Enterprise Risk Management (ERM) Strategic

Creating an Effective Risk Management Plan

Depending on an organization’s structure, a Risk Management Plan may be an independent document or incorporated into another plan addressing risk, patient safety and quality improvement. Creating an RMP requires a solid understanding of the key elements of risk in order to develop strategies and goals as well as educate staff about risk functions throughout the organization.

Risk Management Plan Elements

The RMP should clearly define the risk management program’s scope of services. It is essential for each business to customize the RMP scope based on its culture. Clearly documenting the purpose of the RMP is an important first step. Establishing written, measurable goals helps keep the RMP an active, relevant document.

Within the plan, risk management processes should be identified and may include risk identification and analysis, loss prevention, risk transfer and risk retention. Goals should be specific, measurable, reasonable, and achievable. They should be reviewed through the quality, patient safety or risk management committee process. The RMP should also describe how patient safety, quality improvement, and other departments collaborate to achieve shared goals, and how, when and where that integration occurs.

Proactive risk identification activities are another important element and may include departmental risk assessments, walking rounds, walk-through hazard inspections, observation, medical record audits, and tracking and trending of incident report data. Reporting on quantifiable and actionable data should be detailed in the RMP and include how data collected through various risk identification techniques will be used.

The RMP may include aspects of risk transfer, risk retention and risk avoidance activities undertaken by the risk management team and organization. Loss prevention services provided by brokers and carriers should be detailed. 

Reporting and Response

Staff and providers alike should feel safe reporting incidents and near misses. The RMP should include the methods and frequency used to educate providers and staff on the incident reporting process.

A clear understanding regarding the type of events to report and a consistent process about how to report are important. This is especially true for events that require mandatory or immediate reporting through regulatory, licensing and accrediting agencies. The RMP may also include an escalation process to ensure an active organizational response to a critical event. Serious incidents and events require different management processes. Notification within the organization as well as composition of the response team may be outlined in the plan.

Patient & Family Grievances

Whether or not the patient relations team members report through risk management, responding to patient and family complaints should be described in the RMP, unless referenced in another organizational plan. The work of patient relations, such as service excellence, patient advocates or patient experience, serves as an important risk identification method and allows for early response and resolution.

Communication, Education & Training

The RMP should also include education of staff, providers and leadership on the role of risk and its impact on the organization. This may take place during new employee or provider orientation, risk management grand rounds, training on risk management basics and updates on trending topics.


The RMP requires support from all levels of organizational leadership. Although the plan may be written by risk management leaders, the effort and support should reflect a top-down approach and be communicated widely throughout the organization. If possible, a separate risk management council that reports to the Board should be considered unless risk management is strongly represented within another committee structure, such as an organizational Patient Safety Committee. Board awareness and understanding of the risk management program is essential, regardless of how the information is communicated.

Annual Program Assessment

Periodic monitoring of the effectiveness and performance of risk management actions is necessary. Annual review of the RMP and the work performed is a best practice. Sharing the review with appropriate committees and senior leadership is an effective way to show the effectiveness of the RMP.


The Risk Management Plan provides the organization with a comprehensive guide to identify, evaluate and plan for potential risks that may arise in the normal course of operations. The complex nature of health care creates an environment ripe with challenges and will continue to offer the risk professional a rollercoaster ride of considerations in order to remain responsive.

Author Joan M. Porcaro, RN, BSN, MM, CPHRM, is an associate director of Client Relationship Management for WTW (Willis Towers Watson). She has more than 25 years of experience as a risk management professional and prior to that, Porcaro served as an operational leader in acute care, home health, hospice and physician practice settings.

Porcaro has led and served on American Society of Healthcare Risk Management committees and has been an ASHRM state chapter board member. She is an author and frequent speaker for industry communications and events, and is currently an adjunct professor at Texas Tech University. 
