The importance of Risk Management

Prevention is better than cure. This applies equally to our health as it does to managing the complex and varied risks faced in running a healthcare business. The issue for healthcare businesses is often the unknown risks.

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” – Donald Rumsfeld

We can assist you in identifying your practice risks and suggesting risk management strategies to put in place. Broadly a business has four options in managing risk:

‘Avoid the risk’

E.g. by not entering into a new business venture, new procedure or contract.

‘Reduce the risk’

E.g. by developing a risk management framework to reduce the likelihood of adverse events occurring and, if they do occur, to minimise the impact on the business.

‘Accept the risk’

E.g. a ‘do nothing’ approach or ‘self-insurance’. This may be appropriate for small risks such as balancing the petty cash tin (who really cares if it’s $5 out each month?).

‘Transfer the risk’

E.g. by sharing the risk through a joint venture, or transferring the risk to insurance.

If you want to learn more about risk management, look up the Risk Management standard AS/NZS ISO 31000:2009.

While it would be nice for a small medical practice to adopt a full risk management framework, the reality for most practices is that the Practice Manager usually acts as the internal Risk Manager, alongside many other responsibilities.

However, there are practical risk management strategies every healthcare business can implement. We can be engaged as a risk management consultant to help you set up key documentation and processes. Please contact Chris Mariani from our Sydney office to discuss.

Consider the question below and the range of answers. If your practice does not answer something along the lines of the third answer, then you and your practice are potentially breaching Australian privacy laws and are at increased risk of civil penalties, patient complaints, legal action and reputational damage.

“Dear doctor, can you please provide me a copy of your Privacy Policy, tell me how you make it accessible to patients, and tell me about your processes to protect patient privacy?” The answer usually falls into three categories:

1. “What’s a Privacy Policy and should I have one?”

2. “We have one somewhere, but I have no idea where it is or when we last looked at it. The practice manager is responsible for privacy.”

3. “We recently updated our Privacy Policy; we put it on our website and also a hard copy at reception. We have detailed processes for privacy and embed them into the business. It is a regular item at our management team meetings and it’s included in our staff induction and training process. We are all responsible for patient privacy, but Mary takes the lead as the appointed Privacy Officer.”

The third answer above is the right answer from a risk management perspective. Unfortunately, many of the practices we review aren’t up to the level expected.

We recommend to our clients they:

  • Have ‘Privacy’ in their top ten risks and actively manage this risk via their Risk Register.
  • Have an up-to-date and compliant Privacy Policy (ideally on their website, with hard copies at reception).
  • Ensure their new patient information form states “we take your privacy seriously; a copy of our Privacy Policy is available from reception or our website”.
  • Conduct staff induction and ongoing training.
  • Conduct annual audits of their privacy risks (for example, using a specialist IT security firm to test for weaknesses and report back to management).
  • Have an appointed Privacy Officer (as required under law) who takes charge of their privacy obligations.

See our articles on numerous risk management topics.