NHS WEST NORFOLK CLINICAL COMMISSIONING GROUP RISK MANAGEMENT STRATEGY AND POLICY FRAMEWORK

Transcription

1 NHS WEST NORFOLK CLINICAL COMMISSIONING GROUP RISK MANAGEMENT STRATEGY AND POLICY FRAMEWORK

2 DOCUMENT CONTROL SHEET Name of Document: WNCCG Risk Management Strategy & Policy Framework Version: 2.0 Date Of This Version: 4th October 2014 Produced By: What is it for? (Intro) Who is it aimed at and which settings? (Scope) Evidence Base: Jean Clark, Head of Governance NHS West Norfolk CCG is committed to commissioning high quality and safe services and minimising risk exposure to patients and public, to its staff and to itself, by effectively managing clinical, corporate, financial and environmental risks that have the potential to affect the CCG s ability to meet its strategic and business objectives, cause harm or result in losses to finances and assets. All staff who work for the CCG, including employed staff, voluntary staff, contractors, CCG members, Governing Body members Reviewed by Jean Clark, Head of Governance, WNCCG Audit Committee WNCCG Executive Committee Equality Impact Assessment (completed) No adverse impact Consultation (Staff, Trade Unions, Lay Members) Not applicable Approved By (as per scheme of Accountable Officer Delegation) Date Adopted: 16 th October 2014 Dissemination All CCG staff, Governing Body Date Due For Review: September 2015 Evaluation Via: The Audit Committee, Patient Safety & Clinical Quality Committee, Governing Body Head of Internal Audit Opinion Review of GBAF and Corporate Risk Register Annual Governance Statement External and Internal Audit IG toolkit assessment Revision History Revision Date Summary of changes Author(s) Version Number 29/9/14 Refresh of framework, including risk escalation chart, risk appetite, clearer process, linkage to Training Needs Assessment, third party assurance, assurance mapping, separating safeguarding into separate policy. Jean Clark 2.0 Page 2 of 20

3 CONTENTS Part Description Page RISK MANAGEMENT STRATEGY 1 CONTEXT 4 2 STRATEGY AIMS AND OBJECTIVES SCOPE OF STRATEGY 4 4 IMPLEMENTING THE STRATEGY 5 5 RESPONSIBILITIES 6 6 MONITORING AND ASSURANCE 7 RISK MANAGEMENT POLICY FRAMEWORK 7 CONTEXT 8 8 PROACTIVE RISK MANAGEMENT 8 9 REACTIVE RISK MANAGEMENT 10 Appendix A Key Steps in Managing Risks 11 Appendix B Risk Escalation Chart 12 Appendix C General Risk Assessment Form 13 Appendix D Risk Rating and Risk Appetite 14 Appendix E Risk Register template 19 Appendix F Key Questions for an audit committee to ask 20 Page 3 of 20

4 1. CONTEXT INTEGRATED RISK MANAGEMENT STRATEGY 1.1. Risk management is the systematic process for identifying, evaluating, managing and mitigating risk and learning from these events to minimise occurrences in the future NHS commissioning organisations face a wide range of strategic, operational, financial and clinical risks, from both internal and external sources, which may prevent them from achieving their objectives Commissioning and providing health services is an inherently risky business and NHS organisations have a legal and moral responsibility to effectively manage risk. Well managed risk taking can bring positive benefits and opportunities to organisations. 2. STRATEGY AIMS AND OBJECTIVES 2.1. Aim NHS West Norfolk CCG is committed to commissioning high quality and safe services and minimising risk exposure to patients and public, to its staff and to itself, by effectively managing clinical, corporate, financial and environmental risks that have the potential to affect the CCG s ability to meet its strategic and business objectives, cause harm or result in losses to finances and assets Objectives To maintain a sound system of internal control, which underpins the Annual Governance Statement To support a positive risk management culture which promotes safety, fosters learning and empowers all staff to make sound judgements and decisions concerning the management of risk To promote an integrated corporate governance approach to the management of risk and organisational performance, in accordance with Turnbull recommendations To ensure that robust risk management, whether financial, clinical or organisation, is fully embedded in all CCG activities, so that risks are mitigated as far as reasonably practicable and managed at the right level of the organisation To ensure that risks associated with the provision of services to its patients are well mitigated by the provider organisations through robust contract management To ensure resources are appropriately directed, thereby maximising value for money for patient services and care To meet all statutory and legal duties with regard risk management, health & safety, information governance etc. 3. SCOPE OF STRATEGY 3.1. This strategy applies to: Page 4 of 20

