RISK MANAGEMENT STRATEGY

Transcription

1 Directorate of Performance Assurance RISK MANAGEMENT STRATEGY Reference: DCP086 Version: 7.0 This version issued: 24/07/15 Result of last review: Minor changes Date approved by owner (if applicable): 23/07/15 Date approved: 31/03/15 Approving body: Trust Board Date for review: March, 2016 Owner: Wendy Booth, Director of Performance Assurance Document type: Policy Number of pages: 28 (including front sheet) Author / Contact: Wendy Booth, Director of Performance Assurance / Jill Mill, Head of Risk Management Northern Lincolnshire and Goole NHS Foundation Trust actively seeks to promote equality of opportunity. The Trust seeks to ensure that no employee, service user, or member of the public is unlawfully discriminated against for any reason, including the protected characteristics as defined in the Equality Act These principles will be expected to be upheld by all who act on behalf of the Trust, with respect to all aspects of Equality.

2 Contents Section... Page 1.0 Introduction & Purpose Area Philosophy Definitions Risk Management Process - Actions Risk Management Process - Local Level Actions Risk Management Duties & Responsibilities Strategy Approval and Ratification Process Strategy Review and Revision Strategy Implementation Strategy Dissemination Monitoring Compliance and Effectiveness Further Reading / Associated Documentation References Equality Act (2010) Appendices: Appendix A - Risk Management Objectives 2015 / Appendix B - Governance / Risk Management Structure (Revised) Appendix C - Governance / Risk Management Strategy Designated Responsibilities Appendix D - Governance / Risk Management Meeting Structure (Revised) Printed copies valid only if separately controlled Page 2 of 28

3 1.0 Introduction & Purpose 1.1 As with any organisation the NHS carries a number of risks, which if not properly managed/controlled have the potential to cause harm to patients, staff and visitors and loss to its assets and reputation. 1.2 It is accepted that given the nature of the service provided by the NHS, some risks may never be totally eliminated. However it is essential that NHS Trusts have in place good risk management systems and practices which eliminate risk wherever possible and reduce the impact of those risks which cannot be eliminated to an acceptable level. 1.3 The Northern Lincolnshire & Goole NHS Foundation Trust takes a holistic approach to the management of risk, in accordance with the principles of Integrated Governance, and this document sets out the commitment of the Trust to managing risk (both clinical and non-clinical) and the Strategy for achieving this objective. In respect of patient safety, the Risk Management Strategy and indeed the Trust s risk management arrangements also reflect the NPSA s Seven Steps to Patient Safety principles. 1.4 The Trust acknowledges that the provision of a strong system of governance and risk management can enhance the care and well-being of patients and those staff who look after them and is a key driver for change and modernisation. The Risk Management Strategy is an integral part of the Trust s approach to continuous quality improvement and is intended to support and assist the organisation in delivering the key objectives within the Trust s Quality Strategy as well as ensuring compliance with external standards, duties and legislative requirements including those relating to the Trust s License with Monitor as a Foundation Trust. 1.5 The Trust agrees annual risk management objectives (see Appendix A), which are shared through the business planning and performance management frameworks. However, the overall objective of the Risk Management Strategy is to have an organisation which: is fully risk aware where risk management is embedded within the organisation s culture, is integrated into the working practices of all grades and disciplines of staff and encourages and empowers those staff to identify and control risk which may affect the Trust s ability to achieve its objectives encourages the open reporting of mistakes made, within a fair blame culture, and ensures that lessons are learnt from those mistakes and that measures to prevent recurrence are promptly applied accepts that Risk Management is everyone s responsibility This in turn will assist in ensuring the achievement of the organisation s overall objective which is to provide quality healthcare for the local health community. 1.6 The Trust s Governance & Assurance Committee is responsible for overseeing the ongoing development and implementation of the Risk Management Strategy. 1.7 The Trust Board will be responsible for the ratification and annual review of the Risk Management Strategy. Printed copies valid only if separately controlled Page 3 of 28

4 2.0 Area 2.1 This Strategy applies to all staff employed by or contracted to the Trust. 3.0 Philosophy 3.1 The Northern Lincolnshire & Goole NHS Foundation Trust is committed to the management of risk (both clinical and non-clinical) in order to: improve the quality of care provide a safe environment for the benefit of patients, staff and visitors by reducing and, where possible, eliminating the risk of loss, harm or damage protect its assets and reputation meet statutory and regulatory requirements (e.g. Monitor, CQC, HSE) 3.2 This will be achieved through a process of identification, analysis, evaluation, control, elimination and transfer of risk. 3.3 The Trust aims to be pro-active in its approach to the management of risk and will endeavor to identify, control and, where possible, eliminate the risk before incidents of actual loss, harm or damage have occurred. 3.4 For this approach to be effective it is recognised that there must also be: an ongoing raising of awareness of risk management involvement/participation of all staff integration of risk management into operational management early escalation and mitigation/resolution of risk issues a live and meaningful organisational wide Risk Register which is populated with all types of risk e.g. financial, strategic, clinical and non-clinical and is regularly updated and reviewed through the Trust governance structure through to the Trust Board clear, communicated arrangements/designated responsibilities for risk management training in risk assessment/management a robust incident reporting system development of risk management within a fair blame culture. The Trust s approach following adverse incidents will therefore focus on what went wrong, not who went wrong Printed copies valid only if separately controlled Page 4 of 28

