< Previous | Contents | Next >

The Risk Management of HAI: A proposed Methodology for NHSScotland Consultation Document

1. Background and consultation

1. Healthcare Associated Infection (HAI) is a priority issue for NHSScotland. The profile of prevention and control of HAIs has been transformed within the past few years. Significant milestones include the Carey Report "Managing the risks of healthcare associated infections in NHSScotland" (August 2001); the NHS Quality Improvement Scotland (NHSQIS)/Clinical Standards Board for Scotland HAI Infection Control Standards (December 2001) and Cleaning Services Standards (June 2002); "A framework for national surveillance of healthcare associated infection in Scotland" (July 2001); the Antimicrobial Resistance Strategy and Scottish Action Plan (June 2002); the Ministerial HAI Action Plan "Preventing infections acquired while receiving healthcare" (October 2002); the Audit Scotland review of cleaning services and the NHSQIS review of HAI infection control standards (both published January 2003) and the roll-out of the "champions" educational initiative (2003).
2. A major programme of work to improve the prevention and control of HAI across the NHS in Scotland was laid out in the Scottish Executive Health Department's Ministerial Action Plan on HAI. This programme is now being actioned by the Scottish HAI Task Force under the chair of the Chief Medical Officer. The HAI Task Force is both overseeing existing work in progress and commissioning several new working groups to address the many tasks specified in the Action Plan. One of the priorities for the HAI Task Force is to develop a risk-based methodology to reduce the risk of HAI.
3. An HAI Task Force working group was formed in 2003 to develop the risk-based methodology to set priorities for targeting measures to reduce the risk of HAI and to facilitate action to ensure strict compliance with standards. This multidisciplinary working group included representation from NHS clinical and support services, members of the public, the non-NHS care sector including independent hospital representation and staff partners (full membership at Annex 6).
4. Following the consultation, the working group will take account of all views expressed and will move forward to finalise an agreed risk-based methodology.
5. In the interim period before the risk-based methodology is finalised, the consultation version of the methodology will be piloted in NHSScotland under the direction of the Scottish Centre for Infection and Environmental Health (SCIEH). This pilot will test the methodology for applicability, utility and ease of use.
6. The purpose of consulting widely is to seek views on a piece of work which is important for individual NHS bodies in Scotland and for the NHS as a whole. As such, you are invited to comment on:

• The scope and content of this consultation document
• The format and clarity of the document
• Ease of use of the methodology
• Whether there are any gaps in the document

Comments should be sent by 28 February 2005 to:

Christopher Bergin
HAI Task Force Project Supervisor
2EN
St Andrew's House
Regent Road
Edinburgh
EH1 3DG

Or by e-mail to: christopher.bergin@scotland.gsi.gov.uk

Please note that all responses to this consultation may be made public, unless a respondent requests that their views be kept confidential.

2. Introduction

Over the last three years considerable progress has been made across NHSScotland organisations to establish co-ordinated risk management structures and processes as recommended by the Carey Group Report. This is evidenced by the organisations that have a Board approved risk management strategy, have key people responsible for the co-ordination of risk and, in addition, who have monitored their progress against NHSScotland risk management standards to see how well these controls are working. The required compliance with the Statement of Internal Control ensures that, as risk management frameworks develop, they enable organisations to apply a whole systems approach to corporate, clinical and staff governance, demonstrating that risk management is an integral component of everyday activity. The management of HAI must be viewed within the context of a whole systems approach.

2.1 Risk Management of HAI

Effective action to control HAI involves systems, culture and management. It is a problem for which there is no quick or easy solution. Systems include structures and processes, policies and procedures, education and training, audit and surveillance. Much of this is already addressed through compliance with NHS Quality Improvement Scotland (NHS QIS) Standards relating to infection control.

Effective action to reduce HAI requires improving the quality of individual behaviour, clinical care, the clinical environment and equipment, underpinned by risk management and prioritisation. Risk assessment in the context of HAI entails identifying, evaluating, ranking and treating risks, with ongoing monitoring and review. Full communication and consultation is essential. Values must include openness, partnership, learning and development, within a ‘just’ culture.

Further development in risk management systems for infection prevention and control must be consistent with those already in use for risk management and incident reporting in NHSScotland. Guidance produced to underpin the Risk Management standards of the Clinical Negligence and Other Risks Indemnity Scheme (CNORIS) has gone some way to facilitate consistency in application throughout Scotland. Risk teams are now moving from a numbered scoring system towards a colour coded system to simplify interpretation of the level of risk within the organisation.

