Rebalancing Risk Management -Part 1: The Process for Active Risk Control (PARC)

Date post: 31-Jan-2023

Authors: Alan J. Card, PhD, MPH, CPH, CPHQ

James R. Ward, BEng, CEng, PhD

P. John Clarkson, PhD, HonD, CEng, FIET, FIED, FREng

This is a pre-print draft of the paper. The final and definitive version will be published in the Journal of

Healthcare Risk Management. Please cite as:

Card AJ, Ward JR, Clarkson PJ. Rebalancing Risk Management -Part 1: The Process for Active Risk

Control (PARC). J Healthc Risk Manag 2014;34:21–30.

ABSTRACT

Risk assessment, by itself, does nothing to reduce risk or improve safety. It can only

change outcomes by informing the design and management of effective risk control

interventions. But current practice in healthcare risk management suffers from an almost

complete lack of support for risk control. This first installment of a 2-part series on

rebalancing risk management describes a new framework to guide risk control practice:

The Process for Active Risk Control.

INTRODUCTION

Risk assessment, by itself, does nothing to reduce risk or improve safety. It can only

change outcomes by informing the design and management of effective risk control

interventions. But, while current practice in healthcare risk management is supported by a

bewildering array of risk assessment (problem exploration) tools,1 there is very little

support for the problem-solving process of risk control.2–4 This may reflect the fact that

healthcare risk management relies on approaches that were originally developed for high-

reliability fields (e.g., power generation, manufacturing, the chemical industry, etc.), in

which the risk management process is typically led by safety / reliability engineers.

Engineers receive extensive training in converting requirements (such as those identified

through risk assessment) into robust and effective interventions,5 which may prepare

them to bridge the gap between risk assessment and the design of high-quality risk controls.

This is not the case in the healthcare industry6 where risk assessment techniques are used

largely by healthcare workers who have deep clinical knowledge, but often lack training

in fields like engineering or ergonomics.7 Perhaps as a result, healthcare workers have a

difficult time generating and assessing risk control options, leading to overuse of weak

risk controls, including some that may do more harm than good.6,8–14

Healthcare risk management has been defined as “an organized effort to identify, assess,

and reduce, where appropriate, risks to patients, visitors, staff, and organizational

assets.”15 And among these objectives, patient safety improvement has been identified as

the discipline’s “number one goal.”16 But despite the uptake of risk assessment

techniques such as root cause analysis (RCA)6 and failure mode and effects analysis

(FMEA),17 it does not appear that patients are getting safer.18 And the current rate of

harm, at about 25-30%,18–20 clearly represents an unacceptable failure rate. Indeed,

preventable adverse events in healthcare may be the leading cause of death in the US.21

There are probably many reasons for this, including slow uptake and sometimes poor

application of existing risk management approaches, as well as an anemic evidence base

to support practice.22 But the well-documented shortfalls of current practice in risk

control almost certainly play a role.6,8–13 This article is the first in a two-part series aimed

at addressing these shortfalls.

In this first installment, we present a novel framework for risk control practice, the

Process for Active Risk Control (PARC). In the second installment, we will describe a set

of techniques for operationalizing the PARC, in the form of the Active Risk Control

(ARC) Toolkit23,24 and present a pilot study to show how the approach can be used in

practice. (The ARC Toolkit is available for free at www.activeriskcontrol.com)

FRAMING THE PROCESS FOR ACTIVE RISK CONTROL

Defining Risk Control

We define risk control as: Coordinated activities to modify the level of one or more risks

that have been evaluated as unacceptable, with the goal of achieving, maintaining, and

demonstrating an acceptable level of risk for the risk(s) of interest, and an overall

improvement in the organization’s risk profile. Table I describes some implications of

this definition.

Table I: Implications of this definition

Facets of the Definition | Implications

Risk can be constructed in positive or negative terms (the risk of benefit).25 | Not important when focusing on negative patient safety risks, but allows for broader application of the definition in support of the recent trend toward enterprise risk management26

Successful risk control must result in a net improvement in risks held by the organization. | Reducing the risk of interest is necessary, but not sufficient; both the positive and negative side effects of the risk control must be taken into account to determine the system-wide effect of risk control interventions.

Risk control success must be maintained. | Initially achieving an acceptable risk level is only part of the job. Sustaining success is an ongoing process that is more or less active, depending on the nature of the risk control.

Risk control success must be demonstrated. | Requires monitoring and evaluation. Investment in this process should be in proportion to the risk, identified side effects, and the nature of the risk control.

