RISK ASSESSMENT AND RISK REGISTER PROCEDURE

Transcription

1 RISK ASSESSMENT AND RISK REGISTER PROCEDURE Reference No: UHB 024 Version No: 1 Previous Trust/LHB Ref No: Trust 162 & 206 Documents to read alongside this Procedure Risk Management Policy Health and Safety Policy Control of Substances Hazardous to Health (COSHH) Procedure Display Screen Equipment Procedure Management of Violence and Aggression (Personal Safety) Policy Minimal Manual Handling Policy Risk Assessment for New and Expectant Mothers Procedure Thermal Comfort Procedure Classification of document: Area for Circulation: Author: Executive Lead: Group Consulted Via/ Committee: Ratified by: Corporate UHB Wide Governance and Risk Manager Director of Governance Directors, Divisional Teams and Corporate Departments Audit Committee Date Published: 28 th January 2011 Version Number Date of Review Reviewer Name 1 Melanie Westlake Completed Action To replace Previous Trust Versions 162 & 206 Approved By Audit Committee Date Approved New Review Date 25/01/11 25/01/14 Disclaimer When using this document please ensure that the version you are using is the most up to date either by checking on the UHB database for any new versions. If the review date has passed please contact the author. OUT OF DATE POLICY DOCUMENTS MUST NOT BE RELIED ON Page 1 of 38 Ref: UHB 024

2 RISK ASSESSMENT AND RISK REGISTER PROCEDURE CONTENTS Page No. 1 Introduction 3 2 Aim 3 3 Objectives 4 4 Scope 4 5 Definitions 4 6 Roles and Responsibilities 5 7 Process for Undertaking Risk Assessments and Recording their findings 11 8 Resources 12 9 Training Implementation Further Information Equality Impact Assessment Audit Review 14 Appendices: 1 Definitions of Terms 15 2 Risk Assessment Flow Chart 19 3 Risk Assessment Scoring and Matrix 21 4 General Risk Assessment Form Part General Risk Assessment Form Part Steps of Risk Assessment 32 7 Specialist Advisors 36 8 References and Further Reading 38 Page 2 of 38 Ref: UHB 024

3 1. INTRODUCTION The Vision of the Cardiff and Vale University Local Health Board (UHB) is that it:- will be the flagship UHB in Wales, with an international reputation for excellence and innovation. Our skilled and committed staff will provide safe, high quality care, at the right time, in the right place We will work with partners and with communities to support the people of Cardiff and Vale in improving their own health and well-being. We will build a shared sense of pride and purpose in our health services. The UHB will face a number of risks which will potentially affect achievement of its Vision. These risks could have an impact on the:- safety of patients, staff or the public; ability to deliver services and care; quality of the care that is provided; ability to comply with legislation, mandatory requirements and guidance; reputation of the UHB; ability to achieve objectives and meet project deadlines; and finances and resources of the UHB. The UHB will be able to appropriately respond to, and prioritise the risks that it faces if it identifies them and considers how it is going to manage them. This process is known as Risk Assessment. Risk assessments must be suitable and sufficient. There is a specific legal requirement under the Management of Health and Safety at Work Regulations 1999 to carry out a suitable and sufficient assessment of the risks to the health and safety of employees and anyone else who may be affected by activities of the UHB. Once assessed any action required to further manage the risk should be identified and these actions should be considered in the appropriate forums where they will be prioritised. Where risks present a moderate, high or extreme risk to the UHB they should be recorded on the appropriate risk register. This will assist with the prioritisation of actions. The completion of risk assessments and the management of risk registers form part of the risk management arrangements within the UHB. 2. AIM The aim of this procedure is to identify how risk assessments will be undertaken, recorded and prioritised within the UHB. It will also identify who is responsible at each stage of the process. Page 3 of 38 Ref: UHB 024

4 3. OBJECTIVES Cardiff and Vale University Local Health Board The objectives of this procedure are to ensure that the UHB has a general risk assessment process which:- 4. SCOPE Defines a risk assessment, risk register and other associated terms commonly used; Clarifies who is responsible throughout the process from identification to resolution; Specifies how they will be considered, prioritised and managed within the UHB; Is simple to use; Provides consistent scores when used by staff from a variety of roles and professions; and Is capable of assessing a wide range of risks including clinical, health and safety, financial and reputational. This procedure outlines the general risk assessment process. It should be used for identifying general health and safety risks, financial risks, general clinical risks, risks to the reputation of the UHB etc. Within the healthcare setting there are a number of different types of risk assessment. Some relate to individual patients e.g. Falls Assessment, others relate to a particular risk in the workplace e.g. Manual Handling. Where specific assessment criteria are contained within other UHB policies and procedures they should be used. It may however, from time to time, be necessary to consolidate the findings from a number of specific assessments into a single general risk assessment where there are trends which require action e.g. a disproportionate number of falls in a ward and it is identified that this is due to the flooring and not the clinical condition of the patients. This procedure is applicable across the whole of the UHB. It should also be referred to when assessing risks in association with contractors and partner organisations e.g. Local Authorities. 5. DEFINITIONS A full list of definitions for words and phrases used throughout this procedure and within the field of risk management/assessment are listed in Appendix 1. Some of the common ones are shown below:- Hazard Anything that may cause harm, damage or loss, e.g. chemicals, manual handling Risk - The chance of suffering harm caused by a hazard, loss or damage or the possibility that the UHB will not achieve an objective Page 4 of 38 Ref: UHB 024