5 All NHS West Norfolk CCG activities and functions All staff who work for the CCG, including employed staff, voluntary staff, contractors, CCG members, Governing Body members. 4. IMPLEMENTING THE STRATEGY 4.1. NHS West Norfolk CCG will: Promote a clear Integrated Risk Management Framework which supports staff to identify and record risk, to quantify risks in terms of likelihood and consequence and to mitigate risk, in a structured, consistent way and to agree acceptable level of exposure or and/or escalate risks. Risks will have clear ownership Have an agreed organisational risk appetite Employ the three lines of defence model: First Line management assurance from front line or business operational areas Second Line: oversight of management activity, separate from those responsibility for delivery, but not independent of the organisation s management chain Third line: independent and more objective assurance, including the role of internal audit and external bodies Support well managed, positive risk taking and a positive staff attitude to the control of risk Ensure that staff and members are clear about their personal accountability, authority and responsibilities for risk management through appraisal, training and induction. The CCG s Training Needs Analysis (TNA) is linked to the risk management strategy and framework, ensuring training is a robust control Ensure that third parties, including the Commissioning Support Services, operate under the appropriate governance framework and that their risks are managed in accordance with the CCG strategy and policies Have in place clear, up to date Scheme of Delegation, Prime Financial Policies and Standing Orders as part of its Constitution Ensure all major projects, tasks, partnerships and new business/initiatives are risk assessed and risks mitigated to ensure delivery e.g. Quality, Innovation, Productivity and Prevention (QIPP) projects Identify Information Asset Owners (IAO) and Information Asset Administrators (IAA) as part of the Information Governance Framework who will monitor information asset risks Engage internal auditors to carry out risk-based reviews of internal controls, testing to confirm they are operating as intended and thus providing assurance (negative or positive) Page 5 of 20

6 Employ Counter Fraud systems and policies, in line with NHS Protect, supported by the Local Counter Fraud Specialist, and monitored by the Audit Committee Promote a robust incident reporting system, in line with the Incident Management Policy, the Serious Incident Policy, Whistleblowing Policy and Safeguarding Policy, ensuring robust investigation and sharing of lessons learnt and supporting an open and fair no-blame culture Insure against risk through NHS Litigation Authority and ensure that any litigation against the Trust is managed in accordance with the Claim s Policy Have in place robust business continuity plans Provide the resources and support systems necessary to implement this strategy and the Integrated Risk Management Framework 5. RESPONSIBILITIES 5.1. NHS West Norfolk CCG will ensure that appropriate accountabilities and structures are in place to support risk management (see Appendix B) Body Council Of Members Governing Body Accountable Officer Executive Team Audit Committee Patient Safety & Clinical Quality Committee Responsibility Members of the CCG have overall accountability for risk management and systems of internal control throughout the organisation. The Council of Members ensures this accountability is discharged effectively by the Governing Body and its Committees and by CCG staff. Is responsible for risk management as described in the Constitution. It ensures sound systems of internal control are in place to manage risks and reviews assurances via the Assurance Framework (GBAF). As per the Scheme of Delegation, it approves the comprehensive system of internal control, including budgetary control that underpins the effective, efficient and economic operation of the group Has overall responsibility for ensuring NHS West Norfolk CCG meets statutory and legal requirements for risk management. Operational management of risk and management of the Assurance Framework and Corporate Risk Register Provides scrutiny and challenge to the systems of internal control, governance and risk. Uses the assurance framework as the central tool for planning its work and as a key topic for its scrutiny to provide the governing body with assurance.. The Committee operates a programme of deep dives with risk owners Is a committee of the Governing Body and ensures the services commissioned by the CCG are safe, effective, high quality and patient focused, meeting all national standards and legislation. It reviews clinical quality risks and reviews the Corporate Risk Page 6 of 20

