RISK MANAGEMENT PROCEDURE GUIDANCE


1 RISK MANAGEMENT PROCEDURE GUIDANCE East and North Hertfordshire Clinical Commissioning Group Page 1 of 25

DOCUMENT CONTROL SHEET

Document Owner: Director of Nursing and Quality
Document Author(s): Company Secretary, Head of Risk Management
Version: 2.4 FINAL
Directorate: Nursing and Quality
Approved By: Governance and Audit Committee
Date of Approval: 31 March 2016
Date of Review: November 2016

Change History (Version; Date; Reviewer(s); Revision Description):
1.0 Final; March 2013; Helen Edmondson, Associate Director of Governance and Corporate Affairs; New CCG document, updated from PCT version
1.1 Draft; July 2014; Mel Brown, Governance Lead; Updated to reflect current processes
1.2 Draft; October 2014; Jas Dosanjh, Head of Risk Management; Processes re-defined, risk thresholds determined
2.0 Final; 12 November; Jas Dosanjh, Head of Risk Management; Governance and Audit Committee approval, with minor amendments
Draft; September; Jas Dosanjh, Head of Risk Management; Local risk assessment and reporting clarified
Final; 06 October 2015; Jas Dosanjh, Head of Risk Management; Amendments approved by Executive Team and addition of Appendix 2
2.3; January 2016; Jas Dosanjh, Head of Risk Management; Minor amendments following internal audit
2.4; March 2016; R Steadman, Interim Head of Risk Management; Minor amendments

Implementation Plan:

Development/Consultation: Governance and Corporate Affairs Team; Executive Team

Dissemination: Staff can access this policy via the intranet and will be notified of new/revised versions via the staff briefing. This policy will be included in CCG Publication Scheme in compliance with the Freedom of Information Act

Training: Senior and line managers have responsibility to support staff in implementing good risk management practice. Training on the use of the Risk Management Framework is provided in accordance with the Training Needs Analysis. Further training can be arranged on request to the Governance and Corporate Affairs Team.

Monitoring: The RCAD process and Strategic Risk Register are main means by which the risk and control profiles of the CCG will be monitored, up-dated and reported. This will be undertaken at least quarterly.

The CCG will measure its performance with regard to the:
- risk management action plans,
- effectiveness of the implementation of this policy,
- effective development of a positive risk management culture.

Responsibility for monitoring identified key risks, the effectiveness of current controls and the progress of mitigating actions is that of the risk owner. The risk owner is supported in doing this by other monitoring/assurance processes and oversight exercised by the Head of Risk Management, Internal Audit, other supporting functions, the Executive Team and Governance and Audit Committee.

Monitoring and assurance processes and activities undertaken by the risk owner will be subject to review by the Executive Team and Internal Audit. An annual review of the effectiveness of risk management arrangements will be undertaken by Internal Audit.

Each Directorate will determine the most appropriate means of risk and control monitoring within its area of responsibility. The effectiveness of Directorate risk and control monitoring will be assessed by the Head of Risk Management and/or Internal Audit on a periodic basis.

Review: The CCG will periodically review the risk management arrangements, including the elements of planning, organisation control and monitoring to ensure that the whole system remains effective.

Equality and Diversity: 30/10/ Equality Impact Assessment (Appendix 3); 30/10/ Privacy Impact Assessment (Appendix 4)

Associated Documents: Risk Management Procedure Guidance; Serious Incidents Requiring Investigation Policy

References:
- National Patient Safety Agency (April 2004) Seven Steps to Patient Safety: An Overview Guide for NHS Staff [Online] National Patient Safety Agency Available from:
- Department of Health (June 2012) The Functions of Clinical Commissioning Groups
- Department of Health (December 2011) The NHS Outcomes Framework 2012

Contents

Introduction
Scope
Purpose
Definitions
Role and Responsibilities
Risk Assessment and Reporting Process
Risk Identification
Assessing Inherent Risk Profile
Identifying Existing Controls and Gaps
Identifying Assurances
Assessing Current Risk Profile Controls Evaluation
Identifying Further Mitigation Actions
Assessing Target Risk Profile
Risk Reporting and Monitoring
Closure of Risks
Appendix 1 Risk Scoring Guidance (Impact and Likelihood)
Appendix 2 Risk Reporting Arrangements
Appendix 3 Equality Impact Assessment Stage 1 Screening
Appendix 4 Privacy Impact Assessment Stage 1 Screening

1.0 Introduction

The NHS East and North Hertfordshire Clinical Commissioning Group (the CCG) is an organisation that is committed to the commissioning of high quality, cost efficient, effective and safe healthcare services for the population(s) it serves. In doing so, the CCG recognises that it will face all manner of risks. This guidance has been prepared to both supplement and assist the practical application of the CCG's Risk Management Framework (the Framework).

