Healthcare risk

assessment made easy

March 2007
The purpose of this document is to provide:
1. an easy-to-use risk assessment tool that helps
promote vigilance in identifying risk and the
ways in which risk can be minimised;
2. guidance that will encourage greater
consistency in the way risk assessment
is applied across the NHS.
The tool is intended to encourage greater use
at practice level, and increased awareness and
understanding of risk assessment at all levels.
Frontline staff may use the tool to assess any
risk to a patient or patients in their care.
Created with acute care in mind, this tool is
equally applicable and easily adapted for use in a
primary care setting.
Before you start to assess risks make sure you
have a good understanding of your organisation’s
risk management policy/strategy.

2
What is risk assessment?
A risk assessment seeks to answer four simple,
related questions:

How bad?

What can Is there a need

go wrong? for action?

How often?

It is not usually possible to eliminate all risks but

healthcare staff have a duty to protect patients
as far as ‘reasonably practical’. This means you
must avoid any unnecessary risk. It is best to
focus on the risks that really matter – those with
the potential to cause harm. Keep risk assessment
simple – do not use techniques that are overly
complex for the type of risk being assessed.

3
In risk assessment we look at:
• hazards – which are situations with the
potential to cause harm; and
• risks – which are defined as the probability
that a specific adverse event will occur in
a specific time period or as a result of a
specific situation.

– Risk is the combination of likelihood and

consequence of a hazard being realised.
– A clinical risk or healthcare risk is the
chance of an adverse outcome resulting
from clinical investigation, treatment or
patient care.
For each hazard identified, it is important to
decide whether it is significant and whether
appropriate and sufficient controls or
contingencies are in place to ensure that
the risk is properly controlled.

4
Understanding the difference between
a hazard and a risk – an example
A medicine could be described as a hazard if it
has the potential to cause harm. However, the
risk of that harm may be very small provided
effective controls/measures are in place. If a
patient could suffer harm as a result of taking
the drug, the adverse event may be described as
a clinical risk, and as a patient safety incident if
harm occurred unintentionally or unexpectedly.
It is important that you identify and have a clear
understanding of the significant risks of each
particular hazard. To avoid confusion, describe
each risk separately and clearly. For example,
when considering the hazard of selecting the
wrong drug because of similar (look-alike)
packaging, there is risk to the patient, risk to
the staff involved and risk to the organisation.
Failure to describe or define each risk clearly
is a common pitfall that can lead to problems
when carrying out risk assessment.

5
Five steps to easy risk assessment
Identify the hazards (what can go wrong?)
Step 1

Decide who might be harmed and how

Step 2
(what can go wrong? who is exposed
to the hazard?)
Evaluate the risks (how bad? how often?)
Review

Step 3
and decide on the precautions (is there
a need for further action?)
Record your findings, proposed action
Step 4
and identify who will lead on what action.
Record the date of implementation.
Review your assessment and update
Step 5
if necessary.

Step 1 Identify the hazards

(what can go wrong?)
To prevent harm it is important to understand
not only what is likely to go wrong but also how
and why it may go wrong. Consider the activity
within the context of the physical and emotional
environment, and the culture of the organisation
and the staff who perform the activity.
6
Take into account things that have gone wrong
in the past and near-miss incidents. Learn from
the past.
1. Walk around the workplace or clinical area
and talk to patients and staff.
2. Map or describe the activity to be assessed.
3. The risk assessment may require a
multi-disciplinary team.

Step 2 Decide who might be harmed

and how (what can go wrong? who is
exposed to the hazard?)
People will make mistakes. It is necessary to
anticipate some degree of human error and
try to prevent the error from resulting in harm.
1. Consider the number of patients that might
be affected over a stated period of time.
When quoting the number of patients
affected you should always state the length
of the assessment period.
2. Remember that the most vulnerable patients
are more likely to suffer harm.
3. Think about the complexity of the task.

7
Step 3 Evaluate the risks (how bad?
how often?) and decide on the precautions
(is there a need for further action?)
Consider both consequence (how bad?) and
likelihood (how often?). Is there a need for
additional action? The law requires everyone
providing a service to do everything reasonably
practical to protect patients from harm.
1. Use your organisation’s risk matrix
(an example risk matrix is on page 10).
2. Decide on the precautions (controls) that
will most effectively reduce consequence
and/or likelihood.
3. Re-evaluate the risks assuming the
precautions (controls) have been taken.

Step 4 Record your findings, proposed action

and identify who will lead on what action.
Record the date of implementation
Risk assessments and action planning should
be reviewed and changed when necessary.
This is easy only if the assessment is well-
recorded and the logic behind the decisions
transparent. An efficient and succinct system
of documentation is essential.
8
You need to show that:
1. a thorough check was made to identify all the
hazards and treat all the significant risks;
2. the precautions are reasonable and the
remaining risk is acceptable;
3. the solutions are realistic, sustainable
and effective.
It may be reasonable to accept some degree
of preventable risk, if the benefits to be gained
outweigh the risk.

