Risk Management Strategy and Standard Operating Procedure

Transcription

1 Risk Management Strategy and Standard Operating Procedure Document Status Equality Impact Assessment Draft Completed no impact Document Ratified/Approved By Date Issued Date To be Reviewed Distribution Author TBC December 2014 All Staff Debra Elliott Senior Governance Manager Version Version 2 North of England Commissioning Support Unit Reference No Location TBC TBC

2 Section Content Page number 1. Introduction 3 2 Definitions 3 3 Approach to Risk Management: Principles, Aims and Objectives 4 4 Roles and Responsibility for Implementation 5 5 Approach to Risk Management and Assessment 7 6 Distribution and Implementation 8 7 Training Plan 8 8 Monitoring 9 9 Equality and Diversity 9 10 Associated Documents 9 Appendices 1 Further risk management definitions 10 2 Safeguard Incident Risk Management System Risk register Standard Operating Procedure 3 Risk management strategy and Standard Operating Procedure Work Plan

3 1. Introduction 1.1 This strategy and related risk register standing operating procedure (SOP) sets out the approach and arrangements for management within the South Tees Clinical Commissioning Group (CCG) 1.2 The principles are consistent with those within the NHS England s Risk Management Strategy and Risk Management Policy and Procedure issued in July This strategy sets out the CCG approach to risk and the management of risk in fulfilment of its overall objectives. In addition, the adoption and embedding within the organisation of an effective risk management framework and processes will ensure that the reputation of the CCG is maintained and enhanced, and its resources are used effectively to ensure business success, continuing financial strength and to ensure continuous quality improvement in its operating model. 1.4 As part of this strategy it is also acknowledged that not all risks can be eliminated. Ultimately it is for the organisation to decide which risks it is prepared to accept based on the knowledge that an effective risk assessment has been carried out and the risk has been reduced to an acceptable level as a consequence of effective controls. 1.5 At its simplest, risk management is good management practice and risk assessment provides an effective management technique for managing the organisation (through the identification of risks and the development of mitigating action). Through this strategy and SOP the CCG is keen to ensure that risk management is not seen as an end in itself, but rather a part of an overall management approach that supports the organisation in developing achievable management action plans. 2. Definitions The strategy and SOP are based on the following definitions: Risk is the chance that something will happen that will have an impact on the achievement of the CCG objectives. It is measured in terms of likelihood (frequency or probability of the risk occurring) and consequence (impact or magnitude of the effect of the risk occurring). Risk Management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk. Risk Assessment is the process used to evaluate the risk and to determine whether precautions are adequate or more should be done. The risk is compared against predetermined acceptable levels of risk. Further definitions of terms are set out in Annex 1. 3

4 3 Approach to Risk Management: Principles, Aims and Objectives 3.1 This strategy sets out the CCG s approach to the way in which, in general terms, risks are managed. This will be achieved by having a thorough process of risk assessment in place. This will provide a useful tool for the systematic and effective management of risk and will inform and guide staff as to the way in which all significant risks are to be controlled. 3.2 The aims of the strategy are summarised as follows: to ensure that risks to the achievement of CCG s objectives are understood and effectively managed; to maintain a risk management framework to assure the Governing Body that strategic and operational risks are being effectively managed; to ensure that risk management is a cohesive element of the internal control systems within the CCG s corporate governance framework; to ensure that risk management is an integral part of the CCG culture and its operating systems; to ensure that the CCG meets its statutory obligations including those relating to health and safety and data protection, and to assure all stakeholders, staff and partner organisations that the CCG is committed to managing risk appropriately. 3.3 In order to achieve these aims the CCG is committed to ensuring that: risk management is embedded as an integral part of the management approach to the achievement of objectives; the management of risk is seen as a collective and individual responsibility, managed through the agreed committee and management structures; patient feedback, complaints and staff feedback are used as an integral part of the approach to risk management; risk management support, training and development will be provided by the Commissioning Support Unit governance team; a training needs analysis will be undertaken to identify staff members affected by the roll out of the strategy. Based on the findings of the analysis a risk management training programme will be put in place; and risk management guidance will be provided to all staff. 4