If risk descriptors for infection control are to be adopted, they must be in a format recognised by staff who are actively assessing risk and operating an organisational adverse incident management system consistent with methods and tables used by best practice risk departments.

"Learning From Experience": How to improve safety for patients in Scotland endorsed the principles and recommendations of the DoH reports of 2000, An Organisation with a Memory and 2001, Building a Safer NHS for Patients. This establishes the NHSScotland commitment to applying the AS/NZS 4360:1999 Australian Standard in Risk Management. This standard provides a generic framework for establishing the context, identification, analysis, evaluation, treatment, monitoring and communication of risk. The emphasis however, must be on local systems and application, as organisations’ risk management will be influenced by varying needs, objectives, products, services, processes and specific practices employed. Key to success is the effective organisational establishment of proactive risk assessment and adverse incident management, evidenced by reporting and learning systems that collect and analyse information on adverse events and near misses. For this reason we have utilised established risk management practice and practical examples from NHS Argyll & Clyde and NHS Tayside. It is our proposal that other areas replicate this on a pilot basis so that local interpretation will inform the overall NHSScotland application and implementation of the risk methodology.

2.2 The Human Factor

Success in reducing the risk of HAI depends upon the commitment given to hygiene and the prevention and control of infection by staff in healthcare settings and the general public. Key to this are the attitudes and culture, local management responsibilities and sharing and learning from good and bad experiences.

The term "human factors" refers to the role played by human beings in "complex socio-technical systems" (Davies J et al, 2003), a set of circumstances in which people and machines interact with each other. NHSScotland is a complex socio-technical system. Human error is said to occur in situations that arise where a particular human action has, or could have, an unwanted consequence; and where the action in question is deemed with hindsight to have been incorrect. The term is frequently used incorrectly to describe a mistake made by a front-line operator. However, human error can occur at any point in a complex socio-technical system, from the front-line workers through middle-management and supervisory staff, and ultimately to senior management.

Consequently, in recent times systems have been devised which look at human error at three distinct levels. These are the proximal level where the errors made are defined by the jobs that front-line staff are required to do ‘at the coal face’; the intermediate level which encompasses issues such as staff training, supervision and local procedures; and the distal level which includes the kinds of errors that management may make concerning decisions such as resource allocation, staffing levels, recruitment of contract labour etc. In the context of HAI management, this proximal/distal methodology can be used, for example, to explore and determine why people do not wash their hands:

• an individual refuses or forgets to do it (proximal)
• poor estates planning where there is a lack of wash hand basins in clinical areas, overstretched staff feel ‘too busy’ to comply, or delay in delivery of a hand hygiene training programme (intermediate)
• lack of a training programme, low organisational priority for HAI control, or low priority for funding initiatives (distal).

There is evidence to suggest that proximal errors are relatively more common, more likely to be self-detecting (i.e. at this level, the fact that an error has been made is usually obvious) and less likely to have catastrophic consequences for the organisation than errors at the distal level. By contrast, errors at the distal level are more likely to remain dormant for long periods of time, more likely not to reveal their presence until too late, and more likely to be involved as root causes in major incidents/catastrophes. It is also the case that errors at the front line can sometimes occur because decisions made higher up in the organisation have inadvertently created the conditions under which certain types of front-line error are more likely to occur. In such a case, human error is said to be due to "error-promoting conditions"; the implication being that any person involved in that task would have an increased probability of making that type of error due to the way the task is configured or the conditions under which it is to be performed.

A fuller discussion of this issue, and the important relationship between risk management and learning from adverse incident reporting, is attached as Annex 1.

3. NHSScotland model for organisational risk management

3.1 Introduction to the process

It is essential that management of the risks related to Healthcare Associated Infection (HAI) is set within the context of the organisation’s system of governance and the following risk management system (or equivalent).

