Discussion 7

The article on IRB this week discusses broad consent under the revised Common Rule. When you are doing any sort of research you are going to need to have your research plan approved by the University’s institutional review board or IRB. If you have never heard of this term before, please take a look online and find a brief summary of what it is about, before you read the article.  

Please answer the following questions in your main post:

• What are the main issues that the article addresses?
• What is the Common Rule?
• How is this issue related to information systems and digital privacy?

At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources from the UC Library. Use proper citations and references in your post.

RESEARCH ARTICLE Open Access

Development of an enterprise risk
inventory for healthcare
Ana Paula Beck da Silva Etges1,2,3*, Veronique Grenon4,6, Ming Lu4, Ricardo Bertoglio Cardoso3,
Joana Siqueira de Souza3, Francisco José Kliemann Neto3 and Elaine Aparecida Felix5

Abstract

Background

: The first phase of an enterprise risk management (ERM) program is the identification of risks. Accurate
identification is essential to a proactive and effective ERM function. The authors identified a lack of such risk
identification in the literature and in practical cases when interviewing the chief risk officers from healthcare
organizations. A risk inventory specific to healthcare organizations that includes detailed risk scenarios and risk
impacts currently does not exist. Thus, the objective of this research is to develop an enterprise risk inventory for
healthcare organizations to create a common understanding of how each type of risk impacts a healthcare
organization.

Method: ERM guidelines and data from 15 interviews with chief risk officers were analyzed to create the risk
inventory. The identified risks were confirmed through a survey of risk managers from a range of global healthcare
organizations during the ASHRM conference in 2017. Descriptive statistics were developed and cluster analysis was
performed using the survey results.

Results

: The risk inventory includes 28 risks and their specific risk scenarios. Cyberattack was ranked as the principal
risk by the participants, followed by sentinel events and risks associated with human capital management
(organizational culture, use of electronic medical records and physician wellness). The data analysis showed that the
specific characteristics of the survey participants, such as the length of time working in risk management, the size
of the organization, and the presence of a school of medicine, do not impact an individual’s opinion of the
importance of the risks identified. A personal background in risk management (clinical or enterprise) was a
characteristic that showed a small difference in the perceived importance of the risks from the proposed risk
inventory.

Conclusion

s: In addition to defining specific risk scenarios, the enterprise risk inventory presented in this research
can contribute to guiding the risk identification phase of an ERM program and thereby support the development of
a risk culture. Patient data security in hospitals that operate with high levels of technology is fundamental to
delivering high quality and safe care to patients. At the top of the risk ranking, the identification of cyberattacks
reflects the importance that healthcare risk managers place on this risk by allocating time and other resources.
Exploring opportunities to improve cyber risk management and evaluating the benefits of using the risk inventory
at the beginning of the risk identification phase in an ERM program are suggestions for future studies.

Keywords: Enterprise risk management, Healthcare management, Risk inventory, Healthcare, Risk identification, Risk
analysis

* Correspondence: anabsetges@gmail.com
1School of Technology, PUCRS, Avenida Ipiranga, 6681, Porto Alegre
90619-900, Brazil
2National Health Technology Assessment Institute, CNPq, Porto Alegre, RS,
Brazil
Full list of author information is available at the end of the article

© The Author(s). 2018 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0
International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and
reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to
the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver
(http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.

Etges et al. BMC Health Services Research (2018) 18:578
https://doi.org/10.1186/s12913-018-3400-7

http://crossmark.crossref.org/dialog/?doi=10.1186/s12913-018-3400-7&domain=pdf

mailto:anabsetges@gmail.com

http://creativecommons.org/licenses/by/4.0/

http://creativecommons.org/publicdomain/zero/1.0/

Background
Enterprise risk management (ERM) programs have been
implemented in organizations across various industries
with the aim of minimizing the negative effects of uncer-
tainty in achieving corporate objectives while at the
same time promoting its potential positive effects [1, 2].
As stated in the most recent guidelines, ERM programs
facilitate strategy selection. Choosing a strategy calls for
a structured decision-making process that analyzes risks
and aligns an organization’s resources with its mission
and vision [3]. In the healthcare industry, the ERM
process has been explored by risk managers to improve
the organizational value creation process and develop a
safer environment [4, 5].
ERM guidelines, including ISO 31000 [6, 7] and COSO

[3, 8], outline an ERM process that includes several
common phases: identification, analysis, assessment,
monitoring and control. Adequately performing the first
phase, risk identification, is a requirement to build a
proactive and effective ERM process [9, 10]. In the same
way that Cox’s (2008) [11] research explores how risk
matrices can be used in the ERM process during the risk
analysis phase, this research takes a deep dive in the risk
identification phase. The ability to identify and define
risks correctly is indispensable to subsequently enable
the effective use of risk analysis tools [10, 12].
The risk identification process needs to be proactive,

to involve multiple employees, and to create value for
and protect the organization [13, 14]. In previous re-
search that explored how ERM is conducted in health-
care organizations, it was established that the guidelines
that currently exist are not practical because they only
include a list of risk domains [12]. The development of
an enterprise risk inventory that includes specific risk
events, details of the risk scenarios and descriptions of
how each risk impacts the organization was identified as
a gap for healthcare organizations.
The guidelines by the Committee of Sponsoring Orga-

nizations of the Treadway Commission (COSO) were
the first to define risk factors by industry, but they do
not explore risk events in detail. In 2014, the American
Society of Healthcare Risk Management (ASHRM) pro-
posed risk domains for healthcare organizations, but
again, risk events and scenarios are not described in de-
tail [15]. Other institutions, such as Healthcare Insur-
ance Reciprocal of Canada (HIROC) [16] and the
National Health Service in England (NHS) [17] have de-
veloped risk taxonomies that include clinical risks and
enterprise risks. In 2014, AON Corporation published
the Healthcare Industry Report [18] based on collabora-
tive research with various healthcare organizations that
proposed ten common healthcare risks: regulatory/legis-
lative changes; failure to attract or retain top talent; eco-
nomic slowdown/slow recovery; increasing competition;

damage to reputation/brand; failure to innovate/meet
customer needs; lack of technology infrastructure to
support business needs; political risk/uncertainties;
workforce shortages; and cash flow/liquidity. Unfortu-
nately, and similar to other existing guidelines, this re-
port does not define each risk in sufficient detail for
multiple individuals in an organization to have a com-
mon understanding of the risks the organization faces.
This means that every healthcare organization must de-
velop its own enterprise risk identification process.
The authors previously interviewed 15 hospital risk of-

ficers from Brazil and the USA and presented a novel
model for healthcare risk management, the Economic
Enterprise Risk Management innovation program for
healthcare: E2RMhealthcare [19]. This previous research
identified qualitative differences in individual risk per-
ception capabilities among risk managers from large and
small hospitals based on personal background and
whether the hospitals were associated with a school of
medicine. To complement the published model, the au-
thors reviewed the data again and conducted a new sur-
vey in order to develop an enterprise risk inventory for
use at the beginning of the risk identification phase.
Thus, the main objective of this paper is to develop an

enterprise risk inventory for healthcare organizations in
order to create a common understanding of how each
type of risk impacts a healthcare organization. Addition-
ally, it aims to determine whether the length of time
working with ERM, the number of employees at the hos-
pital and the presence of a school of medicine impact
the perceived importance of the enterprise risks
identified.

