SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RISK MANAGEMENT POLICY. Report to the Trust Board 26 May Risk and Compliance Manager

Transcription

1 SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RISK MANAGEMENT POLICY Report to the Trust Board 26 May 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director of Governance and Corporate Development. Risk and Compliance Manager The policy sets out the Trust s approach to the identification, assessment, management and reporting of risk and sets the framework for the way in which the Trust will ensure risk management is embedded within the way all members of staff work. The is a policy reserved to the Board for ratification in line with the Trust s Policy on Developing and Managing Procedural Documents. The policy has been subject to review through the Trust s governance groups and approved by the Executive Management Team. Actions required by the Board: The Board is requested to ratify the. May 2015 Public Board - 1 -

2 May 2015 Public Board - 2 -

3 RISK MANAGEMENT POLICY Version: Ratified by: Date ratified: Title of originator/author: 5.2 (Draft) Executive Team TBC Mark Roughan Risk and Compliance Manager Title of responsible committee/group: Regulation Governance Group Date issued: TBC Review date: TBC Relevant staff group/s: All Trust staff This document is available in other formats, including easy read summary versions and other languages upon request. Should you require this please contact the Equality and Diversity Lead on May 2015 Public Board - 3 -

4 DOCUMENT CONTROL Reference Number Version 5.2 Status DRAFT Author Risk and Compliance Manager Amendments: Policy revised in line with the current procedural document template. Addition of new occupational health provider details. Document objectives: To set out the Trust s approach to Risk Management Intended recipients: All Trust staff Committee/Group Consulted: Regulation Governance Group Monitoring arrangements and indicators: Evidence of current risk assessments within services across the Trust. Evidence of Risk Registers within services across the trust and assurance that these registers are reviewed regularly. Assurance of action plans put in place to mitigate or eliminate a particular risk. Training/resource implications: Introduction to Risk Management as part of Corporate Induction. Identify and train sufficient numbers of appropriate members of staff to act as Risk Monitors at a local level. Approving body and date Executive Team Date: TBC Formal Impact Assessment See Appendix C Date: March 2015 Ratification Body and date Trust Board Date: TBC Date of issue Review date Contact for review Lead Director TBC TBC Head of Risk Director of Governance and Corporate Development May 2015 Public Board - 4 -

5 CONTRIBUTION LIST Key individuals involved in developing the document Name All Group Members All Group Members All Group Members Andrew Dayani Phil Brice Sue Balcombe Andy Heron Andrew Sinclair Sara Harding Jeremy Smith Liz Harewood Jean Glanville Michèle Crumb Designation or Group Regulation Governance Group Clinical Governance Group Operational Management Group Medical Director Director of Governance and Business Development Director of Nursing and Patient Safety Chief Operating Officer Head of Corporate Business Head of Operations/Deputy Chief Operating Officer Head of Medical Services Acting Deputy Head Pharmacist Claims and Litigation Manager Head of Risk May 2015 Public Board - 5 -

6 Contents Section Summary of Section Page Document Control 1 Contents 2 1 Introduction 5 2 Purpose and Scope 5 3 Duties and Responsibilities 6 4 The Risk Management Process (how risks are managed) 10 5 Recording and Managing Risks on a Risk Register 13 6 Monitoring compliance and effectiveness 14 7 Specialist Risk Management Advice 14 8 Sustaining effective risk management through training 15 9 Other relevant policies that support the risk management Policy 15 Appendix A Table 1 - An Example Risk Assessment 16 Appendix B Table 2 Grading a risk 17 Appendix B Table 3 The Consequence Score 18 Appendix B Table 4 The Likelihood Score 19 May 2015 Public Board - 6 -

7 1. INTRODUCTION 1.1 Within the context of the Risk Management Strategy this policy sets out how all staff should approach the management of operational and corporate risks within their Team, Department, Service, Division, or the wider Trust. Statement of Policy 1.2 The Trust is committed to ensuring the safety of its patients and staff and will do this by actively managing the uncertainties of operational and corporate risks through the implementation of a clear and robust Risk Management framework 1. This policy complements the Board Assurance framework through which strategic risks to the Trust s objectives are managed. 1.3 All NHS Trusts are required by the Health and Social Care Act 2008 (Regulated Activities) Regulations to: assess the risks to the health and safety of service users receiving care or treatment doing all that is reasonably practicable to mitigate any such risks 2 PURPOSE AND SCOPE 2.1 The purpose of this document is to set out standards applicable to all levels of Trust staff on the effective management of operational and corporate risks. This policy aims to: explain the methods used to assess, monitor and mitigate both operational and corporate risks effectively 3 set out respective responsibilities for operational, corporate and strategic risk management for staff, the Executive Team, the Chief Executive and the Board, as well as other persons or Trusts, working in cooperation with the Trust to deliver care (see section 6) The scope of this policy is the management of operational and corporate risks. 2.3 The goals of this policy are to: guide all levels of Trust staff to be proactive with patient and staff safety by applying risk management methods 1 Health and Social Care Act 2008, (Regulated Activities) Regs 2014, s 17 (2b) 2 Health and Social Care Act 2008, (Regulated Activities) Regs 2014, s 12 (2a & 2b) 3 Health and Social Care Act 2008, (Regulated Activities) Regs 2014, s17 (2b) 3 Health and Social Care Act 2008, (Regulated Activities) Regs 2014, s 12 (2b) 4 Health and Social Care Act 2008, (Regulated Activities) Regs 2014, s 17 (2a) May 2015 Public Board - 7 -

