NHS BROMLEY CLINICAL COMMISSIONING GROUP RISK MANAGEMENT STRATEGY

Transcription

1 NHS BROMLEY CLINICAL COMMISSIONING GROUP RISK MANAGEMENT STRATEGY 1

2 CONTENTS Page Number Introduction 3 Purpose 4 Objectives 4 Systematic Approach to Risk Management 4 The Risk Management Structure 5 Risk Reporting, Risk Management and Risk Rating 6 Duties and Roles 8 Risk Management Structure/Assurance Framework 10 Independent Assurance 11 Review 11 2

3 INTRODUCTION 1. Risk management is an ongoing process that supports delivery of both the CCG s strategic and operational objectives. Risk can be seen as something negative, a constraint on achieving the organisation s objectives, but by acknowledging risk and having processes in place to manage it effectively, the CCG can embrace the opportunities provided by innovation and creativity. 2. Bromley CCG s Risk Management Strategy aims to deliver a pragmatic and effective multi-disciplinary approach to risk management, which is underpinned by a clear accountability structure throughout the organisation. 3. The strategy recognises the need for robust systems and processes to support continuous programmes of risk management, enabling all staff, clinicians, the Governing Body, committees and working groups to integrate risk management into their daily activities. It outlines the approach the CCG will take to ensure that it develops throughout the organisation effective risk management processes, which will enable the CCG to deliver its objectives and meet its statutory requirements. It forms a key component of the CCG s overall governance arrangements. 4. The CCG s Risk Management Strategy will: Provide a clear definition of the approach and direction to be taken to manage risks and opportunities in an effective and efficient manner Facilitate the Governing Body of the CCG s awareness of all significant risks and allow the Governing Body to allocate resources appropriately, in a prioritised way, to manage risk and ensure that all sections of the CCG meet their objectives Provide a strategic framework through which to identify, assess, control, eliminate and transfer risk within the CCG Support commissioning processes that provide the services the people of Bromley need in a way that makes best use of financial resources, to nationally consistent standards of quality and safety Provide the means by which the CCG can integrate risk management within the organisation and effectively manage risks to the delivery of business priorities Protect the services, reputation and finances of the CCG 5. The risk management strategy and assurance process is based on recognised best practice and underpins the production of the CCG s Annual Governance Statement. It also ensures that all the CCG s corporate and principal objectives are met. It will systematically identify at all levels, those risks that could affect these objectives, and take every reasonable step to control the risks. 3

4 This includes a process to monitor, and if necessary, improve how risks are being managed. 6. Bromley CCG employs effective techniques for risk management, supported by good information systems, discusses and shares risk information and trains and supports its staff to an appropriate level of expertise. 7. Bromley CCG also requires the individuals and organisations from whom it commissions health services or business support, in pursuit of its objectives, to demonstrate that they have effective risk management systems. PURPOSE 8. An effective risk management system is fundamental in ensuring good governance. Its aim is to continually improve the quality of health service commissioning through the identification, prevention, control and mitigation of risks. 9. The Governing Body of the CCG requires robust and independent assurances on the effectiveness of the systems and processes in place for meeting its objectives and delivering appropriate outcomes. This requires assurance that the processes of risk identification, evaluation and control are effective. The corporate risk register and assurance framework provide this assurance, and enable the Governing Body to be assured that the controls applied in the mitigation of risk are operating effectively. OBJECTIVES 10. The objectives of the risk management strategy and assurance framework approach described here are: Ensuring compliance with all standards and regulations that apply to health care and non-healthcare for all commissioned services; Ensuring a common and integrated approach to risk management across the CCG Implementing and managing a robust assurance framework that addresses risks at all levels of the organisation with relevant and appropriate escalation SYSTEMATIC APPROACH TO RISK MANAGEMENT 11. The CCG has adopted a generic model for identifying, prioritising and dealing with risks in any situation at department or corporate level. It comprises definition, scope and consequence of risk. It provides an effective means of controlling and mitigating the risks associated with the delivery of commissioned 4

