Delving Into Risk Assessment: Thoughts on how to develop tools that may guide your thinking

I previously wrote a blog post called 50 Shades of Grey where I spoke about why I believe we need to do a better job of articulating the fact that a) Infection Prevention and Control is basically 80% risk assessment and b) risk assessments therefore look different in different settings as patients and scenarios differ.

Following on from this post I recorded a podcast with Martin Kiernan as part of the Infection Control Matters series where he reminded me that I said in that original post that I would write a follow up with more details about the components of risk assessment and the different ways you can capture your thinking around them. So continuing what appears to have turned into a bit of a risk assessment themed July here are some of my thoughts about the different ways you can go about developing your own risk assessment framework.

Firstly a disclaimer. The following are things that I have found useful for how my brain works. I hope that others might find it useful but if you do not I apologise, maybe you could share what works for you instead? Then we could have a collective resource around this.

What is risk assessment?

The basics of risk assessment are to understand what risks are present and to put measures in place to decrease those risks. Sounds simple right? The problem is that we throw around the words risk assessment as if we all have the same understanding of what the words really mean, in reality as that concept is applied in different settings or by different professions it can have very different meanings.

a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking

If you talk about requiring a risk assessment to someone working in engineering or Health and Safety you will get a very different piece of documentation to that I would expect in IPC. Now some of that is to do with the amount of information that needs to be processed in order to come to a conclusion and some of that is about how we convey information. The aim of an engineering or Health and Safety based risk assessment is to give a risk level and matched control measures. The aim of an IPC risk assessment is to support complex decision making. In IPC a risk assessment is more like a framework for ensuring you have taken into account multiple factors in order to support informed action. They are not a one and done process, they are dynamic and can change rapidly as more information is added to the framework. Patients for instance can become more or less infectious, more or less mobile, require more or less intense interventions and outbreaks have information that changes as they develop or come under control.

The use of a framework is nothing new, a lot of medicine and healthcare is based on algorithms we develop during training. The thing is that these are often integrated into our thinking as cognitive processes via experiential learning and we don’t often talk about them. There are two issues with this, one is if we can find a way to visualise or share how we go through our risk assessment framework it can prove helpful to others as they can have access to it without having to fully develop their own. The second thing is that, like anything developed through experiential learning, our frameworks may have intrinsic bias or weaknesses based on the scenarios used to develop it. I am much more likely to dive down a scientific vs ward practice approach for instance. By being able to share our frameworks we can therefore have better conversations with colleagues to both share our thinking and if needed modify our frameworks for future use. The framework itself isn’t static and should continue to develop as we see more, learn more, after all microbes aren’t static and healthcare is ever changing.

What is different between health and safety and IPC risk assessment?

Below is a matrix that I think most of us will be very familiar with and is commonly used in Health and Safety risk assessment. They are based on identifying how likely a risk is likely to be and the impact that risk would have if the incident occured. The thing is that for IPC risk assessments this misses a whole third axis, what are the implications of the intervention on other aspects of that patients care? What are the consequences of controlling this risk for the patient? When we are managing IPC risk we are not always talking about risk from an inanimate object we are often talking about humans that can experience negative impacts from risk interventions. There is for instance data on the impacts of isolation on patient care and also the impacts on staff from cohorting and other measures. I’m not suggesting we therefore don’t need to control risk in IPC, just that a 2 axis table may not be able to capture the complexity of the decision making associated with that risk.

The other difference is the dynamic nature of IPC risk assessments. Although Health and Safety risk assessment should be revisited and reviewed, they are for the most part fairly static. IPC risk assessments can change every time we received new information, results become available, patients become better or worse. Finally, risks in IPC are cumulative, and so the impact of the risk may be low during a 15 minute outpatient appointment but much more significant during a 7 night inpatient stay. All of which mean that a framework that can manage these changes will probably look different to the matrix we are used to seeing.

What are the components of IPC risk assessment?

Below I’ve included some of the key components that I use in my risk assessments and decision making. Overlaid on top of these specifics are always:

  • Length of exposure
  • Level of exposure
  • Susceptibility
  • Clinical consequences

These always need for each scenario to be looked at bi-directionally i.e. what is the risk from the patient or other patients, what is the risk from the organism to the patient themselves. Even if you’re looking at things like infrastructure or staff the same thing applies. What is my risk of contaminating the sinks with this patients’ Pseudomonas aeruginosa? What would that mean for other patients, visitors and staff? It’s also important to know where or what you are getting your information from? How does that information/data collection method impact the true extent of the information you have? For instance if you are only doing responsive screening you may miss out on asymptomatic carriage vs the information you may have using universal screening. Developing a framework that captures key information is essential but it also needs to be done is a way that acknowledges any knowledge deficits in what is being captured. These are important for the ‘assessment’ bit of risk assessment and impact final decision making. Knowing what you do not know is a large part of the process.

How do we develop a framework that will help us?

Some of the below is taken/modified from a session I gave on risk assessment at the 2021 Paediatric IPC course from the GOSH Learning Academy (shameless plug for the 22/23 sessions below) but the principles apply even if you are not looking at this from a paediatric perspective. Again these are just methods that work for my brain so you may have different formats that work for you.

I think the formats that I find useful to help both the process and to visualise for different audience fall into three main categories:

  • tabular
  • question based
  • flow chart or algorithm based

Each one has pros and cons depending on the amount and variability of the information you are trying to collect and the number of decisions that are open to you based on each piece of data.

