Beyond utility systems, other types of risks include the potential for cyber threats such as software supply chain attacks on the “internet of things” through a backdoor of a third-party vendor or partner. Indeed, the COVID-19 pandemic also brought out a higher level of cyber threat focused upon the health care system employees working from home and utilizing their corporate resources online.

Authority having jurisdiction (AHJ) compliance risks also are an issue because many elements of infrastructure utility performance exist to comply with mandatory physical environment performance requirements. Unfortunately, the regulations imposed by one AHJ may not agree with the regulations imposed by a different one. 

Additionally, many regulations that are operational in nature (as opposed to physical infrastructure that is construction-related) will change as regulators become aware of previous adverse results. In fact, many sources cited in the accompanying article are examples of changes in earlier documents that resulted from more recent lessons learned. 

Risk assessments come in many sizes and shapes. The infection control risk assessment (ICRA) is one of the most broadly applied appraisals in health care, but it is only one segment of the more focused pre-construction risk assessment. 

Chapter 4 of the 2012 and more recent editions of the National Fire Protection Association’s NFPA 99, Health Care Facilities Code, requires that the equipment covered by several other NFPA 99 chapters be assigned Chapter 4 Risk Categories 1 to 4; and those risk categories then invoke both infrastructure and operational requirements. 

Other risk assessments may follow the commonly used seven-step process often mentioned by Joint Commission speakers: identify the issues; develop arguments that support the proposed process or issue; develop arguments that disagree with the proposed process or issue; objectively evaluate both arguments; reach a conclusion; document the process; and monitor and reassess the conclusion to ensure it is the best decision.

Finally, other risk assessments may follow a slightly different approach: identify all hazards; decide who might be harmed and how; evaluate the risks and decide on appropriate precautions and risk mitigation strategies; record the findings; propose actions and identify who will lead on what action or strategy; review the assessment periodically; and update the risk assessment when appropriate.