5 Risk Assessment - The overall process of identifying risk and evaluating whether acceptable or not taking into account best practice and the appetite of the organisation. Risk Register/Profile - A documented and prioritised log of the overall assessment of a range of risks faced by the organisation 6. ROLES AND RESPONSIBILITIES 6.1 The Board, Committees and Groups The Board is responsible for the organisations system of internal control, including risk management and it is required to ensure that there are proper and independent assurances given on the soundness and effectiveness of the systems and processes in place for meeting strategic objectives and delivering appropriate outcomes The Board is responsible for debating and discussing its strategic risks and for reaching agreement on those top scoring risks set against the high level objectives and priorities for the UHB. The Board s assessment of its strategic risks will inform operational planning as such plans will need to reflect actions to manage both strategic and operational risks The Board will determine its risk appetite which will confirm its attitude to risk. This will be communicated to the whole organisation and be applied in decision making to inform the prioritisation of actions and the resources required to resolve risks The Audit Committee will receive the Corporate Risk Register of extreme risk and those high risks that score 15 or above at every meeting and advise the Board of those risks that have been assessed as presenting an extreme risk to the organisation Where risks present an extreme or high risk scoring 15 or above the appropriate Committee of the Board e.g. the Quality and Safety Committee for patient safety related risks, will consider them. The Committees will provide assurance to the Board that all reasonably practicable steps have been taken to reduce the risk, that effective controls are in place and it is being managed at a tolerable level The Board will review all of the extreme risks to which it is exposed, ensuring effective controls are in place to reduce these risks to a tolerable level Key issues arising from the Corporate Risk Register will be used to inform the agenda for the Management Executive Team and Operational Board of Directors On an annual basis the Board and each Committee will receive a report summarising: Page 5 of 38 Ref: UHB 024

6 Themes and cross cutting issues identified throughout the year. The total number of risks on the register at the beginning and end of the period; Those that have been added; Those that have been removed from the register; Those that have been reduced; and Those that have increased during the year The Board will utilise the information identified via the risk management and risk assessment arrangements to help inform the Assurance Framework. 6.2 Chief Executive The Chief Executive Officer, as accountable officer, is responsible for systems of internal control and implementing the policies set by the Board. The Chief Executive Officer also has overall accountability for risk management within the UHB and as such is responsible for ensuring that there are adequate arrangements in place to identify and manage risk. These arrangements will help to provide the necessary assurances to demonstrate that the Board has been properly informed about the totality of its risks, both clinical and non clinical and that the appropriate systems are in place to manage all such risks. 6.3 Director of Governance The Director of Governance has delegated responsibility for ensuring that arrangements are in place to effectively assess and manage risks within the UHB. This will include the need to ensure that adequate training is available within the UHB. They will be supported in this role by the Governance and Risk Manager. 6.4 Executive Directors and other Corporate Directors Executive and other Corporate Directors are responsible for ensuring that: Comprehensive assessments have been undertaken of all risks that fall within their area of responsibility The assessment of risk is embedded within the day to day management of their Directorate Their Divisions and Clinical Directorates/Localities/Departments undertake suitable and sufficient risks assessments, record their findings, identify effective controls, develop appropriate action plans and advise them via the appropriate forums of all extreme and high risks They report, in association with the Director of Governance, all extreme risks to the UHB Board, recommending the actions that they consider necessary to reduce the risk to a tolerable level. Page 6 of 38 Ref: UHB 024

7 6.4.5 They report to the appropriate UHB Board Committee, in association with the Director of Governance, all extreme risks and those high risks that score 15 or above. They will recommend to the Committee the actions that they consider necessary to reduce the risk to a tolerable level Where the UHB is actively engaged in partnership working, that the appropriate risk assessments have been undertaken. Where risks are identified they must be documented and appropriate arrangements put in place for their effective control and management. The Risk Owner for each of the risks must be clearly identified taking into account statutory and contractual arrangements to ensure that the UHB is aware of those risks for which it could be liable On an annual basis they will receive a report summarising:- Themes and cross cutting issues identified throughout the year. The total number of risks on the Divisions register at the beginning and end of the period; Those that have been added; Those that have been removed from the register; Those that have been reduced; and Those that have increased during the year. 6.5 Divisional Directors, Assistant Directors and Clinical Director Medicines Management The Divisional Directors, Assistant Directors and Clinical Director Medicines Management will ensure that: The assessment of risk is embedded within the day to day management of their Division/Directorate, that activities, projects etc have been assessed at their inception and that there are clear performance management arrangements in place to ensure that effective controls are in place and appropriate action is taken to manage risks at a tolerable level or escalate via the appropriate forum/management reporting line Arrangements are in place to undertake appropriate risk assessments, record their findings, develop appropriate action plans and advise them via the appropriate forums of all extreme or high risks Their staff are aware of the Register Procedure and arrangements for assessing, managing and monitoring risks within their Clinical Directorate or Department The training needs of staff are assessed in accordance with the Knowledge and Skills Framework (KSF) and that where further development is required this is reflected within Personal Development Plans (PDPs). Page 7 of 38 Ref: UHB 024

