Private Organization Accreditation

Lutheran Social Services of New England is a high-performing nonprofit organization. LSS is a powerful difference maker and go-to resource, driving ourselves to constantly anticipate futures that are different from the past. For 140 years, LSS has been caring for people in need in New England.


Holy Family Institute

Sister Linda Yankoski, President/CEO

The Council On Accreditation provides all stakeholders involved in the delivery of social services the assurance that the organization is credible, effective, and is committed to quality improvement. The COA process is an important tool for anyone involved in leading an organization to establish best practices and maintaining and updating these practices over time.
read more>>


Proactive, comprehensive, and systematic risk management practices reduce the agency’s risk, loss, and liability exposure.

PA-RPM 2: Risk Prevention

The agency identifies and reduces potential loss and liability by:

  1. conducting prevention and risk reduction activities; and
  2. monitoring and evaluating risk prevention and management effectiveness.
Rating Indicators
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standards requirements have been met and the basic framework required by the standard has been implemented. 
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.
Partial Implementation, Concerning Performance
  • A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  
  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
Unsatisfactory Implementation or Performance
  • A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
Please see Rating Guidance for additional rating examples. 

Table of Evidence

Self-Study Evidence On-Site Evidence On-Site Activities
    County/Municipality Administered Agency, State Administered Agency (Central Office), or other Public Entity
    • Risk management plan (PA-RPM 2.01) including:
      1. Procedures for conducting annual assessments of potential agency risks (PA-RPM  2.02)
      2. Procedures for quarterly review of immediate and ongoing risks (PA-RPM 2.03)
      3. Procedures for investigation and review of critical incidents (PA-RPM 2.04)
    • Quarterly (PA-RPM 2.03) and annual (PA-RPM 2.02) risk management reports, including analyses and improvement action plans, as applicable
    • Contract or other documentation of agreement with organizations permitted to use facilities (PA-RPM 2.05)
    • Network only:
      1. Procedures for identifying and verifying provider insurance 
      2. Copy of written communication to providers regarding required insurance
      3. Documentation of insurance verification (PA-RPM 2.06)
    State Administered Agency (Regional Office)
    • Regional risk management procedures, as applicable
    • Regional quarterly (PA-RPM 2.03) and annual (PA-RPM 2.02) risk management reports, including analyses and improvement action plans, as applicable
    All Agencies
    • Management meeting minutes at which risk and risk prevention performance is reviewed, improvement actions are discussed and implemented, as applicable (PA-RPM 2.02, PA-RPM 2.03)
    County/Municipality Administered Agency, State Administered Agency (Central Office), or other Public Entity
    • Interview:
      1. Agency head
      2. In-house counsel
      3. Risk management personnel
    • Network only interview:
      1. Provider Governing Body members
      2. Provider CEO/CFO
    State Administered Agency (Regional Office)
    • Interview:
      1. Regional Director
      2. Agency leadership

  • PA-RPM 2.01

    A written risk management plan operationalizes the agency’s risk management activities and:

    1. articulates the agency’s overall approach to risk management;
    2. describes the risk management structure and activities; 
    3. defines staff roles and outlines training and competency expectations by job position or category; and
    4. includes measurable goals for reducing potential risks. 

    Interpretation:  Element (b) for statewide agencies, or agencies that cover multiple regions/communities, must delineate:

    1. the specific responsibilities of the central, regional, and local offices in carrying out risk management activities; 
    2. how risk management information will be communicated among the various offices; and 
    3. what role each office will play in implementing and tracking corrective action.
    Additionally, in regards to element (b), risk management activities should include contract monitoring activities that align with the standards in PA-PQI 9.

  • PA-RPM 2.02

    The agency annually assesses areas of potential risk, including:

    1. compliance with legal requirements;
    2. technology and information management;
    3. liability exposure;
    4. the health and safety of personnel and persons served, including the prevalence of work-related stress and the impact of trauma;
    5. human resources practices;
    6. contracting practices and compliance;
    7. client rights and confidentiality issues;
    8. financial risks;
    9. public relations, branding, and reputation; and
    10. conflicts of interest.

    Interpretation: Although the agency should assess all areas of potential risk at least annually and compare related areas, the assessments do not need to be conducted together at one time.

    Interpretation: Regarding element (b), annual assessments should include a review of systems in place to protect physical and electronic data and information, databases, files, computers and mobile devices, networks, and programs from unauthorized access, use, modification, disruption, destruction, and/or attack.

    Interpretation: Regarding element (c), annual assessments of liability exposure should include, when applicable, a review of the agency’s use of agency- and privately-owned vehicles in the course of the its daily operations including, but not limited to, transporting clients, running errands, attending home visits, traveling between sites, attending meetings, etc.

    Research Note: In accordance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, agencies that receive, store, and/or transmit electronic protected health information (ePHI) are required to conduct a security risk assessment. Risk analysis is the first step towards implementing effective and appropriate administrative, physical, and technical safeguards to secure ePHI. The process requires that agencies review their existing security infrastructure and identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of critical data and information. Findings from the security risk analysis inform the agency’s risk mitigation strategy and help to reduce the likelihood and severity of identified threats. 

    The HIPAA Security Rule does not prescribe any one method of risk analysis, recognizing that agencies vary in size, complexity, and capabilities. The Office of the National Coordinator for Health Information Technology (ONC) offers a helpful security risk assessment tool for agencies managing ePHI.

  • FP
    PA-RPM 2.03

    The agency conducts a quarterly review of immediate and ongoing risks that includes a review of incidents, accidents, and grievances including the following, as appropriate to each program or service:

    1. facility safety issues;
    2. serious illnesses, injuries, and deaths;
    3. situations where a person was determined to be a danger to himself/herself or others;
    4. service modalities or other agency-wide practices that involve risk or limit freedom of choice; and
    5. the use of restrictive behavior management interventions, such as seclusion and restraint.

    Interpretation: In regards to element (b), serious illnesses are defined as those illnesses that pose a significant, widespread risk to public health or the health of the agency’s staff and persons served.

    Interpretation: In credit counseling agencies, only elements a-c could potentially apply.

    Interpretation: In employee assistance programs, only elements a-c could potentially apply. 

  • FP
    PA-RPM 2.04

    The agency conducts an independent review of each incident and accident that involves the threat of or actual harm, serious injury, and death, and review procedures:

    1. establish timeframes for review including requiring the investigation be initiated within 24 hours of the incident and/or accident being reported;
    2. require solicitation of statements from all involved individuals;
    3. ensure an independent review;
    4. require timely implementation and documentation of all actions taken;
    5. address ongoing monitoring if actions are required and determine their effectiveness; and
    6. address applicable reporting requirements.

    Interpretation: For child and family services agencies, please see PA-RPM 3.03 for more information on conducting internal administrative reviews following a child fatality or near fatality.

  • FP
    PA-RPM 2.05

    The agency informs external organizations that use its facilities of their obligation to minimize hazards and to assume liability for use of the facility.

    NA The agency does not permit other organizations to use its facilities.

  • PA-RPM 2.06

    The network identifies and specifies the level and type of insurance required by its providers, and annually verifies that provider coverage is current.

    NA The agency is not a network management entity.

Copyright © 2019 Council on Accreditation. All Rights Reserved.  Privacy Policy and Terms of Use