Risk Management & Assurance Strategy. Audit Committee. See reference page 38


BHH Brent Harrow Hillingdon Clinical Commissioning Groups

Risk Management & Strategy

Author: Gilbert George, Interim Head of Governance; Dawn Crump, Interim Risk Manager
Policy Number:
Version: V1
Sponsor/Executive: Director of Quality & Safety
Responsible committee: Audit Committee
Ratified by / Consultation & Approval (Committee/Groups which signed off the policy, including date): CCG Executives; Quality Safety & Clinical Risk (Integrated Governance); Audit Committee; CCG Governing Bodies
Date ratified:
Date issued:
Review date:
Purpose of the Policy: The strategy describes Brent, Harrow & Hillingdon CCGs' vision in relation to the management of risk, detailing the systems and processes in place and highlighting roles and responsibilities
If developed in partnership with another agency, ratification details of the relevant agency:
Policy in-line with national guidelines: See reference page 38

Signed on behalf of the Brent, Harrow & Hillingdon CCGs: .. Accountable Officer

Version Control Page

Version: 1.0
Date: January 2016
Author: Interim Risk Manager
Comments: To supersede all previous risk management strategy documents

This policy will be reviewed in 3 years, as set out in the BHH Federation Policy on Procedural Documents, unless best practice dictates the need for an earlier review.

Policy Circulation Information

Notification of policy release: All recipients; Staff Notice Board; Intranet
Key words to be used in search. All Staff Policy Guidelines Standard Operation Procedures Strategy Template

Contents

Document Reference Information
Version Control Record
BHH CCGs Statement
1 Introduction and Purpose
  1.1 Introduction
  1.2 Purpose
2 Scope
3 Developing the Risk Management Framework
4 Definitions
5 Duties and Responsibilities
6 Risk Management Process
  6.1 Governance structures to support risk management
  6.2 Horizon scanning
  6.3 Process for managing risk
  6.4 Reporting structure and sources of risk
  6.5 Risk profile
  6.6 Project and Programme Risks
  6.7 Board Framework
7 Risk Appetite
  7.1 Risk appetite
  7.2 Risk appetite statement
  7.3 Defining risk appetite and tolerance
  7.4 Risk Domains
  7.5 Risk levels and treatment
  7.6 Risk categories
8
  8.1 vision
  8.2 system
  8.3 Links to other strategies
  8.4 Types, sources and levels of assurance map
  8.5 values
  8.6 Tools
  8.7 Directory
  8.8 Mapping
Education and Training
Process for Dissemination and Implementation
Process for Monitoring Effective Implementation
References and Related Documents

Appendices
1 Establishing Effective Risk Management
2 Corporate Risk Register Template
3 Risk Grading Matrix
4 BHH Consequence Table
5 Risk Register Flow
6 BAF Template
7 CCG Board Framework (BAF) Maintenance and Review Process
8 Principles and Application
9 Sources of (examples)
10 Using Sources in Practice
11 Mapping
12 Training Needs Analysis
13 Action Plan to Support Year 1 Target
14 Equality Impact Assessment

Brent, Harrow and Hillingdon Clinical Commissioning Groups Risk and Statement

Brent, Harrow and Hillingdon Clinical Commissioning Groups (CCGs) is the Outer North West London collaboration of 3 CCGs (referenced as BHH Federation).

The CCGs recognise that the commissioning of healthcare and the activities associated with the treatment and care of patients, employment of staff, maintenance of premises and managing finances by their nature incur risks.

The CCGs are committed to having a risk management culture that underpins and supports their business. The CCGs intend to demonstrate an on-going commitment to improving the management of risk throughout the three organisations. Where this is done well, the Governing Body and management are not surprised by risks that could, and should, have been foreseen.

Considered risk taking is encouraged, together with innovation within authorised limits. The priority is to reduce those risks that impact on safety, and our financial, operational and reputational risks to agreed levels of risk exposure.

Board and Risk Management are not just the responsibility of one person, one team, or directorate or the Governing Body; it is the responsibility of all working for the CCGs.

The CCGs are committed to implementing the principles of governance, defined as the system by which the organisation is directed and controlled to achieve its objectives and meet the necessary standards of accountability, probity and openness. The principles of governance must be supported by an effective risk management system and the need to strike a balance between ensuring prudent controls are in place and allowing innovation to transform and improve local services.

By 2019 Brent, Harrow and Hillingdon CCGs will be seen as an example of excellence in relation to the management of risk and assurance in commissioning, with other NHS organisations looking to our systems of internal control and methodology as examples of best practice.

Tom Challenor, Audit Committee Chair, March 2016
Rob Larkman, Accountable Officer, March

1 Introduction and Purpose

1.1 Introduction

The Risk Management and Strategy outlines the Brent, Harrow & Hillingdon CCGs' approach to risk management and the organisations' vision in relation to assurance systems. It aims to support the work of the constituent Clinical Commissioning Groups (CCGs) by sharing knowledge, experience and risk across the CCGs.

The Brent, Harrow & Hillingdon Clinical Commissioning Groups have a responsibility to ensure that they are effectively governed in accordance with best practice across corporate, clinical and financial governance. Every activity that the CCGs undertake or commission others to undertake on their behalf brings with it some element of risk that has the potential to threaten or prevent the organisation achieving its objectives.

Risk management aims to draw attention to actual or potential problems and to encourage the appropriate response to them; risks should be managed by the people who have the greatest ability to control them. For operational risks, this will be at CCGs management level and they will maintain a risk register to record these risks. However, for major strategic risks that affect all the CCGs it is more effective to manage them collaboratively.

Achievement of objectives is subject to uncertainty, which gives rise to threats and opportunities. Uncertainty of outcome is how risk is defined. Risk management includes identifying and assessing risks, and responding to them. This strategy for managing risk, approved by the Governing Bodies, identifies accountability arrangements and the resources available, and provides guidance on what may be regarded as acceptable risk within the organisation.

Successful risk management involves:
- Identifying and assessing risks
- Taking action to anticipate or manage them
- Monitoring them and reviewing progress in order to establish whether further action is necessary or not
- Ensuring effective contingency plans are in place

The aim of this strategy is to set out the CCGs' vision for managing risk. Through the management of risk, it seeks to minimise, though not necessarily eliminate, threats, and maximise opportunities.

The strategy applies to all, contractors and other third parties working in all areas of the organisations. Risk Management is the responsibility of all staff, and managers at all levels are expected to take an active lead to ensure that risk management is a fundamental part of their operational area.

The organisations encourage an open culture that requires all employees, contractors and third parties to operate within the systems and structures outlined in this strategy.

1.2 Purpose

This strategy describes a consistent and integrated approach to the management of all risks across the CCGs.

The organisations are committed to having a risk management culture that underpins and supports the business of the CCGs. It intends to demonstrate an on-going commitment to improving the management of risk throughout the organisations. Where this is done well, this ensures the safety of our patients, visitors, and staff, and that as an organisation the Governing Bodies and management are not surprised by risks that could, and should, have been foreseen.

Strategic and business risks are not necessarily to be avoided, but, where relevant, can be embraced and explored in order to grow business and services, and take opportunities in relation to the risk.

Considered risk taking is encouraged, together with innovation within authorised and defined limits. The priority is to reduce those risks that impact on safety, and reduce our financial, operational and reputational risks through awareness, competence and management (see Appendix 1 for further detail).

The establishment of effective risk management systems, including a Risk Review Group, is recognised as being fundamental in ensuring good governance. Its aim is to continually improve the quality of commissioning health services through the identification, prevention, control and containment of risks of all kinds. To do this, a systematic and consistent approach to risk management across the range of the CCGs' commissioning activities is preferable.

2. Scope

This strategy is intended to provide an overarching framework for the management of risk within the CCGs and relates to all areas of activity.

The strategy applies to all parts of the organisation and includes all staff, either permanent or temporary, those working within or for the organisation under a contract for services, and persons engaged in business on behalf of the organisation.

3. Developing the Risk Management Framework

Key targets:
- Year, March 2019: Evolve; Bi Annual Triangulation Reporting (Risk, Performance, Quality)
- Year 2, 31 March 2018: Refine and Improve System
- Year 1, 31 March 2017: Implement & Embed Dynamic risk management processes

A detailed action plan to support the development of the risk management framework in Year 1 (31 March 2017) can be found at Appendix 13.

4. Definitions

Information used to ascertain whether controls are in place.

At Risk: Possibility of exposure to the hazard and therefore the chance of injury, ill health, harm, damage, loss or service disruption. It may include substances, equipment, a work practice or proposed business plan.

Board Framework: A high level management assessment process and record of the strategic risks relating to the delivery of the key objectives and the governance process to prevent these risks occurring.

Consequence: The impact or outcome component of a risk, on a scale of 1 -> 5

Controls: The available systems and processes which help minimise the risk.

Hazard: Anything/Situations with the potential to cause harm, damage or loss

In health Associates: Provide strategic advice and support for health and social care organisations so that they can work with patients, service users, carers and citizens as true partners for change.

Likelihood: The probability of a risk occurring or recurring, on a scale of 1 -> 5

Mature Risk Appetite: A high degree of confidence in setting high levels of risk appetite because controls, forward scanning and responsiveness systems are robust, usually within an established organisation.

Proactive Risks: Risks that are identified before they cause an event or that are being looked for during the audit process.

Reactive Risks: Risks that are identified following an event, such as an incident, complaint or audit.

Residual Risk Rating: The remaining risk that exists following implementation of the proposed measures or controls to reduce the risk.

Risk: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.

Risk Appetite: The amount and type of risk that an organisation is willing to pursue or retain.

Risk Assessors: Competent persons who possess the knowledge, skills and experience to undertake a risk assessment.

Risk Assessment: A process by which information is collected about an event, process, organisation or service area, in order to identify existing risks/hazards, the consequence and the likelihood of harm and what control measures are in place, or are required to be put in place.

Risk Champion: The person responsible for monitoring and coordinating the process for the management of risk registers in their service

Risk Register: A record of risks faced by an organisation, the controls in place, additional controls that are required and responsibility for control activities.

Risk Score: Each risk is scored, using a 5 x 5 matrix (consequence x likelihood), which determines whether the risk is ranked as green, yellow, amber or red.

Risk Tolerance: The organisation's or stakeholder's readiness to bear the risk after treatment in order to achieve its objectives. Tolerance relates to specific or individual risk, rather than the more general approach represented by risk appetite.

Risk Owner: The person with the responsibility of ensuring that actions to control the risk are implemented.

5. Duties and Responsibilities

Individual Responsibilities

Risk Management is the responsibility of all staff. Ultimately all who work at the BHH Federation and its CCGs have a responsibility for the commissioning of high quality, safe care, although this may manifest itself in the day to day work of members of staff in many different ways. The following sections define the organisational expectations of particular roles or groups.

