisor Prof. Katarzyna Wac and co-supervisor Prof. Dimitri Konstantas for their scientific discourses, their excellent guidance and support during the thesis. The commitment of both was inspirational.

Besides my supervisors, I would like to thank the rest of my thesis committee: Prof. Bernard Morard, Prof. Giovanna di Marzo Serugendo, Prof. Dimitris Assimakopoulos and Rainer Herzog for their encouragement, time, and insightful comments.

In addition, I’d like to thank especially my colleagues Wolfgang Sturzeis and Wolfgang Seiringer for being inspiring discussion-partners. Their different perspectives as well as their critical view on the aspect of Safety and Risk Management led to interesting discussions.

Finally I’d like to thank Prof. Walter Schwaiger for his interesting discussions, guidance and support during the first phase of my Ph.D. study at the Technical University of Vienna. The strong reference to healthcare was crucial for me to complete my thesis at the University of Geneva under the guidance of Prof. Katarzyna Wac and Prof. Dimitri Konstantas.

Thanks to all.

Barbara Streimelweger

List of Figures

Figure 1: Research Proposal: Purpose – Problem Statement – Expected Result

Figure 2: Costs in healthcare industry; Source: Data tables from U.S. Department of Labor, Bureau of Labor Statistics, 2009 (Langabeer, DelliFraine, & Helton, 2010)

Figure 3: Operating Efficiency, $ per FTE; Source: American Hospital Association Annual Survey Database, 2002-2007 (Langabeer, DelliFraine, & Helton, 2010)

Figure 4: EFQM-Excellent-Model - the Model Criteria (EFQM)

Figure 5: Connection between risk- and Quality Management (Ennker, Pietrowski, & Kleine, 2007)

Figure 6: PDCA-Cycle, own illustration

Figure 7: Risk Management Cycle (own illustration, based on the PDCA-Cycle and ISO 31000)

Figure 8: Risk Management Process including the Risk Assessment (EN 31010, 2010)

Figure 9: The coupling-interactiveness diagram (following (Perrow, 1984)); fig. 1 in (Hollnagel, de Paris, & Antipolis, 2008)

Figure 10: Revised Perrow diagram; fig. 2 in (Hollnagel, de Paris, & Antipolis, 2008)

Figure 11: FMEA - basic theory

Figure 12: HFMEA™ Components and their origins ((DeRosier, Stalhandske, Bagian, & Nudell, 2002), table 1, p. 250)

Figure 13: HFMEA™ Hazard Scoring Matrix ((DeRosier, Stalhandske, Bagian, & Nudell, 2002), appendix 3, p. 267)

Figure 14: Organisation accident model by Reason (Reason J., Understanding adverse events: human factors, 1995)

Figure 15: Stages of development of organisation accident (Reason J., 1995)

Figure 16: Pyramid of safety relevant events in the cycle of an Incident-Reporting-System (source: (Rall, et al., 2006), based on (Dieckmann & Rall, 2004), (Möllemann, Eberlein-Gonska, Doch, & Hübler, 2005), (Rall, Manser, Guggenberger, & Unertl, 2001))

Figure 17: “Swiss Cheese Model” by J. Reason, adapted from (Reason J., 1990)

Figure 18: Framework as proposed by (Vincent, Taylor-Adams, & Stanhope, 1998) for analysing critical incidents, source of table: (Mahajan, 2010)

Figure 19: Overview on the RiDeM-H - Risk-Dependent-Management (RiDeM) for Healthcare

Figure 20: Research questions – from the problems to the benefit

Figure 21: Eight phases to RiDeM-H - Risk-Dependent-Management (RiDeM) for Healthcare

Figure 22: CIRSmedical.de – Where do events take place?

Figure 23: CIRSmedical.de – information about all reported events (note: the allocation is done once per event, however there is no multiple appointment for each event)

Figure 24: CIRSmedical.de – Contributory Factors (Note: more than one category can be assigned to one event; if there are no human factors assigned to one specific event, this is supplemented under “not assigned”)

Figure 25: CIRS-health-care.de – reported events to affected areas of expertise

Figure 26: CIRS-health-care.de – professional categories

Figure 27: CIRS-health-care.de – “Risk Matrix” and risk-categorisation including for effective protection measures

Figure 28: CIRS-health-care.de – contributory factors assigned to each event (Note: more than one category can be assigned to the same event; if there are no human factors assigned to one specific event, this is supplemented under “not assigned”)

Figure 29: HFdFMEA – basic theory

Figure 30: Risk-Matrix for HFdFMEA Model

Figure 31: Encoded Contributory Factors

Figure 32: HFdFMEA – from CIRS-data to the Human Factor based RPN

Figure 33: HFdFMEA in practice - demonstrated on five events

Figure 34: Case study 1 - Normal P-P Plot of Regression Standardized Residual, Approach (A), (B)

Figure 35: Case study 2 - Normal P-P Plot of Regression Standardized Residual, Approach (A), (B)

Figure 36: COSO II cube (source: COSO II, 2004, p. 23)

Figure 37: Control System Design – Control Process Variants (Schwaiger, 2011)

Figure 38: Management Process - Modelling as PDCA diagram

Figure 39: Closed versus Open Loop Management (Schwaiger, 2012)