2.0 Scope

The Framework sets out the risk management approach and structure established for the purpose of managing risk across the CCG. This guidance complements the Framework. However, it is not intended to be a complete set of detailed instructions on how risk is managed across the CCG; its effective application is instead built on the grounds of accountability and thinking by those responsible for, or contributing to, the management of risk across the CCG. Guidance on the application of this framework should, in the first instance, be sought from the Head of Risk Management.

The following diagram sets out the main components of the CCG Risk Management Framework.

3.0 Purpose

The purpose of this guidance is to:
- Outline the CCG's risk management structure,
- Highlight the responsibilities of all staff for the management of risks on a day to day basis,
- Define the risk assessment process, risk identification and management requirements on all parts of the CCG.

4.0 Definitions

4.1 Risk
Risk is the combination of the likelihood of an event and its impact. Impact may range from positive to negative.

4.2 Risk Assessment
A systematic method of identifying and prioritizing risks and then determining the most appropriate risk response.

4.3 Primary Risks
Risks that score 16 and above (Red Zone Risks) following assessment of their Current Risk Profile.

4.4 Principal Risks
Amber and Red zone risks with a score of 12 and above, following assessment of their Current Risk Profile.

4.5 Strategic Risk Register
A summary of key risks that the CCG faces in delivering its objectives.

4.6 Risk, Controls and Assurance Dashboard (RCAD)
This is a tool that enables the CCG to have an understanding of its risk profile, and the effectiveness of controls to mitigate the risks.

4.7 Risk Appetite
The amount and type of risk that the CCG is willing to take on in pursuit of its strategic objectives and as determined by the Governing Body (see Risk Management Framework).

5.0 Role and Responsibilities

The risk management roles and responsibilities of the CCG's key risk management stakeholders are defined below, although they are not intended to replace existing accountabilities, nor are they an exhaustive list of tasks to be undertaken.

5.1 Governing Body:
- Must be satisfied that the key and emerging risks to the CCG have been identified and managed appropriately.
- Approves the Annual Governance Statement.
- Reviews and approves the level of risk that the CCG takes on.
- Reviews, in accordance with the Annual Cycle of Business, risk reporting via the Strategic Risk Register and monitoring of Primary Risks from the RCAD, including any ad-hoc escalated risk information.
- Exercises challenge of key risks and current control effectiveness.
- Reviews an annual report from the Governance and Audit Committee on the adequacy and effectiveness of the CCG's Management of Risk.

5.2 Governance and Audit Committee:
- Advises the Governing Body on the outcome of their quarterly Review of the Strategic Risk Register and Risk, Controls and Assurance Dashboard.
- Reviews and approves risk based internal and external audit plans.
- Receives and considers reports from compliance, internal and external audit in relation to risk issues.
- Reviews, in accordance with the Annual Cycle of Business, risk reporting and any ad-hoc risk escalation, including the Strategic Risk Register and Principal Risks via the RCAD.
- Reviews the Annual Governance Statement.

5.3 Quality Committee

The role of the committee is to work to ensure that commissioned services are being delivered in a high quality and safe manner, ensuring that quality sits at the heart of everything the CCG does. This could be extended to include jointly commissioned services.

The remit of the committee is to bring together information from a variety of sources, including the risk management framework (i.e. via a review of the RCAD) with regards to issues or alerts associated with the quality of the care commissioned, and to triangulate or critically review this for action by the CCG, the commissioning support organisation or providers from whom the CCG commissions.

The committee will support the Audit and Governance Committee by providing assurance and information on quality, so as to enable the Audit and Governance Committee to fulfil its role and responsibility.

5.4 Chief Executive:
- Ensures that all parts of the business implement the CCG's Risk Management Framework.
- Fosters a culture of open discussion and debate, promotes risk owner accountability and a risk aware culture.
- Ensures the Executive Team members' personal objectives have an appropriate focus on risk and risk management.
- Manages opportunity and risk commensurate with the CCG's business and risk appetite.

5.5 Executive Team

The Executive Team plays a key role in providing assurance to the Governing Body and Governance and Audit Committee on the effectiveness of the Framework, its application and the management of key risk areas through on-going monitoring. The Executive Team will be supported in its monitoring role by the Head of Risk Management.

The Executive Team will:
- Ensure that key and emerging strategic risks are identified, assessed and managed by undertaking on-going analysis of risk information to assess risk criticality, common themes and trends and identify areas of emerging risk requiring further quantification or scenario analysis,
- Ensure that there is an appropriate organisation and reporting structure in place to support the delivery and execution of the CCG's Risk Management Framework, by developing and maintaining appropriate analysis to review risk aggregation and provide risk analysis of common themes and trends,
- Promote a risk aware culture and an environment that creates positive risk taking behaviour and clear accountability,
- Monitor the overall level of risk assumed by the CCG and the effectiveness of risk assessment, risk mitigation strategies and internal control processes for key risks identified, including monitoring progress of critical risk mitigation and the implementation and maintenance of reliant key controls,
- Receive and review updates and recommendations from the Head of Risk Management on the management of significant risk and the effectiveness of the risk management process inclusive of the ownership of risk within the organisation,
- Request the attendance of the CCG's management and risk owners at meetings and receive presentations on specific key risks and framework application effectiveness,
- Ensure all major contracts have an appropriate consideration of risk exposure factored into the selection process.

