Protect Your Practice

Risk Management Overview

Just as practice managers are a vital ingredient of good practice, risk management is a crucial part of good practice management. Risk management should also be integrated into a practice’s philosophy, policies and strategic plan, rather than viewed or practiced as a separate program or ‘add-on’ only if time permits. All staff have a responsibility to be involved actively in practice risk management. As leaders, practice managers can play a key role in creating a positive quality improvement culture. When this is achieved, risk management becomes a priority for everyone in the practice.

As a practice manager, you know that prevention is better than cure. Proactive risk management can be thought of as the ultimate form of prevention against the risks brought about by the rapidly changing and uncertain environment in today’s medical practices.

What is risk management?

Risk management is defined as the culture, processes and structures that are directed towards realising potential opportunities while managing adverse effects (AS/NZ ISO 31000:2009). The concept of risk has two elements:




  • The likelihood of something happening.
  • The consequences for your business/practice if it happens.

If you have had experience in a hospital environment you would be familiar with a clinical risk management unit. Transferring this knowledge and skills into a business and private practice sense may be more of a challenge.

Why do I need to consider risk management in the practice?

Working as a practice manager, you know there are a myriad of risks your staff face today that are unlike any in the past. We now practice in an environment of shared electronic health records, industrial relations changes, trade practice and advertising guidelines, open disclosure programs, changes to registration and regulation of medicine, social media, Medicare scrutiny, corporatisation of medicine, changing patient demographics, informed financial consent and increasing patient awareness and autonomy – and each of these brings new risk for doctors and practice staff.

Risks that were unheard of a decade ago are now amongst the most common causes of claims as well as enquiries to Avant’s Medico-legal Advisory Service: for instance those related to computer systems and IT security, or monitoring and tracking referrals and pathology tests ordered. While the incidence of civil claims has declined in the past decade, this has been countered by an increase in non-civil claims such as complaints before regulatory and disciplinary bodies, and many of these are related to the kinds of changes and uncertainties listed above.

Risk management is important in your practice for the following reasons:

  • Patient safety and quality of care flow from an understanding of practice risks and proactive management of these.
  • Professional reputation and career prospects may be damaged from negative publicity associated with complaints.
  • To avoid suspension of, or conditions placed on, Medical Board/AHPRA registration and, in extreme cases, de-registration.
  • Failure to recognise and manage risks in practice can result in disciplinary action by AHPRA or the Medical Board, resulting in suspension of registration, conditions on practising, or even de-registration on the grounds of unprofessional conduct or findings of professional conduct.
  • Failure to manage risks may result in higher insurance premiums and policy conditions or deductibles.
  • The impact on the long-term growth and reputation of the practice if risks are not managed, resulting in complaints or adverse outcomes.
  • Inconvenience, loss of income and loss of time results when practitioners fail to plan for and manage their practice risks.

Don’t forget, in your role as a practice manager, risk management is a continual process, and a key component of the professional responsibility of a doctor. According to the Medical Board of Australia’s Good Medical Practice: A Code of Conduct for Doctors in Australia, “Good medical practice involves understanding and applying the key principles of risk minimisation and management in your practice”. The advantages of risk management include:

  • Increased patient satisfaction.
  • Improved patient and business/practice outcomes
  • Improved practitioner and staff satisfaction and retention.
  • Improved organisation and time management
  • Improved standards of accountability
  • Improved practice reputation
  • More economic and efficient practice
  • Reduction in complaints and adverse events
  • Greater enjoyment of medical practice.

What are the common risks in private practice?

The delivery of healthcare in Australia has changed significantly over the last two decades. Many practices are group practices and most are fully computerised and employ both clinical and administrative staff. Patients today have unlimited access to information and communication. As a result, practice managers and doctors not only face new risks but also encounter recurring patterns and areas of risk. The most common of these in the Australian context include:

  • patient safety
  • staff safety (WHS)
  • professional reputation
  • practice and practitioner financial viability
  • principal, practitioner and staff health
  • computer systems and IT security
  • confidentiality and privacy
  • fraud
  • organisational risk
  • compliance, corporate and clinical governance
  • business interruption
  • customer quality
  • legal risks
  • project risks
  • strategic/political risks