Figure 40: Cybernetic Business Management System, including Sub-Systems (Schwaiger, 2011)

Figure 41: Generic Cybernetic Management Framework – Double Loop Learning and Supervision (Schwaiger, 2011)

Figure 42: Risk-Dependent-Management (RiDeM) in Healthcare - Stakeholders

Figure 43: Risk-Dependent-Management (RiDeM) in Healthcare – overview

Figure 44: Generic Method – Risk-Dependent-Management (RiDeM)

List of Tables

Table 1: ISO 9000, ISO 9001 - strengths and weakness, based on (Knopp & Knopp, 2010)

Table 2: Eleven quality characteristics of healthcare services with interrelated quality requirements, according to (ÖNORM EN 15224, 2012)

Table 3: QEP - strengths and weakness, according to (Knopp & Knopp, 2010)

Table 4: KTQ - strengths and weakness, based on (Knopp & Knopp, 2010)

Table 5: EFQM - strengths and weakness, based on (Knopp & Knopp, 2010)

Table 6: EPA - strengths and weakness, based on (Knopp & Knopp, 2010)

Table 7: Risk control and recommended strategies, according to (Fischer D., 2009)

Table 8: Risk and Risk Priority Number – used terms according to ÖVE/ÖNORM EN 60812

Table 9: Framework for medicine – hierarchy of factors that may influence clinical practice (Vincent, Taylor-Adams, & Stanhope, 1998)

Table 10: Qualitative guideline – based on (Williams, 1988)

Table 11: Relative Strengths of Error-producing Conditions according to (Williams, 1988)

Table 12: Generic Tasks (extract) according to (Williams, 1988)

Table 13: Avoidable adverse events (Ennker, Pietrowski, & Kleine, 2007)

Table 14: Frequency of avoidable system errors (Ennker, Pietrowski, & Kleine, 2007)

Table 15: CIRSmedical.de – collected data

Table 16: CIRSmedical.de – Areas of Expertise, where events / incidents are reported

Table 17: CIRS-health-care.de – Areas of expertise

Table 18: CIRS-health-care.de – search criteria

Table 19: Framework as proposed by (Vincent, Taylor-Adams, & Stanhope, 1998) for analysing critical incidents (illustration based on (Mahajan, 2010))

Table 20: CIRS-health-care.de vs CIRSmedical.de – contributory factors that derive in human factors

Table 21: CIRS-health-care.de - contributory factors

Table 22: Conventional reliability allocation methods according to (Kim, Yang, & Zuo, 2013)

Table 23: Regression Analysis – summarized results

Table 24: Management Process Modelling – terminology English/German

1 Introduction

1.1 Background

Companies in different industry segments are subject to traditional business risks such as market risks, credit risks, liquidity risks, or other operational risks. These typical risks have evolved with time. Nowadays a number of new risks have emerged due to increasing structural changes and macroeconomic transparency, and also as a consequence of the globalisation and deregulation of the markets (Ennker, Pietrowski, & Kleine, 2007), (Hollnagel, de Paris, & Antipolis, 2008).

This change affects not only industrial companies and banks but also the healthcare sector. They have all become part of a rapidly changing global economy. This increases claims for compensation for damages. In turn this requires effective Risk Management. It is necessary to manage risks, which means to identify, evaluate, describe and minimize risks in order to guarantee the smooth survival of a company or organisation.

1.1.1 Legal general conditions

Legal general conditions are, amongst others, one of several approaches to Risk Management. On the one hand, abidance by laws and regulations is mandatory; on the other hand, there are specific standards and directives that have to be fulfilled too. Two laws are pointed out in the following.

One approach, for example, is the Corporate Sector Supervision and Transparency Act. In Germany the so-called KonTraG¹ was released on 01.05.1998. Based on this law Germany amended §91 (2) AktG², whereby the board of directors of a publicly listed stock company has to take adequate action and has to implement an early-warning system to guarantee the survival of the company. That also addresses the board of directors of any hospital operator. To fulfil this due diligence, the implementation of Risk Management is mandatory. Other countries have a similar law, e.g. in Austria the Incoherency and Transparency Act was released on 24.06.1983³.

Another approach is the malpractice liability law. If a person sustains damage, he/she has a claim to compensation. In a hospital, but also in any other healthcare facility or clinic, doctors and nurses are exposed to the risk that in the case of a fault, e.g. error in treatment, error in diagnostic, error in therapy or faulty organisation, the injured person could take the responsible doctor to court and claim compensation (Ennker, Pietrowski, & Kleine, 2007).

This fact points out the importance of Risk Management to increase patient safety.

¹ KonTraG (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich): Corporate Sector Supervision and Transparency Act, Germany, 27.04.1998 BGBl. I 786; Austria: 24.06.1983, BGBl. Nr. 330/1983

² AktG (Aktiengesetz): Companies Act

³ Unvereinbarkeits- und Transparenz-Gesetz: Incoherency and Transparency Act, Austria, 24.06.1983, BGBl. Nr. 330/1983, last modified in BGBl. I Nr. 59/2012

1.1.2 What does Risk Management stand for?

Risk Management means the professional handling of risks with the intent of identification and avoidance of risks. “It is a methodology that allows failures, their origin and possible consequences to be identified, analysed and avoided in systemic forms”, (Ennker, Pietrowski, & Kleine, 2007).