5 sound clinical practice which is: evidence based undertaken by appropriately skilled & equipped staff undertaken in accordance with policies, procedures and guidelines effective communication within and between Directorates and also with patients and the public safe systems of work & safe practices which are undertaken in accordance with up to date policies, procedures and guidelines which are known and understood by the staff concerned ongoing monitoring of actions/controls put in place to minimise the organisation s risk exposure pro-active management of complaints and claims routine and ongoing learning of lessons / closing the loop when things do go wrong ongoing audit and monitoring of the effectiveness of the Trust s risk management/governance arrangements and appropriate escalation and remedial action where shortfalls are identified 4.0 Definitions 4.1 Risk is defined as a hazard/exposure to danger/chance of loss or harm. As the consequences of taking risks can be damaging, steps must be taken to manage or minimise these risks. (*Harm is defined as 'injury (physical, emotional or psychological), disease, suffering, disability or death.) 4.2 Risk Management is defined as the systematic process of risk identification, analysis, evaluation and correction of potential and actual risks to which an organisation is exposed (whether affecting patients, visitors, staff or property). Clinical Risk Management concentrates on identifying and correcting risks associated with direct patient care, whilst Non-Clinical Risk Management is associated with all other Trust activities. Printed copies valid only if separately controlled Page 5 of 28

6 5.0 Risk Management Process - Actions 5.1 Risk Identification It is self-evident that risk management requires risk identification and inevitably, through risk assessments/audits, workplace assessments, complaints/claims, day to day practice, etc. many risks will be identified and appropriate action taken before instances of loss, harm or damage have occurred. These risks will be recorded, as appropriate, as part of the relevant Directorate/Group Risk Register, which in turn will inform the overall organisation-wide Risk Register. However, in an organisation as large and complex as the NHS, it is accepted that an element of risk management is reactive and that some risks will not be identified until something has gone wrong and therefore an essential part of the Trust s Risk Management Strategy is the system for identifying/reporting untoward incidents/accidents. The effectiveness of the Trust's Incident Reporting arrangements requires the participation and co-operation of all staff The Trust s Incident Reporting arrangements, which have been developed with an emphasis on fair blame, places on staff the requirement to report any accident, incident or potential incident (i.e. a near miss ) that could adversely affect the individual(s) involved (i.e. lead to loss, harm or damage), lead to further action and ultimately loss to the Trust s reputation and/or assets Risks identified from the incident reporting process (and indeed the complaints and claims management processes) will also inform Directorate/Group and, in turn, the organisation-wide Risk Register; details of the numbers and severity of related incidents which occur informing the grading/ranking of a particular risk on the Risk Register The Trust has adopted a universal Incident Report Form which is used for the reporting of all incidents/accidents (whether clinical or non-clinical) involving patients, members of staff or visitors to the Trust The Trust recognises that analysis and review of incident data is essential in order to inform the process of learning and change. Whilst Directorates/Groups will regularly review information on incidents in their individual areas within their Governance Groups (or equivalent forums within Non-Clinical Directorates), review of central aggregate incident data (and also data on complaints/concerns and claims) will also be undertaken in order to: identify Trust-wide patterns or trends not noticeable or seen as significant from individual analysis reports provide additional valuable information for learning assure the Trust Board that risks of all kinds are being identified and managed The Trust's Incident Reporting System will be continually reviewed and refined in order to meet the needs of the organisation and ensure that all areas and all staff groups are reporting incidents (including the use of on-line reporting facilities) and in order to ensure compliance with National requirements; not least the requirement to report patient safety incidents to the NHS England National Reporting & Learning System (NRLS) and the requirement to report security incidents to the National Security Management Services via the Security Incident Reporting System (SIRS). Printed copies valid only if separately controlled Page 6 of 28

