RISK REGISTER POLICY AND PROCEDURE

Transcription

1 RISK REGISTER POLICY AND PROCEDURE Lead Manager: Head of Clinical Governance Responsible Director: Board Medical Director Approved by: Date Approved: Date for Review: Feb 2012 Replaces Version: 1.0 Page 1 of 20

2 POLICY CONTENTS 1. Introduction 2. Scope 3. Aim 4. Responsibilities 5. Monitoring of policy 6. Review 7. References Appendices 1. Procedure for Risk Registers 2. Risk Matrix 3. Criteria for Escalation Page 2 of 20

3 1. Introduction NHS Scotland has expressed a need for risk management strategies to be in place, as evidenced in the Quality Improvement Scotland Clinical Governance and Risk Management standards. They have provided a framework by adopting the Australian/New Zealand Risk Management Standards for the NHS in Scotland. The Board of NHS Greater Glasgow & Clyde acknowledges that the sound and effective implementation of risk management is considered best business practice at a corporate and strategic level as well as a means of improving operational activities. The continuing maintenance and development of a comprehensive Risk Register is a core part of risk management activity. The Risk Register will be used as a systematic and structured method of recording all risks: clinical, financial and organisational, that threatens the objectives of the organisation. This process will form an integral part of day-to-day practices and culture, utilising a single co-ordinated approach to the identification, assessment and management of all types of risk. This will ensure clarity and understanding of the risk profile, as the Board can only properly fulfil its responsibility if it has a sound understanding of the principal risks facing the organisation. A comprehensive risk register e.g. based on corporate objectives, adverse events, claims, and internal and external assessment has the potential to provide information on the totality of risks facing the organisation. 2. Scope This policy applies to all services within NHS Greater Glasgow & Clyde. 3. Aim The main aim of the risk register is to ensure that the risks (an event, action or inaction) which threaten the implementation of organisational objectives, or the execution of strategies, are visible and are managed at an appropriate level. This is a management tool providing clarity, addressing responsibility and generating action plans. 4. Responsibilities 4.1 The Chief Executive: has overall responsibility for having an effective Risk Management system in place within the organisation by ensuring that the appropriate structures are in place and adequate resources are available to provide effective risk management throughout NHSGGC. will as part of the business planning process consider, and where necessary make allocation for, capital expenditure for the control of risks identified through risk assessment in line with the escalation process, as recorded in the corporate risk register. Page 3 of 20

4 4.2 The NHS Board & Corporate Directors: recognises that the provision of health care, teaching and research, and ensuring innovation in these areas, will always involve risks but that the risks should be minimised as far as is reasonably practicable. recognises that effective risk management is an integral part of governance. acknowledges its ongoing responsibility to develop and implement robust and integrated processes that will ensure that risks are identified, assessed, prioritised, managed and recorded in a consistent and holistic way, and eliminated or controlled as far as is reasonably practicable. will provide a web-based system for the recording and monitoring of risks. will develop mechanisms to ensure that all significant risks are brought to the attention of the Board, along with appropriate assurances that strategies are in place to manage these risks. acknowledges that ongoing risks that cannot be addressed within the organisation will be accepted or, in the case of significant risks, shared with the commissioners of services, members of the health care community and other stakeholders. will actively encourage all staff to be actively involved in identifying and managing risks. 4.3 CH(C)P & Partnership Directors and the Chief Operating Officer, Acute Services: will ensure a comprehensive risk register is established and maintained to provide an accurate account of the risks preventing the achievement of objectives for their area of responsibility. will monitor, update and review the risk register to ensure it reflects the current issues that have some bearing on the service. will identify risks to be reported by exception to the NHSGGC Board for inclusion in the corporate register. will respond to risks identified by the corporate risk register if the actions required are within their area of responsibility. will identify which service areas within their Directorate/ Partnership should maintain their own distinct risk registers. will as part of the business planning process consider, and where necessary make allocation for, capital expenditure for the control of risks identified through the risk assessment process, as recorded in their risk register. Page 4 of 20

