Enterprise Security Risk Management

Tactics for Joint Commission Workplace Violence Requirement Alignment

The healthcare environment is one of the most complex settings to adequately secure. There are many different types of security vulnerabilities that must be considered, and workplace violence is always a top concern. Healthcare workers accounted for 73 percent of all nonfatal workplace injuries and illnesses due to violence in recent U.S. Bureau of Labor Statistics reports, making physician and nurse resiliency a critical consideration.1 Beyond assaults on staff, however, health care organizations face many other security threats and vulnerabilities, including theft of property, theft of information, intrusion and trespassing, assaults on patients, kidnapping, disorderly behavior, and weapons on campus.

The Joint Commission (TJC) released workplace violence prevention standards effective January 1, 2022. These requirements are in the form of three new Elements of Performance (EP) and two revised Elements of Performance (EP). It is important to note that programs developed to meet these requirements can also work to address other types of security risks. Specifically, your organization can mitigate risks across your entire organization by taking an enterprise security risk management approach.

What is Enterprise Security Risk Management (ESRM)?

ESRM is a holistic approach to security that ties the activities, practices and culture of the security team into the overall strategy of the organization using established risk management tactics.

As part of the focus on tying the security functions into the overall function of the organization, ESRM recognizes that security responsibilities are shared by security, administrative, operational and clinical leaders. To focus on managing holistic security risk, the security team must be significantly concerned about partnership with organizational leaders, scope of the role of security in the complex set of needs in a healthcare environment, and transparency about the role of security and the ways in which security can help make the environment safer for everyone who interacts within it.

That may sound complicated, but it does not have to be. Ultimately, ESRM really comes down to three simple questions that should be asked on a continual basis:

  • What do we, as an organization, need to protect the most?
  • What do we need to protect it from?
  • How can we best protect it – together?

The philosophy of ESRM, boiled down into those three simple questions, is the pathway to ensuring a smooth adoption of integrated security programs with the right people, procedures, and supportive technology that will not only support the adherence to workplace violence prevention requirements, but also serve to provide greater security risk management effectiveness for the organization as a whole.

Enterprise Security Risk Management Aligns to the Needs of 2022’s Joint Commission Workplace Violence Requirements

ESRM (or, simply, risk-led security) operates as a continual cycle, evaluating the three questions. This cycle is predicated on the idea that everyone in the organization is a stakeholder in identifying the answers to all of the questions, and that these conversations can support a full understanding of the needs of all the different types of people with a stake in the outcomes of the security program.



How does adopting ESRM align the organization for success in complying with Joint Commission Workplace Violence Standards?

Any organization that adopts a risk-led approach for their security program will be setting a foundational structure that naturally supports the achievement of the Joint Commission Workplace Violence requirements.

The chart below shows how a risk-based approach to security fits with the most recent set of requirements.


Joint Commission Standards and requirements related to Workplace Violence

How a Risk-Based Security Program Facilitates Adherence to The Requirement

Environment of Care Standard EC.02.01.01: “The hospital manages safety and security risks.”

Requirement EP 17:

The hospital conducts an annual worksite analysis related to its workplace violence prevention program. The hospital takes actions to mitigate or resolve the workplace violence safety and security risks based upon findings from the analysis.



Establishing ESRM ensures compliance with EC.02.01.01 as it is, in itself, an ongoing risk management approach.


Setting the context with all stakeholders, then continually cycling through the three questions we need to ask in a risk-based approach to security will ensure that workplace violence and other risks are considered, and tactics continually updated for effectiveness over time as the context and environment may change.


Standard EC.04.01.01: “The hospital collects information to monitor conditions in the environment.”

Requirement EP 1: 

The hospital establishes a process(es) for continually monitoring, internally reporting, and investigating the following:

  • Safety and security incidents involving patients, staff, or others within its facilities, including those related to workplace violence.

We mentioned that ESRM requires a foundation of transparency.  Transparency requires information about the types and factors involved in security incidents. 


Risk-led security programs will require this type of information for all security incidents, and therefore will ensure alignment with this standard. As a cycle, the continual collection, monitoring, and evaluation happen as part of the overall operation of the risk-based security program.


Standard LD.03.01.01: “Leaders create and maintain a culture of safety and quality throughout the hospital.”

Requirement EP 9: 

The hospital has a workplace violence prevention program led by a designated individual and developed by a multidisciplinary team.


Standard HR.01.05.03: “Staff participate in ongoing education and training.”

Requirement EP 29: 

 As part of its workplace violence prevention program, the hospital provides training, education, and resources (at time of hire, annually, and whenever changes occur regarding the workplace violence prevention program) to leadership, staff, and licensed practitioners. The hospital determines what aspects of training are appropriate for individuals based on their roles and responsibilities.



In setting the context for ESRM, we mentioned the critical nature of partnerships across functional lines to ensure that security responsibilities are shared by security as well as administrative, operational, and clinical leaders. 


Solid partnerships and shared decision-making lead to the understanding that if everyone has a stake in security, everyone must understand that stake and role. 


Training and educating stakeholders is much more easily facilitated when they are part of the conversation about security from the beginning and have a feeling of ownership over the outcomes.


Organizational leaders that embrace an ESRM partnership have a more transparent understanding of the nature of impacts that might harm their critical assets and can better enact their responsibilities to ensure those assets are properly protected.


A risk-based security approach, founded in a partnership environment across the organization, will be able to clearly identify and prioritize the things that are most critical to the organization in the risk cycle. The result is greater alignment with tactical security measures to protect what is most important to the organization from the things most likely to bring harm. This simple approach brings a powerful benefit to the organization by keeping the organization secure and compliant with regulatory standards.

Next month, we will focus on the selection of security measures to address the results of the risk-based approach, and how integrating the solutions will create a more secure and efficient healthcare environment.

1 U.S. Bureau of Labor Statistics. (2020, April). Fact Sheet | Workplace Violence in Healthcare, 2018 | April 2020. U.S. Bureau of Labor Statistics.

About the Author:

Rachelle Loyear is Vice President of Integrated Security Solutions at Allied Universal®, a leading security and facility services company with a global workforce of approximately 800,000 people and revenues of approximately $20 billion.  To learn more or for any specific ESRM questions, contact Rachelle at