8 6.5.5 Where risks have been assessed as extreme or high the advice of the appropriate specialist (see Appendix 7) has been sought regarding the accuracy of this score and the actions required to mitigate it The Divisional Management Team and Quality and Safety Group (where applicable) meeting, or other appropriate forum receives regular reports detailing the risks which have been assessed as extreme or high, the action required to manage these risks together with recommendations that should be taken by the UHB if the risk is to be reduced to a tolerable level. 6.6 Divisional Managers The Divisional Managers will ensure that: Risk management and the assessment of risk is a key component of operational planning and management for the Division Risks registers are populated and utilised as appropriate at Divisional and Directorate levels They work with the Divisional Nurse to provide advice within the Division on the production of risk registers The Divisional Director is informed of all areas of strategic and operational risk that have been assessed as presenting an extreme or high risk. 6.7 Divisional Nurses The Divisional Nurses will ensure that: Clinical risk within the Division is assessed in accordance with the Risk Assessment and Risk They work with the Divisional Manager to provide advice within the Division on the production of risk registers. Note: Where a Division does not have a Divisional Nurse the Divisional Director and Divisional Manager will ensure that the responsibilities detailed above have been appropriately discharged. 6.8 Directorate/Locality Managers Directorate/Locality Managers are responsible for ensuring that: Risks are effectively identified, managed and recorded on the Directorate Risk Register where they present a moderate, high or extreme risk to the UHB. Page 8 of 38 Ref: UHB 024

9 6.8.2 They advise the appropriate Health and Safety Adviser/Clinical Governance Facilitator or the Governance and Risk Manager where a risk has been assessed as being High or Extreme to allow them to advise on the appropriateness of the risk assessment score Appropriate plans are developed and maintained to manage these risks The Risk Register is reviewed and monitored via the appropriate forums High and extreme risks are communicated to the Divisional Manager for inclusion in the Divisional Risk Register. 6.9 Directorate/Locality Lead Nurses The Directorate/Locality Lead Nurses will ensure that: Clinical risk within the Directorate is assessed in accordance with the They work with the Directorate/Locality Manager to provide advice within the Directorate on the production of risk registers. Note: Where a Directorate/Locality does not have a Lead Nurse the Clinical Director and Directorate/Locality Manager will ensure that the responsibilities detailed above have been appropriately discharged Ward/Department Managers Ward/Departmental Managers are responsible for ensuring that: Tasks, functions and projects within their area of responsibility are assessed and action plans are developed to ensure that risks are reduced to a tolerable level Action plans identify those that are responsible for taking the action and are SMART (Specific, Measurable, Achievable, Realistic, Timed). Achievement of actions will be monitored as part of the performance framework and will be contained within individual and departmental objectives as appropriate Risks which are assessed as Moderate, High or Extreme are reported via appropriate forums and structures to the Directorate/Locality Manager Where a risk impacts on patient care the appropriate Consultant(s) are informed so that the Patient Care Plans can be developed accordingly They liaise with the Occupational Health Department where a risk assessment identifies that employees may require health surveillance. Page 9 of 38 Ref: UHB 024

10 6.11 Employees Employees should be actively engaged in the risk assessment process within their area of work. Their views and those of their safety representatives should be sought. If an employee identifies a risk they must report it to the appropriate person. They should also be actively engaged in the development of effective solutions and the agreement of action plans Governance and Risk Manager The Governance and Risk Manager will ensure that: A Risk Assessment Procedure has been developed and that it is regularly reviewed taking in to account the latest developments and research Competent risk management advice is provided to the organisation Divisions and Directorates are sign-posted to the relevant specialist advisor where appropriate to assist with the undertaking of risk assessments and the development of action plans Appropriate training is provided in risk assessment. This could be via specific courses or as part of a wider training programme e.g. the Managing Safely Course Reports are provided to the UHB Board and its Committees as required to allow them to receive appropriate assurance and take remedial action to ensure that risks are reduced to a tolerable level They meet regularly with Divisional Managers, Divisional Nurses and Assistant Directors to agree the Divisional Risk Register prior to its submission to the appropriate Executive/Corporate Director Clinical Governance Facilitators The Clinical Governance Facilitators will, on request, provide advice where risks are of a clinical/patient safety nature. Where a risk has been assessed as High or Extreme they will help to advise on the appropriateness of the assessment Health and Safety Department The Health and Safety Department will, on request, provide advice where a risk is related to health and safety. Where a risk has been assessed as High or Extreme they will help to advise on the appropriateness of the assessment. Page 10 of 38 Ref: UHB 024