5 4. Roles and Responsibility for Implementation of the Risk Management Strategy and SOP. The following staff have specific responsibilities with regards to risk management: 4.1 The Chief Officer has overall responsibility for ensuring the effective implementation of this strategy and SOP. 4.2 The Chief Finance Officer is the nominated lead for co-ordination of governance and risk management throughout the CCG. 4.3 Officers (including commissioning support staff) will: be familiar with the main risks in their area of activity, leading the management of risks where required; ensure the processes for managing risk within services/teams are clearly understood by managers, appropriately delegated and effective. and ask for feedback from managers about risk assessments relevant to their portfolio and team(s); carry out further risk assessment to determine if the risk is common across the service/ccg teams; in conjunction with the wider team, determine the level of risk and required actions to eliminate or control the level of risk and report back to the team any progress and outcome in relation to action agreed. 4.4 All staff risk management is everyone s responsibility and all staff must be familiar with the main risks in their area of activity. All staff must work within the guidance of the Risk Register SOP - see Appendix 2 for full guidance. 4.5 The Commissioning Support Unit, working with and on behalf of the CCG, will: provide advice to ensure consistency in grading risks to identify the level of priority required in addressing risks; support staff throughout the risk assessment process as outlined in the SOP; support and monitor the implementation of CCG risk registers. collate and analyse data showing trends and patterns and generate appropriate reports as agreed within the CCG risk management portfolio; support the development and reporting of the Governing Body Assurance Framework and Annual Governance Statement working closely with the Chair, lay members and other Governing Body members to ensure strategic risk is accurately reflected and managed. 4.6 The CCG has developed clear lines of accountability with defined responsibilities and objectives, the risk management reporting committees are outlined below: The Governance and Risk Management Committee is responsible for reviewing and providing verification on the systems in place across the CCG for governance and risk management including internal control. 5

6 The Quality, Performance and Finance Committee is responsible for ensuring that risks to the delivery of the principles of patient safety, quality, safeguarding, performance and finance are identified, addressed and reported to the Governing Body as appropriate. The Audit Committee is responsible for ensuring that organisational risk management systems and processes are in place. The Remuneration Committee advises the Governing Body regarding appropriate remuneration and terms of service for the Accountable Officer and other senior employees. The Governing Body monitors high level, principal risks relating to the achievement of the strategic objectives through the Governing Body Assurance Framework. Governance infrastructure enabling effective risk management: Supporting working groups as required 4.7 The Governance and Risk Management Committee is chaired by the Chief Finance Officer and has overall responsibility for overseeing the implementation of this strategy and SOP. The committee will also: review all risks on the risk register and monitor progression of stated action on a bi monthly basis; review trend analysis for all risks; ensure the established processes to manage risk by each team is in place and provide support for action where necessary; ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective, and escalate issues to the Governing Body as appropriate, in particular the identification of new significant risks or areas of concern of risks graded high or extreme. 4.8 The members of the Executive Group will: maintain awareness of the main risks facing the organisation; take ownership where relevant of principal (strategic) risks that pose a threat to the achievement of strategic objectives and ensure appropriate action is taken to mitigate and manage risks ensuring 6