5 4.4 Service Managers: will monitor the risk registers at service area level and consider risks submitted by exception for the Directorate risk register. will ensure appropriate risk action plans are in place at all levels throughout their service area and that those plans inform the Performance Review Group. will be responsible for risk management activities within their service area. will ensure that their Director is kept fully appraised of the significant findings during the risk assessment programme including progress, the continual identification of significant risk, outstanding control measures and monitoring the effectiveness of the programme through exception reports. will as part of the business planning process consider, and where necessary make allocation for, capital expenditure for the control of risks identified through the risk assessment process, as recorded in their risk register. 4.5 The Risk Management Steering Group: will assist the Board by monitoring the systems and processes of risk management including the Risk Register and provide assurance to the audit committee. 4.6 Support Staff: Clinical Risk Management Staff and Health & Safety Advisors will be responsible for policy development, providing instruction and training for nominated key personnel, monitoring and evaluating the effectiveness of the risk assessment process within the organisation making recommendations to management and the NHSGGC Board for improvement. They will also act as a source of advice and support for all staff, managers and the NHSGGC Board. Datix administration staff will be responsible for the maintenance and development of the web-based system for Risk Registers, ensuring system upgrades are applied. 5. Monitoring of policy The Risk Management Steering Group (RMSG) will monitor the implementation of this policy on a consistent basis. This group will establish relevant indicators of performance reflecting NHS Quality Improvement Scotland, Clinical Governance & Risk Management Standards and compliance with requirements on risk grading and risk assessment policy for business case proposals. In addition to providing routine informal reports to the Chief Executive, the RMSG will compile the Corporate Risk Register for the Chief Executive that will be reviewed by the Audit committee on an annual basis. The Corporate Risk Register will comprise of escalated risks combined with the review of individual risk registers from the key organisational entities; it will summarise the key risks to the organisation s aims and how they are being mitigated. Page 5 of 20

6 6. Review & Evaluation This policy will have a scheduled review date for 3 years however if any aspect is found to be inadequate, the policy may be reviewed earlier in line with NHSGGC Policy on Policies. The Risk Management Steering Group (RMSG) will establish an annual evaluation cycle of the effectiveness of risk register policy and practice that will be expressed in the annual report it publishes. This will include reflection on performance against any key indicators, specialist advice from risk staff, commissioned reviews e.g. by internal auditors. 7. References Making it happen, A Guide for Risk Managers on How to Populate a Risk Register, Controls Assurance Support Unit, Keele University, 2002 (ISBN ). Page 6 of 20

7 Appendix 1 THE PROCEDURE FOR IMPLEMENTING RISK REGISTERS CONTENTS 1. Objectives 2. Method 3. Assessing Risk 4. Process 5. Monitoring 6. Tolerance and Escalation 7. Risk Identification and Assessment in Business Cases Page 7 of 20

8

9 3. Assessing Risk The purpose of a Risk Register is primarily to focus attention on the risks related to our activities, to provide a method of describing and communicating the risk and to document our efforts to reduce the risk. This process involves a sequence of events: 3.1 Identification of risk This could be through: Group review Individual management concerns Following a significant incident Performance data Legislation See Diagram 2. Diagram 2. Sources of information for Risk Registers Complaints Incidents Claims Internal Inspections Audits Reactive Proactive Risk Assessment s ORGANISATION OBJECTIVES Consultation staff & patients Internal External HSE, QIS Reports National Initiatives MHRA, NPSA Notices Reactive Risk Register Proactive Benchmarking Mandatory / Statutory Targets Internal External Consultation external stakeholders National Enquiry Reports Making it happen, CASU, Keele University, 2002 Review existing controls Consider the current systems and processes in place, which have an effect on the occurrence of this risk. This could be in reducing the likelihood of the risk occurring or in reducing the severity if the risk did occur. Examples of controls could be; training, policies, procedures, protective equipment, alarms, contingency plans, etc. Assessment Judgements about the acceptability or tolerability of a risk will depend on context and the potential for the safe management of the risk. The question to be asked about risk is: is it so great as to be unacceptable, or so minor as not to require further precautions, or somewhere between the two? This question can best be addressed by considering two factors: Page 9 of 20