Risk control success is based on achieving an acceptable level of risk (while doing more good than harm for the organization’s risk profile). | This is gauged by evaluating risk levels against the organization’s risk criteria.27 These risk criteria may be imposed (e.g., by law, regulations, or contract), or may be locally constructed [e.g., a 50% reduction within 6 months; as low as reasonably practicable (ALARP).28] When risk criteria are locally constructed, this definition’s focus on acceptability allows for the potential of double-loop learning,29 in cases where the assessment of risk control options, or the experience of attempting to implement and sustain risk controls, leads to a new definition of what is acceptable.

Current Practice

The risk management process model described in ISO 31000: Risk management —

Principles and guidelines on implementation27 has been widely adopted as a framework

for healthcare risk management policies and procedures. Because ISO 31000 is

frequently used as an approach to enterprise risk management (ERM), the recent

promotion of ERM by the American Society for Healthcare Risk Management

(ASHRM)30 is likely to accelerate the adoption of this approach in healthcare.

ISO 31000 describes a risk management process consisting of 5 steps (Establishing the

Context; Risk Identification; Risk Analysis; Risk Evaluation; and Risk Treatment) and 2

cross-cutting functions that take place in parallel with all 5 steps (Communication and

Consultation; and Monitoring and Review).

Risk control (referred to in ISO 31000 as risk treatment) focuses on solutions. Arguably,

it is therefore the most important component of the broader risk management process.

But this function has received scant attention in the risk management literature.2–4,6

Instead, the risk management literature has primarily concerned itself with the problem-

focused process of risk assessment. That is reflected in the ISO process model,27 which

perpetuates this unbalanced approach by illustrating risk assessment as a 3-step process

(risk identification, risk analysis, and risk evaluation), while relegating risk treatment to a

single step.

The standard gives some useful guidelines for risk treatment (see Table II), but much of

the guidance it provides is vague, inconsistent, or incomplete.31,32 Examples include:

• Defines risk treatment (i.e., risk control) as a “process to modify risk,” which is so

vague that purposely making things worse would qualify as risk treatment;

• Ignores the need to sustain risk controls in operation;

• Discusses the possibility that a risk control might lead to secondary risks, but

ignores the possibility of positive or negative side-effects that do not meet the ISO

definition for risks;

Perhaps most importantly from the standpoint of a practitioner seeking to use the

standard as a framework for risk control practice, it paints an incomplete and confused

portrait of the risk control process. First, it states that “Risk treatment involves a cyclical

process of: assessing a risk treatment; deciding whether residual risk levels are tolerable;

if not tolerable, generating a new risk treatment; and assessing the effectiveness of that

treatment.”27p.19 Without acknowledging the first description, it then goes on to describe

risk treatment as a 2-step risk treatment process consisting of Selection of risk treatment

options and Preparing and implementing risk treatment plans. As we will describe, both

of these descriptions are incomplete.

Table II: Selected risk control guidance from ISO 31000 27

Risk control selection should be based on cost-benefit analysis (including non-economic costs)

A combination of risk controls may be required

Produce a prioritized list of risk control recommendations

Consider new risks that might result from risk control; integrate management of these secondary risks with management of the risk of interest

Monitor, review, and communicate residual risk after treatment

Document performance measures and constraints

Document the resource requirements

Document planned timing and schedule

Engage stakeholders

Integrate risk treatment plan with existing management processes

Despite its widespread adoption, ISO 31000 provides an inadequate model for

understanding and managing the risk control process. It includes some useful advice, but

overall its guidance for risk control is underdeveloped, inconsistent, and difficult to

translate into practice. There is an urgent need for clear, cogent guidance to achieve better

risk control performance.

The Process for Active Risk Control

Figure 2 illustrates the Process for Active Risk Control (PARC), which is intended to fit

within the consensus model of the risk management process (for example by replacing

the risk treatment step of the ISO 31000 process model). As shown in Figure 1, the

PARC consists of eight steps (central column) and two cross-cutting functions (the outer

columns, which are drawn from ISO 31000). Movement through the steps is not expected

to occur in a strictly linear fashion; in fact, iterative loops are an important component of

the process. Learning generated in one step should be used not only to inform subsequent

steps, but also to refine previous ones.

Figure 1: The Process for Active Risk Control 23 (used by permission under a Creative Commons Attribution 3.0 Unported License)

Beyond the risk management literature, the PARC draws from (and may contribute to)

the disciplines of design,33–38 and Lewinian change management.39–44 It also aligns well

with the Engineering Problem Solving Methodology, which has recently been introduced

to the patient safety community.45

[Figure 1 labels: Communication and consultation (cross-cutting function); Establish the context; Options assessment (Generate risk control options; Analyze risk control options; Evaluate risk control options); Select risk controls; Implement risk controls; Sustain risk controls; Evaluate outcomes; Monitoring and review (cross-cutting function)]

Establish the (Risk Control) Context

This step consists of two components: Framing the Problem, and Defining the Criteria

for Success.