Common reasons for patient complaints

Doctors practice today in an environment of patient autonomy, shared decision making, increased patient health awareness, and high patient expectations. Patients and their families increasingly feel confident in expressing their dissatisfaction with care they receive from doctors and practice staff. Furthermore, regulatory and statutory bodies have been established in all Australian jurisdictions to protect the public and maintain high standards of care provided by medical practitioners. These bodies also regularly receive complaints from patients, relating to care. Common reasons for complaints include:

  • Inadequate communication and inconsistent information
  • Insufficient provision of information regarding management and treatment plans
  • Inadequate informed patient consent
  • Lack of informed financial consent
  • Failure to diagnose
  • Failure to maintain standards of practice
  • Failure to maintain accurate patient records
  • Impolite practice staff
  • System failures:
    1. Poor policies and procedures
    2. Faulty systems
    3. Privacy breaches
    4. Inadequate quality control measures
  • Practising outside scope of practice or knowledge and skills.

Who is responsible?

All staff have a responsibility to be actively involved in practice risk management.

Who are the stakeholders in the risk management process?

All stakeholders need to be involved in the process. The stakeholders include:

  • Patients and their families
  • Colleagues and associates in the practice
  • Other practitioners and healthcare professionals involved in the patient care
  • Employed staff in the practice who are involved in the running of the practice and the delivery of care to the patient.

How to minimise risk

Risks and strategies can be classified into three areas.

1. Clinical knowledge and skill

Strategies to reduce risk related to clinical knowledge and skill include:

  • Keeping up to date with clinical knowledge, skills and best practice and using appropriate and up-to-date resources to support clinical decision-making.
  • Attending peer meetings and discussing management of cases.
  • Taking a thorough history and examination when attending patients.
  • Documenting all aspects of the consultation in the clinical record – remember, this is considered a legal document and is your best defence in the event of legal investigations. Review the standards expected of clinical records relating to consultations and apply them systematically. Ensure any other doctors working in your practice are also committed to thorough and complete documentation.
  • Clinical staff being aware of their own scope of practice and referring patients on appropriately.
  • Investigating further if treatment is not working.
  • Making use of protocols, checklists and clinical decision support tools.
  • Looking after your own health
  • Reporting or addressing concerns if you feel you or practice staff are being exposed to unsafe work practices.

2. Communication

Effective communication is fundamental to the doctor-patient relationship, as communication failures underlie many patient complaints or findings against doctors in legal-related claims. Strategies to reduce risk due to communication issues include:

  • Building a patient relationship based on open communication and shared decision-making
  • Showing empathy to patients
  • Managing adverse events or complaints in a timely and efficient manner to ensure the patient (or a staff member) feels their concerns have been acknowledged and addressed
  • Minimising interruptions during consultations
  • Managing unrealistic patient expectations.
  • Communicating regularly with your practice staff through staff meetings, sharing feedback and receiving their input
  • Providing a practice environment where patients feel welcome and staff are skilled in all aspects of managing patients
  • Educating staff in techniques to provide the best patient communication at all levels.
  • Fostering strong relationships with professional colleagues and the healthcare team, within your practice as well as in your local healthcare community.
  • Keeping open and transparent channels of communication with health facilities you interact with (e.g. hospitals, radiology and pathology services)
  • Ensuring your consent process allows the patient to understand the implications of a proposed treatment, medication or procedure – in other words, ensuring you obtain informed consent
  • Ensuring your informed financial consent process explains to all patients where there will be any additional charges for any service – consultations or procedures.

3. Systems

Practice managers know all too well that effective risk management in practice is to a large extent all about employing or developing appropriate systems. These systems allow a consistent level of operation and serve to prevent errors and mistakes. Systems, policies and procedures that decrease risk in practice include:

  • Complaints-handling procedures
  • A practice “policies and procedures” manual
  • Test tracking and follow-up processes
  • Recording of appointments, recalls, cancellations and any failure to attend
  • Documentation of all patient communications with the practice in the patient record
  • Infection control and waste management policies
  • Recruitment, orientation, training and management of practice staff
  • Managing confidentiality and privacy
  • Computer security and data back-up.

Principles and guidelines

As well as being a requirement of good medical practice according to the Medical Board of Australia, risk management is addressed by the National Safety and Quality Health Service Standards, which require the establishment of an organisation-wide risk management system in healthcare-providing organisations and businesses. This standard incorporates identification, assessment, rating, controls and monitoring for patient safety and quality, includes the use and monitoring of an organisation-wide risk register, and requires that actions are taken to minimise the risks to patient safety and quality of care.