Methods

This study can be classified as exploratory, as it analyzes
the literature and data collected from interviews to in-
crease the knowledge about ERM [20]. Thus, a survey
was constructed and administered, data from the survey
responses were collected, and a quantitative analysis was
performed. Figure 1 illustrates the three phases: survey
development, survey application and data analysis.

Survey development
To construct the survey, two steps were taken. First,
data from 15 interviews with risk professionals from
various healthcare organizations in Brazil (7) and the
United States (8) were analyzed. Hospitals in Brazil were
identified using a list from the magazine America Econo-
mia (2014) as “the best hospitals in Latin America”.
JCI-accredited hospitals and hospitals with risk manage-
ment teams in their management structure were selected
and contacted. US hospitals with national quality accred-
itations as well as established risk management teams
were also contacted. Data from a ninth US hospital,

Etges et al. BMC Health Services Research (2018) 18:578 Page 2 of 16

however, were not included due to incompleteness,
which prevented comparisons. The resulting sample was
heterogeneous, as it included data from different types
of organizations: private and public hospitals, academic
and non-academic hospitals, and a range of sizes. The
main characteristics of the healthcare organizations
interviewed are presented in Additional file 1. Second,
the content of the guidelines developed by COSO (2007)
[8], ASHRM (2014) [15], HIROC (2014) [16], NHS
(2008) [17] and AON (2014) [18] were assessed, as they
were mentioned by the interviewees as being important
to the creation of their ERM programs.
The software NVIVO was used to analyze the com-

bined content of the interviews and guidelines. The re-
searchers used the software to identify the risks listed by
the interviewees to develop a first enterprise risk inven-
tory list based on repetition of the risks by the inter-
viewees and the literature. In sequence, two external risk
management consultants, one Brazilian and the other
from USA, both of whom had more than 10 years of ex-
perience in healthcare risk management, discussed the
risk inventory with the two first authors of this study.
The inventory was agreed upon by the authors,

including the name of the risk, the concept that it de-
scribed, and a detailed risk scenario. The risk scenarios
considered real examples that occurred in recent years
in hospitals throughout the world that were shared on
global media.
Subsequently, the survey was built using the Qualtrics

platform. The survey was made available online, and the
participants were asked to choose if they strongly agree,
somewhat agree, neither disagree nor agree, somewhat
disagree or strongly disagree when asked about the im-
portance of each risk identified. The complete question-
naire can be found in Additional file 2 through an
online link.

Survey application
A stratified approach was used to calculate the mini-
mum number of surveys that needed to be completed.
Two variables for stratification were defined: length of
time working in risk management and type of risk man-
agement (clinical or enterprise). These variables were se-
lected based on the results presented by Etges et al. in
previous research [19]. The 15 interviews were analyzed
to develop an ERM model oriented toward healthcare

Fig. 1 Research methods

Etges et al. BMC Health Services Research (2018) 18:578 Page 3 of 16

organizations. The model also presented the differences
between clinical and enterprise managers and those re-
lated to length of working time in risk management. For
each stratum variable, two classes were identified:
(stratum 1) number of years working in risk manage-
ment – less than 7 years and more than 7 years; and
(stratum 2) type – clinical risk management and enter-
prise risk management. The total number of strata is
therefore four. To calculate the minimum number of
questionnaires per group, a normal distribution was
used. The formula to calculate the number of question-
naires per group is defined in eq. 1:

n ¼ Z2α
2

CV 2

ER2
ð1Þ

Z2α
2
= significance level to be applied in the estimation;

CV2 = coefficient of variation;
ER2 = the permissible relative error, that is, the per-

centage error in the estimate that we were willing to
accept.
Assuming a significance level of 5%, Z2α

2
¼ 1:96, with a

moderate CV and a low ER, we calculated 16 completed
surveys per group and a total of 64 completed surveys
for the four groups combined.
In October 2017, the American Society of Healthcare

Risk Management’s annual conference took place in Se-
attle. The survey was distributed at the conference dur-
ing ERM workshops and at the exhibit hall, where only
people participating in the conference had access. In
parallel, emails were sent to various healthcare risk pro-
fessionals in Brazil and United States who worked at ter-
tiary hospitals and occupied a risk management position.
The survey was open from October 10, 2017 to January
5, 2018.

Data analysis
The survey data were extracted from Qualtrics and ana-
lyzed using SPSS and Microsoft Excel software. The de-
scriptive statistical analysis was used to create a risk
ranking and analyze differences between the strata. The
risk ranking was first analyzed based on the Likert scale.
The second, third and fourth analyses utilized a binary

reference. The answers “strongly agree” and “somewhat
agree” were classified as agreeing that the risk is an im-
portant enterprise risk in the healthcare industry. The
answers “strongly disagree”, “somewhat disagree” and
“neither agree nor disagree” were classified as not agree-
ing that the risk is an important enterprise risk in the
healthcare industry. The second analysis combined dif-
ferent sample strata (time working in risk management
and type of risk management background, clinical or en-
terprise). The third analysis compared the survey results
between participants who worked in organizations with

more than 1000 employees to those who worked in or-
ganizations with fewer than 1000 employees. The fourth
analysis compared the participants’ opinions from orga-
nizations with and without a school of medicine.
Cluster analysis was performed to allocate the risk

professionals to groups based on their answers regarding
the perceived importance of each risk. The cluster classi-
fication was performed in the software SPSS in two steps
following Favero et al. (2009) [21]. First, the hierarchical
algorithm nearest neighbor was applied to the data,
which enabled the number of clusters to be defined
through an analysis of the resulting dendrogram. Sec-
ond, based on the number of clusters previously defined,
the non-hierarchical algorithm K-means was used to es-
tablish the members of each cluster. The nearest neigh-
bor algorithm used the Euclidian distance as the
distance measure, while the K-means algorithm used the
square of the Euclidean distance. Additionally, the
K-means algorithm was configured to (i) use random
seeds when defining the initial centroids, and (ii) repeat
the analysis 100 times and return the most frequent
result.