7 Register and GBAF. It is responsible for the safeguarding arrangements for the CCG and discusses risks and issues from the Children s & Maternity Commissioning Board Senior Managers Staff Have responsibility for managing risk on a day-to-day basis, keeping live risk registers with formal escalation processes and understanding of risk appetite. They promote risk awareness Have responsibility for their own safety and that of others and a duty to identify and manage risks including clinical, financial and organisational risks, and to escalate significant risks and report incidents. They must participate in mandatory training and other training identified according to their role. 6. MONITORING AND ASSURANCE 6.1. The following monitoring mechanisms will ensure the strategy is implemented: The Audit Committee will receive assurances on risk, internal and external audit, counter fraud and governance and will ensure all auditor recommendations are fully implemented The Head of Internal Audit Opinion will summarise the effectiveness of controls from the work carried out by internal audit each year The Governing Body will review the Assurance Framework at each meeting which will provide sufficient assurances as to the effective mitigation of the CCG s risks The Executive Team will discuss significant operational risks, including QIPP, at each meeting The Patient Safety & Clinical Quality Committee will review all clinical risks, Never Events, Serious Untoward Incidents and Safeguarding issues at each meeting. This committee links to the cluster-wide arrangements for patient safety & clinical quality The Annual Governance Statement (AGS) will review the effectiveness of the system for internal control for the year and any significant control issues that arise during the year. The AGS will be compliant with Treasury and Department of Health Guidance The Council of Members will review the AGS and the effectiveness of the systems of internal control The Governing Body will ensure that there is a clear map of assurances, including from third parties such as the CSU and regularly reviews the quality of these assurances. Page 7 of 20

8 RISK MANAGEMENT POLICY FRAMEWORK 1 CONTEXT 1.1 Risk management is the systematic process for identifying, evaluating, managing and mitigating risk clinical, financial and corporate - and learning from these events to minimise occurrences in the future. 1.2 This framework outlines the practical application of risk management in NHS West Norfolk Clinical Commissioning Group (CCG), supporting a sound system of internal control. 1.3 Members and staff of the CCG have a duty and responsibility to consider the risks involved in what they do. Well managed risk can bring positive benefits and opportunities, ensuring resources are appropriately directed, thereby maximising value for money for patient services. 1.4 Effective risk management is both: Proactive the identification, assessment and evaluation of risk, the evaluation of controls and assurances of the effectiveness of controls, risk treatment and the ongoing monitoring of risk mitigation and Reactive when things go wrong i.e. adverse events - incidents, complaints and claims; identifying a learning action plan feeding back into the risk assessments and registers. 2 PROACTIVE RISK MANAGEMENT 2.1 Each individual/team/committee identifies and assesses risks to the delivery of their objectives. Risks can be clinical, financial or corporate, risks to the delivery of QIPP schemes, risks of joint working with other CCGs or local authorities, risks of delegating to third parties such as the CSU etc. 2.2 Strategic Risks relate to the delivery of the organisation s strategic objectives. They have the highest potential for external impact e.g. an adverse effective on engagement with the wider health ad social care community and with external stakeholders. Examples include risks to services from competitor organisations, technological or societal change and changing patient demographics 2.3 Operational Risks relate to the organisation s on-going day-to-day business delivery e.g. patient safety, staff safety, security, information, finance and litigation. Whilst they may have some external impact, operational risks mostly affect internal functioning and services. Depending on the level of risk involved, operational risks are managed at directorate or committee level. 2.4 Significant operational risks, which are not effectively managed, can have an impact on the delivery of strategic objectives and organisations therefore need to have a process in place to escalate risk as required. 2.5 Risks are assessed/evaluated in terms of likelihood and consequence/impact using a standardised organisational Risk Matrix (Appendix D) 2.6 Controls that are currently in place to manage these risks are identified as are the assurances that these controls are working. Page 8 of 20

