2024 Edition

Risk Prevention and Management Introduction

Purpose

Proactive, comprehensive, and systematic risk prevention and management practices sustain the agency’s ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.

Introduction

COA’s Risk Prevention and Management standards require that agencies take a proactive approach to risk by continually improving systems and practices for identifying and mitigating potential risks, and learning from adverse events and challenges when they occur. Proactive, systemic risk prevention and management requires a holistic approach that involves staff throughout the agency and considers all areas of potential risk including, but not limited to: legal compliance, liability exposure, health and safety, human resources, contracting, technology, security of information, client rights and confidentiality, and finances. Such practices contribute to mission fulfillment by protecting the agency’s long-term sustainability.

Note: Please see PA-RPM Reference List for the research that informed the development of these standards.


Note: For information about changes made in the 2020 Edition, please see RPM Crosswalk.

2024 Edition

Risk Prevention and Management (PA-RPM) 1: Legal and Regulatory Compliance

The agency annually reviews compliance with applicable federal, state, and local laws, codes, and regulations including those related to:

  1. licensure;
  2. facilities;
  3. accessibility;
  4. health and safety;
  5. finances; and
  6. human resources.

Interpretation: In regard to element (b), agencies that rent facilities should obtain relevant documentation from their landlord. If the agency cannot obtain access to the required documentation from their landlord or from relevant public or private health and safety authorities, the agency may also solicit a recognized expert to verify compliance with applicable laws and safety codes. 


Interpretation: When necessary, the agency should consult legal counsel to obtain comprehensive guidance regarding legal and regulatory compliance.

NA State-administered regional office
Related Standards:

Examples: In regards to element (b), examples of relevant regulations and codes can include:

  1. certification of occupancy requirements; 
  2. zoning and building codes; 
  3. occupational safety and health administration codes; 
  4. health, sanitation, and fire codes; and
  5. elevator inspections.


In regards to element (d), relevant requirements can include: universal precautions for minimizing exposure to contagious and infectious disease; and storage, cleaning, and disposal of medical waste.

 

In regards to element (f), it is recommended practice to conduct an annual review of human resource practices to verify compliance with applicable employment and labor laws, civil service rules and regulations, and union contracts. The Human Resource Management field refers to this annual review as an annual "audit." Examples of human resource laws and regulations include: use of independent contractors;

  1. use of contingent workers such as temporary employees, volunteers, and leased workers;
  2. laws governing fair employment practices, including non-discrimination and harassment; 
  3. compensation and benefits;
  4. maintenance of personnel records; 
  5. retention of hiring records;
  6. background checks; and
  7. collective bargaining.

1
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
2
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standards requirements have been met and the basic framework required by the standard has been implemented. 
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.
3

Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  

  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
4
Unsatisfactory Implementation or Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
2024 Edition

Risk Prevention and Management (PA-RPM) 2: Risk Prevention

The agency identifies and reduces potential loss and liability by:
  1. conducting prevention and risk reduction activities; and
  2. monitoring and evaluating risk prevention and management effectiveness.

Currently viewing: RISK PREVENTION

Viewing: PA-RPM 2 - Risk Prevention
Previous: PA-RPM 2 - Risk Prevention Next: PA-RPM 4 - Technology and Information Management

VIEW THE STANDARDS

1
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
2
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standards requirements have been met and the basic framework required by the standard has been implemented. 
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.
3

Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  

  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
4
Unsatisfactory Implementation or Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
 

PA-RPM 2.01

A written risk management plan operationalizes the agency’s risk management activities and:
  1. articulates the agency’s overall approach to risk management;
  2. describes the risk management structure and activities; 
  3. defines staff roles and outlines training and competency expectations by job position or category; and
  4. includes measurable goals for reducing potential risks. 
Interpretation: Element (b) for statewide agencies, or agencies that cover multiple regions/communities, must delineate:
  1. the specific responsibilities of the central, regional, and local offices in carrying out risk management activities; 
  2. how risk management information will be communicated among the various offices; and 
  3. what role each office will play in implementing and tracking corrective action.
Additionally, in regards to element (b), risk management activities should include contract monitoring activities that align with the standards in PA-PQI 7.
 