Results
The results are presented below. First, the development
of the survey and the risk inventory are explained. Sec-
ond, the survey application is described, and finally, the
data from the survey responses are analyzed and
discussed.

Survey development: risks and origin
Twenty-eight risks were selected for inclusion in the risk
inventory. Table 1 below shows the risks that were iden-
tified for each guideline. Five additional risks were
added: disputes with insurance companies regarding re-
imbursements; security – active shooter; financial batch
claim emanating from reimbursement reforms; use of
social communication networks; and union strikes.
A document that includes risk descriptions, risk sce-

narios, and risk impacts was developed to constitute the
healthcare enterprise risk inventory. One of the objec-
tives of the inventory was for the interviewees to have a
common understanding of each risk so that meaningful
results and comparisons could be obtained. Another ob-
jective of the risk inventory was to educate risk man-
agers and other interested professionals. The complete
risk inventory is presented in Additional file 3 through
an online link.
One concern that was raised in the interviews with the

risk managers related to the lack of a common definition
of a defined risk. The ERM guidelines currently in place
do not offer sufficiently detailed definitions to allow for
proper comparisons. For example, regarding the risk of
fraud, stealing money from Medicare is fraud, but taking

Etges et al. BMC Health Services Research (2018) 18:578 Page 4 of 16

a photograph of a medical record is also fraud. With no
explicit definition, individuals may think of the risk of
fraud in different ways. A large organization must create
a taxonomy to develop a common understanding of
identified risks. The risk inventory created should help
guide risk managers and other users from different
levels, backgrounds, positions, and locations. In addition,
if different organizations use the same inventory, it will
be possible to develop risk benchmarks around the busi-
ness aspects of healthcare.
Another new element that the risk inventory provides

is the association of each risk with the dimension that
the risk impacts. The dimensions used are the patient,
for risks that impact the patient’s care or the patient’s
family; financial, for risks that impact the organization’s
finances; legal or regulatory, for risks that are associated
with lawsuits or regulations; reputation, for risks that

can impact the hospital’s image; and social, for risks that
can affect the region around the hospital or a large num-
ber of people.
Finally, the risks are categorized by group using the

ASHRM domains and COSO factors as guidelines. The
groups are important for the risk analysis and risk as-
sessment phases. Table 2 below lists the enterprise risk
events, their groups, the risk descriptions and the impact
dimensions.

Survey application
After the risk inventory was completed, the survey was
developed. For each risk, the participants were asked if
they strongly disagreed, somewhat disagreed, neither dis-
agreed nor agreed, somewhat agreed or strongly agreed
that the risk is an important enterprise risk in the
healthcare industry. The survey was anonymous. To

Table 1 Risk inventory origin

# Risks Guideline and participants

COSO ASHRM HIROC NHS AON Participants

1 Board governance – poor communication or lack of direction x x

x

x

2 Business Interruption Due to Natural Catastrophe

x

x x

3 Clinical batch claim

x x x

4 Conflicts due to organizational hierarchy

x x x x

5 Cyber security x

6 Deficiency in development of technology and innovation x x x x

7 Dependence on insurance companies x

8 Dispute with insurance companies on reimbursements x

9 Electronic Health Record (EHR) x x

10 Environment Protection Agency or similar x

11 External media communication x x x

12 Financial batch claim emanating from reimbursement reform x

13 Fraud committed by a provider x x x x

14 Government instability x x x

15 Loss of accreditation x x

16 Non-compliance with laws and regulations x x x x

17 Loss of Occupational Safety and Healthcare Administration (OSHA in USA) x x x

18 Organizational culture

x x x x x

19 Physician wellness x x x

20 Relation between the School of Medicine or Residency program and hospital x

21 Active Shooter x

22 Sentinel events x x x

23 Supply chain x x

24 Talent retention x x x x

25 Terrorism x x

26 Unethical conduct x x x x

27 Union strike x

28 Use of social communication networks x

Etges et al. BMC Health Services Research (2018) 18:578 Page 5 of 16

Table 2 Risk inventory – group and impacts

Risk impact

Risk Risk group Short description Patient Financial Reputation Legal Social

Board governance – poor
communication or lack of
direction

Financial Relationship with shareholders and the board of the
organization; transparency in the information and results,
capacity to prosecute governance. Mergers and
Acquisitions. Conflict of Interest

x x

Business Interruption Due to
Natural Catastrophe

Operational Occurrence of internal or external events, which make it
impossible for an organization to maintain its critical
activities. Natural disasters must be allocated to this
event. Earthquake or Hurricane.

x x x

Clinical batch claim Clinical With the increase of technologies and multiples
techniques applied to patient to treat diseases, the batch
claims have increased in size and frequency. Batch claims
are frequently related to poor delivery of clinical service.

x x x x

Conflicts due to
organizational hierarchy

People Responsibilities, leadership and respect among the
employees and functions. The relationship between the
decision-making process and hierarchy. The medical hier-
archy needs to be balanced in favor of teaching, learning
and patient safety rather than the exercise of power
(WALTON, 2006).

x

Cyber security Information
Technology

Invasion of an internal or external hacker that causes
damage to the information security of the organization
or its operational capacity. The use of ransomware is
frequently present.

x x x x x

Deficiency in development of
technology and innovation

Clinical Lack of technologic innovation or development of
innovations that do not meet the organization’s needs. It
is related organization’s ability to possess, dominate and
use technological resources that have an effect on its
operations. Effects on the quality of clinical procedures
and patient experience, as well as valuation of the
institution towards insurers can be perceived.

x x x

Dependence on insurance
companies

Financial Negotiations with one health insurance company that
accounts for 30% of the billing. The insurance company
wants to reduce reimbursements for many medical tests
and procedures.

x x

Dispute with insurance
companies on
reimbursements

Financial An insurance company disputes the drugs, devices, or
procedures used by the providers and hospital. The
insurance company denies coverage.

x x x

Electronic Health Record
(EHR)

Information
Tecnology

Difficulty in obtaining information due to error in
communication, loss of processing power or difficulty in
operating the Hospital’s system.

x x

Environment Protection
Agency or similar

Compliance Government agency comes to investigate and fines the
hospital or a department of the hospital.

