One of the reasons for managing risk is that we have a duty of care to our staff, our customers and to members of the public. Duty of care is a legal concept that was established in 1932 during a case that was brought after a snail was found in a bottle of ginger beer – after the ginger beer had been drunk. Lord Atkins, in his decision, stated that ‘you must take reasonable care to avoid acts or omissions that you can reasonably foresee would be likely to injure your neighbour’.

Failure to manage risk effectively can lead to cases of negligence being taken. Negligence requires three things:

• That a duty of care is owed
• A breach – a failure to conform to standards
• Causation – that suffering has resulted from the breach.

Failure to exercise the skills and knowledge expected of us, or to have procedures that avoid adverse effects, will lead to negligence claims. We are used to this concept with clinical adverse effects, but there is also risk in terms of corporate governance.

Vicarious liability

Liability can rest with you, even if an adverse event was caused by an action or omission by a member of staff that you did not authorise or knew nothing about it – if the act or omission took place in the course of their employment. This is known as vicarious liability. This may relate to dispensing or a range of other possible situations in the pharmacy.

We generally understand that poor advice from a member of staff or a patient tripping over a box left out in the shop can lead to our liability. However, if a locum pharmacist or technician refused to serve someone for reasons of their race or sexual orientation, the business owner or director may also be liable.

In order to protect your business from vicarious liability it is important to take all reasonable steps to reduce the risk of these adverse incidents and be in a position to demonstrate this. In the example above, liability can be reduced by having a clear equality policy that is communicated to all staff, including locum staff, and providing equality training to any member of staff who needs it.

Risk management

Risk management is the process that all businesses should be undertaking. It should not be seen as a task to be completed but as a continuous process that is constantly being reviewed, refined and implemented. Risk can be defined as the probability of an adverse event occurring.

That event can be anything that prevents the organisation from reaching its goal. It can be something that prevents the business from performing effectively or it can be an adverse event in which a third party is involved when litigation or bad PR will damage the business financially or in reputation.

The key to managing risk correctly is to thoroughly assess the risks that face you.

Risk assessment

Risk assessment is the process of identifying and quantifying risk to allow us to make decisions. A risk assessment should be carried out when you start providing a new service or change the way you do something. Risk assessments should also be carried out on the existing business and should be reviewed regularly as well as when changes, such as staff changes, occur.

The assessment of a risk is context-specific and is not static. For example, the risk of a dispensing error occurring will be different depending upon the competence and experience of the staff working on a particular day, as well as a whole host of other factors. It is therefore relative risk that you should assess.

Evaluation of risk

There are different risk assessment models you can use to evaluate risk:

Scoring system

One model is to use a scoring system. Each potential risk is scored on a scale of one to five for the impact the adverse event will have and the probability that it might happen. The product of the impact score and the probability score will give a measure of potential significance and this will help you prioritise where to focus your attention in terms of managing risk.

A four-quadrant grid

An alternative is to create a four-quadrant grid with one axis comprising the impact of the adverse event and the second the probability of it happening. This will give you a visual map of the risks and how they might cluster, allowing you to focus your attention on specific groups of risks. Both methods will benefit from being independently undertaken by different people.

Individuals will perceive risks differently. While there will be some measure of agreement, discussion and challenge around those areas of disagreement will provide a more robust assessment of the risks.