5 services, the achievement of corporate objectives and any other aspect of Bromley CCG s business. 12. It has also adopted a risk management and assurance toolkit which sets out the terms and definitions and processes for managing risk in the organisation. THE RISK MANAGEMENT STRUCTURE 13. The risk management and assurance structure allows for risk to be captured, reported and managed across the organisation. It enables risks to be considered at an operational level and strategic level depending on the nature and severity of the risk as represented by an assessment of its likelihood of occurring, the potential area impacted by that risk and the consequences resulting from its potential occurrence. 14. At an operational level, managers and clinicians within the CCG are responsible for ensuring that appropriate and effective risk management processes are in place for each department / function within their scope of responsibility. They must also ensure compliance with the CCG approach to risk management and assurance for the Governing Body and bring to the attention of their director/department lead any significant risks that have been identified where local control measures are considered to be inadequate. This is achieved through the production of directorate/departmental risk registers covering every operational function. 15. The Clinical Executive Group of the CCG is responsible for ensuring that a top-down process of identification of risks associated with the strategic objectives of the organisation is undertaken and constantly reviewed and updated. These risks comprise the corporate risk register (assurance framework) of the Governing Body. The Clinical Executive Group is also responsible for ensuring that risk registers are in place for each of its directorates and departments, and that operational risks are escalated to strategic level, where appropriate, by incorporating them into the corporate risk register (assurance framework). This will require directors to give consideration for escalation to the corporate risk register of any red-rated directorate risk (score 15 or more). The corporate risk register will contain all risks to the CCG s strategic objectives, including those high to medium strategic risks (25 12) with inadequate controls escalated from the directorate risk registers. 16. The Governing Body of the CCG owns the organisational objectives, risks to delivery, assurance framework and corporate risk register. It must satisfy itself that operational responsibility is being discharged such that the organisation both mitigates risk and has a reasonable chance of delivering upon its objectives. The 5

6 Governing Body receives additional assurance from the Integrated Governance Committee and Quality Assurance Subcommittee on the challenge and scrutiny. 17. The Audit Committee, as part of the assurance it provides to the Governing Body on all financial, management and clinical governance systems, provides independent assurance to the Governing Body that there is a risk management and assurance process in place, that is appropriate, and fulfilling its purpose. RISK REPORTING, RISK MANAGEMENT AND RISK RATING 18. Risk registers are the mechanism by which identified risks are recorded and the details of the associated controls and assurances put in place to manage an individual risk to its agreed acceptable level. 19. Risk registers are used at each level of risk reporting. Individual risks are assessed on a range from 1 to 5 in terms of likelihood and impact. The overall risk score is the product of these two assessments. Each risk is scored three times; first in terms of the risk as originally identified, second after existing controls are taken into account (the residual or current risk), and third after plans for mitigation of the risk have been implemented. 20. Detailed exception reports/action plans are required for residual risks scoring 15 or more. Risks scoring less than 9 after mitigation are generally considered to be acceptable i.e. they fall within the risk appetite of the CCG. 21. Some risks are referred to as zero tolerance risks and are noted on the corporate risk register. This means that the Governing Body will need to be constantly aware of these risks regardless of the rating. They will always be included in the corporate risk register, whatever the residual risk rating is considered to be. An example would be Safeguarding. 22. The model register employed by the CCG is reproduced on the following page.. 6

7 7

8 DUTIES AND ROLES 23. A prerequisite for the effective management of risk is the need for all staff, clinicians, the Governing Body, committees and working groups to be clear on, and to fully undertake, their specific duties in respect to their roles and responsibilities within the risk management structure. 24. The key duties of staff are as follow: Chief (Accountable) Officer has overall responsibility for ensuring there is an effective risk management or assurance framework in place within the CCG, for meeting all statutory requirements, adhering to guidance issued by the Department of Health in respect of Governance and is required to sign the Annual Governance Statement. The accountable officer is accountable to the NHS Commissioning Board. All Clinical Leads, Directors and Managers All levels of management must understand and implement the principles of the assurance framework and the toolkit. All Clinical Leads, Directors/Directorate managers are responsible for: - o Ensuring that appropriate and effective risk management processes are in place within their designated area(s) and scope of responsibility. o Ensuring all staff are made aware of the risks within their work environment and of their personal responsibilities. o Preparing specific Directorate/Departmental policies and guidelines to ensure all necessary risk assessments are carried out within their directorate/department in liaison with appropriate identified relevant advisors where necessary. o Implementing and monitoring any identified and appropriate risk management control measures within their functions and scope of responsibility. o Ensuring that in situations where significant risks have been identified and where local control measures are considered to be potentially inadequate, Directors/ Directorate managers are responsible for bringing these risks to the attention of the Clinical Executive Group of the CCG and the Governing Body o Ensuring that all staff are given the necessary information and training to enable them to undertake effective risk management practices. o Ensuring that a risk register is maintained for each area of responsibility All Employees should understand the nature of risk and accept responsibility for risks associated with their area of authority. They are responsible for:- o Reporting incidents/accidents and near misses using the agreed channels. 8

