Goals And Values
A provider organisation’s fundamental purpose is undoubtedly safe patient care, and this provides a golden thread for the full range of strategy documents. These same strategies tend to guide personnel behaviour in pursuit of high-quality care delivery and the motivation to report instances where standards have dropped. But documentation alone does not drive the necessary behaviours that reduce risk. Mechanisms for active prevention are required: monitoring activities and guiding behaviours towards desired norms.
Large-scale change, within which an EPR implementation certainly falls, is built on solid change management principles, which themselves begin at the very top with culture and communication. Culture must be nurtured through well-publicised, and indeed practised, organisational values, clearly encouraged as everyone’s responsibility, with a holistic risk management regime. Eyes and ears on the frontline are the only pragmatic way to understand and act upon risks. Failure to foster the culture will undermine the identification of risks, progress in mitigating them, and ultimately the strategic goals.
The Board Assurance Framework
Healthcare providers must accept risks to deliver complex services in line with their strategies, since being risk-free is not possible. Board-level strategic risks differ from operational or project risks, with an effective framework crucial to meeting public and government expectations. The assurance system must aim to reduce the likelihood of the most significant risks materialising and improve the organisation’s ability to contain resulting issues. Mobilising an EPR programme is a key moment in the transformation. EPR deployments often face delays and unplanned costs, and also influence service disruptions, so the organisational culture must cater for the linking of risks back to the driving strategy, goals and values from before the investment has gained approval.
A robust Risk Management System (RMS) hosting both corporate and project risks underpins a well-presented BAF, allowing an organisation to adopt those higher risk levels when justifiable against corporate aims. This shift from healthcare risk aversion to a greater risk appetite is essential for an effective EPR transformation programme that can never be risk-free.
Risks are categorised as corporate, project, strategic, and external. Corporate risks offer limited strategic benefits, project risks support strategic goals, and external risks address uncontrollable factors. Mitigations vary:
- corporate/project risks focus on avoidance or elimination
- strategic BAF entries on reducing likelihood/impact
- and external threats on lowering impact.
An EPR programme’s complexity and impact warrant Board-level attention via the BAF, helping the Programme Director gain high-level support at every stage of the journey, within an appropriate risk appetite, correlating with those approved strategic goals.
The Business Case Influence
Cognitive biases often prevent individuals from considering risks until it’s too late, so programme governance must enforce a strong regime traceable to the original case for change, such as a Strategic Outline Case (SOC). Initially, the BAF reflects high-level strategic risks, but as the programme progresses, risks evolve and the BAF matures. The Trust Board must regularly reassess its EPR appetite through open dialogue that ensures its understanding grows, leading to informed, surprise-free considerations of key gateways such as the Full Business Case (FBC).
Risks Are Hard to Quantify
Personnel can be overconfident about the accuracy of their risk assessment, often anchoring estimates to readily available evidence or their own lived experiences, whereas future events are known to be uncertain and variable. It is common for some risks to be dismissed as far-fetched, yet our volatile world is now surprising us on a regular basis. The pandemic in 2020 is a prime example of this.
Stakeholders apply confirmation bias, favouring information that supports their aims (or those of the people they aim to please) and suppressing information that threatens them, initially to gain business case approval and later to save face. Rather than mitigating risk, the “organisation” can incubate risk through tolerance of apparently minor failures and treat early warning signals as false alarms rather than alerts to imminent danger. It can be a fine line.
Effective risk-management processes must counteract these behaviours. They must allow the EPR programme team to feel comfortable thinking and talking about what could go wrong within their existing programme and to feel empowered to share this. Patient safety via appropriate resourcing that challenges affordability is a good current EPR example.
A positive risk culture begins with stimulating challenging dialogue in pursuit of a position that ultimately facilitates appropriate board messaging within the BAF.
Managing EPR Programme Risks
No single staff group has the knowledge to perform operational-level risk management across a diverse healthcare organisation. A multi-discipline Risk Review Board, set against its own Terms of Reference, is an essential part of assured programme governance. An agenda item tagged onto a Programme Board does not provide the time and space for rich dialogue to facilitate the required challenge and refinement.
The Risk Review Board should include non-programme personnel to capture the wider impact of activities, whilst it should be chaired by a skilled facilitator with no obvious bias to any aspect of the programme. Risk statements should be quality moderated by a member of the organisation’s risk management department.
Even when the programme has a system that promotes rich discussions about risk, a further trap awaits. EPR risks are often quite predictable and familiar, so the project may compartmentalise them along departmental lines, often reflected in the named risk lead. This may inhibit discussion of how different risks interact, suppressing challenge and integration at the same time. The role of a risk lead therefore needs to be clearly stated as the custodian of a record’s accuracy and currency, but not of its isolated analysis or status/outcome.
Programme risk registers traditionally record the baseline level of risk and current level of risk with a proximity for when the risk is likely to manifest into an issue. Some programmes also agree target levels of risk against which tolerance (acceptance) of a risk would occur. All these details benefit the general robustness, but reviews tend to be restricted to a point in time, similar to a car MOT.
A risk map or radar is a useful approach to visualising the project risk profile, allowing stakeholders to comprehend the overarching level of risk to the programme as a whole, and informing the BAF of how the programme is performing as it moves forward. Strategic risk records within a BAF contain a helpful trend indicator that can also benefit the operational project risks – the movement arrow – to provide early warnings. When you consider a red risk that is dropping and compare it to an amber risk that is rising, which should be the focus of an assurance dialogue? Trends enable a Risk Review Board to apply its focus to those risks that truly require challenge and support.
A risk stress test may also prove useful where multiple risks share common causes that could shift the overarching perspective very quickly. By simulating pragmatic upward movements in their impact levels, a programme can demonstrate worst case scenarios and play these into Trust Board assurance. The key is making valid assumptions by avoiding the temptation to simply base estimates on those most recent experiences.
To Summarise
Programme risk management can be viewed as a pyramid, with the Trust Board at the top seeking a simple, strategic summary of detailed operational risks below. A robust risk management regime that draws in appropriate organisation-wide influence and avoids point-in-time-only perspectives will provide superior Board Assurance and thus support.
About the author
Phill James is a Managing Consultant at Apira and has previously held Board-level Chief Information Officer and EPR Programme Director roles. To contact Phill, please email phill.james@apira.co.uk or connect with him on LinkedIn.