Risk Management Strategy, Policy and Procedure

Transcription

1 Title: Purpose: Risk Management Strategy, Policy and Procedure The overarching purpose of the risk management strategy is to describe the framework and processes within Cornwall Partnership NHS Foundation Trust (CFT) to: Identify, manage, eliminate, or reduce to an acceptable level, risks that threaten the delivery of high quality care and services. Maintain a safe environment for individuals who are legitimately accessing trust services Minimise financial loss to the organisation and to Demonstrate to the public, regulators, staff and commissioners, that the Trust is a safe and efficient organisation. Applicable to: Document Author: All staff Alison Whittaker Board Assurance Lead Rosie Wotherspoon Risk Coordinator Reviewed by Kylie Ward Risk Coordinator Freedom of Information: Ratified by and Date: This document can be released Sharon Linter - Director of Quality and Governance / Executive Nurse 5 December 2017 Review Date: June months prior to the expiry date Expiry Date: December years after ratification unless there are any changes in legislation or changes in clinical practice Policy library location: Corporate: Governance Related legislation and national guidance: ISO 31000:2009 Risk Management Principles and Guidelines The Health and Social Care Act 2008 Delivering the Forward View: NHS planning guidance 2016/ /21 DOH (2002) Code of conduct for NHS managers NHS Improvement Single Oversight Framework 2013 NHS Leadership Academy The Healthy NHS Board 2013 NHS Audit Committee Handbook 2014 NHS Foundation Trust Code of Governance updated July 2014 Page 1 of 46

2 Associated Trust Policies and Documents: Policy and procedure for the reporting and Management of Accident, Incident and Near Misses Clinical Risk Assessment and Risk Management Policy Corporate Curriculum Annual Governance Statement Equality Impact Assessment: Training Requirements: The Equality Impact Assessment Form was completed on 10 th November The provision of information, education and training is an important means of achieving competence and helps to facilitate safe working practices. This contributes to the organisation s risk management culture and is required at all levels, including the Executive Team and Trust Board. During induction, all members of staff within the organisation will be advised on the processes of risk management. All staff will be made aware of the concepts of risk management, health & safety, and incident and near miss reporting procedures. A training needs analysis, reviewed annually, identifies the training needs of all Trust staff, and training programmes are developed to ensure that these needs are met. The Board will agree the risk management training needs annually through the approval of the Corporate Curriculum. The Trust has a responsibility to ensure that staff are released from the workplace to attend training sessions. In addition, any staff unable to attend their mandatory training, due to physical or other constraints, must be notified to the training department. The Risk Co-ordinators provide one to one, or group, training on request. The Trust has a responsibility to ensure that adequate resources are available to implement the organisation s training programme for all staff. The Trust will ensure that all staff (qualified, unqualified, other clinical staff, bank and agency staff) are appropriately trained in line with the organisation s training requirements. Trust Board members and senior managers are also required to undertake Risk Management Training annually. This will be recorded, monitored and non-attendance followed up by the Director of Nursing. The organisation trains staff in line with the requirements set out in its training needs analysis and published in its Corporate Curriculum. Training which is categorised as statutory or essential must be completed in line with the training needs analysis and Corporate Page 2 of 46

3 Curriculum. Compliance with statutory and essential training is monitored through the Learning and Development team with monthly manager s reports and staff individual training records twice yearly. Training reports are also submitted quarterly through the Trust Quality and Governance Committee Meeting. Staff failing to complete this training will be accountable and could be subject to disciplinary action. Monitoring Arrangements: To ensure compliance with this strategy there will be an annual audit by the Internal Audit Department. The outcome of the audit will be reported to the Audit Committee and the Quality and Governance Committee. Training compliance will be monitored by the Workforce and Development Department Implementation: The implementation of this Strategy will be through the organisational Risk Management framework. Page 3 of 46

4 Version Control Version Date Reviewed Changes By Whom v1 Jan 2012 Amended for Board Geraldine Lavery Interim Director of Consultation Quality and Governance v2 Nov 2012 Amended for NHSLA Gillian Dinnis Patient Safety and Risk Manager Sara Bailey Head of Safety and Compliance v3 Oct 2013 Annual review Sara Bailey Head of Safety and Compliance v4 April 2014 Changes to risk appetite Trust Board April 2014 Amendment to Principal Risk definition v5 October 2014 Annual review Sara Bailey, Head of Governance v6 August 2015 Annual review Rosanna Wotherspoon, Risk Coordinator v7 February 2016 Review for the enlarged Sharon Linter, Director of Quality and organisation at 1 st April Governance / Executive Nurse 2016 (Adult Community Changes made on pages 8, 13, 16, Physical Health Services) v8 1 March 2016 Appendix D added along with narrative in section , 18, 27, 28 and 31 Alison Whittaker, BAF Lead Changes made on pages 24 and 38 v9 20 October 2016 Annual review Governance Risk Team v10 8 November 2016 Amendments requested by Executive Management Group Amendments to reporting structures and accountabilities v11 November 2017 Annual Review Quality & Governance Committee This document Replaces: GOV/016/16 Risk Management Strategy, Policy and Procedure Page 4 of 46

5 Contents 1. Introduction Policy Statement Purpose and Aim Scope Definitions Roles and Responsibilities Risk Assessment and Scoring Risk Management Process Internal Control Training Monitor and Review Arrangements Appendix A Risk Identifiers Appendix B Risk Scoring Guide Appendix C Adequacy of Assurance Scoring Matrix Equality Impact Assessment Proforma Initial Screening Page 5 of 46

6 1. Introduction Cornwall Partnership NHS Foundation Trust s (The Trust) Board is committed to ensuring that effective risk management is a fundamental part of its management approach and underpins all activities. The British Standard BS31000:2009 states that a systematic, structured and timely approach to risk management contributes to efficiency and to consistent, comparable and reliable results. As such, The Trust s approach to risk management is one of proactively identifying, mitigating, monitoring and reviewing. Risk management is an essential part of any organisation and must be integrated into a responsible, and fair, culture led by the most senior management. It should methodically address the risks relating to the organisation s activities past, present and future in order to support the delivery of high quality care, and services. Effective risk management should protect and add value to the organisation and its stakeholders and in turn robustly support the organisation s objectives by: Providing a framework that enables future activity to take place in a consistent and controlled manner. Improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat. Contributing to the efficient use/allocation of capital and resources within the organisation. Protecting individuals who come into contact with the organisation. Protecting and enhancing assets and organisational reputation. Developing and supporting people and the organisation s knowledge base. Optimising operational efficiency. The Trust recognises that health and social care is, by its very nature, a high risk activity. A positive risk management culture supports staff to make sound judgements and informed decisions concerning the management of risk and risk taking. In these circumstances, where staff have undertaken and documented a risk assessment, identified the appropriate action, monitored the implementation of such action and complied with Trust policies and procedures, they can be assured of the Trust s commitment and support for their actions. 2. Policy Statement The Trust Board is committed to delivering services to a high standard, and ensuring that any risks are minimised through organisation wide robust risk management processes. The Trust s strategic objectives and associated strategies, policies and plans demonstrate a commitment to raise standards and continuously improve the quality of services through making risk management part of normal daily work practice. In setting out processes which seek to effectively identify, analyse and control risk, this strategy is consistent with the requirements of the International Organisation for Standardisation (ISO) 31000:2009 Risk Management Principles and Guidelines. In addition this strategy will support The Trust to demonstrate compliance with regulatory requirements. 3. Purpose and Aim Page 6 of 46

7 The overarching purpose of the risk management strategy is to describe the processes within Cornwall Partnership NHS Foundation Trust (CFT) to: Create a culture where staff recognise and acknowledge risk as the responsibility of everyone to manage Identify, manage, eliminate, or reduce to an acceptable level, risks that threaten the delivery of high quality care and services Maintain a safe environment for individuals who are legitimately accessing trust services and premises. Minimise financial loss to the organisation Allocate appropriate resources to manage risk Demonstrate to the public, regulators, staff and commissioners, that the Trust is a safe and efficient organisation able to meet statutory obligations Support the Trust s system of internal control 3.1 In order to achieve the above, the strategy has the following aims: Through robust reporting routes, ensure the Board is aware of the risks to the achievement of statutory obligations and the strategic objectives which are agreed by the Board annually. 3.2 In addition the Board will: Identify, control, eliminate or mitigate to an acceptable level all risks which may adversely affect the quality of care or the health, safety and welfare of those who legitimately come into contact with the organisation. Provide training to staff, including the Board members, to enable them to understand the risks the Trust faces, their causes and how they may be controlled. Work together with partner organisations, and agencies, to facilitate a cohesive approach to the management of risks across organisations and across care pathways. Ensure that every member of staff has a sense of ownership and commitment to identifying and minimising risk. 4. Scope The strategy relates to the identification and management of the risks relating to the Trust and applies to all Trust employees, contractors, bank, locum and agency staff. Risk covers the physical environment and the process of delivery of care and services as well as the risks associated with not taking a course of action, which could prevent foreseeable harm to an individual or to Trust property, financial resources, projects and credibility. 5. Definitions 5.1 Acceptable Risk accepting a risk means agreeing to live with it as it stands. A risk can be accepted if it is small enough to have an immaterial effect on the Trust s objectives, or where all reasonable action has been taken by the Trust but some risk still remains and, practicably, this cannot be reduced any further. 5.2 Accident is an unplanned and uncontrolled event that could lead to injury, ill health, or damage to property or equipment. Page 7 of 46