Accountable Officer

The Accountable Officer is responsible for ensuring that the CCGs can discharge their legal duty for all aspects of risk. The Accountable Officer has overall responsibility for maintaining a sound system of internal control, as described in the Annual Governance Statement.
Operationally, the Accountable Officer has delegated responsibility for implementation of risk management as outlined below.

Chief Operating Officers

Chief Operating Officers are accountable for ensuring that appropriate and effective risk management processes are in place within the CCGs, and that all staff are aware of the risks within their work environment, together with their personal responsibilities. They must ensure that risks are identified, assessed, and acted upon. They must ensure that risks are, where appropriate, captured on Corporate and Team & Directorate Risk Registers, ensuring that risks are reviewed by an appropriate management group at least bimonthly as part of performance monitoring, to consider and plan actions being taken. They must ensure appropriate escalation of risks from work streams within the defined tolerances.

Chief Operating Officers have further responsibility for ensuring compliance with standards and the overall risk management system as outlined in this strategy and related documentation.

The Chief Operating Officers are responsible for ensuring staff receive the relevant elements of risk management training and that non-attendance is followed up.

Executive Directors

Executive Directors have responsibility for the management of strategic and operational risks within individual portfolios. These responsibilities include the maintenance of a risk register and the promotion of risk management training to staff within their areas of responsibility. Executive Directors have responsibility for monitoring their own systems to ensure they are robust for accountability, critical challenge, and oversight of risk.

Chief Finance Officer

The Director of Finance has responsibility for financial governance and associated financial risk.

Director of Quality & Safety

The Director of Quality and Safety has responsibility for patient safety and patient experience, and quality. These responsibilities also include the executive lead for the overall performance of corporate governance functions, including monitoring the system of internal control; including the system and supporting processes for risk registers and maintenance of the Board Framework.

Governing Body Clinical Leader(s)

The Governing Body Clinical Leader(s) have a duty to assure themselves that the organisation has properly identified the clinical risks it faces, challenge and highlight areas of risk as well as ensure that it has robust and clinically sound processes and controls in place to mitigate those risks and the impact they have on the organisation and its stakeholders.
The Clinical Leader(s) are responsible for:
- Contributing from a clinical perspective in the identification of risks, including patient care, to the achievement of its strategic objectives as recorded on the BAF
- Monitoring the BAF at each governing body meeting and seeking robust clinical assurances from the CCG committees and lead Directors;
- Ensuring that there is a structure in place for the effective management of clinical risk throughout the CCG

Governing Body Lay Member

The Governing Body Lay Member has a duty to assure itself that the organisation has properly identified the risks it faces, and that it has processes and controls in place to mitigate those risks and the impact they have on the organisation and its stakeholders.

The Governing Body is responsible for:
- Identifying risks to the achievement of its strategic objectives as recorded on the BAF

- Monitoring the BAF at each governing body meeting and to seek assurances from the CCG committees and lead Directors;
- Ensuring that there is a structure in place for the effective management of risk throughout the CCG; and
- Approving and reviewing strategies for risk management on an annual basis

Head of Governance

The Head of Governance is accountable to the Director of Quality & Safety for the overall performance of corporate governance functions, including monitoring the system of internal control; including the system and supporting processes for assurance, risk registers and maintenance of the Board Framework, supported by the Risk and Information Governance Manager.

Senior Managers

Senior managers take the lead on risk management and set the example through visible leadership of staff. They do this by:
- Taking personal responsibility for managing risk
- Sending a message to staff that they can be confident that escalated risks will be acted upon
- Ensuring risks are updated regularly and acted upon
- Discussing risks on a regular basis with staff and up the line to help improve knowledge about the risks faced; increasing the visibility of risk management and moving towards an action focussed approach
- Communicating downwards what the top risks are, and doing so in plain English
- Linking risk to discussions on Finance, and stopping or slowing down non-priority areas or projects to reduce risk as well as stay within budget, demonstrating a real appetite for setting priorities
- Ensuring staff are suitably trained in risk management
- Monitoring mitigating actions and ensuring risk and action owners are clear about their roles and what they need to achieve
- Ensuring that people are not blamed for identifying and escalating risks, and fostering a culture which encourages them to take responsibility in helping to manage them
- Ensuring that risk management is included in appraisals and development plans where appropriate
- Identify risks to the safety, effectiveness and quality of services, finance, delivery of objectives and reputation, in commissioned services and the CCG
- Identify risk owners with the seniority to influence and be accountable should the risk materialise
- Assess the rating of individual risks, looking at the likelihood that they will happen, and the consequence if they do

- Identify the actions needed to reduce the risk and assign action owners
- Is there an opportunity to benefit from the risk or the work done to militate against the risk materialising?
- Record risks on a risk register and check frequently on action progress, especially for high severity risks
- Implement a process to escalate the most severe risks, and use it

All Staff

All staff are encouraged to use risk management processes as a mechanism to highlight areas they believe need to be improved. Where staff feel that raising issues may compromise them or may not be effective, they should be made aware of, and encouraged to follow, the BHH Whistleblowing Policy.

5.2 Committee Duties and Responsibilities

Governing Bodies

The Governing Bodies are accountable for risk and are responsible for ensuring that CCGs have effective systems for identifying and managing all risks whether operational, financial or organisational. The risk management structure helps to deliver the responsibility for implementing risk management systems throughout the BHH CCGs.

The responsibility for monitoring the management of risk across the organisations has been delegated by the Governing Bodies to the following interrelating committees:
- Audit Committee
- Quality Improvement Productivity and Prevention (QIPP) & Finance Committees
- Quality Safety & Clinical Risk (QSCR) Committee/Integrated Governance
- Remuneration Committee

The CCGs Management Executives, in their role as the executive decision making committee, maintain oversight of operational risk (Corporate Risk Register).

Specific responsibilities for the management of risk and assurance on its effectiveness are delegated as follows:

Audit Committee

The Audit Committee is responsible for providing assurance to the CCG Governing Bodies on the process for the CCGs' system of internal control by means of independent and objective review of corporate governance and risk management arrangements, including compliance with laws, guidance, and regulations governing the NHS. In addition, it has the following responsibilities relating to risk:
- To maintain an oversight of the CCGs' general risk management structures, processes and responsibilities, including the production and issue of any risk and control related disclosure statements.
- To review the CCGs' Corporate Risk Registers at least twice annually or as the Governing Body determines.

- To monitor and review the CCG Board Frameworks, and ensure their presentation to the Governing Body four times per year.
- To assess the overall effectiveness of risk management and the system of internal control.
- To challenge on the effectiveness of controls, or approach to specific risks

QIPP & Finance CCG Committees

The QIPP & Finance Committee is responsible for providing information and making recommendations to the Governing Body on financial and performance issues, and for providing assurance that these are being managed safely. The committee will consider any relevant risks within the Board Framework and CCG risk register as they relate to the remit of the Committee, as part of the reporting requirements, and will report any areas of significant concern to the Audit Committee or the Governing Body as appropriate.

Quality Safety & Clinical Risk/Integrated Governance CCG Committees

The Quality Safety & Clinical Risk/Integrated Governance Committee is responsible for providing the CCG Governing Body with assurance on all aspects of quality of clinical care; governance systems including risks for clinical, corporate, workforce, information and research & development issues; and regulatory standards of quality and safety. The committee will consider any relevant risks within the Board Framework and Corporate Risk Register as they relate to the remit of the Committee, as part of the reporting requirements, and will report any areas of significant concern to the Audit Committee or the Governing Body as appropriate.

CCGs Management Executives

The CCGs Management Executives are responsible for the operational management and monitoring of risk, through the Corporate Risk Register and Board Framework, and for agreeing resourced treatment plans and ensuring their delivery.

Work Stream Risk Management Arrangements

Work Streams will put the necessary arrangements in place within their areas for proper governance, safety, quality and risk management.

The work stream forums have the responsibility, through the senior management team, for the risks to the services they commission and for the putting in place of appropriate arrangements for the identification and management of risks. The work streams will develop, populate and review their risks, drawing on risk processes within the services, to ensure that Team/Directorate Risk Registers are kept up to date through regular review. In doing this, due account will be taken of the CCGs' strategic and corporate objectives, particularly in terms of meeting regulatory standards and guidance, national performance standards and targets and relevant legislation, and of the issues and risks relevant to specific areas within the particular work stream and its services.

Work Streams and teams will be responsible for managing risks that fall within the defined tolerances, and escalating those risks above set tolerances for information, or further action.

Risk Review Group

The Risk Review Group has overall responsibility for reviewing the CCGs' progress in directing and promulgating a consistent and proactive approach to risk management and assurance across the organisation. The Group will ensure that the necessary processes are in place to achieve the embedding of risk management across the CCGs by:
- Monitoring the implementation of the CCGs' Risk Management & Strategy
- Act as the CCGs' co-ordinating body on all risk-related policies and procedures
- Assist the CCGs' Governing Body in defining acceptable risk tolerance within the CCGs
- Ensure that adequate organisational systems are in place for implementing, monitoring and reviewing assurances on controls
- Make recommendations to the Audit Committee on priority risk areas and appropriate actions where required
- Review all Directorate Risk Registers annually and report to the Audit Committee
- Monitor and review the CCGs' assurance framework and monitor the assurances detailed within the BAF for each CCG
- Receive information on incidents and their analysis on a CCG wide basis and assess trends and developments and make recommendations on appropriate improvements
- Review the Risk Management and Strategy on an annual basis
- Ensure that all requirements are met for the Accounting Officer to sign the Annual Governance Statement

The Group will meet bi-annually as a formal sub group of the Audit Committee and will report annually.

6. Risk Management Process

The CCGs' risk management process ensures that risks are identified, assessed, controlled, and when necessary, escalated.

These main stages are carried out through:
- Clarifying objectives
- Identifying risks to the objectives
- Defining and recording risks
- Completion of the risk register and identifying actions
- Escalation of risks

6.1 Governance structures to support risk management

There are different operational levels of risk governance in the CCGs:
- Governing Bodies

- Management Executive
- Quality Safety & Clinical Risk/Integrated Governance
- Audit Committee
- Work stream Forums

Risk Management by the Governing Bodies is underpinned by a number of interlocking systems of control. The Governing Body reviews risk principally through the following three related mechanisms:
a) Board Framework
b) Corporate Risk Register (informed by Team, Work Stream & Directorate risks)
c) Audit Committee
d) Annual Governance Statement

The Board Framework (BAF) sets out the strategic objectives, identifies risks in relation to each strategic objective along with the controls in place and assurances available on their operation. The BAF can be used to drive the Governing Body agendas.