Framing the Problem

This sub-step ensures that the risk to be addressed is correctly framed (e.g., is the real

problem patient falls, or patient falls with injury?), and that the risk is formulated as a

solution-neutral problem statement,36 (i.e., a definition of the problem that does not

specify a preferred solution).

Defining the Criteria for Success

In this sub-step, participants explicitly state the conditions under which the risk control

process would be deemed successful. Given the definition of risk control proposed

earlier, the definition of success should include a net improvement in the risks held by the

organization.

Rationale for Establish the Context

Establishing the context defines the goals of the risk control process, and serves as the

standard against which outcomes are measured.

Problem framing is a concept borrowed from the literature on design thinking.34 It is

necessary because the problem-as-presented (in this case, the risk as originally defined

through the risk assessment process) is not always the most useful way of looking at the

problem. Two common approaches to problem-framing include making the problem

more abstract, and making it more specific.

For example, consider an incident in which a patient fell and broke her hip because she

needed help toileting, but her nurse was away from the unit retrieving supplies for

another patient. Framing the problem as “a patient fall” is not inaccurate, but it might not

be the most helpful approach. A more abstract problem frame, such as “nurses are being

pulled away from patient care,” could result in a much broader range of solutions (e.g.,

storing more supplies in the unit, using non-care staff to restock supplies, etc.). Perhaps

counter-intuitively, a more specific problem frame, such as “patient falls with injury” can

also allow for a broader range of solutions; unlike the original problem frame of “patient

falls,” this approach would allow for a focus on reducing injury for those who do fall

(e.g., by using softer materials for floors and walls, using inset sinks, etc.).

Establishing the criteria for success should ideally result in a goal that is SMART

(specific, measurable, achievable, realistic, and time-bounded), such as “a 50% reduction

in the rate of falls-with-injury within 6 months of implementation, and a net positive

effect on the organization’s risk profile.” But in the case of low-likelihood incidents like

active shooter scenarios,46 or risks for which reliable tracking data is not available, the

goal can be to achieve a level of risk that is as low as reasonably practicable (ALARP).28

Options Assessment

Analogous to the Risk Assessment function from ISO 31000, Options Assessment is

made up of three steps: Generate Risk Control Options (analogous to Risk Identification),

Analyze Risk Control Options, and Evaluate Risk Control Options (analogous to Risk

Analysis, and Risk Evaluation, respectively). This is the overarching process by which

potential risk control interventions are conceived and explored, and through which their

anticipated outcomes are compared to the criteria for success.

Generate Risk Control Options

This is the creative process of developing an initial list of potential risk control

interventions.47

Analyze Risk Control Options

This is a process to comprehend the nature of a risk control option across its lifecycle,

and to determine the level of costs and benefits associated with that risk control option.

This includes a description of its mechanism of action (the logic model48 that explains

how the risk control option would reduce risk), and an assessment of positive and

negative side effects (i.e., new risks introduced, and additional risks controlled, as a result

of the risk control). The PARC calls for users to analyze and document the factors

described in Table III.

Table III: Factors to be documented in the Options Analysis Stage

Negative and positive side effects of the risk control | Assessing both enables modification of the risk control design to reduce the former and increase the latter; it is also critical for making accurate assessments of a risk control’s net impact on the risks held by an organization.

Mechanism of action | “The theory behind the chosen intervention components or an explicit logic model for why this patient safety practice should work.”49, p.694

Stakeholder identification | Stakeholder engagement necessarily requires stakeholder identification.

Ease-of-use | An evaluation of how easy or difficult it will be for stakeholders to use the risk control as intended.

Definitions of success for implementation, sustainment, and outcomes evaluation | The criteria for success at all 3 stages of the risk control’s lifecycle.

Risk control robustness | The likelihood of the risk control being consistently sustained over time. A hierarchy of risk controls can be used as a high-level measure of the likely robustness of a risk control6,50

Forces in favor of, and against, the risk control’s success | e.g., a force-field analysis51 or Lovebug Diagram52

Requirements for successful implementation, sustainment, and monitoring / evaluation | The resources that will be required to implement and sustain the risk control, to monitor implementation and sustainment, and to evaluate the success of the risk control.

Anticipated costs | Monetary costs associated with implementing, sustaining, and evaluating the risk control. This may be quantitative or qualitative.

