The Risk Management of HAI: A Methodology for NHSScotland

3. NHSScotland model for organisational risk management

Introduction to the process

In January 2005 NHS Quality Improvement Scotland (NHSQIS) purchased the licence, on behalf of NHSScotland, for the Australian/New Zealand (AS/NZS) 4360:2004 Risk Management Standard [11], in order to provide NHS Boards with a consistent tool for implementing risk management systems, with consistent terminology and methods. Within the context of a national framework for risk management, NHSQIS also commissioned work that enabled the development of a national approach to incident and near-miss reporting (Safe Today - Safer Tomorrow [16], 2006). This work was undertaken in partnership with NHSScotland.

It is essential that the management of risks related to Healthcare Associated Infection (HAI) is set within the context of an organisation's system of governance and risk management. An example of an HAI risk management tool already available is the 'Watt Group Risk Management Matrix' [17] (2002). This was developed for use by infection control teams in the practical management of infection incidents or outbreaks.

Risk management requires the development of a method to identify, measure and manage risks, thereby reducing the potential for unexpected loss or harm. Such a method involves the consistent use of suitable techniques throughout the organisation. The risk management process should involve the following stages (see also Figure 1):

3.1 Communicate and consult

3.2 Establish the context

3.3 Identify the infection risks

3.4 Assess the infection control risks (likelihood and impact)

3.5 Evaluate

3.6 Treat risks (plan and control)

3.7 Monitor & review

Adapted from AS/NZS 4360:2004 [11]

Risks cover all aspects of healthcare activity. However, key triggers of particular importance to each organisation may be developed from key plans and operational policies. No single category or trigger should be analysed in isolation.

3.1 Communicate and consult

It is essential to communicate and consult with internal and external stakeholders, as appropriate, at each stage of the risk management process. This is an important consideration at each step of the way and should be an opportunity for all to contribute rather than a one-way flow of information. Effective communication will ensure that those responsible for managing risk understand how to escalate risks and why decisions are made, and that they receive feedback on any actions taken.

3.2 Establish the context

Establish the external, internal and risk management context in which the rest of the process will take place. The criteria against which risks will be evaluated should be established and the structure of the analysis defined.

3.3 Identify the infection risks

Comprehensive identification of 'what, where, when, why and how' in relation to risks and potential risks to the organisation at all levels is crucial. Some of these risks will be immediately identifiable; others may be less recognisable.

An important feature of this stage is to focus on the full range of risks across the organisation's objectives. This exercise will also identify current controls. Not every risk will be controlled at an acceptable level. The risks should be stated explicitly and must be communicated to the organisation, patients, the public and others. Healthcare Associated Infection is a significant risk for all NHS organisations.

3.4 Assess the infection control risks (likelihood, impact)

This stage is concerned with developing an understanding of the risks. The consequences, likelihood and hence the level of risk need to be determined at this stage (see Tables 1, 2 and 3).

It is useful to consider and develop an understanding of the following when analysing infection risks:

  • What are the risks associated with the work of the team (for staff, patients and others)?
  • What is the potential consequence of each risk (for staff, patients and others)?
  • What is the likelihood of each risk occurring?
  • What is the team's capacity/ability to reduce the impact of the risks identified (to staff, patients and others)?
  • What is the cost/benefit of controls in relation to the identified risks?

When this is translated to the organisational level, the following should be considered:

  • Nature and extent of the risks and their existing control measures
  • Degree and category of risk, including what is regarded as acceptable
  • Likelihood of the risks materialising
  • Organisation's ability to reduce the likelihood and the potential impact on business

All identified risks then need to be assessed and prioritised. The risk assessments will identify significant risks arising from the activities of the organisation (or infection control team), and these can then be assessed for potential impact on, for example:

  • Patient outcome and experience
  • Failure to meet objectives
  • Cost - resulting from civil action/claims/litigation/enforcement actions (e.g. by the Health & Safety Executive)
  • Activity - resulting from operational delays, increased waiting times, reduction of service or service failure
  • Loss of reputation.

Once the risks of an HAI incident or outbreak have been identified, the next step is to consider the likelihood of the risk actually happening and then relate this to the potential consequences or impacts that this event would have on the organisation, patients and staff.

The first part of this is the likelihood of the event occurring. Identifying the likelihood of most events occurring in healthcare can be subjective and based upon the knowledge and expertise of those involved in the risk analysis. However, evidence and statistics may be available regarding the recurrence of certain events, and this information can help you to assess the likelihood level. Within the management of HAI, available evidence includes the wealth of surveillance data collected locally and nationally. Only one likelihood level from Table 1 may be selected for each risk.

Table 1: Likelihood descriptions

Likelihood level descriptions, from lowest to highest (the level labels for the first four rows were not recovered):

  • Can't believe this event would happen - will only happen in exceptional circumstances
  • Not expected to happen but definite potential exists - unlikely to occur
  • May occur occasionally, has happened before on occasions - reasonable chance of occurring
  • Strong possibility that this could occur - could occur several times
  • Almost certain: this is expected to happen frequently / in most circumstances - more likely to occur than not

Frequency of event occurring: these should be defined locally by each NHS Board at corporate level and by teams at Unit/Directorate level. They may be in terms of days, weeks, months or years.

(Adapted from AS/NZS 4360:2004)


Once the likelihood is determined, the consequences or impact of the risk on the organisation must be agreed. In identifying the consequence level, the worst case scenario has priority. Executive teams and infection control teams should agree the tolerance of consequences for the organisation.

A consequence matrix based on AS/NZS 4360:2004 [11] is provided for guidance as Table 2. This table has been developed in collaboration with NHSScotland risk managers and is designed to be used as guidance when NHS Boards are developing or reviewing their own risk assessment matrices. An example of what an adapted, specific matrix for HAI might look like (based on existing practice within NHSScotland) is presented as Table 3. Several consequence descriptors may apply to a single risk. The most serious/significant of these should be used to determine the risk exposure rating.

The likelihood and consequence levels are then cross-tabulated to give a risk exposure rating. This determines whether a risk is categorised as red, amber, yellow or green (Table 4). Use of colour coding facilitates rapid communication and understanding of risks. Prioritising risks that are assigned the same risk exposure rating is achieved by examining the strength of the control measures in place for those risks. For example, a 'high' rated risk could have effective control measures in place that cannot be improved upon, whereas a 'medium' rated risk may not have any control measures in place; the latter is the risk that should be prioritised for action by the team.

Table 2: NHSQIS Core risk assessment matrix: Consequence descriptors (February 2008)

Table 3: Example HAI Infection Control Consequence Matrix

Table 4: Risk Exposure Rating

3.5 Evaluate

The purpose of evaluation is to make decisions, based on the outcomes of risk analysis above, about the controls and the level of priority required for each risk as laid out in the section below. Communication, consultation and consideration of the wider context are key to the success of this stage in the process.

3.6 Treat risks (plan and control)

Develop and implement a plan for the control of these risks. This can include many actions such as eliminating a particular activity because it is too dangerous, the use of protective measures, special training, or new policies and procedures to improve the current arrangements. NHS activity is inherently risky. All staff throughout the organisation currently manage aspects of risk within their existing practice to give some level of control.

There are three distinct types of control level:

  • Risk control level: this represents the current position and the existing control mechanisms at the time any risk is identified and assessed.
  • Target risk control level: the target will represent the highest control level considered realistically achievable for any risk.
  • Tolerance control level: following detailed analysis of the identified risks, the organisation must indicate an acceptable tolerance level for the risk. This should reflect the minimum steps considered necessary in a short timescale to improve control of any risk to a tolerable level. This will highlight areas for immediate further action or demonstrate a milestone in the achievement of the target control level.

Control Groups and Control Level

The systems and processes that are in place to control risk can be categorised into five groups of control. This helps to ensure that controls are recorded consistently and accurately throughout the organisation.

  • Management: the management systems/structures required to control risk
  • Policies and procedures: policies and procedures in place to control the risk
  • Contingencies: emergency plans/alternative arrangements that intervene should the risk become apparent
  • Active controls: implementation of immediate actions required
  • Passive controls: activity/information/legislation, outside your direct control, which may have an effect of reducing the risk

The controls within each group are explored using brief bullet-point information. This information will help to determine how much control there is within each group, measured on a five-level scale: None (1), Under Review (2), Planned (3), Partially Operational (4) and Fully Operational (5).

Descriptors for each of these levels are detailed in the risk control matrix (Table 5). Within each of the five groups choose the one level of control that applies to the risk. This must be done for all five control groups. When completed this allows a gauge of the total level of current control to be made and a decision on what actions (if any) are required to increase the level of control.

An organisation (or infection control team) may identify several 'red' risks that need to be prioritised for action. Examining the current level of control enables this prioritisation to take place. For example, if several 'red' risks are identified, some of these will have acceptable control measures in place that cannot be improved upon. These risks do not decrease, but are being actively managed to keep them under control. The remaining 'red' risks can be prioritised for action according to the level of control measures in place and whether or not these are acceptable to the organisation. Risk control plans or action plans can then be developed.
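The following is an added worked example, not part of the original methodology document, showing the cross-tabulation of likelihood and consequence into a colour-coded exposure rating (section 3.4) and the prioritisation of equally rated risks by their current control level across the five control groups (section 3.6). Table 4 is not reproduced on this page, so the rating bands, the summing of the five Table 5 priorities into a single control level, and the sample register entries are all assumptions made for illustration.

```python
from dataclasses import dataclass

# The five control groups of section 3.6. Each is scored with the Table 5
# priority: 1 = None, 2 = Under Review, 3 = Planned, 4 = Partially
# Operational, 5 = Fully Operational.
CONTROL_GROUPS = ("management", "policies_procedures", "contingencies",
                  "active_controls", "passive_controls")

# Worst rating first, so that sorting by this value orders risks for action.
RATING_ORDER = {"red": 0, "amber": 1, "yellow": 2, "green": 3}


@dataclass
class Risk:
    name: str
    likelihood: int    # Table 1 level, 1 (lowest) .. 5 (Almost certain)
    consequence: int   # Table 2/3 level, 1 (least severe) .. 5 (worst case)
    controls: dict     # control group -> Table 5 priority 1..5

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("likelihood and consequence must be 1..5")
        missing = set(CONTROL_GROUPS) - set(self.controls)
        if missing:  # the methodology requires a level for all five groups
            raise ValueError(f"unscored control groups: {sorted(missing)}")


def exposure_rating(likelihood: int, consequence: int) -> str:
    """Stand-in for Table 4 (not on the page): assumed bands on the product."""
    score = likelihood * consequence
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    if score >= 4:
        return "yellow"
    return "green"


def control_level(risk: Risk) -> int:
    """Assumed gauge of total control: sum of the five priorities (5..25)."""
    return sum(risk.controls[g] for g in CONTROL_GROUPS)


def weakest_groups(risk: Risk) -> list:
    """Groups at the lowest level: where an action plan should add control."""
    low = min(risk.controls.values())
    return [g for g in CONTROL_GROUPS if risk.controls[g] == low]


def prioritise(risks: list) -> list:
    """Worst exposure rating first; within a rating, weakest control first."""
    return sorted(risks, key=lambda r: (RATING_ORDER[exposure_rating(
        r.likelihood, r.consequence)], control_level(r), r.name))


# Constructed sample register (illustrative values, not real NHS data).
SAMPLE_REGISTER = [
    Risk("Ward transmission of a resistant organism", 4, 4,
         dict(zip(CONTROL_GROUPS, (4, 5, 3, 4, 3)))),
    Risk("Outbreak with no isolation capacity", 3, 5,
         dict(zip(CONTROL_GROUPS, (2, 2, 1, 2, 1)))),
    Risk("Hand hygiene audit non-compliance", 3, 3,
         dict(zip(CONTROL_GROUPS, (3, 3, 3, 3, 3)))),
    Risk("Delayed cleaning of a side room", 2, 2,
         dict(zip(CONTROL_GROUPS, (4, 4, 2, 3, 3)))),
]
```

Both 'red' risks in the sample share a rating, and the one with a control level of 8 (contingencies and passive controls both at 'None') is placed first for action, which is the prioritisation section 3.6 describes.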

The risk control plan or action plan

After considering the risk control level, you are now able to decide whether a target control level is required, and if any improvements are necessary. If so, then decide the level of control that you need to achieve to reach the target control level.

Specific actions can be assigned to any or all of the five control groups and will aim to increase the control level (Table 5). The summarised list of actions becomes the risk control plan or action plan. The plan must also detail the timescale for the improvement to be achieved and any cost benefit in relation to the risk. Additional information required to complete the risk control plan includes:

  • The named risk owner - the person ultimately accountable for the risk
  • The named risk manager - the person actually responsible for managing the risk
  • The reporting arrangements for review - the review timescale and the person responsible for it, if different from the risk owner. The risk control plans may also be reviewed by a group or committee
  • Details of the person recording the information, and the date.


The risk control planning process should also compare the risk exposure costs (should the risk materialise) with the cost of planned improvements to current controls. Capital and revenue, recurring and non-recurring costs must be considered. Any increase in other resource requirements must also be considered and identified. It is possible that the impact in cost or resources required might outweigh the actual impact of the risk materialising on the organisation. The prioritisation of risks allows the organisation to further characterise the risks that require early attention on a cost and benefits basis and address them in the most effective way.

Table 5: Risk control matrix

Control Group (Priority): None (1) | Under Review (2) | Planned (3) | Partially Operational (4) | Fully Operational (5)

Management:
  • None (1): No systems at present
  • Under Review (2): Recognise change is necessary
  • Planned (3): Objectives set; action plan; evidence of problem areas
  • Partially Operational (4): Measured outcomes so some improvement; not applicable over the whole dept/organisation
  • Fully Operational (5): Evidence that controls are reducing risk. Audit of system can demonstrate reduction in likelihood or severity

Policies and Procedures:
  • None (1): Not available; no evidence that a procedure exists
  • Under Review (2): Recognition that current policy requires review/amendment
  • Planned (3): Action plan to review policy identifiable
  • Partially Operational (4): Implementation plan for policy in operation; evidence of staff awareness of policy and associated practices within some areas of the organisation/department
  • Fully Operational (5): Evidence of audit of policy, which has reduced the likelihood or severity of the risk identified

Contingencies:
  • None (1): If something goes wrong with current controls, no plans available
  • Under Review (2): Awareness that plans are required; evidence of investigation
  • Planned (3): Contingency plan under development
  • Partially Operational (4): Evidence of the implementation of contingency plan; tested and reviewed as a result
  • Fully Operational (5): Contingency plans have been tested and proved to be operational if required

Active Controls:
  • None (1): No action taken
  • Under Review (2): Plans to be reviewed
  • Planned (3): Action plan for this risk under development, with clear deadlines
  • Partially Operational (4): Partially achieved
  • Fully Operational (5): In full operation; immediate action of plans

Passive Controls:
  • None (1): No evidence available
  • Under Review (2): Currently have some knowledge of passive control
  • Planned (3): Plan to identify information and other systems which may have an impact on risk exposure
  • Partially Operational (4): Emerging evidence that changes introduced elsewhere are having an unexpected effect on outcome and reducing risk
  • Fully Operational (5): Demonstrable reduction in risk from passive risk awareness activity

3.7 Monitor & Review

Establish a system where all risks have a review process and defined reassessment timetable. This will ensure that the risk management process is dynamic and continuous. The review process must include the addition of new risks as they are identified.

All identified risks and associated actions must be monitored and reviewed on a continuous basis by named individuals and/or groups, for example, the Infection Control Committee. A risk control plan that does not change very often may indicate that risk is being identified, but not managed or controlled.

A monitoring process that is able to provide assurance to the NHS Board that appropriate control measures are in place and being followed for all significant risks is key to ensuring effective risk management. In addition, there should be formal procedures in place for reporting weaknesses and for ensuring corrective action. Additional support for the review process will come from effective internal audit and clinical governance systems.

Summary of this section

To summarise the process laid out here: risk identification leads to decisions on the likelihood of the event and the severity of the consequences if the event happens; cross-tabulating these two values gives a red/amber/green colour-coded risk exposure rating. The risk controls already in place under the five categories give a risk control level, and 'red' or 'amber' risks in particular can be prioritised for action by assessing their existing risk control level. The risk can then be placed on the risk register for the team and the organisation, and action taken to increase risk controls to a level the organisation can tolerate.

Figure 1: Risk Assessment Process (AS/NZS 4360:2004)