x x x x x

External media
communication

Information
Tecnology

Healthy external marketing and media communication
about the hospital and close relations. Organizational
information being shared before the formal process and
department of the hospital. The information timing can’t
be the correct, or the information credibility can cause
future problems.

x x x

Financial batch claim
emanating from
reimbursement reform

Political Financial risk for healthcare organizations associated with
bundled services or healthcare outcomes.

x x x

Fraud committed by a
provider

Financial Insurance plan fraud committed by a doctor or a group
of doctors through prescriptions. In addition, important
medicines or equipment stolen from the hospital can
also be considered like a fraud.

x x x x x

Government instability Political Reduction in the country’s healthcare budget x x x

Loss of accreditation Compliance Loss of an important certification or accreditation. x x x x

Non-compliance with laws
and regulations

Compliance A clinical trial is taking place without the proper
Institutional Review Board (IRB) approval. Patients die

x x x x x

Etges et al. BMC Health Services Research (2018) 18:578 Page 6 of 16

create strata and analyze the responses, additional
questions were asked to determine the credentials of
the participants and the type of institution in which
they work. The questions were used to determine the
participants’ position, years working in that position,
number of employees in the company, and whether a
school of medicine was present. This information was
used to develop the sample strata. Figure 2 presents
an example of the risk questions on the platform.
A total of 69 risk professionals started the survey,

and 53 completed surveys were obtained during the
period of study. This sample did not reach our 5%
confidence interval target; however, it is still under

the 10% confidence interval (required sample size of
44 participants).

Data analysis
The survey data were exported to a CSV file, and the
software SPSS was used to conduct the analysis. A total
of 28 participants believed that their organization had a
very or moderately effective ERM program. Thirty-eight
participants worked in non-for-profit organizations, and
35 were from organizations with a school of medicine or
a residency program. Twenty-seven participants were
chief risk officers or executive professionals, and 26 were
clinical risk managers. A total of 19 participants had

Table 2 Risk inventory – group and impacts (Continued)

Risk impact
Risk Risk group Short description Patient Financial Reputation Legal Social

while part of the research.

Loss of Occupational Safety
and Healthcare
Administration (OSHA in
USA)

Compliance The effect that working laws represent in how
employees are being contracted. Any change in the
formal orientations represent an effect for the hospital
management.

x x x

Organizational culture People The healthcare organization needs to be able to share
and implement its culture among all the employees.
New and old employees need to work conducted by the
same values and principles independently of their own
religion or origins.

x

Physician wellness People 50% rate of burnout amongst physicians discovered after
taking a physician wellness survey that measures burnout
and professional fulfillment.

x x x

Relation between the School
of Medicine or Residency
program and hospital

Clinical Interface between the SoM and the health service that
may lead to interference of the university model to the
business or, on the other hand, value the institution due
to the teaching quality.

x x x

Active Shooter Operational Assault and active shooter threats to patients, families
and hospital employees.

x x x x

Sentinel events Clinical Sentinel events, near miss events, incidents or medical
error that can cause lawsuit.

x x x x

Supply chain Operational Materials and equipment control and management.
Political problems with countries that supply resources
for hospitals.

x x x

Talent retention People Loss of a team of providers that are specialized in certain
types of procedures. It can happen in function of bad
recruitment processes, or bad human resources
management.

x x x x

Terrorism Political Terrorism attack close to the hospital. x x x x x

Unethical conduct Operational Problems related with unethical employee conduct
whether or not involving patients. Personal information,
images or objects can be used without the approval of
patient. Internal problems between employees can result
in organization impact.

x x x x x

Union strike Political Union strikes among different classes of employees that
can affect the hospital capacity to be operated.

x x x x

Use of social communication
networks

Information
Tecnology

Problems with confidential information being
communicated through social media. A VIP: executive,
actor, etc. Information is released on Facebook, what’s
app or other.

x x x x

Total/impact 26 22 18 15 15

Etges et al. BMC Health Services Research (2018) 18:578 Page 7 of 16

worked fewer than 7 years in risk management, and 34
had more than 7 years’ experience working in risk man-
agement. Finally, 26 participants worked in organizations
with fewer than 1000 employees, and 27 worked in orga-
nizations with more than 1000 employees.
The first analysis aimed to develop a ranking of the 28

risks. Figure 3 shows the risk ranking ordered by the
perceived level of risk importance. The y-axis refers to

the frequency with which each risk was identified, and
each color bar shows one of the alternative choices.
Cyber security was ranked first, which highlights the

importance that risk managers have placed on cyber is-
sues. The second highest ranked risk was “sentinel
event”. This result was expected, given the number of
international regulations and rules to monitor and con-
trol sentinel events.

Fig. 2 Risk inventory survey example

Fig. 3 Risk ranking according to the 53 participants

Etges et al. BMC Health Services Research (2018) 18:578 Page 8 of 16

The sentinel events, unethical conduct, organizational
culture, and conflicts due to organizational culture risks
demonstrate the importance of employee management
in the healthcare industry. These risks are associated
with an organization’s ability to manage human capital
in alignment with respect for the values, rules and objec-
tives established by organizational leaders.
The second analysis (Fig. 4) shows the differences in

the answers for the four groups representing the strata
detailed in the methods section. The y-axis represents
the percentage of each group that agree that the risk is
an important enterprise risk: i) chief risk officers with
more than 7 years working in risk management, 18 par-
ticipants; ii) chief risk officers with fewer than 7 years
working in risk management, 9 participants; iii) clinical
risk managers with more than 7 years working in risk
management, 10 participants; and iv) clinical risk man-
agers with fewer than 7 years working in risk manage-
ment, 16 participants.
Figure 4 shows that chief risk officers tend to agree

more than clinical risk managers regarding the risks that
they consider to be important. The average percentage
in which chief risk officers answered that they strongly
agreed or somewhat agreed on the importance of each
risk was 83% (the blue and orange bars in Fig. 4). In
contrast, the percentage for clinical risk managers was
73% (the gray and yellow bars in Fig. 4). When consider-
ing the type of risk management, the difference in the
average percentage with regard to years of experience is
small: 76% for more than 7 years and 78% for fewer than
7 years working in risk management.