Cost-effectiveness for sustained success | An assessment of the risk control’s cost-effectiveness across all 3 stages of its lifecycle. This may be quantitative or qualitative.

Evaluate Risk Control Options

This is the process of comparing analyzed risk control options to the criteria for success.

A combination of risk controls may be required to achieve success, so a positive

evaluation is not dependent on whether a single risk control by itself can achieve success,

but on whether it makes a sufficient contribution toward success in view of its costs. Any

dependencies, synergistic effects, or overlapping mechanisms of action between

individual risk controls should be taken into account at this stage. The purpose is to

produce a suite of risk controls that will work together as a system.

Note: Neither costs nor benefits are limited to financial costs; they also include side

effects, effort, impact on morale, expenditure of internal or external political capital,

reputational impacts, etc.

Note: Options evaluation includes producing a rank-ordered list of risk control

recommendations, as called for in ISO 31000.27

Rationale for Options Assessment

Current practice in risk control often involves little more than brainstorming a few action

plans (usually weak ones like training or policy development6). These typically take the

form of short blurbs, such as “Develop an annual training course for safe use of the new

IV pump.” The PARC calls for a far more robust process. The goal of options assessment

is to produce a manageable number of cost-effective and sustainable risk control

recommendations, and to ensure that they work together as a system not only to reduce

the risk of interest, but also to improve the organization’s overall risk profile. It should

also result in a detailed rationale for these recommendations, to assist decision-makers in

the next step of the process: Select Risk Controls.

Select Risk Controls

In this step, decision-maker(s) use the results of the previous steps to make a judgment

about which risk controls to implement. This decision may be informed by information

not immediately available to the team that produced the recommendations [see for

instance 9,53].

Depending upon the nature of the risk controls in question, this may lead to another round

of the options assessment / selection process, in which detailed (implementable) designs

or prototypes are generated, analyzed, and evaluated before final selection /

implementation takes place. For instance, if training is selected as a risk control, the

training curriculum might be generated, analyzed, evaluated, and selected (approved)

before final implementation. Or if a decision is made to purchase a new type of IV

pump, a list of candidate IV pumps might be generated, analyzed (including usability

testing, cost comparisons, risk assessment, etc.), and evaluated before a final selection is

made and purchasing can commence.

Rationale for Select Risk Controls

Final approval of risk control recommendations should include sign-off from senior

management. This is important both to ensure that the risk controls are aligned with the

organization’s strategic goals, and to secure senior management support for the intended

actions.

Implement Risk Controls

This step consists of putting the selected risk controls into practice. The Implementation

phase lasts until the risk control is fully operational in all respects and meets the criteria

for successful implementation described in the Options Analysis documentation.

Rationale for Implement Risk Controls

A risk control that is never implemented cannot reduce risk. Nevertheless, current

practice in risk management often consists of preparing a report and designating a

responsible manager, with little or no follow-up to ensure that the risk controls have been

implemented (or that implementation has been accurately measured).10,54

Sustain Risk Controls

This step consists of ensuring that the risk control continues to operate as intended over

time. The Sustain Risk Controls step lasts until either the risk control is no longer

intended to operate, or until it is determined that no further action is required to ensure its

sustainment.

Note: This does not necessarily mean sustaining the risk control as originally envisioned.

Rather, the focus should be on sustaining the most current agreed version of the risk

control, in line with the PARC’s iterative, progressively-elaborated approach.

Note: The degree of activity required for sustainment will vary depending on the nature

of the risk control in question. Ongoing sustainment is particularly important for

administrative risk controls like training, policies, etc., which are the most commonly-

used category of risk controls in healthcare.6,55

Rationale for Sustain Risk Controls

As Kurt Lewin wrote:

A change towards a higher level of group performance is frequently short lived;

after a ‘shot in the arm,’ group life soon returns to the previous level. This

indicates that it does not suffice to define the objective of a planned change in

group performance as the reaching of a different level. Permanency at the new

level, or permanency for a desired period, should be included in the

objective.41,pp.34-35

Current practice often provides little support for sustaining risk controls once they have

been implemented, which can result in reversion to previous (riskier) practice,56

especially when the risk controls rely on people to do the right thing.6,55 These

administrative controls may often require more active sustainment efforts to achieve

long-term success than risk controls that do not rely on people to do the right thing

(design controls, or eliminating the hazard entirely).6,55

Evaluate Outcomes

This step involves a summative evaluation of the acceptability of the risk control’s

outcomes. At this point a decision is made as to: A) whether or not the given risk control

makes an acceptable contribution to risk control success and should therefore be

maintained as-is or in some modified form, and B) whether or not the aggregate level of

risk control achieved is acceptable (essentially a revisiting of the Risk Evaluation step in

light of the new risk controls in place).