Professional Risk Management starts before failures happen that would have caused any damage. In practice this doesn’t mean the absolute absence of failures but excellence in handling failures and the consequential risks and damages.

Risk identification and Risk assessment techniques

A number of different risk identification and risk assessment techniques are available to help identify and rate failures.

In this thesis an advanced Failure Mode and Effects Analysis (FMEA) is proposed.

1.1.3 Improvement of patient safety

As a consequence of professional Risk Management, safety within a company or organisation can be improved enormously. For healthcare it means the improvement of patient safety.

The publication “To Err is Human – Building a Safer Health System” was published by the U.S. Institute of Medicine (IOM)⁴ in 1999. It was the first time topics such as patient safety and quality in the healthcare sector were highlighted (ANetPAS), (Paula, 2007). “It is now more important than ever for the medical community to objectively evaluate the progress in efforts to promote patient safety”, (Stelfox, Palmisani, Scurlock, Orav, & Bates, 2014). The committee arrived at the conclusion that adverse events occurred in 2.9 percent (Colorado & Utah) to 3.7 percent (New York) of all patients (Institute of Medicine, 1999). An adverse event is damage caused by the medical treatment and not by the disease itself (Paula, 2007).

⁴ U.S. Institute of Medicine: www.iom.edu

Vincent et al. came to the conclusion that safety needs to be addressed on the basis of a broad assessment of a system's health. “Interventions may need to be targeted at several points in the hierarchy, an approach already followed in many industrial settings. Taking such a broad approach to the assessment and management of risk and the improvement of quality may seem difficult, even utopian, but may be necessary if the level of iatrogenic injury is ever to fall below 4%” (Vincent, Taylor-Adams, & Stanhope, 1998).

Patient safety became one of the major quality targets within healthcare. As a result, next to the right handling of risks, adverse events are taken into consideration to improve patient safety.

1.2 Motivation and Objectives

Faults do not depend only on the acting persons but also on external factors. It is utterly wrong to believe risk factors caused by acting persons are the crucial factors. That is proven in high-risk industries, e.g. aerospace, air traffic management, and the nuclear power industry (Ennker, Pietrowski, & Kleine, 2007). Of course, “one of the greatest contributors to accidents in any industry including healthcare, is human error”, (WHO, 2005). Already in 1991 Leape pointed out in his study about the nature of adverse events in hospitalized patients, “an important step in reducing the incidence of adverse events is to identify the patients at highest risk” (Leape, et al., 1991).

1.3 Thesis Organisation

The first section is an Introduction (section 1) and presents an outline of the background of this thesis. Chapter 1.1 gives general information on the Background of the situation in healthcare; the motivation and subject area are introduced in chapter 1.2 Motivation and Objectives. How the thesis is organised is presented in chapter 1.3 Thesis Organisation (this chapter).

Section 2 deals with the Research Proposal. The intention for this research is described in chapter 2.1 Purpose. The problem is summarized in chapter 2.2 Problem Statement, and chapter 2.3 gives an outline of the Expected Result.

Under the headline Research Review (section 3) the results of the literature review and the state of the art are described. Well-known methodologies related to the thesis are pointed out and discussed. Next to a short introduction to The Healthcare Industry (chapter 3.1), an introduction to understanding the generic Quality Management (chapter 3.2) and Risk Management (chapter 3.3) approach is given. Chapter 3.4 gives an Introduction into Risk Assessment Methods and chapter 3.5 is about The „Human Factor” Approach.

The proposed enhanced Risk Management methodology is described and discussed in section 4 Human-Factor-based Risk Management RiDeM-H, briefly referred to as RiDeM. Here a short summary of the research questions and hypothesis claims is given in chapter 4.1 RiDeM-H - General basics. Chapter 4.2 The RiDeM-H Concept with HFdFMEA is about the Human-Factor-based Risk Management in Healthcare (RiDeM-H), its model and its phases, which are described in detail.

The results of the model validation are covered in section 5 Evaluation Setting and Results. The computation and results from raw data of the human factors are described in Defining the human factors (chapter 5.1) and Weighting the human factors (chapter 5.2). How the evaluation was done is described in chapter 5.3 Evaluation of HFdFMEA model via Regression. The monitoring and supervisory approach is described in chapter 5.4 Monitoring and Supervision of the proposed Model RiDeM-H.

Questions such as “What are the implications for the health system, practitioners and patients?”, “How generalised are the results?” and “To which restrictions and limitations lead the CIRS databases?” are treated in section 6, Discussion.

Section 7 is about Conclusion and Perspective and gives on the one hand an overview of the conclusions and on the other hand an outline of possible further topics for research investigations.

The Annex (section 8) covers a list of Abbreviations (chapter 8.1), Parameters (chapter 8.2) and a short Glossary (chapter 8.3).

The references and list of literature are contained in section 9 Annex B - Bibliography.

Finally section 10 Annex C - Papers, Conference Papers, Articles gives an overview of the author’s publications.

2 Research Proposal

2.1 Purpose

As mentioned, Risk Management means the professional handling of risks with the intent of identification and avoidance of risks. Nowadays companies and organisations are requested to implement, amongst others, a Risk Management system, as a function of corporate organisation, legal restrictions and/or standards. This is to guarantee the smooth survival of a company or organisation. Compare (Ennker, Pietrowski, & Kleine, 2007).