5.6 Company Secretary:
- Develops, implements, maintains and evolves the Framework taking account of evolving good industry/regulatory practice.
- Oversees the application and on-going use of the Framework.
- Monitors the overall level of risk assumed by the CCG and the strength of the control environment.
- Production of the Annual Governance Statement.

5.7 Head of Risk Management:
- Facilitates risk identification and assessment with Executive Team.
- Raises risk and risk management awareness and understanding at all levels.
- Provides summary, regular (through RCAD) and ad-hoc reporting on key business risks, control strength, the risk environment, progress of critical action and risk process effectiveness (business and delivery risk) to the Executive Team, Governance and Audit Committee and Board.

- Attends the Executive Team as required to provide an on-going view of risk management performance.
- Provides on-going risk management advice and training to all parts of the business.

5.8 Internal Audit:
- Develops risk based annual internal audit plans.
- Reviews the effectiveness of controls in place to manage key risks identified.
- Provides an annual review and opinion on the effectiveness of the CCG's risk management arrangements by reviewing the Framework and its application on behalf of the Governance and Audit Committee and report findings.

5.9 Directorates

Each Directorate must ensure that any risks potentially impacting their service provision are identified, assessed and reported based on the corporate approach as defined within this document. Specifically, actions include:
- Identify and assess key risks within the business Directorate (and wider) for management through the RCAD process,
- Take ownership of key risks as directed by the Executive Team,
- Oversee the progress of actions to manage risks identified and ensure the risks are kept up to date, with a review during directorate/team meetings at least quarterly,
- Ensure teams within area of responsibility put into practice the requirements of the Framework and hold them to account for this as appropriate,
- Attend risk oversight forums as directed to discuss risks in relation to own area of responsibility and framework application,
- Ensure personal objectives have an appropriate focus on risk and risk management,
- Ensure appropriate resources are in place to deliver the requirements of the Framework effectively within area of responsibility,

- Sponsor a culture of risk awareness and positive team behaviour in relation to risk and risk management,
- Review and challenge key risks, control effectiveness and the progress of mitigation actions through on-going dialogue,
- Conduct ad-hoc emerging risk identification sessions with teams.

Programme Office

The Programme Office is part of the Commissioning Directorate and is managed by the Head of Programme Office. Each project has an assigned Project Manager to enable objectives to be met, and the reporting of project specific risks is based on the corporate approach as defined within this document. Specifically, actions include:
- Project Initiation Documents capture risks that could potentially impact upon the delivery of the project,
- Once the project has been agreed, the relevant risks are transferred to the Project Risk Register,
- Project risks are included within the Project Highlight Report update and are reviewed by each stakeholder group with a lead Director,
- Projects are reviewed at the Organisational Performance Delivery meetings on a 3 to 4 monthly basis and significant risks and issues are highlighted through these updates.

Information Risk Management ICT

The Information Governance Policy, incorporating the Information Governance Framework and Strategy, and the Information Security Policy provide details of the role of the Senior Information Risk Owner (SIRO) as being responsible for the organisation's information risk management.

The CCG's ICT function is provided via Hertfordshire, Bedford and Luton (HBL) ICT Shared Services, who also provide services to other NHS providers/CCGs within HBL. The ICT risk management function is managed centrally via the ICT Shared Services Board.

Risk Owners:
- Ensure compliance to the Framework in respect of owned risk, escalation, reporting and monitoring.

- Oversee the delivery of key action plans agreed with action owners.
- Ensure the risk owned is kept up to date at all times.
- Monitor the status of owned risks with a particular focus on monitoring circumstances that may alter the severity of risks.

All staff:
- Awareness of the requirements of the Framework.
- Identify and escalate risk; exercise a duty of care.

6.0 Risk Assessment and Reporting Process

The CCG's risk assessment process consists of the following key steps; this is a continuous process.

6.1 Risk Identification

Risk identification and assessment is an on-going activity across all parts of the CCG driven through the following:
- Strategic Risk Register, and
- Risk, Controls and Assurance Dashboard process.

Both are essential in ensuring that our organisation remains successful as the risk and environment around us changes. This section defines our risk assessment process and the risk identification, assessment and management requirements it places on all parts of the CCG.

Identifying risks to our business

The first and perhaps most important task in developing the CCG risk profile is to identify the key and emerging risks to our business. Each Directorate must ensure that risk identification is sufficient to capture all significant risks from within their area of the business. The outputs of this risk identification must be managed through the RCAD process and where applicable escalated to the Strategic Risk Register.