7 regular updates to the Governing Body through contributing to the Assurance Framework; review all Extreme and High risks on a monthly basis; take or delegate ownership, where relevant, of risks that pose a threat to the achievement of objectives or the business of the CCG and ensure appropriate action is taken to mitigate and manage risks ensuring regular updates are added to the risk register; ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective. 4.9 Significant CCG projects/work streams require project / programme leads to ensure there are arrangements in place to develop, maintain and regularly review a project risk register to ensure effective management of risk. Red risks (graded as extreme or high) should be escalated to the CCG risk register if they are likely to impact on the CCG strategic objectives Assurance Framework The CCG will produce and maintain a Governing Body Assurance Framework (AF). The AF forms part of the overall governance arrangements of the CCG and is a key component of the organisation s internal control arrangements. The AF forms a significant part of the assurance given by the Accountable Officer in the Annual Governance Statement. It will be prepared at the start of each financial year when the CCG s strategic objectives are known. It should be prepared with the involvement of senior leaders, reviewed by the committee with oversight for it (e.g. the Governance and Risk Committee) on a regular basis and the Audit Committee. It will also be approved and reviewed by the Governing Body at least six monthly. 5. Approach to Risk Management and Assessment 5.1 Definition of Risk 5.2 Types of risks to be managed Examples of the types of risk that the CCG might encounter and need to mitigate against include: corporate risks operating within powers, fulfilling statutory responsibilities and ensuring accountability; reputational risks associated with quality of services, communication with customers, staff and stakeholders; financial risks associated with achievement of planned surpluses, reduction in costs and revenue growth; environmental risks including health and safety ensuring the wellbeing of staff and visitors whilst using CCG premises; 7

8 strategic risk - a significant risk that will impact organisation wide and not just upon a function or team, and operational risk - a key risk, which impacts on a team s operational achievement. 5.3 Assessment of Risk Whenever risks have been identified it is important to assess and record the risk so that appropriate controls are put in place to eliminate the risk or mitigate its effect. To do this a CCG risk register has been developed with an aligned risk register SOP. The SOP has been developed based on current national guidance - see Appendix 1 Safeguard Incident Risk Management System (SIRMS) South Tees CCG Risk Register SOP By all staff using the CCG risk register SOP it will ensure that risk assessments are undertaken in a consistent manner using agreed definitions and evaluation criteria. Additionally, this will allow for comparisons to be made between different risk types and for decisions to be made on the resources needed to mitigate the risk Risks are assessed in terms of the likelihood of occurrence and the consequences of impact. In order to arrive at an overall risk rating of the residual risk, the risk is rated to take account of the effectiveness of the controls, i.e. whether they are considered to be satisfactory, have some weaknesses or to be weak. This then provides the overall residual risk rating. Once the residual risk rating is determined an action plan identifying further mitigating action is put in place For each risk that is not adequately controlled, an action plan to reduce or eliminate the risk is required. The implementation of the action plan and residual risk assessment must be kept under review, to assess whether planned actions have reduced or eliminated the risk as expected Any risk that is identified through the risk assessment process and which the CCG is required legally to report will be reported accordingly to the appropriate statutory body, e.g. Health and Safety Executive or Information Commissioner. 5.4 Risk Appetite South Tees CCG endeavours to reduce risks to the lowest possible level that is reasonably practicable. All risks can be avoided, transferred or retained. Where risks cannot reasonably be avoided, every effort will be made to mitigate the remaining risk. 5.5 Risk Tolerance The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risks scored as 12 or above should be escalated to a senior manager and the Governance and Risk Committee for review and monitoring and reported to the Governing Body quarterly. Low, moderate & high risks will be managed and monitored at team level, any risks of concern even if not scoring as an 8

9 extreme risk can be highlighted to the Governance and Risk Committee for escalation to the Governing Body. 6. Distribution and Implementation 6.1 This strategy and risk register SOP will be made available to all staff via CCG internal communications. 6.2 Notifications of strategy and SOP changes will be shared via internal CCG communications. 6.3 Any further guidance will be provided via the CSU governance team. 7. Training Plan 7.1 Risk management training will be provided to all executive members on an annual basis. 7.2 A training needs analysis will be undertaken by the CSU Senior Governance Manager (lead for Risk Management). 7.3 Based on the findings of that analysis, a CCG risk management training plan will be developed for staff. 8. Monitoring 8.1 The Governance and Risk Committee will review the strategy and SOP annually and the Governing Body Assurance Framework on a quarterly basis and function / team risk registers on a bi monthly basis 8.2 Senior leads will ensure that teams review their risk registers on a monthly basis (or within individually agreed review times). 9. Equality Impact Assessment 9.1 This document has been developed in line with NHS England s commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age religious or other belief, marriage or civil partnership, gender reassignment and pregnancy and maternity) as well as to promote positive practice and value the diversity of individuals and communities. 9.2 As part of its development this document s impact on equality has been analysed and no detriment identified. 10. Associated documentation 10.1 POL Risk Management Strategy 10.2 POL 1000 Risk Management: Policy and Procedure 9