Note: Through the process of implementing and sustaining risk controls, the original

criteria for success may be revised in a phenomenon known as double-loop learning. 29

Similarly, it is important to differentiate between the outcomes of the suite of risk controls

and the contribution of an individual risk control. For both of these reasons, individual

risk controls should be assessed in terms of acceptability, not the original criteria for

success.

Rationale for Evaluate Outcomes

If it is worth taking action to reduce a risk, then it is worth determining what that action

achieved. If the results were not acceptable, the reasons for its failure should be

investigated and the risk control process should be revisited. If the results were

acceptable, the risk control should be sustained and/or serve as the foundation for further

improvement efforts.

As with implementation and sustainment, evaluation requires planning and resources. By

including these steps (and calling for users to plan for all three as part of options

analysis), the PARC helps to ensure that they receive the attention they require.

Communication and Consultation

This cross-cutting function is retained from ISO 31000, which defines it as a “continual

and iterative processes that an organization conducts to provide, share or obtain

information and to engage in dialogue with stakeholders and others regarding the

management of risk.” It goes on to define consultation as “a two-way process of

informed communication between an organization and its stakeholders or others on an

issue prior to making a decision or determining a direction on a particular issue,” and

elaborates that “consultation is: a process which impacts on a decision through influence

rather than power; and an input to decision making, not joint decision making.”27

Rationale for Communication and Consultation

Healthcare organizations are complex adaptive systems,57 in which even small changes

can have large impacts that may be difficult (or even impossible) to predict.58 Involving

stakeholders in the risk control process allows for a broader range of perspectives that can

help in understanding the forces for and against success and potential side-effects. It can

also help in ensuring that the risk control, as implemented and sustained, remains on

course to achieve acceptable outcomes. Unsurprisingly, stakeholder involvement in the

risk control process increases the likelihood of achieving successful outcomes.8,59

Monitoring and Review

This cross-cutting function is retained from ISO 31000, which defines it as “continual

checking, supervising, critically observing or determining the status in order to identify

change from the performance level required or expected,” and “[determining] the

suitability, adequacy and effectiveness of the subject matter to achieve established

objectives.”27

Rationale for Monitoring and Review

This is a form of process evaluation. The central question it seeks to answer is “are we on

course to achieve success?” It allows the organization to make changes to ensure

implementation, sustainment, and acceptable outcomes without waiting for the results of

the outcomes evaluation process.

DISCUSSION

A recent review of healthcare risk management policies and procedures found “…an

almost complete lack of useful guidance to promote good practice” in risk control.54,p.1

This reflects the state of the literature on risk management, which has long focused

almost exclusively on risk assessment. The PARC helps to address both problems, and

also provides a structure to guide the development of risk control tools and techniques.

First, it provides a framework for risk management policies and procedures. An

increasing proportion of risk management policies are currently built around the ISO

31000 process model; the PARC can easily be integrated into such policies, providing a

structure for the risk control process without disrupting the risk assessment components

of an organization’s risk management system. It can also be used in conjunction with

other risk management frameworks (such as those described here 60).

Second, the PARC helps delineate the scope of the risk control process, and provides a

vocabulary that will enable researchers and practitioners alike to discuss risk control in a

comprehensible way. We hope this conceptual contribution will help to open the field of

risk control as an area of research and practice innovation.

Finally, the PARC can help guide the development of risk control tools and techniques.

The Active Risk Control (ARC) Toolkit will be the subject of the second installment of

the Rebalancing Risk Management series.61 It was specifically designed to help

implement the PARC.23,24,47 Currently, there are few other techniques available to support

risk control.52,62 In contrast, the risk assessment process benefits from a wide array of

tools.63 We hope that the PARC will help support the development of a similar (if

hopefully more manageable) selection of risk control techniques.

References

1. Lyons M. Towards a framework to select techniques for error prediction:

supporting novice users in the healthcare sector. Appl Erg. 2009;40(3):379–

395.

2. Ben-David I, Raz T. An integrated approach for risk response development

in project planning. J Oper Res Soc. 2001;52(1):14–25.

3. Hillson D. Developing effective risk responses. In: Proceedings of the 30th

Annual Project Management Institute 1999 Seminars & Symposium.

Philadelphia, Pennsylvania, USA; 1999.

4. Saari H. Risk management in drug development projects. Helsinki: Helsinki

University of Technology Laboratory of Industrial Management; 2004:41.