The results shown in Fig. 5, the third analysis, are
similar to those in the second analysis. The y-axis repre-
sents the percentage of participants from each group
that agree that the risk is important. The figure shows
that the size of a healthcare organization has no impact
on risk professionals’ perception of risks: the average
percentage in which participants from organizations
with fewer than 1000 employees (27 participants) an-
swered that they strongly agreed or somewhat agreed on
the importance of each risk was 77% (yellow bar). On
the other hand, the same percentage for the group from
companies with more than 1000 (26 participants) em-
ployees was 76% (gray bar).
With regard to the presence of a school of medicine, it

is possible to identify small differences in the percep-
tions of risks between the two groups. In general, the
managers from organizations without a school of medi-
cine or residency program (18 participants) tend to agree
slightly more about the importance of each risk than
those with a school of medicine or residency program
(35 participants), on average 6% more. However, for the
following risks, the opposite is true, i.e., those who work
in an organization with a school of medicine or resi-
dency program agree more about the importance of the
following risks: security – active shooter, government in-
stability, use of social media networks, deficiency in de-
veloping new technology and innovation, relation
between the school of medicine and hospital and union
strikes. Figure 6 shows the results, with the y-axis indi-
cating the percentage of participants who agree about
the importance of the risk from each group.

Fig. 4 Type of risk management and time working in risk management

Etges et al. BMC Health Services Research (2018) 18:578 Page 9 of 16

The cluster analysis defined four different groups, as
shown in Table 3.
The K-means algorithm was used to establish which

participants were included in each of the four clusters.
Table 4 shows the results.
Clusters 1 and 2 include 92% of the sample. The

remaining 8% is divided among cluster 3 (one member)
and cluster 4 (three members). Case 6 is a single mem-
ber of cluster 3, which can be explained by the fact that
the individual is a health insurance broker focused on
clinical insurance. The members of cluster 4 are clinical

risk managers working in not-for-profit companies with
established ERM processes.
Subsequently, ANOVA was used to identify which

questions had statistical significance to the establishment
of participant group membership. Table 5 presents the
results.
Table 5 shows that only 13% (7) of the questions were

not significant to the identification of cluster members.
This result indicates that the risks integrated in the en-
terprise risk inventory captured each risk’s perceived im-
portance during the survey application because the

Fig. 5 Differences between participants from hospitals with fewer and more than 1000 employees

Fig. 6 Differences between participants working in organizations with and without a school of medicine

Etges et al. BMC Health Services Research (2018) 18:578 Page 10 of 16

analysis indicates that the majority of the risks were sig-
nificant to the cluster formation.
Furthermore, the final analysis shows that all 28 risks

were confirmed through the survey. More than 50% of
the managers somewhat agreed or strongly agreed that
all the risks are important enterprise risks in the health-
care industry, and this percentage is higher than 70% for
20 risks (all risks above and including loss of occupa-
tional safety and healthcare administration in Fig. 7).
This represents an important advance in healthcare risk
research and for practical application. Figure 7 shows
the results, with the y-axis indicating the percentage of
participants who agreed or disagreed that the risks are
important.
The final analysis was performed to examine the free

text written by the participants in response to an add-
itional comments question. One item was mentioned by
many participants: the importance of managing the im-
pact of a hospital’s external image. The risk inventory
does not include reputation as a risk but rather as an
impact. However, two additional risks were reported.
First, the participants mentioned investments in out-
patient care and their connection to the hospital’s cap-
ability to deliver a positive patient experience. The
second risk mentioned was the growth in healthcare
technology that has enabled home healthcare through-
out the world. This risk impacts the support patients re-
ceive from the hospital after hospitalization.

Discussion

ERM is applied across the board and is subject to the
strategic positioning of organizations, which have the
autonomy to manage processes and provide informa-
tional support when making strategic decisions [12].
When conducting ERM program, it is important that
employees with different expertise and from different
positions work together to incorporate the specific char-
acteristics of the market in which the program will be
implemented [10, 12, 22]. Therefore, it is particularly im-
portant for individuals with diverse expertise and experi-
ence to have a common understanding and specific
definitions of risk events [11]. The results of this study
show that having a personal background in risk manage-
ment (clinical or enterprise) was a characteristic that

showed a small difference in the perceived importance
of the risks from the proposed risk inventory. These re-
sults highlight the necessity for clinical risk managers to
work closely with chief risk officers to create a risk cul-
ture across the entire organization [9, 12, 23]. The length
of time working in risk management and the number of
employees in an organization do not show substantial
differences with regard to the answers in Figs. 4 and 5.
The cluster analysis also confirmed these results, as par-
ticipants’ background had no influence on cluster mem-
bership. Both types of backgrounds were found in
participants in all 4 clusters.
With regard to the small difference in how risk man-

agers from organizations with and without a school of
medicine agree with the risk results, an argument made
during the first phase of the interviews (15 managers)
deserves attention. A possible explanation is that organi-
zations associated with schools of medicine are more ex-
posed to students posting on social media than
organizations that have formal contracts with employees
[24]. Additionally, schools of medicine connect organiza-
tions to government funding, which can lead to instabil-
ity. Hospitals associated with schools of medicine and
residency programs also must contribute to research and
innovation capability [25].
When ASHRM started to include ERM in its own

principles in 2011, one objective was to connect ERM
concepts from other industries to the traditional risk
management concepts present in healthcare organiza-
tions [26]. The developed risk inventory innovates in the
risk identification phase of ERM by highlighting ways
that enterprise risks affect patient care. Of the 28 risks
identified, 26 can impact patient care or the patient’s
family. ERM teams in healthcare organizations need to
develop transparent processes that include the clinical
impact of risks, irrespective of whether the initial risk
event was clinical. This approach would help make pa-
tient care and the patient experience the focus to guide
the strategic decision-making process.
With regard to the other characteristics explored

among the study participants, it is possible to assume a
near consensus regarding risk perceptions independent
of the type of risk management performed or the length
of time working in risk management, as demonstrated
by the cluster analysis. Although we were not able to
identify participant characteristics that lead to member-
ship in clusters 1 and 2, the presence of clinical risk
managers, chief risk officers, and employees with differ-
ent levels of experience working in risk management led
us to conclude that the length of time working in risk
management as well as the participants’ background had
no influence on cluster membership. Therefore, as the
previous descriptive statistics analysis suggests, it is pos-
sible to assume that risk perceptions are not directly

