Risk Prevention and Management Introduction
Purpose
Comprehensive, systematic, and effective risk prevention and management practices sustain the organization's ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.Introduction
Currently viewing: RISK PREVENTION AND MANAGEMENT
VIEW THE STANDARDS
Note: Please see the RPM Reference List for the research that informed the development of these standards.
Note: For information about changes made in the 2020 Edition, please see RPM Crosswalk.
Risk Prevention and Management (RPM) 1: Legal and Regulatory Compliance
The organization annually reviews compliance with applicable federal, state, and local laws, codes, and regulations, including those related to:
- licensure;
- facilities;
- accessibility;
- health and safety;
- finances; and
- human resources.
- certification of occupancy requirements;
- zoning and building codes;
- occupational safety and health administration codes;
- health, sanitation, and fire codes; and
- elevator inspections.
In regards to element (f), it is recommended practice to conduct an annual review of human resource practices to ensure compliance with applicable employment and labor laws. The Human Resource Management field refers to this annual review as an annual "audit". Examples of human resource laws and regulations include:
- use of independent contractors;
- use of contingent workers such as temporary employees, volunteers, and leased workers;
- laws governing fair employment practices, including non-discrimination and harassment;
- compensation and benefits;
- maintenance of personnel records;
- selection and retention practices, including retention of hiring records; and
- background checks.
- One of the elements has not been reviewed in more than two years; or
- The organization has been notified of compliance or licensure problems and is working with the relevant authority to remediate deficiencies.
- Two elements have not been reviewed in more than two years; or
- The organization is under sanction due to noncompliance with legal or regulatory requirements; or
- The letter certifying compliance with all applicable laws was not signed or was otherwise inadequate.
Risk Prevention and Management (RPM) 2: Risk Prevention and Management
- conducting prevention and risk reduction activities; and
- monitoring and evaluating risk prevention and management effectiveness.
RPM 2.01
The organization conducts a quarterly review of immediate and ongoing risks that includes a review of incidents, critical incidents, accidents, and grievances related to the following, as appropriate to the program or service:
- facility safety issues;
- serious illness, injuries, and deaths;
- situations where a person was determined to be a danger to himself/herself or others;
- service modalities or therapeutic interventions; and
- the use of restrictive behavior management interventions, such as seclusion and restraint.
EAP Interpretation: In employee assistance programs, only elements (a) through (c) could potentially apply.
- Reviews are conducted quarterly but one of the elements is not fully addressed.
- The organization conducts reviews less than quarterly; or
- Two elements are not fully addressed; or
- One element is not addressed at all.
RPM 2.02
- require that the investigation be initiated within 24 hours of the incident and/or accident being reported and establish timeframes for completing the review;
- require solicitation of statements from all involved individuals;
- ensure an independent review;
- require timely implementation and documentation of all actions taken;
- address ongoing monitoring if actions are required and assessing their effectiveness; and
- address applicable reporting requirements.
- Review procedures need strengthening; or
- One of the elements is not fully addressed; or
- Documentation could be improved.
- One of the elements is not addressed at all; or
- While reviews are generally conducted, documentation is consistently missing; or
- There is evidence that at least one serious incident was not reviewed.
Risk Prevention and Management (RPM) 3: Insurance Protection
RPM 3.01
- general liability;
- worker's compensation;
- disability;
- fire and theft;
- medical;
- indemnification;
- professional liability;
- officer's or director's liability;
- automobile liability;
- property and casualty;
- malpractice;
- cybersecurity orcyberliability; and
- bonding or other forms of employee theft insurance, for all staff and governing body members who sign checks, handle cash or contributions, or manage funds.
The organization obtains professional consultation about appropriate coverage.
- Insurance needs are reviewed annually, however coverage may be insufficient in some areas.
- Insurance needs have not been reviewed for more than two years; or
- Coverage is clearly inadequate in one key area.
RPM 3.02
- provides written notification to the governing body and personnel of the amount and type of insurance coverage related to the scope of their activities performed on the organization’s behalf;
- advises the governing body and personnel of the extent and limits of liability coverage; and
- provides and assumes the cost of legal assistance to personnel against whom claims are made related to lawful, authorized actions taken within the course and scope of their duties.
Interpretation: This standard does not require the organization to provide assistance to personnel who commit unlawful acts or acts that are not conducted in the course of, or in furtherance of, their employment. In addition, this standard does not require the organization to provide legal assistance to personnel if the organization’s legal counsel determines that doing so would constitute a conflict of interest.
- The organization generally provides a written description but on occasion the disclosure is verbal and informal.
