Health Care Risk Management

13 March 2019
4 min read

If an organisation sets objectives without taking its risks into consideration, chances are that it will lose direction once any of those risks hits home. Clinical risk, which includes the quality of patient care and patient safety, is the number one risk for all health care providers.

Let’s explore another three key risks that should be considered:

Data Governance

Health care providers generate, maintain and report on large quantities of data. How this data is best captured and used is an ongoing area of focus. A recent report from the Grattan Institute, and comments from Stephen Duckett, the report’s co-author, call for accreditation and safety-outcome data to be made public. The aim of this greater transparency is to improve patient outcomes. Now more than ever, health care providers need to focus on the governance of their data. The 2018 national roll-out of My Health Record, which stores health information in one central location, increases the need for data governance and also ties to the next key risk: cyber security.

An internal audit of data governance can review your accountability framework and assess the valuation, creation, storage, use, archiving and deletion of key information.

Top three areas to consider:

  1. Data governance policies and procedures require updating as more data flows into and out of health care organisations;

  2. Technology does not guarantee effective data governance if business processes are not aligned; and

  3. How is value assigned to datasets, and when was this last reviewed?

Cyber Security

Cyber threats to the health care industry are increasing. In March 2018, the Healthcare Information and Management Systems Society (HIMSS), a global voice in health care, published its annual Cybersecurity Survey. The majority of respondents (75.7%) indicated that their organisations had experienced a significant security incident in the past 12 months. Cyber security is a key risk. The health care industry tends to run a number of systems which do not always integrate well. The resulting fragmentation complicates business processes and leaves gaps in monitoring and detection, so an intrusion into one system can go unnoticed by the others. Drivers behind cyber threats in health care include access to patient data, access to medical devices and financial gain.

An internal audit of cyber security can range from penetration testing and social engineering exercises to reviews against a security framework.

Areas to consider:

Cyber Vulnerability Scorecard – An organisation’s vulnerability to cybercrime depends on the interaction between intrinsic and extrinsic factors, which can be separated into the following:

  1. Attractiveness to cyber criminals;

  2. Potential damage in event of a cyber breach; and

  3. Strength/weakness of cyber security and resilience.

The results of this assessment will help you understand your organisation’s cyber vulnerability and identify the steps necessary to reduce it.

Cyber Security Framework (CsF) – To address these growing concerns, Findex has developed a CsF to help businesses move from a reactive to a more proactive mode of operation in addressing cyber risk.

Cyber Insurance – know what you are covered for, and what is excluded.

Workplace Culture

The Victorian Auditor-General’s Office released its Bullying and Harassment in the Health Sector performance audit report in March 2016. The audit highlights the importance of building and maintaining a positive workplace culture that deals effectively and decisively with the full range of inappropriate behaviours, including bullying and harassment.

The Targeting Zero: putting patient safety first in Victoria report (2016) was a review of hospital safety and quality assurance in Victoria. The review also identified bullying and threatening behaviour in the public health system as a major risk to patient safety.

Trust and confidence take a long time to build, can be lost very quickly when there is misconduct, and take even longer to restore.

The NSW Health Workplace Culture Framework was created to address Recommendation 42 of the Special Commission of Inquiry into Acute Care Services in NSW Public Hospitals (2008). The Framework outlines the characteristics and elements that enable staff to contribute positively to the culture of their individual workplaces in NSW Health.

In 2016 Queensland Health embarked on a culture change initiative. Its objective was to significantly change the behaviours of its people, as well as their attitudes towards their work, the organisation and the role of leaders.

Areas to consider:

  1. Desired culture – has it been clearly communicated?

  2. Embedding the culture – has the desired culture been embedded in every part of the organisation?

  3. Measures to monitor culture – does management have adequate processes in place to understand the culture, and are behaviours in line with the desired culture as articulated by the Board and senior management?

The above are areas every health care organisation should be considering.

Do you have your key risks covered? For more information on how to ensure you remain protected, talk to your adviser today; they can introduce you to an internal auditor.