Table 3 Number of cases per cluster

Number of cases in each cluster

Cluster 1 15.000

2 34.000

3 1.000

4 3.000

Valid 53.000

Missing .000

Etges et al. BMC Health Services Research (2018) 18:578 Page 11 of 16

associated with the length of time working in risk man-
agement and the type of risk management performed
(clinical or enterprise). This result can be explained by
the fact that a risk manager in a healthcare organization
is involved in many areas: accounting, actuarial sciences,
the healthcare business, information technology, and
people management, among others [9, 12]. Thus, the
organizational structure does not greatly affect the way
that risk managers think about risk. Some participants
reported that it is individuals’ responsibility to stay
current on the innovations in risk management and to
be completely engaged in the cause.
Cyberattack-related risk was identified as the num-

ber one enterprise risk for healthcare organizations,
and this result is supported by the attention and in-
vestment allocated to combatting hackers. The last re-
port developed by AON suggests that healthcare
organizations are increasingly purchasing data breach
coverage to protect their sensitive patient information
[27]. This is mainly driven by the HIPAA legislation,
which outlines data privacy and security provisions
for safeguarding medical information and that now
holds organizations responsible in the event of a
breach [27].
The year 2017 will be remembered for the large

number of cyberattacks targeting healthcare organiza-
tions. Hackers accessed hospital databases throughout
the world, interrupting operations and stealing data
from millions of patients and thousands of companies.
The National Health Service in England and Scotland
announced in May 2017 that it would spend
€60,000,000.00 per year on the NHS’ cyber system to
improve its security [28]. By August 2017, the health-
care sector reported 233 breach incidents to the US
Department of Health and Human Services in which
more than 3.16 million patient records were breached
[29]. These events align with the results found in this
research and justify the investments in research and
the dollars spent to improve information systems to
keep hospital data safe.

Table 4 Cluster membership

Case number Cluster Distance

17 4 7.659

21 4 9.309

23 4 7.394

6 3 .000

2 2 8.886

4 2 6.735

5 2 9.196

7 2 6.615

8 2 5.874

9 2 6.131

10 2 6.537

11 2 6.927

12 2 8.148

13 2 8.315

14 2 8.841

15 2 7.964

16 2 6.633

18 2 5.666

19 2 7.694

20 2 12.066

24 2 8.969

26 2 7.694

27 2 7.179

30 2 11.298

32 2 7.398

34 2 6.769

39 2 11.399

41 2 5.686

42 2 9.645

43 2 5.366

44 2 7.195

46 2 10.550

47 2 6.422

50 2 5.461

52 2 6.633

53 2 6.242

37 2 8.783

38 2 9.007

1 1 10.223

3 1 11.056

22 1 13.069

25 1 8.844

28 1 9.005

29 1 10.025

Table 4 Cluster membership (Continued)

Case number Cluster Distance

31 1 9.911

33 1 7.960

35 1 12.624

36 1 10.444

40 1 9.997

45 1 9.036

48 1 7.046

49 1 7.779

51 1 11.854

Etges et al. BMC Health Services Research (2018) 18:578 Page 12 of 16

Patient data security in hospitals that operate with
high levels of technology is fundamental to delivering
high quality and safe care to patients. The identification
of cyberattacks at the top of the risk ranking reflects the
importance that healthcare risk managers are placing on
this risk by allocating time and other resources.
Sentinel events are a specific characteristic of health-

care organizations, which have been encouraged by
international institutions such as JCI to reduce sentinel
events through safety and quality practices [30, 31]. Hu-
man errors represented a starting point for advances in
the clinical risk management literature since the publica-
tion of To Err is Human [32] and “Crossing the Quality
Chasm” by the Institute of Medicine [33]. These publica-
tions suggest that between 3.7–16.7% patients suffer an
adverse event, and it is estimated that a half of these
events could be prevented through better risk manage-
ment practices. These events and the attention paid to

this issue by international institutions were highlighted
during this research, as the participants confirmed the
importance of all risks associated with employee man-
agement and human relations in healthcare
organizations.
Addressing clinical teams’ emotional exhaustion is es-

sential to ensuring a high level of patient safety [34]. In-
deed, Wallace et al. [35] concluded that physician
wellness might not only benefit the individual physician,
it could also be vital to the delivery of high-quality
healthcare. The authors suggest that physician wellness
may be an organizational indicator of quality [35]. The
sequence of risks noted as important in the survey, in-
cluding unethical conduct, the organizational culture,
and conflicts due to the organizational culture are asso-
ciated human capital management. The fact that health-
care organizations are sustained by human capital is
clearly an important issue for risk management [25].

Table 5 Analysis of variance of cluster members

Questions Cluster mean square df Error mean square df F sig.

Clinical Batch Claim 27.262 3 2.234 49 12.204 .000

Conflicts Due To Organizational Hierarchy 28.863 3 2.493 49 11.577 .000

Dependence on health insurance 47.235 3 2.074 49 22.777 .000

Dispute with insurance companies in reimbursement 33.268 3 2.987 49 11.136 .000

Environmental protection agency 32.966 3 3.428 49 9.617 .000

External media communication 16.074 3 2.019 49 7.960 .000

Fraud commited by a provider 67.311 3 2.077 49 32.411 .000

Non-compliance with laws and regulations 20.580 3 1.552 49 13.257 .000

Loss of occupational safety and healthcare administration (OSHA in USA) 23.920 3 3.024 49 7.911 .000

Physician wellness 16.601 3 1.559 49 10.650 .000

Sentinel event 16.908 3 1.143 49 14.797 .000

Board governance-Poor communication or lack of direction 19.512 3 2.992 49 6.522 .001

Active shooter 23.871 3 4.210 49 5.670 .002

Financial batch claim emanating from Reimbursement reform 30.082 3 5.108 49 5.889 .002

Cyber security 5.239 3 .970 49 5.401 .003

Unethical conduct 11.637 3 2.165 49 5.376 .003

Supply chain 6.196 3 1.380 49 4.491 .007

Union strike 18.470 3 4.808 49 3.841 .015

Business Interruption due to natural catastrophe 13.759 3 3.754 49 3.666 .018

Relationship between the school of medicine (SOM) and Hospital 13.718 3 3.886 49 3.531 .021

Electronic Health Record (EHR) 7.338 3 2.234 49 3.285 .028

Terrorism 14.222 3 5.269 49 2.699 .056

Organizational Culture 4.998 3 1.915 49 2.610 .062

Loss of Accreditation 8.363 3 3.252 49 2.571 .065

Government Instability 7.226 3 2.971 49 2.432 .076

Deficiency in developing new technology and innovating 8.506 3 4.223 49 2.014 .124

Talent retention 5.491 3 2.781 49 1.974 .130

Use of social communication networks 2.744 3 2.176 49 1.261 .298

Etges et al. BMC Health Services Research (2018) 18:578 Page 13 of 16

According to some of the interviewed managers, this
highlights the necessity of having a well-described risk
inventory and a defined risk management process to
minimize interpersonal conflicts based on the exist-
ence of a document that establishes rules for profes-
sionals [19]. The hierarchy among employees in a
healthcare organization and professionals’ dependency
on such employees deserve attention when imple-
menting a proactive and strategic risk management
process because only by engaging all professionals in
ERM can a risk culture be created and a safer envir-
onment achieved [36–39].

