Digital Services risk management tool
This tool can be used to assess the functional risks of social and healthcare remote and digital services from the client's and patient's perspective. The tool is based on the BowTie risk management model (BowTie).
The term digital service refers to a service implemented with the support of a digital communication channel or platform. Digital services also include remote services, which are real-time services based on an interaction between people.
Risks related to service processes must be identified, and measures to protect against risks must be defined. The evaluation of operational risks must be continuous and last for the entire lifetime of the service.
Structure of BowTie risk management
The BowTie risk management tool can be used to describe various chains of events. The model gets its name from the bowtie shape of the diagram (Figure 1).
In the centre of the diagram is a key event where a loss of control occurs, such as an accident. On the left are chains of events from threats that can lead to a key event. Chains of events can be broken with protections that prevent a key event from occurring. The right-hand side presents potential consequences that can be mitigated or limited by responsive actions.
BowTie risk management in practice
The most common dangers that can threaten activities within digital services are described in Table 1. The factors that expose you to these risks are described in Table 2.
Table 3 is used to calculate the magnitude of the risk by estimating the probability of each hazard occurring and how large the impact of the occurrence would be. Table 4 is used to assess the need and urgency of the necessary measures. The Excel tool prepared by the Finnish Centre for Client and Patient Safety automatically calculates the magnitude of the risk.
After this, measures to reduce the risks will be reviewed. A record is made for each risk:
- current risk management methods, i.e. a description of preparedness
- assessment of the current management of the risk (adequate, to be developed, insufficient)
- proposals for improving risk management and decided development activities.
The client’s or patient’s dealings in the digital service are not successful, which results in one of the following:
- The service is interrupted
- The service is implemented with incorrect information
- Access to the service is delayed
- The client or patient is completely deprived of services.
The client or patient may be harmed as a result.
| Client does not choose a digital service | Client cannot use the digital service | Client does not get the matter in question taken care of |
| --- | --- | --- |
| The client has not received information about the service or cannot find the digital service | The client does not have the necessary equipment (computer, smartphone, internet connection) | The digital service is difficult to use or the service is not understandable |
| The client is concerned about data security or privacy protection | The client does not have tools for strong identification | A technical malfunction interrupts or prevents activities taking place |
| The client does not know whether the matter in question can be handled by the digital service | The client has insufficient digital skills | It is not possible to handle the matter in question with a digital service |
| The benefit of the digital service is unclear to the client | Dealing on someone else’s behalf is not possible in the digital service | Deficiencies in the client’s or staff’s remote interaction skills |
| The client’s functional limitation or reduced cognition prevents the use of the digital service | Not all relevant facts are identified or verified | |
| The digital service cannot be used in a language the client understands | The client cannot switch from one digital service or application to another | |
| The client does not receive written instructions at the end of the digital service | | |
Note that the review is always made from the perspective of the client and the patient. If necessary, risk identification can be refined and carried out more extensively, for example, by the service.
The BowTie risk management method can also be used to review a risk event that has already occurred. The starting point is the consequences of the event for the client or patient. The chain of events is explained by proceeding from right to left. At the same time, it is assessed whether protections had existed and whether they had been implemented.
Excel tool
A written record can be made with the help of an Excel tool prepared by the Finnish Centre for Client and Patient Safety, which contains the identified risk factors (Figure 2). The tool can be obtained by request from noharm(a)ovph.fi. (not yet in English, coming soon)
The tool also contains a more detailed description of the BowTie from the perspective of social welfare and healthcare digital services.
——-
This document was produced in strategy group 3.2 of the Client and Patient Safety strategy operational programme.
For more information: Finnish Centre for Client and Patient Safety (noharm(a)ovph.fi)
Published: 14.5.2024
Publisher: Finnish Centre for Client and Patient Safety
The need for updating the tool is checked annually.