The Framework requires that we carefully consider the risk, principal causes that may give rise to the risk and the effects for the CCG should the risk materialise. The words that are used to describe risk, cause and effect are important and must be reflected accurately to help determine risk severity and how risks can best be mitigated.

The CCG will undertake proactive risk identification exercises, including but not limited to:
- Top-down assessment of strategic risks facilitated by the Company Secretary and the Head of Risk Management, involving the Governing Body, Executive Team and wider management, as required,
- Bottom-up risk reporting and risk discussions at a local level, supported by the Company Secretary and the Head of Risk Management as required, to ensure a consistent approach across the Directorates,
- Project risks identified by the Programme Office via the Project Initiation Documentation and on-going review against the delivery and success factors of the project,

- Assessment of emerging risk areas and horizon scanning coordinated by the Company Secretary and the Head of Risk Management, in conjunction with the Executive Team, as well as through the RCAD process,
- Risk identification to support business planning and the determination of strategic priorities.

When risk has been identified and described, risk ownership needs to be agreed and assigned. A member of the Executive Team will typically own each strategic risk. The role of the risk owner is described in Section

Assessing Inherent Risk Profile

When a risk has been identified the risk owner will need to make an assessment about the potential severity of the risk should it occur. Inherent risk is the level of risk the CCG takes on prior to the influence of existing or proposed controls. It is important that we understand inherent risk as this better reflects the level of exposure we face should risks materialise. This assessment is made by considering both the likelihood of the risk occurring and its potential impact on our business.

A set of common risk assessment criteria has been developed, in line with the CCG's tolerance for risk, and should be used to assess both impact and likelihood. An assessment of 1 to 5 for both impact and likelihood should be made for all risks. The assessment of inherent impact and likelihood will combine to provide an Inherent risk severity.

Appendix 1 provides risk descriptors for determining the risk profile (impact/likelihood) to help ensure that the risks are scored consistently.

6.3 Identifying Existing Controls and Gaps

Having identified key risks and assessed the severity, we must be clear on the high level, key existing controls and processes that are in place to manage each risk. Existing controls should be identified and documented. For the avoidance of doubt, existing controls are controls, processes and policies that are currently in place and working. Controls in the process of being implemented are considered to be actions. There are likely to be multiple high level controls in place for each risk identified.

6.4 Identifying Assurances

In addition, the team or individual that provides primary oversight over the control, with the key sources of assurance that are in place, should be documented. In doing so, the risk owner should consider management oversight and review, as well as reviews undertaken by internal audit, compliance audits, health and safety audits and other more formal assurance processes. This will allow the CCG to review the adequacy of assurance in relation to assessed risk severity and determine the nature and level of assurance that needs to be provided. See sections on the strategic risk register and RCAD.

6.5 Assessing Current Risk Profile Controls Evaluation

The assessment of current impact and likelihood will combine to provide the current risk severity (using the Matrix in section 6.2).

Assessing the effectiveness of current controls is subjective but nevertheless an important part of the risk assessment process, as it helps to determine both the need for further mitigation and the key controls that we rely upon most. Documenting the current controls ensures that there is a clear indication of what is being relied upon to prevent the risk from being realised. This is achieved initially in outline via the RCAD process, then in more detail as a strategic risk register entry.

An inherent part of the risk assessment process includes evaluating the effectiveness of risk controls. This allows for a combination of effectiveness of controls design and application as well as assurance, i.e. how we know that the control is effective.

6.6 Identifying Further Mitigating Actions

The residual severity of the risk will help to identify whether action is required to further mitigate risk to a level that we are comfortable with, based on a clear appreciation of risk appetite and tolerance that is set by the Governing Body and reflected in the risk assessment criteria. Where residual risk is assessed and action is required, a plan will be put in place to ensure that the action is implemented.

There are four types of risk response that should be considered in determining the required action.

Terminate: Terminating or avoiding the activity or circumstance that gives rise to the risk or by choosing another approach with a lower risk.

Treat: Implementing controls and other mitigation actions (including contingency plans) that will reduce the likelihood and impact of risks identified.

Tolerate: Accepting the consequences of the risk should it occur. This may be appropriate when the resources required to reduce the risk in other ways exceed the consequences of the risk occurring. If a risk is accepted, a contingency plan will be of increased importance.

Transfer: Transferring the risk by sharing it with or passing it to suppliers, customers or contractors including the use of insurance and defined liability contracts. In practice, it is more likely that only some elements of a risk can be passed on, for example financial implications. Reputation risk is more likely to be retained.

Action Owners must be assigned for all actions deemed appropriate together with timeframes/deadlines for action completion. Actions and timeframes will be reviewed and challenged by the Head of Risk Management and at the Executive Team where risks are assessed as Very High or High. Risk owners / Risk Action Owners are required to update an action status assessment for all actions agreed through the RCAD process.