5. Engineering Professors Council. The EPC Engineering Graduate Output

Standard: Interim Report of the EPC Output Standards Project. Godalming,

UK; 2000.

6. Card AJ, Ward J, Clarkson PJ. Successful risk assessment may not always

lead to successful risk control: A systematic literature review of risk control

after root cause analysis. J Healthc Risk Manag. 2012;31(3):6–12.

doi:10.1002/jhrm.20090.

7. Dul J, Bruder R, Buckle P, et al. A strategy for human factors/ergonomics:

developing the discipline and profession. Ergonomics. 2012;55(4):377–95.

8. Mills PD, Neily J, Kinney LM, Bagian J, Weeks WB. Effective

interventions and implementation strategies to reduce adverse drug events in

the Veterans Affairs (VA) system. Qual Saf Health Care. 2008;17(1):37–46.

doi:10.1136/qshc.2006.021816.

9. Iedema R, Jorm C, Braithwaite J. Managing the scope and impact of root

cause analysis recommendations. J Heal Organ Manag. 2008;22(6):569–

585.

10. Nicolini D, Waring J, Mengis J. The challenges of undertaking root cause

analysis in health care: a qualitative study. J Health Serv Res Policy.

2011;16 Suppl 1(April):34–41. doi:10.1258/jhsrp.2010.010092.

11. Percarpio KB, Watts BV, Weeks WB. The effectiveness of root cause

analysis: what does the literature tell us? Jt Comm J Qual Saf.

2008;34(7):391–8.

12. Taitz J, Genn K, Brooks V, et al. System-wide learning from root cause

analysis: a report from the New South Wales Root Cause Analysis Review

Committee. Qual Saf Healthc. 2010;19(6):e63.

doi:10.1136/qshc.2008.032144.

13. Wu AW, Lipshutz AKM, Pronovost PJ. Effectiveness and efficiency of root

cause analysis in medicine. JAMA. 2008;299(6):685–7.

doi:10.1001/jama.299.6.685.

14. Gosbee J, Anderson T. Human factors engineering design demonstrations

can enlighten your RCA team. Qual Saf Heal Care. 2003;12(2):119–121.

doi:10.1136/qhc.12.2.119.

15. Kavaler F, Spiegel AD. Risk Management Dynamics. In: Kavaler F, Spiegel

AD, eds. Risk Management in Health Care Institutions: A Strategic

Approach. 2nd ed. Sudbury, MA: Jones and Bartlett Publishers; 2003:3.

16. Kuhn AM, Youngberg BJ. The need for risk management to evolve to

assure a culture of safety. Qual Saf Healthc. 2002;11(2):158–62.

17. Dhillon BS. Methods for performing human reliability and error analysis in

health care. Int J Health Care Qual Assur. 2003;16(6):306–317.

18. Landrigan CP, Parry GJ, Bones CB, Hackbarth AD, Goldmann DA, Sharek

PJ. Temporal trends in rates of patient harm resulting from medical care.

NEJM. 2010;363(22):2124–34. doi:10.1056/NEJMsa1004404.

19. HHS OIG. Adverse Events in Hospitals: Incidence Among Medicare

Beneficiaries. Washington DC; 2010.

20. Unbeck M, Schildmeijer K, Henriksson P, et al. Is detection of adverse

events affected by record review methodology? an evaluation of the

“Harvard Medical Practice Study” method and the “Global Trigger Tool”.

Patient Saf Surg. 2013;7(1):10.

21. Card AJ. Patient Safety: This is Public Health. J Healthc Risk Manag. [In

press].

22. Card AJ, Ward JR, Clarkson PJ. Getting to Zero: Evidence-based healthcare

risk management is key. J Healthc Risk Manag. 2012;32(2):20–27.

23. Card AJ. The Active Risk Control (ARC) Toolkit. 1st ed. Davenport, FL:

Evidence-Based Health Solutions, LLC; 2011:1–83.

24. Card AJ. The Active Risk Control (ARC) Toolkit: A New Approach to

Designing Risk Control Interventions. J Healthc Risk Manag. 2014;33(4):5–14.

25. Raz T, Hillson D. A comparative review of risk management standards. Risk

Manag. 2005;7(4):53–66. doi:10.1057/palgrave.rm.8240227.

26. Carroll RL, Nakamura P, Rose R V. Enterprise Risk Management

Handbook for Healthcare Entities. 2nd ed. AHLA; 2013:830.

27. ISO. ISO 31000: Risk management — Principles and guidelines on

implementation. Geneva; 2009.