8 5.3 Annual Governance Statement provides assurance that the Trust has a generally sound system of internal control that supports the achievement of its policies, aims and objectives, and provides details of any significant internal control issues. 5.4 Assurance evidence that control measures are working effectively to manage risk. This can be internal (e.g. workplace review, scrutiny by a Committee or the Board) or external (e.g. audit by an outside body such as the Health and Safety Executive or Care Quality Commission). Assurance can be positive (providing evidence that controls are achieving the desired outcome) or negative (providing no such comfort and perhaps indicating the need for further action). 5.5 Board Assurance Framework (BAF) the Board Assurance Framework is a dynamic board level summary document. It identifies which of the organisation s strategic objectives are at risk because of inadequacies in the operation of controls or where the organisation has insufficient assurance that controls are effective. It also provides a summary of action being taken to address such deficiencies. At the same time, it records structured positive assurances about where principal risks are being managed effectively and objectives are being delivered. 5.6 Clinical risk is any clinical activity, which could have a direct effect on patient care. This may include the lack of availability of services, supervision and competency of staff or adherence to Trust policies. 5.7 Consequence a measure of the impact that the predicted harm, loss or damage would have on the people, property or objectives affected. 5.8 Controls a measure that is in place to manage risk and assist in securing the delivery of objectives. Controls are designed to make a risk less likely to happen, or reduce (mitigate) its effect if it does happen. The controls recorded on the Board Assurance Framework should focus on the key strategic controls that help the Trust to manage principal risks and secure delivery of the organisation s strategic objectives. The Risk Register may document additional controls in more detail, along with actions to address perceived gaps, as it serves as an action planning tool to manage risk, rather than a Board level summary. 5.9 Employee risk may include an activity that may hinder an individual employee s contribution to the achievement of the organisation s objectives Financial business risk may include financial restraints, losses, irregularities or lost opportunities to deliver financial gain which may affect the Trust s ability to resource the services it provides Financial impact (if risk materialises) where appropriate, risks should be assessed for their financial impact. This is the cost that the Trust accepts in order to achieve adequate management of the risk and should be considered alongside the maximum cost that the Trust is willing to tolerate by way of losses if the risk were to materialise. The Trust recognises that not all risks are easily assessed in terms of their financial impact Health and safety risk may include fire safety, security, buildings, plant and machinery, unsafe systems of work, failure to comply with health and safety legislation. Page 8 of 46

9 5.13 Hazard is something with the potential to cause injury, ill health or damage and may include substances, buildings, equipment, or work practice Incident is an event or circumstance which could have resulted, or did result, in damage, loss or harm to patients, staff, visitors or members of the public. This may be clinical or nonclinical e.g. suspected suicide, drug error, missing person, violence, fire, theft Information risk may include the potential for the loss, disclosure or breach of Trust information (whether clinical or corporate) or an information asset Integrated Governance Systems, processes and behaviours by which trusts lead, direct and control their function in order to achieve organisational objectives, safety and quality of services and in which they relate to patients and carers, the wider community and partner organisations Likelihood a measure of the probability that the predicted harm, loss or damage will occur Major risk any risks, including principal risks, with an overall score of at least 15 (minimum of Consequence x 5 and Likelihood x 3 or Consequence x 3 and Likelihood x 5) Near miss is an incident that had the potential to cause harm but was prevented. Evaluation of near miss events can provide valuable lessons to strengthen procedures, processes and systems Operational risk results from the day to day running of the Trust and includes a broad range of risks including clinical, financial, health and safety, information governance. Operational risks are usually managed by the service in which they are identified Organisational risk is any activity, which could have a detrimental effect on the day-today performance of the Trust, and the services it provides. This may include the recruitment and selection of staff; training and education; finance and information systems; confidentiality and communication Physical controls may include locked cupboards for controlled drugs, passwords on information management systems, clearly defined roles and responsibilities, separation of duties, training programmes and management controls including: policies, procedures and guidelines Principal risks any risks that could prevent the achievement of one or more of the Trust s strategic objectives, as recorded in the Board Assurance Framework, and where the risk rating matches, or exceeds, the risk appetite score for the strategic objective in question. Principal risks must be approved / removed by the Board and are recorded on both the BAF and the Corporate Risk Register Proactive risk management identifies risks that arise from forward looking plans, such as the Annual Plan, high level projects, national policy developments and other formal work plans. These risks reflect the circumstances, actions, situations or events that may threaten the achievement of strategic and operational objectives, or may arise if the objective is not met. Page 9 of 46

10 5.25 Reactive risk management identifies risks that occur as a result of something that has already happened, such as an incident, complaint or claim, or issues raised by internal or external audit. An over-arching risk may also be identified as result of analysis of trends in data, or from the results of physical (health and safety) risk inspections, for example, ligature audits Risk The International Risk Management Standard ISO BS 31000:2009 defines risk as being the effect of uncertainty on objectives. An effect may be positive, negative or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence Risk appetite The amount and type of risk that an organisation is willing to pursue or retain. The risk appetite for principal risks is documented in section Risk assessment the process used to evaluate the hazard / risk and to determine whether precautions are adequate or whether more should be done. This gives rise to a risk rating Risk identification for a list of risk identifiers see Appendix A Risk management is defined in ISO BS 31000:2009 as coordinated activities to direct and control an organisation with regard to risk. The purpose of risk management is not to remove all risk but to ensure that risks are recognised and their potential to cause loss fully understood. Action can then be taken to direct appropriate levels of resource at controlling the risk or minimising the effect of the potential loss Risk mitigation the process of determining what will be done and who will be responsible for the risks that have been identified. Risk mitigation converts the risk assessment into an action plan Risk rating the overall score assigned to each risk, based on the initial likelihood and consequence scores assigned in accordance with the Trust s risk matrix. As action to mitigate the risk is taken, the risk rating may reduce Risk Register a log of risks of all kinds and levels that may threaten the achievement of the organisation s objectives and key activities. It is a dynamic living document which is populated through the organisation s risk assessment and evaluation process. The risk register enables risks to be quantified and ranked. It provides a structure for collating information about risks Risk treatment option includes the action(s) taken to remove or reduce the consequence and / or likelihood of an identified risk. Risk treatment is evaluated in terms of feasibility, costs and benefits with the aim of choosing the most appropriate and practical way of reducing risk to an acceptable level. The option chosen should result in an action plan to deal with risks as soon as possible and before they materialise, and a contingency plan that provides for recovery if a risk is realised. Risk action plans will manage different risks in different ways. They may seek to; Page 10 of 46

11 Avoid, such as deciding not to proceed with the activity to eliminate the likelihood of occurrence; Adopt, having appropriate contingency plans in place, such as sharing the risk with another party e.g. insurers; Adapt, introduction of controls, that are balanced between the cost of the controls and the cost if the risk is realised; Accept, following risk reduction methods the risk may still be accepted by the organisation 5.35 Strategic objective A broadly defined objective that an organisation must achieve to make its strategy succeed. 6. Roles and Responsibilities 6.1 Committees / Groups The corporate responsibility for achieving the objectives of the risk management agenda rests with the Board, delegated committees of the Trust Board and high level committees. The delegated and high level committees with the overarching responsibility for risk identification and management are listed below. Committee / Group Audit Committee Responsibility To receive the full BAF and Corporate Risk Register, at least, four times a year for assurance and scrutiny. To review the establishment and maintenance of an effective system of risk management across the Trust activities. To provide assurance to the Board on the adequacy of its wider organisational controls. To review the establishment and maintenance of an effective system of integrated governance, risk management and internal control that supports the achievement of the organisation s objectives. Page 11 of 46

12 Board of Directors To oversee the process of risk management and approve the strategic objectives, at least, annually. To review the BAF at least four times a year considering and, where appropriate, approving BAF amendments recommended by the Executive Management Group (EMG) and Quality and Governance Committee (Q&G), including the removal or addition of principal risks. In the intervening months, changes to principal risk entries recorded on the Risk Register and agreed by EMG will be presented to the Private & Confidential Board for approval, thus not requiring agreement from Q&G. A schedule of such amendments will be presented to Q&G for information. Receive for assurance the corporate risk register in order to review decisions made by the Executive Management Group in relation to non-principal risks (which do not need Board approval). Executive Clinical Risk Group Executive Management Group To receive serious incident reports and identify any resultant risks to the organisation or to patient safety. To consider the Corporate Risk Register at each of its meetings, and the Board Assurance Framework at least four times a year. To discuss the Board Assurance Framework and corporate risk register including the identification of new principal risks. Material amendments to principal risks are to be reported to the Quality and Governance Committee (Q&G) by way of the BAF, for recommendation to the Board four times a year. In the intervening months, changes to principal risk entries recorded on the risk register and agreed by EMG will be presented to P&C Board for approval, thus not requiring agreement from Q&G. A schedule of such amendments will subsequently be presented to Q&G for information. The EMG may update controls and actions relating to nonprincipal risks on the Corporate Risk Register, and agree the inclusion or removal of non-principal risks rated at 15, or above, without the approval of the Board. Responsibility for the approval of any decisions to amend a principal risk, or to agree its inclusion or removal from the BAF, remains with the Board. To review relevant strategic objectives on the Board Assurance Framework. Fire Safety Committee Health and Safety Committee To identify and manage any fire related risks. To receive reports to identify any organisational health and safety risks and to manage them as considered appropriate. Page 12 of 46