10 Severity: the potential scale and the impact of an event arising from the risk (ranging from an insignificant to a catastrophic event) Likelihood: the likelihood of the event taking place at all or occurring or reoccurring (ranging from the likelihood being rare to its being almost certain). Scoring the identified risks enables the risks on the register to be prioritised. This score is called a risk rating and is reached by multiplying the likelihood score with the severity score. There are descriptions of the likelihood and severity categories provided to assist determine the rating. The scoring is done taking into consideration the present controls. When making an evaluation it is important to use objective factual information as well as subjective judgement and the evidence of experience. Establishing a risk rating is ideally discussed in a group of people familiar with the risk, to reduce the subjectivity of risk assessment. Once a rating is established the score can be mapped on a risk matrix, which would place the risk in a colour zone representing very high, high, medium or low risk. (Risk rating tool in appendix 2). When entering the risk on the Datix risk register module there is the ability to record the initial rating, the current rating and the target rating. This provides the ability to track progress in reducing the risk. When initially entering a new risk both the initial and current fields should be complete with the same risk rating. Evaluate additional controls and action plans The aim is now to reduce the risk rating by forming a plan with actions that would collectively achieve this. It may be that additional controls could be implemented or that current controls need to be improved or expanded. It may result that following consideration: The present controls are adequate and the remaining risk is low. The present controls are adequate and the remaining risk will be tolerated. The present controls are not adequate and an action plan is formed to reduce the risk rating. The present controls are the maximum currently possible but the risk exposure is still high and not tolerable (should be reported by exception). If actions are planned, it is wise to conduct a provisional re-score to assess if these actions were implemented, would the risk be reduced as expected. This is called the Risk Reduction Potential and can provide assurance that the actions planned are appropriate. This could be entered as your target rating on the Datix system to allow you to monitor progress against achieving planned reduction. Allocate responsibility and timescales. It may be that the senior manager responsible for the area in which the risk was identified owns the risk; however the action points can be allocated to appropriate individuals within the organisation / unit. It is important to ensure all actions have an anticipated completion date even if some actions are over a longer period of time, a review date provides a prompt to check the action plan is on target. Page 10 of 20

11 Review and update The register should form part of the routine management meetings within each service / directorate to ensure it is kept up to date and serves as a live document making risk management part of the business. A more formal review should occur at least quarterly to: Monitor implementation dates on action plans to assess if work planned is on target Add new risks that have emerged Change the risk rating of risks that have been successfully reduced Monitor the overall ongoing progress towards risk reduction Ensure stakeholders are informed of risks identified 4. Process The Risk Register will work on three main levels (diagram 3): Corporate Directorate / CHP Clinical Service Area / Operational Service Area The content of these registers may originate from two main sources as a top down / bottom up approach is in place. Risks descend from the top by means of objectives and directives to the organisational level of management below. Risks ascend the levels by a system of exception reporting. The owner of the risk register is the person with ultimate responsibility for a defined area of responsibility, however they may elect a custodian of the register who will update it and provide relevant reports. The web facility allows various levels of management to view the register assured that it is the most up to date version. The Risk Register as a whole is a virtual document as it is not one complete record. The composition is from a variety of registers controlled at different levels of management to provide a useful working tool to support innovation, safety and the sound management of risk in the organisation. Corporate The owner of the Corporate Risk Register is the Chief Executive who will in association with the Executive Directors and the members of the NHSGGC Board ensure that strategic risks that would influence the business aspects of managing the organisation are recognised and addressed. These risks may derive from: Recognition of threats to the corporate objectives. Risks to the organisation s key investment and change projects Key risks arising from the need to comply with external standards Significant risks escalated from Directorates / Partnerships Key risks from topic specific assessments Significant risks escalated from Corporate Services Page 11 of 20