The need for further risk mitigation must be considered in the context of the CCG's risk appetite principles. It is not the intention of this framework to remove all risks or to manage risks to a low assessment. The CCG needs to take informed risks in order to be successful, and therefore allocating further resource to mitigate assessed residual risk that is already within our view of acceptability does not always best serve to support the achievement of our business objectives. Risk owners must give clear consideration to action priority and ensure that risk mitigation is prioritised on the basis of ease, cost and impact of implementation.

6.7 Assessing Target Risk Profile

The RCAD process also identifies the target level of risk. The target level of risk is the risk's profile following the application of existing controls, assurances and additional actions to mitigate the risk. The assessment of target impact and likelihood will combine to provide the agreed target risk severity that is acceptable (using the Matrix in section 6.2).

Escalating Risks

A combination of the current risk profile and the target risk severity assessment will define the need for escalating risk through the RCAD process and potentially the Strategic Risk Register. A Primary Risk (Red Zone) will require more immediate action, although this should by no means encourage a lower severity rating. Initial responsibility for escalating risks rests with the individual identifying the risk and subsequently with their line manager, in conjunction with the Head of Risk Management.

6.8 Risk Reporting and Monitoring

The emphasis of the CCG's Risk Management Framework is very much focused on continuous proactive engagement on key risk issues as part of everyday business management. One output of this is the on-going process of reporting risks and controls. Reporting of risk and control information is not a one way process, as it promotes oversight, challenge and business engagement that seeks to improve risk and performance.

The Framework requires a combination of formal reporting and risk specific reporting based on risk severity or specific instruction from the Governing Body, Governance and Audit Committee, and the Executive Team (as outlined in section 5; also see Appendix 2).

Strategic Risk Register

The strategic risk register contains those key risks that by their nature could have a fundamental detrimental effect on the CCG's objectives. It is up-dated through monitoring and evaluation of the CCG risk environment by the Executive Team as well as outputs of the RCAD process.

The CCG uses a Strategic Risk Register for capturing and documenting for each key risk identified:
- the assessment of risk severity via a combination of impact and likelihood,
- existing key controls,
- assurances,
- actions underway, and
- risk and action ownership.

These strategic risks are aligned with the CCG's strategic objectives, recognising that one risk may impact on the achievement of several objectives. This will be demonstrated via a strategic risk and objective correlation exercise, which will be kept under review as part of the ongoing risk monitoring arrangements by the Executive Team.

Risk, Controls and Assurance Dashboard (RCAD)

Use of the RCAD enables the CCG to have an understanding of its risk profile and the effectiveness of management controls that mitigate the risk, making use of assurances provided. The main point of the RCAD approach is to ensure that risks are actively managed by those responsible. By ensuring that the risk is managed at the level at which it exists, it avoids unnecessary elevation of the risk and increases accountability amongst those responsible for managing risk. This also ensures that the Strategic Risk Register includes only exceptional risks that need to be managed and continually monitored rather than business as usual items.

The objectives of the RCAD are to:
- Use a systematic approach to provide an overall understanding of the CCG's risk exposure and level of assurance over the effectiveness of the control environment in the CCG's key activities/functions,
- Provide a basis for early warnings, and
- Identify actions for improvement (above and beyond those already identified / being pursued).

The RCAD approach and process is reliant on those assigned ownership of key processes acknowledging and taking professional responsibility for the management of the risk. The RCAD approach and up-date will be facilitated by the CCG Head of Risk Management, therefore providing for objective check and challenge as well as ongoing guidance to assist with embedding.

For each risk an owner is identified. The owner will be responsible for keeping this activity under review and providing an evaluation of the associated risk with the Head of Risk Management. The outcomes of the evaluation will be reported via the RCAD process.

Directorate Risk Registers

The Directorate Risk Registers are accessed by using the filter within the RCAD to generate a register for the specific Directorates, which are reviewed during their meetings. Progress against the actions to mitigate the risks are recorded and centrally reported via the RCAD process.

Project Risk Register

The Project Risk Register combines the potential risks from each of the open project strands that are managed by the Programme Office. The Project Highlight Report is reviewed by each stakeholder group with a lead Director, and this includes an overview of the project status with issues and risks. Project updates are reviewed at the Organisational Performance Delivery meetings on a three to four monthly basis and significant risks and issues are highlighted through these updates.

Risks that have been assessed to have a rating of 12 or above will be reviewed by the Assistant/Associate Director for the project. Where the impact and likelihood are high, the Director will escalate the risk as a corporate risk for addition to the RCAD.

6.9 Closure of Risks

Risks can be considered for closure if the risk no longer applies (i.e. the process that gave rise to the risk no longer exists) or the risk has reached its target level and no outstanding actions remain. Risk closure is decided at the Executive meeting following the process shown in appendix 2.

