Kick-off your risk management!

Welcome to module no. 2: kick-off, from our seven-week online course “Best Practices of Risk Management in 7 modules”. This module is for everyone who has to introduce risk management. It covers everything to consider in the kick-off meeting.

Content: Start with the why, Continue with the how, Get down to business & Checklist

If you have followed our first module: preparation, everything should be well prepared. You invited the relevant people and now you are all together in a meeting room. They know from earlier conversations that today’s task is to agree on and define the strategy of your risk management.

Start with the Why

Tell the participants why you believe in risk management. Explain that risk management does not have to be a sad paper exercise resulting in documents collecting dust in a drawer, whose only purpose is to be pulled out when the auditor arrives. Instead it will bring much more than compliance with the law or standards:

  • active prevention of harm and hazard
  • open-discussion culture
  • agile and continuous striving for optimization
  • less escalation because risks are reported early to decision makers

If we see the purpose of the whole, we are empowered to decide how we can adapt risk management to fit our needs in the best possible way.

Continue with the How

Present the big picture, so everybody knows what the risk management process is, where in the process you are, and what steps lie ahead. Our bubble sheet is perfect for that. During the preparation the participants will have already seen the chart. That works in your favor. Recognizing things gives our reptile brain a safe feeling: “You can relax here, no hungry lion …”

Then get down to business

Open the essential risk management strategy template in the app and give the group an overview of the points that need to be discussed and agreed on. If you follow the course and don’t use our app, you can create a slide set with the following points: scope, goal, responsibilities, risk assessment procedure, risk re-assessment, risk severity, risk likelihood, risk rating, risk acceptance.

We strongly recommend an agile approach. Don’t try to define the perfect strategy document in your first meeting. Today’s document is a starting point for continuous and agile risk management activities. Don’t fall into the “perfection-trap”.

Here are the most important points which need to be defined:

1. Scope – For Radiotherapy the scope will be the risks due to over-dosage or under-dosage of radiation applications.

2. Goal – For health care the goal is the best possible patient treatment.

3. Responsibilities – Accountable person: e.g. Head of Radiotherapy. Approver: e.g. Quality Manager. Responsible person (owner of the document): you.

4. Risk Assessment Procedure – The group will meet regularly to analyze risks, and this meeting is called risk assessment. Our template outlines a proven procedure. Here too, our recommendation is to start simple and adapt later.

The result of the risk assessment procedure is:

  • A structured list of risks
  • For each risk:
    • A detailed analysis incl. severity and likelihood
    • Planned or active countermeasures to mitigate the risk
    • Potential tasks to perform in order to implement the measures
    • A final “traffic light” rating summarizing the risk

If there are active measures already in place to mitigate a risk, the team audits how effective they are, by determining the severity and likelihood of the risk without measures, and in a second step, with active measures.

Note: We restricted the risk assessment procedure to severity and likelihood and excluded detectability. There are two reasons for this:

  • The first one is that the definition of detectability is often not clear for anything which is not industrial production, and thus leads to long discussions, often without consensus.
  • The second is that low detectability is a risk as such, and you can take care of it with severity and likelihood as well. One example is a Brachy patient leaving the hospital with the radioactive source inside. The risk is high, as it might be hard to detect; however, if this happens the severity will be high. Another example is a head and neck patient being treated with a wrong mask. The RTTs will see this in most cases, therefore the likelihood can be rated as low.

5. Risk Re-Assessment – stay tuned; we will publish a dedicated module.

6. Risk Severity – categorize the consequences and the impact of risks. Commonly used categories are: insignificant, minor, moderate, major, catastrophic.

7. Risk Likelihood – here you define categories for the likelihood, a measure of how likely a certain risk is to eventuate, ranging from rare to almost certain.

8. Risk Rating – We recommend using a risk rating with four categories: LOW, MODERATE, SIGNIFICANT, and EXTREME. If your organization uses another matrix, you adjust it.

The risk rating category we use is determined by the quantitative and qualitative measure of the risk, according to the following table:

When there are multiple ratings for a risk, the highest combination of severity and likelihood is taken as the overall level of risk.

9. Risk Acceptance – here you define what you do with the categorized risks. Some may require no action, others will have to be handled in the way you specify here.

After you have completed the risk management strategy, find a date for the next meeting. Then the fun part will begin. In module 3: identify we will tell you all about it.


Checklist

  1. define scope, goal, responsibilities, risk assessment procedure, risk re-assessment, risk severity, risk likelihood, risk rating, risk acceptance
  2. decide how often the risk assessment takes place, make appointments and block your agenda
  3. clarify who is participating in the meetings (multidisciplinary)

Let us know how you are getting on.