The CCGs' Corporate Risk Register is the corporate high level operational risk register used as a tool for managing risks and monitoring actions and plans against them. Used correctly, it demonstrates that an effective risk management approach is in operation within the organisation.

The Audit Committee and other Governing Body subcommittees exist to provide assurance of the robustness of risk processes and to support the Governing Bodies.

The Annual Governance Statement is signed by the Accountable Officer and sets out the organisational approach to internal control. This is produced at the year end (following regular reviews of the internal control environment during the year) and scrutinised as part of the Annual Accounts. This process is undertaken by the Audit Committee and brought to the Governing Bodies with the Annual Report and Accounts.

Each Work stream, Team and Directorate will, as best practice directs, have a forum where risk is discussed, including the risk register, actions, and any required escalation.

To facilitate dynamic risk management, consideration will be given to implementing an electronic risk management system to enable a greater degree of version control and ease of risk and assurance reporting.

6.2 Horizon Scanning

Horizon scanning is about identifying, evaluating and managing changes in the risk environment, preferably before they manifest as a risk or become a threat to the business. Additionally, horizon scanning can identify positive areas for the CCGs to develop their business and services, taking opportunities where these arise. The CCGs will work collaboratively with partner organisations and statutory bodies to horizon scan and be attentive and responsive to change.

By implementing formal mechanisms to horizon scan, the CCGs will be better able to respond to changes or emerging issues in a planned, structured, coordinated way. Issues identified through horizon scanning should link into and inform the business planning process. As an approach it should consider on-going risks to commissioned services.

The outputs from horizon scanning should be reviewed and used in the development of the CCGs' strategic priorities, policy objectives and development. The scope of horizon scanning covers, but is not limited to:
- Legislation
- Government white papers
- Government consultations
- Socio-economic trends
- Trends in public attitude towards health
- International developments
- Department of Health publications
- Local demographics
- Public health
- Involving stakeholders including Health & Wellbeing Board
- Regulatory information and intelligence

All staff have the responsibility to bring to the attention of their managers potential issues identified in their areas which may impact on the CCG delivering on its objectives. Governing Bodies have the responsibility to horizon scan and formally communicate matters in the appropriate forum relating to their areas of accountability.

6.3 Process for managing risk

The following sections will lead you through the process of identifying and successfully managing risks.

Stage 1: Clarifying objectives

To understand whether something constitutes a risk it must first be understood what the objectives/outcomes are that you want to achieve.

Strategic or Corporate Objectives

Identify and clarify which CCG strategic or corporate objective is relevant to the Work Stream or Team. Look at the CCG Business Plan and the latest local business plan. If this step is missed or omitted then the risk register will be neither relevant nor effective.

Local Objectives

As well as the above, think what the local team or area objectives are. By identifying the objectives it can be identified whether there is a risk to manage.

Stage 2: Identifying risks to objectives

Once the objectives have been identified then risks can start to be identified. Consider the following questions:
- Do you know what all of the risks to the delivery of your objectives or work are, especially those that impact on delivering high quality, safe services?
- What could happen, and what could go wrong?
- How and why could this happen?
- What is depended on for continued success?

18 Is there anyone else who might provide a different perspective on your risks? Is it an operational risk or a risk to a strategic objective? Best practice directs that a workgroup made up of knowledgeable staff, that are able to assist with the identification of risk for that area of work. Guidance on how to do this is available in The Orange Book (Management of Risk Principles and Concepts), HM Treasury (2004) Stage 3: Defining and recording risks Once the risk has been identified then: Describe it so that others understand what the risk is. Think about the cause, effect and impact Assign an owner to the risk List the key controls (actions) being taken to reduce the likelihood of the risk happening, or reduce the impact If it is a severe risk (red or orange) then consider what the contingency action plan is, i.e. what will you do should the risk happen (see escalation) Rate the likelihood of the risk materialising Rate the consequence of the risk happening All of these things should be recorded on a risk register following risk assessment. The following sections describe in detail how to complete the Corporate Risk Register found at Appendix 2. Detailed descriptions follow at Stage 4. Stage 4: Completing a Risk Register Traditionally completing a risk register can be daunting but the aim is to have a simplified process to allow the monitoring of actions and aid decision making, electronically. Headings in the register that need to be completed are: Risk Identification (ID) and Date Added is the unique identifier to distinguish the risk from the other risks in your register. The ID will not change throughout the life of the risk and the date added will give additional information in terms of review and audit. Risk Description this section, as the name suggests allows the risk to be described. It is important that risks are clearly articulated. If not, then it is difficult to put effective 17

controls, or actions, in place to reduce the risk materialising and contingency plans. Using the following subheadings will help to clearly describe risks:

- CAUSE e.g.: Failure of providers to meet the quality aspects of contract
- EFFECT e.g.: Poor patient experience and standards of care
- IMPACT e.g.: Potential loss of reputation and deemed by NHSE to be a failing CCG leading to the likelihood of special measures

[Diagram: Cause, Impact, Effect]

Getting this right is important as the controls relate directly to the description of the risk.

Potential Sources of how or where the risk was identified. This could include:

- Business planning
- Clinical audit
- Complaints/PALS
- External Audit
- External Review
- Incident
- Internal Audit
- Legislation
- Litigation
- Regulatory standard
- Risk Assessment

- Risk register (existing)

Risk Owner - the individual who is accountable and has overall responsibility for a risk; it may or may not be the same person as the Action Owner. High severity corporate risks, for example, will be owned by one Executive Director, but there may be many Action Owners. The Risk Owner must know, or be informed, that they are the owner, and accept this responsibility.

Controls - the measures put in place as preventative measures to lessen or reduce the likelihood or consequence of the risk happening and the severity if it does. You must ensure that each control (or action where a gap in control has been identified) has an Owner and target completion date. These must describe the practical steps that need to be taken to manage and control the risk. Without this stage, risk management is no more than a paper based or bureaucratic process.

Not all risks can be dealt with in the same way. The 5 T's provide an easy list of options available to anyone considering how to manage risk:

- Tolerate - the likelihood and consequence of a particular risk happening is accepted
- Treat - work is carried out to reduce the likelihood or consequence of the risk (this is the most common action)
- Transfer - shifting the responsibility or burden for loss to another party, e.g. the risk is insured against or subcontracted to another party
- Terminate - an informed decision not to become involved in a risk situation, e.g. terminate the activity
- Take the opportunity - actively taking advantage, regarding the uncertainty as an opportunity to benefit

In most cases the chosen option will be to treat the risk. When considering the action to take remember to consider the cost associated with managing the risk, as this may have a bearing on the decision. The key questions in this instance are:

- Action taken to manage risk may have an associated cost. Make sure the cost is proportionate to the risk it is controlling.
- When agreeing responses or actions to control risk, remember to consider whether the actions themselves introduce new risks or affect other people in ways which they need to be informed about.

Contingency Plans - if a risk has already occurred and cannot be prevented or if a risk is rated red or orange (extreme or high) then contingency plans should be in place should the risk materialise. Contingency plans should be recorded underneath the key

controls on the register. Good risk management is about being risk aware and able to handle the risk, not risk averse.

Proximity - this indicates when the risk is likely to materialise or anticipated timescale. There are three categories:

- Within three months
- Between three and twelve months
- Twelve months or longer

Considering the proximity, or how soon a risk may occur, can help to compare risks for decision making.

Gaps in Control - Additional measures that could be put into place to lessen or reduce the likelihood or consequence of the risk materialising and the severity if it does.

Sources - It is important to measure whether the actions that have been put in place are succeeding in reducing risks as planned. This section lists what is in place to allow the CCGs to monitor effectiveness of controls.

Gaps in Assurance - If there are additional measures that could be put in place to improve the effectiveness of controls.

Action and Contingency Planning - if a risk has already occurred and cannot be prevented or if a risk is rated red or orange (extreme or high) then contingency plans should be in place should the risk materialise. Contingency plans should be recorded underneath the key controls on the register. Good risk management is about being risk aware and able to handle the risk, not risk averse. This section should also include the Action Owner and Implementation Date.

Inherent, Current and Target Risk Rating - these columns are mirror images of each other. Each time the register is reviewed or updated the risk register should move the current rating into the previous column and recalculate the current rating. This is so the history and progress of a risk can be reviewed. The CCG guidance on the matrix and advice on scoring is contained in Appendix 3 Risk Grading Matrix and Appendix 4 Consequence Table.
[Risk grading matrix: Likelihood (Rare, Unlikely, Possible, Likely, Almost certain) against Consequence (Catastrophic, Major, Moderate, Minor, Negligible)]

Trend - shows the movement compared to the previous review: rising, stable, or reducing, and will be represented by an appropriate arrow.

Risk Target - the amount of risk that is accepted or tolerated, or the level that has been decided to manage a risk down to. When deciding the risk target, consider the following:

- What risk rating should an individual risk be managed down to in an ideal world?
- What level can the risk actually and practicably be managed down to? Remember that costs can be attached with managing a risk downwards as this may ultimately affect what level the risk target is set at.
- Given that there may be limited resources to use to counter this risk, what level of risk is acceptable and affordable?
- What are the defined tolerance and escalation thresholds for the level of risk? (see the Risk Management Handbook for detailed guidance)

Having considered the above, assign the risk target a colour that best represents what it is possible and practical to manage it down to using the existing risk matrix. If the risk target is:

- RED - represents a very high threat of risk, i.e. willing to tolerate the threat of a risk rated with either a very high likelihood or consequence (or both). Needs immediate action to mitigate
- AMBER - represents a reasonably high tolerance to the threat occurring i.e. more open to the threat occurring, often if there are operational or resourcing constraints.
- YELLOW - prepared to tolerate and accept a little more threat but are prepared to be more scared as more risk is accepted, but still cautious.
- GREEN - averse to the risk as if the risk materialises this cannot be tolerated

The term risk appetite or risk appetite target may also be used. When the risk has been managed to the target level then this may indicate the risk has been managed down to a level defined within the CCGs' risk appetite definitions.

Review Date - should be used to indicate when this risk was reviewed, i.e. the date of the latest information including rating and key controls.

Committees/Working Groups - best practice directs that this should indicate the forum for the review cycle pertinent to the risk.
Stage 5: Escalation and De-escalation of Risks

The consequences of some risks, or the action needed to mitigate them, can be such that it is necessary to escalate the risk to a higher management level, for example from a Directorate (work stream) risk register to a Corporate register, or from the Team risk register to the Directorate Risk Register. It should be reviewed by the assigned committee (see Section 5.4 for further guidance).

6.4 Reporting structure and sources of risk

Risks will be escalated or de-escalated within the defined tolerances and authority to act for each level. Further guidance is contained in The Orange Book (Management of Risk Principles and Concepts), HM Treasury (2004).