13 Information Governance Steering Group Clinical Quality Assurance Groups (CQAG) and Departmental Lead Meetings To be responsible for the development and implementation of effective information governance systems to assess information governance incidents and risks and make recommendations in relation to action. To review and agree risk registers including identifying, and recommending to the Risk Co-ordinators, risks that have the potential to become corporate risks ie risks scored at 15 or above, or have the potential to threaten the achievement of a strategic objective and which may need further consideration as possible principal risks. To manage service / departmental / locality risks with a risk score of between 8 and 14 and conduct a full review of all risks within the service / department on a six monthly basis. To receive and review reports to identify actions and learning in respect of risks, incidents and complaints. Performance, Finance and Investment Committee Performance, Information Management Meeting Quality and Governance Committee To receive assurance that financial risks, investments and related items are being appropriately identified, assessed and managed. To review, discuss and make recommendations in relation to service risk registers. To review the BAF at least four times a year and to consider suggestions emanating from the Executive Management Group (EMG) regarding proposed changes to the information recorded on the Board Assurance Framework, including the removal or addition of principal risks and in order to make recommendations to the Board for approval. To receive, for information, a schedule of any changes to principal risks as recorded on the risk register, which have been proposed by EMG and approved by the P&C Board in the intervening period since the previous Q&G review. To review relevant strategic objectives on the Board Assurance Framework. 6.2 Chief Executive The Chief Executive is the Accountable Officer for effective risk management and the system of internal control within the Trust. The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve objectives, aims and policies. The Chief Executive is also responsible for meeting all statutory requirements including health and safety and ensuring risk management systems are established, implemented and maintained in accordance with organisational arrangements. Page 13 of 46

14 The Chief Executive has delegated responsibilities for overseeing and implementing risk management to other individuals, committees and groups within the organisation, however, it is the responsibility of the Chief Executive to determine the allocation of resources to adequately manage risks. 6.3 Trust Board The Trust Board is responsible for the annual approval, implementation and overseeing of the Risk Management Strategy and processes and for advising the Chief Executive as necessary. The Trust Board is also responsible for: 1) Annual agreement of the Trust s strategic objectives; 2) At least annual approval of principal risks affecting the Trust s strategic objectives; 3) At least four times a year, reviewing and approving the content of the Board Assurance Framework (BAF), including taking any decisions on the removal and acceptance of principal risks; 4) Reviewing decisions made by the Executive Management Group on the non-principal risks contained within the corporate risk register, and to review and approve any proposed changes to principal risks which are recorded on both the corporate risk register and the BAF; 5) Identification and allocation of appropriate resources required to implement risk management initiatives; 6) Provision of continuing support to the key committees of the Board and its subcommittees or groups; 7) Provision of appropriate and adequate training in the identification and management of risk to all members of the Trust including Trust Board members. 6.4 Executive Directors Executive Directors are responsible for the implementation of risk management and its assurance mechanisms, bringing together all risk agendas, and shall: 1) Make the care and safety of patients and staff their first concern and act to protect them from risk (Code of Conduct for NHS Managers). 2) Collectively share responsibility for risk management and for formally reviewing, at least four times a year, the management of principal risks against strategic objectives as identified in the Board Assurance Framework. 3) Have individual and collective responsibility for the monthly review of risks relating to the corporate risk register. 4) Acknowledge, and demonstrate, their responsibility and accountability for Trust activities as recorded in job descriptions, annual appraisal and objectives. 5) Ensure staff undertake training to enable them to implement the risk assessment process. 6) Raise risk awareness amongst staff through job descriptions, appraisal, objective setting, training compliance and learning from audit, accidents, incidents, complaints and patient experience contacts. 7) Proactively assess and mitigate risks to the organisation through review of national reports, guidance and statute. 8) Continuously monitor and review the effectiveness of the Risk Management Strategy and contribute to its annual review. Page 14 of 46

15 9) Be accountable to the Trust s Chief Executive for ensuring that all risks relating to their area(s) of responsibility are identified, managed, mitigated and reported, identifying actions and controls. 10) Have individual responsibility for the review of principal and corporate risks, and any wider risks, for which they are responsible. 6.5 Non-Executive Directors Non-Executive Directors are responsible for providing independent assurance to the Trust Board on the risk management structure and processes. Non Executives should also provide challenge and scrutiny of risk management processes. 6.6 The Chief Operating Officer The Chief Operating Officer is the Executive with delegated responsibility for Health and Safety which includes: 1) Operational Health and Safety, Fire Safety and Security, and securing specialist advice. 2) Emergency Planning. 3) Ensuring the annual service planning process takes place engaging clinicians and managers in identifying and mitigating risks. The Chief Operating Officer is also the Nominated Security Director. 6.7 Care Quality Commission (CQC) Nominated Individual The Nominated Individual is a role required by the Care Quality Commission which is responsible for ensuring that notifications are reported to the CQC as required. 6.8 Director of Finance, Performance and Information The Director of Finance, Performance and Information has delegated responsibility for financial control, information and performance including: 1) Information management and technology 2) Contract management 3) Performance improvement information 4) Contracting 5) Estates and facilities 6) Internal Audit 7) Counter fraud And, through contract arrangements shall: 1) Provide a safe and reliable estate, including facilities management, and report through relevant Trust reporting structures 2) Require that staff and contractors are trained and supervised in accordance with organisational policy and the Health and Safety at Work Act 1974 especially in relation to the specialist areas of work they are accountable for. Page 15 of 46

16 6.9 The Medical Director The Medical Director is the professional lead for medical staff and is involved in a range of risk management areas within the Trust, including the co-ordination of clinical audit processes where risks are identified. The Medical Director is also the nominated Caldicott Guardian The Director of Human Resources and Organisational Development The Director of Human Resources and Organisational Development is responsible throughout the organisation for: 1) Human resources and workforce planning, recruitment, staff engagement and retention. 2) Equality and diversity 3) Including obligations in respect of risk management in job descriptions, annual appraisals and objectives of all relevant staff The Director Nursing The Director of Nursing is responsible for risk management throughout the Trust with particular responsibility for: 1) Information risk 2) Organisational governance 3) Information Governance 4) Organisational Reputation 5) Regulatory compliance 6) Organisational risk management, including the management of risk registers 7) Infection Prevention and Control 8) Serious incidents 9) Adult and child safeguarding 10) Privacy and dignity including gender sensitive services 11) Training and education. 12) Legal services The Director of Nursing is the Senior Information Risk Owner (SIRO) for the Trust and provides the focus for the management of information risk at Board level Associate Directors / Locality Directors / Service Managers / Departmental Heads Associate Directors / Locality Directors / Service Managers and Departmental Heads are responsible for the identification, management, mitigation and reporting of risk in their individual areas, supported by a wider range of clinical and corporate information. Day to day risk management is devolved to team managers with risk identification being the responsibility of all individuals. Associate Directors / Locality Directors / Service Managers and Departmental Heads should ensure that all risks within their areas are reviewed in full, on a six monthly basis as a minimum, and are responsible for ensuring that processes are in place for managing risks with a risk score of between 1 and 14, with risks scored between 8 and 14 reviewed at each meeting of the Clinical Quality Assurance Group or equivalent. Page 16 of 46

17 In urgent circumstances, the service Associate Director, or Locality Director, with notification to the Chief Operating Officer, may raise urgent risks scoring 15 or above directly to the risk register without prior approval by an appropriate committee / group, for consideration by the Executive Management Group Managers and Team Leaders Managers, and Team Leaders, are responsible for identification of risks and for implementing and monitoring any identified risk management control or assurance measures within their designated area of responsibility. They are expected to address risks as they arise and escalate those that they are unable to manage. Any potentially serious risks to the achievement of service objectives or Trust strategic objectives must be brought to the attention of an Associate Director, or Director, immediately by , or telephone conversation, in order that a decision can be reached, through the appropriate Committee, on whether to escalate the risk to the Executive Management Group for inclusion on the Corporate Risk Register and consideration as a potential principal risk. In urgent circumstances, approval by a committee/group can be bypassed and the risk escalated directly to the risk register by the service Associate Director with notification to the Chief Operating Officer. Any potential principal risks will need to have Board approval before they can be added to the BAF The Board Secretary The Board Secretary provides the Trust with advice and support on NHS Improvement compliance and Trust legal responsibilities, working with the Trust solicitor where appropriate. The Board Secretary will also seek Board approval of the strategic objectives for the coming financial year and co-ordinate the delivery of the Annual Governance Statement Associate Director of Governance The Associate Director of Governance is responsible for the development of the Risk Management Strategy and overseeing the effective delivery of risk management processes Patient Safety and Compliance Lead The Patient Safety and Compliance Lead is responsible for: 1. Developing processes to improve and monitor patient safety within the Trust. 2. Promoting a learning culture and implementing processes to support the delivery of the risk management strategy in the area of patient safety. 3. The development and management of the Safeguard system in relation to incident management and for discussing any potential changes to the Safeguard system with the Associate Director of Governance or Risk Co-ordinators to determine any potential impact on the risk process Deputy Director of Nursing The Deputy Director of Nursing is responsible for the identification, and reporting, of risks that arise from complaints and patient contacts. Page 17 of 46