9 2.7 Gaps in controls or in assurances are identified and action plans developed to close these gaps (including potential costs, balanced against the cost of the risk occurring, owner and timescale). N.B. risks can be avoided, reduced, transferred or accepted. 2.8 Controls can be Directive e.g. policies, training, risk sharing agreements with other CCGs, Section 75 agreements, Detective e.g. clinical audit, root cause analysis, inventories, reconciliations, or Preventative e.g. limits to decision making such as the scheme of delegation, secure access and passwords etc. 2.9 Assurances need to be specific and include a wide range of independent, internal sources (e.g. NED-led scrutiny committee such as Audit or Remuneration, internal audit, clinical audit, performance data, local counter fraud, serious incident/complaint investigations, IG toolkit evidence etc and external sources (e.g. patient surveys and feedback, benchmarking, CQC, Monitor, External Audit, LINk/HealthWatch, Health & Well Being Board, HOSC etc) Assurances can be negative or positive: Negative assurance: evidence that controls are not working as intended and risks remain unmitigated Positive assurance: confirmation that risks are mitigated by the controls with firm evidence to show that the organisation is reasonable managing its risks and that strategic objectives are being delivered 2.11 Each risk is allocated a risk owner whose responsibility it is to ensure the risk is mitigated to the agreed target level as quickly as possible Risks are documented in a Risk Register (Appendix C), including detailed action plans for mitigation, which is updated regularly. Governing Body Assurance Framework (GBAF): focuses on key strategic risks and operational risks that exceed the risk appetite and therefore impact on delivery of strategic objectives. It is used by the Governing Body as its main tool for discharging the responsibility for internal control. Corporate Risk Register (CRR): focuses on the significant operational risks 2.13 The Governing Body agrees organisational risk appetite (Appendix D). Residual/accepted risk is either small enough to have an immaterial effect on the achievement of objectives or a significant risk that has been well mitigated. Residual risks should continue to be reviewed periodically Appendix B shows how risks are escalated and de-escalated in relation to risk appetite and target mitigation 2.15 All new initiatives, major projects, activities are assessed for risk and incorporated into risk management structures e.g. QIPP, Information Asset Registers etc. Risks that exceed the agreed risk appetite are escalated to the Corporate Risk Register or GBAF as necessitated by the risk rating score (Appendix B) 2.16 Governing Body Sub-Committees review risk mitigation e.g. Patient Safety & Clinical Quality Committee reviews clinical risks, Information Governance Committee reviews IG and Information Asset risks. Committees operate a dip test, requiring close scrutiny of any risk which has remained unchanged above its target level for more than three months. Page 9 of 20

10 2.17 The Audit Committee provides scrutiny and challenge to the implementation of the risk strategy and framework and to the systems of internal control in operation throughout the CCG. The Committee calls risk owners to account to review the effectiveness of controls and the reliability of assurances on controls. 1. REACTIVE RISK MANAGEMENT 9.1 All incidents, near misses and complaints are reported and robustly investigated in order to reduce the risk of recurrence. 9.2 Provider complaints, patient feedback, serious incidents, safeguarding issues, never events and early warning indicators are reviewed by the Patient Safety & Clinical Quality Committee and issues are raised at contract meetings. 9.3 Learning from adverse events informs risk ratings. Page 10 of 20

11 Appendix A - Key Steps in Managing Risks Stages Description 1 Establish the context Define the activity, and consider the goals and objectives. 2 Identify the risk Identify the risk what could happen, how could it happen and what would be the consequence 3 Analyse and assess the risk 4 Evaluate and prioritise the risk Consider how the risk could occur, what would be the effect and how could they be removed or reduced. Score the risk based on likelihood and consequence to identify the significance of the risk/reporting requirements. Consider controls currently in place, assurances as to whether these are working and any gaps in control. Evaluate in light of the significance and quantify any further options for reducing risk, including cost/benefit analysis to identify the preferred course of action. Agree risk rating threshold = Target Risk Rating, based on the risk appetite for that risk (see Appendix D) 5 Risk treatment and control Develop and implement risk reduction action plans depending on risk appetite: Avoid: do not proceed with activity Reduce: or control likelihood and/or consequence Transfer: arrange for another party to risk share Accept: some risk may be minimal and retention acceptable Think: Preventative, directive, detective controls Ensure controls are relevant to the risk and applied consistently over time 6 Monitor and review Monitor the risk impact, the effectiveness of the action and whether the risk priority changes. Escalate/de-escalate as necessary in line with risk appetite. 7 Communicate and consult Identify who needs to know, who is affected, and communicate/consult accordingly. 8 Learning All incidents and near misses shall be reported via the Incident Management Policy. Learning from adverse events will reduce the risk of recurrence, and will be informed by learning from successes as well. Page 11 of 20

12 Appendix B Risk Escalation Chart Encompasses the three lines of defence approach of ownership by frontline staff, accountability by executive and scrutiny by the Governing Body and its Audit Committee. Audit Committee Provides scrutiny of Risk framework GBAF Governing Body Reviews strategic risks and assurances on risk mitigation Risk exceeds risk appetite Corporate Risk Register Executive Team & Patient Safety & Clinical Quality Committee Reviews operational risks and clinical risks respectively Risk identification, assessment and peer challenge Risk decreases to threshold of risk appetite or target mitigation Risk exceeds risk appetite Programme Risk Registers e.g. SRG, Alliance, QIPP, IAOs, Commissioning Boards review operational risks Risk identification, assessment and peer challenge Staff and members can identify risks for assessment and inclusion on risk registers Risk decreases to threshold of risk appetite or target mitigation Page 12 of 20