There are two categories for closed risk which determine the level of ongoing review.

Risk Closed: Risk still exists but is within target level. These risks will be reviewed once a year to ensure they remain at the target level.

Risk Closed: Risk no longer applies. These risks will not be subject to further review.

Appendix 1 Risk Scoring Guidance

Table 1: Impact Descriptions

Rating: 1 - NEGLIGIBLE, 2 - MINOR, 3 - MODERATE, 4 - MAJOR, 5 - CATASTROPHIC

Clinical Safety (Including equipment)
- 1: No risk of harm in line with national guidance.
- 2: Small risk of minor harm. Guidance not regularly reviewed.
- 3: High risk of harm, possibly serious. Guidance insufficient / poor training.
- 4: Serious risk of harm possibly leading to loss of life. Investigation resulting in loss.
- 5: Potential to cause one or a number of fatalities. Compliance breach, causing serious fine, investigation, legal action.

Reputation
- 1: External Partners not impacted or aware of problem.
- 2: Some external Partners aware of the problem, but impact on Partners is minimal.
- 3: Significant numbers of external Partners aware of problems.
- 4: Reputation damage extends to include Partners and Third parties.
- 5: Due to our action, Partners and Third parties suffer major loss or cost.

Media Attitude
- 1: No adverse media or trade press reporting.
- 2: Routine sniping at public services.
- 3: Critical article in press or TV. Public criticism from industry body.
- 4: Story in multiple media outlets and / or national TV main news over more than one day.
- 5: Governmental or comparable political repercussions. Loss of confidence by public.

Regulatory Action
- 1: High compliance standards recognised.
- 2: Oral comments received.
- 3: Findings in written examination report.
- 4: Multiple or repeat violations.
- 5: Action brought against for significant violation. Very large penalty / fine.

Legal Action
- 1: Unsupported threat of legal action.
- 2: Legal action with limited potential for decision against.
- 3: Probable settlement out of court.
- 4: Legal action against CCG for major violation with limited opportunity for quick settlement.
- 5: Actions brought against CCG for significant violation.

Health and Safety
- 1: Minimal effect on staff.
- 2: Potential for minor harm or intruding into normal non-working time.
- 3: Incident requiring hospital treatment for more than one member of staff. Intrusion into normal non-working time.
- 4: Significant injuries, potential death. Major intrusion into staff's time.
- 5: Deaths and / or major effect on staff lives.

Criminal
- 1: High control standards maintained and recognised.
- 2: Attempted unsuccessful access to operation systems; minor operational information leaked or compromised.
- 3: Logical or physical attack into operational systems. No loss of private confidential data.
- 4: Police investigation launched. Potential loss of confidential data.
- 5: Major successful fraud; prosecution brought against for significant failure; loss of confidential data.

Finance
- 1: < or = 2% of Free Reserves*
- 2: > 2% - 5% of Free Reserves
- 3: > 5% - 10% of Free Reserves
- 4: > 10% - 25% of Free Reserves
- 5: > 25% of Free Reserves

Regulatory / Healthcare Industry Status
- 1: No or little change to regulation in recent history / near future.
- 2: Limited recent or anticipated changes.
- 3: Modest changes recently or anticipated.
- 4: Significant changes to industry.
- 5: Major complex changes to industry.

Table 2: Likelihood Description

- 1 - RARE: This will probably never happen / recur. Likelihood percentage: 0-5%. Example of loss event frequency: 5 years or less frequently.
- 2 - UNLIKELY: Do not expect it to happen / recur but it is possible it may do so. Likelihood percentage: 5-10%. Example of loss event frequency: Once every 2-5 years.
- 3 - POSSIBLE: Might happen or recur occasionally. Likelihood percentage: 10-25%. Example of loss event frequency: Once every 1-2 years.
- 4 - LIKELY: Will probably happen / recur but it is not a persisting issue. Likelihood percentage: 25-75%. Example of loss event frequency: Every 6-12 Months.
- 5 - ALMOST CERTAIN: Will undoubtedly happen / recur, possibly frequently. Likelihood percentage: %. Example of loss event frequency: At least every 6 Months.

Risk scoring and grading:
- Define the risk(s) explicitly in terms of the adverse impact that might arise from the risk.
- Use Table 1 to determine the Impact score for the potential adverse outcome(s) relevant to the risk being evaluated.
- Use Table 2 to determine the Likelihood score for those adverse outcomes. Score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome, or assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project or a patient care episode. If a numerical probability cannot be determined, use the likelihood descriptions to determine the most appropriate score.
- Calculate the risk score by multiplying the Impact by the Likelihood: Impact x Likelihood = Risk Profile

* Table 1 - Financial Reserve = The CCG's financial headroom, which is made up of:
- Forecast outturn compared to plan,
- Uncommitted transformation reserves,
- Uncommitted contingency reserves, and
- Any other uncommitted reserves.