18 6.18 Board Assurance Lead The Board Assurance Lead is responsible for the maintenance of, and reporting on, the Trust s Board Assurance Framework, encompassing all principal risks with controls and assurances logged, updated and reported to inform the Board agenda Risk Coordinators The Risk Coordinators are responsible for: 1. Development, management and maintenance of the overall Trust electronic risk management system, known as Safeguard, as it relates to the risk register component. 2. Provision of training to staff. 3. Making suggested amendments to the Risk Management Strategy to reflect operational arrangements. 4. Providing support to the Board Assurance Lead including the provision of cover, when required Specialist / Professional Leads All Specialist / Professional Leads have the responsibility to: 1. Act as a resource to develop generic risk assessments and review and update as required 2. Support staff to localise these to their own area of work, developing actions where required. The Local Counter Fraud Specialist (LCFS) The LCFS provides staff with advice and support relating to countering fraud in the NHS in accordance with the NHS Counter Fraud Strategy. The LCFS carries out both national and local pro-active work to raise awareness of fraud and to reduce the likelihood and impact of fraud. The LCFS will investigate all suspected cases of fraud and corruption in accordance with the NHS Fraud and Corruption Manual. Where system weaknesses are identified these will be reported to the Trust. Internal Audit Internal Audit plays a central role in maintaining a sound system of internal control. While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed. Additionally, Internal Audit undertakes an annual review of the Trust s arrangements to manage risk. This is a key audit which informs the Head of Internal Audit Opinion (HoIAO) and the Annual Governance Statement. Health and Safety Managers The Health and Safety Managers provide operational advice to staff to support the identification, management and reporting of health and safety risks. Page 18 of 46

19 Head of Security / Local Security Management Specialist (LSMS) Document Reference Code: GOV/016/17 The Head of Security and LSMS has responsibility for security matters and will provide advice and assistance on all risks associated within the remit of security. The primary responsibility remains at local level. The Head of Security and LSMS promotes the reporting of all incidents within the security remit through the Trust s incident reporting system and where appropriate to the Police and / or the Security Management Director. Support and advice is also provided in relation to security, staff support and violence and aggression management as recommended. All staff, including permanent, fixed term, bank, agency or volunteers The Trust is committed to ensuring that every member of staff has a sense of ownership and commitment to identifying and minimising risk. Staff at all levels are responsible for reporting and responding to risks. All staff are required to participate in training sessions and carry out any agreed control measures and duties as instructed. 7. Risk Assessment and Scoring The risk assessment process should take place alongside entering the risk onto the Trust Risk Management System, Safeguard. Once a risk has been entered it will appear on the Trust risk register and will be reported taking account of the risk score, originating department and relevant stakeholder(s). Risk assessment can be very subjective and entirely dependent upon an individual s view of risk. In addition an individual s knowledge and expertise (both real and perceived) can adversely affect their consideration of the significance of a risk. Multi-disciplinary team involvement in assessing risk can result in a more rounded view and is encouraged wherever possible. Once identified, risks should be assessed in terms of the likelihood of the risk materialising, and the consequences if the risk did occur. Risks should be assessed using the 5 x 5 Trust risk matrix below: Guidance on the risk assessment process for allocating a score for risk likelihood and consequence is available in Appendix B. Once the risk likelihood and consequence has been assessed, the risk score, level and management level will be realised, as detailed below: Page 19 of 46

20 Risk Score Risk Level Responsibility Score 1-3 Low Managers and Supervisors bands 6 and 7 Score 4-7 Moderate Managers and Supervisors bands 6 and 7 Score 8-14 High Associate Directors / Service Managers /Locality Managers, Departmental Heads, Professional Leads E.g. Operational Assurance Groups Score 15+ Extreme Directors And all approved principal risks, regardless of score 8. Risk Management Process 8.1. Process Overview The risk management process is the means by which the Trust will manage the risks to the organisation. The process for the management of risk in the Trust is based on the International and British Risk Management Standard ISO/BS 31000:2009 as demonstrated in the diagram below: The Trust accepts that it will not be possible to eliminate, or minimise, all risks identified immediately. Some may require further research and development; others may require financial planning or require time to undertake the work. Eliminating organisational risk altogether would go against the best interests of any organisation. If risk is not taken then improvement may not occur and new opportunities may not progress. Effective risk management, therefore, will enable the Trust to manage the risks associated with opportunities. Failing to consider the context of the risk or performing appropriate analysis and evaluation may mean those undertaking the risk assessment put in place inadequate quick fixes. It is, therefore, important to consider underlying systems when undertaking these assessments, such as existing actions or planned schedules. In some cases, it may be necessary to implement short term solutions, but in considering all the information, the risk assessment process can help to inform longer term planning processes and provide a means to consistently identify, prioritise and manage the risks involved in all business activities. It requires a balance between the cost of managing risks and the anticipated benefits that will be derived. Page 20 of 46

21 The risk register should not be a static document but should be seen as a risk action planning tool where potential risks are identified, actions taken to reduce the impact of the risk if an event were to occur, or reduce the likelihood of the risk occurring. 8.2 Authority for the Management of Risk A risk owner should be identified to manage the risk, alongside a Director/Associate Director or Locality Director. The risk owner should have sufficient seniority to identify appropriate controls and implement appropriate actions to address the risk and ensure that any action plan is followed through. They must be able to identify and request additional resources and know when to escalate a risk which is beyond their capability, or authority, to manage. Managers are responsible for managing risks locally through the risk register. Risks should be managed as soon as they arise, wherever possible. Prioritisation of risk is undertaken by reference to the risk score which is based on the potential risk rating. Potential principal risks are reviewed by the Executive Management Group for consideration for inclusion on the Corporate Risk Register regardless of the risk score. All principal risks require Board approval before they can be acknowledged as such on the Corporate Risk Register and entered onto the BAF. Responsibility is detailed below: Risk Score Risk Level 1 3 Low 4-7* Moderate 8-14* High Responsibility Risk assessment conducted, ideally involving a number of staff. Entered onto Safeguard. Ward/team managers and supervisors, band 6 7, to monitor risk and deliver action plan. Risk assessment conducted, ideally involving a number of staff. Entered onto Safeguard. Ward / team manager advised. Ward / team managers bands 6 and 7, to monitor risk and deliver action plan. Risk assessment conducted, ideally involving a number of staff. Entered onto Safeguard. Risk reported to Associate Director/Locality Director. Action plan should include urgent action to reduce risk. Associate/Locality Directors, Band 8 Managers Specialist/Professional Process Held on risk register at ward, team and nominated individual committee/group level. Reviewed by manager, at a minimum, quarterly and at Clinical Quality Assurance Group or relevant committee at least 6 monthly. Held on risk register at ward, team and nominated individual committee/group level. Reviewed by manager monthly and Clinical Quality Assurance Group or relevant committee at least 6 monthly. Responsibility for monthly review of risks closed, or assessed and removed, at the level below. Reviewed by Clinical Quality Assurance Groups / Departmental Lead meetings monthly and any relevant nominated corporate committee at each meeting. Responsibility for monthly review of risks closed, or assessed and removed at the level below and for the inclusion and removal of risks at this Page 21 of 46

22 15-25* Extreme Leads and Clinical Quality Assurance Groups / Departmental Leads to monitor risk and delivery of actions. Risk assessment conducted, ideally involving a number of staff. Risk to be reported to Associate Director/ Locality Director who should consider reporting to an Executive immediately but at least within the month following discussion of the risk at the relevant Clinical Quality Assurance Group / Committee where agreement was reached to raise the risk to Executive Management Group. Action plan should include immediate actions to reduce risks. Executive Management Group and Directors to monitor risk and delivery of action plan and consider whether the risk should be considered a principal risk. Document Reference Code: GOV/016/17 level Executive Management Group review monthly and make decisions with regard to the inclusion or removal of non-principal risks scored at 15 or above. The Quality and Governance Committee (Q&G), following proposals from the Executive Management Group (EMG), make recommendations on assessing, amending, agreeing or removing principal risks to the Board for approval, except where such recommendations are taken direct from EMG to the P&C Board in the intervals between Q&G meetings Clinical Quality Assurance Groups receive for information and should review and update the risk actions, at least monthly, relating to their area of responsibility *But with the exception of those that are identified as matching or exceeding the risk appetite and posing a risk to the achievement of one or more strategic objectives (i.e. principal risks). The management of these risks is determined by the Executive Directors, the Executive Management Group, Quality and Governance Committee and Trust Board. 8.3 General Risk Assessments General risk assessments are assessments of specific processes or areas ie Lone Working or use of equipment. It is important that these assessments are kept up to date and made available to everyone who needs to know about them. However, review periods will normally be longer than individual assessments, which are reviewed sometimes on a daily basis. General risk assessments should be managed locally and escalated as appropriate. General risk assessments are often accepted risks and could be reviewed on an annual basis or when a change occurs. 8.4 Process for managing extreme and principal risks (Corporate Risk Register) The corporate risk register contains significant risks across the organisation and includes principal risks and any risks which are rated at a score of 15 or above. The risk register is formally reviewed, by the Executive Management Group which determines whether or not any such non-principal risks should be included onto, or removed from, the Corporate Risk Register, or otherwise amended. The Board of Directors receive the full corporate risk register at each meeting. The Board reviews decisions made by the Executive Management Group, in relation to non-principal risks, for assurance of appropriate management of these risks. Page 22 of 46

