PRM Ica Report


SVKM’s Narsee Monjee Institute of Management Studies

Mukesh Patel School of Technology Management and Engineering

FINAL REPORT ON
RISK MANAGEMENT ANALYSIS OF
APOLLO HOSPITALS

By

NEIL PATANI M052


SAKET SAYANAR M054
PARTH SHETH M055
JEET BHANUSHALI M203
SARAVANA KUMARAN L034

Faculty Mentor
Dr. Padmanabha Aital

Table of Contents

1. Acknowledgement
2. Executive Summary
3. Introduction
4. Objective Study of Project
5. Methodology Adopted
6. Issues in Implementation
7. Analysis of issues with observations & findings
8. Results and Outcome
9. Conclusion
10. Learnings & Recommendations
11. Limitations of study & Future scope of work
12. References

1. Acknowledgement

Behind every successful project and experience there are a lot of people who gave time,
heart and soul to make it one. We would sincerely like to take this opportunity to
appreciate and thank all those who gave us their precious time, shared their in-depth
knowledge and experience, and became our mentors, providing their guiding and helpful
hands in completing this project as a fulfilment for this Report and Analysis. We
sincerely thank our Associate Dean Dr. Anuja Agarwal for designing our
curriculum in such a way that we are exposed to both theoretical and practical aspects
of management through this Report and Analysis.

Also, we would like to thank our Mentor Dr. Padmanabha Aital for helping us
understand the right approach to work, to gain knowledge and to be systematic about
the project to be accomplished. The right guidance and to-the-point explanation of the
expected outcome helped us follow a correct path towards successful completion.

Finally, we would like to thank our institute Mukesh Patel School of Technology and
Management Engineering for providing us this opportunity, which helped us a lot
in enhancing our professional skills and knowledge. Also, we would like to extend our
gratitude to all those people who were directly or indirectly associated with the
preparation of this report.

2. Executive summary

The Company is committed to high standards of business conduct and good risk management
to maintain the company's assets, grow the firm in a sustainable manner, make risk-adjusted
business decisions, and ensure that all legal and regulatory standards are met. The goal of risk
management is to assist managers in integrating risk management into day-to-day company
management, improving corporate performance via better decision-making and planning,
communicating risk information to relevant levels on a regular basis, and encouraging a
risk-aware culture in the search for possibilities that will benefit the company. Risk management
is the systematic process of discovering, analysing, and responding to prospective future
occurrences that might have unintended consequences. Risk analysis is the process of assessing
the likelihood of certain occurrences and the severity of their repercussions (impact). Risk
evaluation is the method of determining Risk Management priorities by comparing the degree of
risk to present standards, target risk levels, or other criteria to produce a prioritised list of
risks for future monitoring and mitigation. Risk assessment is the result of combining the risk
analysis and risk evaluation processes. Risks are grouped into risk categories for easier
management and control. For the sake of general comprehension, each risk category is adequately
specified.

3. Introduction

Apollo Hospitals was established in 1983 by Dr. Prathap C Reddy, renowned as the architect
of modern healthcare in India. As the nation’s first corporate hospital, Apollo Hospitals is
acclaimed for pioneering the private healthcare revolution in the country.

Apollo Hospitals (Apollo) started as a 150-bed hospital in Chennai in 1983. The Apollo
Hospitals group today includes over 8065 beds across 45 hospitals in India and overseas,
neighbourhood diagnostic clinics, an extensive chain of Apollo Pharmacies, medical BPO and
health insurance services and clinical research divisions that are working on the cutting edge
of medical science. Apollo has succeeded in being more than just a quality healthcare provider.
It has been a major player in scripting the medical landscape of the nation. This is primarily
because the group has continuously been at the helm of several game-changing innovations in
Indian healthcare. An endeavour to bring world class healthcare to semi-urban and rural India
is key.

Company Vision
Apollo’s vision for the next phase of development is to ‘Touch a Billion Lives’.

Mission Statement
“Our mission is to bring healthcare of International standards within the reach of every
individual. We are committed to the achievement and maintenance of excellence in education,
research and healthcare for the benefit of humanity”

The Company is committed to high standards of business conduct and good risk management
to:

• Protect the company’s assets.


• Achieve sustainable business growth.
• Take risk adjusted business decisions.
• Ensure compliance with applicable legal and regulatory requirements.

The Risk Management Policy is intended to enable Apollo Hospitals Enterprise Limited
('AHEL' or the 'Company') to implement a defined risk management procedure on an ongoing
basis. An important goal of this document is to implement a structured and comprehensive risk
management process that establishes a common understanding, language, and methodology for
identifying, assessing, monitoring, and reporting risks and provides management and the Board
with assurance that key risks are identified and managed. This policy establishes the
overarching structure for the Company's Risk Management procedure. The rules outlined in
this document describe the system through which AHEL will identify, measure, and monitor
its main risks.

The risk management process must be established, implemented, and reviewed by the Board.
The Board may assign the task of evaluating the risk management procedures' effectiveness.
The Policy may be revised on a regular basis to reflect changes in company and market
conditions. All policy modifications must be authorised by the Board or the authority
designated by the Board.

This policy is intended to ensure that an effective risk management framework is established
and implemented within the Company and to provide regular reports on the performance of
that framework, including any exceptions, to the Board of Directors of the Company.

4. Objective of study project:

The purpose of risk management in healthcare organizations is to identify potential hazards or
threats and do everything possible to mitigate them through recommendation, planning and
execution. The aim of the project is to understand and document the practical implementation
of the Risk Management concepts.

• To document the Risk Management (RM) Strategy of Apollo Hospitals, which will
provide a framework for identification, assessment, evaluation, mitigation and review
of the risk categories on a periodic basis.
• To understand the use of the risk framework for taking informed business decisions
integrated with risks and to minimise the adverse consequences of risks on business
objectives.
• To understand risk management in the day-to-day management of the business
• To understand the reporting techniques at Apollo Hospitals to escalate risk information
on a timely basis at appropriate levels
• To understand the tools and techniques adopted by Apollo Hospitals in order to make
the organization more risk aware
• Also, to understand the RM during the difficult pandemic period

5. Methodology Adopted:

5.1. Risk Management Process

5.1.1. Risk Identification

Comprehensive risk identification using a well-structured systematic process is critical because
a potential risk not identified is excluded from further analysis. Identification should include
all risks, whether or not they are under the control of the Company. Risks can be identified in
several ways, such as:

• Structured workshops
• Brainstorming sessions
• Occurrence of a loss event
• Review of documents

Each Head of DRMC/Function/Location/Risk Owner must periodically review the risks within
their risk category. Workshops or brainstorming sessions may be conducted amongst the focus
groups to identify new risks that may have emerged over a period of time. Any loss event may
also trigger risk identification.

All identified risks should be updated in a risk register. Risk registers should be periodically
reviewed to ensure pertinence of the risks listed. Risks that would have ceased should also be
closed appropriately. The RMSC should ensure that the risk register is reviewed and updated.

5.1.2. Risk Assessment

The risks will be assessed on qualitative two-fold criteria. The two components of risk
assessment are (a) the likelihood of occurrence of the risk event and (b) the magnitude of impact
if the risk event occurs. The combination of likelihood of occurrence and the magnitude of
impact provides the inherent risk level. The likelihood and impact should be rated over a period
of 12 to 18 months.

The magnitude of impact of an event, should it occur, and the likelihood of the event and its
associated consequences, are assessed in the context of the existing controls. Impact and
likelihood may be determined using statistical analysis and calculations. Alternatively, where
no past data are available, subjective estimates may be made which reflect an employee’s or
group’s degree of belief that a particular event or outcome will occur.

In determining what constitutes a given level of risk the following scale is to be used for
likelihood:

Level Descriptor

5 Very high likelihood

4 High likelihood

3 Moderate likelihood

2 Low likelihood

1 Very low likelihood

In determining what constitutes a given level of risk the following scale is to be used for
impact

Level Descriptor

5 Very high impact

4 High impact

3 Moderate impact

2 Low impact

1 Very low impact

5.1.3. Risk Evaluation

Impact and likelihood are combined to produce a level of risk. Average of the group's score
should be determined. The risk should be classified into three zones based on the combined
scores of the group.

• Risks that score within a red zone are considered “critical” and require immediate action
plans to close a significant control gap. (Average score of 11 and more)
• Risks that score within the yellow zone are considered “cautionary” where action steps
to develop or enhance existing controls is also needed. (Average score in the range of
6 to 11)
• Risks that score within the green zone are considered “acceptable” or in control.
(Average score less than 6).

RISK TREATMENT APPROACH:

Note: The boxes with value 5 have been included in the Yellow (Cautionary) zone due to
very high likelihood / impact scores

Example for Calculation of Group Score:

Rating of Risk X

                  Likelihood (A)    Impact (B)
Participant 1           2               5
Participant 1           3               5
Participant 1           4               5
Total                   9              15
Group Score             3               5
(i.e., Simple Average = Total / No. of Participants)

Combined Score (Group Score A * Group Score B) = 15

The output of a risk evaluation is a prioritized list of risks for further action.
The objective of risk assessment and risk evaluation is to assist the organization in prioritizing
risk to ensure that appropriate attention is given to risks based on their criticality and that
company resources are effectively utilized in managing these risks.
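
An added example, not part of the original report or of Apollo's policy: a Python implementation of the group-score calculation and zone classification described above, applied to a small constructed risk register. The names RiskEntry, group_scores, classify and prioritise are hypothetical; it assumes that a combined score of exactly 11 falls in the red zone and that the note about boxes with value 5 applies whenever either group score is 5.

```python
from dataclasses import dataclass
from statistics import mean

SCALE = range(1, 6)  # the report's levels: 1 (very low) to 5 (very high)


@dataclass
class RiskEntry:
    risk_id: str
    statement: str
    ratings: list  # one (likelihood, impact) pair per participant


def group_scores(ratings):
    """Simple average (total / number of participants) for each criterion."""
    if not ratings:
        raise ValueError("at least one participant rating is required")
    for likelihood, impact in ratings:
        if likelihood not in SCALE or impact not in SCALE:
            raise ValueError(f"rating outside the 1-5 scale: {(likelihood, impact)}")
    return mean(l for l, _ in ratings), mean(i for _, i in ratings)


def classify(group_likelihood, group_impact):
    """Return (combined score, zone) for a pair of group scores."""
    combined = group_likelihood * group_impact
    if combined >= 11:
        # Assumption: the report lists 11 in both the red and yellow ranges;
        # here the boundary value goes to the stricter (red) zone.
        zone = "red"
    elif combined >= 6:
        zone = "yellow"
    elif max(group_likelihood, group_impact) == 5:
        # The report's note: boxes with value 5 sit in the yellow zone
        # because one of the two scores is "very high".
        zone = "yellow"
    else:
        zone = "green"
    return combined, zone


def prioritise(register):
    """Score every entry and return rows sorted by combined score, highest first."""
    rows = []
    for entry in register:
        likelihood, impact = group_scores(entry.ratings)
        combined, zone = classify(likelihood, impact)
        rows.append((entry.risk_id, likelihood, impact, combined, zone))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# RISK-X uses the ratings from the report's example; the other entries are
# constructed for illustration.
REGISTER = [
    RiskEntry("R-003", "constructed low risk", [(2, 2), (2, 3), (1, 2)]),
    RiskEntry("RISK-X", "Risk X from the report", [(2, 5), (3, 5), (4, 5)]),
    RiskEntry("R-002", "constructed rare but severe risk", [(1, 5), (1, 5)]),
    RiskEntry("R-004", "constructed moderate risk", [(3, 3), (2, 4), (3, 3)]),
]

if __name__ == "__main__":
    for risk_id, likelihood, impact, combined, zone in prioritise(REGISTER):
        print(f"{risk_id:8} L={likelihood:.2f} I={impact:.2f} "
              f"combined={combined:.2f} zone={zone}")
```
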

5.1.4. Risk Treatment / Action Plan

Risk treatment involves identifying the range of options for treating risk, assessing those
options, preparing risk treatment plans and implementing them. Treatment options may
include:
• Accepting the risk level within established criteria.
• Transferring the risk to other parties viz. insurance.
• Avoiding the risk by hedging / adopting safer practices or policies; and
• Reducing the likelihood of occurrence and/or consequence of a risk event.

The risk assessed as critical should be profiled in the 'Risk profile format' provided in Annexure
IV. The profile contains details of the risk, its contributing factors, risk scores, controls
documentation and specific and practical action plans. Action plans need to be time bound and
responsibility driven to facilitate future status monitoring. Mitigating practices and controls
shall include determining policies, procedures, practices and processes in place that will ensure
that existing level of risks are brought down to an acceptable level. In many cases significant
risk may still exist after mitigation of the risk level through the risk treatment process. These
residual risks will need to be considered appropriately. In case of financial risks this can be
accomplished by a combination of:

• Insurance by external agencies; and
• Self-insurance or internal funding

5.1.5. Escalation of risks

It is critical to institute an effective system of escalation which ensures that specific issues are
promptly communicated and followed up appropriately. Every employee of the Company has
the responsibility of identifying and escalating the risks to appropriate levels within the
organization. The respective DRMC will determine whether the risk needs immediate
escalation to the next level, or it can wait till subsequent periodic review.

5.1.6. Risk Reviews & Reporting Cycle

Risks and the effectiveness of control measures need to be monitored to ensure changing
circumstances do not alter risk priorities. Few risks remain static. Ongoing review is essential
to ensure that the management plans remain relevant. Factors, which may affect the likelihood
and impact of an outcome, may change, as may the factors, which affect the suitability or cost
of the various treatment options.

A risk review involves re-examination of all risks recorded in the risk register and risk profiles
to ensure that the current assessments remain valid. Review also aims at assessing the progress
of risk treatment action plans. Risk reviews should form part of agenda for every RMSC
meeting. The risk register should be reviewed, assessed and updated on a periodic basis.
The DRMC is responsible for ensuring that the Risk Register is reviewed and updated at least
half yearly.

The frequency of review and reporting of the risk management process is given below:

Activities                    Frequency
Updating Risk register        As and when risk is identified and assessed, at least once in a half year
Updating Risk profile         Half Yearly
Risk Management Reporting     Quarterly

Annexure I: List of risk category

Sr. No. Risk Category: Definition

1. Physician Strategy and Relations: Risks associated with the doctor engagement model
including attracting and retaining experienced panel of physicians for hospital operations.

2. Medical Services: Risks associated with a multidisciplinary approach to acute care,
speciality care, diagnostic and investigations and wellness program. This includes risks
related to inadequate facilities and inaccurate treatment of an ailment in each of the
service areas.

3. Service Excellence: Risks associated with adequate infrastructure to support patient
services, patient satisfaction and care for IP, OP and International Patients.

4. Quality and Accreditations: Risk associated with infection control, physician licensing
and credentialing, Medicare documentation and reporting, clinical standards and practices,
emergency procedures, clinical audits etc.

5. Health & Safety: Risks associated with environment pollution, safety of resources and
employees’ health and security at health care establishments.

6. Nursing Operations: Risks related to the adequacy of policies and procedures related to
nursing operations and maintaining continuous care.

7. Facilities & Equipment: Risks associated with inadequacy or failure of facilities and
equipment for delivery of care.

8. Pharmacy: Risks associated with operation of pharmacy and delivery of pharmaceutical
products to hospital units and outpatients.

9. Human Resource: Risks associated with culture, organisational structure, communication,
recruitment, performance management, remuneration, learning & development, retention,
Occupational Health & Safety and industrial relations, including supporting systems,
processes and procedures.

10. Information Technology: The risk that systems are inadequately managed or controlled,
data integrity, reliability may not be ensured, inadequate vendor performance and
monitoring, system or network architecture not supporting medium- or long-term business
initiatives and strategy, capacity planning not being reviewed on a regular basis resulting
in processing failures, risks of data or systems migration or interfaces.

11. Marketing/Business Development: Risks associated with customer sources, competition,
brand management & brand licensing and reputation of the company.

12. Finance: Risks related to liquidity/treasury operations, relationship management with
lenders, management of cash, billing and claims processing, customer credit risks,
receivables management, inadequacy of controls and lack of adequate monitoring leading to
higher risks of frauds.

13. Legal and Compliance: Risk relating to non-compliance with legislations including
direct & indirect tax law provisions, adequacy of financial reporting & disclosures,
regulations, internal policies and procedures.

14. Supply Chain: Risks associated with sourcing and vendor management.

15. Planning and Strategy: Risks associated with strategy development, strategic alliances,
business planning, business mix, performance targets, failure to align functional
strategies and objectives with enterprise-wide strategies. Risks related to improper
capital structuring and funding.

16. Corporate Governance: The risks associated with board and board procedures including
risk oversight, internal controls, CSR, stakeholder relations including investor relations
etc.

17. Corporate/External communication: Risks associated with appropriateness/adequacy of
external communication & PR.

18. Market/Environmental impact assessment: Risks associated with changing
consumer/business trends/technological shifts affecting all aspects of business and
adequacy of assessment of such risks.

This list may be modified in future to add/modify new risk baskets that may emerge.

Annexure II: Risk Register

Risk ID No. | Risk Category | Risk Statement | Contributing Factor | Likelihood Score | Impact Score | Total Score | Risk Owner

Annexure III: Risk Assessment Template

Note: The person assessing the risk should give his perception of likelihood and
impact in the above template as explained in Section

Group’s average score should be used as a risk assessment score:

6. Issues in implementation

Workplace violence, workers' compensation injuries, automotive liability, general liability,
employee and management actions, financial risk, technical failure, and natural disasters are
all frequent business hazards in the healthcare industry. The healthcare industry has unique
risks in a variety of areas, in addition to the typical organisational hazards. Healthcare firms
are exposed to a variety of hazards, including medical malpractice, patient complaints, HIPAA
violations, data breaches, and medical accidents or near-accidents.

Apollo Hospitals has been at the forefront of leveraging technology to create integrated
healthcare delivery systems throughout Asia. They have left no stone unturned in utilising
technology to ensure better access to medical treatment, improved convenience, and improved
patient care, including intelligent medical equipment, integration of Electronic Medical
Records, and Hospital Information Systems. With over 45 million patients served across 121
countries and 70 hospitals, Arvind Sivaramakrishnan, CIO of Apollo Hospitals Enterprises,
knew how important it was to preserve millions of PHI records and the clinical repository
of patients.

Challenges faced by Apollo Hospitals in implementing risk management are:

1. Lack of a real-time quantified view of risk posture and breach likelihood of critical
components of Apollo’s infrastructure, especially their critical assets that store PHI
data.
2. Absence of a centralized platform measuring the organization’s adherence to globally
recognized compliance and regulatory frameworks in real-time

7. Analysis of issues with observations & findings.

One of the main issues for healthcare organisations is the security of patient, customer, and
corporate data. In addition to the high prices offered in underground marketplaces for patient
records, the continuously expanding attack surface provides a strong incentive for threat actors
to target the healthcare business. With over 45 million patients served across 121 countries and
70 hospitals, Arvind Sivaramakrishnan, CIO of Apollo Hospitals Enterprises, knew how
important it was to preserve millions of PHI records and the clinical repository of patients.

However, the increasing adoption of emerging technology such as Artificial
Intelligence/Machine Learning and cloud-based software introduces new risks that could
jeopardise the healthcare industry's security and compliance. As a result, compliance and
regulatory frameworks, which are normally implemented to protect systems and sensitive data,
are compounding security difficulties. The increased frequency of targeted cyber attacks on
healthcare organisations further adds to the problem.

The IT operations and security team at Apollo Hospitals has been in charge of ensuring that
their organisation adheres to security requirements. At the same time, they needed to make sure
that these security principles complied with the industry's compliance standards and best
practices. With patients coming from over 121 countries for treatment, it's critical that they
follow the security best practices outlined by internationally recognised cyber security
standards and recommendations.

To effectively deal with these most pressing challenges, Arvind brought in SAFE - an
enterprise-wide, unified, and real-time Cybersecurity & Digital Business Risk Quantification
platform for his organization’s hybrid environment.

SAFE assists Apollo Hospitals in keeping up with the newest information technology, industry
impacts, and risks to systems and data. SAFE allows the business to manage many moving
targets while still achieving criteria. Apollo Hospitals may use SAFE to track and report on
their adherence to globally recognised industry-specific compliance standards on a
consolidated platform, and manage overlapping compliances intelligently.

SAFE assists Arvind in measuring and directing his approach to solve the security concerns he
has as part of enterprise risk management. This means that his team may immediately begin
assessing the risk posture and likelihood of a breach of critical infrastructure components. On
a single platform, you can monitor endpoints, databases, and employee cyber risk. Once the
risks have been identified and assessed, his team may decide whether to accept the risk or take
the necessary remediation procedures to address it.

8. Results and outcome.

• Led to the formation of the Risk Management Policy
• This policy is intended to guarantee that the Company establishes and implements an
effective risk management framework, as well as to provide regular reporting on the
framework's effectiveness.
• Other current compliance processes are not replaced by this Risk Management Policy.
• This Risk Management Policy covers the whole Company, including all hospital and
pharmacy divisions, services, and units.
• Risk management's goal is to assist managers in:
   • Integrating risk management into day-to-day business management
   • Improving business performance by improving decision-making and planning
   • Escalating risk information on a timely basis at appropriate levels
   • Promoting a more risk-aware culture in pursuit of opportunities to benefit the
   organisation

9. Conclusion

Department of Health project directors, program managers, and senior managers of Apollo
hospitals have the responsibility to assess and manage risks on their projects and project
portfolios. Project risks can be managed to successful conclusions through the following basic
actions:

1. Establish and maintain management commitment to performing risk management on all
projects.

2. Start the risk management process early in the project life cycle—prior to approval of project
needed

3. Include key stakeholders in the process, with the project director as the lead and the
integrated project team (IPT) intimately involved in the process.

4. Evaluate project risks and risk responses periodically during the project/operation function
life cycle.

5. Develop risk mitigation plans and update them as the project progresses.

6. Follow through with mitigation actions until risks are acceptable.

7. Tie a project’s level of risk to cost and schedule estimates and contingencies.

8. Effectively communicate to all key stakeholders the progress and changes to project risks
and mitigation plans.

10. Learnings & Recommendations

Learnings

Risk management has become an integral part of hospital administration for both developed
and developing countries. Since we are living in a global village and with advances in
communication technology, the day is not far when patients will initiate lawsuits against
health care providers and hospitals for medical malpractice and negligence threatening patient
safety. Proactive risk control and treatment can be achieved through a strong risk management
plan, which can include staff training, quality assurance programs, the acquisition of improved
tools and technology, and the proper handling of medical equipment.

Recommendations:

It is recommended that Apollo Hospitals give serious consideration to implementing and/or
strengthening risk management programs to protect their assets and minimize financial
losses. It should organize training programs for staff with specific risk management
responsibilities. Each employee and volunteer should be charged with risk
management. It is also highly recommended that the employees and volunteers at Apollo
Hospitals be consistent and support the organization’s efforts to improve performance
accreditation.

It is also recommended that the incident report should:


1. Fully describe exactly what transpired.
2. Be simple and practical in format and take the least amount of time and effort to
complete.
3. Contain the name, address, age, and condition of the individual involved, along with
exact location, time, date, and description of the occurrence.
4. Have physician's examination data.
5. Include checklists or questions to remind the reporter to include such items as bed rail
status, reason for hospitalization, description of those involved, witnesses, and extent
of out-of-bed privileges.

11. Limitations of study & Future scope of work

In any type of organization, there are going to be risks. Some may be more pressing and severe,
while others may not require any sort of external policy or approach to handle them.
Nevertheless, it’s important to effectively identify, address, and mitigate risks, which requires
a robust risk management policy.

Strong risk management is vital to the healthcare field. A single malpractice suit could cost a
hospital millions of dollars. A small clerical error or treatment oversight could lead to a decline
in the health of a patient and even death. And the lack of procedures in place to effectively
address and mitigate these risks can lead to larger problems in the future. It may not be possible
to stop every healthcare risk from developing into a larger problem, but healthcare risk
management enables professionals to anticipate and address conflicts, now and in the future.
This requires the efforts of dedicated and trained healthcare staff, such as hospital
administrators and healthcare risk managers.

This kind of study was conducted with respondents from Kolkata, West Bengal, and nearby
areas. Though utmost care has been taken to choose the hospitals and respondents that belong
to both public and private sector, however, the challenges in other metropolitan and
non-metropolitan cities of India might be different. Due to paucity of time, the study could not be
extended to other cities. This limitation can be eradicated by recruiting numerous healthcare
personnel from different Indian cities.

Another limitation of this study was that it was conducted qualitatively, although the
researchers attempted to quantify the qualitative data through visual reflections. The
quantitative assessment in the near future shall help to draw a composite conclusion and design
suitable intervention strategies. Quantitative research can be further progressed keeping the
sampling frame constant.

12. References

https://online.maryville.edu/blog/risk-management-in-healthcare/

https://www.researchgate.net/publication/271297764_Risk_Management_in_Hospitals

https://www.who.int/workforcealliance/members_partners/member_list/apollo/en/

https://journals.sagepub.com/doi/full/10.1177/09720634211011695

https://www.safe.security/resources/case-study/apollo-hospital/

https://work.chron.com/potential-risk-quality-management-issues-may-affect-healthcare-industry-25601.html

https://www.nap.edu/read/11183/chapter/11