- The organization provides information only upon request or provides partial disclosure.
RPM 3.03
NA The organization is not a network management entity and is not assigned the Network Administration (NET) standards.
- Procedures for identifying/specifying level and type of insurance or for annually verifying coverage need strengthening.
- Annual verification not documented for all providers; or
- Some providers did not meet insurance requirements yet continue to provide network services.
Risk Prevention and Management (RPM) 4: Technology and Information Management
- case records and other information of persons served;
- administrative, financial, and risk management records and reports;
- personnel files and other human resources records; and
- performance and quality improvement data and reports.
- updating, creating, and deleting documents;
- notifying users of changes;
- identifying documents; and
- maintaining a master list of documents.
RPM 4.01
- current technology and information systems in use by the organization;
- short- and long-term goals for utilizing technology; and
- current technical skills of staff and need for staff training.
- One of the standard's elements was not fully addressed.
- The assessment is very basic and provides minimal guidance to staff; or
- One of the elements was not addressed at all.
RPM 4.02
- gives personnel consistent, timely, and appropriate access to all types of electronic and paper records; and
- supports continuity and integration of care across programs and services by giving timely access to information about persons served to practitioners across the organization, as appropriate.
- A formal system is in place, but is not fully implemented so locating records may sometimes be time consuming or difficult.
- The system is informal and unsystematic; or
- Records are occasionally misplaced.
RPM 4.03
- capturing, tracking, and reporting financial, compliance, and other business information;
- longitudinal reporting and comparison of performance and outcomes over time; and
- the use of clear and consistent formats and methods for reporting and disseminating data.
- Some aspects of the system need further development.
- The system is basic and minimally supports the organization’s data needs.
Risk Prevention and Management (RPM) 5: Security of Information
- case records and other information of persons served;
- administrative, financial, and risk management records and reports;
- personnel files and other human resources records; and
- performance and quality improvement data and reports.
RPM 5.01
- limiting access to authorized personnel on a need-to-know basis;
- using firewalls, anti-virus and related software, and other appropriate safeguards;
- monitoring security measures on an ongoing basis;
- having the ability to remotely wipe or disable mobile devices, if applicable, in the event that a device is lost, stolen, repurposed, or discarded; and
- maintaining paper records in a secure location when not in use by authorized staff.
- limiting access based on staff role within the organization;
- ensuring the electronic system requires strong passwords/passcodes for access to confidential information, requires passwords/passcodes to be regularly changed, locks the user out of the system for incorrect login attempts, and automatically times out after a period of inactivity and prompts reauthentication;
- disabling the equipment, passwords, and access of former employees; and
- ensuring the system is capable of tracking who accesses confidential information in the system and recording when information is altered or deleted, also known as audit logs.
- locked file cabinets;
- a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or
- a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys.
Note: Please see the Facility Observation Checklist for additional guidance on this standard.
- Some aspect of the organization's data security procedures needs strengthening; or
- With few exceptions, procedures are understood by staff and are being used.
- There is a major deficiency in at least one of the listed elements resulting in risk to the organization; or
- There have been instances of unauthorized access to confidential or sensitive information; or
- Procedures are not well-understood or used appropriately.
RPM 5.02
RPM 5.03
- social media;
- electronic communications; and
- mobile devices, including staff-owned devices, if applicable.
- the organization's own website;
- external websites;
- email;
- texting;
- blogs;
- social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
- wikis; and
- discussion forums.
- unauthorized or prohibited contact between staff and service recipients;
- unauthorized or inappropriate use of organization logos or trademarks;
- personal comments or opinions that can be misconstrued as representing the views of the organization, or that present the organization in a negative light;
- inadvertent or deliberate disclosure of confidential or proprietary business information; and
- inadvertent or deliberate disclosure of confidential or protected information about service recipients.
- the organization's definition of "social media";
- responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
- prohibited forms of communication;
- the appropriate use of social media including confidentiality and privacy considerations; and/or
- consequences for failure to follow the policy and/or related guidelines.
- Some aspect of the procedures need further development.
- Procedures are very basic and provide minimal guidance to staff; or
- Procedures are not well-understood by staff or are frequently not being followed; or
- Procedures are still under development and have only been partially implemented.
RPM 5.04
- maintaining procedures for managing data interruptions and resuming operations;
- backing up electronic data regularly, with copies maintained off premises; and
- regularly testing the organization’s back-up plan including data restoration processes.
Factors that increase the effectiveness of a disaster recovery plan include:
- training staff on response procedures;
- practicing procedures/conducting downtime drills;
- testing disaster recovery systems on an ongoing basis; and
- monitoring plan implementation.