7 5.1.7 The Trust also has in place a Policy for Dealing with Serious Untoward Incidents (Clinical and Non-Clinical). This outlines specific responsibilities of key individuals on identification of a serious untoward incident including communication with patients, relatives and staff and, where appropriate the wider public, notification to external stakeholders and organisations including the Commissioners, NHS England and, where appropriate, Monitor and the CQC, and investigation and follow-up of the incident The Trust also receives information on risks/hazards from a number of external sources (i.e. Confidential Enquiry Reports, Medicines and Healthcare Products Regulatory Agency (MHRA), NHS England, Department of Health (DOH), the Care Quality Commission (CQC) as well as from high level enquiries and feedback from stakeholders (e.g. Commissioners) etc). On receipt of this information the Trust will respond appropriately, ensuring that the necessary controls are in place to minimise and, where possible, eliminate the risk of loss, harm or damage or other impact to patients, members of staff and visitors to the Trust. Where controls may be inadequate, the risk faced by the organisation will be included on the Risk Register The Trust recognises that as new risks are constantly emerging, the identification of risk needs to be an on-going and pro-active process, which involves all staff and ensures that action is taken before incidents/actual loss, harm or damage have occurred. The Trust has in place general and specific Risk Assessment Tools which use a generic assessment/grading matrix to assist staff in identifying and assessing risk All risks identified, whether from reactive or proactive or internal or external sources will be recorded as part of the relevant Directorate/Group Risk Register, which in turn will inform the overall organisation-wide Risk Register. This in turn will enable risk to be quantified and ranked. Further, it will provide a structure for collating information about risks that will help both in the analysis of risks and in the process of making decisions about whether or how these risks should be treated, including the allocation of resources. Review and monitoring of risks on the risk register will be an ongoing process and will be undertaken via the Trust s governance framework. A Trust-wide Risk Register Confirm or Challenge Group, comprising representations from all Directorates has been set up for this purpose. This group is responsible for confirming or challenging the entry of new risks on the risk register and the grading attached to them and for monitoring the achievement of agreed action plans. Details of those strategic risks faced by the Trust and associated action plans will be provided, for review and monitoring, in quarterly reports to the Trust Governance & Assurance Committee and Trust Board. In order to provide robust challenge in respect of the Trust s response to risks on the risk register, the strategic, high level, risks on the risk register are reviewed at each meeting of the Trust Governance & Assurance Committee and quarterly by one of the Non-Executive Directors (the chair of the Trust Governance & Assurance Committee), who provides comments to the Board as part of the quarterly feedback report allowing any further required action to be agreed. Printed copies valid only if separately controlled Page 7 of 28

8 5.2 Evaluation / Analysis or Assessment of Risk This involves an estimate of the probability of the risk occurring, the frequency of the risk occurring and the impact or severity if it does An assessment of the risks attached to a particular practice or activity may be undertaken using the Trust s generic Risk Assessment Tool/Grading Matrix (see Figure 3 below) by mapping the likelihood of recurrence (Figure 1) against the severity/impact (Figure 2) to determine the risk grading/score. This can be used as the basis of identifying acceptable and unacceptable risk. Figure 1: Likelihood of Recurrence Ratings Descriptor CERTAIN LIKELY POSSIBLE Description Will undoubtedly recur, possibly frequently Will probably recur, but is not a persistent issue May recur occasionally UNLIKELY RARE Figure 2: Severity / Impact / Consequence Ratings Level Descriptor 5 Catastrophic (including Death) 4 Severe Actual or potential unintended or unexpected impact on individual(s) (Examples Only) Any patient safety incident that directly resulted in the death (related to the incident rather than a natural course of the patient s illness or underlying condition Any patient safety incident that appears to have resulted in permanent harm (permanent lessening of bodily, sensory, motor, physiologic or intellectual functions, including removal of the wrong limb or organ or brain damage). Do not expect it to happen again but it is possible Cannot believe that this will ever happen again. Actual or potential impact on organisation (Examples Only) COMBINED (Clinical, Financial, Quality, Litigation, Reputation, Equity) International adverse publicity/severe loss of confidence in the organisation Extended service closure (i.e. 8 days+) Litigation > 1 million Other financial loss > 1 million Significant lost staff working days Definite notification to Monitor, NPSA, NHSLA/other external agencies (e.g. HSE, Police, Coroner etc.) Probable external investigation/ interventions/sanctions by Care Quality Commission, HSE etc. Executive Officer Imprisoned Removal of Executive control / authorisation Public enquiry Serious breach of confidentiality (potential for ID theft or over 1000 people affected) National adverse publicity/major loss of confidence in the organisation Possible temporary service closure/disruption to service (i.e. 2-7 days) Complaint Litigation 500k - 1 million Other financial loss > 500k Increased length of stay >15 days Increased level of care >15 days Significant lost staff working days Definite notification to Monitor, NPSA, NHSLA/other external agencies (e.g. HSE, Police etc.) Possible external investigation/ intervention/sanctions/prosecution by Care Quality Commission, HSE, Police etc. Extended failure to meet national targets Executive officer fined Loss of major civil case Loss of Human Rights Act (HRA) or Disability Discrimination Act (DDA) case Critical Care Quality Commission report Printed copies valid only if separately controlled Page 8 of 28

