When I run SCCI 0160 courses in clinical risk management in Health IT I like to ask attendees lots of questions. I often feel that I learn as much as they do at these sessions. One question in particular nearly always gets a predictable answer: how do you manage risk in your Health IT systems currently?
Attendees will usually present their ‘risk and issue log’, a graveyard of ongoing gripes, complaints, barriers and shortcomings which are the bane of their owners’ lives. Then I pose a different question: if we were to look at all the potential hazards which a Health IT system presents, how could I use your current risk log to show that risks have been mitigated? This causes frowns, consternation and debate – a moment I cherish on every course.
The reality is that these kinds of logs and processes represent a reactive approach to risk management. They give us the means to escalate problems, bring them to the attention of senior colleagues and occasionally even resolve them. These are useful risk management activities but by no means the complete picture. Clinical risk management in Health IT, like all safety critical industries, requires a proactive approach.
So why is a reactive method insufficient? The problem is two-fold. Firstly, with a reactive process, one is forced to wait for problems to arise before they are tackled. Suppose we allow a supplier to develop a software product in a vacuum, without any user engagement, clinical input, domain knowledge or usability evaluation. The resulting solution is likely to be naïve, ‘clunky’ and possibly unsafe. With a reactive approach we need to turn those shortcomings into items on a log in the hope that the supplier might agree to invest in putting things right.
Worse still, we might have to wait for a patient to come to harm before anyone takes notice of the product’s limitations. This is not a strategic way of managing risk. Suppose we had to wait for an aircraft to crash before we understood its flight characteristics? Suppose we had to bring a drug to market in order to determine its side effects? Whilst seemingly ridiculous, the approach is not uncommon in Health IT.
Secondly, suppose we have a tried and tested Health IT system with a long history of safe operation. Surely we can rely on a reactive approach in these circumstances? Well, consider this: to improve safety we need to constantly learn. With a reactive approach we only learn when something goes wrong. But if things go wrong infrequently, there is little or no opportunity to learn. Taking our previous analogy, suppose the only time we improved the safety profile of a Boeing 747 was following a crash. With such low incidence it would be a long time before we made any progress.
Effective risk management in Health IT isn’t achieved by documenting gripes. Remember, on the journey to reaching a safe system one does not need to transit through one which is unsafe. What’s needed therefore is a fundamental shift in the way we think about risk. We need to harness the power of foresight and prediction, skills which frankly are in no short supply amongst healthcare professionals. Given what we know about the system’s characteristics, what might go wrong? How might a patient come to harm? What can we do early in the project to prevent that from happening? We document these activities and the result is a safe system accompanied by a compelling safety case.
So the next time you’re asked how you currently manage risk in your Health IT solution, how about putting your list of moans and groans to one side? Instead, proudly shout about the strategic work being done to proactively identify hazards and systematically mitigate them before problems ever arise.