Risk Management Procedure. Version Number: 6.0 Controlled Document Sponsor: Controlled Document Lead:

Transcription

1 Risk Management Procedure CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: PURPOSE Controlled Document Number: Procedure Governance To detail the procedure for the management of risk 419 Version Number: 6.0 Controlled Document Sponsor: Controlled Document Lead: Will this Controlled Document impact upon any contracts held by the Trust? Approved By: Director of Corporate Affairs Corporate Risk Lead Yes 1 No Director of Corporate Affairs On: November 2018 Review Date: November 2021 Distribution: Essential Reading for: Executive Directors, Divisional, Specialty and Department Managers, Risk Leads Information for: All staff 1 If this Controlled Document will have an impact on any contracts held by the Trust, once approved, this will need to be sent to the Procurement Team requesting that it be added to the Procurement Policy Portal Page 1 of 11

2 Risk Management Procedure All RED operational risks will be reviewed each month by the risk owner and any updates in relation to current level and progress of actions will be recorded. Approved RED operational risks will be reported on the Corporate risk register. GREEN and AMBER operational risks will be reviewed on a quarterly basis by the owner and any updates will be recorded. Where a risk cannot be managed within the available resource or within an agreed timescale i.e. the target score or the target date cannot be met, then the risk should be escalated to the next level of management. Strategic risk will be reviewed on a quarterly basis. Risks may be identified from various sources by Specialties and Departments. New risks will be notified to the appropriate risk lead. Strategic risks will be identified and managed by Executive Directors. 4. Review 1. Identify RISK 3. Manage 2. Assess Risks may be managed (Transfer, Tolerate, Treat or Terminate) by a Specialty, Division or Executive owner. Level and proximity of the risk should be considered in the monitoring of controls and development of a SMART action plan. Page 23 of 11 Assessment of risk is undertaken in terms of likelihood / consequence. This gives the risk a score and a level as follows: GREEN: 1, 2, 3, 4 or 5 (5x1) AMBER: 5 (1x5), 6, 8, 9, 10 or 12 RED: 15, 16, 20 or 25 The initial score (before any control activities are considered) should be recorded. The current score (with controls in place) should then be recorded. A risk with a current score that is RED must be presented to the appropriate Division or Executive for approval. A target score and date that reflects risk appetite should also be recorded.

3 1. Introduction 1.1. To ensure a systematic and consistent approach to Risk Management, University Hospitals Birmingham NHS Foundation Trust (the Trust) uses the Datix Risk Management system to ensure that Risks are recorded, managed, escalated and reported at the appropriate organisational level in a consistent manner. A guide on how to use this system is available on the Intranet. A Glossary of agreed terminology can be found in the associated Risk Management Policy Once a Risk is identified it must be documented on a Datix online Risk Assessment form, assessed and an action plan developed and implemented to reduce the Risk to an appropriate level. 2. Risk Management Procedure The Trust procedure for the effective management of Risk is made up of 4 sequential steps: I. IDENTIFY the Risk (see para 2.1) II. ASSESS the Risk (see para 2.2) III. MANAGE the Risk (see para 2.3) IV. REVIEW the Risk (see para 2.4) 2.1. IDENTIFY the Risk The Risk identification process must be both wide-ranging and comprehensive. Undertaking a Risk Assessment can be subjective and will involve using professional judgment about what constitutes a Risk. Identifying Risk involves thinking about the objectives of the service(s) provides and considering the following questions: What service does the Department/Speciality/Division provide? Who is the service delivered to? Who undertakes the activity? When is the service provided? Where is the service delivered? Is there any information available which could threaten the Trust s ability to deliver the service? Page 3 of 11

4 Appendix C in the associated Risk Management Policy identifies common sources of internal and external information that may help to identify Risks Any new Risk must be discussed with the relevant Risk Lead who will be responsible for confirming the appropriate Risk Owner within the Specialty, Department, Division or Executive. Advice on the Risk Lead role can be found at Appendix A and further details obtained from the Clinical and Corporate Governance Teams ASSESS the Risk Having identified and described the Risk, the next step is to assess the Risk. This allows for the Risk to be assigned a rating or score which determines how the Risk will be managed and monitored within the Trust and prioritise remedial action and availability of resources to address Risks Risks are assigned a score based on a combination of likelihood and consequence using the Risk Assessment Matrix (Appendix B in the associated Risk Management Policy) The Trust uses three Risk scores as follows: Initial Score: This is the score when the Risk is first identified and is assessed without any existing controls in place. This score will not change for the lifetime of the Risk and is used as a benchmark against which the effect of management can be measured. Current Score: This is the score with existing controls in place. It is expected that the Current Score will reduce and move toward the Target Score as controls are implemented and action plans to mitigate the Risks are developed. Target Score: This score should reflect the Risk Appetite for the type of Risk identified. The target date when the Target Score will be achieved, must also be recorded Assessing Risks will involve looking at: What is the likelihood of a Risk being realised? What is the consequence if the Risk is realised? What controls are in place to prevent a Risk occurring? Page 4 of 11

