Risk Prevention and Management Introduction
Purpose
Proactive, comprehensive, and systematic risk prevention and management practices sustain the agency’s ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.
Introduction
Note: Please see PA-RPM Reference List for the research that informed the development of these standards.
Note: For information about changes made in the 2020 Edition, please see RPM Crosswalk.
Risk Prevention and Management (PA-RPM) 1: Legal and Regulatory Compliance
The agency annually reviews compliance with applicable federal, state, and local laws, codes, and regulations including those related to:
- licensure;
- facilities;
- accessibility;
- health and safety;
- finances; and
- human resources.
Interpretation: In regard to element (b), agencies that rent facilities should obtain relevant documentation from their landlord. If the agency cannot obtain access to the required documentation from their landlord or from relevant public or private health and safety authorities, the agency may also solicit a recognized expert to verify compliance with applicable laws and safety codes.
Interpretation: When necessary, the agency should consult legal counsel to obtain comprehensive guidance regarding legal and regulatory compliance.
Examples: In regard to element (b), relevant regulations and codes can include:
- certification of occupancy requirements;
- zoning and building codes;
- occupational safety and health administration codes;
- health, sanitation, and fire codes; and
- elevator inspections.
In regard to element (d), relevant requirements can include: universal precautions for minimizing exposure to contagious and infectious disease; and storage, cleaning, and disposal of medical waste.
In regard to element (f), it is recommended practice to conduct an annual review of human resource practices to verify compliance with applicable employment and labor laws, civil service rules and regulations, and union contracts. The Human Resource Management field refers to this annual review as an annual "audit." Examples of human resource laws and regulations include:
- use of independent contractors;
- use of contingent workers such as temporary employees, volunteers, and leased workers;
- laws governing fair employment practices, including non-discrimination and harassment;
- compensation and benefits;
- maintenance of personnel records;
- retention of hiring records;
- background checks; and
- collective bargaining.
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.
- All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance.
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
- The majority of the standards requirements have been met and the basic framework required by the standard has been implemented.
- Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.
Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.
- The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.
- Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.
- Service quality or agency functioning may be compromised.
- Capacity is at a basic level.
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.
- The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
Risk Prevention and Management (PA-RPM) 2: Risk Prevention
- conducting prevention and risk reduction activities; and
- monitoring and evaluating risk prevention and management effectiveness.
PA-RPM 2.01
- articulates the agency’s overall approach to risk management;
- describes the risk management structure and activities;
- defines staff roles and outlines training and competency expectations by job position or category; and
- includes measurable goals for reducing potential risks.
- the specific responsibilities of the central, regional, and local offices in carrying out risk management activities;
- how risk management information will be communicated among the various offices; and
- what role each office will play in implementing and tracking corrective action.
PA-RPM 2.02
The agency annually assesses areas of potential risk including:
- compliance with legal requirements;
- disruption of operations due to a public health emergency;
- technology and information management;
- liability exposure;
- the health and safety of personnel and persons served including the prevalence of work-related stress and the impact of trauma;
- human resources practices;
- contracting practices and compliance;
- client rights and confidentiality issues;
- financial risks;
- public relations, branding, and reputation; and
- conflicts of interest.
Interpretation: Although the agency should assess all areas of potential risk at least annually and compare related areas, the assessments do not need to be conducted together at one time.
Interpretation: Regarding element (c), annual assessments should include a review of systems in place to protect physical and electronic data and information, databases, files, computers and mobile devices, networks, and programs from unauthorized access, use, modification, disruption, destruction, and/or attack.
Interpretation: Regarding element (d), annual assessments of liability exposure should include a review of the agency’s use of agency- and privately-owned vehicles in the course of its daily operations, including, but not limited to, transporting clients, running errands, attending home visits, traveling between sites, and attending meetings.
PA-RPM 2.03
The agency conducts a quarterly review of immediate and ongoing risks that includes a review of incidents, accidents, and grievances related to the following, as appropriate to each program or service:
- facility safety issues;
- serious illnesses, injuries, and deaths;
- situations where a person was determined to be a danger to himself/herself or others;
- service modalities or therapeutic interventions; and
- the use of restrictive behavior management interventions, such as seclusion and restraint.
Examples: In regard to element (b), serious illnesses can include those illnesses that pose a significant, widespread risk to public health or to the health of the agency's staff and persons served.
Example: The agency can examine critical incident data that disaggregates incidents by race and ethnicity to identify trends in service equity, such as disproportionate use of restrictive interventions.
PA-RPM 2.04
- establish timeframes for review including requiring the investigation be initiated within 24 hours of the incident and/or accident being reported;
- require solicitation of statements from all involved individuals;
- ensure an independent review;
- require timely implementation and documentation of all actions taken;
- address ongoing monitoring if actions are required and determine their effectiveness; and
- address applicable reporting requirements.