The risk owner should discuss and seek approval from their manager who in turn should consult the risk register owner before risk escalation to the next level. A risk will then be reviewed and either accepted at the next level and agreed at the relevant risk forum, or rejected and returned to the management team to review and rescore, or for further action.

Where risks are escalated to the next management level, they will be reassessed against the objectives at that level, i.e. a risk rated 25 (red or extreme) at Directorate/Team level will be re-evaluated and may not be rated at 25 at the Corporate Risk Register level.

Once a risk or an escalated risk has reached the accepted target for the risk, following mitigating actions or a change in the nature of the risk, it will normally be de-escalated. Where a risk is de-escalated this must be communicated to the management level below, and the risk monitored at the appropriate management level and risk forum. It is important that risks are reviewed regularly to ensure appropriate action, including closing risks or action plans where necessary.

Risk registers at Directorate/Team level will also be reviewed to ensure that any common risks across areas are identified and aggregated to ensure that the full risk profile of the CCG is available. This will aid in identifying lower risk issues which may be common across many areas. Registers will also be reviewed to identify high impact but low frequency risks which may pose a threat. These will be included in the CCG Risk Register reports for review.

Any Directorate/Team risks 8-12 will be monitored at the monthly performance meeting. Any risk(s) that the Directorate/Team consider cannot be managed at that level, or has the potential to affect the CCG as a whole, should be escalated as soon as possible to the SMT for consideration and addition onto the Corporate Risk Register.
Any identifiable trends arising from the Directorate/Team risk registers (including lower scoring risks) may be aggregated and escalated to the Corporate Risk Register by the Senior Management Team.

Corporate Risk Register - Any risk scoring will be considered an extreme risk and will be escalated and submitted to SMT for consideration, moderation and authorisation. If the SMT is assured that the residual risk cannot be reduced they will then have the responsibility of authorising further action to reduce the risk or agreeing acceptance onto the Corporate Risk Register of the risk on behalf of the Governing Bodies.

To ensure this occurs, it is essential that there is a robust process for populating the register with identified risks in all Teams and a process for monitoring the progress and treatments of those risks. Teams must have in place mechanisms to keep local staff & managers informed of the risks in their areas and this will usually be through their team briefings, , meetings.

The table below summarises actions to be taken at each stage.

Risk Score 1-3 (Low)
- Action / Approval: Risk can be managed at local level. All managers have the authority to directly manage the risks and accept them. Enter onto local risk register
- Determined by local risk management arrangements/internal assurance (usually reviewed at least annually)

Risk Score 4-6 (Moderate)
- Action / Approval: Risk can be managed at local level. All managers have the authority to directly manage the risks and accept them. Enter onto local risk register
- Determined by local risk management arrangements/internal assurance (usually reviewed at least annually)

Significant
- Action / Approval: Initial or residual risks rated 8-12 are risks which require further investigation. Risk reduction is required so far as reasonably practicable. Responsibility and authority for acceptance lies with the manager for risks within their area of responsibility. Risks held on Directorate Risk Register
- Risks are monitored monthly by SMT and monthly by the Directorate performance meeting until the risk is deemed acceptable or reduced onto local risk register. Clinical & Financial control risks scoring 8+ will be scrutinised at the Quality & Finance Committees respectively

Extreme
- Action / Approval: Risks rated are deemed to be extreme. Action is required immediately (or as soon as possible) to reduce or mitigate the risk.
- All risks 15+ will be entered onto the Corporate Risk Register and will be monitored and reviewed monthly by SMT until residual risks are less than 15 when the risk will then be removed onto the Directorate Risk Register responsible for the risk.

See Appendix 5 for Risk Register Flow Diagram

6.5 Risk Profile

A summary risk profile is a simple visual mechanism that can be used in reporting to increase the visibility of risks; it is a graphical representation of information normally found on an existing Risk Register. A risk profile shows all key risks as one picture, so that managers can gain an overall impression of the total exposure to risk.
The risk profile allows the risk tolerance at the level of reporting to be shown. If exposure to risk is above this, and therefore the tolerance set at that level, managers can see that they must take prompt action such as upward referral of relevant risks. Risk tolerances are defined by the Governing Body and CCG Management Executive and are available in the Risk Management Handbook.

[Figure: Example Risk Profile using Heat Map]

6.6 Project and Programme Risk

Project and programme risks are managed in the same way as other risks in the CCGs but there are slight differences in the approach. Risk registers or logs will still be maintained for risks to programmes or projects as part of project documentation. Project and programme opportunities and threats are generally identified:

- If a programme, through the escalation of risks from projects within the programme
- During project or programme start up
- By other projects or programmes with dependencies or interdependencies with this project or programme
- By operational areas affected by the project or programme

Although a project or programme should adhere to the CCGs' Risk Management & Assurance Strategy it should also have its own risk management guidelines, which should:

- Identify the owners of a programme and individual projects within the programme
- Identify any additional benefits of adopting risk management within this project or programme

- Identify the nature and level of risk acceptable within the programme and associated projects
- Clarify rules of escalation from projects to the programme and delegation from programme to projects. Or, for a project with no overarching programme, the escalation link from the project to the divisional or corporate level
- Identify mechanisms for monitoring the successful applications of this strategy within the programme and its projects
- Identify how inter-project dependencies will be monitored and managed
- Clarify relationships with associated strategies, policies, and guidelines.

Project and programme risk management must be designed to work across appropriate organisational boundaries in order to accommodate and engage stakeholders.

Costing of project and programme risks

In many of the risks identified at project and programme level it will be possible to work out the financial cost of the risk materialising. This should be recorded in the risk description column of the risk register as part of the impact description. The cost of mitigating the risk should also be recorded in the Controls and Actions/Contingency Plans columns, if this can be determined. Both these figures will be relevant to the calculation of risk targets. If, for example, a risk will have a big financial impact and it is likely to actually happen, how much are you prepared to spend to counter it?

6.7 Board Assurance Framework

Each CCG Governing Body has a Board Assurance Framework (BAF); the BAF is a requirement established by the Department of Health in Assurance: the Board Agenda in July. The BAF is a tool for the Governing Bodies to satisfy themselves that risks are being managed and objectives are being achieved. The BAF template for CCGs is found at Appendix 6.
The BAF sets out:

- Strategic objectives
- Principal risks
- Mitigating controls
- Assurances on controls, including Governing Body Reports
- Gaps in control
- Gaps in assurance
- Action plans
- Lead Director
- Board Lead

Each CCG will establish a clear BAF so that it can confidently sign its Annual Governance Statement (Statement on Internal Control). The CCG BAF will reflect significant risks (15+) impacting on the CCG's Corporate Objectives. Significant risks (15+) are those that potentially threaten the achievement of the CCG's Corporate Objectives. This would include risks that could impact on the financial performance of the CCG as well as other high profile risks such as national performance indicators (KPIs) and risks arising from external reviews. The BAF Maintenance and Review Process is found at Appendix 7.

7. Risk Appetite and Tolerances

7.1 Risk Appetite

The UK Corporate Governance Code states that the board (governing body) is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. By articulating its appetite for risk taking the Governing Body makes clear that:

- Some element of risk taking is necessary to allow the CCG to seize important opportunities;
- Risk taking is more acceptable in some areas than in others;
- There is a point at which the management of a risk should be immediately escalated to the direct oversight of the senior management team.

A formal risk appetite statement sets a clear process for the management of risk and enhances the reporting of any instances where the appetite and specific risk thresholds are reached. The Governing Body will review its risk appetite on an annual basis or during times of increased uncertainty or adverse changes.

7.2 Risk Appetite Statement

The risk appetite statements agreed annually reflect the strategic objectives of the CCG and acknowledge a willingness and capacity to accept different levels of risk in each area of activity. The CCG Governing Bodies will periodically review their appetite for and attitude to risk, updating these where appropriate. This includes the setting of risk tolerances at the different levels of the organisation, thresholds for escalation and authority to act, and evaluating the organisational capacity to handle risk. The periodic review and arising actions will be informed by an assessment of risk maturity, which in turn enables the Governing Body to determine the organisational capacity to control risk.

7.3 Defining Risk Appetite and Tolerance

Risk Appetite - The amount and type of risk that an organisation is willing to pursue or retain.

Risk Tolerance - The organisation's or stakeholder's readiness to bear the risk after treatment in order to achieve its objectives.
Tolerance relates to specific or individual risk, rather than the more general approach represented by risk appetite.

7.4 Risk Domains

The CCGs' risk appetite is established according to the following domains:

- Clinical Quality
- Safety
- Partnership Working
- Finance
- Compliance with legislation
- Innovation and Productivity
- Reputation

The Governing Body will, using the Risk Domains above, score each domain against the 5 x 5 Risk Scoring Matrix (Appendix 3) which uses the multiple of Likelihood X Consequence. The Risk Appetite Matrix uses the following terms to describe five rising levels of tolerance to risks, depending on the score they receive of Low, Moderate, High or Significant. These could result in reputational damage, financial loss or exposure, major breakdown in services, information systems or integrity, significant incidents of regulatory or legislative compliance, or potential risk of injury to staff or service user.

Risk Appetite Matrix

Appetite / Tolerance levels: Minimal, Cautious, Open, Seek, Mature (Established organisation)

Appetite Descriptors:
- Minimal: Avoid risk whatever the cost or opportunity
- Cautious: As low as reasonably practical
- Open: Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and Value for Money)
- Seek: Eager to be innovative and to choose options offering potentially higher business rewards (despite greater inherent risk)
- Mature: Confident in setting high levels of risk appetite because controls, forward scanning and responsiveness systems are robust

Risk Tolerance (Score):
- SCORE RANGE: Net: <5 L x C
- SCORE RANGE: Net: 5-10 L x C
- SCORE RANGE: Net: L x C
- SCORE RANGE: Net: L x C

L = Likelihood, C = Consequence

Source: Good Governance Institute, adapted by Gilbert George

7.5 Risk Levels & Treatment

Once established, the risk appetite statement gives senior management clear guidance regarding the risk levels. Depending on the risk level, low to significant, the following Risk Treatments apply according to the Governing Body's expectation of how risk is managed and establishes a common acceptance of the importance of continuous management of risk.

Risk Level and Action and Timescales:

SIGNIFICANT
The Risk Owner must take appropriate actions within agreed timescales to mitigate the risk; control measures should be put into place which will have the effect of reducing the consequence of an event or the likelihood of it occurring. Significant resources may have to be allocated to reduce the risk and these risks must be:
- overseen by the Senior Management Team on a monthly basis;
- specifically brought to the notice of the Governing Body and responsible Committee on a bi-monthly basis.