Most if not all of the techniques used in risk management are not new but have been taken from other areas of organisational activity. However, the pace of change in recent times has brought new risks and new forms of risk. Information technology, new legislation, availability of resources, and staffing issues all create risks that threaten the organisation’s ability to meet its key objectives. Risk management requires the development of a method to identify, measure and manage the risks thereby reducing the potential for unexpected loss or harm. Such a method involves the consistent use of suitable techniques throughout the organisation. A typical risk management process will involve five main stages:

1. Identification. Identification of risks and potential risks to the organisation at all levels. Some of these risks will be immediately identifiable; others may be less recognisable.
2. Evaluation. Once the risks have been identified, the next step is to measure (evaluate) those risks. Measurement is defined by how serious the risks are in terms of consequence and likelihood (or relative frequency) of occurrence.
3. Plan & control. The next stage is to prepare a plan for the control of these risks. This can include many actions such as eliminating a particular activity because it is too dangerous, the use of protective measures, special training, or new policies and procedures to improve the current arrangements.
4. Resources. The fourth stage in following an agreed risk management control plan is to ensure that adequate resources are or will be available to meet the impact of the actions and measures that have been identified.
5. Monitoring & review. The fifth stage is to establish a system where all risks have a review process and defined reassessment timetable. This will ensure that the risk management process is dynamic and continuous. The review process includes the addition of new risks as they develop.

Risks cover all aspects of healthcare activity. However, key triggers/identifiers of particular importance to each organisation may be developed from key plans and operational policies. No one category or trigger should be analysed in isolation.

3.2 Stage 1: Identification

The first stage in identification should be to carry out a risk assessment of the organisation in relation to HAI. This stage sets out to analyse the major risks facing the organisation and to understand its unique risk position. When complete, this exercise will determine the broad risk objectives, in terms of risk control and resource requirements. This preliminary stage is intended to give a general understanding of the risks facing the organisation so that the major risks can be identified.

Strategic leadership and direction is fundamental to the development of the organisation’s risk management framework. The risk assessment will initially be a top down approach looking at the significant risks and controls at corporate level. An important feature of this stage is to focus on the full range of risks across the organisation’s objectives. The Local NHS Plan and Operational Performance Plan will determine some of the key areas. This exercise will also identify current controls and present initiatives to examine the gaps and overlaps. Not every risk will be controlled at an acceptable level. The risks should be stated explicitly and must be communicated to the organisation, the patient, public and others. Healthcare Associated Infection is a significant risk for all NHS organisations (see Table 2a).

The organisation must consider:

• The nature and extent of the risks
• The degree and category of risk, including what is regarded as acceptable
• The likelihood of the risks materialising
• The organisation’s ability to reduce the likelihood and the potential impact on business
• The cost/benefit of controls in relation to the identified risks

All identified risks should then be assessed and prioritised. The risk assessments will identify the significant risks arising from the activities of the organisation, and can be assessed across the potential impacts on:

• Failure to meet objectives
• Cost – resulting from civil action /claims /litigation /enforcement actions (e.g. via The Health & Safety Executive)
• Schedule – result of operational delays, increased waiting times, reduction of service or service failure
• Loss of reputation
• Accountability Review

These impacts are only given as examples. Alternative differential impacts may be developed to address each level/department within the organisation. However, use of a standardised template is recommended to create consistency across all service components.

3.3 Stage 2: Evaluation

Once the risks of an HAI incident or outbreak have been identified, the next step is to consider the likelihood (frequency) of the risk actually happening and then relate this to the potential consequences/impacts that this event would have on the organisation, patients and staff.

3.3.1 Likelihood

This will be based on the likelihood of the event occurring i.e. the probability or known frequency of the event. Identifying the likelihood of most events occurring in health can be subjective and based upon the knowledge and expertise of those involved in the risk scoring exercise. However, evidence and statistics may be available regarding the recurrence of certain events and this information can help you to assess the likelihood score. Only one score may be selected for each risk from Table 1.

Table 1: Likelihood scores

3.3.2 Consequences

Once the likelihood is determined, the consequences or impact of the risk on the organisation must then be determined. The establishment of accurate severity categories is fundamental to the risk management exercise.

This will reflect the impact (including financial) on the organisation should an identified risk or event occur. Severity must include the consequential losses as well as the direct loss to enable an accurate and consistent appraisal of the risks. In identifying the score, the worst case scenario consequence will have priority. The Executive teams and operational units should agree the tolerance of consequences for the organisation.

A sample severity banding for generic organisational risks is detailed in Table 2, and a consequence scoring matrix specifically for HAI (based on existing practice within NHSScotland) is presented as Table 2a. As with the likelihood scores, only one score may be selected.