Step 5 Review your assessment and update

if necessary
Good documentation is important because
things are always changing. Research and new
developments increase the pace of change, and
those changes can alter existing and/or introduce
new hazards.
Review your risk assessment:
1. when you are planning a change;
2. routinely at least on an annual basis;
3. when there has been a significant change.
9
 Example risk matrix
Catastrophic Yellow Orange Red Red Red

Major Yellow Orange Orange Red Red

Consequence

Moderate Green Yellow Orange Orange Red

Minor Green Yellow Yellow Orange Orange

Negligible Green Green Green Yellow Yellow

Rare Unlikely Possible Likely Almost

certain
Likelihood

Consequence – For example catastrophic means

death or debilitating permanent injury and minor
means requiring first aid.
Likelihood – This must be estimated over a
stated period or related to a given activity.
1 2 3 4 5
Frequency Rare Unlikely Possible Likely Almost
certain
How often Can’t Do not Might Will Will
might it believe that expect it to happen probably undoubtedly
happen (per this will ever happen or or recur happen or happen or
procedure/ happen or recur but it is occasionally recur but recur, possibly
episode or recur possible it is not a frequently
within a persistent
specified issue
timeframe)?

10
For the definitions of adverse event and patient
safety incident see page 13.
Risk scoring – The risk scores are not intended
to be precise mathematical measures of risk,
but they are useful when prioritising control
measures for the treatment of different risks.
Low risk (green) – Quick, easy measures
implemented immediately and further action
planned for when resources permit.
Moderate risk (yellow) – Actions implemented
as soon as possible, but no later than a year.
High risk (orange) – Actions implemented as
soon as possible and no later than six months.
Extreme risk (red) – Requires urgent action.
The trust Board is made aware and it implements
immediate corrective action.
The above information is not meant to be
prescriptive but is intended for guidance. The
trust Board is responsible for defining the level
of acceptable risk.

11
Action required in reducing risks
to an acceptable level
It is often hard to judge the level of risk that can
be tolerated. This is because the risk is balanced
against the benefit and whether there is a better
alternative to accepting the risk. It is reasonable
to accept a level of risk if the risk from all the
other alternatives, including doing nothing, is
even greater. A risk is not acceptable if there is
a reasonable alternative that offers the same
benefit but avoids the risk. Acceptable risk may
become unacceptable over time or because
circumstances change.
It is best to use your organisation’s approved
risk assessment forms. As not all organisations
have developed risk assessment forms, model
forms are provided on the National Patient Safety
Agency’s website (www.npsa.nhs.uk).

12
Any significant residual risk should be recorded in
the organisation’s risk register. The organisation’s
risk register should be subject to regular review
by the trust Board.

Definitions
Risk management is assessment, analysis and
management of risks. It is simply recognising
which events (hazards) may lead to harm in
the future and minimising their likelihood
(how often?) and consequence (how bad?).
An adverse event is any event or circumstance
leading to unintentional harm or suffering.
A patient safety incident is any unintended
or unexpected incident which could have or did
lead to harm for one or more patients receiving
healthcare. It is a specific type of adverse event.

13
Inherent clinical risk is the permanent
or currently unavoidable clinical risk that is
associated with a particular clinical investigation
or treatment. It is the risk from undergoing a
particular procedure in ideal conditions and
performed by the best staff using the most up-
to-date research, equipment and techniques.
The inherent clinical risk can be considered
permanent or currently unavoidable when used
for the purpose of risk assessment. The risk that
should be targeted by clinical risk assessment
is the risk that is added to the inherent risk and
results from, for example, a poor safety culture,
poor communication and teamwork, inadequate
supervision of inexperienced staff, unreliable
equipment or an unsuitable environment.

14
Acknowledgements
This document has been prepared by the
National Patient Safety Agency (NPSA).
The following organisations have been
consulted and/or have assisted in defining
and testing the risk assessment:
– Guy’s and St Thomas’ NHS
Foundation Trust
– Mid Yorkshire Hospitals NHS Trust
NPSA project team
Michael Coultous, Patient Safety Manager
Donna Forsyth, Patient Safety Manager
Aly Hume, Patient Safety Manager
John Morrison, Patient Safety Manager
Feedback
We would appreciate your feedback on this
document. Please send your comments to:
Michael Coultous, Patient Safety Manager,
michael.coultous@npsa.nhs.uk

15
The National Patient Safety Agency
4-8 Maple Street
London
W1T 5HD
T 020 7927 9500
F 020 7927 9501
Gateway Reference Number: 8083

0536

© National Patient Safety Agency 2007. Copyright and other intellectual

property rights in this material belong to the NPSA and all rights are
reserved. The NPSA authorises healthcare organisations to reproduce
this material for educational and non-commercial use.

www.npsa.nhs.uk