12 The risks identified would not only be significant in nature but failure to address these may result in serious consequences for the organisation. The Chief Executive will review quarterly a report on corporate risks, collated from key internal risk registers, and shared with Audit Committee fro their review at agreed intervals. Acute Division / Partnerships The Chief Operating Officer of the Acute Division and the Partnerships Directors Group may find benefit in maintaining a risk register containing corporate risks for their area of responsibility, which do not automatically fall within one of the Directorates or individual Partnerships. This register will also contain the operational risks which have been highlighted by the Directorates / Partnerships as exceptions. This level of register will act as a filter before risks are escalated up to the corporate register. Review of this register also allows discussion and planning around risks that originate in one Directorate / Partnership, which have the potential to cause risks in other Directorates / Partnerships. Directorate / Partnership Organisations The Director is the owner of this register who will decide what is included on the register and be responsible for ensuring controls and action plans are in place and monitored. The Directorate Risk Register should be a standing agenda item on the Directorate Management Team meetings for discussion and review. All risks should be managed at Directorate level unless they fall into the criteria for escalation to the Acute Division / Partnerships Register. In CHCP s where joint risk registers have been established between local authority and health partners, the practice and principles should be consistent with this policy. Service Area The General Manager is the owner of this register with responsibility for ensuring controls and action plans are in place and monitored. There may be department registers below this level, which feed into this register. The local registers will be developed and monitored locally. The Service Area Risk Register should be a standing item on the Service Management Meetings. All risks should be managed at this level unless they fall into the criteria for escalation to the Directorate Register. Page 12 of 20

13

14

15 5. Monitoring The Chief Executive will ensure there is suitable review and management of Corporate Risks and that all significant risk management concerns are properly prioritised, considered and communicated to the Board on a regular basis. Each level of the Risk Register will require to be monitored so that the NHS Board can be assured of progress in the management of risks at all levels in the organisation. As well as the risk register being reviewed during management team meetings as a standing agenda item, there requires to be a quarterly formal review of the risk register to ensure the content is current and any outstanding actions are progressing. Level of register: Corporate RR Acute Services /Partnerships RR Directorate / Partnership RR Service Area RR Monitored by: Risk Management Steering Committee The Board Audit Committee Chief Executive AS Operating Management Group / Partnership Directors Group Directorate Management Team / Committee Risk Support Staff Service Area Management Team / Committee With a remit for: Ensuring correct process in line with policy. Ensuring content is in line with live issues. Ensuring it is reviewed and updated. Ensuring action plans in place and responsibility allocated Ensuring appropriate action taken / planned. Ensuring timescales on actions are met. Ensuring risks are graded appropriately. Ensuring registers are altered to reflect action completed. Ensuring action plans in place and responsibility allocated Ensuring appropriate action taken / planned. Ensuring timescales on actions are met. Ensuring risks are graded appropriately. Ensuring registers are altered to reflect action completed. Ensuring any cross Directorate / Partnership risks are communicated and addressed appropriately. Ensuring action plans in place and responsibility allocated Ensuring appropriate action taken / planned. Ensuring timescales on actions are met. Ensuring risks are graded appropriately. Ensuring registers are altered to reflect action completed. Ensuring correct process in line with policy. Ensuring content is in line with live issues. Ensuring it is reviewed and updated. Ensuring action plans in place and responsibility allocated Ensuring appropriate action taken / planned. Ensuring timescales on actions are met. Ensuring risks are graded appropriately. Ensuring registers are altered to reflect action completed. Page 15 of 20