Appendix 2 Risk Reporting Arrangements

Each discussion forum is listed with its reporting requirements.

Governing Body
Reporting via the Governance Report:
- Strategic Risk Register,
- Risk Controls and Assurance Dashboard - Primary Risks only (rating 16+).

Governance and Audit Committee
Reporting via the Risk Profile Report:
- Strategic Risk Register,
- Risk Controls and Assurance Dashboard - Principal Risks only (rating Amber 12+),
- Provided summary of decisions made at Executive Meeting (including new risks and mitigated risks).

Quality Committee
- Reporting of updates related to specific risk areas via the Quality Committee update report to the Governance and Audit Committee,
- Updates reported to Head of Risk Management via Quality Team.

Executive Meeting
Reporting updates with regards to:
- Strategic Risk Register,
- Risk Controls and Assurance Dashboard.
Executive Team agree new risks and closure of mitigated risks.

Team/Directorate Meetings
- Risks discussed at team/directorate meetings,
- All updates provided to Head of Risk Management, who holds master copies which inform the reports to the Executive Team, Governance and Audit Committee, and the Governing Body.

Appendix 3 Equality Impact Assessment Stage 1 Screening

1. Policy EIA Completion Details
Title: Risk Management Procedure Guidance
Proposed / Existing
Date of Completion: 30 October 2014
Review Date: October 2016
Names and Titles of staff involved in completing the EIA:
- Sarah Feal, Company Secretary
- Jas Dosanjh, Head of Risk Management

2. Details of the Policy. Who is likely to be affected by this policy?
Staff / Patients / Public

3. Impact on Groups with Protected Characteristics
Columns: Probable impact on group? (High, Medium or Low) / Positive / Adverse / None
- Age
- Being married or in a civil partnership
- Disability (inc. learning difficulties, physical disability, sensory impairment)
- Having just had a baby or being pregnant
- Race (inc. ethnicity, nationality, language)
- Religion or belief
- Sex (inc. being a transsexual person)
- Sexual Orientation
- Other: No impact on any of the groups above. (Please explain and provide evidence)

4. Which equality legislative Act applies to the policy?
- Human Rights Act 1998
- Equality Act 2010
- Health and Safety Regulations
- Mental Health Act 1983
- Mental Capacity Act

5. How could the identified adverse effects be minimised or eradicated? (Please explain your answer)
N/A

6. How is the effect of the policy on different Impact Groups going to be monitored?
N/A

Appendix 4 Privacy Impact Assessment Stage 1 Screening

1. Policy PIA Completion Details
Title: Risk Management Procedure Guidance
Proposed / Existing
Date of Completion: 30 October 2014
Review Date: October 2016
Names and Titles of staff involved in completing the EIA:
- Sarah Feal, Company Secretary
- Jas Dosanjh, Head of Risk Management

2. Details of the Policy. Who is likely to be affected by this policy?
Staff / Patients / Public

Screening questions (Yes / No; please explain your answers):

Technology
- Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)

Identity
- By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)
- By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?

Multiple Organisations
- Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

Data
- By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

If Yes to any of the above, have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?
N/A


More information

South Lanarkshire College Risk Management Policy and Procedures

South Lanarkshire College Risk Management Policy and Procedures 1. Purpose This policy and its procedures detail and communicate the College s approach to risk management. 2. Policy Statement South Lanarkshire College will effectively manage risk, taking all reasonable

More information

Auckland Transport HS03-01 Risk and Hazard Management

Auckland Transport HS03-01 Risk and Hazard Management Auckland Transport HS03-01 Risk and Hazard Management (Procedure uncontrolled when printing) Relating to Standard: HS03 Risk and Hazard Management Standard December 2016 Health and Safety-Procedure-HS03-01

More information

RISK MANAGEMENT POLICY. Head of Corporate Development and Change. Policy owners

RISK MANAGEMENT POLICY. Head of Corporate Development and Change. Policy owners POLICY RISK MANAGEMENT Policy owners Policy holder Author Head of Corporate Development and Change Risk and Policy Manager Head of Corporate Development and Change/ Programme Manager/ Risk and Policy Manager

More information

Risk Management at Central Bank of Nepal

Risk Management at Central Bank of Nepal Risk Management at Central Bank of Nepal A. Introduction to Supervisory Risk Management Framework in Banks Nepal Rastra Bank(NRB) Act, 2058, section 35 (a) requires the NRB management is to design and

More information

Risk Management Strategy Highland Council Pension Fund

Risk Management Strategy Highland Council Pension Fund Risk Management Strategy Highland Council Pension Fund Approved Pensions Committee 9 August 2018 3 1. Introduction 1.1 Risk management is a key element of Corporate Governance and the Highland Council

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Approved by Governing Authority February 2016 1. BACKGROUND 1.1 The focus on governance in corporate and public bodies continues to increase. It resulted in an expansion from the

