Risk Management Strategy and Policy


SUMMARY: The purpose of this document is to provide guidance to all staff within the CCG on the management of strategic, operational and project risks within the organisation. It describes the procedures to be used in identifying, analysing, evaluating and monitoring risks to the delivery of key objectives.

2 RESPONSIBLE PERSON: Assistant Director of Quality, Governance & Risk
3 ACCOUNTABLE DIRECTOR: Director of Quality and Integrated Governance
4 APPLIES TO: All staff employed within ECCG
5 GROUPS/INDIVIDUALS WHO HAVE OVERSEEN THE DEVELOPMENT OF THIS POLICY: Director of Quality and Integrated Governance, Directors Meeting, SMT, RSM
6 GROUPS/INDIVIDUALS WHO WERE CONSULTED AND HAVE GIVEN APPROVAL: Risk Manager, Clinical Governance Lead, Head of Corporate Services, Board Secretary, Risk Champions & Directors
7 EQUALITY IMPACT ANALYSIS COMPLETED: Policy Screened N/A; Template completed Yes
8 RATIFYING COMMITTEE(S) & DATE OF FINAL APPROVAL: 6 September 2017 Audit Committee
9 VERSION: 9
10 AVAILABLE ON: Intranet X; Website X
11 RELATED DOCUMENTS: ECCG Serious Incident & Reporting Policy, Prime Financial Policies, Constitution, Health & Safety Policy
12 DISSEMINATED TO: All staff in ECCG
13 DATE OF IMPLEMENTATION: September
DATE OF NEXT FORMAL REVIEW: 4th June 2019 or sooner following legislative changes

Document Version Control

Date Version Action Author Amendments
09/10/12 1 Created Alison Mitchell-Hall
17/10/12 2 Updated following internal review Alison Mitchell-Hall
30/10/12 3 Updated following Governing Body Review Alison Mitchell-Hall
13/12/12 4 Updated following external review (consultant) Alison Mitchell-Hall
Editorial Changes Editorial Changes Editorial Changes
9/01/ Update following Audit Committee review and Quality & Safety Committee Alison Mitchell-Hall & Andy Nuckcheddee, Interim Head of Governance & Risk Editorial Changes
Updating for Audit Committee Andy Nuckcheddee, Interim Head of Governance & Risk
Feb Updating frequency of reporting, roles & responsibilities (6.2.9) (10.2) and Corporate Risk Register reporting arrangements (10.3.5) Paul Balson Interim Governance Manager Bridget Pratt, Head of Governance & Risk Editorial Changes
9 September Updated to reflect: Revised Corporate Risk Register Reporting arrangements Datix software for managing risk registers and BAF Enfield CCG Corporate Governance Structure Project Risk Escalation process National Patient Safety Agency (NPSA) Risk Scoring Tool: Corporate Services Manager's responsibilities Audit Committee to receive assurance reports on Health & Safety, Emergency Planning and Security Management Directors attending Audit Committee on a rotational basis to provide assurance on their risks on the BAF and Corporate Risk Register Risk Scoring guidance Integrated BAF & Risk Register Template ECCG Governance structure Bridget Pratt, Head of Governance & Risk Editorial Changes
4th June Routine update which includes: Revised risk management threshold for BAF level and corporate risk Revised process for reporting programme/project risks Revised template for reporting risks Revised organisational structure chart Bridget Pratt, Assistant Director of Quality Governance & Risk Routine
12th January Amended to reflect LCFS role following internal audit review and recommendation Bridget Pratt, Assistant Director of Quality Governance & Risk Editorial Changes
30 August Routine update to reflect NCL STP arrangements and organisational changes Bridget Pratt, Assistant Director of Quality Governance & Risk Routine

Section 1: Introduction
  Introduction
  Aims and Objectives
  Purpose
  Scope
Section 2: Accountability Structure for Risk Management
  Roles and responsibilities
  Enfield CCG Governing Body
  Staff Responsibilities
  ECCG Chair
Section 3: Committee Responsibilities
  ECCG Risk Management Structure & Committees (appendix H)
  Audit Committee
  Finance & Performance Committee
  Quality and Safety Committee
  Each GP Locality Network will:
  The ECCG Remuneration and Nominations Committee
  The Clinical Commissioning Committee
Section 4: Risk Management Process, Performance Management Reporting and Monitoring
  The Risk Management Process
  Risk Identification and scoring
  Quantifying and scoring risk
  The Governing Body Assurance Framework and Risk Registers
Section 5: Document consultation, approval & ratification Requirements
  Open and Fair Culture
  Training and support
  Consultation and Communication with Stakeholders
  Monitoring the Effectiveness of this Strategy
  Dissemination and Implementation
  Equality and Diversity
Appendix A: Glossary and definitions of governance and risk terms
Appendix B: Risk Management, Identification and Scoring guidelines
Appendix C: Project and Programme Risk Guide for Risk Champions/Project Managers
Appendix D: Risk Register and BAF Reporting Flowchart to the Governing Body and its Committees
Appendix E Integrated Risk Management in ECCG
Appendix F Governing Body Assurance Framework Template
Appendix G: Risk Register Template (Populated Example)
Appendix H: ECCG Governance Structure

Section 1: Introduction

1 Introduction

Enfield CCG has a responsibility to ensure that the organisation is properly governed in accordance with best practice in corporate, clinical and financial governance. Every activity that the CCG undertakes, or commissions others to undertake on its behalf, brings with it some element of risk that has the potential to threaten or prevent the organisation from achieving its objectives. The CCG Governing Body recognises that robust risk management and assurance is an integral part of its governance responsibilities and part of Enfield CCG's culture. The Governing Body is, therefore, committed to ensuring that risk management forms an integral part of its philosophy, practices and business plans rather than being viewed or practised as a separate programme, and that responsibility for implementation is accepted at all levels of the organisation.

2 Aims and Objectives

2.1 Purpose

The purpose of this document is to provide guidance to all staff within the CCG on the management of strategic, operational and project risks. It describes the procedures to be used in identifying, analysing, evaluating and monitoring risks.

The objectives of this strategy and policy are to:
- Promote awareness of organisational risk and embed the approach of its management throughout the CCG.
- Ensure that risk management is an integral part of the CCG's culture.
- Seek to identify, control and report on any risk that will undermine the achievement of ECCG's priorities, both strategically and operationally, through appropriate assessment criteria.
- Monitor and measure the overall performance of the Risk Management Strategy/Policy and the way in which it contributes to the achievement of business objectives.

3 Scope

This strategy/policy applies to all areas of the organisation's business, staff that are directly employed by the CCG, the CCG Governing Body and all managers, to ensure that risk management is a fundamental part of the CCG's approach to governing the organisation and all its activities. The strategy/policy sets out the risk register reporting process to ensure that risk management is every employee's business. It describes the reporting/escalation process through clear governance structures as well as the process for escalating project risks.

The strategy describes:
- The responsibilities of the Governing Body and committees in relation to risk;
- The roles and responsibilities of staff with regard to risk management;

- The process for identification, assessment, evaluation, management and closure of risk;
- The system for managing the organisation-wide Risk Register and Governing Body Assurance Framework.