 
Fundamental Practice

PA-RPM 2.02

The agency annually assesses areas of potential risk including:

  1. compliance with legal requirements;
  2. disruption of operations due to a public health emergency;
  3. technology and information management; 
  4. liability exposure; 
  5. the health and safety of personnel and persons served including the prevalence of work-related stress and the impact of trauma;  
  6. human resources practices; 
  7. contracting practices and compliance;
  8. client rights and confidentiality issues;
  9. financial risks; 
  10. public relations, branding, and reputation; and 
  11. conflicts of interest.
Related Standards:

Interpretation: Although the agency should assess all areas of potential risk at least annually and compare related areas, the assessments do not need to be conducted together at one time.

Interpretation: Regarding element (c), annual assessments should include a review of systems in place to protect physical and electronic data and information, databases, files, computers and mobile devices, networks, and programs from unauthorized access, use, modification, disruption, destruction, and/or attack.

Interpretation: Regarding element (d), annual assessments of liability exposure should include a review of the agency’s use of agency- and privately-owned vehicles in the course of the its daily operations including, but not limited to, transporting clients, running errands, attending home visits, traveling between sites, attending meetings, etc.

 
Fundamental Practice

PA-RPM 2.03

The agency conducts a quarterly review of immediate and ongoing risks that includes a review of incidents, accidents, and grievances related to the following, as appropriate to each program or service:

  1. facility safety issues;
  2. serious illnesses, injuries, and deaths; 
  3. situations where a person was determined to be a danger to himself/herself or others;
  4. service modalities or therapeutic interventions; and
  5. the use of restrictive behavior management interventions, such as seclusion and restraint.
Related Standards:
EAP Interpretation: In employee assistance programs, only elements (a)-(c) could potentially apply. 

Examples: In regards to element (b), serious illnesses can include those illnesses that pose a significant, widespread risk to public health or the health of the agency's staff and persons served.


Example: The agency can examine critical incident data that disaggregates incidents by race and ethnicity to identify trends in service equity, such as disproportionate use of restrictive interventions.

 
Fundamental Practice

PA-RPM 2.04

The agency conducts an independent review of each incident and accident that involves the threat of or actual harm, serious injury, and death; and review procedures:
  1. establish timeframes for review including requiring the investigation be initiated within 24 hours of the incident and/or accident being reported;
  2. require solicitation of statements from all involved individuals;
  3. ensure an independent review;
  4. require timely implementation and documentation of all actions taken;
  5. address ongoing monitoring if actions are required and determine their effectiveness; and
  6. address applicable reporting requirements.
Related Standards:

Note: For child and family services agencies, please see PA-RPM 3.03 for more information on conducting internal administrative reviews following a child fatality or near fatality.
2024 Edition

Risk Prevention and Management (PA-RPM) 3: Child Fatality and Near Fatality Review

The agency is accountable to the public and manages risk associated with child maltreatment and fatalities.

NA The agency does not provide child and family services and is not assigned the Child and Family Services (PA-CFS) standards.

1
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
2
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standards requirements have been met and the basic framework required by the standard has been implemented. 
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.
3

Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  

  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
4
Unsatisfactory Implementation or Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
 
Fundamental Practice

PA-RPM 3.01

The agency increases accountability to the public, promotes safety, and manages risk by:
  1. aggregating information on fatalities and near fatalities from multiple data sources;
  2. actively participating on a multi-disciplinary child fatality and near fatality review team;
  3. participating in investigations of child fatalities and near fatalities, as appropriate, including assessing the safety of surviving children in the home; and
  4. ensuring adherence to the public disclosure policy, which reflects federal statute.
 
Fundamental Practice

PA-RPM 3.02

The agency incorporates recommendations from the child fatality and near fatality review team into its risk prevention, quality improvement, and long-term planning activities by:
  1. developing a customized improvement plan to implement recommendations;
  2. tracking progress toward plan implementation; and
  3. monitoring and periodically reporting back to the review team on the status of planned improvements.
 