In healthcare, both quality and Risk Management are used to improve patient safety, one of the main quality targets in that area. In different domains of healthcare Quality Management already won wide recognition whereas Risk Management as such didn’t receive the necessary attention and importance until recent years.

As one of the most established risk assessment methods, the Failure Mode and Effects Analysis (FMEA) is used to demonstrate how Risk Management methodology can be used to improve patient safety (WHO, 2005), (Marx & Slonim, 2003), (Ennker, Pietrowski, & Kleine, 2007).

2.2 Problem Statement

FMEA is one of the most established risk assessment methods in high-risk in- dustries e.g. aerospace, medical engineering, and nuclear power industry and since 2001 it has been introduced in and recommended for the healthcare, (Marx & Slonim, 2003), (WHO, 2005).

The FMEA approach is simple but there are some shortcomings in obtaining a good estimate of the failure ratings (Vikramjit, Harish, Sarabjeet, & Simranpreet, 2013), (EN 60812 - FMEA, 2006), (DeRosier, Stalhandske, Bagian, & Nudell, 2002).

Often there are several simultaneous risks, and a problem in the measurement and rating of risks is that it is not just about a possible event, but often about several individual events that relate to each other in close linkage (Ennker, Pietrowski, & Kleine, 2007), (Marx & Slonim, 2003). Also the dependency be- tween both internal and external risks respectively risk indicators, as well as the dependency from “human factors” are not taken into consideration. Hence a new risk assessment method based on the dependency of risks and broadened by the observation of human factors is proposed to deal with these drawbacks.

Each established risk assessment method has its advantages and disadvantages and consequently limitations in practice. They are constructive in handling risks (ISO_31000, 2009), (ONR_49000ff, 2010), (Ennker, Pietrowski, & Kleine, 2007). Also there are known limitations of the traditional FMEA with respect to very complex systems (Marx & Slonim, 2003), (DeRosier, Stalhandske, Bagian, & Nudell, 2002), (Vikramjit, Harish, Sarabjeet, & Simranpreet, 2013).

Such complex systems are excluded in the examination and future practice of the proposed risk assessment method.

2.3 Expected Result

As mentioned, the FMEA is already used in high-risk industries but there are some shortcomings in obtaining a good estimate of the failure ratings. The enhanced Failure Mode and Effects Analysis (HFdFMEA) takes into account the relationship between various risk factors, which are caused by human factors. It is expected that the HFdFMEA method leads to an enhanced Risk Management methodology, the Human-Factor-based Risk Management (RiDeM).

The proposed Human-Factor-based Risk Management (RiDeM) method, using the proposed HFdFMEA, investigates the relation between risks and human factors. The impact of human factors on risks is discussed.

2.4 Summary

The three pillars of the research proposal, (1) purpose, (2) problem statement and (3) expected result are summarized in Figure 1.

Figure 1: Research Proposal: Purpose – Problem Statement – Expected Result


3 Research Review

The following section describes the results of the literature review of the state of the art. It gives an introduction to the generic Quality Management and Risk Management approach. Furthermore, it is necessary to understand the changing nature of risks and the role of the human factor. One result is the growing importance of the development of socio-technical systems.

3.1 The Healthcare Industry

The healthcare industry is composed of a number of business segments that develop, manufacture, and deliver products and services. These segments include for instance:

• Healthcare plans and insurers
• Diagnostic and medical equipment companies
• Hospitals and other health facilities
• Biotechnology
• Drug manufacturing

In recent years, the healthcare industry has undergone a huge change. Langabeer speaks about a primer on the healthcare industry, observing the U.S. healthcare market. “Historically, healthcare organisations have largely been controlled by non-profits and local governments that were less concerned about efficiency and performance because of a lack of industry transparency and reimbursement practices that preserved margins despite excessive cost structures”, (Langabeer, DelliFraine, & Helton, 2010). This has changed. For example, the costs have risen faster in the healthcare industry than in other industries (see Figure 2).

According to Langabeer et al., there was a 33% increase in costs per hospital bed and a 20% decrease in operating efficiency, as measured by operational costs per full-time equivalent (FTE), on the U.S. healthcare market from 2002 to 2007.

Figure 3 presents the industry’s average operational cost structure per employee during that time period.


Figure 2: Costs in healthcare industry; Source: Data tables from U.S. Department of Labor, Bureau of Labor Statistics, 2009 (Langabeer, DelliFraine, & Helton, 2010)

Figure 3: Operating Efficiency, $ per FTE; Source: American Hospital Association Annual Survey Database, 2002-2007 (Langabeer, DelliFraine, & Helton, 2010)

Among other things, Langabeer et al. reported five findings:

• Need for heightened operational efficiency
• Finance executives are becoming more strategic
• Greater focus on internal controls
• Increased reliance on business analysis
• Industry growth will continue


All of this makes Quality and Risk Management necessary. As Langabeer concluded, “tracking operational results and identifying opportunities to improve long a bastion of the management accountant’s practice, represent an unmet need in this evolving and substantial industry”, (Langabeer, DelliFraine, & Helton, 2010).