10 10.3 POL 1002 Health & Safety: Policy & Corporate Procedures 10.4 POL 1003 Incident management: Policy & Corporate Procedures 10.5 POL Business Continuity Policy: Policy & Corporate Procedures 10

11 Appendix 1 Definitions Action plan Assurance Framework (AF) Consequence Control Directorate risk register External assurance Gaps in controls or assurances Impact Issue Likelihood How the identified gap is to be addressed and how the risk is to be diminished. The AF is an integral part of the system of internal control and defines the significant potential risks which may impact on delivery of the organisation priorities. It also summarises the controls and assurances that are in place, or are planned, to mitigate against them. Gaps are identified where key controls and assurances are insufficient to reduce the risk of non-delivery of objectives. This enables the governing body to develop and subsequently monitor an assurance action plan for closing the gaps. This is a numerical value from one to five (five = catastrophic) for the impact that a risk may have on the organisation or individual, and may be physical, financial, reputational etc. The control of risk involves taking steps to reduce the risk from occurring such as application of policies or procedures. The directorate risk register is a summary of the risks identified through internal processes. External evidence that risks are being effectively managed (e.g. planned or received audit reviews). Where an additional system or process is needed, or evidence of effective management of the risk is lacking. A measure of the impact that the predicted harm, loss or damage would have on the people, property or objectives affected. A relevant event that has happened was not planned and requires action. It can be any concern, query and request for change. A measure of the probability that the predicted harm, loss or damage will occur. This is a numerical value from one to five (five = almost certain) for the potential of the risk to be realised. Management assurance/actions What are we doing to manage the risk and how this is evidenced? Sources of information used to ascertain whether controls are working or not. Examples include minutes of meetings, internal or external audit reports, survey results and reports to the Executive Group 11

12 Operational risks Risk appetite Residual risk Risk Risk assessment Risk management Risk owner Risk tolerance Strategic risks A key risk that impacts on individual directorate operational achievement. Operational risks are managed locally within the directorate and are the responsibility of the appropriate Director /Senior Manager. The organisation s unique attitude towards risk taking that, in turn, dictates the amount of risk that it considers is acceptable. The risk remaining after the risk response has been applied. An uncertain event or set of events that, should it occur, would have an effect on the delivery of objectives. It is measured in terms of consequence and likelihood. The process used to evaluate the risk and to determine whether precautions are adequate or more should be done to mitigate the risk. The risk is compared against predetermined acceptable levels of risk. The systematic application of management policies, procedures and practices to the task of identifying, analysing, assessing, treating and monitoring risk. A named individual who is responsible for the management, monitoring and control of all aspects of a particular risk assigned to them. The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risks scored as 12 or above should be escalated to a senior manager for review at Executive Group for review and monitoring. A significant risk that has the potential to impact across the organisation. These risks have been mapped to the business plan objectives and will be presented to the Governing Body in the AF. 12

13 Appendix 2 SIRMS Safeguard Incident & Risk Management System Standard Operating Procedure Risk Register South Tees CCG Version 12 Review date: 31/03/

14 Contents General points Accessing the web-based risk register How to add a new risk Entering a risk Select organisation s risk register Directorate Date of risk Source of risk Description of risk Strategic/Operational Risks Corporate objective Risk Co-ordinator Risk Owner and Responsible Director Responsible committee Initial risk rating Controls and assurances Action plans Risk updates Review details Residual risk rating Closing a risk Risk register reports Appendix 1 Risk assessment and escalation process Appendix 2 Describing a risk Appendix 3 New Risk Form