9 3 Moderate Any patient safety incident that requires a moderate increase in treatment (unplanned return to surgery, an unplanned readmission, a prolonged episode of care, extra time in hospital or as an outpatient, cancelling of treatment, or transfer to another treatment area (such as intensive care) and which caused significant, but not permanent harm. Prolonged psychological harm which means psychological harm which a service user has experienced, or is likely to experience, for a continuous period of at least 28 days. 2 Low Minor effect on care or wellbeing, health & safety of any person 1 None/ Near Miss Serious breach of confidentiality (up to 1000 people affected) Moderate service disruption Local adverse publicity/moderate loss of confidence in the organisation Probable complaint Probable litigation 50k - 500k Other financial loss 100k- 499k Increased length of stay 8-15 days Increased level of care 8-15 days Lost staff working days Probable notification to Monitor, NPSA, NHSLA etc. Failure to meet national targets 2 Qtr s Improvement notice Recruitment difficulties in key specialties Persistent same issue complaints HRA or DDA claim Serious potential breach of confidentiality (up to 20 people affected) Minor impact/service disruption (i.e. up to 1 day) Possible complaint Possible litigation < 50k Non-permanent harm requiring Other financial loss < 99k observation or minor treatment Increased length of stay 1-7 days Increased level of care 1-7 days Possible lost staff working days Failure to meet national targets 1 Qtr Minor civil case Minor breach of confidentiality (less than 5 people affected) No obvious harm/injury Minimal impact/no service disruption No or low financial loss No lost staff working days No litigation No loss of reputation No loss of equity Minor breach of confidentiality (single individual affected) Figure 3: Risk Assessment Matrix Likelihood of recurrence None / Near Miss (1) Low (2) Severity / Impact / Consequence Moderate (3) Severe (4) Catastrophic (5) Rare (1) Unlikely (2) Possible (3) Likely (4) Certain (5) RISK Green Risk Score 1-3 Very low Yellow Risk Score 4-6 Low Orange Risk Score 8-12 Moderate Red Risk Score High Printed copies valid only if separately controlled Page 9 of 28

10 5.2.3 It is recognised that the above approach will not be routinely required for all risk assessments and that the professional judgement of the staff working in the areas concerned will continue to be the chosen/most appropriate and indeed acceptable means of assessment. 5.3 Risk Control Following identification and analysis of the risk, a decision will need to be made as to whether the Trust can avoid, reduce, eliminate, accept/retain or transfer the risk: Avoid: whether a particular task can be undertaken a different way so that the risk does not occur Reduce: whether action can be taken to reduce, as far as possible, the probability or impact of the risk exposure Eliminate: whether definitive action can be taken to eliminate the risk exposure Transfer: the most common form of risk transfer is insurance (As part of its approach to minimising financial risk and liabilities, the Trust has joined the NHSLA s clinical and non-clinical risk pooling schemes) Accept/retain: if the risk is small or cannot be reduced, avoided or transferred (it may be that the cost of insurance cover is prohibitive), the Trust will need to accept it and prepare an action plan in order to minimise the effects of the risk exposure Acceptable risk can be defined as the residual risk remaining after controls have been applied to associated hazards that have been identified, quantified, analysed, communicated to the appropriate level of management and accepted after proper evaluation As indicated in above, a simple approach is to quantify risk in terms of frequency and severity using the Trust's Risk Assessment Tool/Grading Matrix. This allows construction of a risk matrix, which can be used as the basis of identifying acceptable and unacceptable risk Acceptability may be defined as those risks that have a score of six or less, although this may depend on the specific risk. It must also be borne in mind that there are some instances where a risk may be deemed unacceptable yet still be tolerated by the Directorate/Group/organisation. For example, a risk may be tolerated, as its removal may prove detrimental to service provision. Similarly, the risk may be untreatable or the cost of treatment/control may be prohibitive. As outlined above (5.3.1), where the Directorate/organisation decides to accept the risk, action will need to be put in place to minimise as far as possible the effects of the risk exposure. N.B. In such instances, the risk should also be added to the Risk Register. Printed copies valid only if separately controlled Page 10 of 28

11 5.3.5 Whilst all staff within the Trust have some responsibility for risk management, where a risk cannot be controlled or eliminated at a specific level, relevant Managers should ensure escalation to the next level for a decision to be made. In line with the principles of devolution within the Northern Lincolnshire & Goole NHS Foundation Trust, responsibility for the management/control and funding of a particular risk rests with the Directorate/Group concerned. However, where action to control a particular risk falls outside the control/responsibility of that Directorate/Group, where local control measures are considered to be potentially inadequate or require significant financial investment or the risk is significant and simply cannot be dealt with at that level, such issues must be referred to the Trust Governance & Assurance Committee or Executive Team/Trust Board. N.B. A significant risk could be defined as one with a risk grading/score of high (red) determined using the Risk Grading Matrix at Figure 3 above (5.2.2) Whilst the above groups will consider the implications of not managing the risk and will make recommendations for action, they will not routinely be responsible for the allocation of resources. Requests for funding (where this cannot be managed within the Directorate/Group) will be considered against the Capital Programme and other designated risk or other allocations. Where there are several risks to consider, all of which may have a cost to control, priorities will have to be made if resources are finite. The grading/ranking of risks using the Trust s Risk Register will assist with this process. The above system will avoid, as far as possible, a situation where unacceptable risks are not managed due to financial constraints. 5.4 Risk Review / Follow-up As risks can change over time and new ones can emerge actions taken to control the risk exposure will be reviewed/audited to ensure they are effective. The frequency of review will depend on the severity of the risk involved When significant risks have been identified, Directorates/Groups will be required to produce an action plan for addressing these. Implementation of agreed action measures in such instances will be escalated to and monitored by the Trust s Governance & Assurance Committee and ultimately the Trust Board Where a risk has been identified in one area of the Trust but has the potential to occur elsewhere, lessons learned will be widely shared. The Trust has in place a range of mechanisms to support this sharing of information (e.g. Internal Risk Management Safety Alerts, Learning the Lessons Newsletter, Quarterly Governance Updates, Governance Liaison Group, Health & Safety Leads Network etc.) The Trust will also work with relevant stakeholders (e.g. Commissioner colleagues) to ensure appropriate learning from and follow-up of incidents and risk issues and the achievement of agreed quality objectives and targets. Printed copies valid only if separately controlled Page 11 of 28