The likelihood and consequence scores are then multiplied to give a figure that represents potential exposure. This is called the Risk Exposure Rating. This rating determines whether a risk is categorised as Red, Amber or Green (Table 3) and has a numerical value determined by the product of likelihood and consequence scores.

Both the colour category and the numerical value are useful: colour coding facilitates rapid communication and understanding, whereas the numerical values assist in further exploration of the technical process of risk management and prioritisation. It should be remembered that there is inevitably a degree of subjectivity in the process of assigning numerical values, which will be minimised by further refinement of the risk descriptors.

Table 2: Organisational Consequence Score (distal risks)

Table 2a: HAI Infection Control Consequence Score (proximal risks)

*SD = standard deviation

Table 3: Risk Exposure Colour Code and Risk Exposure Rating values

Key for black & white print:

3.4 Stage 3: Plan and control

3.4.1 Control Levels

NHS activity is inherently risky. All staff throughout the organisation currently manage aspects of risk within their existing decision making processes to give some level of control (Control Level). There are three distinct types of Control Level.

1. Risk Control Level
   This figure represents the current position reflecting the existing control mechanisms at the time any risk is identified and assessed.
2. Target Risk Control Level
   The target will represent the highest control standard considered realistically and economically achievable for any risk.
3. Tolerance Control Level

Following detailed appraisal of the identified risks, the organisation must indicate an acceptable tolerance level for the risk. This should reflect the minimum steps considered necessary in a short timescale to improve control of any risk to a tolerable level. This will highlight areas for immediate further action or demonstrate a milestone in the achievement of the Target Control Level.

3.4.2 Risk Control Plan

The inter-relationship between likelihood, severity and Control Levels has become the generally accepted basis of risk management and is used to generate the Risk Control Plan for infection control and HAI, sometimes referred to as the Risk Register.

The Risk Control Plan lists the sources of risk. The plan outlines all risks and assesses the extent of the risks, particularly in terms of exposure and likelihood. The following steps explain how to agree the mechanisms currently available to control the risk.

3.4.3 Control Group and Control Level

The systems and processes that are in place to control risk can be categorised into five groups of control:

• Management
• Policies and procedures
• Contingencies
• Active controls
• Passive controls.

This grouping ensures that all controls are recorded consistently and accurately throughout the organisation. They are characterised as:

The controls within each group should be explored using brief bullet point information. This information will help to determine how much control you have against each group across the following scale:

No Control Controls Under Review Controls Planned Controls Partially Operational Controls Fully Operational.

The meaning of each of these levels and scores is described in the Risk Control Matrix (Table 4). Within each of the five groups choose the one level of control that applies to the risk. This must be done for all five control groups. When complete, the cumulative score on a scale of 5 to 100 represents the overall level of control for the risk. To make the analysis of the Risk Control Scores straightforward, the score is converted to a Risk Control Level on a scale of 1 to 10 as show in Table 5. This is the Control Level where 1 is ‘excellent’ and 10 is ‘very poor’.

3.4.4 Risk Ranking

This is calculated by multiplying the Risk Exposure Rating (Likelihood x Severity) by the Risk Control Level i.e. the score from Table 3 times the score from Table 5. This Risk Ranking value allows comparison and prioritisation of different risks.

3.4.5 The Risk Control Plan or Action Plan

After considering Risk Control Level, you are now able to decide whether a Target Control Level is required i.e. are improvements necessary? If so, then decide the level of control that you need to achieve to reach the Target Control Level.

Specific actions can be assigned to any or all of the five Control Groups and will aim to increase the control level (see Table 4). The summarised list of actions becomes the Risk Control Plan or Action Plan. The plan must also detail the timescale for the improvement to be achieved and any cost benefit in relation to the risk.

If a Target Control Level has not already been set, it may be set once the identified changes and actions are planned. Should the Target Control Level be a longer-term goal, then a Tolerance Control Level may be set to indicate achievable steps in the proposed actions taken to further control the risk.

Additional information required to complete the Risk Control Plan includes:

• The named Risk Owner – the person ultimately responsible for the risk
• The named Risk Manager – the person actually managing the risk
• The reporting arrangements for review – the review timescale and the person responsible for that if different from the Risk Owner. The risk control plans may also be reviewed by a group or committee.
• Details of the person recording the information and the date.

Table 4: Risk control matrix

Table 5: Risk Control Levels

Risk control level x likelihood x severity = value for risk ranking

Poor risk control results in a high risk control score which, multiplied by high likelihood of the event happening and high severity scores, enables the potential impact of the risk to be ranked as a high priority within the Risk Register. Action can then be considered in relation to resources required for management.