15 General points Users are responsible for familiarising themselves with their duties for risk management as laid out in the CCG risk management strategy. Access rights Access will only be set up for nominated staff. Security access levels will be set by the governance team as specified by CCG risk lead. Assessing risks Risks should be assessed according to the Risk assessment and escalation process procedure (Appendix 1) using the NPSA risk matrix. Consequence Likelihood Negligible Minor Moderate Major Catastrophic 5 Almost Certain Likely Possible Unlikely Rare Printing reports The system allows for both single risk reports which provide all the details logged against a single risk and also a full risk register report. The content of these reports is fixed, however it is possible for the NECS governance team to design other reports on an ad hoc basis that can be scheduled to run and be forwarded to users automatically on a periodic basis. Accessing the web-based risk register To access SIRMS (Safeguard Incident and Risk Management System) go to or you should log into the system with the username and password you log into your computer with. If you require access to the risk register, a request should come from your nominated risk co-ordinator, to NECSU.riskmanagement@nhs.net This document, along with other relevant risk management guidance, can be accessed via the CCG..TBC. And for NECS staff via NECS Intranet site under Risk and Assurance in the Governance section. 15

16 Once signed in, open the Risk module here. How to add a new risk To add a new risk click here You will then be asked to decide whether the new risk is Extreme (risk score 15 to 25) or Low, Moderate, High (risk score 01 to 12). Select Extreme or Low, Mod, High risk. Extreme Risks are those rated 15 to 25 which have the potential to impact adversely on the organisation s ability to deliver its corporate (strategic) objectives 16

17 Entering a risk The system will assign a sequential number that should be used to identify the risk. The sequence runs across all the organisations that are using SIRMS. To change risk level: use drop down option before saving. If you change after saving, you will need to provide a reason for escalation/de-escalation. A new version must be created BEFORE existing risks are updated. The orange fields are mandatory sections that must be completed. The risk reference number will not appear until you have saved these details. 17

18 Select organisation s risk register Select your CCG from drop down list: this will assign the risk to the correct risk register Directorate Select CCG lead responsible for the risk. Select CCG Director responsible for the risk. 18

19 Date of risk This is the date the risk was first identified. The default date will always be the current date, to change, use drop down calendar. Source of risk The source of the risk identifies how you became aware of the risk, i.e. through national guidance, through a reported incident, complaint etc. 19

20 Description of risk The risk cause, event and effect allow you to describe the risk in detail. Take care to describe the consequence of a risk rather than the cause. E.g. management of staff sickness is not a risk, but failure to deliver a high quality service due to inability to manage staff sickness effectively would be. See Appendix 2 for further guidance. Strategic/Operational Risks Identify whether the risk is strategic or operational or Click on the drop down arrow and select the type of risk here. both. Choose your organisation from drop down list. (Please note this field ties the organisation to its corportate objectives.) 20

21 Select South Tees CCG 21

22 Corporate Objectives From the list of your CCG objectives, select one that the risk affects. Risk co-ordinator Select the risk co-ordinator for your team/ccg from drop down list Risk owner and responsible director Type the surname in and the relevant person will be found please note, you have to click on the name to select them. If the name does not appear in the system please contact 22

23 Responsible Committee Select the committee that is responsible for monitoring risk from drop down list. Initial Risk rating Apply the initial risk rating. This is the score that is given to the risk before controls have been applied. Either select the score from the table, or use the drop down boxes. See How to assess risk in appendix 1. Click save after completing initial risk rating. You will now need to save the risk before you can complete the rest of the form. If you have not completed all of the mandatory (orange) fields, you will not be able to save. 23

24 Controls and Assurances Please enter any control measures already in place as well as any new ones that will be implemented to manage the risk. For example in the case of a litigation risk, you could list Claims Procedure or Claims handling service provided by NECS as part of the existing control framework. To add a control choose New Complete details, selecting level of effectiveness of the control from drop down box. Then go to Action Plan To add a new action, click new 24

25 Action plans Click on the Action Details tab and complete If you are updating actions, click on the Progress tab and complete section. 25