HIGH
The Risk Owner must take appropriate actions within agreed timescales to mitigate the risk; control measures should be put into place which will have the effect of reducing some of the consequence of an event or the likelihood of it occurring. Some significant resources may have to be allocated to reduce the risk and these risks must be:
- overseen by the Senior Management Team on a monthly basis;
- specifically brought to the notice of the Governing Body and responsible Committee on a bi-monthly basis.

MODERATE
The Risk Owner should strive to reduce the risk rating by monitoring and adjusting existing controls; additional controls should be carefully measured and weighed against the consequence of an event. Moderate risks should be:
- reviewed by the Senior Management Team on a bi-monthly basis;
- scrutinised by the responsible Committee on a bi-monthly basis.

LOW
Acceptable risks require no further action or additional controls; risks at this level should be:
- monitored and reassessed by the responsible Committee on a bi-monthly basis.
7.6 Risk categories

Organisational risks

The CCG endeavours to establish a positive risk culture within the organisation, where unsafe practice (clinical, managerial, etc.) is not tolerated and where every member of staff feels committed and empowered to identify and correct/escalate system weaknesses.

The CCGs' appetite is to minimise the risk to the delivery of quality services within the CCGs' accountability and compliance frameworks whilst maximising our performance within value for money frameworks. A programme of risk assessments will be conducted throughout the CCG to support the generation of a positive risk culture.

Reputational risk

The Governing Body of Directors models risk sensitivity in relation to its own performance and recognises that the challenge is balancing its own internal actions with unfolding, often rapidly changing events in the external environment. The CCG endeavours to work collaboratively with partner organisations and statutory bodies to horizon scan and be attentive and responsive to change.

Opportunistic risks

The CCG wishes to maximise opportunities for developing and growing its business by encouraging entrepreneurial activity and by being creative and pro-active in seeking new business ventures, consistent with the strategic direction set out in the Integrated Business Plan, whilst respecting and abiding by its statutory obligations. Taking action based on the CCGs' stated risk appetite will mean balancing the financial budget and value for money in a wide range of risk areas to ensure safety and quality is maintained.

Risks to patient safety

The CCGs recognise that safety is at the centre of all good health care and that positive risk management, conducted in the spirit of collaboration with patients and carers, is essential to support recovery. In order to deliver safe, effective, high quality services, the CCG will encourage staff to work in collaborative partnership with each other and patients and carers to minimise risk to the greatest extent possible and promote patient well-being.
Information Governance Risks

The CCGs recognise that the aim of information risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise and manage the risks involved in all the CCGs' information activities. It requires ensuring a balance between the cost of managing and treating information risks vs. the anticipated benefits that will be derived from managing these risks. The CCGs' risk appetite will therefore be informed by the cost effectiveness and proportionality of technological and human risk mitigating actions applied within a potential benefits vs. risk context to itself and relevant stakeholders.

Risk assessments will be performed for all its information systems and critical information assets. Information Risk and or Privacy Impact assessments will occur at the following times:

- At least annually with critical assets 3 monthly.
- Annually to inform the review of information risk by the SIRO to the Chief Executive.
- At the inception of new systems, processes, applications, facilities, transition arrangements etc. that may impact the assurance of Information or Information Systems.
- Before enhancements, upgrades, and conversions associated with critical systems, processes or applications and transition arrangements are implemented.
- When CCG policy, regulation or legislation requires risk determination.

- When the CCGs' Corporate Management Team or any other appropriate bodies requires it.
- Annual flow mapping exercises to determine the information risks regarding its data flows in transit.

8. Assurance

Assurance is a term that is often used although not always fully defined. Within the NHS it has become an ever increasingly important concept. The introduction a decade ago of the requirement for the Accountable Officer, on behalf of the Governing Body, to write and publish a Statement on Internal Control, now known as an Annual Governance Statement, made sure public sector organisations were able to demonstrate that they are properly informed about the totality of their risks. Put simply they needed to have confidence in their governance framework.

The Department of Health was at the forefront of developments with assurance systems and published guidance on building an assurance framework and linkage of this with the Statement on Internal Control. The degree of change expected, including the expanded reliance on Internal Audit, has not however been reflected in practice. A review undertaken by the Audit Commission, the report of which, Taking it on Trust, was published in 2009, noted that, In the worst cases, the assurance process had become a paper chase rather than a critical examination of the effectiveness of the trust's internal controls and risk management arrangements. The NHS has, in many cases, been run on trust.

Over a number of years organisational failures, within both the public and private sector, have been attributed to poor governance or failings in risk management. The response to this has been heightened control in these areas via legislation and publications of governance codes. Yet the failures continue to happen and therefore concentration has shifted to assurance and how Governing Bodies know what is being undertaken in their name.
The aim of this strategy is to ensure that through the articulation of the assurance vision and explanation of the key aspects within the relevant system and processes there is a common understanding throughout the CCGs of what is meant by assurance and its importance in a well-functioning organisation. It defines roles and responsibilities and details the assurance processes.

8.1 Assurance vision

Our vision is to ensure an assurance system exists that adds value to the CCGs by eliminating duplication of effort and resources, reducing the burden of bureaucracy and providing a central point of expertise in relation to governance, risk management and assurance.

Assurance is underpinned by a number of elements: a robust governance framework with clearly defined and understood strategic objectives, a developed maturity in relation to risk management and effective internal controls. Assurance is about getting the right balance of strategy, risk and control. It is acknowledged that it is never possible to provide complete and absolute assurance and as such the concept of reasonable assurance is adopted.

8.2 The Assurance System

The assurance system will enable the Governing Body and senior management to review the corporate governance, risk management and internal control framework and address any weaknesses identified. To be able to do this it is important that the component assurances can be assessed in terms of value.

It is the policy of the CCGs to ensure that there is a robust methodology for enabling evidence based assurance to be provided to the Governing Body on the key risks and the key controls within the organisation as well as stakeholders as required and at the appropriate levels. The methodology is based on the principles of assurance in relation to risk management as defined by the HM Treasury Orange Book publication. These principles, which have been expanded to cover all areas of governance, and the method of application within the CCGs, can be found at Appendix 8.

The following diagram summarises a model of assurance within the NHS, considered applicable for BHH CCGs:

[Diagram: A model for structured assurance. Source: Health Care Standards Unit. Elements labelled Objectives, Risks and Controls, with the following statements:
- The Governing Body identifies the key purposes and achievements for the CCG
- The Governing Body identifies evidence to satisfy itself that it has met its assurance needs*
- The Governing Body identifies the risks which will prevent the objectives from being met, e.g. financial failure
- The Governing Body articulates its assurance needs to demonstrate controls are effective to minimise risk
* In-health Associates - working with patients, service users, carers and citizens]

Benefits of an Assurance System

An assurance system achieves a number of benefits:

- Provides confidence in the operational working of the CCGs
- Maximises the use of resources available in terms of audit planning, avoiding duplication of effort and educating members of staff across all disciplines
- Ensures assurances are appropriately gathered, reported and that the governance structure is working as intended
- Identifies any potential gaps in assurances relating to key risks and key controls, and that these are understood and accepted, addressed as necessary
- Supports the preparation of the Annual Governance Statement and regular governance reports

8.3 Links to other Strategies, Policies and Guidance

The Strategy links closely to Risk Management and Quality and Performance Systems in a three tiered approach:

[Diagram: three tiered approach, with tiers including Quality and Performance, and Risk]

8.4 Types, Sources and Levels of Assurance

There are three types of assurance that can be sought: verbal, written and empirical. All can be of use depending on the circumstances. Each will be valued differently depending on other factors. There are many sources of assurance, examples of which can be found in Appendix 9. Levels of assurance are noted below:

- Level 1 Operational (Management)
- Level 2 Oversight functions (Committees)
- Level 3 Independent (Audits/Reviews/Inspections)

Management has the primary responsibility for providing assurance on the adequacy of risk management and internal control, which is often subject to challenge from the oversight functions, for example Quality Safety & Clinical Risk Committees/Integrated Governance. It is however essential that there are robust frameworks in place to support the managerial assertions about the adequacy and effectiveness of internal control. Independent assurance is used to confirm management assertions and is often seen as of highest value. This is however dependent on many other factors as noted below. A worked example showing types, sources and levels of assurance in relation to the 18 week wait target can be found in Appendix

Values

Regardless of the type, source and level of assurance there are a number of issues that impact on its value, all of which need to be considered:

- Age - the time elapsed since assurance obtained
- Durability - whether it endures as a permanent assurance on an historical matter e.g. Auditors Report on Financial Statements, or loses relevance over passage of time e.g. clinical audit
- Relevance - the degree to which assurances aligns to specific area or objective over which it is required
- Reliability - trustworthiness of the source of assurance
- Independence - the degree of separation between the function over which assurance is sought and the provider of assurance

The value of assurances used for the Governing Body will be assessed by the Senior Management Team.
8.6 Tools

There are various assurance tools which feed into the overall system of assurance. Through the mapping of sources of assurance, issues can be identified relating to gaps in control or gaps in assurance, and duplication of effort. Where the need for additional control measures or assurances is recognised, these will be reported through an appropriate mechanism, e.g. addition to risk register, performance reporting, or the Board Assurance Framework.

[Figure: Example Tools. ASSURANCE TOOLS: External Reviews; Internal Reviews; Assurance Directory; Stakeholder Feedback; External Audit; Assurance Map; Regulation & Accreditation Systems; Clinical Audit; Internal Audit; Board Assurance Framework]

8.7 Assurance Directory

An Assurance Directory is a central register of assurances, detailing the types and value of assurance. This is maintained by the CCG Senior Managers. The information held within the Directory is used to create a map of assurances. An example template for an Assurance Directory is provided at Appendix.

Mapping

An Assurance Map is created in order to obtain clarification in relation to assurance currently provided. There is more than one purpose for such a map and this will depend on who wants the map and why. One map should not be everything to everyone and therefore a number of different maps at various levels can be produced. Maps can be used at different levels and for different reasons as determined by need. The starting point can also vary depending on purpose.
- Gain a clear and complete understanding of the services we deliver, the activities undertaken and the types of assurance obtained
- Identify any potential areas where assurance activities are not present or are insufficient (assurance gaps)
- Identify any areas where assurance is duplicated, repeated or excessive when compared with the activity being undertaken

Approaches to Mapping

Risk based
- Have you identified all the risks?
- Is it a risk that is managed through existing corporate processes?
- Be corrected through the rectification of existing control
- Monitoring focuses on assurance in place

Process based
- Identify key processes
  - Organisation wide and/or Departmental
  - Location, Regional or National

Gaps, including where assurance has been provided but is deemed to be insufficient, and duplications of assurance can be identified and addressed, thereby consolidating assurance and reducing the amount of irrelevant information provided.