23 The monthly review of the Corporate Risk Register by the Executive Management Group will necessarily include consideration of principal risks as these are included on that register. However, only the Board can approve amendments to principal risks. Updates to principal risks, as part of the BAF update, are formally reviewed by the Executive Management Group (EMG) and reported to the Quality and Governance Committee at least four times a year before going to Board for approval. If updates to principal risks are required outside the scheduled reporting cycle, e.g. to agree a new principal risk or remove an existing one, addition or closure of actions, new controls etc., these changes may be reported to the Private and Confidential Board by the relevant Executive, after discussion at the Executive Management Group meeting, and presented to the P & C Board for consideration and approval without discussion at the Quality and Governance Committee (Q&G). A schedule of such amendments will subsequently be presented to Q&G for information. See also Section 9 regarding the BAF/ 8.5 Accepted Risk An accepted risk is a risk that the risk owner feels comfortable in facing and which, if the worst happened, would not threaten the survival of an individual or the organisation or its capability to meet its objectives. Only the Board can accept a principal risk. Deciding what is an accepted risk involves taking account of, and recording, the financial loss/cost, likelihood or occurrence and/or threat that the particular risk poses, if the individual or the organisation were exposed to it. 8.6 Closure of a risk Risks may be closed at the level of individual responsibility recorded within this document. This applies to all risks except those which are identified as principal risks. Closure of these risks remains the responsibility of the Board. 8.7 Links to incident management Some hazards may be identified as a result of an accident, incident or near miss (e.g. concerning patient or staff safety). In such cases, it is important to follow the Trust s Policy and Procedure for the Reporting and Management of Accident, Incident and Near Misses and to ensure the details are properly recorded on the Safeguard incident management system, in addition to completing the risk assessment process, to ensure that lessons are learnt and measures put in place to try to reduce the risk of the hazard reoccurring. The Trust will learn from investigations and incidents that have materialised. The Governance Team will review the incident reporting system on a regular basis to determine whether incidents pose a risk to the organisation. They will also support staff in this process. 8.8 Links to clinical audit, policy compliance monitoring and service evaluation During the above processes risks may be identified. It is essential that these are escalated to the relevant Associate/Locality Director and the Medical Director at the first opportunity. The information collated should be used to generate a new risk or to update the risk where these risks are already in place and held on the risk register. Page 23 of 46

24 9. Internal Control The Trust s system of internal control is based upon an on-going risk management process designed to identify the principal risks to the achievement of the organisation s objectives; to evaluate the nature and extent of those risks, and to manage them efficiently, effectively and economically. The system of internal control includes: 9.1 Board Assurance Framework (BAF) The Board Assurance Framework (BAF) provides clarity over the risks (defined as principal risks) that may impact on the Trust s ability to deliver its strategic objectives. This simplifies Board reporting and prioritisation, which in turn allows more effective performance management. The Board Assurance Framework, which is reported to Board at least four times a year, also facilitates the preparation of the Board agenda and the reporting of key information to the Board. At the same time, it records structured positive assurances about where risks are being managed effectively and objectives are being delivered. Any new principal risks will be considered and approved by the Board before being accepted as such and added to the BAF. The Board will also consider for approval any recommendations to remove principal risks from the BAF. The populated BAF articulates clearly the key strategic controls in place to ensure that principal risks are being managed and the sources of evidence, or assurance, that the controls are operating effectively to secure delivery of the organisation s strategic objectives. Assurances, or evidence, about the efficacy of control measures are assessed against an adequacy matrix (See Appendix C) to inform the Trust of the degree of reliance that can be placed on an assurance. The BAF is formally reviewed and updated at least four times a year, with recommendations proposed by EMG and Q&G Committee going to the Board for approval. In the intervening months, changes to principal risk entries recorded on the Risk Register and agreed by EMG will be presented to the P&C Board for approval, thus not requiring agreement from Q&G. A schedule of such amendments will be presented to Q&G for information. The BAF also receives scrutiny from the Audit Committee at least four times a year. Individual Executive Directors review their BAF entries, normally monthly, to monitor progress against actions and to identify changes that need to be reported in the next BAF update. This process is illustrated in the diagram on the following page: Page 24 of 46

25 BAF PROCESS Document Reference Code: GOV/016/17 BOARD Full BAF agreed (lockdown) Reviewed by Executives Individual reviews with BAF Lead Amendments / changes reflected to EMG If updates to principal risks are required outside the scheduled reporting cycle, EMG may recommend these to the P & C Board for approval without discussion at Q&G. A schedule of such amendments will subsequently be presented to Q&G for information EMG Amendments / changes reflected to Q&G Reviewed and amendments agreed and proposed by Executives for Q&G QUALITY & GOVERNANCE COMMITTEE Reviewed and amendments agreed and proposed by Q&G for Board Page 25 of 46

26 In addition, the Audit Committee reviews the BAF at least 4 times per year with a particular focus on the quality and reliability of assurances. This is part of the Audit Committee's overarching role in reviewing the establishment and maintenance of an effective system of internal control which supports the achievement of the Trust's strategic objectives, and providing assurance to the Board on the adequacy of the organisation's controls. 9.2 Risk registers A risk register is a prioritised record of risks faced by the Trust, used to help ensure that appropriate action is taken to control, reduce or eliminate each risk. The Trust holds one risk register from which tailored reports can be produced for each directorate / Service / Locality / Team. The management of each risk depends on the level of the risk score and if there are any other groups or committees with an interest (Stakeholders). An individual risk may be reviewed by more than one committee/group, although it will only have one dedicated owner who is responsible for managing the risk and ensuring that it is reviewed and updated at appropriate, defined intervals. The risk register s content is derived from best practice, including the international risk management standards. It includes the following: A unique identifying number which is allocated on the data base and remains constant throughout the life of the risk. (The BAF risk reference for principal risks may be different but will be cross-referenced to the Corporate Risk Register reference) Date the date the risk was added in the following format 03/08/12 (day, month, year) Risk description, controls, likelihood and consequence (as previously defined) Initial risk score the risk score as the risk stands when it was first identified, based upon the Trust s 5 x 5 scoring matrix. Current risk score - the up to date risk rating at the date of review, amended where necessary to reflect any controls that are in place, (which may, for example, impact on the likelihood of the risk) RAG the red / amber / green risk rating Modified date the date which the risk actions or progress was last updated, or reviewed. Owner the person responsible for the risk Action responsibility details who is responsible for implementing any actions associated with each risk alongside a timeframe for delivery and any progress to date. Up / down arrow this identifies any proposed change in score since the last review. Action completed date. When required actions have been completed, dates should be entered (day, month, year ) Review details provides information on what took place at the last review i.e. control s /actions updated, risk score changed. The assessments of risk, and the associated risk reports, are a key component part of the Trust s risk management strategy. The risk register reports also support decision making on how resources should be allocated. The risk register is populated through adding a risk to the electronic risk register. The corporate risk register records principal risks and any risks which are rated at a score of 15 or above. Each service line is responsible for maintaining its own risks and for taking action as soon Page 26 of 46

27 as possible to reduce, eliminate or manage risks, escalating these through the organisation as appropriate. 9.3 Risk appetite The risk appetite, as defined in section 5, has been translated into a narrative risk appetite statement for each strategic objective along with a numerical risk rating score to identify the degree of tolerance the Trust has for its principal risks. The risk appetite statements and risk scores are set out in the table below: Strategic Objective 1. To deliver high quality, safe and accessible services 2. To maximise the potential of our workforce to deliver high quality patient care 3. To achieve best value and ensure the Trust is sustainable and financially sound into the future 4. To diversify and develop services that meet commissioner and patient needs and expectations 5. To improve health and wellbeing by working in partnership to create life opportunities for our patients Risk Appetite Statement The Trust will manage risks from front line services to Board level and where risks exist, demonstrate that improvements are made The Trust will establish a positive safety culture, delivering compassionate care, where unsafe practice is not tolerated. Every member of staff is expected to identify, correct and / or escalate safety weaknesses 5 The Trust will deliver safe, high quality services and maximise value for money and ensure adherence to its accountability and compliance frameworks The Trust will encourage entrepreneurial activity, seek new ventures and improve existing services to fulfil our strategic direction The Trust s staff members will work in collaboration with each other, patients and carers to minimise risk, promote well-being and achieve good clinical outcomes Risk Appetite Score (the maximum tolerable score for a risk threatening this strategic objective) All risks are given a numerical risk rating based on a 5 x 5 risk matrix, multiplying the potential consequence (impact) of the risk by its likelihood. The Risk Appetite Scores will be used to determine the level of scrutiny given to risks which impact on the achievement of the strategic objectives. Any such risk where the risk rating matches, or exceeds, the risk appetite score for that strategic objective, and which is considered to have the potential to threaten the achievement of that strategic objective, will be deemed a principal risk (subject to Board approval) and will be added to the BAF. 10. Training If effective risk management is to remain part of the Trust s culture, it is essential that regular training and professional development is provided to, and undertaken by, all staff, senior Page 27 of 46

28 management and Board members, as appropriate. The provision of information, education and training is an important means of achieving competence and helps to facilitate safe working practices. During induction all members of staff within the organisation will be advised of the processes of risk management. All staff will be made aware of the concepts of risk management, health and safety, accident, incident and near miss reporting procedures. The training package Risk and Incident Reporting is a requirement for all staff to undertake. A training needs analysis, reviewed annually, identifies the training needs of all Trust staff, and a Corporate Curriculum is developed to ensure that these needs are met. The Trust has a responsibility to ensure that staff are released from their workplace to attend training sessions. In addition, any staff who are unable to attend their mandatory training due to physical or other constraints, must be notified to the training department. The Trust Board has a responsibility to ensure that adequate resources are available to implement the organisation s training programme for all staff. The Trust will ensure that all staff (qualified, unqualified, other clinical staff, bank and agency staff) are appropriately trained in line with the organisation s training needs analysis. Trust Board members and senior managers are required to undertake Risk Management Training annually. This will be recorded, monitored and non-attendance followed up by the Director of Nursing. Additional training may be conducted by members of the Governance Team as required via various methods including face to face, development and distribution of how-to guides and attendance at workshops and developmental sessions. 11. Monitor and Review Arrangements To ensure compliance with this strategy there will be an annual review undertaken by Internal Audit. The audit will be reported to the Audit Committee. Additionally, this strategy will be reviewed on an annual basis to ensure that the content reflects current best practice requirements. Page 28 of 46

