Guidance

Risk Management Policy Foundations

Risk management policy foundations are background elements that express the values, priorities, and policies of an organisation in relation to risk management. They guide the decision-making process and must be in place before the process begins. The following diagram illustrates how the framework is based upon four foundational elements, which are relevant at every stage of the process.

While generally stable, the foundations are reviewed periodically so they can be improved as needed. To establish these foundations, organizations are encouraged to develop an overarching risk management policy that:

• Outlines risk management principles
• Sets out assessment principles
• Offers direction on communicating risk and engaging stakeholders
• Specifies the organisation’s approach to judging risk tolerability

Risk Management Principles

The purpose of risk management is not to eliminate risk but to use resources appropriately to minimise risk. Principles such as those suggested below govern the decision-making process and the actions that flow from decisions.

Beneficence:  Decisions must do more good than harm. Decisions must focus on the safety of donors and patients. The blood supply must be managed cautiously.

Fairness:  Safety decisions must be timely, fair, independent, and sensitive to cultural values. Risks that are unacceptable to society are not imposed, and the risk is distributed as equitably as possible.

Transparency:  The decision-making process must be transparent and accessible to stakeholders and members of the public. People involved in making decisions must declare all relevant conflicts of interest.

Consultation:  Stakeholders must be consulted on relevant issues that affect them or present a significant social concern. The consultation process must give stakeholders an opportunity to provide input.

Evidence and judgement:  Risk management decisions should include an analysis of the risk, possible mitigation options, expected benefits of those interventions, and the impacts and costs of achieving them. This analysis should encompass the best available evidence, coupled with sound judgement.

Practicality and proportionality:  To make best use of society’s limited resources for risk management, the allocation of effort and resources to manage risk should be proportional to the level of risk and potential for risk reduction.

Vigilance:  Management of blood-supply risks requires vigilant acquisition of knowledge, a survey of established and emerging risks, and the application of lessons learned from previous situations. Evolving risk situations must be monitored to identify the need for interventions, understand stakeholder concerns, and assess the effectiveness of risk management measures.

Continuous improvement:  All aspects of blood safety risk management, including risk-reduction strategies, stakeholder engagement, operational efficiencies, cost reduction, and decision-making processes and policies, must undergo periodic review and improvement.

Assessment Principles

Various types of assessments are used to help make decisions about risks.

An initial screening assessment helps you assess the level of risk, relevant ethical concerns, and the urgency of taking action, thus giving you a broad understanding of the issue and decision. It is not a full assessment with detailed risk data, but a “desktop” assessment that can:

• Shed light on the quality of information on a subject
• Help assess the information and resources needed for full assessments
• Help determine the depth of assessments required (in proportion to the magnitude and significance of the risk)
• Confirm which specific assessments would be most useful

Specific assessments may include, among others:

• Blood safety risk assessment (generally considered essential)
• Health economics and outcomes assessment (generally considered essential)
• Operational risk assessment (generally considered essential)
• Contextual assessment: Assessment of issues particular to a situation, such as risk perception, ethical concerns, trust, equity, legal issues, and jurisdictional factors, among others

Some of these assessments will require considerable information gathering and analysis, while others may be shorter and more informal. Each type of assessment has its own set of recognised standards and methods. After all assessments have been conducted, they are integrated into a comprehensive profile of the overall magnitude of risk and the risk/benefit profile of proposed risk management options.

To ensure the value of the assessments, the risk management policy should provide a set of expectations for these assessments, such as:

• Proportionality:  The scope and level of detail of assessments are proportional to the significance of the risk and the decision to be made.
• Timeliness:  Assessment information is provided in a timely manner to decision-makers so they can use the information when they need it.
• Quality of evidence:  Assessments use established, discipline-specific methods of assessing data.
• Characterisation of uncertainty:  Assessments should describe the types and sources of uncertainty and their impact on the assessment results.
• Variability:  Assessments must consider how the risk varies within relevant populations.
• Integration with related analyses:  Individuals responsible for different assessments should communicate to ensure all relevant areas are covered while minimising duplication of effort.
• Transparency and confidentiality:  Assessments that support decisions of primary importance to the public should include consultations with stakeholders and the public. Assessment processes and results should be made available to the public, subject to confidentiality obligations.

Risk Communication and Stakeholder Participation

Overview:  Stakeholders are people or groups with an interest (stake) in an issue. Stakeholder concerns about a risk issue may significantly affect public perception, which in turn can affect blood supply. As such, a risk management policy should include a plan for stakeholder participation. This participation may take the form of two-way consultation or one-way communication.

Consulting with key stakeholders does not mean the organisation gives up the authority to make decisions. When done well, consultation improves the quality of decisions by:

• Keeping decision-makers informed about stakeholders’ concerns and ideas
• Developing relationships between stakeholders and the organisation
• Creating a shared understanding of risk management priorities
• Laying the foundations of trust

By the same token, informing the public about risk issues can prepare society to understand and embrace important decisions.