Section 2: Accountability Structure for Risk Management

4 Roles and responsibilities

4.1 Enfield CCG Governing Body

The Governing Body has a duty to assure itself that the organisation has properly identified the risks it faces and has processes and controls in place to mitigate those risks and the impact they have on the organisation and its stakeholders. The CCG is a legally constituted organisation with statutory duties and powers. The Governing Body discharges its risk management duties as follows:
- Identifies risks to the achievement of its strategic objectives via the Governing Body Assurance Framework
- Horizon scanning on risk management
- Ensures that there is a structure in place for the effective management of risk throughout the CCG
- Receives assurance regarding risk management within organisations providing services;
- Receives regular reports from the Audit Committee and responds formally to any issues raised on the effectiveness of risk management and assurance
- Demonstrates leadership, active involvement and support for risk management;
- Approves the Risk Management Strategy and subsequent revisions thereof
- Scrutinises (not less than four times a year) the Governing Body Assurance Framework for all strategic risks rated 12 or above
- Annual approval of the Annual Governance Statement (AGS) on internal control.

4.2 Staff Responsibilities

ECCG Chair

The role of the Chair is to:
- Lead the Governing Body, ensuring its effectiveness on all aspects of its role and setting the Board agenda;
- Ensure the provision of accurate, timely and clear information to Governing Body members;
- Ensure that there is rigorous scrutiny of the organisation's risk management framework and processes;
- Ensure effective communication with staff, patients, public and key stakeholders;
- Arrange regular evaluation of the performance of the Governing Body, its committees and individual directors;

Locality Leads, Lay Members and Clinical Director

Locality Leads, Lay Members and Clinical Director have a particular role in encouraging the cultural change that is needed to ensure the full engagement of patients, staff and local communities. Specific responsibilities include:
- Helping to plan for the future to improve healthcare services;
- Making sure that the financial systems and processes of ECCG are managed properly with accurate information;
- Ensuring that the organisation has sound and robust risk management systems in place to deliver key services by scrutinising the effectiveness of controls in place to manage risks; and
- Helping the Governing Body work in the public interest and ensuring patients and the public are properly informed, consulted and engaged

The Accountable Officer

The Accountable Officer has overall accountability for the management of CCG risks and is responsible for continually promoting risk management and demonstrating leadership, involvement and support.

ECCG Chief Operating Officer

The Chief Officer is the nominated Governing Body member responsible for promoting the risk management function and its effectiveness throughout the CCG. The Chief Officer is responsible for:
- Continually promoting risk management and demonstrating leadership, involvement and support;
- Ensuring an appropriate committee structure is in place, with regular reports to the CCG Committee;
- Ensuring that Clinical Leads and Senior Managers are appointed with responsibility for risk management;
- Ensuring appropriate policies, procedures and guidelines are in place and operating throughout the CCG; and
- Ensuring that an appropriate Board Assurance Framework is prepared and regularly updated and receives appropriate consideration.
- Holding Directors to account with regard to the management of strategic risk

NCL Chief Finance Officer

The Chief Finance Officer is accountable for financial risk management and will ensure:
- The effectiveness of the CCG's financial control systems
- Significant financial risks faced by the CCG are identified and managed effectively

- The Audit Committee and internal audit effectively perform their roles in assuring the CCG's system of internal control
- Robust Counter Fraud arrangements are in place:
  - Fraud and bribery risks identified within the CCG are considered for inclusion within the Corporate Risk Register and are reported to the Local Counter Fraud Specialist;
  - The NHS Protect issued Self Review Tool (SRT) is completed
  - Periodic Risk Assessment of Fraud and Bribery Risk to identify areas that are known to be vulnerable to fraudulent activity and to ascertain where the CCG may be open to fraud due to weaknesses in controls and systems in place

Director of Quality and Integrated Governance

The Director of Quality and Integrated Governance is the CCG's Lead for Nurse Clinical Supervision, Director lead for quality, integrated governance, risk management and Information Governance. Delegated responsibilities include:
- Ensuring risk management systems are in place throughout the CCG to identify and assess risk in line with the CCG's Risk Management Strategy;
- Ensuring risk champions are nominated for the management of risk registers;
- Ensuring the Assurance Framework and Risk Register are developed, maintained and regularly reviewed by the risk owners, updated and reported to the Governing Body and all of its sub committees in line with the CCG reporting arrangements (section 7);
- Ensuring that there is appropriate external review of the CCG's risk management systems, and that these are reported to the appropriate CCG committees;
- Overseeing the management of risks as determined by the CCG Governing Body;
- Working collaboratively with Internal Audit; and
- Ensuring that the Risk Management Strategy is updated regularly and approved by the CCG Governing Body and Audit Committee.
- Responsible Director for Continuing Healthcare

Deputy Chief Officer and Director of Primary Care

- Is the CCG's Senior Information Risk Officer (SIRO)
- Lead Director for Enfield Referral Service, Performance and Corporate Services

Medical Director

- Is the CCG's Caldicott Guardian

Governing Body Registered Nurse Member

The Governing Body Nurse is responsible for ensuring that the CCG has a strong strategic focus on high quality care and patient safety, promoting excellence in professional practice and leading quality improvement across care pathways and organisational boundaries.

Assistant Director of Quality, Governance & Risk

The Assistant Director of Quality, Governance & Risk is the Risk Management Lead (supported by the Risk & Governance Manager) and has management responsibility for: CCG Information Governance Complaints Policy Development Integrated Governance and Risk management Quality Assurance
- Organisational Risk Register and an Assurance Framework are developed and maintained and reviewed by the Management Team
- Ensuring the Assurance Framework and Risk Register is regularly reviewed by the senior managers designated as risk holders, updated and reported to the Governing Body and all of its sub committees
- Ensuring that there is appropriate external review of the CCG's risk management systems, and that these are reported to the CCG Committee
- Overseeing the management of risks as determined by the CCG Governing Body
- Ensuring that identified risk mitigation and actions are put in place, regularly monitored and implemented
- Providing advice and training on the risk management process
- Ensuring that the Risk Management Strategy & Policy is updated regularly and approved by the CCG Governing Body
- Preparing the Annual Governance Statement, liaising with the Finance Team as appropriate

Head of Corporate Services

The Head of Corporate Services is responsible for ensuring arrangements are in place for:
- Health & Safety
- Local Security Management
- Estates Management
- Human Resources and Organisational Development
- Emergency Planning Preparedness and Resilience (EPRR). This includes ensuring EPRR risks are assessed periodically by the Heads of the four core CCG services to review and assess potential risk and threats and populate the risk register via Datix

Assistant Director of Safeguarding

The Assistant Director of Safeguarding is responsible for:
- Ensuring robust arrangements and processes are in place for safeguarding children and adults

Directors and Heads of Service Roles within Enfield CCG

Directors and Heads of Service, where allocated, will be responsible for:
- Appointing departmental risk champions to ensure population and management of risk registers;

- Identifying, assessing and mitigating risks in connection with the key business processes and activities for which they are responsible through the use of risk registers
- Ensuring that all risks identified are allocated to an individual risk owner for the purposes of on-going management and assurance reporting as required;
- Ensuring directorate, project and project risk registers are updated and reviewed regularly
- Determining resource implications/requirements arising in connection with risk assessments and assurance provision;
- Reporting on the key risks and the effectiveness of controls to the relevant group/committee for the purpose of providing assurance that these are effective. These reports will be supported by evidence in a form that is appropriate and proportionate to the needs of the CCG.
- Holding to account the individual Risk Leads who are responsible for the management of each individual risk associated with the key business process in question. The risk lead will report on the management of the risk and provide appropriate assurances.
- Attending the Audit Committee deep dive on a timetabled rotational basis to discuss the significant risks in their business areas and how these are being managed and mitigated