More information

Policy Number: 040 Risk Management August 2018

Policy Number: 040 Risk Management August 2018 Policy Number: 040 Risk Management August 2018 Policy Details 1. Owner Manager, Business Services 2. Compliance is required by Staff, contractors and volunteers 3. Approved by The Commissioner 4. Date

More information

M_o_R (2011) Foundation EN exam prep questions

M_o_R (2011) Foundation EN exam prep questions M_o_R (2011) Foundation EN exam prep questions 1. It is a responsibility of Senior Team: a) Ensures that appropriate governance and internal controls are in place b) Monitors and acts on escalated risks

More information

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK ANNEXURE A ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK CONTENTS 1. Enterprise Risk Management Policy Commitment 3 2. Introduction 4 3. Reporting requirements 5 3.1 Internal reporting processes for risk

More information

Topic RISK MANAGEMENT Procedure Category Risk Management Updated 07/2011

Topic RISK MANAGEMENT Procedure Category Risk Management Updated 07/2011 Topic RISK MANAGEMENT Procedure 07.01 Category Risk Management Updated 07/2011 RELATED POLICIES, PROCEDURES AND FORMS Policies Procedures Forms Risk Management Policy Code of Conduct Public Interest Disclosure

More information

Goodman Group. Risk Management Policy. Risk Management Policy

Goodman Group. Risk Management Policy. Risk Management Policy Goodman Group Contents 1. Overview... 3 1.1 Introduction... 3 1.2 Objectives of the... 3 1.3 Application... 3 1.4 Operative Provisions... 4 2. Risk Management... 5 2.1 Overview of Risk Management... 5

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Guidance Paper No. 2.2.6 INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES OCTOBER 2007 This document was prepared

More information

RISK AND OPPORTUNITY ASSESSMENT GUIDE RISK CRITERIA

RISK AND OPPORTUNITY ASSESSMENT GUIDE RISK CRITERIA RISK AND OPPORTUNITY ASSESSMENT GUIDE RISK ASSESSMENT GUIDE TABLE OF CONTENTS 1. PURPOSE... 3 2. SCOPE... 3 3. RELATED DOCUMENTS... 3 4. PROCEDURE... 3 5. RISK MANAGEMENT PROCESS... 3 6. STEP 1 RISK ANALYSIS...

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Version: 3 Board Endorsement: 11 January 2014 Last Review Date: 3 January 2014 Next Review Date: July 2014 Risk Management Policy 1 Table of Contents 1 Introduction... 3 2 Overview...

More information

Governing Body Assurance Framework and Risk Register

Governing Body Assurance Framework and Risk Register Title of paper: Governing Body Assurance Framework and Risk Register Meeting: Governing Body, 231 st January 2014 Author: email: Exec Lead: Justin Dix, Governing Body Secretary justin.dix@surreydownsccg.nhs.uk

More information

Risk Management Policy (v7.0)

Risk Management Policy (v7.0) Risk Management Policy (v7.0) VERSION HISTORY Rev No. Date Revision Description Approval 0 19 November 1998 Risk Management Policy Prepared by: Manager Internal Audit 1.0 March 2007 Risk Management Policy

More information

Practical aspects of determining and applying a risk appetite for SMEs

Practical aspects of determining and applying a risk appetite for SMEs Practical aspects of determining and applying a risk appetite for SMEs By Tim Timchur acis, Director, ActivePro Consulting Pty Ltd Important to determine appetite for risk before determining what risk

More information

Fundamentals of Project Risk Management

Fundamentals of Project Risk Management Fundamentals of Project Risk Management Introduction Change is a reality of projects and their environment. Uncertainty and Risk are two elements of the changing environment and due to their impact on

More information

Risk management procedures

Risk management procedures Purpose and scope In accordance with the BizOps Enterprises risk management policy, these procedures describe the organisation s standard process for risk management, including: 1. Risk identification

More information

Risk Management Policy

Risk Management Policy Risk Management Policy October 2014 Risks 1. Risks can be identified under four principal headings a. Financial risks b. Strategic Risks c. Operational Risks, and d. Hazard Risks 2. These are either externally

More information

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC.

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC. 1. Purpose: 1.1. Pedernales Electric Cooperative ( PEC ) is committed to delivering low-cost, reliable and safe energy solutions for the benefit of our members. In order to improve the likelihood of achieving

More information

Risk Management. Webinar - July 2017

Risk Management. Webinar - July 2017 Risk Management Webinar - July 2017 Compiled by: Raaghieb Najjaar, Yaeesh Yasseen & Rashied Small Adapted and Facilitated by: Professor Enslin J. van Rooyen Risk Management - June 2017 2 Defining Risk

More information

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Objectives and Key Requirements of this Prudential Standard Effective risk management is fundamental to the prudent management

More information