16 The Datix system provides tracking of risk, so the stage of management is identified. The approval status will inform if the risk has been approved for the register by the appropriate level of manager and the system also records the date the risk was identified, review dates and a closed date. 6. Tolerance and Escalation It may be the case that having identified and assessed a risk within your unit it is decided that a level of tolerance of this risk has been met. This would indicate that the level of risk is acceptable and controls are thought to be adequate. Although the risk is still present the cost (time, effort and money) for additional controls outweighs the benefits of the risk reduction at the current time. Risks of this nature should still be reviewed to ensure the risk has not increased and the controls are still adequate. Most risks identified can be reduced or tolerated within the unit in which it belongs. Reducing the risk may require reprioritization of finances within a directorate / service area and/or adoption of more robust processes and systems. In risk management terms this would mean additional management action or controls. Following the implementation of all actions that are possible and practical, there may be on occasion, the need to report a risk by exception to the next level of management: Where that risk is unacceptable with current controls Where the risk is identified as significant Where that risk is unable to be reduced with current resources i.e. requires additional funding Where that risk effects more than one area within the service i.e. outwith management control In the event of such a risk being identified, it should be put on the Risk Register and notified to the level of management above as being an exceptional risk. Exceptional risks that are escalated to the level above remain on the register that has raised the risk. Therefore each register that has a level beneath it would have a combination of risks raised at their own level and risks escalated from the level below. This ensures the risk is only on the system once and any information in relation to timescales and actions can be seen by the appropriate individuals for that service. These exceptional risks must be labelled as escalated risk in the risk status field on the Datix web form so the management level above can include these in their risk register review. Appendix 3 provides a checklist providing the criteria for escalation to assist in reviewing these risks. Page 16 of 20

17 7. Risk Identification and Assessment in Business Cases and Projects As part of this policy it is a requirement for risks to be explicitly identified, and graded in any business case or project and in any papers seeking support for decisions, which go before the Directorate or Corporate Management Team. Risks assessed as medium or high will then need to be accompanied by a statement defining how such risks will be managed if they materialise. It will be the responsibility of Directors, General Managers, and Associate Medical Directors to ensure this requirement is adopted and adhered to within their areas, and of other Executive Directors in relation to the committees they service. In respect of the NHS Board papers for approval / decision, they will require an explicit section on risk and the Head of Corporate Administration will ensure this requirement is adhered to. Page 17 of 20

18 Appendix 2. Table 1 Impact definitions. Descriptor Negligible Minor Moderate Major Extreme Patient Experience Objectives / Project Reduced quality of patient experience/clinical outcome not directly related to delivery of clinical care. Barely noticeable reduction in scope, quality or schedule. Unsatisfactory patient experience/ clinical outcome directly related to care provision readily resolvable. Minor reduction in scope, quality or schedule. Unsatisfactory patient experience/ clinical outcome; short term effects expect recovery <1wk. Reduction in scope or quality of project; project objectives or schedule. Unsatisfactory patient experience/ clinical outcome; long term effects expect recovery >1wk. Significant project over-run. Unsatisfactory patient experience/ clinical outcome; continued ongoing long term effects Inability to meet project objectives; reputation of the organisation seriously damaged. Injury: physical and psychological Complaints / Claims Service / Business Interruption Adverse event leading to minor injury not requiring first aid. Locally resolved verbal complaint. Interruption in a service which does not impact on the delivery of patient care or the ability to continue to provide service. Minor injury or illness, first aid treatment required. Justified written complaint peripheral to clinical care. Short term disruption to service with minor impact on patient care. Agency reportable, e.g. Police (violent and aggressive acts). Significant injury requiring medical treatment and/or counselling. Below excess claim. Justified complaint involving lack of appropriate care. Some disruption in service with unacceptable impact on patient care. Temporary loss of ability to provide service. Major injuries/long term incapacity or disability (loss of limb) requiring medical treatment and/or counselling. Claim above excess level. Multiple justified complaints. Sustained loss of service which has serious impact on delivery of patient care resulting in major contingency plans being invoked. Incident leading to death or major permanent incapacity. Multiple claims or single major claim Complex justified complaint Permanent loss of core service or facility. Disruption to facility leading to significant knock on effect Staffing and Competence Financial: including damage / loss / fraud Inspection / Audit Adverse Publicity / Reputation Short term low staffing level temporarily reduces service quality (< 1 day). Short term low staffing level (>1 day), where there is no disruption to patient care. Negligible organisational/ personal financial loss. ( <1k). (NB. Please adjust for context) Small number of recommendations which focus on minor quality improvement issues. Rumours, no media coverage. Little effect on staff morale. Ongoing low staffing level reduces service quality. Minor error due to ineffective training/implementation of training. Minor organisational/personal financial loss ( 1-10k). Recommendations made which can be addressed by low level of management action. Local media coverage short term. Some public embarrassment. Minor effect on staff morale/public attitudes. Late delivery of key objective / service due to lack of staff. Moderate error due to ineffective training/implementation of training. Ongoing problems with staffing levels. Significant organisational/personal financial loss ( k). Challenging recommendations that can be addressed with appropriate action plan. Local media long-term adverse publicity. Significant effect on staff morale and public perception of the organisation. Uncertain delivery of key objective/ service due to lack of staff. Major error due to ineffective training/ implementation of training. Major organisational/personal financial loss ( 100k-1m). Enforcement action. Low rating. Critical report. National media/adverse publicity, less than 3 days. Public confidence in the organisation undermined. Use of services affected. Non-delivery of key objective/service due to lack of staff. Loss of key staff. Critical error due to ineffective training/ implementation of training. Severe organisational/personal financial loss ( >1m). Prosecution. Zero rating. Severely critical report. National/international media/adverse publicity, more than 3 days. MSP/MP concern (Questions in Parliament). Court Enforcement. Public Inquiry/ FAI. Page 18 of 20