Tabular recording

Tabular recording works well if you have electronic systems to record the input data and the decision making based on those actions are clearly defined. A good example of this type of risk assessment framework might be reviewing results for a new MRSA outside of an outbreak setting, and it is very similar to the way that data is collected on the HCAI reporting portal. The benefits of this kind of system is that it is very defined (each field can have definitions linked to it) and therefore it is a good way to ensure the capturing of a minimum data set, as you can require all fields have a response. It is also a good check list for those completing so that items don’t get forgotten. It also permits really good data analysis, you can run reports to see if, for example, everyone with a C. difficile diagnosis had a box ticked to indicate the ward was called and advised to start chlorine cleaning. You can then also run a report against the cleaning order to see that not only the advice was given but whether it was acted on. As a scientist I like this as it removes variability in response, however that inflexibility also reduces it’s usefulness in non standard situations, especially in outbreak scenarios where there may be a large number of possible actions. You can always add in open text fields to record that kind of open data but you then also lose some of the benefits of using this system as you then can’t analyse the inputs easily and you lose the consistency of recording. I recommend this kind of risk assessment framework for complex but standard tasks, where a lot of information needs to be gathered but the number of resulting actions can be captured in a defined list.

Question based

Question based frameworks are (I think) the one that most people working in IPC are most familiar with. You take a call and you work through a mental checklist of information gathering, decision making, and action taking. Even this common tool is often not recorded as a framework that is written down however. When I learnt I did so by listening to calls others took and then having experienced staff listening into mine, pointing out questions I may have missed and therefore data I had not captured. I think even in this scenario it is helpful to have a list of key questions (and sub questions) as prompts or at least a list of framework points to make sure you are capturing key items that would impact your decision making.

There are benefits to this approach, because it is a free framework it enables the capturing of unexpected or non standard information and further exploration of key points. This level of flexibility however does mean that it is possible to go down an information rabbit hole and miss the collection of key information that could have changed the decision outcome. It is especially useful for scenarios where there are lots of possible decision outcomes, such as in outbreak meetings. It also has a downside in terms of the requirement for conscious recording of all data components, which can be time consuming or fail to truly reflect the situation. The free nature of the information gathering can also lead to a lack of consistency between individuals and increase the experiential bias of how scenarios are managed. I would suggest that although this is the most frequently utilised approach it could be improved by having a question frame work recorded so that at least there is a structure, both for data collection and for recording decisions made on the basis of that information.

Flow chart/algorithm based

The main final risk assessment framework is probably the one most of us have become most familiar with following and producing during the pandemic. That is the use of flow charts or visual algorithms. Although in many ways these are the most intuitive for most people to follow they are actually pretty difficult to do well, I know we are up to versions 14+ on some of ours, a lot of those are changes because of guidance, but some are for clarity as it always amazes me how people can read the same info in different ways. This clarity can be especially challenging using this kind of framework as you have to minimise words to make it readable, which can lead boxes open to interpretation and you have no space to include definitions or other wordy items that would support their use.

The advantage of this sort of framework is that it often clearer to describe a process like this than to do so in words, where you would use many 1000s to cover what is shown in a 1 sided sheet of A4. That said this approach is only good for fairly straight forward processes with highly limited variability. The example below comes from a PHE document and despite how much I appreciate the effort that went into creating it, it is clear how easy it is to produce something that is quite hard to follow as soon as the data becomes complex or too many options are available. I would therefore tend to only use this kind of approach with a fairly linear risk assessment that needs to be circulated widely and does not have a high level of decision recording linked to it.

I thought I would mention here the final version of a risk assessment that I use regularly and that is a discussion based assessment. This tends to come after one of the three frameworks I’ve mentioned above and has a whole complexity in itself, both in terms of the decision making but also the recording process. I think I will cover this more separately as it is a slightly different thing but I thought I would just include the below info graphic. If you are going to go through a discussion based risk assessment process (which I think is important, dependent on complexity, to deal with some of the bias and potential for missed info) it is important to pre determine how those discussions are going to lead to decisions and how those decisions will be recorded. It is endlessly interesting to me that different professions will go into meetings with very different ideas about how decisions are reached and so, especially in an MDT setting, there should be clarity ahead of meeting in order to ensure a fair and equitable process.

Image by Jurgen Appelo

How can we share our risk assessments with others to aid understanding?

We are re-entering a period of ‘normal’ healthcare where instead of us using a command and control approach, where algorithms for risk are determined centrally and based on test and response, individuals are being expected to return to individual risk assessment for patient care. This is fine but there are now a number of members of staff who haven’t experienced this form of risk assessment enough to have the experiential component, even those members of staff who have pre pandemic experience may now lack confidence due to the fear of consequences in this new world where many of the components of the risk assessment have changed. I’m hoping that by sharing some of my thinking on this we will be able to come together and share some of the frameworks that we use to make risk assessments to support learning, build confidence, identify bias and work towards improvement in all that we do.

Here are the links to the other posts I’ve done on risk assessment including the post the podcast above refers to, one on paediatric risks and one on environmental IPC.

All opinions on this blog are my own

One thought on “Delving Into Risk Assessment: Thoughts on how to develop tools that may guide your thinking

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s