Fundamental Practice

PA-RPM 3.03

The agency conducts internal administrative reviews following a fatality or near fatality of any child known to the agency to:
  1. assess the agency’s internal operations including adherence to policies and procedures; and 
  2. identify and respond to the social and emotional support needs of staff. 
Interpretation: Conducting administrative reviews of fatalities or near fatalities of “any child known to the agency” means an open case is not required in order to pursue an internal investigation. Agencies should follow state definitions regarding what it means to be “known to the agency” (e.g. how long ago contact was last was made, the type of contact, etc.).

Note: The agency should also conduct aggregate reviews of child fatalities or near fatalities to identify trends or patterns of concern as part of the quarterly review process in PA-RPM 2.03. See PA-RPM 2.04 for additional incident review requirements, including requirements for corrective action.
2024 Edition

Risk Prevention and Management (PA-RPM) 4: Technology and Information Management

The agency’s technology and information systems have sufficient capability to support operations, service delivery, strategic planning, and quality improvement activities.
Interpretation: The standards in this section address the management of all types of paper and electronic information maintained by the agency including:
  1. case records and other information of persons served;
  2. administrative, financial, and risk management records and reports;
  3. personnel files and other human resources records; 
  4. performance and quality improvement data and reports; and
  5. contract monitoring data and reports.
NA State-administered agency regional office
Related Standards:

1
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
2
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standards requirements have been met and the basic framework required by the standard has been implemented. 
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.
3

Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  

  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
4
Unsatisfactory Implementation or Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
 

PA-RPM 4.01

The agency assesses its technology and information management needs based on feedback from direct service staff and supervisors and a review of:
  1. current technology and information systems in use by the agency;
  2. short- and long-term goals for utilizing technology; and
  3. current technical skills of staff and need for training.

Examples: Involving direct service staff and supervisors in the needs assessment of current technology and information systems can help produce information systems that are needs-driven, flexible, and user-friendly.
 

PA-RPM 4.02

The agency has an information management system that:
  1. gives personnel consistent, timely, and appropriate access to paper and electronic records; and
  2. supports continuity and integration of care across settings and services by giving timely access to information about persons served to practioners across the agency, as appropriate.
Related Standards:
Interpretation: Agencies moving to electronic systems may need to develop procedures for maintaining both electronic and paper records including procedures for maintaining consistency between the two file types and ensuring the electronic record is comprehensive and complete. If there are components of paper records that cannot be accommodated electronically, the agency should consider how it will retain and document the existence of supplemental, paper-based portions of records.
 

PA-RPM 4.03

The agency’s electronic information systems are appropriate to its size and complexity and permit:
  1. information sharing between the public agency and its contracted providers, when applicable; 
  2. capturing, tracking, and reporting financial, compliance, and other business information;
  3. access to real-time data to inform decision making at the worker, program, region/community, agency, and system level;
  4. longitudinal reporting and comparison of performance over time; and
  5. useful, clear, and consistent data reporting.
Interpretation: “Electronic information systems” are used for collecting, storing, analyzing, and disseminating information electronically. An electronic information system may consist of a single desktop or larger network of computers, laptops, and/or devices. Agencies must have systems that can effectively support their administrative operations and service delivery. 
NA Another entity is responsible for selecting or designing the electronic information system state-wide.
2024 Edition

Risk Prevention and Management (PA-RPM) 5: Security of Information

Electronic and printed information is protected against intentional and unintentional destruction or modification and unauthorized disclosure or use.
Interpretation: The standards in this section address security of all types of paper and electronic information maintained by the organization, unless otherwise noted, including:
  1. case records and other information of persons served;
  2. administrative, financial, and risk management records and reports;
  3. personnel files and other human resource records; and
  4. performance and quality improvement data and reports.
Related Standards:

1
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
2
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standards requirements have been met and the basic framework required by the standard has been implemented. 
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.
3

Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  

  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
4
Unsatisfactory Implementation or Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
 

PA-RPM 5.01

The agency protects confidential and other sensitive information from theft, unauthorized use or disclosure, damage, or destruction by:
  1. limiting access to authorized personnel on a need-to-know basis;
  2. using firewalls, encryption and/or secured networks, anti-virus and related software, and other appropriate safeguards;
  3. monitoring security measures on an ongoing basis;
  4. having the ability to remotely wipe or disable mobile devices, if applicable; and
  5. maintaining paper records in a secure location, when applicable.