CCG Risk Champions & Project/Programme Leads

- Proactively engage in the implementation of the monthly risk register review and update within their directorate/programme/project.
- Risk Champions should liaise with Risk Leads to ensure risk registers are quality checked
- Input risk register information on to the Risk Module of the Datix database in an accurate and timely manner to enable production of reports for the Transformation Board, Clinical Commissioning Committee, Audit Committee, Finance & Recovery Committee, Quality & Safety Committee, Governing Body and other Committees.
- Keep up to date with any changes to the database by attending refresher training as and when appropriate.
- Report any concerns to their Director and advise directors, managers and other staff within their directorate of identified risks requiring attention

Project/Programme SROs are responsible for:
- Ensuring that project/programme risk registers have been challenged and scrutinised at each Transformation Board meeting.
- Ensuring risk is appropriately monitored by Project Managers and any actions identified will effectively mitigate the risks identified
- Ensuring corporate risks are escalated to the relevant Governing Body Committee as appropriate

Risk Leads/Owners

- Responsible for taking a lead role in embedding risk management processes within their directorate/service
- Ensure local risk registers are maintained and updated
- Ensure risks that meet the tolerance level of 8 or more are escalated to either the Corporate Risk Register or Board Assurance Framework
- Provide assurance on risk management activity through the Audit Committee

All Staff

All staff members employed by ECCG have a responsibility to perform their duties in accordance with the values, policies and procedures of the organisation, professional statutory bodies' regulations, legislative and regulatory frameworks, national good practice standards and to contribute to the achievement of CCG's objectives available on the intranet/internet. All staff working for the CCG are responsible for:
- Being aware that they have a duty under legislation to take reasonable care of their own safety and the safety of others who may be affected by the CCG's business and to comply with appropriate CCG rules, regulations, instructions, policies, procedures and guidelines;
- Taking action to protect themselves and others from risks;
- Identifying and reporting risks to their line manager;
- Ensuring incidents, claims and complaints are reported using the appropriate procedures and channels of communication (policies on the intranet);
- Co-operating with others in the management of all ECCG risks;
- Attending mandatory and statutory training as determined by the CCG or their line manager;
- Being aware of emergency procedures relating to their particular locations;
- Ensuring all contractors and partners are made aware of the importance of risk management and the mechanisms for feeding concerns into the formal processes

Contractors, Agency and Locum Staff

Managers must ensure that where they are employing or contracting agency and locum staff they are made aware of, and adhere to, all relevant policies, procedures and guidance of the CCG, including:
- The CCG Incident reporting framework and Procedure, Risk Management Strategy/Policy and the Health and Safety Policy;
- Taking action to protect themselves and others from risks; and
- Bringing to the attention of others the nature of risks which they are facing in order to ensure that they are taking appropriate protective action

Section 3: Committee Responsibilities

5. ECCG Risk Management Structure & Committees (appendix H)

5.1. Audit Committee

The Audit Committee is the Assurance Committee and is responsible for ensuring the CCG has an effective process in place with regard to risk management. The Committee monitors the quality of the Assurance Framework and refers significant issues to the Governing Body. The Committee is the central means by which the Governing Body ensures that effective internal control arrangements are in place. The Committee will:
- Receive and consider the latest iteration of the Assurance Framework at every meeting as well as the levels of assurance provided
- Undertake a deep dive on high risk areas in line with its work plan and responsible Directors
- Receive the corporate risk register at every meeting
- Receive regular reports on the effectiveness of, and compliance with, the risk management and assurance strategy. This will be through a combination of internal management reports and independent reviews;
- Receive independent reports on the on-going effectiveness of key controls that contribute to the management of specific risks being faced by the CCG;
- Assess the level and quality of assurance providers, i.e. management and/or internal audit;
- Challenge the way in which risk is managed, particularly where there is uncertainty or concerns over the effectiveness of existing arrangements, until satisfactory conclusions have been drawn. This could include requesting attendance at meetings for the purpose of providing relevant information for assurance purposes;
- Formally assess, via the Audit Committee Annual Report, the overall effectiveness of the application of the risk management and assurance arrangements, reporting on the conclusions reached to the Governing Body as a basis for continuous improvement;
- Review and comment on the annual report on risk management (in the form of the AGS) to ensure that it is fair and representative of the risk management arrangements prior to inclusion in the annual financial statements

Finance & Performance Committee

The Finance & Performance Committee will ensure the CCG develops effective strategies and plans for use of its delegated financial resources in order to achieve its strategic objectives. The Committee will also ensure appropriate recovery plans are in place where performance deviates and recommend approval of strategies to the CCG Governing Body. The Committee also serves to provide the CCG with assurance that the budgets, as delegated, are being managed effectively and efficiently, and with due regard to the governance and financial procedures. The Committee ensures that all finance and QIPP risks are monitored through a robust Risk Register and ensures that the Governing Body and its sub-committees receive up-to-date finance reports.

5.3. Quality and Safety Committee

The Quality & Safety Committee has overarching responsibility for quality, integrated governance and information governance. The Quality & Safety Committee will ensure that there is a sound system of governance and quality assurance in place. As part of that work it:
- Initiates and monitors all quality, safety and governance risks;
- Receives and reviews all quality issues of concern and ensures that any actions to mitigate them are carried out;
- Ensures that appropriate plans are in place to mitigate risks
- Liaises with the Governing Body to ensure that there are agreed Clinical Quality and Risk protocols across the CCG;
- Receives Safeguarding children and adult reports from the CCG Safeguarding Sub Groups

The CCG Quality & Risk Subgroup is an operational group and discharges duties on behalf of the Quality and Safety Committee. It supports the development of risk management, reviews the clinical, quality and safety areas of the Corporate Risk Register and Board Assurance Framework and receives reports on:
- Information Governance;
- Serious Incidents and Complaints;
- Safeguarding Adults;
- Safeguarding Children
- Insight and Learning

5.4. Each GP Locality Network will:

- Promote risk management processes, as part of clinical governance, with all Enfield CCG member practices and escalate risks via their Locality Leads to the CCG Clinical Commissioning Committee. This will ensure that practices report risks relating to commissioned services to the CCG to ensure that risks are identified and managed

The ECCG Remuneration and Nominations Committee

The Remuneration and Nominations Committee is the committee with responsibility for overseeing all recruitment and remuneration matters on behalf of the full ECCG Governing Body. It has a particular focus on senior management recruitment and remuneration but also supports CCG's managers on matters of recruitment and remuneration of all staff members, overseeing staffing and remuneration strategies and encouraging best practice.

The Clinical Commissioning Committee

The purpose of the CCC is to drive GP-led, multi-professional clinical commissioning across all Members and to communicate and implement the Enfield CCG's (ECCG) vision and values as detailed in its constitution. The Committee is accountable to the Governing body for the strategic and operational management of the CCG in line with its statutory functions and duties. The Committee is responsible for monitoring commissioning risks.