26 Risk Updates NB: A new version should be created with each update in order to ensure that the movement of the risk is captured. Risks should be reviewed and updated on a regular basis and the frequency of review should be considered when assessing the risk. Every time an update is conducted you should make a note in this section of the date the risk was reviewed and by whom. The process should involve: Create new version (either by changing the risk level or clicking on new version ). Provide assurances on control measures. Review and update the action plan. Reassess and apply the residual risk score (this is score following implementation of control measures). Enter the actual date of review and by whom. 1. If you change the risk level, SIRMS will automatically create a new version. 2. If risk level to remain unchanged click here to add new version. 3. Information box click ok. N.B. if you know that the risk level is going to change (from Extreme to Low, Moderate, High or vice versa), change this first as this will automatically create a new version number, however if the risk level is to remain the same then please click on New Version. 26

27 Review details Describe what has been updated: controls and assurance; action plan; review frequency; residual risk rating. This section can also highlight suggested actions, such as discussing at a committee or recommended closure of the risk. New risks see Appendix 3 for new risk form. When entering a new risk, select from drop down list how often it is to be To add review details (i.e. date of review, reviewer and details of the fields that have been updated) click new. The next review date will be displayed this is dependent on the date entered when adding the review (update). Complete sections to record when the risk was reviewed and by whom. The details of the review should be a summary of what has been updated in this version i.e. assurance on controls, progress update in action plan, reduction in residual risk rating etc. You can also use this field to note if the risk is to be considered for removal. Residual risk rating This is the consequence and likelihood after the control measures have been applied. If the risk rating has changed following review, apply the residual risk rating score. Either select the score from the table, or use the drop down boxes. Please note changing the residual risk rating will not automatically change the risk level at the top of the screen. The risk level has to be changed manually. Remember changing the risk level will create a new version therefore it is best practice to change the risk level at the start of your update. See Risk assessment and escalation process in appendix 1. 27

28 Closing a risk Follow the steps to create a new version. Scroll down to the Controls and Assurances section, click on existing control measures and click on the Effectiveness drop down list, select Action Plan Completed Risk Removed. Scroll to the bottom of the page and select Closed from options: You can then select a reason for closing the risk. 28

29 Risk register reports Whatever is highlighted in this window will be the report that is generated. To print a report there are 2 options. Click on Print from top ribbon then: Single report Register style report Choose the type of report then click print. This will generate a PDF copy of the report. As the system is developed, more reports will become available. 29

30 Appendix 1 Risk assessment and escalation process Step 1: Determine the consequence score This is offered as guidance when completing a risk assessment, either when an incident has occurred or if the consequence of potential risks is being considered. Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. Note consequence will either be negligible, minor, moderate, major or catastrophic. Table 1: Consequence score Consequence score (severity levels) and examples of descriptors Domains Negligible Minor Moderate Major Catastrophic Impact on the safety of patients, staff or public (physical/psychol ogical harm) Minimal injury requiring no/minimal intervention or treatment. No time off work Minor injury or illness, requiring minor intervention Requiring time off work for >3 days Increase in length of hospital stay by 1-3 days Moderate injury requiring professional intervention Requiring time off work for 4-14 days Increase in length of hospital stay by 4-15 days RIDDOR/agency reportable incident An event which impacts on a small number of patients Major injury leading to long-term incapacity/disability Requiring time off work for >14 days Increase in length of hospital stay by >15 days Mismanagement of patient care with long-term effects Incident leading to death Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients Quality/complaints/a udit Peripheral element of treatment or service suboptimal Informal complaint/inquiry Overall treatment or service suboptimal Formal complaint (stage 1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Reduced performance rating if unresolved Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) complaint Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Major patient safety implications if findings are not acted on Non-compliance with national standards with significant risk to patients if unresolved Multiple complaints/ independent review Low performance rating Critical report Totally unacceptable level or quality of treatment/service Gross failure of patient safety if findings not acted on Inquest/ombudsman inquiry Gross failure to meet national standards 30

