
December 28, 2023

Risk management in health care

Discover the advantages of having a risk management plan and how Marsh McLennan Agency can help you build one.


  • Risk management: What it is and why it’s important
  • 5 principles of risk management in health care
  • Creating a health care risk management plan

The medical field is vast and constantly changing, making it hard for businesses to control and maintain associated risks. With critical staffing concerns and regulatory compliance troubles being just a few of the problems industry professionals face daily, a risk management strategy is essential for health care organizations.

However, knowing where to start can be challenging. How can health care companies better control issues before they halt operations? In what ways can businesses put guardrails in place to proactively address situations before they arise?

Let’s look at risk management in health care and why it’s essential for maintaining a safe and compliant organization in the medical industry.

Risk management: What it is and why it’s important

Health care risk management—also referred to as medical risk management—is a collection of best practices and procedures designed to keep medical facilities operating safely and in accordance with financial and governmental regulations.

Risk compliance reduces medical errors through protocols that prevent and mitigate mistakes. It ensures that all team members are aware of possible risks and know how to handle them. Risk management solutions help organizations get to the root of errors and failures to prevent future occurrences rather than coming up with a one-time fix for the problems and hoping they go away.

There are several hazards that medical employees and risk managers must be aware of on top of common health-related claims like medical malpractice and medical error. Here are the top risks that health care providers need to monitor.

Talent acquisition

The health care industry is growing, and there aren’t currently enough workers to meet demand. While people are still going to school and getting medical degrees and certificates, there just aren’t enough individuals to fill every empty position. According to the U.S. Bureau of Labor Statistics, there are about 1.8 million expected job openings each year in the industry due to employment growth and the need to replace workers who retire or leave the occupation permanently.

In response to the shortage of skilled workers, there is increased competition among health care organizations, including hospitals, clinics, and research institutions vying for the same qualified candidates. This is beneficial for employees within this sector, but extremely challenging for companies trying to employ the best and brightest.

Cybersecurity threats

Technology advances the level of care offered by medical professionals, but it also poses serious cybersecurity risks. As more technology is used to innovate how doctors, nurses, and other health care professionals do their jobs, it puts organizations at greater risk of cyber events. Hospitals and health systems house a multitude of personal and financial information for patients, making them a target for extortion and ransomware attacks.

A 2023 study done by Protenus found that 59 million patient records have been breached within medical organizations, with a 44% rise in the number of hacking incidents compared with previous years. On top of that, 88% of organizations have had at least one cyber attack in 2023, as stated in a Proofpoint report. This same report discovered that the average cost of disruption to normal health care operations was up 30% from 2022, for a total of about $1.3 million. These numbers go to show security measures can save your medical company thousands—or millions—of dollars.

Quality of patient care

Because staffing shortages are hitting health care companies across the country, many patients aren’t receiving the type or level of care they need. In fact, at the end of 2022, a total of 145,213 health care providers left the profession, leaving companies without enough resources, according to Definitive Healthcare. Medical professionals are stretched thin, making it difficult to spend the necessary time assessing care needs and ensuring patient safety. Readmissions and litigation for adverse patient outcomes—like medical malpractice or medical error claims—can be costly for any company within this sector, resulting in financial loss and business interruption.

It also means they have less time to complete procedures and examinations, resulting in an uptick in errors or misdiagnoses. Ultimately, patients’ health outcomes are at stake if organizations can’t provide consistent, top-notch attention to detail and professionalism.


Medical professional liability has been a longstanding problem for health care providers, even with laws being passed to protect industry professionals. In fact, many reforms directly impact medical businesses and open them up to more risks.

California’s Medical Injury Compensation Reform Act’s $250,000 cap on noneconomic damages has been raised, increasing exposure for the health care industry. The updated legislation introduces two separate caps, depending on whether a wrongful death claim is involved. In wrongful death cases, the cap increases to $500,000. Each January after the incident, the cap increases by $50,000 until it reaches $1 million. As of 2022, if the medical malpractice case doesn’t involve wrongful death, the cap starts at $350,000 and increases annually by $40,000 until it reaches $750,000.

This reformed act can potentially influence other states to enact similar legislation, making it essential for health care companies to protect themselves.


Regulatory compliance keeps health care companies in check and ensures patient safety and protection. Failure to comply can be detrimental. While errors do occur to even the most experienced industry professionals, mistakes, overpayments, and a lack of documentation can put a health care business at risk of compliance fines and penalties.

There are three main areas of health care compliance for any company in this sector:

  • Patient safety: One of the main focuses of health care compliance is keeping people out of harm’s way. Compliance programs involve measures to prevent medical errors, ensure infection control, and safeguard patients from threats during their care.
  • Patient privacy and data security: As cybersecurity remains a top concern, protecting patient information is crucial. To comply in this area, businesses must maintain patient privacy and data security, adhering to HIPAA and other government regulations to keep sensitive health information out of the wrong hands.
  • Billing and coding: Accurate billing and coding practices within the health care sector keep fraud and cybersecurity concerns from becoming a problem. This section of compliance deals with the precision required for billing, following coding standards and anti-fraud regulations.

By being aware of these common risks, health care companies can better serve and protect their patients and more easily remain compliant with regulations.

5 principles of risk management in health care

It’s not enough to know what potential risks could make your business come to a standstill; you must also prepare for these concerns proactively.

There are five main elements of risk management in health care laid out by the National Library of Medicine:

  1. Avoid risk: Document any potential risks that could occur in your line of business.
  2. Identify risk: Assess the root cause of these risks and what or who is involved through a risk assessment.
  3. Analyze risk: Examine how the risk can occur and how often. Also, look at the consequences of the adverse event to your business.
  4. Evaluate risk: Determine solutions to the risk.
  5. Treat risk: Come up with an action plan to identify who will be responsible and how the treatment will be monitored.

Many jobs are involved in this cycle, and one person can’t do it alone. The key is to divide and conquer, ensuring there aren’t any gaps in the audit and treatment of specific problems within your medical business. Every member of your team—from IT specialists and HR professionals to doctors and nurses—should have a role in the risk mitigation process.

Creating a health care risk management plan

To build a risk management plan, you must first answer these questions to determine your specific needs:

  • Who or what is at risk?
  • What is involved in that situation?
  • Why is it possible for this risk to arise?
  • How likely is it to occur?
  • What are the consequences?
  • What can be done to stop it?
  • How can the solution best be applied to the identified risk?

After documenting your responses to these questions, it’s time for your team to go through the five steps to avoid, analyze, identify, evaluate, and treat potential problems within your health care organization.

Having a game plan in place is vital, but knowing what needs to be included can be difficult without assistance. By partnering with Marsh McLennan Agency, you can receive the insurance experience and health care industry knowledge necessary to mitigate concerns for both the current and future risk landscape of your organization.

Our team specializes in providing risk management services tailored to your industry’s specific issues. By partnering with Marsh McLennan Agency, you can receive:

  • Commercialization strategies
  • Data protection liability 
  • Employee and patient safety
  • In-house pharmacy, including 340B strategies
  • Management liability solutions
  • Medical professional liability services
  • Population health strategy design and support

Ready to secure your medical business and enhance patient safety? Reach out to a specialist to get help with your company’s risk management plan.