5 What is the current level of Risk in light of these considerations? What is the level of Risk that is acceptable according to the relevant Risk Appetite? What actions need to be implemented to reduce the Current Score to the Target Score? The Risk Owner will be supported in assessing the Risk by the relevant Risk Lead Risks are approved at three different levels before they are recorded on the Risk Register as detailed in Table 1 below. Table 1: Approval of Risk Approval Status Risk in review by Risk Owner Awaiting approval by Risk Lead Awaiting final approval by Governance Risk Content The Risk Owner must input the Risk onto Datix and complete the mandatory sections of the form. When this is complete the Risk Owner will advance the status to awaiting approval by Risk Lead. The Risk Lead will review the Risk to ensure that it meets all of the quality indicators for a Risk Assessment. If the Risk Lead agrees with the assessment they will change the status to awaiting final approval. If the Risk Lead identifies any concerns then they will change the status to Risk in review by Risk Owner and discuss the amendments required with the Risk Owner. A member of the Clinical or Corporate Governance Teams will review the Risk Assessment to ensure that all quality indicators are met and then change the status of the Risk to Risk Register. If the review identifies any concerns then they will change the status to awaiting approval by Risk Lead and discuss the amendments or additions required with the Risk Lead New Operational Risks with a Current Score of 15 or above must be presented to the appropriate Executive or Divisional Management Team for approval within 1 month of being reported on Datix. Risks with a Current Score of 12 or below will take a maximum time of 3 months to proceed from the initial submission to approval onto the Risk Register. Page 5 of 11

6 2.3. MANAGE the Risk Once the Risk has been assessed and the Initial, Current and Target Scores have been established, then the Risk Owner, in agreement with the relevant management team, must decide on what action to take in managing the Risk. There are a number of options available which are outlined in the table below: Table 2: Options for Managing Risk Risk Status Transfer a Risk Tolerate a Risk Treat a Risk Terminate a Risk Description Where the Current Score is higher than an acceptable Target Score the decision reached may be to Transfer the consequence of the Risk to another owner, e.g. purchase an insurance policy so that if the Risk transpires then financial loss is covered. Where the Current Score is within an acceptable limit the decision reached may be to Tolerate or accept the Risk with no further action required. Where the status of a Risk is to Tolerate, the controls must be monitored and the Risk reviewed on a six monthly basis. Where the Current Score is higher than an acceptable score the decision reached may be to Treat the Risk. Where the status of a Risk is to Treat, a SMART action plan will be developed. When an action is complete the Current Score must be reviewed to determine the change to the likelihood or consequence score. If the Current Score is 15 or above then the Risk must be reviewed on a monthly basis. Where the Current Score is less than 15 then the Risk must be reviewed on a quarterly basis. Where the Current Score is higher than an acceptable score and there is no option to Transfer, Tolerate or Treat the Risk, the decision reached may be to NOT proceed with the activity. In this case the only option is to choose to Terminate the Risk The majority of Risks will be Treated and in this case an action plan will be developed that details how the Risk will be mitigated to reach the Target Score. This could involve changing a process or introducing a safer system which will prevent, correct, direct, or detect the likelihood or consequence of a Risk When managing identified Risks, the following must be considered: Page 6 of 11

7 What are the existing Controls and are there any gaps? What further Controls are practical and sustainable? Is the design of the Control right? Is it helping to achieve objectives? What further actions are needed to manage the Risk? Table 3 summarises how the different levels of Risk will be managed: Table 3: Management of Risk at Different Levels Level Current Score (LxC) Management Low 1,2,3, 4 or 5 (5x1) Green Risks will be managed locally by the relevant Risk Owner supported by the Risk Lead. The progress in managing these Risks will be reviewed quarterly (at a minimum) by the Risk Owner. Moderate 5 (1x5),6,8,9,10 or 12 Amber Risks will be reviewed quarterly by the Risk Owner. Amber Risks will be reported to the Division who will monitor their management and consider the requirement for additional assurance. High 15,16,20 or 25 New Red Risks will be reported immediately to the appropriate member of the Clinical or Corporate Governance team. They will be approved by the relevant Divisional Management Team or Director. Where Red Risks are approved by the Division/ Director they will be included on the Corporate Risk Register and Report. Red Risks will be reviewed monthly by the Risk Owner and Divisional Management Team All Specialties and Departments will need to agree a programme of actions to manage identified Risks. Each action plan must: Record any actions needed to manage the Risk indicating the agreed time scale for each action; and Page 7 of 11