5.7. Enfield CCG Directors Meeting

The Enfield CCG Directors meeting undertakes an oversight role in the management of all strategic and corporate risks. The Directors meeting moderates risk scores and reviews risk descriptions. The Directors meeting will:
- Review the adequacy of controls and actions recorded on the BAF
- Provide quality assurance, moderation and consistency in reporting of risks.
- Ensure risk registers are managed, monitored and reviewed
- Determine resource requirements arising in connection with risk responses
- Embed a risk management culture across the organisation
- Ensure there is a common acceptance through the organisation of the importance of continuous management of risk, including clear accountability for and ownership of risks.
- Encourage risk reporting, incident reporting and whistleblowing to actively learn from mistakes and near misses.
- Ensure risks identified that may affect the organisation are recorded as necessary and reported to the relevant Committee and Governing Body as appropriate.
- Ensure the Board Assurance Framework and Corporate Risk Register reflect the actual risks to the organisation (inclusive of strategic, financial, clinical and non-clinical risks)

NCL Joint Commissioning Committee

The Committee is a joint committee between Barnet CCG, Camden CCG, Enfield CCG, Haringey CCG and Islington CCG to jointly commission goods and services as set out in section 4 for the people of the London Boroughs of Barnet, Camden, Enfield, Haringey and Islington. The Committee will monitor (liaising with local CCG leads) risks related to the following commissioning areas:
- All acute services including core contracts and other out of sector acute commissioning;
- All learning disability contracting associated with the Transforming Care programme;
- All integrated urgent care (including 111/GP Out-of-Hours services)
- Any specialised services not commissioned by NHS England

All Governing Body Sub Committees:

Governing Body sub-committees (Appendix H) are responsible for declaring risks in their reports to the Governing Body by completing the risk section of the coversheet and assuring the Governing Body that risks are being effectively mitigated.

The Terms of Reference for all Governing Body Committees are available on the CCG website %20of%20reference.pdf.

Section 4: Risk Management Process, Performance Management Reporting and Monitoring

6. The Risk Management Process

6.1. Risk Identification and scoring

Risks should be identified against strategic, corporate, directorate, programme/project objectives. Methods for identifying and managing levels of risk would include:
- Internal methods, such as: incidents, complaints, claims and serious incident reporting and identification of trends, audits, QIPP related risks, emergency planning risks, project/programme risks based on the achievement of project objectives, patient satisfaction surveys, surveys including staff surveys, whistleblowing, contract quality monitoring of commissioned services; and
- External methods, such as: media reports, national reports, new legislation, reports from assessments/inspections by external bodies, reviews of partnership working

The Risk Champion/Project Lead will ensure risks are recorded on Datix using the Assurance Framework and Corporate Risk Register Template Headings in appendix F & G. Committees/groups reporting to the CCG Governing Body highlight risks for inclusion within the CCG Risk Register or BAF. Risk identification is also obtained from member practices through GP locality meetings, engagement forums and 360 feedback. The designated risk owners will ensure that all risks are added to the Risk Register and BAF and are managed in line with the CCG risk appetite outlined in appendix B (11.4).

Quantifying and scoring risk

Once a risk is identified it is important to establish the likelihood of it occurring and the potential impact if it did occur. This is called the initial or inherent risk and is measured by using the National Patient Safety Agency risk scoring matrix found at appendix B (table 3). The risk scoring matrix is a systematic and common approach to quantifying all categories of risk.

[Figure: Risk Identification and Management Flowchart. Box labels: Identify the risk; Possible impact; Objectives; Identify risk owner; Record the risk; Risk registers; Evaluate the risk; Is the risk acceptable?; Identify suitable controls; Implement controls; Monitor the risk; Has the risk materialised?; Is the risk still live?; Has the risk changed?; Incident/issue; Close.]

7. The Governing Body Assurance Framework and Risk Registers

The CCG's 3 main documents for reporting and managing risks are the Governing Body Assurance Framework, and the Corporate and Directorate/programme/project Risk Registers:

7.1. Governing Body Assurance Framework

The Governing Body Assurance Framework (GBAF) is a requirement established by the Department of Health in Assurance: the Board Agenda in July. The GBAF is a tool for the Governing Body to satisfy itself that significant risks (see appendix A for definitions) are being managed and objectives are being achieved. The ECCG BAF contains all 12+ strategic risks. The purpose of the GBAF is to:
- Identify the main risks (12+) to achieving Enfield CCG's Corporate objectives,
- List and evaluate the mitigations in place to reduce the likelihood or impact of the risk,
- Summarise the remedial or proposed actions that further mitigate the likelihood or impact of the risk.
- Summarise the controls, assurances and gaps relating to each main risk.

7.2. Corporate Risk Register

The Corporate Risk Register includes all high level strategic and operational risks (8+) identified as affecting ECCG's corporate objectives. These risks are monitored at Governing Body Committee level and are identified from Directorate/Service/Project/Programme Risk Registers (see appendix C for project/programme risk escalation process). These are based on documented risk assessments and may be linked to incidents, audits, external assessments or other qualitative information.

The Corporate Risk Register is compiled and maintained by the Risk & Governance Team. Strategic risks scoring 12+ will be escalated to the BAF via the responsible Director and relevant Committee as outlined in appendix D.

Directorate/Service/Programme Risk Registers

Directorate/Service/Project/Programme Risk Registers provide a local record of all potential or actual risks within the directorate. Actions to mitigate these risks will be managed by the respective director in conjunction with the appropriate senior lead. Directorate/Service Risk Registers are compiled and maintained by locally nominated Service Risk Champions/Co-ordinators. Risks scoring 8+ should be escalated to the Corporate Risk Register as agreed by a Committee of the Governing Body & Risk Lead (see appendix D). Directorate Risk Registers should be maintained and monitored via Directorate meetings.

Datix Risk Management Software

All identified CCG risks will be recorded and managed through the CCG Datix risk management system. Datix captures risks at all levels within the organisation from operational (directorate) to strategic level as well as project risks. These risks can be prioritised in accordance with the CCG's Risk Management Strategy, thereby enabling its principal risks to be fed upwards onto the Assurance Framework.

The key objectives of Datix are to: develop and use an agreed coding structure to satisfy the current and anticipated needs of the CCG and, as much as possible, to make risk grading easily understood by relevant managers and directors without compromising the CCG's risk management strategy; make use of Datix system-wide codes for the Risk Register (including Assurance Framework), project and programme risk registers to enable easier sharing of information and risks across different directorates and services; maximise the potential benefit of having an integrated risk management database within the CCG by ensuring that a standard set of reports is accessible across the CCG for its relevant committees and for the Governing Body meetings; centralise storage of related documents and information (assurance records) onto the Datix Risk Register through the use of document templates, file uploads and attached documents from the internal drives.

A system of trained Risk Champions has been established in each directorate who will be responsible for ensuring their department risk registers are managed and updated. A table of departmental Risk Registers, Risk Champions and Risk Owners can be found in the Datix manual on the Enfield CCG intranet. Risk register Owners are Directors and are accountable for the identification, assessment and management/mitigation of all risks in their area. Nominated Risk Champions ensure their risk register is updated, liaising with Risk Leads/Owners.