Assurance maps are created and maintained by the CCG Senior Management Team. A template for recording Mapping is provided at Appendix 11. The following steps should provide systematic guidance for those undertaking assurance mapping.

[Figure: Mapping: The Key Steps. Focus & Scope; Strategy; Risk Approach; Source & Type; 1st, 2nd & 3rd Level of Effectiveness; Management Engagement; Communication; Template & Tools; Clarity in Terminology; Clear Accountabiliti; Analysis of Data; Management Information; Monitor & Maintain]

Internal Assurance Reviews

Internal assurance reviews may be undertaken in any area of the CCG and are one of the ways it assures itself that relevant standards, regulation and other requirements including best practice are being met. Whenever internal assurance reviews are undertaken, terms of reference are prepared and agreed by all parties. The Head of Governance provides support for such reviews.

Board Assurance Framework

The Board Assurance Framework, an NHS requirement, sets out the strategic objectives, identifies risks in relation to each strategic objective and the controls to mitigate these risks. The details of the assurances on the effectiveness of these controls are also included. As such, gaps in controls and assurances can be identified and acted upon. This forms an integral part of the risk management reporting system. In support of the Board Assurance Framework similar documents will be developed for use at directorate/team/work stream level.

Internal Audit

Internal Audit is an independent objective function which can help the CCGs accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control, and governance processes. The scope of reviews is agreed in advance with relevant directors, and the annual Internal Audit plan agreed by the Audit Committee. Contingency days may be built into the Internal Audit plan to allow for any issues identified where review or further assurance may be required.

Clinical Audit

Clinical audit is defined as a quality improvement process in our provider organisations that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change. Where indicated, changes are implemented at an individual, team, or service level and further monitoring is used to confirm improvement in healthcare delivery and improve the overall quality of services.
External Audit

External Audit is the organisation appointed to fulfil the statutory functions in relation to providing an opinion on the annual accounts of the CCGs. They are audit professionals who undertake their work in accordance with specific laws and accounting/auditing standards. They are completely separate and independent from the organisation.

Proactive Stakeholder Involvement

Valuable assurance is provided to all NHS organisations through feedback from stakeholders, including patients, visitors, our staff and partner organisations. Additionally, feedback processes provide additional sources of assurance, including:
- Surveys carried out with patients and staff
- Reactive risk processes, such as complaints, claims, inquests or incidents
- Contractual monitoring information received from provider organisations
- Intelligence provided by the Care Quality Commission as part of the providers' Quality & Risk Profile.

9. Education and Training

9.1 Knowledge of how to manage risk is essential to the successful embedding and maintenance of effective risk management. Training required to fulfil this strategy will be provided in accordance with the Risk Management Training Needs Analysis (Appendix 12). Management and monitoring of training will be in accordance with the BHH Federation's Training & Education Policies.

Specific training will be provided in respect of high level awareness of risk management for the CCGs' Governing Bodies. Risk Awareness Sessions are included as part of their Development Programmes.

Training will be available to all staff at differing levels on risk assessment, particularly the scoring or grading of risks, and how to use the risk register. The specific training required by staff group is outlined in Appendix 12 along with a description of how the training is managed.

9.2 There is no mandatory training associated with the assurance aspect of this strategy. Ad hoc training sessions based on an individual's training needs will be defined within their annual appraisal or job plan. For training in relation to assurance please refer to the CCGs' Intranet.

10. Process for Dissemination and Implementation

10.1 All staff and stakeholders have access to a copy of the Risk Management & Assurance Strategy and all other policies through the publication on intranet and the staff handbook.

The implementation of this strategy will be achieved through clear leadership, effective delivery and defined roles and responsibilities. Roles and responsibilities in relation to assurance within the CCG can be found in Section 4. This document applies to all areas of activity within the CCGs.
All employees of the CCG, including individuals employed by a third party, by external contractors, as voluntary workers, as students, as locums or as agency staff are required to comply with any requirements in relation to assurance noted within this Strategy.

The values and expected behaviours of the CCG as defined by the CCG Governing Body are communicated across the organisation and reflect the culture based on learning and continuous improvement that is essential for strong assurance systems to develop.

The Head of Governance acts as a champion for this area, providing support across the CCGs.

All members of the CCG Governing Body will be involved in the evaluation of risk management and assurance, except where delegated to specialist committees.

There will be a standard approach to audits, inspections and assessments as outlined in the CCGs Policy on Procedural Documents.

11 Process for Monitoring of compliance and effectiveness

11.1 This policy will be reviewed bi-annually to ensure that it remains in line with current employment law and NHS guidance.

12 References and Related Documents

Related Documents
- BHH Whistleblowing Policy
- BHH Policy on Procedural Documents
- BHH Policy Being Open
- BHH Policy on Claims
- BHH Complaints Policy
- BHH Health and Safety Policy
- BHH Incident Reporting and Investigation Policy
- BHH Mandatory Training Policy
- BHH Information Governance Policies and Procedures
- BHH Business Continuity Policy and Plan

References
- NHS England CCG Assurance Framework 2015/16
- Home Office Risk Management Policy and Guidance, Home Office (2011)
- A Risk Matrix for Risk Managers, National Patient Safety Agency (2008)
- NHS Audit Committee Handbook, Department of Health (2011)
- Building the Assurance Framework: A Practical Guide for NHS Boards, Department of Health (2003)
- Governance in the NHS: Statement in Internal Control for 2001 / 2002 and beyond, HM Treasury (2002)
- Compliance Framework, Monitor (latest version 2012)
- Code of Governance for NHS Foundation Trusts, Monitor (latest version 2010)
- The Healthy NHS Board: Principles for Good Governance, 2010
- UK Corporate Governance Code, Financial Reporting Council (2010)
- Taking it on Trust: A Review of How Boards of NHS Trusts and Foundation Trusts Get Their Assurance, Audit Commission (2009)
- The Orange Book (Management of Risk Principles and Concepts), HM Treasury (2004)
- Risk Management Assessment Framework, HM Treasury (2009)
- Principles of Best Practice in Clinical Audit, National Institute of Clinical Excellence (2002)

Appendices

1 Establishing Effective Risk Management
2 Corporate Risk Register Template
3 Risk Grading Matrix
4 BHH Consequence Table
5 Risk Register Flow
6 BAF Template
7 CCG Board Assurance Framework (BAF) Maintenance and Review Process
8 Principles and Application
9 Sources of Assurance (examples)
10 Using Sources in Practice
11 Mapping
12 Training Needs Analysis
13 Action Plan to Support Year 1 Target
14 Risk Map & Risk Lead Table (Under development)
15 Equality Impact Assessment Tool

Appendix 1 Establishing Effective Risk Management

AWARENESS
Staff will have an awareness and understanding of the risks that affect patients, visitors, and staff.
- Risk Identification: line managers will encourage staff to identify risks to ensure there are no unwelcome surprises. Staff will not be blamed or seen as being unduly negative for identifying risks.
- Accountability: staff will be identified to own the actions to tackle risks.
- Communication: there will be active and frequent communication between staff, stakeholders and partners.

COMPETENCE
Staff will be competent at managing risk.
- Training: staff will have access to comprehensive risk guidance and advice; those who are identified as requiring more specialist training to enable them to fulfil their responsibilities relevant to their roles will have this provided internally.
- Behaviour and culture: senior management will lead change by example, ensuring risks are identified, assessed and managed. All staff are encouraged to identify risks.

MANAGEMENT
Activities will be controlled using the risk management process and staff are empowered to tackle risks.
- Risk assessment and management: risks will be assessed and acted upon to prevent, control, or reduce them to an acceptable level. Staff will have the freedom and authority, within defined parameters, needed to take action to tackle risks, escalating them where necessary. Contingency plans will be put in place where required.
- Process: the process for managing risk will be reviewed to continually improve. This will be integrated with our processes for providing assurance, and the processes of our stakeholders and any relevant third parties.
- Measuring performance: exposure to risk will be measured with the aim of reducing this over time. The culture of risk management will also be measured and improved during the lifetime of this strategy.


Appendix 2

Appendix 3

Risk Scoring Matrix (Source: National Patient Safety Agency)

[Risk scoring matrix: Likelihood score (Rare, Unlikely, Possible, Likely, Almost certain) against consequence (5 Catastrophic, Major, Moderate, Minor, Negligible)]

For grading risk, the scores obtained from the risk matrix are assigned grades as follows:
- 1-3 Low risk
- 4-6 Moderate risk
- 8-12 High risk
- Extreme risk

Likelihood score (L)

What is the likelihood of the consequence occurring? The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

Likelihood score descriptor and frequency (how often might it/does it happen):
- Rare: This will probably never happen/recur
- Unlikely: Do not expect it to happen/recur but it is possible it may do so
- Possible: Might happen or recur occasionally
- Likely: Will probably happen/recur but it is not a persisting issue
- Almost certain: Will undoubtedly happen/recur, possibly frequently

Instructions for use

1 Define the risk(s) explicitly in terms of the adverse consequence(s) that might arise from the risk.
2 Use table 1 to determine the consequence score(s) (C) for the potential adverse outcome(s) relevant to the risk being evaluated.
3 Use table 2 to determine the likelihood score(s) (L) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project or a patient care episode. If it is not possible to determine a numerical probability then use the probability descriptions to determine the most appropriate score.
4 Calculate the risk score by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score)
5 Identify the level at which the risk will be managed in the organisation, assign priorities for remedial action, and determine whether risks are to be accepted on the basis of the colour bandings and risk ratings, and the organisation's risk management system. Include the risk in the organisation risk register at the appropriate level.