8 Ensure a designated person is chosen to take responsibility for managing the Risk and is informed and agrees to the action plan Each action identified on the action plan must be SMART: Specific Measurable Achievable Realistic Timely Action plans must be appropriate and clearly show how they mitigate the level of the Current Score to incrementally move towards the Target Score Where actions cannot be taken within the available resource or within an agreed timescale, i.e. the Target Score or the target date cannot be met, the Risk must be escalated to the next level of management for consideration REVIEW the Risk It is the responsibility of the Risk Owner, supported by the Risk Lead, to review the progress of Risks to ensure that they represent the current situation. Factors which may affect either the consequence or likelihood to be taken into account include: Changes to the context of the Risk Deterioration of Controls Implementation of actions Changes in Risk Appetite Risks must specify the date on which a review of the Risk is due. It is expected that, as action plans are progressed, the Current Score will move towards the Target Score and may be accepted as Tolerable when the Current Score reaches the Target Score. This may be achieved within one review period but it may take longer, in which case a new review date must be set. Page 8 of 11

9 Where a Risk has not made sufficient progress towards meeting the Target Score then it must be escalated to the next level for consideration All Red Risks must be reviewed on a monthly basis. All Green and Amber Risks must be reviewed at least once quarterly A member of the Clinical or Corporate Governance Team will support the review of Risks owned by Specialties, Divisions and Directors TOLERATE (Accept) the Risk 3. Escalation of Risk The status of a Risk will only be Accepted when the relevant Risk Owner is satisfied that the Risk has been managed to an acceptable level. The decision to Accept the Risk will be made in discussion with the Risk Lead and relevant management team. When changing the status to Accepted the Risk Owner will be required to state the rationale for this decision. For example, the majority of Risks will be managed through treatment, which is the implementation of actions to reduce the Current Score to the Target Score When this option is chosen the Risk will be incrementally downgraded as actions are completed. When the Target Score is reached then the Current Score should be recorded at the same level as the Target Score and the Risk Status changed to Accepted Accepting a Risk does not remove it from the Risk Register. If a control fails or the context of the Risk changes then a Risk must be reassessed and the Risk Treated again where appropriate. Accepted Risks must be reviewed on a 6 monthly basis An integral part of effective Risk management is ensuring that Risks are escalated to a higher level in line with the relevant governance structure. This will ensure that appropriate action and prioritisation of resources can take place. Risks will be escalated when the Risk Owner believes that: The Target Score cannot be met within the available resources; and/or The Target Date will not be met (up to a maximum of 24 months). Page 9 of 11

10 3.2. Escalation will take place as set out in Table 4: Table 4: Risk Escalation Escalation from Specialty Division Executive Director Executive Team Escalation to Division Executive Director Executive Team Board of Directors 3.3. When escalation is agreed, the ownership of the Risk will be amended to reflect this. The identified Risk Lead will also be amended as appropriate. 4. References A Risk Management Standard, Institute of Risk Management (2002) A Risk Matrix for Risk Managers, National Patient Safety Agency (2008) ISO Risk Management, International Standards Organisation (2009) updated 2018 Home Office Risk Management Policy and Guidance, Home Office (2011) NHS Audit Committee Handbook, Department of Health (2011) Risk Management Assessment Framework, HM Treasury (2009) Taking it on Trust: A Review of How Boards of NHS Trusts and Foundation Trusts Get Their Assurance, Audit Commission (2009) The Orange Book (Management of Risk Principles and Concepts), HM Treasury (2004) UK Corporate Governance Code, Financial Reporting Council (2010) Understanding and Articulating Risk Appetite, KPMG, (2008) 5. Associated Policy and Procedural Documentation Health and Safety Policy Project Management Policy Risk Management Policy Page 10 of 11

11 Appendix A The Role of the Risk Lead The Risk Lead plays an integral role in the smooth management of risks at Specialty, Department and Divisional levels. This means that the nominated individual must be able to challenge their colleagues in a way that supports the effective management of Risk and allows assurance to be provided at higher levels. The Risk Lead must be of an appropriate seniority and position to allow them to undertake the requirements of their role effectively and the role must not be delegated to a junior member of staff. Each Specialty/Department/Division will nominate a Risk Lead who is responsible for: Ensuring that staff within the Specialty/Department/Division are able to identify Risks and know how to report them to the Risk Lead; Ensuring Risk Assessments are completed for Risks identified within the Specialty/Department/Division and documented on Datix according to the Risk Management Policy and Procedure; Ensuring that Specialty/Department/Divisional staff implement action plans to reduce Risk, according to the Risk management Policy and Procedure; Ensuring that Risks are monitored and reviewed appropriately and that the Risk record is updated to reflect progress and is accepted when the Target Score is met; and Attending Specialty/Department/Division meetings to report information relating to Risk to the relevant management team including whether or not Risks have been escalated and managed appropriately, agreed actions are taking place, and the Risk Level reducing. This information will form a part of reports produced by the Governance facilitation and Corporate Governance Teams to be presented at Specialty/Department and Divisional Quality Groups. In Clinical Specialties and Divisions the default Risk Lead should be a member of the Operational staff but may be another member of the respective management team or another senior member of staff nominated by the management team. In the Corporate areas, where specific Operational staff may not be employed, the Risk Lead will be a senior member of staff nominated by the respective Director. The Governance Facilitation and Corporate Governance teams will support the nominated Risk Leads to ensure that Risks are actively managed and Risk Registers are reviewed according to the requirements of the Risk Management Policy. Page 11 of 11