7.5. Risk Reporting Arrangements

To enable successful risk management and assurance reporting and ensure that it is embedded within the CCG, a monitoring and reporting structure has been established for strategic, operational and project risk. The flowchart can be found in appendix D.

The CCG Governing Body will review the BAF at every meeting. The BAF will have previously been scrutinised at the Audit Committee.

The Finance Committee, Clinical Commissioning Committee and the Quality & Safety Committee will review risks which fall under their remit from the Corporate Risk Register & BAF. This risk register will be produced and maintained by the Risk Champion and Risk & Governance Manager, in line with each Committee's workplan as well as the CCG BAF and risk register reporting workplan. The Directors meeting will also moderate on BAF and corporate risks before scrutiny at the Audit Committee.

Directorate risk registers will be reported at directorate meetings with risk escalated to the Corporate Risk Register via the risk owner and relevant Committee.

Project & programme risk registers will be reported at the Transformation Programme Board, which will recommend risks for escalation to the Corporate Risk Register via the Finance Committee as appropriate (see appendix C).

Closure of risks

The implementation of the action plan and the level of risk must be kept under review. Where implementation of action plans is not producing the anticipated results, the risk should be re-assessed and a revised action plan agreed as necessary. Once all possible actions have been completed or the event has passed, the risk should be recommended to a Committee of the Governing Body for closure. Once approved by the Committee, the risk is closed and updated as closed on Datix for audit purposes and archived. Risks can be re-opened on Datix as deemed necessary by the Risk Leads.

Section 5: Document consultation, approval & ratification

8. Requirements

8.1. Open and Fair Culture

The CCG supports an open, fair and positive learning culture. A culture of openness is central to improving patient safety and the quality of healthcare systems. Encouraging openness and honesty about how and why things have gone wrong will help improve the safety of NHS services. However, disciplinary action may be appropriate to be considered in the following circumstances: repeat occurrences of incidents involving the same individual; deliberate failure to report an incident; failure to co-operate fully in subsequent investigation.

8.2. Training and support

To ensure the successful implementation and maintenance of this Risk Management Strategy, committee members and staff will have access to appropriate advice, guidance, information and training in order to carry out their respective responsibilities for risk control and risk assessment. All staff will receive mandatory training in health, fire & safety, including risk assessment and management as outlined in the CCG essential training/corporate learning and development programme. General awareness raising for staff is also undertaken through staff briefings, induction programmes and inclusion of relevant documents on the intranet. The Risk Management Strategy is accessible to all CCG staff via the CCG intranet.

Consultation and Communication with Stakeholders

It is good practice to involve stakeholders, as appropriate, in all areas of the CCG's activities, and this includes informing and consulting on the management of any significant risks. Interested parties would include: staff, patients and the public within the CCG's; local politicians and the Secretary of State for Health; statutory and voluntary agencies; Local Authority Health Scrutiny Committee; Primary Care practices; Patient and Public Involvement Forum/Links (Health Watch); and Health and Wellbeing Board.

9. Monitoring the Effectiveness of this Strategy

The CCG monitors and reviews its performance in relation to the management of risk, and the continuing suitability and effectiveness of the systems and processes in place to manage risk, through a programme of internal and external audit work, oversight of the CCG Governing Body and Audit Committee and its Annual Governance Statement.

Dissemination and Implementation

This document will be made available to all employees via the CCG intranet and internet.

Equality and Diversity

The CCG aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. All policies and procedures should be developed in line with the CCG's Equality and Diversity policies.

10. Appendix A: Glossary and definitions of governance and risk terms

A risk is an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. It is measured in terms of impact and likelihood.

Issue is a certain or on-going circumstance, which will have or is already having an effect upon the achievement of objectives.

Incident is an event that has occurred and which has had an effect upon the achievement of objectives.

Risk Management is the activities required to identify, understand and control exposure to uncertain (possible) events, which may threaten the achievement of objectives.

Risk assessment is the process used to evaluate the risk and to determine whether precautions are adequate or more should be done. Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires, among other things, that all employers assess the risks to the health and safety of their employees while they are at work and record the risk if they employ 5 or more employees.

Consequence is a measure of the effect that the predicted harm, loss or damage would have on the people, property or objectives affected.

Likelihood is a measure of the probability that the predicted harm, loss or damage will occur.

Strategic risks are significant risks that have the potential to impact across the organisation and are raised and monitored by the relevant CCG Committee, Audit Committee and Governing Body. Strategic risks are those risks that, if realised, could fundamentally affect the way in which the organisation exists or commissions services in the next 1 to 5 years. These risks will have a detrimental effect on the Group's achievement of its key objectives.

Operational risks are key risks that impact on individual service/directorate areas and are managed locally by heads of service, locality leads and senior responsible officers. Operational risks are those risks that, if realised, could affect the way in which the Group operates across its five localities in the next 0-1 years. They will have a detrimental effect on the CCG's key processes and activities that underpin the delivery of objectives.

Corporate risks are all high level strategic and operational risks (8+) identified as affecting ECCG's corporate objectives.

Project/Programme risks are risks that impact on the delivery of key projects/programmes and are the responsibility of Senior Responsible Officers, Project Managers/Project Leads, monitored by Project Boards, Steering Groups and Programme Board.

Risk Appetite: the level and type of risk that the CCG is prepared to accept, tolerate or be exposed to at any point in time.

Risk Owner: the individual who is responsible for the management and control of all aspects of individual risks. This is not necessarily the same as the action owner, as actions may be delegated.

Risk Champion: responsible for ensuring their department risk registers are managed and updated.

Risk Rating: the total risk score worked out by identifying the consequence and likelihood scores and cross referencing the scores on the risk matrix.

Risk Register is a risk management tool which acts as a central repository for all risks identified by the organisation or project. For each risk the register will include information such as risk likelihood, impact, the actions to be taken, the risk owner and so on. Managers should view the risk register as a management tool to review and update the process that identifies, assesses, and manages risks down to acceptable levels. Actions are then instigated to reduce the probability and the potential impact of specific risks.

Board Assurance Framework is a reporting tool for the Governing Body corporately to assure itself (gain confidence based on evidence) about successful delivery of the CCG's strategic priorities. The BAF is designed to focus the Governing Body on controlling principal risks threatening the delivery of those priorities. It aligns principal risks, key controls and assurances on controls alongside each priority.

Stakeholders: person or persons with an interest in ECCG.

Initial Risk Ratings: when a risk is identified, the initial risk score is known as the initial risk rating. This is the risk in the absence of any controls or actions that might alter, mitigate, or reduce the likelihood or impact of the risk. Once controls are put in place, the risk that remains is known as the current risk rating.

Controls are the systems and processes in place that mitigate the risk.

Assurance Sources are internal or external evidence that risks are being effectively managed (e.g., Governing Body Reports, external audit report, CQC reports, NHSE reviews).

Gaps in Control or Assurance are where an additional system or process is needed, or evidence of effective management of the risk is lacking.

The action plan is how the identified gap is to be addressed and how the risk is to be diminished.

External Audit: the organisation appointed to fulfil the statutory functions in relation to providing an opinion on the annual accounts of ECCG.

Internal Audit: the team, which may be part of ECCG or an outsourced provider, responsible for evaluating and forming an opinion of the robustness of the system of internal control.

