Standards for public agencies

2020 Edition

Risk Prevention and Management (PA-RPM) 2: Risk Prevention

The agency identifies and reduces potential loss and liability by:
  1. conducting prevention and risk reduction activities; and
  2. monitoring and evaluating risk prevention and management effectiveness.

Proactive, comprehensive, and systematic risk prevention and management practices sustain the agency’s ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standard's requirements have been met and the basic framework required by the standard has been implemented. 
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.

Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  

  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
Unsatisfactory Implementation or Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
Self-Study Evidence
County/Municipality Administered Agency, State Administered Agency (Central Office), or other Public Entity
  • Risk management plan including:
    1. Procedures for conducting annual assessment of potential agency risks
    2. Procedures for quarterly review of immediate and ongoing risks
    3. Procedures for investigation and review of critical incidents
State Administered Agency (Regional Office)
  • Regional risk management procedures, as applicable

On-Site Evidence
All Agencies
  • Management meeting minutes at which risk and risk prevention performance was last reviewed and improvement action steps were discussed and implemented, as applicable
  • Most recent quarterly and annual risk management reports, including analyses and improvement action plans, as applicable
  • Results of independent investigations of critical incidents

On-Site Activities
County/Municipality Administered Agency, State Administered Agency (Central Office), or other Public Entity
  • Interviews may include:
    1. Agency leadership
    2. In-house counsel
    3. Risk management personnel
State Administered Agency (Regional Office)
  • Interviews may include:
    1. Regional Director


PA-RPM 2.01

A written risk management plan operationalizes the agency’s risk management activities and:
  a. articulates the agency’s overall approach to risk management;
  b. describes the risk management structure and activities;
  c. defines staff roles and outlines training and competency expectations by job position or category; and
  d. includes measurable goals for reducing potential risks.

Element (b) for statewide agencies, or agencies that cover multiple regions/communities, must delineate:
  1. the specific responsibilities of the central, regional, and local offices in carrying out risk management activities;
  2. how risk management information will be communicated among the various offices; and
  3. what role each office will play in implementing and tracking corrective action.
Additionally, with regard to element (b), risk management activities should include contract monitoring activities that align with the standards in PA-PQI 7.

Fundamental Practice

PA-RPM 2.02

The agency annually assesses areas of potential risk including:
  a. compliance with legal requirements;
  b. technology and information management;
  c. liability exposure;
  d. the health and safety of personnel and persons served including the prevalence of work-related stress and the impact of trauma;
  e. human resources practices;
  f. contracting practices and compliance;
  g. client rights and confidentiality issues;
  h. financial risks;
  i. public relations, branding, and reputation; and
  j. conflicts of interest.


Although the agency should assess all areas of potential risk at least annually and compare related areas, the assessments do not need to be conducted together at one time.


Regarding element (b), annual assessments should include a review of systems in place to protect physical and electronic data and information, databases, files, computers and mobile devices, networks, and programs from unauthorized access, use, modification, disruption, destruction, and/or attack.


Regarding element (c), annual assessments of liability exposure should include a review of the agency’s use of agency- and privately-owned vehicles in the course of its daily operations including, but not limited to, transporting clients, running errands, attending home visits, traveling between sites, and attending meetings.

Fundamental Practice

PA-RPM 2.03

The agency conducts a quarterly review of immediate and ongoing risks that includes a review of incidents, accidents, and grievances including the following, as appropriate to each program or service:
  a. facility safety issues;
  b. serious illnesses, injuries, and deaths;
  c. situations where a person was determined to be a danger to himself/herself or others;
  d. service modalities or other agency-wide practices that involve risk or limit freedom of choice; and
  e. the use of restrictive behavior management interventions, such as seclusion and restraint.


In employee assistance programs, only elements (a)-(c) could potentially apply. 

Examples: With regard to element (b), serious illnesses can include those illnesses that pose a significant, widespread risk to public health or the health of the agency’s staff and persons served.

Fundamental Practice

PA-RPM 2.04

The agency conducts an independent review of each incident and accident that involves the threat of or actual harm, serious injury, and death; and review procedures:
  1. establish timeframes for review including requiring the investigation be initiated within 24 hours of the incident and/or accident being reported;
  2. require solicitation of statements from all involved individuals;
  3. ensure an independent review;
  4. require timely implementation and documentation of all actions taken;
  5. address ongoing monitoring if actions are required and determine their effectiveness; and
  6. address applicable reporting requirements.
Note: For child and family services agencies, please see PA-RPM 3.03 for more information on conducting internal administrative reviews following a child fatality or near fatality.