13 Appendix C - General Risk Assessment Form Risk Assessment No Site/Locality Date Assessment undertaken Assessor Name Review Date Risk Rating quantified in terms of Likelihood and Consequence (L x C) (refer to detailed risk descriptors) Description of Hazard & Risk Hazard = Anything with the potential to do harm Risk = The likelihood of that harm occurring Who might be harmed? Existing controls Risk Rating (L x C) Mitigation Action plan Time scale Lead Page 13 of 20

14 Appendix D - Risk Rating and Risk Appetite Step 1 Look at what is being assessed and ask the question: what is the likelihood of the risk occuring? Use the table to determine the likelihood score(s) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project or a patient care episode. If it is not possible to determine a numerical probability then use the probability descriptions to determine the most appropriate score If in doubt grade UP not down LIKELIHOOD of event happening Likelihood score 1- Rare 2 - Unlikely 3 - Possible 4 - Likely 5 - Almost certain How often might it/does it happen This will probably never happen/recur Less than 0.1% chance of happening Do not expect it to happen/recur but is possible Between 0.1% - 1% chance of happening Might happen or recur occasionally Between 1-10% chance of happening Will probably happen/recur but it is not a persisting issue Between 10-50% chance of happening Will undoubtedly happen/recur,possibly frequently Over 50% chance of happening Do not expect to happen for years Annual occurrence Expect to happen monthly Expect to happen weekly Expect to happen daily Step 2 If risk occurs, what is the likely consequence/severity to persons, service, organisation? Use the table of risk descriptors below. Choose the most appropriate domain for the identified risk from the left hand side of the table, then work along the columns in same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. If in doubt grade UP not down. CONSEQUENCE/ SEVERITY Of The Event Occurring Domains 1 - Negligible 2 - Minor 3 - Moderate 4 - Major 5 - Catastrophic Impact on the safety of patients, staff or Minimal injury requiring no/minimal Minor injury or illness, requiring minor Moderate injury requiring professional Major injury leading to long-term Incident leading to death Page 14 of 20

15 public (physical/psychologic al harm) Quality/complaints/ audit intervention or treatment. No time off work Peripheral element of treatment or service suboptimal intervention intervention incapacity/disability Requiring time off work for >3 days Increase in length of hospital stay by 1-3 days Overall treatment or service suboptimal Requiring time off work for 4-14 days Increase in length of hospital stay by 4-15 days RIDDOR/agency reportable incident An event which impacts on a small number of patients Treatment or service has significantly reduced effectiveness Requiring time off work for >14 days Increase in length of hospital stay by >15 days Mismanagement of patient care with longterm effects Non-compliance with national standards with significant risk to patients if unresolved Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients Totally unacceptable level or quality of treatment/service Informal complaint/inquiry Formal complaint (stage 1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Reduced performance rating if unresolved Formal complaint (stage 2) complaint Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Major patient safety implications if findings are not acted on Multiple complaints/ independent review Low performance rating Critical report Gross failure of patient safety if findings not acted on Inquest/ombudsman inquiry Gross failure to meet national standards Page 15 of 20

16 Human resources/ organisational development/staffing/ competence Statutory duty/ inspections Adverse publicity/ reputation Short-term low staffing level that temporarily reduces service quality (< 1 day) No or minimal impact or breech of guidance/ statutory duty Rumours Potential for public concern Low staffing level that reduces the service quality Breech of statutory legislation Reduced performance rating if unresolved Local media coverage Short-term reduction in public confidence Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Non-delivery of key objective/service due to lack of staff Ongoing unsafe staffing levels or competence Low staff morale Loss of key staff Loss of several key staff Poor staff attendance for mandatory/key training Very low staff morale Single breech in statutory duty Challenging external recommendations/ improvement notice Local media coverage Long-term reduction in public confidence No staff attending mandatory/ key training Enforcement action Multiple breeches in statutory duty Improvement notices Low performance rating Critical report National media coverage with <3 days service well below reasonable public expectation No staff attending mandatory training /key training on an ongoing basis Multiple breeches in statutory duty Prosecution Complete systems change required Zero performance rating Severely critical report National media coverage with >3 days service well below reasonable public expectation. MP concerned Total loss of public confidence Page 16 of 20