11. Appendix B: Risk Management, Identification and Scoring guidelines

Introduction

Risk management is a systematic and effective method of identifying risks and determining the most cost effective means to minimise or remove them. It is an essential part of any risk management programme and it encompasses the processes of risk analysis and risk evaluation.

Risk identification requires recognising the objectives the risk could impact on. The objective could be strategic, operational, directorate or project/programme.

Risks are usually analysed by combining estimates of consequence and likelihood in the context of existing control measures. The rating of a given risk is established using a two dimensional grid or matrix (table 3 below) with consequence as one axis and likelihood as the other.

This guidance can be used on its own as a tool for scoring risks, improving consistency and for training purposes. This guidance is integrated with the Governing Body approved Risk Management Strategy and should be used within the framework of Enfield CCG's risk appetite (11.4) and risk management decision making process.

Guidance on Consequence Scoring

When assessing a risk against achieving an objective, the consequence, or how bad the risk being assessed is, must be measured. In this context consequence is defined as the outcome or potential outcome of an event. Consequences should be assessed against objective definitions across different domains to ensure consistency in the risk assessment process.

First define the risk explicitly in terms of the adverse consequence that might arise from the risk being assessed (see example below for cause and effect methodology). Then use Table 1 to determine the consequence score of the potential adverse outcomes relevant to the risk being evaluated. The examples given in Table 1 are not exhaustive.

How to Use Consequence (Table 1)

Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1-5 to determine the consequence score, which is the number given at the top of the column.

Consequence scoring
1 = Negligible
2 = Minor
3 = Moderate
4 = Major
5 = Catastrophic

A single risk area may have multiple potential consequences and these may require separate assessment. It is also important to consider from whose perspective the risk is being assessed because this may affect the assessment of the risk itself, its consequences and the subsequent action taken.

TABLE 1: ASSESSMENT OF THE SEVERITY OF THE CONSEQUENCE OF AN IDENTIFIED RISK*

Choose the most appropriate domain for the identified risk from the left hand side of the table, then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column.

Consequence score (severity levels) and examples of descriptors

Domain: Impact on the safety of patients, staff or public (physical/psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work.
2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days. Increase in length of hospital stay by 1-3 days.
3 Moderate: Moderate injury requiring professional intervention. Requiring time off work for 4-14 days. Increase in length of hospital stay by 4-15 days. RIDDOR*/agency reportable incident. An event which impacts on a small number of patients.
4 Major: Major injury leading to long-term incapacity/disability. Requiring time off work for >14 days. Increase in length of hospital stay by >15 days. Mismanagement of patient care with long-term effects.
5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An event which impacts on a large number of patients.

Domain: Quality/complaints/audit
1 Negligible: Peripheral element of treatment or service suboptimal. Informal complaint/inquiry.
2 Minor: Overall treatment or service suboptimal. Formal complaint (stage 1). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved.
3 Moderate: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2) complaint. Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple complaints/independent review. Low performance rating. Critical report.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards.

Domain: Human resources/organisational development/staffing/competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (< 1 day).
2 Minor: Low staffing level that reduces the service quality.
3 Moderate: Late delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale. Poor staff attendance for mandatory/key training.
4 Major: Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/key training.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training/key training on an ongoing basis.

Domain: Statutory duty/inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty.
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
3 Moderate: Single breach in statutory duty. Challenging external recommendations/improvement notice.
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report.
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report.

Domain: Adverse publicity/reputation
1 Negligible: Rumours. Potential for public concern.
2 Minor: Local media coverage - short-term reduction in public confidence. Elements of public expectation not being met.
3 Moderate: Local media coverage - long-term reduction in public confidence.
4 Major: National media coverage with <3 days service well below reasonable public expectation.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House). Total loss of public confidence.

Domain: Business objectives/projects
1 Negligible: Insignificant cost increase/schedule slippage.
2 Minor: <5 per cent over project budget. Schedule slippage.
3 Moderate: 5-10 per cent over project budget. Schedule slippage.
4 Major: Non-compliance with national per cent over project budget. Schedule slippage. Key objectives not met.
5 Catastrophic: Incident leading >25 per cent over project budget. Schedule slippage. Key objectives not met.

Domain: Finance including claims
1 Negligible: Small loss. Risk of claim remote.
2 Minor: Loss of per cent of budget. Claim less than 10,000.
3 Moderate: Loss of per cent of budget. Claim(s) between 10,000 and 100,000.
4 Major: Uncertain delivery of key objective/loss of per cent of budget. Claim(s) between 100,000 and 1 million. Purchasers failing to pay on time.
5 Catastrophic: Non-delivery of key objective/loss of >1 per cent of budget. Failure to meet specification/slippage. Loss of contract/payment by results. Claim(s) > 1 million.

Domain: Service/business interruption
1 Negligible: Loss/interruption of >1 hour.
2 Minor: Loss/interruption of >8 hours.
3 Moderate: Loss/interruption of >1 day.
4 Major: Loss/interruption of >1 week.
5 Catastrophic: Permanent loss of service or facility.

Domain: Environmental impact
1 Negligible: Minimal or no impact on the environment.
2 Minor: Minor impact on environment.
3 Moderate: Moderate impact on environment.
4 Major: Major impact on environment.
5 Catastrophic: Catastrophic impact on environment.

* Consequence scores rarely change but likelihood does: the chance of us being able to actually reduce the consequence (C) score is low because, should the risk be realised, the outcome is still likely to be the same, so it is the likelihood we are essentially trying to reduce, which in turn will of course reduce the overall risk score.

* RIDDOR: Reporting of Injuries, Diseases and Dangerous Occurrences Regulations

11.3. Guidelines on Likelihood Scoring

Once a specific area of risk has been assessed and its consequence score agreed, the likelihood of that consequence occurring can be identified by using Table 2 below, which includes probability and frequency descriptions. As with the assessment of consequence, the likelihood of a risk occurring is assigned a number from 1 to 5; the higher the number, the more likely it is the consequence will occur:

1 = Rare
2 = Unlikely
3 = Possible
4 = Likely
5 = Almost certain

When assessing likelihood it is important to take into consideration the controls already in place. The likelihood score is a reflection of how likely it is that the adverse consequence described will occur. Likelihood can be scored by considering: frequency (how many times will the adverse consequence being assessed actually be realised?) or probability (what is the chance the adverse consequence will occur in a given reference period?).

What is the likelihood of the consequence occurring?

The reporting-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

Risk Scoring and grading

The risk scoring and grading process is as follows:

a. Define the risk(s) explicitly in terms of the adverse consequence(s) that might arise from the risk.
b. Use Table 1 to determine the consequence score(s) (C) for the potential adverse outcome(s) relevant to the risk being evaluated.
c. Use Table 2 to determine the likelihood score(s) (L) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project or a patient care episode. Use the probability descriptions to determine the most appropriate score.
d. Calculate the risk score by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = RR (total risk score).
e. The 5x5 risk matrix in Table 3 shows both numerical scoring and colour bandings.

Enfield CCG's Risk Management Strategy is used to identify the level at which the risk will be managed in the CCG. A summary of this is in table 4 and section 11.4 below.

Table 2: Likelihood (L) score

What is the likelihood of the consequence occurring?