Conclusion
The results provide important progress for the strategic
healthcare management process and ERM programs. In
addition to defining specific risk scenarios, the enterprise
risk inventory presented in this research can be used to
educate professionals, guide the risk identification phase
in future ERM programs, and thereby contribute to the
development of a risk culture.
Establishing cyberattacks and the risks associated

with human capital management (organizational cul-
ture, use of electronic medical records and physician
wellness) at the top of the risk ranking is an import-
ant contribution of this research. Cyber security is at
the top of the risk list for most industries, including
healthcare. Employee wellness is also a theme that
has been growing in importance in many industries.
There are now opportunities to investigate and de-
velop solutions to manage and assess those risks for
healthcare organizations.

The results also demonstrate that the qualitative char-
acteristics of risk managers from large organizations, the
length of time working in risk management, and the
presence of a school of medicine do not alter the per-
ceived importance of the risks. Clinical risk managers
and chief risk officers have small differences of opinion
on the risks, but not enough to group them in the same
cluster. This finding enables us to conclude that the per-
sonal background of each employee is a more important
factor than the organization’s structure or the employee’s
own risk perception capability.
For future research, the authors suggest evaluating the

benefits of using the risk inventory at the beginning of
the risk identification phase, that is, during the baseline
phase of the E2RMhealthcare. To demonstrate the value
of the risk inventory, a comparative study that explores
the ability to disseminate an ERM program in an
organization should be conducted.

Additional files

Additional file 1: Interviewees description. (XLSX 35 kb)

Additional file 2: The enterprise risk inventory survey. (DOCX 29 kb)

Additional file 3: The enterprise risk inventory. (DOCX 32 kb)

Abbreviations

ASHRM: American society for healthcare risk management; COSO: Committee
of sponsoring organizations of the treadway commission; ERM: Enterprise risk
management; HIPAA: Health insurance portability and accountability act;
HIROC: Healthcare insurance reciprocal of Canada; ISO: International
organization for standardization; JCI: Joint commission of international
standards for hospitals; NHS: The national health service in England;
USA: United States of America

Fig. 7 Agree x disagree – risk inventory confirmation

Etges et al. BMC Health Services Research (2018) 18:578 Page 14 of 16

https://doi.org/10.1186/s12913-018-3400-7

https://doi.org/10.1186/s12913-018-3400-7

https://doi.org/10.1186/s12913-018-3400-7

Acknowledgements

We acknowledge The Risk Authority Stanford for providing us the
opportunity to contact managers from North American health organizations
and The Federal University of Rio Grande do Sul for providing the
orientation for the PhD research behind this paper. In addition, we
acknowledge all the participants.

Availability of data and materials

The datasets used and/or analyzed during the current study are available
from the corresponding author upon reasonable request.

Authors’ contributions

APBSE: invited the participants to answer the survey and to participate in the
first phase of interviews, applied the survey, conducted the data analysis,
analyzed the papers, was involved in the entire writing process. VG: invited
the participants to answer the survey and to participate in the first phase of
interviews, applied the survey, conducted the data analysis, analyzed the
data, and was involved in the entire writing process. ML: applied the survey,
conducted the data analysis, and reviewed the paper. RBS: analyzed the data
and reviewed the paper. JSS: reviewed the methods, the results and the
paper. KFN: reviewed the methods, the results and the paper. EAF: reviewed
the methods, the results and the paper. All authors read and approved the
final version of the manuscript.

Authors’ information

APBSE, Msc. Eng.: is a Researcher at the National Health Technology
Assessment Institute (CNPq, Brazil), is a Professor at the School of
Technology of PUCRS (Brazil), and serves as a consultant in Brazil for projects
focused on measuring the economic impact of risks, assessing health
technologies and developing models to improve companies’ ability to make
strategic decisions.
VG, Actuary: is a fully trained actuary and serves as the Managing Director of
Guy Carpenter & Company, LLC.
ML, Data Scientist: serves as a Data Scientist at The Risk Authority Stanford.
RBS, Msc. Eng.: is a researcher and a PhD student in the Industrial
Engineering Program at The Federal University of the South of Brazil
(UFRGS).
JSS, PhD. Msc. Eng.: serves as a Professor in the Industrial Engineering
Program at The Federal University of the South of Brazil (UFRGS) and also
conducts research focused on enterprise risk management.
KFN PhD. Msc. Eng.: serves as a Professor in the Industrial Engineering
Program at The Federal University of the South of Brazil (UFRGS) and also
conducts research focused on cost management and economic analysis.
EAF PhD. Msc. MD.: serves as a Professor in the School of Medicine at The
Federal University of the South of Brazil (UFRGS) and also conducts research
focused on clinical and enterprise risk management.

Ethics approval and consent to participate

All interviewees (the 15 managers in the first interviews and the 53
participants) were invited to participate and agreed to have their data
analyzed.
This research was conducted by the Industrial Engineering Department of
the Federal University from the South of Brazil, which approved the conduct
of the research.

Consent for publication

Not applicable.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

Author details

1School of Technology, PUCRS, Avenida Ipiranga, 6681, Porto Alegre
90619-900, Brazil. 2National Health Technology Assessment Institute, CNPq,
Porto Alegre, RS, Brazil. 3Department of Industrial Engineering, UFRGS, Porto
Alegre, RS, Brazil. 4The Risk Authority Stanford, Palo Alto, California, USA.

5Department of Anesthesiology, School of Medicine, UFRGS, Porto Alegre, RS,
Brazil. 6Guy Carpenter, LLC, New York, NY, USA.

Received: 14 February 2018 Accepted: 16 July 2018

References

1. Damodaran A. Gestão estratégica do risco. Bookman Editora; 2008.
2. Aven E, Aven T. On the need for rethinking current practice that highlights

goal achievement risk in an Enterprise context. Risk Anal. 2015;35:1706–16.
3. Committee of Sponsoring Organizations of the Treadway Commission.

COSO Enterprise Risk Management: Integrating with Strategy and
Performance. 2017; June.

4. Woodruff JM. Consequence and likelihood in risk estimation: a matter of
balance in UK health and safety risk assessment practice. Saf Sci. 2005;43:
345–53.

5. Card AJ, Ward JR, Clarkson PJ. Trust-level risk evaluation and risk control
guidance in the NHS east of England. Risk Anal. 2014;34:1469–81.