17 Business objectives/ projects Insignificant cost increase/ schedule slippage Elements of public expectation not met <5 per cent over project budget 5 10 per cent over project budget Non-compliance with national per cent over project budget Incident leading >25 per cent over project budget Schedule slippage Schedule slippage Schedule slippage Schedule slippage Key objectives not met Key objectives not met Finance including claims Service/business interruption Environmental impact Small loss Risk of claim remote Loss/interruption of >1 hour Minimal or no impact on the environment Loss of per cent of budget Claim less than 10,000 Loss/interruption of >8 hours Minor impact on environment Loss of per cent of budget Claim(s) between 10,000 and 100,000 Loss/interruption of >1 day Moderate impact on environment Uncertain delivery of key objective/loss of per cent of budget Claim(s) between 100,000 and 1 million Purchasers failing to pay on time Loss/interruption of >1 week Major impact on environment Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Claim(s) > 1 million Permanent loss of service or facility Catastrophic impact on environment Step 3 Calculate the risk score the risk multiplying the consequence by the likelihood: consequence x likelihood = risk rating: RISK MATRIX Likelihood Consequence 1 Rare 2 - Unlikely 3 Possible 4 Likely 5 Almost Certain 1 Negligible Minor Moderate Major Catastrophic Page 17 of 20

18 Step 4 Identify the existing controls that are in place, assess their adequacy and then score the residual risk as above. Step 5 Take action according to the risk appetite as described below: Low risk 1-3 The CCG accepts risks in this category that are likely to result in identified impact. Moderate risk 4-6 The CCG is willing to accept risks that may result in identified impact. Significant risk 8-12 The CCG is willing to accept some risks in certain circumstances High risk The CCG is not willing to accept any risk under any circumstances Normal risks which can be managed by routine procedures Responsibility for assessment and action planning allocated to a named individual Urgent senior management attention needed with action plan Immediate action required by an Executive Director/Governing Body member i.e. If a risk s residual score is higher than the risk appetite, more will need to be done to manage the risk and this may require additional resources. If the risk s residual score is the same as or lower than the risk appetite, the risk will be considered tolerable (although it will continue to be monitored if risk-rated at a 4 or above). Page 18 of 20

19 Appendix E Risk Register template Team/Committee Lead Date Date of Review Risk Rating quantified in terms of Likelihood and Consequence (L x C) (refer to detailed risk descriptors) Corporate Objective Ref Description of Risk (what can happen and how it can impact) Risk Rating (LxC) Existing Controls (to reduce likelihood of risk happening) Assurances of Controls Current Risk Rating (L x C) Target Risk Rating (LxC) Gaps in controls Progress with timebound action plan to fill gaps/achiev e target risk rating Lead Page 19 of 20

20 Appendix F Key Questions for an Audit Committee to ask Taken from the HM Treasury Audit and Risk Assurance Committee Handbook This list of questions is not intended to be exhaustive or restrictive nor should it be treated as a tick list substituting for detailed consideration of the issues it raises. Rather it is intended to act as a prompt to help an Audit and Risk Assurance Committee ensure that their work is comprehensive. On the strategic processes for risk and control, how do we know that: the risk management culture is appropriate? the board has clearly articulated and communicated its risk appetite? there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable? the Risk Register is an appropriate reflection of the risks facing the organisation? appropriate ownership of risk in place? management has an appropriate view of how effective the control environment is? risk management is carried out in a way that really benefits the organisation or is it treated as a box ticking exercise? the organisation as a whole is aware of the importance of risk management and of the organisation s risk priorities? the system of control will provide timely indicators of things going wrong? On risk management processes, how do we know: how senior management and Ministers support and promote risk management? how well people are equipped and supported to manage risk well? that there is a clear risk strategy and policies? that there are effective arrangements for managing risks with partners? that the organisation s processes incorporate effective risk management? if risks are handled well, considering: key strategic risks can change very quickly? scenario planning and stress testing? bubbling under risks? the risk focus is wide enough? considers external and emerging risks? reviews financial risks and non-financial risks? if risk management contributes to achieving outcomes? that management are regularly reviewing top risks? Page 20 of 20