RISK MANAGEMENT PROCEDURES

Transcription

1 RISK MANAGEMENT PROCEDURES

2 Recommended by Approved by Approval date Risk Moderation Sub-Committee Executive Management Team 15-Oct-2012 Version number 1.0 Review date Responsible Director Responsible Manager (Sponsor) For use by Oct-2014 Performance & Patient Experience Director Assistant Director, Healthcare Governance All Trust employees This policy is available in alternative formats on request. Please contact the Performance and Patient Experience team on Risk Management Procedural Document Page: Page 2 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

3 Change record form Version Date of change Date of release Changed by Reason for change x 0.1 May 2011 May 2011 M Dorrian Document created x 0.2 May 2011 May 2011 M Dorrian x 0.3 May 2011 June 2011 x 0.4 October 2012 October 2012 x 1.0 October 2012 October 2012 M Dorrian N Barnes M Dorrian F Buckley M Dorrian N Barnes Recommendations from Risk Moderation Sub-Committee Preparation for EMT Approval Revision in line with organisational changes and advancements Preparation for EMT Approval Risk Management Procedural Document Page: Page 3 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

4 Contents Section 1 The Risk Management Process Purpose & Scope The Risk Management Principles Acceptable Risk The Risk Management Process Establishing the context Risk Assessment Risk Identification Risk Analysis Risk Evaluation Risk Treatment Monitoring and Review Communication and Consultation Business Planning A to Z took kit.. 11 Section 2 Risk Management Procedure and Responsibility Board Assurance Framework Risk Registers Project Risks Actions plans... Committee and Management Group Risk Review and Assurance Processes Responsibilities Ownership & risk escalation Duties within risk register and assurance framework process Appendices 1 NWAS Risk Matrix Equality Impact Assessment Risk Management Procedural Document Page: Page 4 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

5 Section 1 Risk Management Process Procedure 1. Purpose and Scope of this document 1.1 Principle: Risk Management identifies threats and drives change. Risk management is about focusing upon experiences and learning, in order to improve outcomes and the working environment. It assesses, and where possible, anticipates risk to eliminate or reduce harm. The purpose of this document is to describe in detail the process needed to ensure appropriate management of risk within the Trust. It describes the framework and the methods that the Trust will use to identify, manage and reduce the risks (actual or potential) which exist within the organisation and its environment. 1.2 It seeks to embed key risk management system and process:- Satisfy the requirements of the Annual Governance Statement, Provide a robust Assurance Framework, Embed Risk Registers across all Directorates, Initiate a systematic and consistent approach to learning lessons and promoting continuous improvement and, As far as is reasonably practicable, minimise costs associated with risk. Identify the reporting structure for escalation of risks through the reporting/committee hierarchy 1.3 This document provides guidance on processes needed for the on going development of risk management throughout the Trust. This document applies to all staff working for or on behalf of the Trust in all environments. It also applies to non-trust staff working for or representing the Trust in any way including contractors employed by others who work on Trust premises. It is imperative that managers and clinicians ensure that the message risk management is everybody s responsibility is well understood and acted upon within the Trust. 2.0 Risk Management Principles 2.1 For risk management to be effective, NWAS should at all levels comply with the principles below; a) Risk Management protects and creates value Risk Management contributes to the demonstrable achievement of objectives and improvement of performance in, for example legal and regulatory compliance, security, public confidence, environmental protection, project management, efficiency in operations, etc.

6 b) Risk Management is an integral part of NWAS management process Risk management is not a standalone activity that is separate from the main activities and process of NWAS. Risk Management is part of the responsibilities of management and an integral part of all of NWAS s processes, including strategic planning and all project and change management processes. c) Risk Management is part of decision making Risk management helps decision makers make informed choices, prioritise actions and distinguish between alternative courses of action. d) Risk management explicitly addresses uncertainty Risk management explicitly takes account of uncertainty, the nature of the uncertainty, and how it can be addressed. e) Risks Management is systematic and timely A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable reliable results. f) Risk management is based in the best available information The inputs to the risk management process are based on information sources such as historical data experience, stakeholder feedback, observations, forecasts and expert judgment. However, decisions makers should inform themselves and take account of any limitations of the data or modelling used or possibility of divergence among experts. g) Risk management is tailored Risk management is aligned with NWAS external and internal context and risk profile. h) Risk management takes human and cultural factors into account Management recognises that the capabilities, perceptions and intentions of staff and stakeholders can facilitate or hinder achievement of NWAS s strategic and corporate objectives. i) Risk Management is transparent and inclusive Appropriate and timely involvement of stakeholders and in particular, decision makers at all levels of NWAS, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria. j) Risk Management is dynamic, iterative and responsive to change Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and other disappear. k) Risk Management facilitates continual improvement NWAS should develop and implement strategies to improve our risk management maturity alongside all other aspects of the organisation.