12 6.0 Risk Management Process - Local Level Actions 6.1 Directorates/Groups will identify and manage risk in accordance with the principles and processes outlined within this Strategy and will: designate Governance Leads to lead the development and implementation of effective governance and risk management arrangements within the Directorate/Group. N.B. In discharging those responsibilities, Directorates / Groups will be supported by a central governance support team, most notably the Risk & Governance Facilitators, who will assist in co-ordinating governance and risk management activities convene an appropriate group with overarching responsibility for governance and risk management within the Directorate/Group and ensure that regular meetings of this committee are held and that there are links between these committees and the Trust Governance & Assurance Committee (see also 7.6 and Appendix D below) and that issues are escalated to the Trust Governance & Assurance Committee, as required, through the quarterly highlight reports and, convene relevant sub-committees to consider specific risk issues, as necessary/appropriate implement relevant local governance and risk management policies, procedures and guidance as necessary/appropriate identify and assess risks of all types, in accordance with the requirements of the Trust s General Risk Assessment Procedure and other risk assessment requirements in relation to specific risk issues (e.g. moving & handling, violence and aggression, lone working etc.) and ensure that, where controls are not adequate and action is required, these are recorded on the relevant Directorate Risk Register, which in turn will inform the overall organisationwide Risk Register, and ensure that action plans are in place and these are regularly reviewed and updated. In some areas this will be achieved by having in place specific risk register review groups ensure that, where risk has a cost to control, these requirements are included in the Directorate s Capital Programme or bids are submitted against other designated risk or other allocations ensure that risks which cannot be managed within the Directorate are appropriately escalated ensure the effective management of complaints/concerns and claims with an emphasis on learning lessons and ensuring changes in practice occur as necessary/appropriate ensure that all areas and all staff groups report adverse incidents (in accordance with the Trust s Incident Reporting Policy) and ensure that this is monitored be open with patients/relatives when things go wrong (in accordance with the Trust s Being Open Policy and the Duty of Candour ) Printed copies valid only if separately controlled Page 12 of 28

13 learn lessons when things go wrong and ensure that follow-up/ closing of the loop occurs in order to prevent recurrence and that feedback and support is provided to patients/relatives and staff share lessons learned within the Directorate/Group or across the wider organisation, utilising the various mechanisms in place within the Directorate or wider Trust (e.g. Trust-wide Risk Management Learning Lessons Newsletters) analyse and review data on incidents, complaints/concerns and claims in order to ensure that trends are identified and remedial action is taken as necessary/appropriate and that where risks are identified from this process, these are included on the Risk Register escalate and follow-up serious untoward incidents within agreed timescales and targets respond to internal and external alerts and recommendations (e.g. Confidential Enquiry reports, safety alerts, NICE guidance etc.) 7.0 Risk Management Duties & Responsibilities 7.1 In line with the requirements of Clinical Governance, the Chief Executive carries ultimate responsibility for assuring the quality of the services provided by the Northern Lincolnshire & Goole NHS Foundation Trust just as he is for the proper use of resources. Detailed Clinical Governance arrangements are in place within the Trust. 7.2 The Chief Executive, on behalf of the Trust Board, is also ultimately accountable for ensuring the implementation of Corporate Governance. This imposes a requirement for Trusts to be in a position to provide, in the Annual Governance Statement, an overall assurance that the organisation has in place the necessary controls to manage its risk exposure. In order to make such a statement, the Chief Executive and Trust Board will need to have evidence that the Risk Management Strategy is being actively implemented, that systems/procedures are being regularly reviewed and that, where required, developments and improvements are being made. The Trust s Governance & Assurance Committee will oversee this process, although the Internal Audit function will also be required to audit the arrangements in place, not least by verification of evidence captured as part of the Trust Assurance Framework, and provide independent verification of the system of internal control. 7.3 Within these arrangements: The Director of Performance Assurance & Trust Secretary has delegated lead responsibility from the Chief Executive for the co-ordination of the Trust s governance, quality governance and risk management arrangements and for supporting the Medical Director and Chief Nurse in delivering the quality governance and improvement agenda. However, responsibility for the day-to-day management of risk at local level has been devolved to Directorates/Groups see section 6.0. The Director of Performance Assurance & Trust Secretary will however be responsible for assuring the Chief Executive and the Trust Board that the arrangements at corporate and local level are robust Printed copies valid only if separately controlled Page 13 of 28

