Risk Management Strategy. February 2016 February 2019 Risk management, risk Assurance Plan SOP

Transcription

1 Corporate Risk Register: Standard Operating Procedure Document Control Summary Status: Version: Author/Title: Owner/Title: Approved by: Ratified: Related Trust Strategy and/or Strategic Aims Implementation Date: Review Date: Key Words: Associated Policy or Standard Operating Procedures New v1.0 Date: December 2015 Sarah Hankey - Risk & Claims Manager Liz Lockett - Associate Director of Quality & Risk Policy and Procedures Committee Date: 21/01/2016 Policy and Procedures Committee Date: 21/01/2016 Risk Management Strategy February 2016 February 2019 Risk management, risk Assurance Plan SOP Contents 1. Introduction Purpose Scope Process for Managing the Risk Register Process For Monitoring Compliance And Effectiveness References... 6 Appendix 1 - Risk Register Flowchart...6 Appendix 2 - Risk Grading Tool Page 1 of 10

2 Change Control Amendment History Version Dates Amendments 1. Introduction South Staffordshire and Shropshire NHS Foundation Trust has identified priority areas of delivery which are described in detail in the Trust Annual Report and Quality Accounts. In order to maximise chances of successful delivery, the organisation must review factors likely to increase or decrease chances of success and then put processes in place to maximise the effects of the former and minimise the effects of the latter. The factors likely to decrease the chances of success are risks. A risk register is a prioritised log of risks faced by an organisation. It includes an assessment of each risk: a description, as well as analysis and a summary of action to be taken in respect of each identified risk. A risk register is used to help ensure that appropriate action is taken to control, reduce or eliminate each risk. This policy supports the Risk Management Strategy. 2. Purpose This Standard Operating Procedure has been developed to ensure robust processes in respect to the management of risk registers across the organisation. 3. Scope A risk register is a management tool that enables an organisation, directorate and or team to understand their comprehensive risk profile. It is a repository for all risk information. This repository is the hub of the internal control system, given that it should contain the objectives, risks and controls for the whole organisation. It is through this process that the Trust will risk manage and is the process by which the organisation identifies, assesses and takes action to manage their risks. It is the responsibility of all staff throughout the Trust to ensure that they fulfil their role in risk management Page 2 of 10

3 4. Process for Managing the Risk Register 4.1 Identification of Risks It is a responsibility for all managers to identify and record appropriately any risks in connection with their department and to report on those risks at the relevant meeting, using the risk management process described in this document. It is important to ensure clarity not only about how risks are reported, but also about how they are managed with the aims of enabling junior staff to be clear about how to raise issues where actions go beyond their levels of authority, and ensuring senior staff are able to instigate necessary and timely action. Risks may be identified from a range of sources including: Audits (internal and external) Service shortfall Incident and near misses PALS/complaints Claims Service reviews (Internal and external) Assurance Plan Surveys Investigations (internal and external) 4.2 Definitions: Risk A risk is something that may impact upon the achievement of an objective or action. Hazard A hazard is considered anything that has the potential to cause harm. Likelihood Likelihood is a measure of the probability that the predicted harm, loss or damage will occur. Impact Impact is a measure of the impact that the predicted harm, loss or damage would have on the people, property or objectives affected. Risk Score The risk score is the combination of the likelihood and severity. Risk Action A risk action(s) is an action taken to remove or reduce the severity and/or likelihood of an identified risk. A risk action can turn into a longer term control measure. Control Measures Control measures are the mechanism that can be put in place to reduce the likelihood or a risk/hazard actually happening. Gross Risk The risk which currently exists prior to the implementation of further actions identified using the Risk Rating Tool at the end of this section. Residual Risk This is the level of risk remaining after the relevant controls have been applied by management to the gross (or 'absolute') risk. Residual risk represents the actual level after the action description is in place of exposure that the organisation faces Page 3 of 10