Likelihood score | Descriptor | Frequency: how often might it/does it happen
1 | Rare | This will probably never happen/recur
2 | Unlikely | Do not expect it to happen/recur but it is possible it may do so
3 | Possible | Might happen or recur occasionally
4 | Likely | Will probably happen/recur but it is not a persisting issue
5 | Almost certain | Will undoubtedly happen/recur, possibly frequently

[Table 3 - Risk Matrix: consequence (Negligible, Minor, Moderate, Major, 5 Catastrophic) against likelihood score (Rare, Unlikely, Possible, Likely, Almost certain)]

The table below provides the risk scores and grades of risks for inclusion on the risk register.

Table 4: Enfield CCG Risk Appetite

Score | Grade | Management | Managed by Risk Owner, reported via
1-3 | Low risk | Tolerate. No action required/directorate Risk Register, review every 6 months | Directorate risk register
4-6 | Moderate risk | Keep under review quarterly | Directorate risk register
8-12* | High risk | Actively manage to reduce risk. Review monthly | 8-10 via the Corporate Risk Register; *12+ via the Board Assurance Framework
 | Extreme risk | Immediate action to reduce risk, review monthly | Board Assurance Framework

*Enfield CCG Governing Body agreed risk appetite for the BAF

ECCG's Risk Appetite

Risk appetite is a threshold: the amount of risk that an organisation is prepared to accept before it takes action.

Definition of the CCG's risk appetite

Methods of controlling risks must be balanced in order to support innovation and the imaginative use of resources, especially when it is to achieve substantial benefit. In addition, the organisation may accept some high risks because of the cost of controlling them. As a general principle the CCG risk appetite is cautious. The CCG will seek to control all highly probable risks which have the potential to: cause significant harm to service users, staff, visitors and other stakeholders; compromise severely the reputation of the organisation; have financial consequences that could endanger the organisation's viability; jeopardise significantly the organisation's ability to carry out its core purpose; threaten the organisation's compliance with law and regulation.

Risk Scoring in Enfield CCG

As part of Enfield CCG's risk management process, all risks identified are evaluated and given a risk level rating. The higher the risk level, the greater the likelihood an opportunity or threat will occur and the greater its consequence.

The risk scoring/tolerance for Enfield CCG is defined as follows (also see flowchart in appendix D):

RED: Risks with scores between will be considered extreme risk, which are unacceptable and should be reported on Datix. The Chief Officer and the Directors should be informed immediately. The consequences of these risks could seriously impact on the organisation's objectives and the responsible Director should ensure that there are suitable and sufficient action plans in place to reduce the risk and that strategic risks are escalated to the BAF. It is the responsibility of the relevant manager to inform the Chief Officer and a nominated director if there is any delay in mitigating the risk.

Orange: Risks scored between 8-12 will be considered high risk, which are unacceptable and should be reported on the Corporate Risk Register. High scoring strategic risks 12 or above should be escalated to the BAF. These risks require prompt actions. With a concerted effort (for example extra resource in terms of funding, staff time etc.) and a challenging action plan, these risks could be realistically reduced within the required timescale.

Managers or staff who identify risks to be high should bring them to the attention of the Risk Champion or Head of Service immediately, who will be responsible for adding the risk to Datix, taking advice where necessary from a Director or the Risk & Governance Team.

Yellow: Risks scored between 4-6 will be considered moderate risk and are tolerable provided the appropriate responses are in place to minimise the likelihood of undesirable occurrences. It should be realistically possible to reduce these risks within a reasonable timescale through reasonably practicable measures to mitigate them. Existing responses should be reviewed, with regular auditing of their effectiveness undertaken. It is the responsibility of relevant managers to ensure that the risk register is kept up-to-date and reviewed at Directorate meetings, with relevant actions taken in order to monitor and mitigate all moderate risks.

Green: Risks scored between 0-3 will be considered low risk and would probably be unlikely to occur. These risks are regarded as acceptable and should be managed locally or within the relevant directorate areas. Services should review low risks on a regular basis at relevant directorate and team meetings. Managers or Team Leaders who are responsible for managing these risks should take advice where necessary from the Risk Champion or Risk & Governance Manager if trends or patterns have been identified in risk assessments.

It is the Manager, Risk Lead or Risk Champion's responsibility to enter these risks into their service or departmental risk registers. The Directorate Team should make decisions on a monthly basis on which low level risks should be archived if no action is required to mitigate these risks. These risks, once fully mitigated, can be archived and are also retrievable if need be.

Acknowledgement: Risk Scoring Tool Source: A risk matrix for risk managers, NPSA, January

Risk identification example using the cause and effect methodology

Directorate Objective: Ensure ECCG Compliance with the DH IG Toolkit at level

Risk Description: Concern about the CCG's ability to attain level 2 IG Toolkit compliance

Causes: Lack of understanding of the Act by staff; low completion rate by staff of IG and data protection e-learning modules; line managers do not encourage staff to read and be aware of CCG policies.

Effects: Patient and/or staff data may be incorrectly processed and shared with 3rd parties; CCG may incur financial penalties if investigated by the Information Commissioner's Office; CCG may receive adverse publicity and reputational damage; level of complaints and litigation claims received may increase.

With the knowledge of our individual causes, we now know where to concentrate our controls and actions to mitigate or at least reduce the risk. If we can eliminate or at least reduce the likelihood of each cause occurring then we can reduce the overall likelihood (L) score. However, the chance of us being able to actually reduce the consequence (C) score is low because, should the risk be realised, the outcome is still likely to be the same (in most cases but probably not all), so it is the likelihood we are essentially trying to reduce, which in turn will of course reduce the overall risk score.

12. Appendix C: Project and Programme Risk Guide for Risk Champions/Project Managers

Step 1 Identify risk
Create a new risk on Datix. If you have not used Datix before, you will need to contact the risk manager to set you up with a log in.
Title for risk: put the project ID first, then the risk title, e.g. 306 Integrated Cardiology Services: Risk to...
Select the Director Lead.
The risk owner is the person who will be managing the risk and updating Datix.
Risk Cause: there may be several risk causes. These should be numbered and kept succinct. For each risk cause there should be a risk impact or risk effect.
Current Controls are the things that you are doing to manage the risk. There should be a control for each element of the risk identified under risk cause(s). If there isn't, this is a gap in control.
You will need to number each control and assurance, and each gap in control and assurance: C1, A1 etc.

Step 2
e.g. Risk to the delivery of savings outlined in the business case for year 1.
Risk caused by assumptions based on unvalidated activity data from Trust.
Risk effect (impact of the risk) is that savings may not be delivered.
Risk Control (what you are doing about it):
C1 validating activity data
C2 developing a recovery plan for project
Risk assurances (how is this being monitored):
A1 validated activity monitored through TPG
A2 recovery plan monitored via TPG and FRQ - developed through project steering group
Gaps in control (what do you still need to do to mitigate the risk):
C1 Provider engagement
Gap in assurance (the evidence that you are taking mitigating action):
A1 No strategy to engage providers

Step 3 Risk approval
You will need to select your risk type as project/programme risk and select the sub type as the programme you are working under. You will also need to identify at what stage the risk was identified and when it is likely to occur by using the drop down boxes. Choose the responsible directorate; this enables the risk champion to run directorate reports.
Once you have completed this part you will need to go to the current approval status and select "for review". The system does not currently send automated alerts for each new risk so you will need to the appropriate person to let them know that there is a risk waiting for their approval. Once the risk is approved it will show on the risk register ready for reporting.