31 Human resources/ organisational development/staffi ng/ competence Statutory duty/ inspections Short-term low staffing level that temporarily reduces service quality (< 1 day) No or minimal impact or breech of guidance/ statutory duty Low staffing level that reduces the service quality Breach of statutory legislation Reduced performance rating if unresolved Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Low staff morale Poor staff attendance for mandatory/key training Single breach in statutory duty Challenging external recommendations/ improvement notice Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Loss of key staff Very low staff morale No staff attending mandatory/ key training Enforcement action Multiple breaches in statutory duty Improvement notices Non-delivery of key objective/service due to lack of staff On-going unsafe staffing levels or competence Loss of several key staff No staff attending mandatory training /key training on an on-going basis Multiple breaches in statutory duty Prosecution Complete systems change required Low performance rating Zero performance rating Adverse publicity/ reputation Rumours Potential for public concern Local media coverage short-term reduction in public confidence Elements of public expectation not being met Local media coverage long-term reduction in public confidence Critical report National media coverage with <3 days service well below reasonable public expectation Severely critical report National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House) Business objectives/ projects Finance including claims Service/business interruption Environmental impact Insignificant cost increase/ schedule slippage Small loss Risk of claim remote Loss/interruption of >1 hour Minimal or no impact on the environment <5 per cent over project budget Schedule slippage Loss of per cent of budget Claim less than 10,000 Loss/interruption of >8 hours Minor impact on environment 5 10 per cent over project budget Schedule slippage Loss of per cent of budget Claim(s) between 10,000 and 100,000 Loss/interruption of >1 day Moderate impact on environment Non-compliance with national per cent over project budget Schedule slippage Key objectives not met Uncertain delivery of key objective/loss of per cent of budget Claim(s) between 100,000 and 1 million Purchasers failing to pay on time Loss/interruption of >1 week Major impact on environment Total loss of public confidence Incident leading >25 per cent over project budget Schedule slippage Key objectives not met Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Claim(s) > 1 million Permanent loss of service or facility Catastrophic impact on environment 31

32 Step 2: Determine the likelihood Now determine what is the likelihood of the impact occurring. The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency. The frequency-based score will either be classed as rare, unlikely, possible, likely or almost certain. Table 2: Likelihood score Likelihood score Descriptor Rare Unlikely Possible Likely Almost certain Frequency How often might it/does it happen This will probably never happen/recur Do not expect it to happen/recur but it is possible it may do so Might happen or recur occasionally Will probably happen/recur but it is not a persisting issue Will undoubtedly happen/recur, possibly frequently Step 3: Assigning a risk rating Now apply the consequence and likelihood ratings to give you a risk rating for each of the risks you have identified. Calculate the risk rating by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score) Table 3: Risk rating = consequence x likelihood (C x L) Consequence Likelihood Negligible Minor Moderate Major Catastrophic 5 Almost Certain Likely Possible Unlikely Rare For grading risk, the scores obtained from the risk matrix are assigned grades as follows: 1-3 Low risk 4-6 Moderate risk 8-12 High risk Extreme risk Step 4: Assessing the effectiveness of the control(s) For each of the risks (and especially extreme and high risks) identify the controls that are in place. For example, in an operational setting and where an incident may have occurred, the controls may take the form of a policy, guideline, procedure or process, etc. For risks that have been identified as preventing achievement of organisational objectives then the control is likely to be a management action plan. 32

33 Review the control(s) for each of the risks and apply the following criteria; Satisfactory: Controls are strong and operating properly, providing a reasonable level of assurance that objectives are being delivered. Some Weaknesses: Some control weaknesses/inefficiencies have been identified. Although these are not considered to present a serious risk exposure, improvements are required to provide reasonable assurance that objectives will be delivered. Weak: Controls do not meet any acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved. Step 5: Determining the residual risk Taking into account the initial risk rating and the assessment of the effectiveness of the control together, you can now assess the residual risk that needs to be managed. The consequence and likelihood ratings should be applied, as in table 3 above. Step 6: Developing an action plan An action plan must be developed for all risks, regardless of the risk rating in order to record progress on control measures and who is responsible for carrying them out as the system is capable of generating automatic reminders to action owners. Step 7: Risk Management Action Guide Where risks have been identified and scored, more likely as a consequence of an incident, then the following escalation arrangements should be used. The table below provides a suggested action guide for the management of a risk: Risk Rating RAG Rating Action Level of Authority 25 Red Halt activities IMMEDIATELY and review status Red Significant probability that major harm will occur if control measures are not implemented URGENT action required. Director may consider limiting or halting activity 8-12 Amber Unacceptable level of risk exposure which requires constant monitoring and controls at Directorate level 4-6 Yellow Moderate probability of moderate harm if control measures are not implemented. Action in mediate term 1-3 Green The majority of control measures are in place. Harm severity is small. Action may be long term Warrants Chief Officers / Chief Finance Officers attention Warrants Chief Officers Chief Finance Officers attention Warrants Head of Service attention Warrants Head of Service/Senior Lead Attention Warrants manager attention 33