7 2.2 The British Standards Institute Risk Management Standard (BSI ISO 31000:2009) has been adopted by the Trust in order to facilitate effective risk management throughout the organisation. By using the key stages and processes identified within the standard the Trust can profile identified and potential risks, develop prioritised action plans for the management of risks and evaluate the effectiveness/end result of the implemented action plans using residual risk scoring. Risk prioritisation and action planning takes account of incident reporting, complaints, PALS enquiries, claims, audit information, and issues raised by individual directorates/departments, as well as national requirements and guidance. 2.3 Risk Management Mandate for Commitment Continual Improvement of the Design of framework for managing risk Monitoring and review of the framework Implementing risk management Figure 1 Risk Management Procedural Document Page: Page 7 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

8 2.4 In addition to utilisation of the information sources referred to above, in depth risk assessments will be undertaken across the Trust when: The strategic objective are changed or refined There are changes in operational targets Developing and/or revising systems, procedures or working practices Introducing new equipment Planning and managing projects Business planning Event scanning highlighting risks that could impact on the Trust, such as the publication of national reports on health care risks or global terrorist events Cost Improvement programmes are implemented. 3 Acceptable Risk 3.1 Defining what is an acceptable level of risk is very difficult, as acceptability will vary depending on each risk and the prevailing circumstance. The North West Ambulance Service s Trust Board has agreed the following definition of Acceptable Risk North West Ambulance Service NHS Trust acknowledges that no system can be risk free and defines acceptable risk as that risk which remains after rigorous assessment of equipment, work processes and procedures have been undertaken and steps have been taken, including training, to remove all risks as far as is reasonably practicable Decisions about risk acceptability and appropriate risk treatment may be based on any number of criteria such as operational, technical, financial, legal, social, humanitarian etc. Identified risks will be formally acknowledged, quantified and addressed. Action plans and risk treatment solutions will be devised for risks with a residual score over 12, detailing proposed control measures to be implemented to address risks which it has not been possible to resolve in the first instance. 3.2 Risk Appetite Risk appetite can be defined as: - the risk of loss that the Trust is willing to accept for a given risk-reward ratio (over a specific time horizon at a given level of confidence) Determining the risk appetite for the Trust is an important component of the Trust s operational risk management approach. Risk appetite, at the organisational level, is the amount of risk exposure, or potential adverse impact from an event, that Board of Directors is willing to accept/retain. Risk Management Procedural Document Page: Page 8 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

9 Once the risk appetite threshold has been breached, risk management treatments and business controls are implemented to bring the exposure level back within the accepted range. Used effectively risk appetite will influence the operational risk culture, risk operating style and risk resource allocation. 4.0 The Risk Management Process 4.1. Establish the context Figure 2 (below) is a pictorial representation of the process for managing risk. The numbers refer to the sections within this document that explain that particular section of the process. Establish the Context 4.1 Risk Assessment 4.2 Risk Identification Communication and Consultation 4.5 Risk Analysis Risk Evaluation Monitoring and Review 4.4 Risk Treatment 4.3 Figure 2 The following steps should be followed when managing a risk or several interlinked risks Before starting the implementation of the framework for managing risk, it is important to evaluate and understand both the external and internal context of the Trust since this can significantly influence the design of the framework. The Board of Directors set the strategic objectives which are broad parameters for evaluation and understanding of the context in which the Trust s risk management systems operate Evaluating the Trust s external context may include but is not limited to a) The social and cultural, political, legal and regulatory, financial, technological economic natural and competitive environment; b) Key drivers and trends having impact on the objectives of the organisation; and c) Relationships with, and perceptions and values of external stakeholders Risk Management Procedural Document Page: Page 9 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

10 4.1.4 Evaluating internal context may include, but is not limited to: Governance, the Trust s structure roles and accountability Policies, Strategic Framework roles and accountability; Information systems, information flows and decision making processes (both formally and informal) Standards, guidelines and models adopted by the organisation; and The form and extent of the contractual relationships. 4.2 Risk Assessment The overall process of risk identification, risk analysis and risk evaluation. The process of risk assessment is to establish the hazards facing the Trust and the risk of them occurring. Because of the degree of uncertainty associated with such a process, a methodical system is used to ensure consistency, ensuring that all activities undertaken by the Trust are identified, assessed, controlled, registered, monitored and reviewed Risk Identification The Trust identifies sources of risk, areas of impact, events (including changes in circumstances and their causes and their potential consequences). The aim of this step is to generate a comprehensive list of risks based on those events that might cause, enhance, prevent, degrade accelerate or delay the achievement of the Trust s strategic & corporate objectives Risk Analysis Risk Analysis involves developing an understanding of the different aspects to a risk. Risk analysis provides an input to risk evaluation and to decisions on whether a risk needs to be treated and on the most appropriate risk treatment strategies and methods Risk Evaluation Risks are assessed and quantified using 2 criteria the likelihood of occurrence and the consequence of impact. The Trust has adopted a systematic and common approach to quantifying risk through defining qualitative measures of likelihood of occurrence and consequence of impact. The product of multiplying the two numbers together quantifies the risk and provides a score Risk Management Procedural Document Page: Page 10 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