19 Appendix 2. Table 2 Likelihood Definitions Descriptor Rare Unlikely Possible Likely Almost Certain Probability Can t believe this event would happen will only happen in exceptional circumstances. Not expected to happen, but definite potential exists unlikely to occur. May occur occasionally, has happened before on occasions reasonable chance of occurring. Strong possibility that this could occur likely to occur. This is expected to occur frequently / in most circumstances more likely to occur than not. Table 3 - Risk Matrix Likelihood Almost Certain Likely Possible Unlikely Rare Impact / Consequences Negligible Minor Moderate Major Extreme Medium 5 Medium 4 Low 3 Low 2 Low 1 High 10 Medium 8 Medium 6 Medium 4 Low 2 High 15 High 12 Medium 9 Medium 6 Low 3 V High 20 High 16 High 12 Medium 8 Medium 4 V High 25 V High 20 High 15 High 10 Medium 5 Page 19 of 20

20 Appendix 3. - Criteria for Escalation Issues to consider if planning escalating a risk - 1. The issue is currently on the appropriate Risk Register. Yes No 2. The issue has been scored and has been assessed as a significant risk. Yes No 3. All possible controls have been implemented. Yes No 4. Other sources of funding available have been considered. Yes No 5. The Management Team believes there is no provision in the current budget to address this risk. 6. The Management Team believes this risk needs to be addressed and are able to demonstrate the reduction of risk from any additional finance made available. Yes Yes No No If No to any question the risk requires to be explored further at the current management level to ensure it is a true exception. If all Yes, pass to more senior management level It is preferable that several options of risk reduction should be presented to the more senior level providing a range of choices. Issues to be considered when receiving escalated risks - Criteria to be used to assess the risk 1. Is there agreement on the scoring of the risk? (Likelihood x Severity) Yes No 2. What evidence does the Directorate have to justify the likelihood score of the risk? (Audit, incident report, claim, complaints, inspection, external review) 3. Is there agreement that the Directorate does not have funding within the budget for this issue? Evidence Available Yes No No Evidence Available 4. Have other controls and solutions been implemented in other services which could be applied as an alternative to additional funding? Yes No 5. Are there any knock-on effects / impact on any of the other areas? Yes No 6. Are there other alternative controls that could be implemented? Yes No 7. Is further information required before making a decision? Yes No After due consideration of actions to be taken, feedback must be provided to the Service / Directorate who escalated the risk. Page 20 of 20