29 Appendix A Risk Identifiers Risks can be identified through a number of internal and external sources, for example through project risk assessments, audits, performance monitoring. Risk identification can be pro-active (what might happen that we need to manage) or reactive (what is happening that we need to manage). The following list is not exhaustive but covers internal and external as well as proactive and reactive sources which should be looked at when considering where potential risks to the organization may be identified. Health and Safety Inspections: Any risks identified from health and safety inspections should be documented and reported to the Health and Safety Committee, or Fire Committee, for consideration. Security Management Systems Security risks are identified through security management arrangements including Security Inspections, review of lone working and management of Violence and Aggression. Audit Clinical, Financial, Internal and External Audit: The co-ordination of clinical audit is the responsibility of the Medical Director. Risks identified by this method will be documented and risk assessed. Audit responsibility will rest with the Director of Finance who will bring the internal and external audit reports and any counter fraud investigation reports to the attention of the Audit Committee. Through this process, any identified risks will be discussed as to whether they are placed on the Corporate Risk Register. The Audit Committee chair will recommend to the Quality and Governance Committee insertion of risks onto Risk Register. This will be minuted accordingly. Legislation / Policy: All staff have a duty to understand their responsibilities under current legislation. The policies and procedures generated within the Trust will refer to current legislation where applicable. Where legislation is breached, or policies are not followed this, may put the Trust at risk of receiving a complaint, legal challenge or prosecution. Reports from assessments / inspections by External Bodies: All members of staff have a duty to highlight risks identified within external body reports. The Trust Board and the Quality and Governance Committee will review new reports from the CQC, Serious Case Reviews and Homicide Inquiries, Coroner Preventing Future Death reports and appropriate reports from any other external agency relating to quality and/or governance, to identify learning applicable to the Trust and will disseminate this to the Operational Assurance Groups to develop, and implement action plans if required. Any other external reports will be discussed as part of the Quality and Governance Committee unless requested by the Department of Health to be discussed at Board. National Reports: The Trust will consider all national reports and policies for action, and consider their relevance to the services the Trust delivers. Surveys and Questionnaires A summary of the feedback from patient, staff and external stakeholder surveys should be reported to the Board by the Director of Nursing in order to identify common trends or risk issues and issues that rise through routine Patient and Public Involvement activities: Page 29 of 46

30 The Trust leads or participates in a range of activities to learn from service users, patients and their carers, including specific focus group work. Incident, Complaints, Claims and PALS Reporting: Summaries of the data relating to incidents, complaints, serious incidents, claims and PALS (Patient Advice and Liaison Service) are reported regularly to the Trust Board. The responsibility for co-ordinating the production of the data rests with the Director of Nursing. The Governance team provides monthly reports to services, Directors and others, containing incident and complaints data. In addition, there are specific monthly reports provided to each inpatient ward/unit. Copies of individual incident forms are also sent to relevant managers in respect of, for example, medication errors, violence and aggression towards staff, racial abuse, and hotel services related incidents. Summary reports are also provided for specific services on request to assist with their clinical risk assessment of individual service users. Training: Managers will monitor any risks in meeting mandatory training requirements set by the Trust. Any significant risks for the organisation will be raised by the Director of Nursing and reported to the Quality and Governance Committee through receipt of reports from the Workforce Department. Media: The Communications Team is responsible for identifying any media issues that may impact on the Trust and for notifying these to the Chief Executive for consideration. Staff also have a duty to alert the Communications Team of any events that could generate media interest for the Trust. Patient Safety Alerts arising from the Central Alert System (CAS): Hazard / safety notices are received by the designated Central Alert System (CAS) officer to identify any actions necessary in consultation with relevant staff across the Trust. Responses are monitored and reported on the national CAS website. Freedom to Speak Up: Speaking up about any concern you have at work is really important. In fact, it s vital because it will help us to keep improving our services for all patients and the working environment for our staff. Concerns can be raised about a risk, malpractice or wrongdoing that is thought to be harming the service / patients that we deliver to. Examples of this might include; unsafe patient care, unsafe working conditions, inadequate induction or training for staff etc. The Trust s Freedom to Speak Up Policy advises on how staff can speak up when they have concerns about care delivery and associated issues. The Freedom to Speak Up Guardian is the Director of Nursing. Any information obtained as a result of the identification of a risk should be communicated to any Director in a confidential manner and dealt with according to Policy. Staff are encouraged to report any areas of concern in accordance with the Trust s Freedom to Speak Up arrangements. Page 30 of 46

31 Grapevine and intuition: Some pertinent risk management issues can be picked up through ad hoc comments, hearsay or intuition. All staff have a responsibility to discuss issues of concern with either their line manager or a senior manager. All such issues should be brought to the attention of the relevant Director or senior manager. Trade unions: All union representatives are required to feedback risks, which have been identified both locally and / or nationally to the Director of Nursing through the Joint Consultative Committee or the Health and Safety Committee. Exit Interviews with staff: Exit interviews with staff are the responsibility of the line manager and/or HR and should be carried out every time a member of staff leaves. The information obtained by the HR department regarding comments made at exit interview might not necessarily relate directly to risk management but could include issues pertaining to poor training, lack of line management supervision / support, poor equipment, etc. which could put the patients, staff and / or the organisation at risk. Backlog maintenance: The Head of Estates is accountable for maintenance records and estates returns and is responsible for highlighting areas of risk from backlog maintenance and the estate. Coroner s inquests: Any relevant information from a Coroner s inquest should be reviewed at an Executive Clinical Risk Group. Any recommendations received will be considered and implemented; those that cannot be implemented immediately will be progressed via the relevant action plan. Professional body guidelines: The Trust will monitor all professional body recommendations or guidelines. Any risks identified will be risk assessed and dealt with according to the risk identification guidelines. Observation: Any members of staff within the organisation may observe or become aware of potential risks or hazards and as such have a responsibility to highlight their concerns for further investigation. Summary All risks, hazards or concerns identified via any of these risk identifier methods must be documented and assessed as per the guidelines in order for them to be considered for inclusion on to the local or corporate risk register, if necessary. The above list is not exhaustive but raises awareness and identifies responsibility for formally addressing risk issues throughout all levels within the organisation and in all formats. Page 31 of 46

32 Appendix B Risk Scoring Guide Choose the most appropriate domain for the identified risk from left hand side of the table, then work along the columns in the same row to assess the consequence (impact) of the risk on the scale of 1-5 to determining the score, which is the number given at the top of the column. Risk Domains Contractual/Performance Management Contractual and commercial matters, performance breaches Compliance (Non Quality and Safety) Examples: Compliance with the Trust s statutory duties which are non-patient facing, eg statutory financial duties. Statutory standards set by regulatory or enforcement bodies such as the Information Commissioner, Equality Commission Compliance (Quality & Safety) Examples: Trust compliance with statutory duties/inspection /regulatory requirements relating to patient care, eg CQC, HSE Consequence Score (consequence levels) and example descriptors Negligible Minor Moderate Major Catastrophic Isolated noncompliance or breach; negligible financial impact No or minimal impact or breach of guidance/ statutory duty No or minimal impact or breach of guidance/ statutory duty Contained noncompliance or breach with short term significance and minor financial impact. Breach of statutory Legislation Reduced performance rating if unresolved Breach of statutory legislation Reduced performance rating if unresolved Serious breach involving regulatory authority or investigation; prosecution possible with significant financial impact Improvement Notice Single breach in statutory duty Single breach in statutory duty Challenging external recommendations/ improvement notice Improvement notices Major breach with fines and litigation; long term significance and major financial impact. Enforcement action Improvement notices Non-compliance with national standards Low performance Enforcement action Multiple breaches in statutory duty Low performance rating Critical report Extensive fines and litigation Threat to loss of significant service Severe loss of contract / payment Multiple breaches in statutory duty Prosecution/Monet ary penalty Suspension of registration Non delivery of service Multiple breaches in statutory duty Suspension of registration Prosecution Complete systems change required Zero performance rating Equipment Examples: Design, maintenance and use of equipment Estates & Facilities Examples: Design, maintenance and use of facilities and premises No harm to an individual No disruption to service delivery No delay in transfers or discharges due to lack of equipment No harm or failure Single device not available minimal disruption to patient care or service delivery Faulty low risk equipment failure causing minimal harm Single failure to meet statutory requirements (< 1 week) Moderate disruption to patient care or service delivery Moderate harm to an individual Temporary loss of equipment or premises (> 2 days) Contractor Severe disruption to patient care Severe delays to transfers/discharge due to unavailability of equipment Faulty high risk equipment leading to Major injuries to an individual Temporary loss of equipment or premises (< 1 week) Severely critical report Statutory non compliance Single or Multiple device unavailability leading to loss of service Catastrophic harm to an individual Permanent loss of equipment or premises Failure of Page 32 of 46