28. HSE. Policy and guidance on reducing risks as low as reasonably practicable

in Design. ALARP Suite Guid. 2003. Available at:

http://www.hse.gov.uk/risk/theory/alarp3.htm. Accessed May 27, 2012.

29. Argyris C. Double loop learning in organizations. Harv Bus Rev.

1977;55(5):115–126.

30. Mitchell J. A new view. Healthc Risk Manag Rev. 2014. Available at:

http://www.hrmronline.com/article/a-new-view.

31. Leitch M. ISO 31000:2009--The new international standard on risk

management. Risk Anal. 2010;30(6):887–92. doi:10.1111/j.1539-6924.2010.01397.x.

32. Aven T. On the new ISO guide on risk management terminology. Reliab

Eng Syst Saf. 2011;96(7):719–726. doi:10.1016/j.ress.2010.12.020.

33. Cross N. Designerly ways of knowing. Des Stud. 1982;3(4):221–227.

doi:10.1016/0142-694X(82)90040-0.

34. Dorst K. The core of “design thinking” and its application. Des Stud.

2011;32(6):521–532. doi:10.1016/j.destud.2011.07.006.

35. March L. The logic of design and the question of value. In: March L, ed.

The Architecture of Form. Cambridge, UK: Cambridge University Press;

1976:1–40.

36. Wynn D, Clarkson J. Models of Designing. In: Clarkson J, Eckert C, eds.

Design Process Improvement: A Review of Current Practice. London;

2004:1–18.

37. Shah JJ, Smith SM, Vargas-Hernandez N. Metrics for measuring ideation

effectiveness. Des Stud. 2003;24(2):111–134. doi:10.1016/S0142-694X(02)00034-0.

38. Ulrich KT. Design: Creation of Artifacts in Society. 1st ed. Philadelphia:

University of Pennsylvania; 2011:137.

39. Lewin K. Action research and minority problems. In: Lewin GW, ed.

Resolving Social Conflict. London: Harper & Row; 1946.

40. Lewin K. Frontiers in group dynamics. In: Field Theory in Social Science.

London: Social Science Paperbacks; 1947.

41. Lewin K. Frontiers in Group Dynamics: Concept, Method and Reality in

Social Science; Social Equilibria and Social Change. Hum Relations.

1947;1(1):5–41. doi:10.1177/001872674700100103.

42. Lewin K. Frontiers in Group Dynamics: II. Channels of Group Life; Social

Planning and Action Research. Hum Relations. 1947;1(2):143–153.

doi:10.1177/001872674700100201.

43. Lewin K. The Research Center for Group Dynamics at Massachusetts

Institute of Technology. Sociometry. 1945;8(2):126–136.

44. Burnes B. Kurt Lewin and the Planned Approach to Change: A Re-appraisal.

J Manag Stud. 2004;41(6):977–1002.

45. Anderson DE, Watts B V. Application of an engineering problem-solving

methodology to address persistent problems in patient safety: a case study

on retained surgical sponges after surgery. J Patient Saf. 2013;9(3):134–9.

46. Card AJ, Harrison H, Ward J, Clarkson PJ. Using prospective hazard

analysis to assess an active shooter emergency operations plan. J Healthc

Risk Manag. 2012;31(3):34–40.

47. Card AJ, Ward JR, Clarkson PJ. Generating Options for Active Risk Control

(GO-ARC): Introducing a Novel Technique. J Healthc Qual.

2013;00(00):[Epub ahead of print]. doi:10.1111/jhq.12017.

48. Foy R, Ovretveit J, Shekelle PG, et al. The role of theory in research to

develop and evaluate the implementation of patient safety practices. BMJ

Qual Saf. 2011;(February). doi:10.1136/bmjqs.2010.047993.

49. Shekelle P, Pronovost P, et al. Advancing the Science of Patient Safety. Ann

Intern Med. 2011;154(10):693–6.

50. Manuele FA. Risk assessment and hierarchies of control. Prof Saf.

2005;50(5):33–39.

51. Baulcomb J. Management of change through force field analysis. J Nurs

Manag. 2003;11(4):275–280.

52. Card AJ. A new tool for hazard analysis and force field analysis: The

Lovebug Diagram. Clin Risk. 2013;00(00):00.

doi:10.1177/1356262213510855.

53. Morse RB, Pollack MM. Root Cause Analyses Performed in a Children’s

Hospital: Events, Action Plan Strength, and Implementation Rates. J

Healthc Qual. 2011;34(1):55–61.

54. Card AJ, Ward JR, Clarkson PJ. Trust-Level Risk Evaluation and Risk

Control Guidance in the NHS East of England. Risk Anal. 2013:00–00.

doi:10.1111/risa.12159.