6. Purdy G. ISO 31000: 2009—setting a new standard for risk management.
Risk Anal. 2010;30:881–6.

7. ISO. ISO 31000:2018 Risk Management Guidelines. 2018.
8. COSO. Enterprise Risk Management Integrated Framework 2004.
9. Carroll BR. Identifying risks in the realm of enterprise risk management. J

Healthc Risk Manag. 2016;35(3):24–30.
10. Cagliano AC, Grimaldi S, Rafele C. Choosing project risk management

techniques. Theoretic Framework J Risk Res. 2015;18:232–48.
11. Anthony Cox L. What’s wrong with risk matrices? Risk Anal. 2008;28:497–512.
12. Etges APB da S, Souza JS, Kliemann Neto FJ, Felix EA. A Proposed Enterprise

Risk Management Model for Health Organizations. J Risk Res 2018;21:1-19.
13. COSO. Gerenciamento de Riscos Corporativos – Estrutura Integrada. 2007.
14. Briner M, Kessler O, Pfeiffer Y, Wehner T, Manser T. Assessing hospitals’

clinical risk management: development of a monitoring instrument. BMC
Health Serv Res. 2010;10:337. https://doi.org/10.1186/1472-6963-10-337.

15. ASHRM. Enterprise risk management. Framework Success. 2014;6:53–73.
16. HIROC. HIROC Integrated Risk Management ( IRM ) Initiative HIROC

Integrated Risk Management ( IRM ) Initiative. 2014; October:1–7.
17. National Patient Safety Agency (NPSA). A risk matrix for risk managers. NHS.

2008; January:1–18.
18. AON. 2014 US Industry Report Healthcare 2014.
19. Etges APB da S, Grenon V, Souza JS, Kliemann FJN, Felix EA. Economic

Enterprise risk management innovation program in healthcare
(E2RMhealthcare). Value Heal Reg Issues. 2018;17C:102–8.

20. Selltiz C, Wrightsman LS, Cook SW. Research methods in social relations.
New York: Holt, Rinehart and Winston; 1976.

21. Fávero LP, Belfiore P, da Silva FL, Chan BL. Análise de dados: modelagem
multivariada para tomada de decisões. 2009.

22. Bromiley P, McShane M, Nair A, Rustambekov E. Enterprise risk
management: review, critique, and research directions. Long Range Plan.
2015;48:265–76. https://doi.org/10.1016/j.lrp.2014.07.005.

23. Celona J, Driver J, Hall E. Alue-driven ERM: making ERM an engine for
simultaneous value creation and value protection. J Healthc Risk Manag.
2010;30 WINTER:15–33.

24. Kind T, Genrich G, Sodhi A, Chretien KC. Social media policies at US medical
schools. Med Educ Online. 2010;15(1):5324.

25. Chervenak FA, McCullough LB. Responsibly managing the medical school-
teaching hospital power relationship. Acad Med. 2005;80:690–3.

26. Oppenberg AA. Our ASHRM journey continues: ERM for our patients’ safety.
J Healthc Risk Manag. 2013;33:1–1. https://doi.org/10.1002/jhrm.21119.

27. Aon Inpoint. Global Cyber Market Overview. 2017; June. doi: http://www.
aon.com/attachments/risk-services/cyber/Cyber .

28. O’dowd A. Major global cyber-attack hits NHS and delays treatment. BMJ Br
Med J. 2017;357.

29. Davis J. Insiders, hackers causing bulk of 2017 healthcare data breaches.
Healthcare IT News. 2017. https://www.healthcareitnews.com/news/insiders-
hackers-causing-bulk-2017-healthcare-data-breaches.

30. JCI. Joint Commission International International Standards for Hospitals. 5th
ed; 2014. p. 309.

31. Valentin A, Capuzzo M, Guidet B, Moreno RP, Dolanski L, Bauer P, et al.
Patient safety in intensive care: results from the multinational sentinel
events evaluation (SEE) study. Intensive Care Med 2006;32:1591–1598.

Etges et al. BMC Health Services Research (2018) 18:578 Page 15 of 16

https://doi.org/10.1186/1472-6963-10-337

https://doi.org/10.1016/j.lrp.2014.07.005

https://doi.org/10.1002/jhrm.21119

http://www.aon.com/attachments/risk-services/cyber/Cyber

http://www.aon.com/attachments/risk-services/cyber/Cyber

https://www.healthcareitnews.com/news/insiders-hackers-causing-bulk-2017-healthcare-data-breaches

https://www.healthcareitnews.com/news/insiders-hackers-causing-bulk-2017-healthcare-data-breaches

32. Kohn LT, Corrigan JM, Donaldson MS. To err is human: building a safer
health system. Washington: National Academies Press; 2000.

33. Corrigan JM. Crossing the quality chasm. Build a better Deliv Syst. 2005.
34. Welp A, Meier LL, Manser T. The interplay between teamwork, clinicians’

emotional exhaustion, and clinician-rated patient safety: a longitudinal
study. Crit Care. 2016;20:1–10. https://doi.org/10.1186/s13054-016-1282-9.

35. Wallace JE, Lemaire JB, Ghali WA. Physician wellness: a missing quality
indicator. Lancet. 2009;374:1714–21.

36. Troyer GT, Brashear AD, Green KJ. Managing corporate governance risks in a
nonprofit health care organization. J Healthc Risk Manag. 2005;25:29–34.

37. Teoh SY, Cheong C. Implicit enterprise risk management: an IT healthcare
adoption case study. ACIS 2008 Proceedings. 2008;8.

38. Sodomka P, Spake MA, Rush JJ Jr. Enterprise-wide effort brings patient
perspective into mix. J Healthc Manag. 2010;29(4):28-32.

39. Haney JR, Church J, Cockerill R. Pursuing enterprise risk management: a
local road map for Canadian healthcare leaders. Healthc Manag Forum.
2013;26:145–9. https://doi.org/10.1016/j.hcmf.2013.05.004.

Etges et al. BMC Health Services Research (2018) 18:578 Page 16 of 16

https://doi.org/10.1186/s13054-016-1282-9

https://doi.org/10.1016/j.hcmf.2013.05.004

Abstract
Background
Method
Results
Conclusions
Background
Methods
Survey development
Survey application
Data analysis
Results
Survey development: risks and origin
Survey application
Data analysis
Discussion
Conclusion
Additional files
Abbreviations
Acknowledgements
Availability of data and materials
Authors’ contributions
Authors’ information
Ethics approval and consent to participate
Consent for publication
Competing interests
Publisher’s Note
Author details
References