Step 4 Risk Rating
You will need to reference the risk rating guide in assessing your risk grade. There are three types of risk grade:
1. Without mitigation.
2. With controls in place.
3. After you have addressed gaps in controls and identified actions to mitigate the risk.
The risk rating will be moderated through the risk review. Risks rated 8+ should be escalated to TPG under project risk escalation, which will also be the responsible committee for approving the risks rated 8+.

Step 5 Action Planning
Save the risk.
Select Action plan next on the left hand side of the screen.
For each gap in control you will need to have an action in place. Each gap in control will be numbered C1, C2, C3 etc. Reference the action with the corresponding number for the gap, i.e. Action C1 no provider engagement: to develop a strategy to engage providers, set up meeting with senior managers to agree approach.
Each action should have an action lead and deadline. Risks and actions should be reviewed at least monthly as a way of managing your risks and reporting to the TPG.
Under key changes you should identify it as a new risk.

Step 6 Governance
For HIGH and EXTREME project and programme risks (8+) you will need to discuss the risk with the SRO for the project or programme and make a recommendation for the TPG on whether the risk should be escalated to the corporate register. The TPG will decide if it is a risk to the organisation or a strategic risk that needs to go on either the Corporate Risk Register or BAF, based on the recommendation of the SRO.
If a risk is escalated to the corporate risk register or BAF, it becomes the responsibility of the relevant Governing Body sub committee to agree closure or modification on review. All programme and project risks should be identified as project or programme risk unless it is agreed through TPG to be escalated to either the Corporate Risk Register or BAF.
Once the risk has been reviewed by the TPG you will need to go into the risk and make any changes agreed; this includes escalation, de-escalation and changes to the risk rating. These changes should be noted in the "key changes since last review" box for transparency. Risks 8+ should not be closed, de-escalated or escalated without agreement through the TPG.
LOW and MODERATE risks (<6) should be locally managed through steering groups. Low risks may be closed following discussion with Project Leads; Moderate risks should be recommended for closure via directorate or steering group meetings before action.
Under key changes you should identify it as a new risk.

13. Appendix D: Risk Register and BAF Reporting Flowchart to the Governing Body and its Committees

Governing Body
- BAF: Strategic risks. Review and approval at all Governing Body meetings. The Governing Body will hold a Board Seminar focusing on risk twice a year, approve Corporate Objectives annually

Audit Committee
- BAF: Strategic risk. Scrutiny at all Audit Committee meetings.
- Deep dive on significant risks as required
- Review corporate risks

Finance Committee
- Committee Level (Finance, Contracts & QIPP) Risk Register (strategic, corporate & operational risk 8+) no less than 4 times a year

Clinical Commissioning Committee
- Committee level commissioning risks 8+ including NCL joint commissioning no less than 4 times a year

Quality & Safety Committee
- Committee level Risk Register (strategic, corporate & operational risk 8+) no less than 4 times a year

Audit Committee
Scrutiny of adequacy of systems of internal control

Directorate Meetings

Transformation Board
- Project/Programme Risk Register: Monthly review of 8+ Project/programme risk register, risk identification, reporting and escalation
- Escalate 8+ operational/strategic risks to Corporate Risk Register and 12+ strategic risk to the Assurance Framework via the Finance Committee

Clinical Reference Group
Identification of new clinical commissioning risks for escalation to the CRR or BAF via the Clinical Commissioning Committee

Quality & Risk Sub Group
- Quality & Safety Risks: Identification of new quality & safety risks for escalation to the CRR or BAF via the Quality & Safety Committee
- Oversight role, review and moderate on risk registers before Audit Committee scrutiny.

14. Appendix E: Integrated Risk Management in ECCG

Directorate Risk Registers should contain all Directorate risks

15. Appendix F: Governing Body Assurance Framework Template


More information

Croydon Borough Team Integrated Governance and Audit Committee. Minutes. Paula Swann, (PS) Croydon Borough Amy Page (AP), Chief Nurse, Croydon CCG

Croydon Borough Team Integrated Governance and Audit Committee. Minutes. Paula Swann, (PS) Croydon Borough Amy Page (AP), Chief Nurse, Croydon CCG Attachment E3 Croydon Borough Team Integrated Governance and Audit Committee Date: Thursday 13 December 2012 Time: 10 12 p.m. Location: Room 11.4 Leon House Minutes Present: In Attendance: Members: Maureen

More information

Version: th November 2010 RISK MANAGEMENT POLICY

Version: th November 2010 RISK MANAGEMENT POLICY Version: 1.2-25th November 2010 RISK MANAGEMENT POLICY Document History Document Location To be completed. Revision History Date of this revision: 17/09/2010 Date of next revision: N/A Revision Number

More information

CO14: Risk Management Policy

CO14: Risk Management Policy Corporate CO14: Risk Management Policy Version Number Date Issued Review Date V3.1 20/12/17 30/04/2018 Prepared By: Consultation Process: Policy & Corporate Governance Lead, NHS County Durham & Darlington

More information

The Australian National University Fraud Control Framework. Corporate Governance & Risk Office

The Australian National University Fraud Control Framework. Corporate Governance & Risk Office The Australian National University Fraud Control Framework 2017 2018 Corporate Governance & Risk Office Corporate Governance and Risk Office 21 July 2017 The Australian National University Canberra ACT

More information

Information Asset Risk Assessment Procedure

Information Asset Risk Assessment Procedure Information Asset Risk Assessment Procedure UNIQUE REF NUMBER: AC/IG/012/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT

More information

Risk Management Policy

Risk Management Policy Risk Management Policy May 2018 Contents 1.0 Purpose... 3 2.0 Scope... 3 3.0 Risk appetite... 3 4.0 Risk management process... 4 5.0 Measuring success... 7 6.0 Review of policy... 7 Appendix A Definitions

More information

Risk Management Policy and Procedures.

Risk Management Policy and Procedures. Risk Management Policy and Procedures. Rev Date Purpose of Issue/Description of Change Date 1. June 2006 Initial Issue 2. November 2009 Revised and updated 6 th November 2009 3. September 2010 Revised

More information

What keeps Trust Boards awake at night? (2015 Edition) Foundation and NHS Trust Assurance Framework Benchmarking

What keeps Trust Boards awake at night? (2015 Edition) Foundation and NHS Trust Assurance Framework Benchmarking What keeps Trust Boards awake at night? (2015 Edition) The overall purpose of the insight is to enable individual Foundation Trusts and NHS Trusts to understand how key elements of their Assurance Frameworks

More information

3 February 2016 Enclosure H1

3 February 2016 Enclosure H1 Report to Trust Board (in public) Title Finance & Performance Committee Chairman Report Sponsoring Director F & P Committee Chairman / Non-Executive Director Author Haq Khan Deputy Director of Finance

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK Risk Management Framework RISK MANAGEMENT FRAMEWORK Purpose This Risk Management Framework introduces St. Michael s College s approach to risk management. It includes a definition of risk, a summary of

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Guidance Paper No. 2.2.6 INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES OCTOBER 2007 This document was prepared

More information