11 The specialist Health and Safety Advisers (e.g. Manual Handling Advisors, Violence and Aggression Advisors) may be able to assist departments through the preparation of generic assessments for frequently reoccurring risks across the UHB Occupational Health Department The Occupational Health Department should be consulted on risk assessment issues where there may be an impact on the health of staff. 7. PROCESS FOR UNDERTAKING RISK ASSESSMENTS AND RECORDING THEIR FINDINGS A suitable and sufficient risk assessment can be undertaken by following the 5 steps detailed below. Step 1 Identify the hazards (what can go wrong?) Step 2 Decide who might be harmed and how (what can go wrong? Who is exposed to the hazard?) Step 3 Step 4 Review Evaluate the risks (how bad? How often?) and decide on the precautions (is there a need for further action?) Record your findings, proposed action and identify who will lead on what action. Record the date of implementation. Step 5 Review your assessment and update if necessary. More in depth information is available in the following publications: Five Steps to Risk Assessment, INDG163 (rev 2) 06/06, Published by the Health and Safety Executive Healthcare risk assessment made easy, Gateway Reference Number 8083, Published by National Patients Safety Agency (NPSA) - 2%ac&p=3 Page 11 of 38 Ref: UHB 024

12 Undertaking an initial assessment of the activities and objectives to be achieved will help areas to identify those areas that require a more in-depth assessment. The General Risk Assessment Form Part 1 (see Appendix 4) should be used to summarise the relevant information and undertake an initial assessment of the risk. If it is found that the risk is scoring 6 or above a more in-depth assessment should be undertaken utilising either the General Risk Assessment Form Part 2 (see Appendix 5) or a more specific form e.g. a Manual Handling Risk Assessment Form. Risk assessments should not be undertaken in isolation and a multi-disciplinary approach is encouraged. Employees and their representatives should be engaged at all stages of the risk assessment process. Appendix 6 explains the 5 Steps summarised above in more detail. Risk Assessments should be retained whilst they remain current and for 6 years following the date of their review. 8. RESOURCES No additional resources have been identified as a result of approval of this procedure. However, it is likely that issues will arise which will require resources when establishing effective controls that need to be put in place to manage risks. As such issues arise a full review will be undertaken and resources will be identified as part of the action planning process. It will also be necessary to review the resources required to deliver an appropriate training programme as the development needs of staff are identified. 9. TRAINING The Governance and Risk Manager will work with the Executive Director of Workforce and Organisational Development to ensure that training programmes within the UHB incorporate the methodology for assessing and recording risks where appropriate. Examples of courses where it is already included are as follows:- 9.1 Risk management awareness and the basic approach to risk assessment in the Induction and Mandatory Training programmes facilitated within the UHB. 9.2 Courses organised by the Health and Safety Department which include risk assessment e.g. Manual Handling, Violence and Aggression. 9.3 Clinical Governance Development sessions facilitated by the Patient Safety and Quality Department will ensure that Clinical Risk Assessment is incorporated as appropriate. Page 12 of 38 Ref: UHB 024

13 9.4 The Governance and Risk Manager will provide general risk assessment training in response to the needs of the Divisions and Directorates. 10. IMPLEMENTATION A Project Initiative Document will be developed to identify how the Risk Assessment and Risk Rating Procedure will be implemented. The Responsibilities section of this document outlines the responsibilities of those within the UHB that have a key role to play in the implementation of this document. Line Managers will ensure that all new staff are made aware of the procedure and the relevance within their area of work. 11. FURTHER INFORMATION Full details of the references used to inform this Procedure are detailed in Appendix EQUALITY IMPACT ASSESSMENT The UHB is committed to ensuring that, as far as is reasonably practicable, the way it provides services to the public and the way it treats its staff reflects their individual needs and does not discriminate against individuals or groups. The UHB has undertaken an Equality Impact Assessment and received feedback on this procedure and the way it operates. The UHB wanted to know of any possible or actual impact that this procedure may have on any groups in respect of gender (including maternity and pregnancy as well as marriage or civil partnership issues), race, disability, sexual orientation, Welsh language, religion or belief, transgender, age or other protected characteristics. The assessment found that there was no impact to the equality groups mentioned. Where appropriate the UHB will make plans for the necessary actions required to minimise any stated impact to ensure that it meets its responsibilities under the equalities and human rights legislation. 13. AUDIT 13.1 The Governance and Risk Manager will regularly review the effectiveness of this procedure and provide reports the Audit Committee The Internal Audit function will review the risk assessment and recording arrangements within the UHB. This may take the form of a specific review or as part of a generic review of systems within Divisions/Departments. Findings will be reported to the Audit Committee. Page 13 of 38 Ref: UHB 024

14 13.3 Performance indicators will be built into the performance monitoring processes within the UHB to ensure that there is a systematic review of risks The UHB will undertake a self assessment against the Healthcare Standards which will require review of the arrangements in place to ensure the appropriate recording and assessment of risks Compliance will also be monitored by external agencies as part of periodic reviews/inspections which are undertaken e.g. Health and Safety Executive, Healthcare Inspectorate Wales, Welsh Risk Pool. 14. REVIEW The will be reviewed as a maximum at 3 yearly intervals. Page 14 of 38 Ref: UHB 024