11 The Trusts risk matrix descriptors will be reviewed on an annual basis by the Risk Manager approval must be sought from the Risk Moderation Management Group before any changes to the matrix can be implemented. Further Guidance on risk evaluation and the Trust risk matrix can be found in within the Trust A to Z tool kit Risk Treatment Identifying risk control measures (risk treatment) is the process of determining the actions to take in response to the risks identified and includes reviewing what is already in place and then determining if these measures are sufficient to manage the identified risk at an acceptable level Monitor and Review of Risks Both monitoring and review must be a planned part of the risk management process and involve regular checking or surveillance. Guidance on the monitoring and review of risks can be found within the Risk Management Policy and the Risk Management A to Z tool kit Communication and Consultation It is good practice to involve stakeholders, as appropriate, in the Trust s activities during all stages of the risk management process Therefore, plans for communication and consultation must be continually developed. These must address issues relating to the risk itself, its causes, its consequences (if known), and the measures being taken to control it. The Trust must engage in effective external and internal communication and consultation to ensure that those accountable for implementing the risk management process and stakeholders understand the basis of which decisions are made, and the reasons why particular actions are required. Guidance on the Communication and Consultation can be found within the Risk Management Policy and the Risk Management A to Z tool kit. 5.0 Business Planning 5.1. The content of the Assurance Framework is considered as an integral part of the business planning process. Ensuring that risks arising from pursuing the strategic, aims and goals are identified, analysed and evaluated populates the Assurance Framework. (Board Assurance Framework guidance) gives an overview of process required for the affective population of Trust s Assurance Framework. Risk Management Procedural Document Page: Page 11 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

12 5.2 The Trust will complete checks to ensure that all relevant items identified within the Assurance Framework have been appropriately considered and addressed within the business planning process. 5.3 Each department and directorate will be responsible for ensuring that risks identified appear on the relevant risk registers of the Trust so that the Trust can in turn ensure that all known key risks are utilised to inform current and future business planning. All departmental risks must be aligned to either the strategic or corporate objectives, or both, were at all possible. 5.4 Each Directorate must allocate a risk handler to work in conjunction with the risk lead to review and revise directorate risks. 6.0 A to Z Tool Kit 6.1 Procedural documents and guidance have been produced for each stage of the Risk Management Process described within sections 4.1 establishing the context to 4.5 consultation and communication. They can be found along with other pertinent information within the Risk Management A to Z tool kit which can be found on the Trust Intranet. Risk Management Procedural Document Page: Page 12 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

13 Section 2 Risk Management Procedure and Responsibility 7.0 Board Assurance Framework A structure within which the Board of Directors can review identified principal risks that inhibit the Trust from achieving its Strategic Objectives. The framework will also depict both the key control measures in place to manage these principal risks and an assurance level to indicate how effective the control measures identified are The Board of Directors is responsible for managing the content of the Assurance Framework via the Executive Management Team When new corporate risks are added to Datix the risk lead should click on the Risk Type section and select awaiting approval section of the Risk Moderation management. Those risks scoring above 12 will be presented to both the Risk Moderation Management Group and the Board of Directors. Once any changes have been approved by the Board of Directors, they will then be matched to the Integrated Business Plan All high level risk identified on the Board Assurance Framework needs to be reviewed, as a minimum, every two weeks, in line with the current Risk Management Policy Any high level risk that does not provide adequate or fully compliant positive assurance(s) will require an action plan, developed by the risk owner, to demonstrate how assurance will be gained. This is the responsibility of the Executive Management Team risk owner The Trust Board will be responsible for monitoring progress of the Trust s high level risks and their assurance(s) via a Boards Assurance Framework Action Plan When assessing the level of assurance, the Trust utilises a questionnaire based approach, the total of affirmative answers will determine whether the risk has High Significant, Limited or No (None) assurance. Section 4 page 43 (Board Assurance Framework guidance) 7.2 Key controls within the assurance framework Only the key control measures that are approved (if required) and fully implemented/in place/active should be identified within the Key Controls section of the Framework For each key control measure identified, risk owners should identify the sources of any assurances. This should be a clear indication of where the evidence to support the key control measures identified can be found. Risk Management Procedural Document Page: Page 13 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