Illustrative examples of application of this methodology can be found in Annex 2

3.5 Stage 4: Resources

The risk control planning process should also compare the risk exposure costs (should the risk materialise) with the cost of planned improvements to current controls. Capital and revenue, recurring and non-recurring costs must be considered. Any increase in other resource requirements must also be considered and identified. It is possible that the impact in cost or resources required might outweigh the actual impact of the risk materialising on the organisation. The prioritisation of risks through the risk ranking process allows the organisation to further characterise the risks that require early attention on a cost and benefits basis and address them in the most effective way.

3.6 Stage 5: Monitoring & Review

All identified risks and the associated actions must be monitored and reviewed on a continuous basis by named individuals and/or groups (e.g. the Infection Control Committee). A Risk Control Plan that does not change very often would probably indicate that risk is merely being identified, but not being managed or controlled.

A key element to ensure adequate follow up is a monitoring process which is able to provide reasonable assurance to the Executive Board that there are appropriate control procedures in place for all significant risks, and that these procedures are being followed. In addition, there should be formal procedures in place for reporting weaknesses and for ensuring corrective action.

Additional support for the review process will come from effective internal audit systems. The Annual Internal Audit plan will target days each year to survey the risk management process within the organisation, demonstrating the achievement of a robust performance management process. The Audit and Clinical Governance Committees will also monitor the implementation of corrective actions, but will undertake a review role rather than any direct responsibility for risk management.

3.7 Summary of this section

Risk identification leads to decisions on the likelihood of the event and the severity of consequences if the event happens: cross-tabulating these two values give a simple green-amber-red risk exposure category and (the product of these two values) the risk exposure rating. The risk reduction systems and controls already in place under five categories give a numerical value for risk control level. Multiplying this by the risk exposure rating gives a risk ranking value for use in prioritising risk which takes into account the likelihood, severity and control measures relating to each risk in the risk register.

Preparing Risk Control Plans using the above risk management methodology will enable NHSScotland organisations to comply with mandatory requirements. The following diagram of the Risk Management Process (Figure 1) and incident flow chart (Figure 2) provide examples of the flow of risk assessment, incident reporting, investigation, actions and implementing changes and learning. This is a continuous process.

Figure 1: Risk management process Adapted from AS/NZS 4360:1999 - Risk management

Figure 2

4. The wider context of the model

There are two other areas which link closely to the risk management model, namely the management of adverse events which cannot easily be quantified in terms of recurrence, and the connections with a future national adverse incident reporting system.

Active management decisions on the former may be helped by application of the management matrix developed by the Watt Group (Annex 3). It is, however, a tool which is fundamentally different from the risk management model in that it helps determine specific actions arising from a situation rather than the broader issues of proactive risk management.

Development of national adverse incident reporting is at an early stage in NHSScotland, and the discussion paper prepared by the Working Group (Annex 1) explores some of the underlying issues which will have to be considered, in addition to giving further consideration to human factors and prior cause analysis.

5. Critical Success Factors

Success in reducing the impact of HAI will depend on:

• creating a managed environment that minimises the risk of infection to patients and the public; and
• compliance with relevant national Scottish standards (eg NHS QIS standards on HAI infection control and on cleaning services).

This will be achieved by:

• Development of a partnership culture that secures the involvement and participation of all staff in risk assessment and adverse incident/near miss reporting in relation to HAI
• Ensuring that routine and systematic identification, assessment and control of infection risk is an integral component of all work activities
• Ensuring that an effective reporting process is in place to facilitate the systematic identification of HAI adverse events and near misses
• Acknowledgement that even though staff are accountable for their own actions and decisions, the greatest risk of loss is most likely due to failure in the system rather than individual error alone. (This principle will determine how NHSScotland organisations respond to adverse events)
• Securing the commitment of management at all levels to promote HAI risk management and provide the necessary leadership and direction
• Adoption of agreed standards of risk management throughout the organisation which are audited and monitored at corporate and operational level ensuring that corrective action on infection control is taken where necessary
• Having in place effective communication systems to make sure everyone in the organisation is sufficiently informed about risk management and incident reporting in relation to HAI and infection control
• Providing resources, facilities, information, training, instruction and supervision to meet these objectives

< Previous | Contents | Next >