3.2 Quality Management

Quality in general is defined as “degree to which a set of inherent characteristics fulfils requirements”, (ÖNORM EN 15224, 2012). According to DIN EN ISO 8402 [5], “quality is related to the entire organization method, which is based in the pursuit of continuous improvement to the legitimate needs of citizens / customers”.

A further well-known standard for Quality Management is the ISO 9000 series.

“The ISO 9000 family of standards is related to Quality Management systems designed to help organizations ensure that they meet the needs of customers and other stakeholders while meeting statutory and regulatory requirements related to a product”, (Poksinska, Dahlgaard, & Antoni, 2002). The Quality Management standard ISO 9000 was first published in 1987, but its history can be traced back some twenty years before that, to the publication of the United States Department of Defense MIL-Q-9858 standard in 1959.

Today there are specific standards available for different segments, including healthcare.

3.2.1 Quality Management in the healthcare sector

In the last years different quality standards and systems as well as “best practice models” have been developed and established in the healthcare area.

This section will give an overview on some selected international quality standards and systems used in healthcare:

• Quality Management – ISO 9000 family
• Standard for Healthcare Services [6] - EN15224:2012
• QEP [7] (Quality and Development in Doctor’s Surgery)
• KTQ [8] (Cooperation for transparency and quality in healthcare)
• EFQM [9] (European Foundation for Quality Management)
• EPA [10] (European Doctor’s Surgery Assessment)
• DRG [11] (Diagnosis-related group)

[5] DIN EN ISO 8402: Quality management and quality assurance - Vocabulary

[6] ÖNORM EN 15224: Healthcare services - Quality management systems - Requirements based on EN ISO 9001:2008

[7] QEP = Qualität und Entwicklung in Praxen® (Quality and Development in Doctor’s Surgery)

Quality Management – ISO 9000 family

The ISO 9000 standard is the standard of Quality Management par excellence: “The ISO 9000 family addresses various aspects of Quality Management and contains some of ISO’s best known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved”, (ISO [12]).

The following standards are included in the ISO 9000 family:

• ISO 9000:2005 - covers the basic concepts and language
• ISO 9001:2008 - sets out the requirements of a Quality Management system
• ISO 9004:2009 - focuses on how to make a Quality Management system more efficient and effective
• ISO 19011:2011 - sets out guidance on internal and external audits of Quality Management systems

Today the ISO 9001 standard is one of the most widely used management tools in the world. “ISO 9001:2008 sets out the criteria for a Quality Management system and is the only standard in the family that can be certified to (although this is not a requirement)”, (ISO [12]). “It can be used by any organization, large or small, regardless of its field of activity”, (ISO [12]), (EN ISO 9001, 2008). With the updated standard ISO 9001:2015, Risk Management has become one of the main parts of this standard.

[8] KTQ - Kooperation für Transparenz und Qualität im Gesundheitswesen (KTQ): www.ktq.de

[9] EFQM - European Foundation for Quality Management, www.efqm.org

[10] EPA – Europäisches Praxis Assessment / European Doctor’s Surgery Assessment; www.europaeisches-praxisassessment.at, http://www.europaeisches-praxisassessment.de

[11] DRG - Diagnosis-related group, https://en.wikipedia.org/wiki/Diagnosis-related_group

[12] ISO - International Organization for Standardization, www.iso.org/iso/iso_9000, last visit 2014-10-07

Table 1 highlights some strengths and weaknesses of ISO 9000 and ISO 9001 with regard to the healthcare area (hospitals/in clinical practice, doctor’s surgeries/in private practice):

Strengths:
• It is very structured.
• The handbook structure is distinguishable.
• It is internationally accepted.
• The concept requires a self-assessment (internal audit) whereby a constant control on the effectiveness and efficiency of the regulation is taken.

Weakness:
• It is kept very general.
• There are less concrete starting points related to doctor’s surgeries. This requires paraphrases.
• The terminology is the one used in the industry.
• The concept is hardly designed as employee oriented.
• ISO requires a complete presentation of all business processes. As a result for a doctor’s surgery the fulfilment of the requirements is problematical and very time-consuming.

Table 1: ISO 9000, ISO 9001 - strengths and weakness, based on (Knopp & Knopp, 2010)

Healthcare services – ÖNORM EN 15224

A standard, especially for Quality Management systems for healthcare, was published in 2012. “The requirements in this standard incorporate those from EN ISO 9001:2008 with additional interpretations and specifications for healthcare”, (ÖNORM EN 15224, 2012).

“To be able to define and describe the quality in healthcare the quality characteristics need to be identified and described. A quality characteristic always relates to a quality requirement”, (ÖNORM EN 15224, 2012). Thus eleven quality characteristics of healthcare services with interrelated quality requirements were identified, where one is patient safety.

Eleven quality characteristics of healthcare services:

01 appropriate, correct care
02 availability
03 continuity of care
04 effectiveness
05 efficiency
06 equity
07 evidence/knowledge based care
08 patient centred care including physical, psychological and social integrity
09 patient involvement
10 patient safety
11 timeliness/accessibility

Table 2: Eleven quality characteristics of healthcare services with interrelated quality requirements, according to (ÖNORM EN 15224, 2012)

In most countries representatives of healthcare professionals support healthcare facilities (e.g. hospitals, residential care homes, etc.) and doctor’s surgeries in implementing and improving Quality Management.