14 When completing this section risk owners should be as specific as possible and identify for example; exact minute references, copies of wording or extracts for internal/external evidence related documents, numbered sections of Policy/Procedure documents, etc It is important to acknowledge that many of the potential sources of assurance will come from risk owners satisfying their own legal or regulatory requirements and the assurances that the Board of Director s may obtain can be a by-product of this process Therefore, the issue is one of establishing whether there is an overlap between the work of the risk owner and the Trust s own broader assurance needs. Where the risk owner s report is deemed relevant, the Trust must endeavour to confirm that sufficient work has been undertaken within the risk review process to be able to place reliance on the conclusions drawn and therefore, support the assurance level identified Figure 3 outlines the assurance framework process within NWAS, linking risk with strategic objectives and highlighting ownership of key parts of the process NWAS Assurance Framework Process Figure 3 Risk Management Procedural Document Page: Page 14 of 35 Author: Risk Manager Version: 1.0 Date of Approval: 15-October-2012 Status: Final Oct-2012 Oct-2014

15 7.3 Strategic/Corporate Objective Risk leads must ensure that all identified risks populated within the DATIX system are aligned to at least one of the Trust s Strategic or Corporate Objectives Risk leads must be aware that quite often identified risks will impact on much more than one objective within the Trust. 7.4 Risk Owner Executive Director level risk owners must be identified on the Assurance Framework so that the Board of Directors is clear as to where the responsibility for mitigating the identified risk lies. Risk owners may delegate the responsibilities associated with risk mitigation to other team members but must always remain accountable for the overall controls and outcomes. 7.5 Action Plans Action plans in relation to each identified risk that has no positive assurance will be developed and agreed by the appropriate level of management and body of the Trust. Through these bodies the Trust will monitor and measure its performance against these action plans, which will be reported to the Risk Moderation Sub-Committee as part of the Healthcare Governance Report and to the Trust Board as part of the Trust s Assurance Framework Action Plan. The indicators will be derived from the Trust s Business Planning Process, Assurance Framework Process and the Risk Management Policy. 8.0 Risk Register A risk register is a structure within which the Trust can review identified risks that inhibit the Trust from achieving its Strategic and Corporate Objectives identified within the Wheel. The risk register will also depict both the key control measures in place to manage these risks and an assurance level to indicate how effective the control measures identified are The Trust will utilise the following risk registers: Trust Wide Directorate Departmental Project Risk Management Procedural Document Page: Page 15 of 35

16 Figure 4 below gives an overview of the hierarchy for populating Trust risk registers Hierarchy of Populating Trust Risk Registers Risk Identified and reported to line Manager Can the Risk be mitigated at source, if so take action and close the risk, if not procced Assess the Risk Rate the risk using Consequence V Likelihood Reject, Amend, Accept If Accepted Add to Departmental Risk Register on Datix Escalate risks with a residual risk score of more than 6 to the Directorate Senior Management Team Directorate Senior Management Team will Chose to Accept, Reject, Amend Escalate risk with a residual risk of more than 12 to Board Assurance Framework for EMT ownership Full Board Director will chose to accept, reject or amend or risk. All risk identified as potential High Risk Areas must go to the risk Moderation Management Group for review Risk Moderation Management Group Will : - Accept, Reject or Amend Risk Add risk to Board assurance Framework >12 or to the Corporate Risk Register <12 Revivew and revise in line with changing circumsances. Close if risk mitigated. Figure 4 Risk Management Procedural Document Page: Page 16 of 35

17 8.1.3 The Trust s risk registers will include, as a minimum: Guidance on each of the following is in the Risk Management A to Z tool kit. Risk ID A unique reference for each risk identified. Corporate or Strategic Goal risk is linked to/affects Risk Description A description of the principle risk and its possible impact upon the organisation. Approval Status Has this risk been approved by the Risk Moderation Management Group. The likelihood The probability of the realisation of the risk. The consequence The degree to which the interests of the organisation would be harmed by the realisation of the risk. Risk Owner The person with overall responsibility for managing the risk. Control Measures Actions which either reduce the probability of the risk being realised or reduce the effects of the risk that are currently in place Gaps in Control proposed actions required to treat the risk Assurances- for risk over 12, each control measure should also list its sources of assurance. Monitoring the systems to be used to monitor the risk. Level of Assurance which will be classified as one of the following none, limited, significant or high guidance on assessing assurance levels Designated lead(s) will be responsible for maintaining and reviewing the relevant risk register(s), ensuring any required actions are undertaken and the provision of evidence or assurance The Risk Moderation Management Group will be responsible for reviewing corporate risks before addition to the full corporate risk register and making any recommendations for change or approval to the Trust Board. The Quality Committee receive assurance reports from the Risk Moderation Management Group on effectiveness of the Trust s risk Management process New corporate risks added to Datix must be classified within the Risk Type section (awaiting approval section of the Risk Moderation Management Group) if scoring 12 or less. They will then be presented to the next Risk Moderation Management Group for review. Once required changes have been made, if warranted, they will be added to the full corporate risk register. The Risk Manger will be responsible for managing this process. Risk Management Procedural Document Page: Page 17 of 35

