Taking Hazard Vulnerability Beyond Healthcare
- Published on December 29, 2009
- Written by BOB FARKAS
For several years the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has required hospitals to ensure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. By incorporating findings from our facilities risk assessment work into an enhanced HVA, we’ve produced an approach that can be used in any environment that critically depends upon its facilities services, such as electric power, heating and cooling, etc.
Although JCAHO does not prescribe any specific approach, the de facto “standard” for this activity since 2001 has been the “Hazard Vulnerability Analysis” (HVA), which was originally developed in response to JCAHO’s request for a “more quantitative risk assessment.” While the existing HVA is useful for auditors looking to confirm minimum compliance, its scope and subjective assessment methodology can be modified to determine how risk mitigation strategies and limited capital can effectively be deployed for maximum benefit.
Standard HVA Model
The existing commonly used model includes specific external and internal events and threats such as flood, electrical failure, terrorism, and chemical exposure defined for natural, technological, human, and hazardous materials risk categories.
A risk score for each event (or threat) within a risk category is computed by scoring probability, types of impact, and mitigating activities. Impact categories include human, property and business impacts, while mitigating activities include preparedness, internal resources, and external resources.
Each probability, impact and mitigation risk factor is assigned a numeric value representing a high, medium or low chance of occurring and magnitude of impact. Mitigation activity scores are reversed (high = 1, medium = 2, low = 3), representing comprehensiveness of the mitigating activity and an offsetting influence on impact. One can also assign zero (0) for factors that are not applicable or have no influence on risk. The probability, impact, and mitigation scores are derived from a qualitative assessment of each factor based on a limited set of general guidelines applied to the personal knowledge, experience(s), subject matter experts, and/or consensus of individual(s) responsible for completing the assessment.
The final risk score of an event/threat, risk = probability x severity, is a percentage obtained by multiplying the probability by the severity, where severity is the weighted average of the six impact and mitigation parameters. By ranking the magnitudes of risk scores, a facility can identify which events pose the highest risk and subsequently which risks need to be addressed. Similarly, a single composite score for each risk category can be computed by multiplying the composite weighted average probability of all events by the composite weighted average of their severities.
Ideally, an HVA could provide more depth and breadth of specificity to more accurately assess risk and to provide actionable information to address those risks. The three noteworthy enhancement opportunities of the traditional HVA encompass:
- The subjectivity by which probability and risk factors are scored: The model lacks standard or objective criteria, or other fact-based data by which to determine a range of probabilities and vulnerabilities in an objective way. Scoring is based on perceptions, personal experience and varying criteria from person-to-person or assessment-to-assessment resulting in an inconsistent methodology and results.
- Impacts, mitigations, and risk events: They may be too general or limited in scope of possible contributing factors. For example, in the technology risk category many factors could contribute to an information system failure event. The single all-encompassing category is too general and doesn’t allow a more granular means by which to identify key factors that could contribute to an IS failure. Similarly, a health care facility with research capability or a manufacturing facility with work-in-progress has no means by which to account for the impact of such a loss, because these items cannot be represented in the existing model.
- The model allows ‘0’ to be assigned to risk factors when a factor is not applicable to an event. This gives numeric weight to that factor when it has no contributing influence on the risk. Including “0” understates the individual event risk, or overall category risk, relative to what it would be if 0 were excluded from the computation. Moreover, the limited three-point scoring scale tends to produce clusters of like risk scores that limit the ability to differentiate the more salient risks.
These issues are not restricted to the HVA. Classic risk assessment, using a 3 x 3 matrix where one axis represents probability and the other represents impact, uses a similar high, medium and low scoring and suffers the same limitations of its subjective approach.
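The zero-inclusion and clustering effects described above, worked through as an added example that is not part of the original article. It assumes equal weights for the six factors and normalization by the top of the scoring scale; the function names and the sample event scores are constructed for illustration.

```python
from fractions import Fraction

# The six impact and mitigation parameters named in the article.
FACTORS = ("human", "property", "business",
           "preparedness", "internal", "external")

def severity(scores, scale=3, exclude_zero=False):
    """Equal-weight average of the factor scores as a fraction of the
    scale maximum (assumption: the article does not give the weights)."""
    used = [scores[f] for f in FACTORS if scores[f] or not exclude_zero]
    if not used:
        return Fraction(0)
    return Fraction(sum(used), len(used) * scale)

def risk(probability, scores, scale=3, exclude_zero=False):
    """risk = probability x severity, both normalized to the range 0..1."""
    return Fraction(probability, scale) * severity(scores, scale, exclude_zero)

def distinct_risk_scores(scale=3):
    """Number of different risk values reachable when probability and all
    six factors are each scored 1..scale (no zeros)."""
    n = len(FACTORS)
    return len({Fraction(p * s, scale * n * scale)
                for p in range(1, scale + 1)        # probability score
                for s in range(n, n * scale + 1)})  # sum of six factor scores

# Constructed sample: an information system failure where three factors
# were judged not applicable and scored 0. Mitigation scores are reversed
# (high = 1, medium = 2, low = 3), so 2 means a medium level of mitigation.
IS_FAILURE = {"human": 0, "property": 0, "business": 3,
              "preparedness": 2, "internal": 2, "external": 0}

if __name__ == "__main__":
    with_zero = risk(2, IS_FAILURE)
    without_zero = risk(2, IS_FAILURE, exclude_zero=True)
    print(f"zeros averaged in : {float(with_zero):.1%}")
    print(f"zeros excluded    : {float(without_zero):.1%}")
    combos = 3 ** (len(FACTORS) + 1)
    print(f"{combos} possible scorings map to "
          f"{distinct_risk_scores(3)} distinct risk values")
```

For this constructed event the three not-applicable factors halve the reported risk, and the three-point scale collapses all 2,187 possible scorings into a few dozen values, which is why events tend to tie.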
The ‘Enhanced’ HVA
Focusing on the technology risk category, our approach to enhancing the HVA is to define a scorecard having a set of contributing factors that influence probability, preparedness and internal response risk factors for each technology event. Each contributing factor has a set of descriptors which define a range of specific unfavorable to favorable criteria by which to assess each factor.
The criteria are assigned values from 1 to 9 indicating a low (not favorable) to high (very favorable) rating. More importantly, the descriptors provide a means by which to identify the source(s) of vulnerability while the larger scoring scale provides greater variability in risk values. The value for each risk factor, previously assigned 1, 2, or 3 based on subjective criteria, is the average of the contributing factor descriptor scores. Zero is excluded in all computations where a contributing factor’s criteria value or a risk factor is not applicable.
Descriptor values are then mapped to a stop light chart where the red (high), yellow (medium), green (low) color scheme readily identifies each technology event’s probability, preparedness and internal response vulnerabilities. The scorecard feeds the HVA, from which we generate a risk matrix depicting the relative risk position of the facilities services in the matrix.
The scorecard and risk matrix provide a powerful tool for evaluating risk and providing actionable results within healthcare to meet JCAHO requirements or to satisfy facility risk objectives for other industries.
Bob Farkas has a background in chemical and metallurgical engineering and has been a senior consultant for Virtual Corporation since 2001. He specializes in conducting BIAs, supply chain and facility risk assessments, and BC program and Sustainable Planner® implementations.