14 Directors/Managers are responsible for ensuring the implementation of effective governance and risk management arrangements within the areas for which they are responsible which are consistent with the principles outlined in the Trust-wide Risk Management Strategy and for ensuring that staff are aware of their responsibilities and are engaged in the risk management process The Director of Finance is responsible for financial risk management and for providing regular, timely and accurate financial reporting to the Board and Monitor. This in turn will enable the Board to provide in the Trust s Annual Accounts an assurance of the safeguarding of assets and the maintenance of proper accounting records and the reliability of financial information 7.4 The Trust s Risk Management Structure is shown at Appendix B. 7.5 Appendix C sets out the duties and responsibilities of staff within the Trust s risk management arrangements including those key staff with specific responsibilities for leading and co-ordinating the Trust s governance and risk management arrangements. 7.6 A Risk Management meeting structure, to drive the Trust s risk management agenda (both clinical and non-clinical) is also in place and is shown at Appendix D. These arrangements ensure that there is full involvement across all Directorates and that the management of clinical and non-clinical risk issues involves the most appropriate personnel and that staff feel both supported and involved in the process and further, provide assurance to the Trust Board that risk issues are being identified, escalated and controlled. 8.0 Strategy Approval and Ratification Process 8.1 The Trust s Governance & Assurance Committee is responsible for overseeing the ongoing development and implementation of the Risk Management Strategy. 8.2 The Trust Board will be responsible for the ratification of the annual review of the Risk Management Strategy. 9.0 Strategy Review and Revision 9.1 This Strategy will be reviewed annually or sooner should the need arise. Printed copies valid only if separately controlled Page 14 of 28

15 10.0 Strategy Implementation 10.1 Training In order to ensure that staff have sufficient awareness of risk management and are competent to identify, assess and manage risk within their working environment and thus ensure that the Risk Management Strategy is effectively implemented and its objectives met, risk awareness/assessment training as well as other risk management training is made available to all staff as part of the Trust s comprehensive Risk Management Training Programme. Managers (and ultimately Directors) with responsibility for the management of staff will be responsible for ensuring that an assessment of the risk management training needs of their staff, as part of individual personal development plans and training needs analysis, is undertaken and that staff are able to access and attend relevant training In respect of new staff, information on risk management including information on incident reporting is included in the corporate and local induction arrangements for all staff For further details of the Trust s requirements in respect of risk management training, staff should refer to the Trust s Mandatory Training Policy and Training Needs Analysis Strategy Dissemination 11.1 The Trust s Risk Management Strategy will be disseminated to: Trust Board Council of Governors Directorates/Groups All staff Commissioners* Monitor* CQC* Patients and the public* User groups (on request and via the Trust Intranet site) Patient Forums* Commissioners* Ambulance Services* Local Authority Scrutiny Lead(s)* *on request and/or via the Trust s Internet site Printed copies valid only if separately controlled Page 15 of 28

16 11.2 Amendments to the Strategy will be communicated to the above as and when they occur The Strategy will also be made available via the Intranet to ensure ease of access and to ensure that changes made are quickly communicated A copy of the Risk Management Summary Leaflet for Staff' will be made available in hard copy to all existing staff and new staff at induction. Managers of staff will however be responsible for ensuring that new staff are able to access the full version of the Strategy either electronically or in printed, hard copy format A leaflet entitled 'Risk Management Summary Leaflet for Patients & Visitors' will be displayed in all areas of the Trust. This invites comments and suggestion on how the Trust may further reduce risk Monitoring Compliance and Effectiveness 12.1 The Trust Board will receive an annual report on progress against key governance/risk management objectives The Trust s Governance & Assurance Committee and the Trust Board will also monitor the Trust s progress against the following key performance indicators, on an ongoing basis: compliance with internal and external risk management standards including the Health and Social Care Act 2008 (Registration Requirements) Regulations 2009/CQC Essential Standards of Quality & Safety; annual and in-year monitoring by the Trust Board of compliance with the Trust s License as part of Monitor s compliance regime through the approval of the annual plan and associated self-certifications and the monthly performance reports; quarterly monitoring of trends/demonstrable learning of lessons from incidents, complaints and claims; monthly monitoring of complaint response times/performance; ongoing risk assessment & development of the Trust-wide Risk Register and the receipt for review of quarterly risk register reports to the Trust Governance & Assurance Committee and the Trust Board; monitoring of risk management training attendance levels; monitoring of the outcome and follow-up of in-year reviews and audits of the Trust s risk management/governance arrangements. N.B. The above is not an exhaustive list but represents key performance indicators Individual Directorate/Group performance in achieving governance/risk management objectives and targets is monitored through the formal performance monitoring arrangements led by the Chief Executive. Printed copies valid only if separately controlled Page 16 of 28