15 DEFINITIONS OF TERMS Appendix 1 Assurance Assurance Committee Assurance Framework Board Assurance Action Plan Board Assurance Reports Effective Control Exposure Confidence, based on sufficient evidence, that internal controls are in place, operating effectively and objectives are being achieved A board level committee with overarching responsibility for ensuring appropriate assurance is gained on the management of all principal risks. This function will be performed by the Audit Committee. A structure within which boards identify the principal risks to the organisation meetings its principal objectives and map out both the key controls in place to manage them and also how they have gained sufficient assurance about their effectiveness An action plan approved by the board to improve its key controls to manage its principal risks, and gain assurances when required Key information reported to the board on the assurance framework, providing details of positive assurances and significant gaps in internal controls and assurances relating to principal risks. In additional to providing information leading to a board assurance action plan this will also provide evidenced to support the annual Statement on Internal Control A control that is properly designed, and delivers the intended objective the consequences, as a combination of impact and likelihood, which may be experienced by the organisation if a specific risk is realised. External Assurance Assurances provided by reviewers, auditors and inspectors from outside the organisation, such as Wales Audit Office, Health Inspectorate Wales Page 15 of 38 Ref: UHB 024

16 Gap in Assurance Gap in Control Hazard Failure to gain sufficient evidence that policies, procedures, practices or organisational structures on which reliance is placed are operating effectively Failure to put in place sufficient effective policies, procedures, practices or organisational structures to manage risks and achieve objectives Something that may cause harm, damage or loss, e.g. chemicals, manual handling Independent Assurance Inherent Risk Internal Control Key Control Positive Assurance Principal Objectives Principal Risk Prioritisation of Risk Assurances provided by (a) reviewers external to the organisation and (b) internal reviewers working to government standards, such as Internal Audit The exposure arising from a specific risk before any action has been taken to manage it. Any action, originating within the organisation, taken to manage risk. These actions may be taken to manage either the impact if the risk is realised, or the frequency of the realisation of the risk A control to manage one or more principal risks Evidence that shows risks are being reasonably managed and objectives are being achieved Objectives set at strategic level A risk which threatens the achievement of Principal Objectives A process by which risks are graded in order based on the likelihood of their occurrence and the severity of their consequences Page 16 of 38 Ref: UHB 024

17 Residual Risk Risk Risk Appetite Risk Acceptance Risk Assessment Risk Avoidance Risk Management Risk Reduction Risk Strategy Risk Register/Profile Risk Transfer The exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective The chance of suffering harm caused by a hazard, loss or damage or the possibility that the UHB will not achieve an objective The amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time An informed decision to accept (tolerate) the consequences and the likelihood of a particular risk, for example where the probability or consequence is so low that the cost of managing it would be prohibitive compared to the benefit or it is not within the remit of the organisation to prevent the risk e.g. emergency situations. The overall process of identifying risk and evaluating whether acceptable or not taking into account best practice and the appetite of the organisation. Taking the decision not to take a risk A systematic process by which potential risks are identified, assessed, managed and monitored in a way that will enable organisations to minimise losses and maximise opportunities By reducing the probability of the risk occurring or reducing the impact The overall organisational approach to risk management as defined by the Accounting Officer and/or Board. This should be documented and easily available throughout the organisation A documented and prioritised log of the overall assessment of a range of risks faced by the organisation see definition for Transfer below Page 17 of 38 Ref: UHB 024

18 Statement on Internal Control (SIC) Strategic Objectives Strategic Risk System of Internal Control Terminate Tolerate Transfer Treat (or mitigate) Working Risk An annual statement signed by the Accountable Officer on behalf of the Board that forms part of the Annual Financial Statements for the year. The SIC provides public assurances about the effectiveness of the organisation s system of internal control An overall goal of the organisation Risk which may have a significant impact on the organisation and could affect the ability to achieve strategic objectives A system, maintained by the board, that supports the achievement of the organisation s objectives. This should be based on an ongoing risk management process that is designed to identify the principal risks to the organisation s objectives, to evaluate the nature and extent of those risks, and to manage them efficiently, effectively and economically Take a decision not to take a risk A decision is taken to accept a risk Risk managed/mitigated by another organisation, for example insurance or contracting out (although still need to have regard of legal responsibilities which cannot be transferred) Take action to manage the risk. This is the most common action taken the current level of risk with existing control measures in place Page 18 of 38 Ref: UHB 024

19 Appendix 2 RISK ASSESSMENT FLOW CHART 1. Ward /Departmental Managers Completes risk assessment. Develops action plan. Prepares Departmental Risk Register, of risks assessed as *moderate, high or extreme. 2. Directorate/Locality Manager** Review Departmental Risk Registers. Review scores of those scoring 12 or above. Seek assistance of appropriate advisor to assist with review Prepare Directorate Risk Register assessed as *moderate, high or extreme. Prepare Directorate Action Plan. 3. Divisional Manager** Review Directorate Risk Registers. Further review scores if necessary. Prepare Divisional Risk Register of *high and extreme risks. Prepare Divisional Action Plan. 4. Divisional Director ** Advise Exec Director of all *high and extreme risks on Divisional risk register. 5. Executive / Corporate Directors Review Divisional Risk Registers. Further validate scores if necessary. Prepare Directorate Risk Register. Prepare Directorate Action Plan. 6. Governance and Risk Manager Consolidates Risk Registers into single corporate risk register of *high and extreme risks. Ensure that risks are reflected in Assurance Framework as appropriate. Prepare reports as appropriate for Board and its Committees. Page 19 of 38 Ref: UHB 024

