Ops Risk Survival Guide: Three Lessons Bankers Need to Learn from Hospital Risk Management

Posted by Brian Barnier, ValueBridge Advisors

Warning – don’t read this while you’re eating lunch! Those who have seen me teach know I draw on examples from my health care experience. Recently, while on a break from facilitating a financial services workshop, I saw the displays for a program on medical risk. This program addressed the risk of hepatitis infection through poorly sterilized equipment used for lower GI examinations – with lots of pictures. This reminded me of the combination process and event approach that the medical industry has used for decades to manage risk. In the past decade, they have seen significant improvements. In this post, we’ll look at just three valuable lessons to learn from the hospital industry.

Over the years, I’ve spent quite a bit of time in hospitals, whether as adjunct facility in medical economics, working on business issues, advising a hospital in emerging Russia or with some serious family medical issues (as many of us have, including mal outcomes). Through this, I’ve seen steady improvements in medical risk management from both research and practical perspectives. I also know that some hospitals are doing better than others. While financial institution risk managers feel the pain of fraud, IT controls and excessively complex debt instruments, the impacts are not as severe or tangible as death and disability. Ops risk managers in financial institutions can learn good lessons from their colleagues in the medical profession. Here are just three lessons that can be immediately moved from the hospital setting to financial institutions.

1. Hospitals use risk impact categories for their worst medical outcome events that relate to both severity and ability to prevent. Sometimes bad things happen and there was little to systematically prevent it. Other times, something could have been done and wasn’t. These events that were bad and preventable are called “Never Events” and have strong best practices around them. These categories are a significant lesson and yet rather foreign to most financial institutions. Debate has surrounded the Basel II risk categories and reporting for years due to the flaw in focusing on “proximate” rather than “root” cause. This is still not resolved. Yet in the medical setting we see the categories actually attached to the cause – through the vehicle of prevention. This link to prevention is a particularly good lesson to be borrowed by financial services ops risk leaders who are struggling to get support from their management to move from ops risk “reporting” to “fixing.” Tip: Call up your risk management counter-part in your local hospital. Arrange for the two of you and your CEOs to have lunch and talk risk.

2. Hospitals are increasingly focused on performance. Best practice training materials define “performance = quality/cost.” Improved quality reduces cost and risk. This stands in stark contrast to most (certainly not all) financial institutions where “risk and compliance” seem to go together (making it likely that risk is not see as a value-driver in the business). What are they doing on the hospital side? Here are two great bullet points that the president of clinical services at a large hospital system shared at an American Hospital Association program.
• Measurable improvement targets will be incorporated into the Performance Improvement Program and reported to senior leadership and the facility Board of Trustees. Reporting, at a minimum, should include the frequency and severity of serious preventable adverse events, how they were communicated to the patient and identified opportunities for improvement.
• Quality & Safety – always the best business case – now offers an increasingly compelling and overt business case in value-based purchasing world that reveals price and performance
The point is that risk management is seen as deeply connected with the performance to various stakeholders (patient, payors, insurers, regulators) in a hospital. Again, prevention is paramount. Tip: Consider your organizational structure: Can you shift to the model used in some hospitals? Will your new job role be “Director of Performance Improvement & Risk Management?”

3. Root cause analysis is built-in. If you read hospital best practice post-event procedures, you’ll see the requirements for root cause teams to understand problem and recommend actions to prevent. (Yes, we know some of this is driven by liability concerns, but let’s take the high road.) Of course, you don’t wait for something bad to happen to do root cause analysis. Just as we discussed last week in lessons from the oil and gas industry, the point is to understand the business process and understand what can go “bump.” This requires a detailed understanding of both the process and likely bad outcomes.
• In one report on the spread of infectious diseases, a simple checklist for a high risk (but relatively common) procedure was shown to have a meaningful impact on reducing infections in a US state.
• Take this another step, in your diagnosis, look at the systematic aspect – how did people behave? Was this a training problem? Was it a procedure problem? Was it raised in the management chain? Was the wrong action taken in response to some event that made the situation worse? Would another similarly trained person take the same actions? These questions provide much insight to design the fix.
Tip: (OK, this is a bold one) tell your CEO you are going to stop tracking what you are not fixing. Sometimes tracking feels like a security blanket. But it just distracts from root cause and performance. Be a “fixer.”

In summary, everyone knows that operational risk is newer than other types of risk in financial services. What many financial services people don’t know is how far financial services are behind other industries. Take time to apply just these three lessons from hospitals.

What do you think? Are you already applying some of these approaches? If so, good for you! Why do you think others struggle to get to where you are? If you are not using these lessons, is it because you were unaware or is there some hurdle you are facing? Share your thoughts and post a comment. If you would like to reply to me personally or ask a question, feel free to do so at briangbarnier @ gmail.com (remove the spaces).

Best,

Brian

P.S. Will you or a colleague be at the World Conference on Disaster Management in Toronto in June? If so, look me up. I’ll be teaching a session on Business Continuity Governance.

About the author: Brian Barnier, CGEIT, is an advisor, teacher, writer and researcher on risk-return value management. He teaches CPE classes and speaks at a range of conferences, writes for business and technology publications, and serves on multiple industry practices committees regarding risk, business process and IT value. He has worked in a range of industries and, in doing so, helps cross-pollinate his clients with the best of the best in risk management.


This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.