Risk management framework

As a practice manager, you need to ensure your practice has a risk management framework in place. This framework encompasses a set of components that are used to establish, support and sustain risk management throughout your practice. This is also about developing the risk criteria and risk champions. The key elements of a risk management framework include:

  • Risk management policy – This is a general statement of direction or intent and commitment to risk management within the practice.
  • Risk attitude – This defines the practice’s general approach to the management of risk and will dictate and influence how risks will be managed.
  • Risk management process – This sets out how the practice applies policies, procedures and practices to a set of activities designed to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor and review risk.

The risk management process

The risk management process is a series of linked activities designed to allow you to identify, analyse, evaluate, manage, report and monitor risks.

Risk management process: steps to consider

1. Identify risk and opportunity
In your role as a practice manager, it is critical to determine what can happen (even those risks not under your direct control) and how they could happen in your practice.
Some of the approaches you can use to identify risks include checklists, judgements based on experience and records, flow charts, surveys, incident analysis, peer review, brainstorming, systems analysis and third party reports.

It is important to identify the basic facts around each possible risk:

  • What can happen?
  • Where can it happen?
  • When can it happen?
  • Why can it happen?
  • How can it happen?
  • Who might be involved or impacted?

2. Analyse the risk
Determine the likelihood of the event occurring or recurring.
Determine the consequences of the event occurring.
Factors to consider in relation to likelihood include:

  • The anticipated frequency of occurrence of the event
  • The working environment
  • The procedures and skills currently in place
  • Staff commitment, morale and attitude
  • History of previous events.

Factors to consider in relation to the consequences include:

  • The need to separate minor risks from major risks
  • The consequences if the risk occurs
  • The financial and non-financial impacts on the business
  • Giving the risks a description from trivial to severe.

3. Evaluate the risk
Take a step back from the day-to-day running of the practice to evaluate the practice’s risk. Start by comparing your analysis of risk to your criteria and significant considerations (whether it be patient safety, financial considerations, or something else – for instance a commitment to offering a particular service) to determine priority. It is usually a combination of factors.

You will then have a list of risk management priorities for your practice. Next, identify the ‘controls’ that currently exist for managing these risks – are they adequate?

4. Develop and deliver risk strategy
You have four options when it comes to “dealing with” a particular risk:

  • Avoid the risk: don’t offer a particular risky service or procedure.
  • Accept the risk (“risk retention”).
  • Reduce the risk: for example, by implementing risk-reducing systems and practices through policies and procedures.
  • Transfer the risk by insurance. Risk transfer is not just using insurance. It can be a range of choices such as use of contractors; locums; referring to another practitioner; outsourcing autoclaving of instruments etc.

To underpin your risk management process it is important to include the following steps:

1. Monitor and review
You will need to check whether the processes you have put in place to manage the risks in the practice are effective and if circumstances have changed to impact on your risk management processes. You can monitor and review your processes by:

  • Keeping adequate records
  • Checking the number of incident reports – have they decreased?
  • Reporting any adverse events
  • Maintaining a central adverse event/near miss and complaints register
  • Maintaining a risk treatment schedule and action plan.
  • Maintaining a risk register, risk treatment schedule. The action plan should be within the risk treatment schedule.

2. Communicate and consult
There must be continuous communication and consultation with all stakeholders throughout the whole risk management process. This can be both formal and informal communication – discussions, meetings or written.

3. Documentation of these two steps is important.
Remember, there is help available from professional organisations (AAPM) and professionals such as accountants, business planners, IT consultants and from Avant’s Member Risk Management Team.


This publication is proudly brought to you by Avant Mutual Group. The content was authored by Brett McPherson, reviewed by Colleen Sullivan and Avant Mutual Group.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practice proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2014.

IMPORTANT: Professional indemnity insurance products and Avant’s Practice Medical Indemnity Policy are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. The information provided here is general advice only. You should consider the appropriateness of the advice having regard to your own objectives, financial situation and needs before deciding to purchase or continuing to hold a policy with us. For full details including the terms, conditions, and exclusions that apply, please read and consider the policy wording and PDS, which is available at or by contacting us on 1800 128 268. Practices need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation and you should contact your insurance broker for more information. Cover is subject to the terms, conditions and exclusions of the policy. Any advice here does not take into account your objectives, financial situation or needs. You should consider whether the product is appropriate for you before deciding to purchase or continuing to hold a policy with us.