Risk Prevention and Management (PA-RPM) 3: Child Fatality and Near Fatality Review
NA The agency does not provide child and family services and is not assigned the Child and Family Services (PA-CFS) standards.
PA-RPM 3.01
- aggregating information on fatalities and near fatalities from multiple data sources;
- actively participating on a multi-disciplinary child fatality and near fatality review team;
- participating in investigations of child fatalities and near fatalities, as appropriate, including assessing the safety of surviving children in the home; and
- ensuring adherence to the public disclosure policy, which reflects federal statute.
PA-RPM 3.02
- developing a customized improvement plan to implement recommendations;
- tracking progress toward plan implementation; and
- monitoring and periodically reporting back to the review team on the status of planned improvements.
PA-RPM 3.03
- assess the agency’s internal operations including adherence to policies and procedures; and
- identify and respond to the social and emotional support needs of staff.
Risk Prevention and Management (PA-RPM) 4: Technology and Information Management
- case records and other information of persons served;
- administrative, financial, and risk management records and reports;
- personnel files and other human resources records;
- performance and quality improvement data and reports; and
- contract monitoring data and reports.
PA-RPM 4.01
- current technology and information systems in use by the agency;
- short- and long-term goals for utilizing technology; and
- current technical skills of staff and need for training.
PA-RPM 4.02
- gives personnel consistent, timely, and appropriate access to paper and electronic records; and
- supports continuity and integration of care across settings and services by giving timely access to information about persons served to practitioners across the agency, as appropriate.
PA-RPM 4.03
- information sharing between the public agency and its contracted providers, when applicable;
- capturing, tracking, and reporting financial, compliance, and other business information;
- access to real-time data to inform decision making at the worker, program, region/community, agency, and system level;
- longitudinal reporting and comparison of performance over time; and
- useful, clear, and consistent data reporting.
Risk Prevention and Management (PA-RPM) 5: Security of Information
- case records and other information of persons served;
- administrative, financial, and risk management records and reports;
- personnel files and other human resource records; and
- performance and quality improvement data and reports.
PA-RPM 5.01
- limiting access to authorized personnel on a need-to-know basis;
- using firewalls, encryption and/or secured networks, anti-virus and related software, and other appropriate safeguards;
- monitoring security measures on an ongoing basis;
- having the ability to remotely wipe or disable mobile devices, if applicable; and
- maintaining paper records in a secure location, when applicable.
- limiting access based on staff role within the agency;
- ensuring the electronic information systems require strong passwords/passcodes for access to confidential information, require passwords/passcodes to be regularly changed, lock the user out of the system for incorrect login attempts, and automatically time out after a period of inactivity prompting re-authentication;
- disabling the equipment, passwords, and access of former employees; and
- ensuring the information systems are capable of tracking who accesses confidential information in the system and recording when information is altered or deleted, also known as audit logs.
- locked file cabinets;
- a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or
- a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys.
Note: Please see the Facility Observation Checklist for additional guidance on this standard.
PA-RPM 5.02
PA-RPM 5.03
- social media;
- electronic communications; and
- mobile devices, including staff-owned devices, if applicable.
- the agency's own website;
- external websites;
- email;
- texting;
- blogs;
- social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
- wikis; and
- discussion forums.
- unauthorized or prohibited contact between staff and persons served;
- unauthorized or inappropriate use of agency logos or trademarks;
- personal comments or opinions that can be misconstrued as representing the views of the agency, or misrepresent the agency;
- inadvertent or deliberate disclosure of confidential or proprietary business information; and
- inadvertent or deliberate disclosure of confidential or protected information about persons served.
Examples: A social media policy could address:
- the agency's definition of "social media";
- responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
- prohibited forms of communication;
- the appropriate use of social media including confidentiality and privacy considerations; and/or
- consequences for failure to follow the policy and/or related guidelines.
PA-RPM 5.04
The agency is prepared for planned and unplanned interruptions of data and limits the disruption to its operations and service delivery by:
- maintaining procedures for managing data interruptions and resuming operations;
- backing up electronic data regularly, with copies maintained off premises; and
- regularly testing the agency’s back-up plan including data restoration processes.
Factors that increase the effectiveness of a disaster recovery plan include:
- training staff on response procedures;
- practicing procedures/conducting downtime drills;
- testing disaster recovery systems on an ongoing basis; and
- monitoring plan implementation.
PA-RPM 5.05
- operates in compliance with all applicable regulations; and
- limits access to information in accordance with confidentiality rules and the person’s privacy preferences to the greatest extent possible.