20 7. Audit Committee Receives and reviews Corporate Risk Register of *high risks scoring 15 or above and all extreme risks on behalf of Board. Provides assurance to Board for those high risks scoring 15 or above and all extreme risks for which it is the Assuring Committee having reviewed and agreed action plans. Advises Board of all extreme risks. 8. Board Committee Receive and review extract from Corporate Risk Register for which they are the Assuring Committee. Provides assurance to Board for those *high risks scoring 15 and above and all extreme risks for which it is assuring committee having received and agreed action plans. Feed back Loop 9. Board Reviews Corporate Register of *extreme risks. Reviews and approves action plans developed to mitigate risks. Receives assurance from its Committee s that high risks scoring 15 and above and extreme risks are being appropriately managed. * Moderate Risks = Risks Scoring NB risks scoring 6 or above need to be recorded on Risk Registers. High Risks = Risk Scoring Extreme Risks = Risk Scoring ** Within Corporate Directorates these functions may be undertaken by Assistant Directors and/or Heads of Departments. Page 20 of 38 Ref: UHB 024

21 Table 1 Appendix 3 Risk Assessment Scoring and Matrix Consequence score (severity levels) and examples of descriptors Domains Negligible Minor Moderate Major Catastrophic Impact on the safety of patients, staff or public (physical/ psychologic al harm) Minimal injury requiring no/minimal intervention or treatment. No time off work Minor injury or illness, requiring minor intervention Requiring time off work for >3 days Moderate injury requiring professional intervention Requiring time off work for 4-14 days Major injury leading to long-term incapacity /disability Requiring time off work for >14 days Incident leading to death Multiple permanent injuries or irreversible health effects Increase in length of hospital stay by 1-3 days Increase in length of hospital stay by 4-15 days Increase in length of hospital stay by >15 days RIDDOR /agency reportable incident Mismanagement of patient care with longterm effects An event which impacts on a small number of patients An event which impacts on a large number of patients Page 21 of 38 Ref: UHB 024

22 Quality/ complaints/ audit Peripheral element of treatment or service suboptimal Overall treatment or service suboptimal Treatment or service has significantly reduced effectiveness Noncompliance with national standards with significant risk to patients if unresolved Totally unacceptable level or quality of treatment/ service Informal complaint/ inquiry Formal complaint/ Local resolution Formal complaint / Local resolution (with potential to go to independent review) Multiple complaints/ independent review Inquest/ ombudsman inquiry Gross failure of patient safety if findings not acted on Single failure to meet internal standards Repeated failure to meet internal standards Critical report Gross failure to meet national standards Minor implications for patient safety if unresolved Major patient safety implications if findings are not acted on Page 22 of 38 Ref: UHB 024

23 Human resources/ organisation -al development /staffing/ competence Short-term low staffing level that temporarily reduces service quality (< 1 day) Low staffing level that reduces the service quality Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Uncertain delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>5 days) Non-delivery of key objective/ service due to lack of staff Ongoing unsafe staffing levels or competence Loss of key staff Loss of several key staff Low staff morale Very low staff morale Statutory duty/ inspections No or minimal impact or breech of guidance/ statutory duty Breech of statutory legislation Poor staff attendance for mandatory/ key professional training Single breech in statutory duty Significant numbers of staff not attending mandatory/ key professional training Multiple breeches in statutory duty No staff attending mandatory training /key professional training on an ongoing basis Multiple breeches in statutory duty with high likelihood of enforcement action Challenging external recommendations Critical report Complete systems change required Severely critical report Improvement notice Prohibition notice Prosecution Page 23 of 38 Ref: UHB 024

24 Adverse publicity/ reputation Rumours with potential for public concern Local media coverage short-term reduction in public confidence Local media coverage long-term reduction in public confidence National media coverage for <3 days with service well below reasonable public expectation National media coverage for >3 days with service well below reasonable public expectation. MP/AM concerned (questions in the House/ Assembly) Elements of public expectation not being met Total loss of public confidence Business objectives/ projects Insignificant cost increase/ schedule slippage <5 per cent over project budget 5 10 per cent over project budget per cent over project budget Incident leading >25 per cent over project budget Schedule slippage Schedule slippage Schedule slippage Schedule slippage Finance including claims Small loss Risk of claim remote Loss of per cent of budget Loss of per cent of budget Key objectives not met Uncertain delivery of key objective/los s of per cent of budget Key objectives not met Non-delivery of key objective/ Loss of >1 per cent of budget Claim less than 10,000 Claim(s) between 10,000 and 100,000 Claim(s) between 100,000 and 1 million Purchasers failing to pay on time Claim(s) in excess of 1 million Loss of contract Page 24 of 38 Ref: UHB 024