QEP - Quality and Development in Doctor’s Surgery

For example, in Germany the Association of Statutory Health Insurance Physicians [13] and the National Association of Statutory Health Insurance Physicians [14] developed the so-called QEP model, especially to support doctor’s surgeries in their implementation of Quality Management. In the QEP 2010, revised edition 2012, there are 144 quality targets defined and for their operationalisation 270 different indicators are mentioned (Diel & Gibis, 2013). The 63 core targets are divided into 18 divisions and 5 chapters [15], where patient safety is one of them. The 5 chapters consist of patient-centred care, patient rights and patient safety, employees and qualification, management and organisation, and quality development. Those core targets compose the code of practice for the structuring (Knopp & Knopp, 2010). As part of the QEP, proofs are equal to indicators. Therefore QEP requires only the following findings (Knopp & Knopp, 2010):

• proof is met
• proof is not met
• proof is not applicable

Table 3 points out the strengths and weakness of the QEP method.

Strengths:
• The QEP method has been developed and written from doctors for doctors.
• The proof of a requirement is equal to an indicator. The result of this is no need for an elaborate evaluation compared to any other method.
• The core targets achieve the requirements of the federal commission (G-BA [16]) on the QM concept for a doctor’s surgery.

Weakness:
• According to long explanations of the core targets and the complicated wording, it is often hard for the medical staff to handle the QEP system “alongside”. There are a number of information and notices to each core-target, which makes the handling extremely time-consuming.
• There is no handbook structure visible. The wealth of documents is more a bundle of single-proof documents, which are not related to a superordinate instrument except for the core target number.

Table 3: QEP - strengths and weakness, according to (Knopp & Knopp, 2010)

[13] Kassenärztlichen Vereinigungen (KV)

[14] Kassenärztliche Bundesvereinigung (KBV)

[15] QEP – 5 chapters: patient services, patient rights and patient safety, employees and qualification, leadership and organisation, quality development (Diel & Gibis, 2013)

[16] G-BA – Gemeinsamer Bundesausschuss (Federal Commission)

KTQ - Cooperation for transparency and quality in healthcare

One further healthcare standard has been established by the Cooperation for Transparency and Quality in Healthcare (KTQ [17]) in Germany. Any medical facility in Germany, Austria and Switzerland (DACH-Region) has the possibility to get certified by this quality standard. KTQ is a self-assessment model and the main target of the KTQ certification is to optimize patient care processes ((Ennker, Pietrowski, & Kleine, 2007), (Knopp & Knopp, 2010), KTQ [17]).

The methodology describes the criteria for Quality Management, which is divided into six KTQ-categories [17]:

• patient-orientation
• employee-orientation
• safety
• communication and information
• leadership
• Quality Management

[17] Kooperation für Transparenz und Qualität im Gesundheitswesen (KTQ): www.ktq.de

The KTQ method is comparable to the EFQM method by the European Foundation for Quality Management [18] (Ennker, Pietrowski, & Kleine, 2007), (Knopp & Knopp, 2010).

Table 4 illustrates strengths and weakness of the KTQ method in hospitals and doctor’s surgery.

Strengths:
• It has been specifically developed for the needs of hospitals and doctor’s surgery.
• The self-assessment is very well structured.
• It includes employees.
• All relevant processes of a hospital or the doctor’s surgery are considered.

Weakness:
• KTQ provides hardly structured guidelines. The handbook as navigation instrument is missing.
• Different assessment techniques require additional trainings and learning-processes.
• The assessment itself is very extensive.
• The self-assessment can lead to an apparent objectivity.

Table 4: KTQ - strengths and weakness, based on (Knopp & Knopp, 2010)

EFQM - European Foundation for Quality Management

The EFQM Excellence Model was established in 1988 by European enterprises (EFQM [19]). “The EFQM Excellence Model provides a framework that encourages the cooperation, collaboration and innovation that we will need to ensure this goal is achieved", Herman van Rompuy [20], President of the European Council, says.

EFQM connects two main components, the Enabler and the Results (Knopp & Knopp, 2010). Figure 4 shows the EFQM-Excellent-Model as designed by EFQM [21].

Figure 4: EFQM-Excellent-Model - the Model Criteria (EFQM [21])

[18] www.efqm.org/

[19] EFQM - European Foundation for Quality Management, www.efqm.org

[20] www.efqm.org/the-efqm-excellence-model, retrieved 2014-10-06

The EFQM Foundation was formed to recognise and promote sustainable success and to provide guidance to those profit and non-profit organisations seeking to achieve it (EFQM [20]). “This is realised through a set of three integrated components, which comprise the EFQM Excellence Model (EFQM [20]):

• The Fundamental Concepts of Excellence
• The Model Criteria
• The RADAR Logic”

The table below highlights some strengths and weaknesses of the EFQM Excellence Model with regard to healthcare in the clinical domain and in the private-practice domain:

Strengths:
• Employees are taken into account in both areas, the enabler and results.
• The description of requirements can be motivating.
• The self-assessment differentiates between strengths and room for improvements. This can result in continuous further work.

Weakness:
• The model is not designed specifically for the healthcare area (clinical domain, private practices domains).
• The description is of limited use for clinical areas and doctor’s surgeries.
• Similar to KTQ, the self-assessment can lead to apparent objectivity.
• For smaller doctor’s surgeries the assessment is not practicable.

