Connecting Incidents to Risk in the Healthcare Enterprise

Going on patrol. Checking locks. Opening doors. Closing doors. Most times, the life of a healthcare security officer is… slow.

Until all of a sudden, it’s not.

A patient with dementia is trying to escape. Or you find an expensive piece of hospital equipment in the parking lot. Or someone in the psychiatric ward is threatening to harm themselves and others. Or you’re doing chest compressions in the emergency ward because there’s simply no-one else who could have helped.

But between the monotony and the chaos lies what some might call the everyday work of security: documenting activities, investigating incidents, and trying to make sense of trends.

That’s hard enough, but if you’re like most security teams, you’re facing increased pressure to decrease the likelihood of serious incidents reoccurring.

The teams that are best able to do that are those who can successfully connect enterprise incident management (EIM) and enterprise risk management (ERM).

Incidents, threats and risks aren’t going away. That means the better you get at managing incidents and connecting them to risk, the more adaptable and resilient your organization will be—and the better you’ll look in the eyes of both your stakeholders and your management.

Incident Management: Connecting—and eliminating—the dots

Incidents often don’t “just happen.” They’re frequently driven by underlying issues. And failing to connect those issues to paint a larger risk picture can lead to a misplaced focus on the symptoms of a problem—not the cure.

For instance, consider the violent patient who regularly needs to be restrained. What could you and your security team do differently if you were able to identify that the patient only needed to be restrained after a particular family member visited?

Using software that is designed to help connect issues to incidents, you’ll be able to:

  • Standardize incident reporting, workflow, dispatching and investigation management—across a single team or dozens of organizations;
  • Intelligently comb through hundreds or thousands of incident reports, identify trends, and plan mitigations; and
  • Leverage greater insight into what’s happening, where it’s taking place, and why it’s occurring to better safeguard against incidents and loss.

When incident recording is tied to issue management, you’ll be able to better plan for incidents, identify and assess risks, and report on your activities.

You’ll prevent more problems from happening, make smarter decisions, more easily capitalize on security opportunities that you might have missed and—importantly—demonstrate to the C-suite that you’re playing an active role in keeping visitors, staff and patients safe

Using incidents to inform risk management

For the most part, incident management is about the past. What happened? Why? Who was involved? What were the consequences?

And even if you’re able to bring your focus into the present—“What’s happening at this very moment?”— a focus on just incidents can’t tell you anything about the future.

That’s where software can help. By moving past incident capture and toward risk analysis, you can:

  • Learn from incidents and work to prevent them from recurring.
  • Increase your organization’s awareness of root causes, as a way of garnering support for stamping them out.
  • Show connections between seemingly unrelated incidents to demonstrate patterns that reveal a larger organizational risk.
  • Provide value to the organization by identifying unrecognized risks and helping stop them at the source.

When you can shift the focus from what actually happened to what may happen, you can help your organization improve its ability to assess, measure, and manage risk—no matter whether it stems from people, processes, systems or external events. And you’ll be able to help your enterprise risk team better deal with threats and capitalize on opportunities.

This is a whole-system view of incidents and risk, one that sees events as a part of a continuum—moving through planning and preparation before an event happens, through response and recover, and then back to planning again with a better knowledge of “what to do next time.”

Operational risk is a serious challenge. And until the mythical day that everyone everywhere is safe, property stops getting lost or damaged, and equipment, processes and systems don’t break down, it will continue to be.

But by using software to properly connect incidents to risk, you can more easily meet that challenge head-on.

Integrating incident management and ERM

Depending on the size of your organization, you may be wrestling with thousands of incidents a year.

Software that could help manage them all makes sense for that reason alone. However, there are also a host of other benefits inherent in an EIM suite.

For example, with software you could:

  • Analyze information and events more effectively, increasing your ability to develop security and response policies and procedures;
  • Standardize responses to issues, whether across your security team or across multiple facilities;
  • Reduce duplication of effort around similar or recurring incidents; and
  • Educate internal departments and the C-suite on your team’s role and the work you do day-in and day-out.

If you’re still using spreadsheets to try to do all that, odds are you’re not getting the insight you need. You could be analyzing incidents and connecting them to risks more quickly, more simply—and more effectively—with software.

And most importantly, although it’s certainly not as critical as keeping visitors, staff and patients safe, there’s another benefit to using incident management software—one that has a direct impact on your ability to do the work you do.

With software, you’ll be able to report better and more detailed information around activities, incidents, trends and mitigations to your organization’s risk and compliance managers. The result? More visibility for your security team, and more worth in the organization.