18 8.1.7 The A to Z tool kit document relating to Assurance gives guidance on the assessment of the level of assurance for a Risk, the Trust which will determine whether the risk has High, Significant, Limited or None assurance The Trust Board will receive the Trust Wide risk register, for review, as a minimum, on an annual basis The NWAS Head of Risk & Safety will provide support in conjunction with the Risk Manager The Risk Manager will be responsible for ensuring that relevant risk registers are co-ordinated, maintained and kept up to date The Risk Manager will be responsible for ensuring that the Trust s Directorate and Trust Wide risk registers are co-ordinated, maintained and kept up to date. 9.0 Project Risks 9.1 Projects risks are to be included within Datix and classified within the Type section accordingly. All projects require at least one overall risk adding to the corporate risk register. The owner of these risks must score them utilising the corporate risks rating matrix. All other risks arising out of the Project may be scored independently of the corporate risk matrix, looking at the likelihood and consequences to that particular project rather than the risk to the Trust. 9.2 New project risks added to Datix must be classified within the Risk Type section (awaiting approval section of the Project Board). They will then be presented to the next relevant project board for review. Once required changes have been made, if warranted, they will be added to the full project risk register Action Plans 10.1 Action plans in relation to each identified risk that has no positive assurance will be developed and agreed by the appropriate level of management and body of the Trust. Through these bodies the Trust will monitor and measure its performance against these action plans, which will be reported to the Risk Moderation Sub-Committee and to the Trust Board as part of the Trust s Assurance Framework Action Plan. The indicators will be derived from the Trust s Business Planning Process, Assurance Framework Process and the Risk Management Policy. Risk Management Procedural Document Page: Page 18 of 35

19 11.0 Committee/Management Group Risk Review & Assurance Process 11.1 Good Risk Management is an integral part of a sound system of internal control and both form the basis for effective Corporate Governance Figure 5 below explains the relationship between the Board of Directors the Quality Committees and Risk Moderation Management Groups who oversee the Trust risks and risk management systems The Board of Directors oversee the Board Assurance Framework and receive a full report on these high level risks at least 8 times a year. The Board of Directors receive in writing and consider the minutes from the Quality Committee who monitor the effectiveness of the Trust risk management process The Quality Committee receive reports and considers the minutes from the Risk Moderation Management Group. One of the main functions of the group listed within its terms of reference is to obtain assurance on the effectiveness of the Trusts risk management Systems 11.5 The Risk Moderation Management Group will review all of the Trust Risk Directorate registers, at least twice a year and the Board assurance framework at least 8 times a year. Risk Management Procedural Document Page: Page 19 of 35

20 Figure 5 Risk Management Procedural Document Page: Page 20 of 35

21 12.0 Responsibilities 12.1 The Trust s clear lines of accountability aim to ensure that there is both a coordinated and holistic approach to the management of risk throughout the Trust All managers and staff will be responsible for the management of risk within the extent of their roles and responsibilities. They will be expected to comply with the systems and associated procedures, and ensure all efforts are made to eliminate or minimise risks they become aware of Within sections six seven and eight of the risk management policy the roles and responsibilities of all NWAS staff are mapped out. The policy seeks to simplify the what is expected from all NWAS staff with respect to risk management utalising a linier approach which divides the process into clearly defined stages. This process is broken down into three distinct groups. Those with general risk management duties, from the top down. Those with specific delegated risk management duties under the Risk management policy, and those with specific roles. The roles and responsibility section is split across the page and mirrors the requirements of the BSi ISO risk management standard, i.e. setting the context for risk management, identification, analysis, evaluation, and treatment. It also sets out the contribution to the assurance and controls framework Ownership & Escalation of risk RAG Status Risks Review Ownership Level scored at Schedule Low risk (Green): 1, 2 or 3 Relevant management team. Annual Low risk (Green): 4, 5 or 6 Sector Managers or equivalent Bi-annually Moderate risk (Amber) 8 & 9 Head of Service or equivalent Quarterly Moderate risk (Amber) 10 & 12 Deputy Director or equivalent Monthly High risk (Red) 15,16,20 & 25 Executive Management Team Board of Directors Fortnightly Figure 6 Figure 6 above sets out the hierarchy of ownership of risk within NWAS. Figure 7 sets out the escalation and responsibilities for risk management in a horizontal manner Risk Management Procedural Document Page: Page 21 of 35