Table 5: EFQM - strengths and weakness, based on (Knopp & Knopp, 2010)

Based on the initiative of German doctors, the “QP-Qualitätspraxen GmbH” [22], a composite of interested and committed doctors, was established in 1998 with the target to implement the EFQM Excellence Model in doctor’s surgeries (Knopp & Knopp, 2010). The concept is based on a descriptive modular setup of the EFQM model. Ultimately it is a conglomerate of the previously mentioned standards (Knopp & Knopp, 2010):

• ISO: use of internal audits
• QEP, EPA: e.g. complex of questioning
• KTQ: implementation of the Deming Cycle

As a result a mutual exchange of documents is possible.

[21] EFQM – Model Criteria, http://www.efqm.org/efqm-model/model-criteria, retrieved 2014-10-07

[22] QP-Qualitätspraxen GmbH, http://www.qualitaetspraxen.de/ueber-uns, retrieved 2014-09-29

EPA - European Doctor’s Surgery Assessment

The basis of the EPA concept consists of 5 domains (infrastructure, humans, information, finances, quality and safety), subdivided into 26 dimensions with 168 indicators and 413 items (Knopp & Knopp, 2010).

Strengths and weakness of the EPA concept are summarized in Table 6.

Strengths:
• Predetermined indicators allow a good assessment of the organisation of doctor’s surgeries.
• The survey of all persons involved can convey impressions.
• Based on the anonymous benchmarking it is possible to compare with others.

Weakness:
• Similar to QEP there are less structured guidelines. The handbook as navigation instrument is missing and the +/- rating isn’t helpful.
• Surveys are subjective and of limited use.
• The EPA requirements, the benchmarking and external supervision can cause the loss of independence.

Table 6: EPA - strengths and weakness, based on (Knopp & Knopp, 2010)

DRG - Diagnosis-related group

The DRG is a system to classify hospital cases into one of originally 467 groups, so it is used for categorisation of diseases.

The original objective of DRG was to develop a classification system that identified the "products" that the patient received. Since the introduction of DRGs in the early 1980s, the healthcare industry has evolved and developed an increased demand for a patient classification system that can serve its original objective at a higher level of sophistication and precision (Baker, 2002). The objective of the DRG system had to expand in scope to meet those evolving needs. Today, there are several different DRG systems available and in use, whereas most of the systems have been developed in the US.

Such systems could help when it is necessary to define categories and subcategories for contributory factors as required and used in the proposed HFdFMEA model.

3.2.2 Patient Safety

Patient safety is defined as absence of adverse events [23], [24], [25].

Patient safety has become one of the main quality targets within the healthcare sector during the last years. For this reason, patient safety is mentioned in different national and international quality standards and best practice methods for healthcare. This situation is driven on the one hand by the progress in terms of treatment options and on the other hand by the increasingly demanding mentality of patients, both of which characterise the current situation in healthcare (Ennker, Pietrowski, & Kleine, 2007). There is a growing interest in patient safety and “growing interest in safety culture has been accompanied by the need for assessment tools focused on the cultural aspects of patient safety improvement efforts”, (Nieva & Sorra, 2003).

[23] Institute of Medicine: http://www.iom.edu

[24] Patient safety platform Austria: http://www.plattformpatientensicherheit.at

[25] Patient safety platform Germany: http://www.aktionsbuendnis-patientensicherheit.de

3.3 Risk Management

In practice it is necessary to distinguish between Quality Management and Risk Management. Two legitimate questions are: How can Quality Management and Risk Management be distinguished, and where are the interfaces between the two systems?

The vernacular says, “Errors are there to be made.” On the other hand Murphy’s Law says, “Human errors are inevitable.” In this context “Risk Management aims to the conscious dealing with opportunities and risks”, (Ennker, Pietrowski, & Kleine, 2007). Events, actions and developments which can prevent companies and organisations from reaching their targets are rated. Even though Quality Management deals with important risks, it is usually operated completely detached (uncoupled) from Risk Management. Quality Management serves as a platform for Risk Management. At least until the implementation of ISO 9001:2015, Risk Management itself was completely detached from Quality Management in terms of normative regulations.

Figure 5: Connection between risk- and Quality Management, (Ennker, Pietrowski, & Kleine, 2007)


Figure 5 shows the correlation between Quality Management and Risk Management. Quality, time and costs are the three cornerstones of the triangle; the patient aspect is ultimately influenced by those three points and, of course, all are in strong relation to each other.

3.3.1 Areas of Risk Management

“As applied to corporate finance, Risk Management is a technique for measuring, monitoring and controlling the financial risk or operational risk on a firm's balance sheet.” [26]

In contrast, the Basel II and Basel III framework by the Bank for International Settlements (BIS) breaks risks into the three components market risk, credit risk and operational risk. Furthermore it specifies methods for calculating capital requirements for each of these three components.

Today Risk Management is used in different areas. In the following some areas are pointed out.

Enterprise Risk Management

e.g. regulated by the COSO II framework

“A key objective of this framework is to help managements of businesses and other entities better deal with risk in achieving an entity’s objectives”, (COSO II, 2004).