25 Service/ business interruption Environmental impact Loss/ interruption of >1 hour Minimal or no impact on the environment Loss/ interruption of >8 hours Minor impact on environment Loss/ interruption of >1 day Moderate impact on environment Loss/ interruption of >1 week Major impact on environment Permanent loss of service or facility Catastrophic impact on environment What is the likelihood of the consequence occurring? The frequency based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify the frequency at which a risk is likely to occur. The probability score is more appropriate for risks relating to time limited or one-off projects or business objectives Table 2 Descriptor 1 Rare Likelihood Score (L) 2 3 Unlikely Possible 4 Likely 5 Almost Certain Frequency How often does it/ might it happen Probability Will it happen or not? % chance of not meeting objective This will probably never happen/ recur <0.1 per cent Do not expect it to happen / recur but it is possible it may do so per cent Might happen or recur occasionally 1-10 per cent Will probably happen/ recur but it is not a persistent issue per cent Will undoubtedly happen/ recur, possibly frequently >50 per cent Table 3 Consequence Score Risk Scoring = Consequence x Likelihood (C x L) Likelihood Score Rare Unlikely Possible Likely 5 Almost certain Catastrophic 4 - Major Moderate Minor Negligible Page 25 of 38 Ref: UHB 024

26 Table 4 For grading risk, the scores obtained from the risk matrix are assigned grades as follows 1-3 = Low Risk 4-10 = Moderate Risk = High Risk = Extreme Risk Quick, easy measures implemented immediately and further action planned for when resources permit Actions implemented as soon as possible but no later than a year Actions implemented as soon as possible but no later than six months Requires urgent action. The UHB Board is made aware and it implements immediate corrective action Page 26 of 38 Ref: UHB 024

27 Appendix 4 NOTE: A Microsoft Word version of this form can be accessed here. GENERAL RISK ASSESSMENT FORM PART 1 Location Division/ Directorate Department Activity /Tasks (Brief Description) Potential Risk/Issue Consequence X Likelihood = Current (See Tables 1-3 Risk Risk Assessment Scoring & Rating Matrix) Further Action required e.g. Undertake more detailed Risk Assessment if score 6 or above Page 27 of 38 Ref: UHB 024

28 Continuation Sheet Activity /Tasks (Brief Description) Potential Risk/Issue Consequence X Likelihood = Current See Tables 1-3 Risk Risk Assessment Scoring & Rating Matrix Further Action required e.g. Undertake more detailed Risk Assessment if score 6 or above Assessors Name (s) Signature (s) Position (s) Date Review Period Dates of Review Page 28 of 38 Ref: UHB 024

29 Cardiff and Vale University Health Board Appendix 5 NOTE: A Microsoft Word version of this form can be accessed here. General Risk Assessment Form Part 2 Reference Numbers UHB Division Directorate Premises/ Location (if applicable) Division/ Department Exact Location (if applicable) Description of Activity/Risk Area: Risk/Issued (Including Impact) to UHB due to shortfalls: Risk Domain (See Table 1 Risk Matrix) Impact on the Safety of Patients, staff or Public. Human Resources/Organisational Development etc Adverse Publicity/ Reputation. Finance Including Claims. Environmental Impact Quality/Complaints/Audit. Statutory Duty/Inspections. Business Objectives/Projects. Service Business Interruption. Number of people exposed to the Hazard/Risk during the work activity (if applicable) Staff / Students / Contractors list job roles Service / Patient Users Frequency of Exposure (if applicable) Infrequently Annually Monthly Weekly Daily Hourly Constantly Page 29 of 38 Ref: UHB 024

30 Control Measures already taken to reduce risk: Adequacy of existing control measures: No Controls in Place Inadequate Controls in Place Adequate but more action required Optimum Controls No further action required Current Risk Rating Consequence (score from Table 1) X Likelihood (score from Table 2) = Risk Rating (see Table 3) Risk Grading (see Table 4) Moderate High Extreme Additional control measures required: With the above action implemented the risk rating figure would be reduced to: Target Risk Rating Consequence (score from Table 1) X Likelihood (score from Table 2) = Risk Rating (see Table 3) Risk Grading (see Table 4) Moderate High Extreme Page 30 of 38 Ref: UHB 024

31 Cardiff and Vale University Health Board Assessors Name(s) Signature(s) Position(s) Date of Assessment Review Period Dates of Review Progress Report: Date: Signature: Page 31 of 38 Ref: UHB 024