46 Appendix 4 Consequence Table Choose the most appropriate domain for the identified risk from the left hand side of the table Then work along the columns in same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. Consequence score (severity levels) and examples of descriptors Domains Negligible Minor Moderate Major Catastrophic Impact on the safety of patients, staff or public (physical/ psychological harm) Minimal injury requiring no/minimal intervention or treatment. No time off work Minor injury or illness, requiring minor intervention Requiring time off work for >3 days Increase in length of hospital stay by 1-3 days Moderate injury requiring professional intervention Requiring time off work for 4-14 days Increase in length of hospital stay by 4-15 days RIDDOR/agency reportable incident An event which impacts on a small number of patients Major injury leading to long-term incapacity/disability Requiring time off work for >14 days Increase in length of hospital stay by >15 days Mismanagement of patient care with longterm effects Incident leading to death Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients Quality/complaint s/ audit Peripheral element of treatment or service suboptimal Informal complaint/inquiry Overall treatment or service suboptimal Formal complaint (stage 1) / Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) complaint Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Non-compliance with national standards with significant risk to patients if unresolved Multiple complaints/ independent review Low performance rating Critical report Totally unacceptable level or quality of 
treatment/service Gross failure of patient safety if findings not acted on Inquest/ombudsman inquiry Gross failure to meet national standards Reduced performance rating if unresolved Major patient safety implications if findings are not acted on 2

47 Human resources/ organisational development/staff ing/ competence Short-term low staffing level that temporarily reduces service quality (< 1 day) Low staffing level that reduces the service quality Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Non-delivery of key objective/service due to lack of staff On-going unsafe staffing levels or competence / Loss of several key staff Statutory duty/ inspections No or minimal impact or breech of guidance/ statutory duty Breech of statutory legislation Reduced performance rating if unresolved Low staff morale / Poor staff attendance for mandatory/key training Single breech in statutory duty Challenging external recommendations/ improvement notice Loss of key staff /Very low staff morale No staff attending mandatory/ key training Enforcement action Multiple breeches in statutory duty Improvement notices No staff attending mandatory training /key training on an on-going basis Multiple breeches in statutory duty Prosecution Complete systems change required Low performance rating Zero performance rating Adverse publicity/ reputation Rumours Potential for public concern Local media coverage short-term reduction in public confidence Elements of public expectation not being met Local media coverage long-term reduction in public confidence Critical report National media coverage with <3 days service well below reasonable public expectation Severely critical report National media coverage with >3 days service well below reasonable public expectation. 
MP concerned (questions in the House) Total loss of public confidence Business objectives/ projects Insignificant cost increase/ schedule slippage <5 per cent over project budget Schedule slippage 5 10 per cent over project budget Schedule slippage Non-compliance with national per cent over project budget Schedule slippage Incident leading >25 per cent over project budget Schedule slippage Finance including claims Small loss Risk of claim remote Loss of per cent of budget Claim less than 10,000 Loss of per cent of budget Claim(s) between 10,000 and 100,000 Key objectives not met Uncertain delivery of key objective/loss of per cent of budget Claim(s) between 100,000 and 1 million Key objectives not met Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Purchasers failing to pay on time Loss of contract / payment by results Claim(s) > 1 million Service/ business interruption Environmental impact Loss/interruption of >1 hour/ Minimal or no impact on the environment Loss/interruption of >8 hours Minor impact on environment Loss/interruption of >1 day Moderate impact on environment Loss/interruption of >1 week Major impact on environment Permanent loss of service or facility Catastrophic impact on environment 3

Appendix 5

Risk Register Flow

[Flow diagram: Risk Score 1-6, Team/Department: Team Risk Registers. Risk escalation: risks scored 8 and above. Risk Score 8-12, Work Stream/Directorate: Directorate Risk Registers (reduce score: see 1-6). Risk escalation: risks scored 15 and above. CCGs Corporate: Corporate Risk Register (CRR) (reduce score: see 8-12). Risk escalation. Governing Body: Board Assurance Framework (BAF), with Strategic Priorities Risks, Compliance Risks, Horizon Scanning and the Corporate Risk Register (CRR). BHH Federation: BHH Corporate Risk Register (CRR), risks 15 & above, with Strategic Priorities, Horizon Scanning and Compliance Risks.]

Depending on complexity of work area, Managers, Leads and Heads of Departments may need to develop a Team Risk Register, e.g. Continuing Care. All new risks are entered onto team risk registers after discussion/challenge with Managers, Leads, and Heads of Department. Risk owners are assigned and responsible for managing the risk(s), implementing control measures, reviewing actions and reviewing the risk.

All risks scored 8 and above will be monitored by the Senior Management Team to ensure that the risk is effectively managed, to allocate additional resources or to nominate an executive risk owner if the decision is made to escalate.

All risks scoring 15+ will be owned by a Director and will be monitored monthly by the Executive Committee to ensure that the management of the risk is effective and to allocate additional resources if required. Lower scoring risks occurring across multiple Directorates may be aggregated and escalated to the CRR.

The Executive Team will determine which strategic CRR risks should be escalated to the Board Assurance Framework, which provides the Board with a register of significant risks against the strategic objectives of the CCG and gives assurances that the risks are being managed effectively.

The BHH Senior Team will determine which Corporate Risks overarch the 3 CCGs scoring will populate the risk register and give assurance the risk is managed.

Appendix 6

BAF Template

Strategic Objective:
Last updated:
Category:
Risk Appetite:
Responsible Committee:
Risk: (State risk, cause & effect)
Board Lead:
Management Owner:
Risk Rating: (consequence x likelihood) Initial: Current: Target:

[Chart: Risk Score by month (Apr to Mar), with Target]

Action Plan Progress: (Progress / blockages to achieving target rating and how these are being addressed)
Controls: (What have we done to prevent the risk from happening or to reduce the impact if it does happen?)
Gaps in control: (What hasn't been done yet? Why?)
Assurances: (How do we know the things we are doing are having an impact? Who can confirm this?)
Gaps in assurance: (What additional assurances should we seek?)
Action: (What more is planned? By when? By whom?)
Action owner: Due date:
Action owner: Due date:

Appendix 7

CCG Risk and Board Assurance Framework (BAF) Maintenance and Review Process

Introduction

Each CCG maintains 2 risk registers: BAF Risks and Corporate/Operational risks. All BAF risks are overseen by the Governing Body (facilitated by the Head of Governance) through the process set out below. Corporate/operational risks are overseen by the CCG management team; however, the Governing Body is also notified of any corporate/operational risks that are red rated. The Head of Governance advises on the maintenance of the Corporate Risk Register but plays no role in its day to day management.

BAF

As agreed by the Audit Committee Chair at their meeting held on 19 March 2015, the CCG BAF maintenance and review process has been streamlined to make it easier for risk owners and CCG BAF leads to know what is expected of them. Led by the Head of Governance, the risk reporting system can be broadly stated as:
- CCG risk liaison officers send out reminders to Risk Owners to update risk forms, a template of which can be found in Appendix A.
- Local CCG risk liaison officers collate and retain individual risk forms.
- The Head of Governance:
  - collects individual risk forms from the local liaison officer, then
  - drafts a detailed report for each risk owning committee and presents it at the meeting for scrutiny of individual risks by the Committee
  - drafts an overview report* for Audit Committee that includes owning committee comments and presents it at the meeting
  - drafts a consolidated overview report for the Governing Body together with the assurance of the owning committee and Audit Committee
- The cycle repeats every three months.

*The summary BAF report details each CCG's strategic risks, the key assurances that they are being managed appropriately and a summary of the progress being made towards mitigating them further. The risks will be sorted in descending risk rating order so that the committee can focus on the most critical issues. See template at Appendix 6.

A detailed review of individual BAF risks will be undertaken by the appropriate Responsible Committee to ensure adequate progress is being made and to identify further mitigating actions as required.

Review Cycle

A detailed review of individual BAF risks is undertaken by their appropriate Responsible Committee to ensure adequate progress is being made and to identify further mitigating actions as required; the most up-to-date detailed BAF forms are presented to these committees, with significant changes outlined in the covering summary.

The responsible committees of each CCG, with their frequency of meetings, are as follows:

Brent
- QSCR: Bi-monthly
- Finance, QIPP & Performance: Monthly
- Executive: Monthly

Harrow
- QSCR: Monthly
- QIPP & Finance: Monthly
- Procurement: Monthly

Hillingdon
- QCRS: Monthly
- Finance & QIPP: Monthly
- Management: Monthly
- SRG: Monthly

The Board Assurance Framework should be presented to the Joint Audit Committee in May, September, December and February [1] each year. Any feedback from the Audit Committee is incorporated into the BAF Summary report before it is presented to individual Governing Bodies at their first meeting following the Audit Committee, probably in June, October, January and March.

BAF Reporting

This section refers to the BHH BAF Maintenance & Review process, which should be followed by each CCG.

The BHH Head of Governance is responsible for preparing the BAF Summary report and should request updated BAF forms at least 18 working days prior to each meeting of the Joint Audit Committee. It's worth reminding risk leads that all updates should be clearly identified in blue text so that they can be identified easily.

The BHH Head of Governance should review the detailed BAF forms and provide feedback on individual risks as required before producing a draft BAF Summary report for each CCG. The risks need to be sorted into descending risk rating order so that the Audit Committee can focus on the most critical issues facing each CCG.

The draft BAF Summary report should be sent back to each CCG to be presented to each CCG SMT [2] to provide an opportunity for risk owners to challenge and sense check the severity of their risk ratings. The BAF Summary reports of the other two CCGs can also be shared with the SMT to provide an opportunity for wider comparison on scoring and provide greater consistency of BAF reporting across the CCGs. Any updates agreed by the SMT are fed back to the BHH Head of Governance, who should incorporate these into the final BAF Summary report before sending it to the secretary of the Joint Audit Committee.

The BHH Head of Governance presents the BAF Summary report to the Joint Audit Committee. The BHH Head of Governance is responsible for feeding back any comments from the Joint Audit Committee to risk leads before updating the report and sending it to the secretaries of individual CCG Governing Bodies.

The BHH Head of Governance is responsible for preparing BAF risk reports for the individual CCG committees responsible for the detailed review of specific BAF risks. These reports comprise a covering summary followed by the detailed BAF forms. The BHH Head of Governance is responsible for collating the detailed BAF forms and picking out the significant changes to be reported in the covering summary; a slightly different format is used for each CCG, but the information reported is basically the same.

Brent and Harrow CCGs update their BAF risks on a 4-monthly cycle and so the detailed BAF forms collected for the latest Joint Audit Committee can be used for BAF risk reporting to responsible committees. Hillingdon CCG, however, follows a monthly update cycle and so the latest detailed BAF forms should be requested just before each report is due.

[1] Flexible according to AC meeting dates
[2] Brent & Hillingdon SMTs meet weekly

Appendix 8 Principles and Application

Principle

Planning to gain assurance
Overall assurance will only be gained if there is a strategy for obtaining it. The Strategy should be approved by the Governing Body and the Audit Committee. Supporting processes for obtaining assurance should be embedded into existing processes.

Making explicit the scope of the assurance boundaries
To form an overall opinion the scope of the processes needs to include the whole of the organisation's governance, risk and performance management lifecycle. Whilst this does not reflect the need to review every risk and internal control it should cover:
- Assurance on the Risk Management and Performance Management Strategies and how these work in practice (the extent to which line managers review the risks and controls within their responsibility and maintain dynamic risk and performance management arrangements)
- Assurance on management of risks and controls themselves.
- Assurance on the adequacy of the assurance processes.

Evidence
The evidence supporting assurance should be sufficient in scope and weight to support the conclusion and be:
- Relevant
- Reliable
- Understandable
- Free from material misstatement
- Neutral / free from bias
- Such that another person would reasonably come to the same conclusion
All evidence does not carry the same weight and should be weighted in accordance to independence and relevance. Evidence may be flawed in terms of both quality and quantity, leading to limitations in the assurance that can be provided.

