/

Risk is both a noun and verb, a concept and an action. We can take risks and we can
risk disaster. We can speculate that analytical error is one of the biggest risks in
laboratory testing. We can try to quantify our statement by speculating that the risk
of a laboratory error is a certain probability. Those are all accepted examples of risk.

There are also many common definitions, such as: risk is an unwanted event, which
mayor may not occur; risk is the cause of an unwanted event, which mayor may
not occur; and risk is the probability of an unwanted event, which mayor may not
occur. But beyond those common meanings, in the discipline of risk and the practice
of Risk Management, we must be aware of more specific definitions, such as found
in ISO 14971 :2007:

• Risk - the combination of the probability of occurrence ofh!lrm and the severity
of that harm
• Harm - physical injury or damage to the health of people, or damage to property
or the environment
• Severity - measure of the possible consequences of a hazard
• Hazard - potential sources of harm

According to the ISO definition, risk appears to be quantitative, a product of the

probability of occurrence and the severity of harm. It is interesting that the
"probability of occurrence" is not defined, even though it is a critical factor in the
determination of risk. Severity is defined, but it will obviously be a challenge to
come up with a quantitative measure. Nevertheless, this difficulty should not be
insurmountable. Clearly, despite multiple definitions of the word Quality, we've still
been able to implement many quality control, quality assurance, and quality
improvement techniques in the laboratory. It's the same with Risk. We may have
different working definitions of the term, and the layman's idea of what Risk is may
not agree with our own, but that shouldn't stop us from trying to make things better.

Now we need to get technical in order to define and confine the application of risk
management to analytical QC. The many different terms being used today are
themselves confusing, so let's start with some basic definitions [all from ISO
14971 :2007]:

• Risk management - the systematic application of management policies,

procedures, and practices to the task of analyzing, evaluating, controlling and
monitoring risk
• Risk analysis - systematic use of available information to identify hazards and to
estimate the risk
• Risk evaluation - process of comparing the estimated risk against given risk
criteria to determine the acceptability of the risk
 • Risk control - process in which decisions are made and measures implemented
by which risks are reduced to, or maintained within, specified levels

There is no definition of Risk monitoring, though that activity is an essential part of

risk management, but there are some other terms that will often be encountered:

• Risk assessment - overall process comprising a risk analysis and a risk

evaluation
• Residual risk - risk remaining after risk control measures have been taken

When first encountering all these terms, several sound the same, yet take on specific
meanings that must be recognized in order to understand the ISO and CLSI
guidelines. Figure 4-1 provides a graphic explanation of their relationships, as well
as a picture of the process of risk management.

1-----------------------------------------------1
: Risk Analvsis and Assessment :
I I

: 1:Hazard Analysis 2:Risk Es rima llon 3:Risk Evaluarion :

: Identify hazards Estimate Occurrence Acceptability Matrix :
I Failure-modes Estimate Severity "Criticality" 1

: Assessharm Estimate Detectabllity Prioritization:

I
1 - I
1

6:Risk Moniloring 5:RiskComrol 4:Risk Reduction

Identify fa ilures Identify controls Analyze rootcause
Estimate frequency Developcontrol plan Prevent error
Assessrisk Implement controls Mitigate error

The first step in Risk Management is Hazard Analysis, which focuses on identifying
hazards or the failure-modes of analytical methods and systems, then assessing
whether they may result in harm to the patient. Risk Estimation is the rating or
ranking of occurrence, severity, and detectability to provide a semi-quantitative
method for estimation of risk in terms of a Risk Priority Number or RPN.

Note that Risk Analysis commonly refers to the combined steps of Hazard Analysis
and Risk Estimation. Risk Assessment is commonly _used to include the third step
Risk Evaluation, which deals with the comparison of the estimated risk to acceptable
risk, sometimes using the RPN, or an acceptability matrix, or the calculation of
"criticality":

Then follows the application of some prioritization technique, such as Pareto

analysis or sometimes various prioritization rules.
Given the knowledge from the first three steps, the next part of risk management has
to do with Risk Reduction, which involves root cause analysis, implementation of
preventive mechanisms when possible, and other mitigations if necessary to identify
error conditions to reduce their impact. Risk Control is the part of the process that
corresponds to the "QC Plan," which identifies controls for specific sources of errors
and organizes their implementation. Finally, Risk Monitoring is the mechanism for
continual improvement by monitoring failures, estimating their frequency, and
assessing their risk through Hazard Analysis, etc., starting the risk management
cycle again.

Hopefully, this picture is worth a thousand words! Understanding risk management

starts with a careful understanding of the terminology and the relationship of the
different steps or components involved in the risk management process, otherwise
reading the literature and guidelines can be confusing. Risk management, on one
level, is intuitive, but its application in the real world requires a depth of
understanding that may not be obvious on first encounter.

With risk management guidelines for laboratory QC due to be published this year by
CSLI, we will be following the emerging recommendations and will try to help you
understand where they fit relative to traditional QC practices that focus on error
management. It is important to adopt new tools and techniques that lead to the
improvement of quality. It is equally important to maintain effective tools such as
Statistical QC, which have a proven history throughout industry, including medical
devices and healthcare laboratories. The end point, the analytical QC plan, must
provide the right balance of QC tools that should, according to ISO 15189, "verify
the attainment of the intended quality of test results."

1. ISO 15189 Medical Laboratories - Particular requirements for quality and

competence. 2007
2. Institute of Medicine. To Err is Human: Building a Safer Health System.
Washington DC: National Academy Press, 2001.
3. Institute of Medicine. Crossing the Quality Chasm: A New Health System for the
21st Century. Washington DC: National Academy Press, 2001.
4. Joint Commission on Accreditation of Healthcare Organizations. 2002
Comprehensive Accreditation Manual for Hospitals. Oakbrook, IL;2001, pp 200-
201.
5. Institute for Healthcare Improvement. Failure Modes and Effects Analysis
(FMEA). 2004 (www.ihi.org accessed March 2009).
6. .De Rosier J, Stalhandske E, Bagian JP, Nudell T. Using health care failure mode
and effects analysis: the VA national center for patient safety's proactive risk
analysis system. Jt Comm J Qual Improv 2002;27:248-67.
3 The risk management process

The risk management process consists of a series of steps that, when undertaken
in sequence, enable continual improvement in decision-making.

The elements of the risk management process are summarised in Figure 3.1.

1-------------------
..•...

::-
--~·---~-I----E-s-ta-b-l-iS-h-~~h-e-c-o-nt-e-x-t--

II~- I r-
!
.±:::
~
c
o
u
<:l
C ~ I
-gi
; ~_r <ll
<ll
.~
,g I
~Eli I ~
c
o

8 ~.K---~a,uate the risks

1 l· . I

__ J
••