17 13.0 Further Reading / Associated Documentation 13.1 The above represents the Trust s Risk Management Strategy and does not provide detailed information on the management of a specific area of risk or risk topic. It is recommended, therefore, that this document be read in conjunction with other key documents in place within the Trust including: Trust Constitution/Standing Financial Instructions/Standing Orders Trust Assurance Framework Directorate/Group Risk Management Strategies Policy for Dealing with Serious Untoward Incidents (Clinical & Non-Clinical) Incident Reporting Policy and associated documentation Being Open and Duty of Candour Policy Speaking Out Policy Risk Register Policy Health & Safety Policy Statement General Risk Assessment Procedure Trust Governance & Assurance Committee Terms of Reference Risk Register Confirm or Challenge Group Terms of Reference Learning Lessons Review Group Terms of Reference Audit Committee Terms of Reference Quality & Patient Experience Committee Terms of Reference Mortality Performance Committee Terms of Reference Business Continuity Policy Emergency Preparedness, Resilience and Response Steering Group Membership and Terms of Reference 13.2 The above is not an exhaustive list but represents key documents, which outline arrangements and processes which compliment the approach outlined in this Strategy The above and other risk related policy documents can be accessed on the Trust's Intranet site. Printed copies valid only if separately controlled Page 17 of 28

18 14.0 References 14.1 Guidance about compliance with Health and Social Care Act 2008 (Registration Requirements) Regulations NPSA. (2004). Seven Steps to Patient Safety. London: NPSA Health & Safety at Work Act Australian/New Zealand Standard AS/NZS 4360: NHS Appointments Commission. (2003). Governing in the NHS: A Guide for NHS Boards. London: NHS Appointments Commission NPSA. (2008). A Risk Matrix for Risk Managers. London: NPSA Monitor. (2011). Compliance Framework. London: Monitor Monitor. (2010). NHS Foundation Trust Code of Governance. London: Monitor DOH. (2006). Integrated Governance Handbook: A Handbook for Executives and Non-Executives in Healthcare Organisations. London: DOH NHSLA. (2012). Risk Management Standards for Acute Trusts. London: NHSLA Audit Commission (2009) Taking it on Trust: A Review of How NHS Trusts and Foundation Trusts get their Assurance. London: Audit Commission National Patient Safety Agency (2007) Healthcare Risk Assessment Made Easy. London: NPSA HSE. (2010). Leading Health & Safety at Work: leadership Actions for Directors and Board Members. London: HSE FTN. (2011). The Foundations of Good Governance: A Compendium of Best Practice Equality Act (2010) 15.1 In accordance with the Equality Act (2010), the Trust will make reasonable adjustments to the workplace so that an employee with a disability, as covered under the Act, should not be at any substantial disadvantage. The Trust will endeavour to develop an environment within which individuals feel able to disclose any disability or condition which may have a long term and substantial effect on their ability to carry out their normal day to day activities The Trust will wherever practical make adjustments as deemed reasonable in light of an employee s specific circumstances and the Trust s available resources paying particular attention to the Disability Discrimination requirements and the Equality Act (2010). The electronic master copy of this document is held by Document Control, Directorate of Performance Assurance, NL&G NHS Foundation Trust. Printed copies valid only if separately controlled Page 18 of 28

19 Appendix A RISK MANAGEMENT OBJECTIVES The following represent the key risk management objectives for the Trust for : Objectives of the central governance / assurance team: to support the delivery of the Quality Development Plan including assurance internally and externally regarding the embedding of these actions; to continue to embed Governance Structure working with Directorates & Groups to ensure that these arrangements support the emphasis on outcomes and improved quality & safety; to further develop and strengthen the Trust Assurance Framework ('Board to Ward') and the development and implementation of a ward/department quality & patient safety dashboard and in order to ensure that there is sufficient granularity of information across the Trust that ensures the prompt reporting of downward trends in performance. To further develop the Trust s health & safety and fire safety arrangements including the ongoing monitoring of risk assessments, ensuring that the appropriate controls are in place and the provision of health & safety training including IOSH Managing Safely training and fire training to relevant Trust staff; to further develop the Trust s Incident Reporting System through the use of DatixWeb; to further cascade Root Cause Analysis Training and to provide refresher training for those staff who received this training more than three years ago; to continue to support Directorates / Groups in learning lessons/ closing the loop following complaints/concerns, claims and incidents /SUIs in order to reduce the occurrence of same type incidents and which avoids the occurrence of never events ; to undertake a comprehensive review and further develop systems for sharing lessons learned/feedback to staff following incidents, complaints/concerns and claims via the Learning Lessons Review Group; to support Directorates/Groups to ensure compliance with relevant external standards and guidance e.g. Confidential Enquiries, NICE etc; to continue to strengthen the Trust's emergency planning, resilience and business continuity arrangements and ensure that the Trust is discharging its responsibilities under the Civil Contingencies Act 2004 and other relevant guidance and continues to meet the requirements of its Terms of Authorisation. Further to ensure that the Trust has the necessary arrangements in place under the PREVENT agenda; to continue to develop and refine the Trust s Risk Register to ensure that it remains an accurate and up to date reflection of the organisation s risk profile and ensuring this is more closely aligned with the performance management system; to ensure that the Trust achieves a minimum of Level 2 performance against the key requirements of the Information Governance Statement of Compliance (IGSoC) in Printed copies valid only if separately controlled Page 19 of 28