33 Temporary loss of equipment or premises (< 2 days) withdrawal from contract during work leading to delay Failure to meet statutory requirements (< 1 week) Failure of electrical generator to start during power outage Failure of ventilation systems to critical area (< 1 week) ventilation systems to critical area (> 1 week) Major release of asbestos resulting in multiple contamination of persons Failure of ventilation systems to critical areas (<4 hours) Release of asbestos in confined area (1-2 persons affected) Inability to meet design requirements under HTM/HBN resulting in severe injury or compromised patient safety Multiple failures to meet statutory requirements (> 1 week) P21+ contractor unable to fulfil obligations under contract Death due to electrical safety failing Sustained failure to meet statutory requirements resulting in loss of service Financial Examples: Overspends Loss of income Failure to deliver savings Application of SFIs. Claims NB Risks relating to statutory financial duties fall into the Compliance (Non Quality and Safety) domain. Small loss Risk of claim remote Negligible organisational/ personal financial loss Minor organisational/ personal financial loss Loss of per cent of budget <5 per cent over project budget Claim less than 10k Significant organisational / personal financial loss Loss of per cent of budget Uninsured Claim(s) between 10,000 and 100, per cent over project budget Major organisational / personal financial loss Uncertain delivery of key objective/ Loss of per cent of budget Uninsured Claim(s) between 100,000 and 1 million Purchasers failing to pay on time Severe organisational / personal financial loss Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Uninsured Claim(s) > 1 million Non-compliance with national per cent over project budget Incident leading >25 per cent over project budget Health, Safety, Security (Theft) and Fire Health, safety and wellbeing of patients, staff, visitors and contractors. Injury/harm to staff / patients or public Harm/damage to property NB - See also specific sections below on risks relating to patient safety and violence and aggression incidents No time off work Damage to or loss of equipment (< 100 value) Insignificant loss of property value; staff/patient < 5.00 Area insecure no access No harm or damage caused. Disruption <30 Minor injury or illness requiring first aid or minor intervention Requiring time off work for <3 days Damage to or loss of equipment ( value) Minor loss of property; Staff / Patient: < Moderate injury requiring professional intervention Requiring time off work for 4-14 days RIDDOR/agency reportable event Damage to or loss of equipment ( value) Moderate loss of Major injury / long term incapacity or disability e.g loss of limbs/misdiagnosis or mistreatment leading to poor prognosis Requiring time off work for more than 15 days Damage to or loss of equipment ( value) Incident leading to death or major permanent incapacity Multiple permanent injuries or irreversible health effects Damage to or loss of equipment (> value) Severe loss of property; staff/patient > 500 Page 33 of 46

34 IM&T Examples: IT infrastructure Safety and sustainability of IM&T critical systems Replacement programme Covers information management and information analytics, but information governance covered separately Infection Prevention Infection control, cleanliness and hygiene Information Governance Confidentiality, integrity and availability of information minutes Cause identified within 15 minutes. Minor issues with individual infrastructure such as printers or pcs not working. Other options are available to keep working. Delays of less than an hour to information being available on information systems Individual colonisation but no infection Minimal impact on service Non-compliance with infection control standards - no exposure due to non-compliance with IPC policy/advice No impact on organisation No impact on wider public health Negligible breach of confidentiality Minor security incident contained Damage to property, minor injuries (no related absence) disruption to service >30 minutes Identification of cause >15 minutes Infrastructure or system issues affect an operation area for over an hour affecting the operation of a department Individual short term problem <1 month eg. Delayed discharge, short term treatment Ward under enhanced surveillance, not restricted or closed, minimal need for agency staff Minimal exposure to infection risk due to noncompliance with IPC policy/advice Cross infection with minimal public health impact Temporary loss of confidential/person identifiable property; Staff / Patient: < Area insecure access gained no loss Moderate security incident affecting a single area (no loss of service) Harm or damage resulting in injuries Area closed <24 hrs. (RIDDOR) System issues for over an hour affecting delivery of clinical care Department system failures up to 4 hours. Issues affecting information reporting resulting in fines or moderate operational impact Individual Injury/treatment up to 1year eg. Readmission, prolonged IV treatment Ward closed/ restricted, staff shortages with increased need for agency staff Possible exposure to infection risk due to noncompliance with IPC policy/advice Outbreaks, cross infection affecting hospital service cases eg. Norovirus, MRSA, VRE Loss of confidential/person identifiable Major loss of property; staff/patient < 500 Area insecure access gained with loss Major security incident affecting multiple areas/lockdown of a single area Harm or damage resulting in injuries Area closed hrs. Infrastructure or system failure for over 4 hours but less than a day. For example server infrastructure or network. Single system failure such as RIO, PAS, NHS Mail, e- rostering Errors impacting contracting and national datasets affecting payment where deemed significant. Individual Permanent injury Ward closed/ restricted. High levels of staff shortages due to sickness Definite exposure to infection risk due to noncompliance with IPC policy/advice eg. MRSA, VRE, Norovirus Outbreaks, cross infection with public health considerations 1-60 cases depending on organism eg. 1-2 salmonella, Norovirus Irrecoverable loss of vital records/ confidential/ Severe security incident leading to total lockdown of multiple areas/site Harm or damage resulting in fatal injuries. Area closed >48 hrs. Complete infrastructure failure affecting services for over a day. For example server infrastructure, network or major system such as PAS, RIO NHS Mail. Death due to HAI Ward closed/restricted leading to cancellation/transf er of emergency care to other hospital/closure of hospital Exposure to serious infection risk due to non-compliance eg. SARS, BBV, TB Major public health considerations: 1-60 cases depending on organism: 1 SARS, BBV, MDRTB, or >60 Norovirus Prosecution under Data Protection legislation. Page 34 of 46

35 Partnership Working Accountability, delivery, information sharing, partner relations, transaction costs, conflicts of interest, integrated care Minor breach or near miss of confidentiality readily resolvable - Level 0, non reportable externally Health records / documentation incident no adverse outcome Risks to partnership working, eg linked to breakdown in relationships, clashing organisational priorities, differing legislative/ regulatory requirements, employment conditions, insufficient resourcing, information sharing barriers, conflicts of interest, but no effect on delivering partnership objectives/ services / performance targets /VFM in a satisfactory or timely way information. Minor Breach with potential for investigation Level 1, Non reportable externally Health records incident / documentation incident readily resolvable (Incorrect information filed in patient's notes) Risks to partnership working, eg linked to breakdown in relationships, clashing organisational priorities, differing legislative/ regulatory requirements, employment conditions, insufficient resourcing, information sharing barriers, conflicts of interest but little effect on delivering partnership objectives/ services / performance targets /VFM in a satisfactory or timely way information/ records. Moderate breach of confidentiality Low sensitivity factors - potential for complaint 1 10 persons affected. Level 1, Non reportable externally Health records documentation incident patient care affected with short term consequence (Missing records) Risks to partnership working, eg linked to breakdown in relationships, clashing organisational priorities, differing legislative/ regulatory requirements, employment conditions, insufficient resourcing, information sharing barriers, conflicts of interest with partial failure to achieving partnership objectives, performance targets or loss of access to facility or non-essential service person identifiable information. Serious breach of confidentiality more than 11 person and/or High sensitive Factors. Level 2 Externally reportable breach. Health records / document incident patient care affected - major consequence (Incorrect information used to treat wrong patient) (Missing information within notes contributing to incorrect treatment. Risks to partnership working, eg linked to breakdown in relationships, clashing organisational priorities, differing legislative/ regulatory requirements, employment conditions, insufficient resourcing,, information sharing barriers, conflicts of interest that puts partnership objectives/ key Trust performance targets at major risk or lead to major cost shifting impacting on Trust or loss of access to significant facility or essential service with limited ability to re-provide at short notice Serious breach of confidentiality large numbers (51+) Level 2 Externally reportable breach. Health records / documentation incident catastrophic consequence (large number of records destroyed inadvertently Risks to partnership working, eg linked to breakdown in relationships, clashing organisational priorities, differing legislative/ regulatory requirements, employment conditions, insufficient resourcing, information sharing barriers, conflicts of interest with non delivery of partnership objectives/ key performance targets for the Trust, significant drain on resources of Trust or loss of access to significant facility or essential service with potential adverse impact/outcomes for patients/ vulnerable groups. Patient Safety Examples: Avoidable harm to patients Safe staffing levels Mortality Patient Falls Consent Minimal injury requiring no/minimal intervention or treatment. Incorrect medication Minor injury or illness, requiring minor intervention Increase in length of hospital stay by 1-3 days Moderate injury requiring professional intervention Increase in length of hospital stay by 4-15 days Major injury leading to longterm incapacity/ disability Increase in length of hospital stay by >15 days Incident leading to death (within 366 days) Multiple permanent injuries or irreversible health effects Page 35 of 46