- Some aspects of the procedures need further development.
- Procedures are very basic and provide minimal guidance to staff; or
- Procedures are still under development and have only been partially implemented.
RPM 5.05
- Procedures for monitoring and maintaining legal compliance require greater clarity or specificity.
- The organization is aware of compliance problems and is working to remediate deficiencies.
- The organization is aware of compliance problems and is not working to remediate deficiencies.
Risk Prevention and Management (RPM) 6: Contracts and Service Agreements
- consistent with the organization’s mission;
- aligned with, and supportive of, the organization’s service array and resource development goals; and
- responsive to the needs and desired outcomes of persons served.
Interpretation: These standards apply to all contracts entered into by the organization in which it acts as a purchaser or vendor of social and human services as well as to contracts for the purchase of support services, such as maintenance or transportation services. These standards are not applicable to contracts with individual consultants and independent contractors, which are addressed in Human Resources Management (HR 7).
Note: See Applicability of COA Standards to Contracts and Non-contractual Service Agreements for additional guidance on this standard.
RPM 6.01
The organization:
- establishes a system of standardized contracting practices;
- pursues contracts that serve the organization’s and service recipient’s best interests, not private interests;
- seeks opportunities to source goods and services from diverse suppliers;
- conducts due diligence in contracting activities including review of possible risks;
- uses competitive bidding, when applicable; and
- ensures governing body review of significant contracts.
- One of the elements needs strengthening.
- Two of the elements need strengthening; or
- One element is not addressed at all; or
- The governing body does not review significant contracts.
RPM 6.02
- are reviewed by legal counsel or another qualified individual prior to signing; and
- contain all significant terms and conditions in accordance with applicable law.
- roles and responsibilities of participating organizations;
- services to be provided;
- clearly defined performance goals;
- measurable outcomes;
- service authorization, including eligibility criteria;
- provisions for training and technical support, as necessary;
- duration of contract, including delineation of follow-up services;
- policies and procedures for sharing information;
- methods for resolving disputes;
- a plan and procedure for timely payment, and consequences for failure to pay;
- necessary documentation and means of reporting to, funding or oversight bodies; and
- conditions for termination of the contract.
- Though all contracts are reviewed, contracting procedures do not address the standard.
- Terms and conditions of contracts are often general, nonspecific, or unclear; or
- There is evidence that some contracts have not been reviewed as required by the standard.
- Contracts are totally inadequate in specification of terms and conditions; or
- Contracts are not routinely reviewed as required.
RPM 6.03
- services exchanged or provided, and/or the goals and objectives of such collaborations;
- roles and responsibilities of each organization including reporting responsibilities;
- procedures for sharing information;
- confidentiality protections including signed written consent forms;
- assignment of case coordination responsibilities;
- service authorization procedures including accepting or rejecting cases; and
- how to resolve communication difficulties.
- Procedures need strengthening; or
- One element is not addressed at all.
- Terms and conditions of service agreements are often general, nonspecific, or unclear; or
- At least two of the elements are not addressed at all.
RPM 6.04
- the network's requirements regarding provider participation in network quality improvement activities;
- access to case record provisions;
- utilization management protocols;
- required levels and types of insurance; and
- agreement to participate in network training.
NA The organization is not a network management entity and is not assigned the Network Administration (NET) standards.
- Procedures need strengthening; or
- One of the elements is not fully addressed.
- The terms and conditions of contracts are often general, nonspecific, or unclear; or
- At least two of the elements are not fully addressed; or
- One element is not addressed at all.
- Contracts are totally inadequate in specification of terms and conditions.
Risk Prevention and Management (RPM) 7: Quality Monitoring of Contracted Social and Human Services
The standards in this Core are also not applicable to contracts with individual consultants and independent contractors, which are addressed in Human Resources Management (HR 7).
Network Interpretation: These standards apply to services purchased from all service providers including owner and partner organizations, and individual practitioners, as applicable.
RPM 7.01
- have sufficient human and financial resources to fulfill the terms of the contract; and
- are licensed or otherwise legally authorized to provide the contracted services.
- Procedures need strengthening.
- Documentation is poorly maintained or some documentation is missing; or
- The organization has not conducted the required due diligence in some instances.
RPM 7.02
- Monitoring procedures need strengthening.
- Monitoring is not consistently done.
RPM 7.03
- service quality, client satisfaction, and outcomes that accord with the organization’s expectations;
- criteria for evaluating vendor performance;
- a process for remediating performance issues; and
- protocols for routine communication of related data.
- Monitoring procedures need strengthening.
- One of the elements has not been implemented.