4 4.3. Recording the Risk Any one may identify a risk. Once a risk has been identified it is the responsibility of the person identifying the risk to discuss it with the team leader at the earliest opportunity. The team leader should log the risk on the risk register using the Safeguard system. Further information on how use the risk registers on Safeguard can be found in the Safeguard Handbook. 4.4 Allocating actions When allocating actions on the risk it is important that the person to whom the action has been allocated has agreed to undertake the action. 4.5 Reviewing the risk All risks must be given a review date and the risks reviewed by this date. When a risk is reviewed this must be recorded in the Reviews section of the risk and a revised due date identified. Teams should review their risk registers at their team meetings. Divisions should review risks at their governance group all risks scoring 8 or above on the gross risk score which: Have been updated Are new Are to be removed or Are overdue Trust level risks are risks which score 15 or above on the gross risk score. These risks are monitored at Trust Board level. The details of the Trust Board responsibilities are identified within the Trust Risk Strategy. Trust Management team reviews the Trust level risks monthly which: Have been updated Are new Are to be removed or Are overdue 5. Process for Monitoring Compliance and Effectiveness Monitoring of the implementation of this Standard Operating procedure will be through Internal Audit processes. 6. References The Risk Management Process, Federation of European Risk Management Associations (FERMA), 2005 A Risk Management Standard, The Association of Insurance and Risk Managers, (AIRMIC), 2002 International Organisation for Standardisation (ISO)/IEC Guide 73:2002 Risk Management Risk Management Model (HSG65), Successful Health & Safety Management, HSE Books, 1997 Australia New Zealand Standard 4360:2004 Risk Management Five Steps to Risk Assessment, HSE, 2006 Page 4 of 10

5 Appendix 1 Flow Chart for Managing Risk Registers Risk identified by individual or team Risk discussed at team/ward meeting- Meeting chair to place risk on risk register Do not score at 15 or over until agreed with lead Director Allocated lead must agree to be lead before being allocated Where other divisions input is required discussion with identified leads must take place before an action is allocated to them Changes to scoring are the responsibility of the identified lead in consultation with the committee/team responsible Score risk using Risk Rating Tool and complete as add Risk on Safeguard system All risks reviewed quarterly at Ops Forum Divisional Senior team agree scoring allocate Director and Committee and update in Review box Trust Management Team review all new, updated, and overdue risks monthly Risk not mitigated by review date Risk reduces to 12 or below Gross risk scores moderate i.e. 12 or below Review at monthly Divisional Governance Forum Gross risk scores high i.e. 15 or above Risk fully mitigated Gross risk scores moderate i.e. 12 or below Remain at Divisional level - review on review date at Divisional Governance Meeting Risk reduces to below 15 Area or locality manager to quality assure risks on a monthly basis Gross risk scores "high i.e. 15 or above TMT agree scoring allocate Director and Committee, agree wording with lead director and update in Review box Risk fully mitigated Manage risk at team level or close risk on Risk register write update in Review box Committee reviews action plan to mitigate risk Close risk on Risk register write update in Review box N.B. Risk fully mitigated means that the lead is satisfied that the risk is effectively managed. Page 5 of 10

6 Appendix 2 Risk Grading Tool 1. Introduction This annex sets out the means by which risks identified across the organisation are graded. 2. Statement of Intent This document is intended to support the application of a common grading system to all risks, ensuring organisational consistency for the prioritisation of required actions. 3. Scope The same grading tool is used by South Staffordshire and Shropshire NHS Foundation Trust for all risk processes, including risk assessment and associated risk registers, incident and near miss reports. 4. Procedure Risks are measured according to the following formula: Likelihood Likelihood x Impact = Risk Risks are first judged on the likelihood of the risk being realised - for example, how likely it is that someone is going to injure their back lifting heavy equipment. Categories of likelihood available for grading, set out within the Risk Grading Matrix (Appendix 1), are: rare, unlikely, likely, highly likely and certain. Impact Situations are then judged to evaluate what, if the risk were to be realised, the severity of the outcome would most likely be. Categories of severity available for grading, set out within the Risk Grading Matrix (Appendix 1), are: insignificant, minor, moderate, major and catastrophic. Risk Based on the above judgements, use the Risk Grading Matrix (Appendix 1) to crossreference the selected likelihood with the selected severity and assign a risk grade, either: Very Low, Low, Moderate or High. Page 6 of 10