22 NWAS Risk Management Responsibilities Risk Escalation Board of Directors Risk Executive Management Team Risk Assistant Directors/ Risk Lead Risk Head of Department Owners Owners Owners Risk Register Escalation Strategic Risks 12 Plus Risk Directorate Risk Register Departmental Risk Register Review & Monitoring Process Board of Directors Review Board Assurance Framework & Directorate Risk Register Quality Committee Receive assurance reports from the Risk Moderation Management Group on effectiveness of the Trust s risk management process Risk Managers Risk Staff Risk Moderation Management Group Review Directorate Risk Registers and Board Assurance Framework Figure Figure 07, gives duties within the Trust risk register and Assurance Frameworks process. It is set out in the same format as the Responsibilities section of the Risk Management Policy, and aims to give simple guidance and pointers on each of the significant stages within the risk management process. Risk Management Procedural Document Page: Page 22 of 35

23 Duties within the Trust Risk Registers and Assurance Frameworks Risk Escalation Process Datix population Reporting Hierarchy Assurance framework All staff :- Are responsible for the identification of risks arising out of the Trust undertakings reporting them to their line manager Local Managers :- Are responsible for the identification of risks arising out of the Trust undertaking and reporting these and those raised by their staff group to:- Sector Mangers :- Are responsible for the identification of risk arising out of the trust undertakings and reporting those raised by local managers to:- Senior Managers: - Are responsible for the identification of risk arising out of the Trust undertaking and reporting these and those raised by sector managers. They are responsible for the analysis and evaluation of these risks and the population of Datix to: CEO, Directors and Assistant Directors:- Ensure the risk arising out of the Wheel process & internal & external operating environment (i.e. those raised by senior managers) are identified & that they are recorded on Datix. Datix population must be in line with the Trust Guidance It is the responsibility of the Senior Management Team, Assistant Directors to ensure that the correct grade of manager is assigned the owner. Each Directorate must allocate a risk handler to work in conjunction with the risk lead to review and revise directorate risks within Datix It is the role of the Risk Manager is to ensure that all risk entered on to Datix conform to Trust Guidance. It is the role of the Risk Moderation Sub- Committee to ensure all risk entered on to Datix meet the standards laid down by the trust All risk must be aligned to a strategic or corporate objective Each Directorate must ensure that the risk register is reviewed in line with the Trust Guidance Directorate risk registers are presented to the relevant Trust Committees in line with their terms of reference. Each of the Directorate risk registers will be collated together to for the Trust wide risk register Risks scoring above twelve on the Trust wide risk register are to be recorded on the Trust Assurance Framework. Each of the risks on the Assurance Framework must be assigned to an Executive lead The Risk Moderation Management Group will receive each Directorate risk register in line with its terms of reference. The Quality Committee will receive reports from the Risk Moderation Management Group regarding the effectiveness of the Trust risk management systems The Board of Directors will receive the Board Assurance Framework at least 08 times a year & the full Trust wide risk register twice a year. All risk on the Board Assurance framework must be assigned to an Executive Management Team lead. All risk on the Board Assurance Framework must score over 12 and be reviewed in line with the Trust Guidance The Board of Directors will review the Board Assurance Framework minimum of 8 times a year. All the risks on the Board Assurance Framework must be aligned to either strategic or corporate objective of both. The assurance framework will contain the following Datix ID Strategic/Corporate Objective Key Controls/Assurance Residual risk Score Assurance Level/Gaps in Assurance Executive Risk Owner Last reviewed Figure 8 Risk Management Procedural Document Page: Page 23 of 35

24 Appendix 1 Version 6 Risk Matrix It is very important to accurately define the risks identified to ensure that they are appropriately understood and scored so that the necessary controls can be highlighted and implemented. The definition of a hazard is something that has the potential to cause harm and a risk is the likelihood that the harm will be caused. In order to ensure that risk are appropriately worded and recorded on the Trust s risk registers the following guidance should be followed. It is acknowledged that risk is inherently negative, implying the possibility of adverse consequences therefore: - Risks should always describe the potential consequences if the risk were to materialise Risks should also describe the causal factors that could make the risk materialise It may be that the risk has more than one consequence and these should be recorded separately so that the risk can be accurately scored and control measures applied. Choose the most appropriate risk descriptor for the identified risk from the left-hand side of the table, then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. Risk Matrix Once the risks are identified and the wording agreed that accurately reflects the issue raised, they are assessed and quantified using two criterion; likelihood of occurrence and consequence outcome. The definitions for the consequence of risk are detailed in Tables 1 and 4 and are provided to enable a degree of consistency to be achieved. Either table can be used to assess the consequence of the risk identified however in general:- Table 1 are for future risks taking into account general knowledge and potential outcomes and Table 4 are for those risks which the Trust has already experienced and there is a history of likelihood The risk descriptors are very specific and can be utalised by practitioners/managers to score incident and then ensure the appropriately management/mitigation is utalised to reduce the impact. Likelihood can be assessed against two sub elements namely:- Frequency where there is evidence and knowledge to determine the frequency or Probability, where there is no current evidence or knowledge to support the assessment of likelihood, table 2 provides guidance to make this judgement. Risk Management Procedural Document Page: Page 24 of 35