20 the Department of Health s Information Governance Toolkit and to maintain or progress towards achievement of Level 3 compliance; to ensure that the Trust meets its obligations under Freedom of Information Act and responds to requests for information within specified time periods. to continue to develop the Risk Management Training Programme, in the light of national changes and developments, and work with Directorates/Groups to agree methods of delivery which meet the needs and demands of staff and the service and ensure maximum take-up and to include a review of the Trust s Mandatory Training Policy; to strengthen the Trust s arrangements for dealing with complaints and concerns and ensuring ownership and accountability across the organisation; to continue to support Directorates/Groups to achieve compliance with the 95% complaints response target; to continue to develop the arrangements for the management of claims with an increased emphasis on learning lessons/ closing the loop ; To continue to provide advice and support to Trust staff to ensure compliance with the requirements of Mental Capacity Act (MCA) 2005 & Mental Capacity Act Deprivation of Liberty Safeguards (MCA DOLS) 2007 and Mental Health Act 2007, not least through the development and implementation of relevant local policies and training / awareness programmes. Further to respond appropriately to the outcome of MCA and MCA Audit reports; and CQC Guidance Printed copies valid only if separately controlled Page 20 of 28

21 Wider organisational risk management objectives to ensure that the Trust continues to comply with its License and the NHS Constitution. Where risks to compliance with the Trust s Authorisation have been identified to ensure that these are addressed or ensure there are appropriate action plans in place to address the issues in a timely manner; to continue to demonstrate compliance with Monitor s Quality Governance Framework; to achieve compliance with Monitor performance targets and the requirements of the Trust s License; to ensure the achievement of relevant external accreditation of clinical services e.g. Stroke Accreditation; to achieve the agreed CIP target; to ensure that the Trust remains a Going Concern ; to ensure that the recommendations of internal and external audits are acted on in a timely manner; to ensure that the Trust meets the agreed attendance targets for safeguarding adults and children training; to ensure the delivery of the CQUINS scheme; to ensure all medical practitioners providing care on behalf of the Trust have met the relevant revalidation requirement; to ensure that the Trust meets its obligations under equality, diversity and human rights legislation through the provision of: a visible lead to promote awareness of equality and diversity amongst existing staff through effective communications and awareness; the testing of knowledge of new staff through the recruitment process; the monitoring of the Trust s compliance with these obligations via an appropriate assurance system. to ensure that the Trust continues to be compliant with the Climate Change Act, the Carbon Reduction Commitment and Energy Performance Directive through the development and implementation of a Carbon Management Plan; ensure the Trust meet its legislative requirements in the management of its estate and information. Printed copies valid only if separately controlled Page 21 of 28

22 GOVERNANCE / RISK MANAGEMENT STRUCTURE (Revised) Appendix B TRUST BOARD CHIEF EXECUTIVE Organisational Estates & Strategy & Finance Development Facilities Planning Medical Operations Pathlinks Chief Nurse Directorate & Workforce Directorate Directorate Director Directorate Directorate Lead Nurse for Infection Control/ Community Women & Surgery / Medicine Diagnostics, Path Deputy DIPC & Therapy Children s Critical Care Governance Pharmacy & Links Governance Governance Governance Group Central Governance Group Group Group Operations Governance Governance Leads Head of Safeguarding TRUST GOVERNANCE Director of & ASSURANCE PA Performance Assurance COMMITTEE & Trust Secretary Safeguarding Team Secretary Deputy Director of Performance Assurance & Assistant Trust Secretary *Operations Centre & Resilience Manager **Emergency Planning Officer Head of Claims & Membership Head of Head of Risk Head of Quality Quality & Audit Fire, Health, Secretary Legal Services Manager Performance Management Assurance Manager & Safety Manager Assurance Membership Officers Performance Trust Q&A Facilitators Complaints Local Security X2 Co-ordinator Document x5 Manager Management Controller Specialist Q&A Project Complaint Fire Safety Performance NICE Support Facilitators Advisor Assistant Administrator Officer x2 X5 Risk & Governance Facilitators x8 Q&A Assistant Complaints Systems Apprentice Assistants Administrator / X2 Analyst - Secretary Q&A Filing Clerk x2 PALS Team Leader Claims Facilitator PALS Assistants X4 Claims Assistant * Post sits in Directorate of Operations structure, but post holder reports to the Director of Clinical and Quality Assurance & Trust Secretary in respect of the Emergency Preparedness and Resilience element of the role. ** Post sits in Directorate of Clinical and Quality Assurance & Trust Secretary structure, but post holder reports to the Operations Centre & Resilience Manager. Printed copies valid only if separately controlled Page 22 of 28