34 Appendix 2 Describing a risk In SIRMS, there are three fields in which to describe your risk; the risk cause, event and effect. These are mandatory fields and whilst details will be entered separately, when printed, they will appear in one field on the risk register, called description of risk. Example Risk Cause: Risk Event: Risk Effect: objectives) As a result of. (This is the trigger) There is a risk that.(this is what might happen) Which will result in.(this is the impact on the achievement of 34

35 Risk Register New Risk Risk Ref Leave blank Date Identified Responsible Director Name and job title Risk Owner Name and job title Risk Details Directorate/Function/Risk Type/Delivery Area Frequency of Review Source of Risk Risk Cause Description of Risk Risk Event Risk Effect Risk Assessment Matrix (please circle) Likelihood score Consequence score Rare Unlikely Possible Likely Almost certain 5 Catastrophic Major Moderate Minor Negligible Initial risk rating score: Risk for consideration to risk register? Yes No Control Details Controls (Current) Assurances on Controls (Progress/Evidence) Effectiveness of Controls Gaps in Control Controls & Actions Required Action Details Responsibility / Lead Target Date Form Completed By Name Job Title Contact Details Completed forms should be returned to: Your CCG Risk Co-ordinator 35

36 Risk Management Strategy and SOP reviewed by Governance & Risk Committee. Once agreed strategy and SOP to be sent to the Governing Body meeting for review and approval once approved to be published on CCG website Appendix 3 NHS South Tees CCG Risk Management Strategy and Standard Operating Procedure (SOP) Work Plan December 2013 What How Person Responsible By When Resources Required North of England Lead is NECS Governance Within 5 working days of Staff time and commitment Commissioning (NECS) Administrator working with policy approval governance team to CCG Corporate arrange for Strategy & Governance Risk Officer Within 5 working days of SOP to be uploaded and policy approval (or go live communication to go out of website) internally across the CCG. Ensure CCG and staff are aware of the new Strategy and SOP Targeted to CCG staff Raise at Team meetings Lead is CCG Corporate Governance Risk Officer Within 5 working days of policy approval Staff time and commitment Risk management training needs analysis to be undertaken and risk management training develop for review at Governance and Risk Committee CCG Risk management training today baseline review to be undertaken. Outcome Baseline review to be analyzed, training plan drafted and finalized for CCG review and internal comment. Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer February 2014 G&R committee meeting Staff time and commitment Risk register management and review All CCG risks to be subject to peer review and internal security. Outcome all risks on the CCG risk All relevant CCG staff Lead is NECS Senior Governance Manager working with CCG Twice a year January & July Staff time and commitment

37 What How Person Responsible By When Resources Required register will be live, well defined, have an agreed risk score and review target date and be aligned to a CCG strategic objective Corporate Governance Risk Officer CCG Risk management maturity assessment Governing Body (GB) Assurance Framework (AF) review and update CCG Risk Management Maturity Assessment to be developed and undertaken. Outcome CCG Risk Management Maturity Assessment Report to be prepared and presented to G&R Committee. The report would include results of assessment, findings and future recommendations to support enhanced risk management across the CCG. CCG AF to be reviewed in line with principal objectives & risks. Reviewing current controls and assurances All relevant CCG staff Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer All relevant CCG staff Lead is CCG Corporate Governance Risk Officer with support from NECS Senior Governance Manager. June 2014 February 2014 Staff time and commitment Staff time and commitment