Best-practice considerations for consultation:

• Stakeholders have a right to be consulted about decisions that affect them and issues in which they have a significant interest.
• Stakeholder consultation is a way to show good faith and accountability.
• The extent of stakeholder involvement depends on the situation.
• Be clear about which aspects of an issue are open to stakeholder input.
• Let stakeholders know how their input was used.
• Even if some stakeholders disagree with a decision, engaging them in the process helps them accept the decision as valid.

Best-practice considerations for communication:

• Explain why risk communication is needed (e.g., emerging risk to public safety, public notification of a recent decision).
• Determine the urgency of the need to communicate risk.
• Specify the intended outcome, time frame, and budgets for the programme.
• Develop core message(s) to be communicated and the evidence behind the message(s).
• Decide on the best form of communication, which may be:
  • Persuasive — communicating a recommendation and its rationale to elicit a specific behaviour; used in urgent situations when the audience needs to understand and follow protective measures, or to encourage adoption of healthy behaviours (e.g., quitting smoking).
  • Informational — enhancing public understanding of an issue without making recommendations, to enable people to make informed decisions (e.g., choice of medical treatment).

Risk Tolerability

Some risks are low enough that they require no management. These are considered acceptable risks. By contrast, a risk is considered tolerable if it is:

• Justified by the benefits gained
• Managed at a level proportional to the risks and benefits
• Fairly distributed to the extent possible
• Undertaken with full knowledge

Risk tolerability is a judgement that a risk is reasonable given the expected benefits of an activity and required resources to manage the risk. Factors that can make a risk less tolerable include:

• Activities without evident benefits
• Risks imposed without adequate consultation or consent
• Risks expected to be managed by an institution
• Risks resulting from incompetence or negligence
• Risks that apply to vulnerable individuals or groups
• Unequal distribution of risks and benefits in society

Risk tolerability principles align with the risk management principles described earlier.

Who determines risk tolerability?  The judgement of risk tolerability is made by the blood operator, usually with consideration of stakeholder and public concerns. The risk managers in the institution make the judgement on behalf of the public, using criteria aligned with the public good. For this reason, blood system operators must combine principles of societal tolerability with stakeholder and public consultations to assess the tolerability of a specific risk.

ALARA principle:  ALARA (as low as reasonably achievable) is a widely used approach to incorporating risk tolerability into risk management. ALARA attempts to achieve the lowest possible risk level with attention to practicality and costs.

ALARA is useful where two fundamental conditions are present:

a) A recognition that an activity involves risk; and
b) The level of risk is weighed against benefits and risk-reduction costs.

Viewed through the ALARA lens, risk tolerability is a continuum that can be divided into acceptable, tolerable and intolerable regions, as shown below.

At one end of the continuum is a region of very low risks, which individuals are expected to accept and which don’t require any interventions. At the other end is a region in which the risk to health is intolerable regardless of other benefits.

Risks that fall in the ALARA region between these two extremes are weighed against benefits, the potential for further risk reduction, and a range of contextual factors. These risks may not be broadly acceptable, but they are deemed tolerable because of the benefits gained and the assumption that the risks have been reduced as much as reasonably achievable.

The ALARA principle offers a solid anchor for making risk decisions. The risk manager is expected to integrate scientific, clinical, and contextual factors into the ALARA approach.

Also embedded within ALARA is the expectation of continual improvement as management methods, technologies, and costs change.

Tolerability thresholds:  Tolerability thresholds determine the zone in which the risk is to be managed. These thresholds are unique to an organisation and should be established as part of its risk management policy. Thresholds may be expressed in numerical terms, qualitative terms, or both. In some cases, it may be necessary to establish separate thresholds for different risk decisions, such as once-in-a-lifetime infusions, chronic infusions, or risk-risk tradeoffs.

Approach:  The approach to risk tolerability adopted in this framework is modelled on the Tolerability of Risk framework developed by the UK Health and Safety Executive. Key features of this approach include the following:

• A structure and process for evaluating risk tolerability against a set of fundamental criteria and a range of ethical and contextual factors.
• Assessment of the risk in relation to established thresholds for lower (acceptable) and upper (intolerable) risk levels. In between these limits is a “tolerable risk” zone.
• To be considered tolerable, risks in the tolerable zone must have been reduced as much as reasonably achievable/practicable.
• Medical, economic, social, and ethical concerns all play into the tolerability of a risk.

The final determination of risk tolerability takes a variety of inputs into account, such as:

• Basic risk management principles
• Results of the assessments conducted in Stage 3 of the framework
• Ongoing consultation with stakeholders

The Risk Tolerability Evaluation Tree can help you situate a risk within the acceptable, tolerable, or intolerable range.