Examples: In regards to element (a), the agency may limit access to authorized personnel by: 
  1. limiting access based on staff role within the agency;
  2. ensuring the electronic information systems require strong passwords/passcodes for access to confidential information, require passwords/passcodes to be regularly changed, lock the user out of the system for incorrect login attempts, and automatically time out after a period of inactivity prompting re-authentication; 
  3. disabling the equipment, passwords, and access of former employees; and 
  4. ensuring the information systems are capable of tracking who accesses confidential information in the system and recording when information is altered or deleted, also known as audit logs.
In regards to element (e), secure storage of paper records can include:
  1. locked file cabinets; 
  2. a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or 
  3. a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys. 
Other important considerations can include information taken off-site by staff.

Note: Please see the Facility Observation Checklist for additional guidance on this standard.

 

PA-RPM 5.02

Confidential information, when electronically transmitted, is protected by safeguards in compliance with applicable legal requirements. 
 

PA-RPM 5.03

The agency has policies and guidelines addressing the use and monitoring of:
  1. social media;
  2. electronic communications; and
  3. mobile devices, including staff-owned devices, if applicable.

Examples: "Social media and electronic communications" include a variety of applications and websites used to create and share content, for example: 
  1. the agency's own website; 
  2. external websites;
  3. email;
  4. texting; 
  5. blogs;
  6. social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
  7. wikis; and
  8. discussion forums.
Risks associated with the use of social media and electronic communications may include:
  1. unauthorized or prohibited contact between staff and persons served;
  2. unauthorized or inappropriate use of agency logos or trademarks;
  3. personal comments or opinions that can be misconstrued as representing the views of the agency, or misrepresent the agency;
  4. inadvertent or deliberate disclosure of confidential or proprietary business information; and
  5. inadvertent or deliberate disclosure of confidential or protected information about persons served.

Examples: A social media policy could address:  
  1. the agency's definition of "social media";
  2. responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
  3. prohibited forms of communication; 
  4. the appropriate use of social media including confidentiality and privacy considerations; and/or
  5. consequences for failure to follow the policy and/or related guidelines.  
 

PA-RPM 5.04

The agency is prepared for planned and unplanned interruptions of data and limits the disruption to its operations and service delivery by:

  1. maintaining procedures for managing data interruptions and resuming operations;
  2. backing up electronic data regularly, with copies maintained off premises; and
  3. regularly testing the agency’s back-up plan including data restoration processes. 
Interpretation: This standard applies to any instance of prolonged data disruption, regardless of whether there is a corresponding emergency. 

Examples: A disaster recovery plan is a set of procedures put in place to protect and recover an agency's IT infrastructure to ensure the continuation of business in the event of a disaster. The plan clearly defines what disaster means for the agency's administrative operations and service delivery. It also includes specific guidance on when primary systems are considered nonfunctional/shut down, at what point secondary systems should be activated, who has the authority to make that determination, and how to inform staff and stakeholders that a disaster has occurred. 

Factors that increase the effectiveness of a disaster recovery plan include: 
  1. training staff on response procedures; 
  2. practicing procedures/conducting downtime drills; 
  3. testing disaster recovery systems on an ongoing basis; and 
  4. monitoring plan implementation.
 

PA-RPM 5.05

The agency ensures its electronic information system for managing health records or protected health information:
  1. operates in compliance with all applicable regulations; and
  2. limits access to information in accordance with confidentiality rules and the person’s privacy preferences to the greatest extent possible.
Interpretation: Regarding element (b), if the electronic health record system employed by the agency is not able to meet all the person’s privacy preferences and/or all of the necessary confidentiality rules, the agency must inform the service recipient of the system’s limitations and obtain consent for the exchange of electronic health information based on those restrictions. 
NA The agency does not electronically manage health records or protected health information.

Examples: The HIPAA Security Rule and Meaningful Use criteria provide strong guidance to agencies regarding the capabilities of electronic health record (EHR) systems. Using a certified EHR is the best way to meet the Meaningful Use criteria. Agencies that are unable to acquire a certified EHR should still strive to meet Meaningful Use recommendations in their selection and use of EHR systems. 
 
Copyright © 2024 Council on Accreditation