32 Appendix 6 5 STEPS OF RISK ASSESSMENT Introduction Undertaking an initial assessment of the activities and objectives to be achieved will help assessors to identify those areas that require a more indepth assessment. The General Risk Assessment Form Part 1 (see Appendix 4) should be used to summarise the relevant information and undertake an initial assessment of the risk. If it is found that the risk is scoring 6 or above a more in-depth assessment should be undertaken utilising either the General Risk Assessment Form Part 2 (see Appendix 5) or a more specific form e.g. a Manual Handling Risk Assessment Form. Risk assessments should not be undertaken in isolation and a multi-disciplinary approach is encouraged. Employees and their representatives should be engaged at all stages of the risk assessment process. Following the 5 Steps below will take the assessor through a logical process. Step 1 Identify the Hazard/Factors that could prevent the UHB achieving its objectives (What can go wrong?) Identify the hazards that staff, volunteers, visitors or patients may be exposed to or the factors that may prevent the UHB from achieving its objectives. The trivial hazards should be ignored. However, it is necessary to decide if a number of hazards that may seem trivial in isolation could come together to present a greater risk. It is important to consider long-term hazards to health. Step 2 Decide who may be harmed and how/what will the impact be on the UHB? Identify those that will be harmed by the hazard. It is not necessary to identify individuals, to indicate that groups of staff, volunteers, students will be affected may be sufficient. It is necessary to consider how they will be harmed e.g. cuts and bruises, risk of death. Where the issue is likely to be that the UHB will not meet an objective it is necessary to consider the likely impact on the UHB e.g. failure to achieve financial balance could impact on the approval of the annual accounts. Step 3 Evaluate the Risk and identify the Actions required To evaluate the risk it is necessary to consider the consequence of the hazard should it occur or the impact on the organisation if an objective is not met or the UHB is the subject of adverse media coverage etc. Page 32 of 38 Ref: UHB 024

33 Cardiff and Vale University Health Board The consequence is given a numerical score by considering the severity of the hazard on the scale of 1-5 (see Appendix 3). The descriptors have been designed to ensure that they can apply equally to the impact on the safety of patients and staff, the risk of complaints, adverse media coverage, business objectives etc. The controls measures already in place should be documented and then the likelihood of the hazard occurring or the objective not being achieved quantified. The likelihood can be measured by considering how often an event will occur e.g. Will undoubtedly happen(5), Will probably never happen(1). For one off time limited events it may be more appropriate to consider the probability of the event not occurring e.g. <1.0 per cent chance (1) or >50 per cent chance (5) (see Appendix 3) The Consequence and Likelihood are multiplied to give the Current Risk Rating. The Current Risk Rating is plotted on the Risk Matrix (see Appendix 3) which will identify whether the risk is a Low, Moderate, High or Extreme Risk to the UHB. If the risk rating is High or Extreme the appropriate specialist advisor should be contacted to provide additional advice. They will help to advise on the appropriateness of the assessment. Having analyzed the risk it is necessary to consider if the controls/actions that are already being taken are adequate. Reference should be made to recognised good practice, approved Codes of Practice, issues highlighted within previous inspection reports etc. The adequacy of existing controls should be categorised as follows:- No Controls Inadequate Adequate but more action required Optimum Controls No Further Action Required Table 4, Appendix 3 provides guidance as to how quickly action should be taken to manage a risk and introduce control measures. Where an action has been identified as Adequate but more action required it will be necessary to consider whether the risk can be tolerated whilst presenting a High risk if this will allow the UHB to resolve risks that have been assessed as Extreme. The additional controls required to further minimise the risk should be considered. A further assessment should be undertaken to identify the consequence and likelihood when the controls have been introduced. This will give an indication of the Target Risk Rating. Step 4 Record the findings and proposed actions The information that has been established at Step 3 should be recorded. A summary of the assessment should be recorded on the General Risk Assessment Form Part 1 (see Appendix 4). If the risk is scoring 6 or above Page 33 of 38 Ref: UHB 024

34 Cardiff and Vale University Health Board a more in-depth assessment must be undertaken using the General Risk Assessment Form Part 2 (see Appendix 5) or a more specific form (e.g. Manual Handling Risk Assessment Form). Risk assessments should be suitable and sufficient and where the form has been fully completed and the latest information/guidelines considered it is likely to meet these requirements. Risk assessments should be shared with employees and their representatives, although as previously indicated they should be engaged at all stages of the process. The Risk Assessment will identify the additional control measures required. These control measures should be prioritised and the most important actions should be taken first. Where a risk has been assessed as a Moderate, High or Extreme risk a summary of the information contained within the Risk Assessment should be added to the appropriate Risk Register. Each Directorate will maintain a central file for Risk Registers from their Wards/Departments. The Divisional Manager will ensure that Directorate Registers are collated and amalgamated at a Divisional Level. The Executive and other Corporate Directors will each maintain a register for their areas of responsibility. A copy of the Executive and Corporate Directors Risk Registers will be submitted to the Governance and Risk Manager for collation and amalgamation into a Corporate Risk Register where appropriate. At each stage it is necessary to ensure that the Risk Assessments are available to support the Risk Registers. Each risk should be assigned a Risk Owner (e.g. Ward Manager at Ward Level, Divisional Director at Divisional Level). A Lead Executive should also be identified for all risks that are contained within the UHB Risk Register. Step 5 Review Risk Assessment and update if necessary All recorded risk assessments must have a review date. The timescale for this will be influenced by the risk rating and the ability of the organisation to introduce control measures. As control measures are introduced the assessment should be reviewed as a series of incremental actions may gradually reduce the risk rating. When reviewing the risk assessment it is necessary to consider if there is any new information that has to be considered e.g. incident reports, changes to legislation, amendment of targets. The review date will initially be set by those recording the assessment but it is possible that influences from outside the Department, such as a Divisional Director or a Committee of the Board require that the review is undertaken at an earlier date. Page 34 of 38 Ref: UHB 024