55. Bagian JP. Health care and patient safety: The failure of traditional

approaches – How human factors and ergonomics can and MUST help.

Hum Factors Ergon Manuf. 2012;22(1):1–6. doi:10.1002/hfm.

56. De Saint Maurice G, Auroy Y, Vincent C, Amalberti R. The natural lifespan

of a safety policy: violations and system migration in anaesthesia. Qual Saf

Healthc. 2010;19(4):327–331. doi:10.1136/qshc.2008.029959.

57. Committee on Quality of Healthcare in America / IOM. Crossing the

Quality Chasm: A New Health System for the 21st Century. National

Academies Press; 2001:364.

58. Atun R. Health systems, systems thinking and innovation. Health Policy

Plan. 2012;27 Suppl 4(Hsiao 2003):iv4–8. doi:10.1093/heapol/czs088.

59. Mills PD, Neily J, Luan DD, Stalhandske E, Weeks WB. Using Aggregate

Root Cause Analysis to Reduce Falls and Related Injuries. Jt Comm J Qual

Patient Saf. 2005;31(1):21–31.

60. Jardine C, Hrudey S, Shortreed J, et al. Risk management frameworks for

human health and environmental risks. J Toxicol Environ Health B Crit Rev.

2003;6(6):569–720. doi:10.1080/10937400390208608.

61. Card AJ, Ward JR, Clarkson PJ. Rebalancing Risk Management -Part 2: The

Active Risk Control (ARC) Toolkit. J Healthc Risk Manag. In press.

62. Pham JC, Kim GR, Natterman JP, et al. ReCASTing the RCA: an improved

model for performing root cause analyses. Am J Med Qual. 2010;25(3):186–91.

63. ISO. ISO 31010: Risk management — Risk assessment techniques. Geneva;

2009.

You might also be interested in these papers on related topics

The Active Risk Control (ARC) Toolkit and its Components

Card AJ. The Active Risk Control (ARC) Toolkit: A New Approach to Designing Risk Control

Interventions. J Healthc Risk Manag 2014;33:5–14. Available from:

http://www.academia.edu/7094246/The_Active_Risk_Control_ARC_Toolkit_A_New_Approach_to_Designing_Risk_Control_Interventions

Card AJ. The Active Risk Control (ARC) Toolkit. Evidence-Based Health Solutions, LLC. Available from:

www.activeriskcontrol.com/tools-and-templates

Card AJ, Ward JR, Clarkson PJ. Generating Options for Active Risk Control (GO-ARC): Introducing a

Novel Technique. J Healthc Qual 2013;00:[Epub ahead of print]. Available from:

http://www.academia.edu/3377753/Generating_Options_for_Active_Risk_Control_GO-ARC_Introducing_a_Novel_Technique

Card AJ, Simsekler MCE, Clark M, Ward JR, Clarkson PJ. Use of the Generating Options for Active Risk

Control (GO-ARC) Technique Can Lead to More Robust Risk Control Options. Int J Risk Saf Med.

[In press]. Available from:

http://academia.edu/8744500/Use_of_the_Generating_Options_for_Active_Risk_Control_GO-ARC_Technique_Can_Lead_to_More_Robust_Risk_Control_Options

Shortfalls in current risk control practice

Card AJ, Ward J, Clarkson PJ. Successful risk assessment may not always lead to successful risk control: A

systematic literature review of risk control after root cause analysis. J Healthc Risk Manag

2012;31:6–12. Available from:

https://www.academia.edu/1081937/Successful_Risk_Assessment_May_Not_Always_Lead_To_Successful_Risk_Control_A_Systematic_Literature_Review_of_Risk_Control_after_Root_Cause_Analysis

Card AJ, Ward JR, Clarkson PJ. Trust-Level Risk Evaluation and Risk Control Guidance in the NHS East

of England. Risk Anal 2014;34:1471–81. Available from:

http://onlinelibrary.wiley.com/doi/10.1111/risa.12159/abstract

Advancing the Field of Healthcare Risk Management

Card AJ, Ward JR, Clarkson PJ. Getting to Zero: Evidence-based healthcare risk management is key. J

Healthc Risk Manag 2012;32:20–7. Available from:

http://www.academia.edu/1952946/Getting_to_Zero_Evidence-based_healthcare_risk_management_is_key

Card AJ. Patient Safety: This is Public Health. J Healthc Risk Manag 2014;34:6–12. Available from: http://www.academia.edu/6920019/Patient_Safety_This_is_Public_Health