25 Risk scoring = Consequence x Likelihood (C x L ) Table 1 Consequence Scores Risk Consequence score (severity levels) and examples of descriptors Risk Descriptors Negligible Minor Moderate Major Catastrophic Harm to patients and/or public (including physical and/or psychological harm) Minimal injury requiring no/minimal intervention or treatment e.g. delay in routine transport for patient Minor injury not requiring first aid or no apparent injury Minor injury or illness, requiring minor intervention Increase in length of hospital stay or treatment by 1-3 days Minor injury or illness, first aid treatment needed 1-2 people affected Moderate injury requiring professional intervention e.g. Vehicle carrying patient involved in a road traffic collision Increase in length of hospital stay or treatment by 4-15 days An event which impacts on a small number of patients Some permanent harm up to a year people affected Possible RIDDOR/MHRA/StEIS reportable incident Major injury leading to long-term incapacity/disability Increase in length of hospital stay or treatment by >15 days Serious mismanagement of patient care with longterm effects people affected Potentially StEIS reportable Death /life threatening harm Multiple permanent injuries or irreversible health effects A significant event which impacts on a large number of patients - more than 50 people affected STEIS reportable Harm to staff and/or contractors (including physical and/or psychological harm) No time off work Minor injury not requiring first aid or no apparent injury No long term consequences Minor injury or illness, first aid treatment needed Anxiety requiring occupational health counseling (no time off work required) Short term staff sickness/absence (less than 3 days off work) 1-2 staff affected Minor element of treatment or service suboptimal Moderate injury or illness requiring hospital treatment/outpatient appointments/assess ment of social care needs Staff sickness more than 3 days off work Possible RIDDOR/ MHRA/StEIS agency reportable incident 3-15 staff affected Treatment or service has significantly reduced quality Major injury or illness requiring long term treatment or community care intervention Long term staff sickness More than 15 staff affected Post-traumatic stress disorder Major quality implications if findings are not acted on Death Life threatening injury or illness Permanent injury/damage/loss of limb/ long term incapacity or disability StEIS Catastophic quality implications if findings are not acted on Quality Minimal disruption to routine organisation activity No long term consequences Single failure to meet internal standards or follow protocols Possible long term consequences Potential damage to Trust reputation Major long term consequences Repeated failure of service to meet professional standards/ practice guidelines/ operational protocols Trust reputation damaged Risk Management Procedural Document Page: Page 25 of 35 Catastrophic long term consequences

26 Clinical Audit (Provision of Clinical Information) No or limited/single disruption to the provision of timely and accurate clinical information across NWAS Meets local clinical audit standards Minor disruption to the provision of timely and accurate clinical information on an individual CBU/ business area Minor discrepancy with local clinical audit standards Reduction in the provision of timely and accurate clinical information in CBU s/ business areas Moderate discrepancy with meeting local clinical audit standards Inconsistent production of timely and accurate clinical information across all CBU s/ business areas Non compliance with local clinical audit standards agreed by NWAS Failure to produce clinical information or participate within any local or national quality frameworks Non compliance with national clinical audit standards Complaint / Concern / Comment Comment and/or concern inquiry (informal) Agreed local resolution Between concerns raised Single failure to meet patient needs Minor implications for patient safety if unresolved Local resolution Repeated failure to meet individual patient needs Moderate patient safety implications if findings are not acted on - injury to patient/potential claim Delay in participation with national and local quality frameworks Major patient safety implications if unresolved Significant risk to patient safety if unresolved Contentious Inquest/ombudsman inquiry Litigation Claim Human resources/ staffing levels No complaint received Risk of claim remote Legal challenge minor out of court settlement Short-term low staffing level that temporarily reduces service quality (less than 1 day) Civil action with or without defence Improvement notice Claim less than 10,000 Low staffing level that reduces the service quality (1-5 days) CNWASs action Criminal prosecution Prohibition notice Claim(s) between 10,000 and 100,000 Late delivery of key objective/service due to lack of staff/capacity Unsafe staffing level (1-2 weeks) Low staff morale Criminal prosecution without defence Executive officer dismissed Claim(s) between 100,000 and 1 million Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level (more than a month) Loss of key staff Very low staff morale Criminal prosecution without defence Executive officer fined or imprisoned Claim(s) > 1 million Non-delivery of key objective/service due to lack of staff Constant ongoing unsafe staffing levels or competence Loss of several key staff Staff Competence Staff are adequately equipped with the appropriate skills, knowledge and competence to undertake their duties Staff attendance at mandatory/ key training Insignificant effect on delivery of service objectives due to failure to maintain professional development or status (less than 10 staff) Minor error due to a lack of appropriate skills, knowledge and competence to undertake duties. Insignificant staff attendance at mandatory/ key training Minor effect on delivery of service objectives due to failure to maintain professional development or status (between staff) Moderate error due to limited skills, knowledge & competence to undertake duties Poor staff attendance for mandatory/key training Moderate effect on delivery of service objectives due to failure to maintain professional development or status (between staff) Serious error due to limited skills, knowledge & competence to undertake duties Regular poor/low attendance at mandatory/key training Major effect on delivery of service objectives due to failure to maintain professional development or status ( between staff) Risk Management Procedural Document Page: Page 26 of 35 Critical error due to limited skills, knowledge & competence to undertake duties Significant/ inconsistant low uptake of attendance at mandatory/key training Significant effect on delivery of service objectives due to failure to maintain professional development or status (more than 250 staff)