Application within the CCG

An Assurance Strategy, which reflects the assurance system in operation within the CCG and therefore the supporting processes, has been approved at Governing Body Level after consultation with both the Audit Committee and the Quality Committee. The Strategy has been prepared to align with the other key strategies.

The CCG will be responsible for ensuring that there is adequate assurance on the risk management system and the risks / controls themselves. Tools such as an Assurance Map and an Assurance Directory will enable the assurance process to be assessed in terms of value and any gaps in assurance identified and addressed.

When planning to gain assurance at any level the following questions will be asked:
- Why do we need assurance?
- What do we need assurance on?
- What type and level of assurance do we need?
- Would we be happy to accept less?
- How can we gain this assurance / who provides the assurance (the source)?
- What are the exact boundaries for the assurance and therefore is there further work required?

The CCG will define what good evidence looks like, ensuring that the details within this principle are adhered to. A training programme on assurance will be undertaken for key staff in the CCG, which will include a session on evidence. The CCGs being used to support the assurance agenda will act as a central repository of evidence, allowing a quality assurance process to be undertaken by the Head of Governance in relation to quality of evidence. Any issues identified in this way will be addressed by additional training.

Principle

Evaluation
The objective is to:
- Evaluate the adequacy of the governance, risk and performance management policies and strategies to achieve their objectives
- Evaluate the adequacy of the risk management processes designed to constrain residual risk to the risk appetite
- Evaluate the adequacy of the performance management processes to support the achievement of targets and goals
- Identify limitations in the evidence provided or in the depth or scope of the reviews undertaken
- Identify gaps in control and / or over control and provide the opportunity for continuous improvement
- Support the preparation of the Annual Governance Statement

Reviewing and Reporting
Assurances are reported from many different sources within an organisation and therefore the Strategy needs to define stages where assurances will be evaluated and opinions reported through the various layers of management to the Governing Body. Assurance opinions need to be reported clearly and worded so as to clearly communicate the scope and criteria used in arriving at those conclusions.

Application within the CCG

A review of all key areas will be co-ordinated by the Head of Governance in conjunction with the Finance Directorate. The Audit Committee will approve the intended approach as put forward by the Head of Governance.

Gaps and duplications in assurance will be identified by the development of an assurance map, the responsibility for which falls within the remit of the CCG. A directory of sources of external assurances will be maintained. This will populate, in part, the assurance directory, which will also contain internal sources of assurance.

Central reviews of evidence will be undertaken by the Head of Governance. Training will be provided across the CCGs to be the first line of evidence assessment.

The Strategy contains the governance structure for the CCGs. It makes it clear that assurances for the Governing Body will be assessed in terms of value by the Head of Governance. Training and education will be undertaken across the CCG in relation to reporting of assurances.

Source: The Orange Book (Management of Risk Principles and Concepts), HM Treasury (2004)

Appendix 9 Sources of Assurance

External Audit
  Scope: Financial accounts and reviews as determined
  Process: Financial audit and review reports

Internal Audit
  Scope: All areas related to governance, risk management and internal control. Will be limited by number of days in audit plan and expertise of staff
  Process: Individual review reports. Scope of reviews agreed in advance with relevant directors. Internal Audit Plan agreed with Audit Committee

Clinical Audit
  Scope: Area under review, defined by the Clinical Audit Plan
  Process: Report to Clinical Audit Committee (providers)

Audit Committee
  Scope: All areas related to corporate governance, risk management and internal control, as determined by Terms of Reference
  Process: Report to Governing Body annually and update via issue of minutes after each meeting

Management Executive
  Scope: All areas related to corporate governance, risk management and internal control
  Process: Report to Governing Body at each meeting

CQC Inspection (providers)
  Scope: Restricted to CQC Outcomes, whichever are subject to review at the time
  Process: Report to the Governing Body

Other Accreditation Systems
  Scope: Restricted to area of accreditation e.g. CPA
  Process: Report to the CCG Governing Body / relevant department depending on accreditation

Integrated Performance report
  Scope: Specific to identified targets, internal and external, for finance, performance, and quality
  Process: Reports to relevant groups and committees Governing Body

Stewardship reports
  Scope: Specific to area of responsibility
  Process: Reports to relevant groups and committees and Governing Body

Walkabouts / Quality Visits
  Scope: Specific to area of visit
  Process: Reports to relevant groups and committees and Governing Body

Information Governance Toolkit
  Scope: Specific to area of responsibility
  Process: Reports to management, relevant committee etc.

Patient Experience PALS Health Watch
  Scope: Specific to national and local surveys, data and public feedback evidence.
  Process: Reports to relevant groups and committees and Governing Body

Type: Written; Written; Written; Written and Verbal; Written or Verbal; Written; Written; Written; Written; Empirical; Written

Level: 3 - Independent; 3 - Independent; 1 - Operational / Independent; 2 - Oversight function; 1 - Operational; 3 - Independent; 3 - Independent; 1 - Operational; 1 - Operational; 1 - Operational; 1 - Operational; 1 - Operational; 3 - Independent

Appendix 10 Using Assurance Sources in practice

Example 1: Identified Sources of Assurance for National Performance 18 week wait

Integrated Performance report
  Scope: Specific monitoring of performance against the target and assessment of data quality
  Process: Reports to relevant groups and committees.
  Type: Written
  Level: 1 - Operational

External Audit
  Scope: Review of data quality for all mandatory national performance targets
  Process: Data quality audit and review reports. Scope of review agreed nationally.
  Type: Written
  Level: 3 - Independent

Internal Audit
  Scope: Testing of process for recording clock stops and breaches along the pathway by random sample basis. Scope of reviews agreed in advance with relevant directors. Internal Audit Plan agreed with Audit Committee
  Process: Report to Audit Committee
  Type: Written
  Level: 3 - Independent

Adult Inpatient Survey
  Scope: Sample interview survey conducted on a quarterly basis. Scope agreed as a monitoring measure in the Patients Experience Framework.
  Process: Report to relevant committee
  Type: Written
  Level: 3 - Independent

Clinical Audit
  Scope: Review of adherence to admission criteria in theatres. Scope agreed as part of local clinical audit plan
  Process: Report to relevant Governance Committee
  Type: Written
  Level: 1 - Operational / Independent

Example 2: Identified Sources of Assurance for Information Governance

Integrated Performance report
  Scope: Specific monitoring of performance against the target and assessment of data quality
  Process: Reports to relevant groups and committees
  Type: Written
  Level: 1 - Operational

External Audit
  Scope: Review of data quality for all mandatory national performance targets
  Process: Data quality audit and review reports. Scope of review agreed nationally.
  Type: Written
  Level: 3 - Independent

Internal Audit
  Scope: Independent review of Information Governance as required by the Information Commissioner. Scope of reviews agreed in advance with relevant directors. Internal Audit Plan agreed with Audit Committee
  Process: Report to Audit Committee
  Type: Written
  Level: 3 - Independent

Clinical Audit
  Scope: Review of adherence to Health Records Policy. Scope agreed as part of local clinical audit plan
  Process: Report to relevant Governance Committee
  Type: Written
  Level: 1 - Operational / Independent

Appendix 11 Assurance Mapping

Template column headings: Risk No; Risk Description; Residual Risk Score; Risk Owner; GB Member Oversight; Review Annually; Overall; Monitor / Action; Action Required; Reviewed Date; Operational e.g. Internal Reports (1st Line); Committees e.g. Audit (2nd Line); Independent e.g. Audit Report (3rd Line)


More information

University of the Sunshine Coast (USC) Risk Appetite Statement

University of the Sunshine Coast (USC) Risk Appetite Statement Vision and strategic goals University of the Sunshine Coast (USC) Risk Appetite Statement The University of the Sunshine Coast will be a university of international standing, a driver of capacity building

More information

RISK MANAGEMENT GUIDELINES

RISK MANAGEMENT GUIDELINES RISK MANAGEMENT GUIDELINES Purpose of Guidelines These guidelines outline the way South West Healthcare operates its Risk Management Program and are to assist the organisation, its divisions, departments

More information

Trust Assurance Framework Reviews. (Structure, Engagement and Alignment 2017/18)

Trust Assurance Framework Reviews. (Structure, Engagement and Alignment 2017/18) Trust Assurance Framework Reviews (Structure, Engagement and Alignment 217/18) The overall purpose of the insight is to summarise the results of the 217/18 Assurance Framework reviews, highlight good practice

More information

What keeps Trust Boards awake at night? (2015 Edition) Foundation and NHS Trust Assurance Framework Benchmarking

What keeps Trust Boards awake at night? (2015 Edition) Foundation and NHS Trust Assurance Framework Benchmarking What keeps Trust Boards awake at night? (2015 Edition) The overall purpose of the insight is to enable individual Foundation Trusts and NHS Trusts to understand how key elements of their Assurance Frameworks

More information

Queen s University Belfast. Risk Management. Policy and Procedures

Queen s University Belfast. Risk Management. Policy and Procedures Queen s University Belfast Risk Management Policy and Procedures POLICY SCHEDULE Policy title Policy owner Policy lead contact Approving body Date of approval/review Related Guidelines and Procedures Review

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Guidance Paper No. 2.2.6 INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES OCTOBER 2007 This document was prepared

More information

Risk Management Policy

Risk Management Policy DYNAMIC ARCHISTRUCTURES LIMITED Risk Management Policy DYNAMIC ARCHISTRUCTURES LIMITED Regd. Address: 409, Swaika Centre, 4A Pollock Street, Kolkata - 700001 (West Bengal) CONTENTS Sr. Particulars Page

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Originator: Barbara Gale Chief Executive Review date: April 2015 Revision date: April 2017 Approved by: Finance & Investment Committee Date of meeting: 22 April 2015 Name of Chair:

More information

Risk Management Policies and Procedures

Risk Management Policies and Procedures Risk Management Policies and Procedures As at May 5 2017 Masters Swimming Australia ABN 24 694 633 156 Level 2, Sports House, 375 Albert Road, Albert Park 3206 t: (03) 9682 5666 e: gm@mastersswimming.org.au

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK 1. INTRODUCTION (Company) acknowledges that risk is inherent in its business. The Company faces a broad range of risks as a listed entertainment organisation. The Company s risk

More information

RISK MANAGEMENT POLICY October 2015

RISK MANAGEMENT POLICY October 2015 RISK MANAGEMENT POLICY October 2015 1. INTRODUCTION 1.1 The primary objective of risk management is to ensure that the risks facing the business are appropriately managed. 1.2 Paringa Resources Limited

More information