7 Risk Treatment Options Risks to the organisation can be: Accepted: very low and low risks can be accepted as requiring no further action. These are termed acceptable risks. On reviewing this type of risk it may, however, be decided that some cost effective action would reduce the risk still further. Action on such risks is generally a low priority. Managed: in many cases action can be taken to change the way activities are carried out in order to reduce the risk identified. South Staffordshire and Shropshire NHS Foundation Trust is committed to using a systematic/holistic approach to risk management. Avoided: in some cases risk cannot be accepted, transferred or managed. Then the Board may decide that a particular risk should be avoided altogether, which may involve ceasing the activity giving rise to the risk, or not taking on a new activity. Where risk treatment plans require significant additional funding, or changes to the working pattern of the organisation, these decisions will be made by the Board. Decisions with less significant implications will be taken by the Chief Executive and/or responsible Executive Director. Action Required According to Risk Grading Very Low and Low risks Most risks will be graded into these less serious categories and either require no action or can normally be managed through local action by an appropriate person or department as identified in the relevant Policy. Moderate risks Of the rest, most risks will be addressed by the responsible senior manager within the organisation. For this type of risk an option appraisal needs to be carried out to identify the most appropriate way of dealing with the risk, which should be added to the appropriate team Risk Register. High risks A systems approach will be used to identify the root causes of the risk and thereby help choose an appropriate risk treatment plan. All high risks i.e. those scoring 15 and above will be reported to each meeting of the Board via the Risk Register which will approve treatment plans and monitor progress. Page 7 of 10

8 Risk Grading Matrix Risk Grading: Most likely impact (if in doubt grade up, not down): Consider 2 aspects: Insignificant Minor Moderate Major Catastrophic 1. Likelihood of the risk and the 2. Severity of the risk Once you have decided upon the likelihood and severity of the risk, use the Risk Grading Matrix to cross-reference these and determine the Risk Grade. e.g. If you decide that the likelihood of the risk occurring is Unlikely (2) and the severity is Major (4), then the Risk Grade is Moderate (8) It is important to record how you arrive at your score, No injury or identifiable damage No disruption to service or the organisation Financial implications are negligible e.g. spills of nonhazardous liquids, paper cuts Mild injury (will probably resolve in less than 1 month) The impact would threaten the efficiency of some aspects of the organisation Some financial implications e.g. absence from work <3 days, incorrectly filed documents Some injury (emotional, psychological or physical), ill health, damage or loss of function likely to resolve within a few months Disruption to organisation could be managed Moderate financial implications (> 50K) e.g. RIDDOR reportable injury, local adverse publicity, lost claim file Serious injury (emotional, psychological or physical), ill health, damage or loss of function possibly with prolonged disability Serious disruption to the organisation High financial implications (> 500K) e.g. large section of roof falling in, national adverse publicity, computer network failure >3 working days, prolonged time off work (>15 days), theft of claim file Death or significant permanent disability Organisation unable to function Very high financial implications (> 1million) e.g. large scale fraudulent claims management, international adverse publicity, bomb threat, anything untoward that involves >50 people e.g. 2 x 4 = 8. Page 8 of 10

9 Likelihood: Rare: Cannot believe that an event of this type will occur in the foreseeable future 1 VERY 1 VERY Unlikely: Unlikely that this type of event will happen 2 VERY Likely: This type of event may well happen (e.g. 50/50 chance) Highly Likely: This type of event will happen but it is not a persistent concern Certain: This type of event will happen frequently Page 9 of 10

10 Action Required According to Risk Grading and Assignment of Responsibility Risk Further Action By Whom Very Low Acceptable Risk. All employees Take action to reduce risk where necessary Low Acceptable Risk. As above plus: Consider whether any further action should be taken to reduce future risk Team Leaders Moderate Unacceptable Risk. As above plus: Senior Managers Report to the Risk Management Committee identifying treatment options Quarterly report to Risk Management Committee Meeting monitoring progress on treatment action plans High Significant Risk. As above plus: Report to Board identifying treatment options, and periodic monitoring Report to each meeting of identified Board committees monitoring progress on treatment action plans Identified Committee to Trust Board Page 10 of 10