9 o Complying with all CCG rules, regulations, guidance and instructions to protect the health, safety and welfare of anyone affected by the CCG s business. o Complying with all rules, regulations, guidance and instructions to ensure the CCG carries out its business in a safe and proper manner. 25. The Governing Body has overall responsibility for: Ensuring that the CCG has a risk and assurance framework in place; Identifying all its key significant risks and that they are being managed appropriately. Undertaking periodic horizon scanning for strategic risks using the PEST analysis 1 Receiving and monitoring the key risks via the assurance framework and corporate risk register. It needs to be satisfied that appropriate policies and strategies are in place and that systems are functioning effectively. 26. The Audit Committee will; Review the establishment and maintenance of an effective system of internal control and risk management. Review the adequacy of the assurance framework and the structures, processes and responsibilities for identifying and managing key risks facing the CCG Use the Corporate Risk Register to identify areas for internal audit and deep dives 27 The Primary Care Commissioning Committee will; Identify and monitor the key risks associated with the commissioning of primary medical services in Bromley Ensure that such risks are being managed appropriately Escalate to the corporate risk register (and Governing Body) any significant risks to the CCG s corporate objectives that it might identify 28. The Integrated Governance Committee will; Receive and review new and updated versions of the Corporate Risk Register, as agreed by the Clinical Executive Group, and provide assurance to the Governing Body and Primary Care Commissioning Committee, as appropriate, on the management of risk across the whole range of the CCG s business, including finance, performance, quality and safety. 1 PEST - Analysis under the following headings: Political, Economic, Social & Technological 9

10 Monitor the on-going management of these risks through its receipt and scrutiny of monthly Integrated Governance Reports. 29. The Quality Assurance Subcommittee will; Continuously monitor, in greater depth than the Integrated Governance Committee, the management of risks to the quality and safety of patient services commissioned by the CCG and provide assurance to the Integrated Governance Committee, Primary Care Commissioning Committee and the Governing Body 10

11 RISK MANAGEMENT STRUCTURE/ASSURANCE FRAMEWORK Primary Care Commissioning Committee (PCCC) Receives the Primary Care Risk Register and escalates to GB via CRR Governing Body (GB) Receives the Corporate Risk Register which is updated quarterly Integrated Governance Committee (IGC) Reviews CRR against monthly Integrated Governance, Finance & Quality Reports Audit Committee Reviews adequacy of CRR as an internal control mechanism. Uses CRR to identify risk areas for deep dives and for audit planning Quality Assurance Subcommittee Reviews risks to quality & patient safety Corporate Risk Register (CRR) The CRR is refreshed at the beginning of each financial year to reflect the CCG s strategic objectives as set out in strategic and operational plans for the year. It is subsequently reviewed quarterly and submitted to the IGC, GB and Audit Committee. Individual risks can be reviewed as appropriate at any time. Clinical Executive Group Meets monthly to review management of key risks and agree and take ownership of CRR Directorate Risk Registers Directorate Risk Registers are updated monthly for each directorate (Quality and Governance, Commissioning (inc. Primary Care), Finance, and OD). Risks at this level identified by directors as relevant to the CCG s strategic objectives are elevated to the CRR. Project/Service Risk Registers Project and Service level risk registers are produced as required in accordance with the Risk Management Strategy and fed into the Directorate Risk Registers as considered appropriate by the managers who are the risk owners and their director. 11

12 INDEPENDENT ASSURANCE 30. External audit provides assurance that the assurance framework is in place, in collaboration with the annual audit reviews carried out by Internal Audit. 31. Internal audit reviews the process for the maintenance and delivery of the assurance framework and provides the assurance that it meets the requirements of the Department of Health. Internal audit also reviews other risk areas in line with an agreed annual audit plan and reports its findings to the audit committee. 32. The NHS Litigation Authority perform an independent assessment against risk management standards, in order to establish the level of discount the CCG receives in relation to its indemnity contribution schemes. REVIEW 33. The approach Bromley CCG adopts to manage risk and provide assurance to the Governing Body, as described within this documentation, is reviewed annually by the audit committee who reports to the Governing Body upon its findings. 12