36 Clinical outcomes Medicines management NB See also specific sections elsewhere in this table on risks relating to health and safety and violence and aggression incidents dispensed but not taken Wrong drug or dosage administered with no adverse effects An event which impacts on a small number of patients. Treatment or service that has significantly reduced effectiveness Mismanagement of patient care with long-term effects Wrong drug or dosage administered with adverse effects An event which impacts on a large number of patients Wrong drug or dosage administered with significant effects Wrong drug or dosage administered with potential adverse effects Quality Evidence based care and treatment, care planning, clinical outcomes, clinical audit Patient experience Consent Policies and procedures Compliance with nonstatutory standards, eg peer reviews, accreditation requirements, NICE, etc NB compliance with statutory bodies that are non-patient facing are under Compliance (Non Quality and Safety) Reduced quality of patient experience/ clinical outcome not directly related to delivery of clinical care. Locally resolved verbal complaint. Low number of audit/inspection recommendations minor quality improvement issues Overall treatment or service suboptimal Unsatisfactory patient experience/ clinical outcome directly related to care provision readily resolvable. Justified written complaint peripheral to clinical care. Single failure to meet internal standards Treatment or service has significantly reduced effectiveness Unsatisfactory patient experience/ clinical outcome <1wk An event that impacts on a small number of patients. Justified complaintinvolving lack of appropriate care. Non-compliance with national standards with significant risk to patients if unresolved Unsatisfactory patient experience/clinical outcome >1wk High risk complaint/multiple complaints Critical report Unacceptable patient experience/clinical outcome, continued on-going long term effects Extreme risk complaint/related to SI Ombudsman enquiry Gross failure to meet national standards Low level audit/inspection recommendations which require management actions Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Reputation Examples: Adverse publicity Short term/recoverable reputational damage Rumours within the Trust Potential for public concern Minor concern, no patient harm, no social media interaction Local media coverage short-term Reduction in public confidence Elements of public expectation not being met Moderate audit/inspection recommendations Several sources of local media activity High profile (headline) on local broadcast media Moderate level of social media activity National media coverage but not headline news Widespread social media activity Service well below reasonable public expectation. Sustained national and international headlines Trending on social media outlets Media or demonstrators on site Little effect on staff morale Minor effect on staff morale/public attitudes Regulator concern MP Concern Regulator action Significant effect on staff morale and public perception of the organisation Public confidence in the organisation undermined Use of services affected Patients refusing to use hospital Full public enquiry Regulator enforcement Page 36 of 46

37 notice Safeguarding Safeguarding and protecting children and adults from abuse and neglect; including self-neglect domestic abuse, unlawful restraint and restrictions in practice. Service/business interruption Examples: Major incidents Business continuity Emergency preparedness Resilience and response Loss of service Staffing and Competence Examples: Reconfiguration/ Transformation Skill mix changes International recruitment Medical staffing NB risks relating to staffing levels impacting on patient safety/quality will fall into the quality/patient safety domain. Violence & Aggression Examples: V&A to staff / patients / other individuals Minimal harm. No intervention External safeguarding concern. Minor loss of noncritical service i.e. more than 1 hour but less than 8 Minimal or no impact on the environment Financial loss < 10k Short-term low staffing level that temporarily reduces service quality (< 1 day) Concerns about competency and skills mix Verbal threat Minor harm to a child or adult who fits the Care Act definition for safeguarding duties. Breach of Statutory legislation of the Care Act and Mental Capacity Act/DOLs Short term disruption to service with minor impact on patient care or service loss in a number of non-clinical areas i.e. more than 8 hours but less than on day Minor impact on environment Financial loss 10k - 50k Low staffing level that reduces the service quality contract Minor error(s) due to levels of competency (individual/team) Verbal/nonphysical assault (including racial, sexual, gender, homophobic, etc. bias) resulting in minimal victim Moderate harm to a child or an adult who fits the Care Act definition for safeguarding duties. Single breach of duty Some disruption in service with unacceptable impact on patient care, temporary loss of ability to provide service i.e. more than one day but less than a week. Moderate impact on environment Financial loss 50k - 500k Ongoing problems with levels of staffing that results in late delivery of key objectives/service Unsafe staffing level or competence (>1 day) Low staff morale Poor staff attendance for mandatory/key training Verbal/nonphysical assault causing distress to victim. Physical assault with minor physical Major harm to a child or an adult who fits the Care Act definition for safeguarding duties Multiple Breaches in statutory duty Extended loss of essential service which has a serious impact on delivery of patient care resulting in major contingency plans being revoked. Major impact on environment Financial loss 500k to 1m Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Loss of key staff Very low staff morale No staff attending mandatory/ key training Physical assault with moderate harm or absence <6 days. Verbal/nonphysical assault Severe harm or death of a child or an adult who fits the Care Act definition for safeguarding duties. Multiple breaches in statutory duty of the Care Act or the Mental Capacity Act. Suspension of registration Permanent loss of core service faciltiy Catastrophic impact on environment Financial loss > 1m Non-delivery of key objective/service due to lack of staff Ongoing unsafe staffing levels or competence Loss of several key staff No staff attending mandatory training /key training on an ongoing basis Verbal or physical Assault with harm and absence >6 days. Criminal prosecution of Page 37 of 46

38 impact injuries or stress/anxiety (no absence or restricted duties) leading to absence >5 days assailant Page 38 of 46

39 Table 2 Likelihood score (L) To determine the likelihood of the risk occurring use the table below: Document Reference Code: GOV/016/17 Likelihood Score Descriptor Rare Unlikely Possible Likely Almost Certain (Over one year)* (Yearly)* (Monthly)* (Weekly)* (Daily)* Frequency How Often might it/does it happen This will probably never happen/recur Do not expect it to happen/recur but it is possible it may do so Might happen or recur occasionally Will probably happen/recur but it is not a persisting issue Will undoubtedly happen/recur possibly frequently *This is a guide to likelihood Table 3 Risk matrix referred to in policy used to determine Risk Scoring Summary = Consequence (Impact) x Likelihood (CxL) Based on the above judgements a risk assessment can be made of the potential future risk Likelihood Consequence Rare Unlikely Possible Likely Almost Certain 5 Catastrophic Major Moderate Minor Negligible Table 4 Risk grading Risk Score Risk Level 1 3 Low 4 7 Moderate 8 14 High Extreme Page 39 of 46

40 Appendix C Adequacy of Assurance Scoring Matrix Document Reference Code: GOV/016/17 Page 40 of 46

41 Page 41 of 46

42 Document Reference Code: GOV/016/16 Equality Impact Assessment Proforma Initial Screening Name of Procedural document to be assessed: Section: Officer responsible for the assessment: Risk Management Strategy, Policy and Procedure Policy Corporate: Governance Sharon Linter, Director of Nursing Date of Assessment: 10 November 2017 Is this a new or existing procedural document? E 1. Briefly describe the aims, objectives and purpose of the procedural document. The overarching purpose of the risk management strategy is to describe the framework and processes within Cornwall Partnership NHS Foundation Trust (CFT) to: identify, manage and eliminate, or reduce to an acceptable level, risks that threaten the delivery of high quality care and services to meet identified local needs to maintain a safe environment for individuals who are legitimately accessing trust services to minimise financial loss to the organisation and to demonstrate to the public, regulators, staff and commissioners, that the Trust is a safe and efficient organisation. 2. Are there any associated objectives of the No procedural document? Please explain. 3. Who is intended to benefit from this All individuals who come into contact with the organisation. procedural document, and in what way? 4. What outcomes are wanted from this Safe management of risk. procedural document? 5. What factors/forces could contribute/detract Lack of implementation of strategy, attendance at training, lack of resources from the outcomes? 6. Who are the main stakeholders in relation All staff, Trust Board, Lead professionals, managers Page 42 of 46

43 Document Reference Code: GOV/016/16 to the procedural document? 7. Who implements the procedural document, and who is responsible for the procedural document? 8. Are there concerns that the procedural document could have a differential impact on RACIAL groups? What existing evidence (either presumed or otherwise) do you have for this? 9. Are there concerns that the procedural document could have a differential impact due to GENDER What existing evidence (either presumed or otherwise) do you have for this? 10. Are there concerns that the policy could have a differential impact due to DISABILITY? What existing evidence (either presumed or otherwise) do you have for this? 11. Are there concerns that the policy could have a differential impact due to SEXUAL ORIENTATION? What existing evidence (either presumed or otherwise) do you have for this? 12. Are there concerns that the procedural document could have a differential impact due to their AGE? Trust Board, Lead professionals, managers, all staff N Please explain The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of race. N The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of gender. N The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of disability. N The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of sexual orientation. N Page 43 of 46

44 Document Reference Code: GOV/016/16 What existing evidence (either presumed or otherwise) do you have for this? 13. Are there concerns that the procedural document could have a differential impact due to their RELIGIOUS BELIEF? What existing evidence (either presumed or otherwise) do you have for this? 14. Are there concerns that the procedural document could have a differential impact due to their MARRIAGE OR CIVIL PARTNERSHIP STATUS? (This MUST be considered for employment policies). What existing evidence (either presumed or otherwise) do you have for this? 15. Are there concerns that the procedural document could have a differential impact due to GENDER REASSIGNMENT OR TRANSGENDER ISSUES? What existing evidence (either presumed or otherwise) do you have for this? 16. Are there concerns that the procedural document could have a differential impact due to PREGNANCY OR MATERNITY? What existing evidence (either presumed or otherwise) do you have for this? The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of age. N The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of religious belief. N The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of marital or civil partnership status. N The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of Gender Re-assignment or Transgender Issues N The policy is inclusive. It sets out a standard procedure for all staff who work in the Trust to manage risk. It aims to provide a safe working environment for staff and eliminate risk to patient safety regardless of regardless of Pregnancy and Maternity. Page 44 of 46

45 Document Reference Code: GOV/016/ How have the Core Human Rights Values of: Fairness; Respect; Equality; Dignity; Autonomy Been considered in the formulation of this procedural document/strategy The policy aims to ensure The Core Human Rights Values are maintained If they haven t please reconsider the document and amend to incorporate these values. 18. Which of the Human Rights Articles does this document impact? The right: To life; Not to be tortured or treated in an inhuman or degrading way; To be free from slavery or forced labour; To liberty and security; To a fair trial; To no punishment without law; To respect for home and family life, home and correspondence; To freedom of thought, conscience and religion; To freedom of expression; To freedom of assembly and association; To marry and found a family; Not to be discriminated against in relation to the enjoyment of any of the rights contained in the European Convention; To peaceful enjoyment of possessions and education; To free elections Y Y Y Y Y Y N N N N N N N N Page 45 of 46