29. Februar 2024
One year after the introduction of a risk management system, I was asked to evaluate the first steps, principles and plans for risk management. There was an existing quality policy, which was supplemented by the sentence "We emphasise risk management and patient safety". This summary was called the quality and risk policy. As you can imagine, this is nice information, but not a risk policy. Despite the greatest commitment and effort, this sentence does not fulfil the requirements of a risk policy in the slightest. Unfortunately, this is not an isolated case and many organisations, including in the healthcare sector, can demonstrate no, a rudimentary or only a pro forma risk policy.
A "proper" risk policy is far more than a theoretical construct or an audit requirement to tick off. It is a comprehensive representation, specification and description of risk management in the organisation, ranging from strategic derivation to "tactical" operational implementation.
To visualise the importance of a risk policy in a slightly different way, let's imagine that the risk policy is our navigator, steering the ship safely through dangerous waters. The risk policy acts as a compass and nautical chart that helps the navigator to define elements, components and important principles. It forms the basis for determining the optimum route and developing strategies for avoiding or overcoming obstacles (risks), but also for setting up the key components of a risk management system. Without a clear risk policy, the ship, in our case the organisation's risk management, would be exposed to an uncertain fate.
Imagine you are planning a 6-month tour of Africa and the only thing written in your plan is: we are travelling a lot by car. Very instructive and helpful in practice, ironically of course.
A conscientious risk policy must be reflected in all areas of the organisation. Unfortunately, practical examples besides those mentioned above show that either option A. the risk dimension is not included in an existing quality management policy or option B. there is no risk policy at all. Both indicate that no step has been or will be taken in the organisation.
Without a concrete, living risk policy that has been thought through at length from the top and has been approved, promoted, communicated and, above all, demanded with full conviction, you should save yourself the effort and time for pro forma exercises. The risk policy is light years more than a compulsory exercise for an audit or because it looks good or is customary. It is the beginning, the foundation and the basis for all further derivations. Details on one of the most important factors in this context will follow in Episode 10, the CEOP(S) factor.