According to COSO II, enterprise Risk Management means different things to different people, with a wide variety of labels and meanings preventing a common understanding. “An important goal, then, is to integrate various Risk Management concepts into a framework in which a common definition is established, components are identified, and key concepts are described. This framework accommodates most viewpoints and provides a starting point for individual entities’ assessment and enhancement of enterprise Risk Management, for future initiatives of rule-making bodies, and for education”, (COSO II, 2004).

Medical device Risk Management

The management of risks for medical devices is described in ISO 14971:2007, Medical devices - Application of Risk Management to medical devices, a product safety standard [27]. “ISO 14971:2007 specifies a process for a manufacturer to identify the hazards associated with medical devices, including in-vitro diagnostic (IVD) medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls” (ISO 14971, 2007).

[26] see: http://en.wikipedia.org/wiki/Risk_management, retrieved 2014-06-10

Risk Management activities as applied to Project Management

In Project Management, Risk Management includes different activities, for example assigning a risk officer; planning activities including Risk Management tasks, responsibilities, activities, resources, budget, reports, etc.

Project Management for example is regulated in the ISO 21500:2012 - Guidance on Project Management. It “can be used by any type of organization, including public, private or community organizations, and for any type of project, irrespective of complexity, size or duration” [28].

Risk Management of Information Technology

One of the most established frameworks is the Risk IT Framework by ISACA [29].

The “Risk IT framework fills the gap between generic Risk Management frameworks such as COSO ERM, AS/NZS 4360, ISO 31000, the UK-based ARMS5 and domain-specific (such as security-related or project-management-related) frameworks. It provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of Risk Management, from the tone and culture at the top, to operational issues. In summary, the framework will enable enterprises to understand and manage all significant IT risk types”, (ISACA, 2009).

Risk Management as applied to the finance sector

For the finance sector there are a number of specific standards and frameworks, but also legal restraints and regulations, available. For instance Basel II and Basel III by Bank for International Settlements (BIS) [30], Sarbanes-Oxley Act of 2002 (also known as SOX, SarbOx, SOA), EuroSOX (accordingly SOX directives by the European Union are colloquially known as EuroSOX), KonTraG [31], CobiT [32], COSO II Framework [33], IFAC [34] Principles of the Code of Ethics, IAS (International Accounting Standards), FATCA [35], etc.

[27] ISO 14971:2007, http://www.iso.org/iso/catalogue_detail?csnumber=38193, retrieved 2014-08-30

[28] ISO 21500:2012 - Guidance on Project Management, http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=50003, retrieved 2014-10-08

[29] ISACA - http://www.isaca.org

These regulations and standards are also - more or less - relevant to any other enterprise, not only to banks and financial service providers.

Risk Management as applied to different industry sectors

e.g. aerospace, railway, energy, nuclear power, pharmaceutical, public, etc.

Each industry sector has its own specific regulations, standards and frameworks where Risk Management is part of it.

Criticisms on Risk Management

However, researchers at the University of Oxford and King's College London found that the notion of complementarity may be a concept that does not work in practice [26].

Fischer and Ferlie conducted a four-year organizational study of Risk Management in a leading healthcare organisation. They found major contradictions between rules-based Risk Management required by managers, and ethics-based self-regulation favoured by staff and clients. This produced tensions that led neither to complementarity nor to hybrid forms, but produced instead a heated and intractable conflict which escalated, resulting in crisis and organizational collapse (Fischer & Ferlie, 2013).

[30] Bank for International Settlements (BIS), www.bis.org

[31] KonTraG - Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (Corporate Sector Supervision and Transparency Act); it is a German piece of law that set new standards of corporate governance for German publicly listed companies. The German KonTraG is similar to the U.S. Sarbanes-Oxley Act of 2002.

[32] CobiT (Control Objectives for Information and Related Technology) by ISACA, www.isaca.org

[33] COSO II Framework by the Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org

[34] IFAC - International Federation of Accountants, www.ifac.org

[35] FATCA - Foreign Account Tax Compliance Act. FATCA is a United States federal law that requires United States persons to report their financial accounts held outside of the United States. Individuals who live outside the United States are included. FATCA requires foreign financial institutions to report to the Internal Revenue Service (IRS) about their U.S. clients.

3.3.2 Risk Management - Terms and Definitions

There are different definitions for the same terms available in the literature [36]. Therefore it is necessary to consider the respective source.

According to ISO/IEC Guide 73 [37], Risk Management comprises coordinated activities to direct and control an organization with regard to risk, where risk is the effect of uncertainty on objectives.

Risk

One of the most frequently used definitions of risk comes from ISO/IEC Guide 73 [37], ISO 31000 [38] and ONR 49000:2010 [39]:

Risk is the effect of uncertainty on objectives.

The term “risk” contains the following aspects:

• An effect is a deviation from the expected, positive and/or negative.
• Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
• Risk is often characterized by reference to potential events and consequences, or a combination of these.
• Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
• Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

[36] Definition RISK – e.g. see www.businessdictionary.com/definition/risk.html, www.investopedia.com/terms/r/risk.asp

[37] ISO/IEC Guide 73:2002, Risk Management – Vocabulary – Guidelines for Use in Standards

[38] ISO 31000:2009-11-15; Risk management - Principles and guidelines

[39] ONR 49000:2010 – an Austrian technical regulation with the title: Risk Management for Organizations and Systems - Terms and basics - Implementation of ISO 31000
