Incident Response & Legal
Coordinating Risk, Legal & Compliance on WV Matters
How hospital risk, legal, and compliance functions should coordinate on workplace violence — roles, handoffs, and a RACI that keeps the program and the record aligned.
Healthcare workplace violence is one of the few program areas that lands squarely on three desks at once: compliance, risk management, and legal. When those functions coordinate, the facility produces one aligned program and one coherent record. When they do not, activities fall through the cracks, records duplicate and contradict, and the facility discovers — usually after an incident — that no one owned the thing that mattered. This article lays out the roles, the handoffs, and a practical RACI that keeps the program and the record aligned.
It supports our pillar on workplace violence incident response and legal exposure, and complements the WVP program charter: scope, authority, and accountability. It is general compliance information, not legal advice.
# Why three functions, and why coordination is the failure point
Workplace violence touches all three functions by its nature:
- It is a compliance obligation — Texas HSC Chapter 331, Joint Commission standards, and OSHA guidance all impose specific, documentable requirements (SB 240, 88th Leg., 2023; TJC R3 Report Issue 45, eff. Jan. 1, 2022 for hospitals; OSHA Pub. 3148).
- It is a risk function — incidents, the incident log, post-incident response, insurance, and operational mitigation live here.
- It is a legal matter — privilege, litigation exposure, contract and vendor language, and regulatory response live here.
The danger is not that any one function is incompetent. It is that the seams between them go unmanaged. Two recurring failure modes:
- Gaps — an activity (say, reconciling the OSHA 300 Log to the WVP incident log) that everyone assumes someone else owns, so no one does.
- Collisions — two functions both documenting the same incident from different angles, producing inconsistent accounts that opposing counsel later exploits.
Coordination is the discipline that closes the seams.
# The default division of labor
While every organization's structure differs, a workable default division of responsibility looks like this.
| Function | Typically owns |
|---|---|
| Compliance | Alignment to Chapter 331 / Joint Commission / OSHA; the survey-readiness binder; the annual plan evaluation; policy-to-standard mapping |
| Risk management | Incident response and the incident log; post-incident services; trending; insurance interface; operational corrective actions |
| Legal | Privilege strategy; litigation holds and response; regulatory correspondence; contract and vendor/agency language; sensitive communications |
| WVP program leader | Cross-functional coordination; committee operation; the program of record; the single point of accountability the Joint Commission expects |
The designated program leader is the connective tissue. The Joint Commission requires hospitals to name one (R3 Report Issue 45), and the role exists precisely so a single accountable person can coordinate across functions rather than leaving the program to emerge from three uncoordinated workstreams. We cover the role in appointing a designated workplace violence prevention program leader.
# The handoffs that matter most
Coordination becomes concrete at the handoffs — the moments one function passes work to another. Three are especially consequential.
Incident → legal escalation. Not every incident needs counsel, but the criteria for when it does should be defined in advance, not improvised. Serious injury, potential litigation, regulatory exposure, or media attention should trigger early legal involvement, because the structure of the review and communication affects privilege. We address this in preserving privilege while documenting a defensible program.
Compliance → board reporting. The Chapter 331 annual plan evaluation goes to the governing body. Compliance assembles it, but risk supplies the incident and trend data and legal advises on framing. A clean handoff produces a single, accurate board report rather than three competing versions.
Risk → corrective action ownership. A debrief generates corrective actions, but the owner often sits in operations or facilities, not risk. The handoff — who owns each action, by when — is where loops stay open if it is not managed. We cover the discipline in tracking corrective actions to closure.
# A practical WVP RACI
A RACI (Responsible, Accountable, Consulted, Informed) turns the abstract "three functions" into assigned ownership. A representative starting point — to be adapted to each organization's structure:
| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Worksite analysis / risk assessment | Safety / program leader | Program leader | Risk, compliance | Legal, leadership |
| Incident response & log | Risk | Risk | Program leader | Compliance, legal |
| Legal escalation decision | Risk / program leader | Legal | Compliance | Leadership |
| Policy & plan drafting | Compliance | Program leader | Legal, HR | Risk |
| Annual plan evaluation to board | Compliance | Program leader | Risk, legal | Governing body |
| Litigation hold & response | Legal | Legal | Risk, compliance | Leadership |
| Training program | HR / education | Program leader | Compliance | Risk |
The value is not the specific assignments — it is that every activity has exactly one Accountable owner and no activity is unassigned. The RACI is most useful when it is reviewed and ratified by all three functions and the program leader together, so each agrees to its role before an incident tests it.
# Coordinating without collapsing the functions
A caution: coordination does not mean collapsing the three functions into one undifferentiated process. Legal needs to preserve privilege where appropriate; compliance needs an honest, complete survey record; risk needs operational speed. These can pull in different directions, and the program leader's job is to coordinate them, not to override counsel's privilege judgments or compliance's accuracy obligations. The healthiest model is defined roles in constant communication — a standing forum (often the WVP committee) where all three functions sit, plus clear escalation rules for when an incident moves from routine to sensitive.
A note on scope: VIGILO is a compliance, training, and consulting firm, not a guard, patrol, or investigations provider, and it does not provide legal advice or direct litigation strategy. It builds the compliance documentation, governance structure, and coordination protocols a defensible program requires; privilege and litigation decisions remain with the facility's counsel.
# How VIGILO helps
VIGILO builds the governance architecture that makes coordination routine — on flat-fee terms, never per-incident or contingent.
- Policy development drafts the program charter, RACI, and escalation criteria that assign ownership across risk, legal, and compliance.
- Annual program reviews run the committee cadence where the three functions coordinate, and assemble the board report from a single source of truth.
- Mock surveys test whether the handoffs actually function — or whether activities fall through the seams.
Hospital risk managers, compliance officers, and healthcare attorneys are the buyers here. For the upstream program that anchors the structure, see Texas SB 240 & HSC Chapter 331 compliance.
# Where to start
Coordination problems are invisible until an incident exposes them. A flat-fee survey-readiness audit maps your workplace violence activities against the three functions, surfaces the unassigned and the contested ones, and helps you ratify a RACI before an incident forces the question — so risk, legal, and compliance speak with one aligned record.
Sources: Texas Health & Safety Code Chapter 331 (SB 240, 88th Leg., 2023); 26 TAC §133.55 (adopted Oct. 11, 2024); The Joint Commission R3 Report Issue 45 (WVP requirements effective Jan. 1, 2022 for hospitals); OSHA Publication 3148. This article is general compliance information, not legal advice.