27 Statutory duty/ inspections No or minimal impact or breech of guidance/ statutory duty Breech of statutory legislation Reduced performance rating if unresolved Single breech in statutory duty Challenging external recommendations/ improvement notice Enforcement action Multiple breaches in statutory duty Improvement notices Multiple breachesin statutory duty Prosecution Complete systems change required Low performance rating Zero performance rating Critical report Severely critical report Adverse publicity/ reputation/publi c confidence Business programmes/ projects Financial loss /Contracting Service /business interruption Rumours No public/political concern Temporary defects causing minor short term consequences to time and quality Small loss of budget ( 0-5,000) Loss of ability to provide services (interruption of >1 hour) Local media area interest short-term reduction in public confidence Local public/political concern. Elements of public expectation not being met Poor project performance shortfall in area(s) of minor importance (performance may be related to time, cost & quality either singularly or in combination of) Medium financial loss ( 5,000-10,000) Loss of ability to provide services (interruption of >8 hours) Local media interest reduction in public confidence Damage to reputation. Extended local/regional media interest. Regional public/political concern. Poor project performance shortfall in area(s) of secondary importance (performance may be related to time, cost & quality either singularly or in combination of) High financial loss ( 10,000-50,000) Loss of ability to (interruption of >1 day) Regional/national media interest with less than 1 day service well below reasonable public expectation Loss of credibility and confidence in organisation. Independent external enquiry. Significant public/political concern Significant damage to reputation Poor performance in area(s) of critical or primary purpose (performance may be related to time, cost & quality either singularly or in combination of) Major financial loss ( 50, ,000) Purchasers failing to pay on time Loss of ability to provide services (interruption of >1 week) National media interest with more than 1 day service well below reasonable public expectation. MP concerned (questions in Parliament) Full public enquiry Total loss of public confidence in organisation. Major damage to reputation Significant failure of the project to meet its critical or primary purpose Huge financial loss ( 100,000 +) Loss of contract / payment by results Unrecoverable financial loss by end of financial year Permanent loss of service or facility Risk Management Procedural Document Page: Page 27 of 35

28 Information risks Environmental impact Minimal or no loss of records containing person identifiable data. Minimal or no impact on the environment (small spillage or escape of nonclinical or nonharmful material on Trust premises) Loss/compromised security of one record (electronic or paper) containing person identifiable data. Minor impact on environment (spillage or escape of clinical or toxic waste with effects contained within unit or dept) Loss/ compromised security of records (electronic or paper) containing person identifiable data. Moderate impact on environment (spillage or escape of clinical or toxic waste affecting an entire building) Loss/ compromised security of 101+ records (electronic or paper) containing person identifiable data. Major impact on environment (significant spillage or escape of clinical or toxic waste with effects contained to Trust property) Compromised security of a local application / system / facility holding person identifiable data (electronic or paper). Compromised security of an organisation / Trust wide application / system / facility holding person identifiable data (electronic or paper). Catastrophic impact on environment (significant discharge or escape of clinical or toxic waste with widespread effects beyond Trust property) Table 1 Consequence Score (C) What is the likelihood of the consequence occurring? The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency. Table Descriptor Rare Unlikely Possible Likely Almost Certain Frequency Not expected to occur for years Expected to occur at least annually Expected to occur at least monthly Expected to occur at least weekly Expected to occur at least daily Probability Will only occur in exceptional circumstances Unlikely to occur Reasonable chance of occurring Likely to occur More likely to occur than not Table 2 Likelihood score (L) Overall risk score Once the risk has been worded, the consequence and likelihood scores decided, multiply the two scores together to give an overall risk score. This quantifies the risk and its place on the table below indicates the level of risk. Risk Management Procedural Document Page: Page 28 of 35