8 raise awareness through all levels of Trust staff what effective risk management means endorse the importance of risk registers as assurance to the Executive Team and the Trust Board that operational corporate risks are being identified managed effectively at all levels of the Trust provide a clear framework that will deliver the Risk Management Strategy 3 DUTIES AND RESPONSIBILITIES 3.1 This policy applies to those members of staff that are directly employed by the Trust and for whom the Trust has legal responsibility. For those staff covered by a letter of authority/honorary contract or work experience, the Trust s policies are also applicable whilst undertaking duties for or on behalf of the Trust. This policy also applies to all third parties and others authorised to undertake work on behalf of the Trust The following paragraphs set out the respective risk duties and responsibilities for specific groups and individual staff members. The Board 3.3 Executive and non-executive directors share responsibility for the successful management of the Trust, including the effective management of risk. In context of Risk Management the Board is responsible for: championing the Trust s commitment to Patient Safety through: - providing leadership on the Trust s Risk Management Strategy - ensuring that assurances clearly demonstrate that this policy is being applied consistently across the trust protecting the reputation of the Trust for managing risks effectively The Chief Executive 3.4 As Accountable Officer, the Chief Executive has responsibility for maintaining a sound system of internal control that supports the achievement of the Trust s objectives. To fulfil this responsibility the Chief Executive will: ensure that management processes fulfil the responsibilities for risk management as set out in the ensure that their full support and commitment is provided and maintained for the Risk Management Strategy plan for adequate staffing, finances and other resources, to ensure the management of those risks which may have an adverse impact on the staff, finances or stakeholders of the Trust 5 Health and Social Care Act 2008, (Regulated Activities) Regs 2014, s 7 (2d) May 2015 Public Board - 8 -

9 O ensure an appropriate Board Assurance Framework (BAF) is prepared and regularly reviewed and updated and receives appropriate consideration and ensure an Annual Governance Statement, adequately reflecting the risk management within the Trust, is prepared and signed off each year The Executive Team 3.5 Members of the Executive Team will act as senior responsible officers (SROs) for their respective areas and will ensure that within their areas risks are managed effectively this includes: notifying Heads of Division of any strategic or corporate risks to the delivery of defined Divisional objectives. Scrutinising new operational Risk Assessments reported on to the Corporate Risk Register ensuring Divisional Risk Registers are maintained and actively managed within their area ensuring staff with responsibility for Corporate Risks implement short, medium or long-term action plans to mitigate those risks ensuring all staff are aware of and fulfil their appropriate responsibilities for risk management ensuring all activities undertaken within their area are consistent with the safe operation of the Trust. In the context of this policy this means reporting to the Trust Board the raising and closing of corporate risks, via Board Assurance Framework or the Corporate Risk Register 3.6 Executive responsibility for specific areas related to Risk Management has been delegated as outlined in the table below: The Medical Director has delegated responsibility for: assuring the effective management of operational risk within the Medical workforce overseeing the quality and improvement of clinical services research and development strategy, operations and governance overseeing Mental Health Act legislation standards of professional practice (including appraisal and May 2015 Public Board The Director of Nursing and Patient Safety is the Caldicott Guardian for the Trust and has delegated responsibility for assuring the effective management of: clinical governance processes (including clinical audit) patient safety infection prevention and control implementation of national safety alerts Confidentiality, the Caldicott guardian

10 regulation) and codes of conduct for the Medical workforce medicines management Implementation of National Institute for Health and Clinical Excellence (NICE) guidelines Safeguarding children and vulnerable adults standards of professional practice (including appraisal and regulation) and codes of conduct for the Nursing workforce Strategic management of the medical workforce The Director of Governance and Corporate Development is the CQC Nominated Individual and the Data Protection Officer for the Trust and has delegated responsibility for assuring the effective management of: all Risk Management processes compliance with CQC Fundamental Standards Information Governance (including Data Protection) Freedom of Information the health and safety of staff, patients and visitors as required by Health and Safety legislation The Director of Finance and Business Development is the Senior Information Risk Officer for the Trust and has delegated responsibility for managing: financial risk financial and other fraud financial balance asset management, maintenance and insurance information security risk fire safety environmental risk through waste disposal, pollution and food handling. untoward event reporting adverse media issues, May 2015 Public Board

11 The Director of Human Resource and Workforce Development has delegated responsibility for managing: recruitment Chief Operating Officer has delegated responsibility for managing: operational risk within the Trust s provider services pre-employment checks professional registration terms and conditions of employment advice on employment legislation policies and procedures relating to staffing issues training and workforce development Senior Managers 3.7 Senior managers are responsible for ensuring that the requirements of this Policy are effectively implemented in their areas of responsibility. Heads of Division, Divisional Managers, Matrons or Ward Managers and Risk Monitors 3.8 They will be accountable for the proactive, timely and accurate review and update of all Risk Assessments owned by their division or service. This will include supporting risk owners, those responsible for current controls and those responsible for action plans to scrutinise their existing risks and progress to reduce or eliminate a risk. 3.9 It is good practice for these members of staff to manage and monitor risks on a Risk Register to provide a complete overview of all potential risks that a Division or Service is exposed to It is important that staff feel empowered to take action to identify (for example from incident reporting patterns or trends), assess and mitigate risks. Senior managers should seek assurance that their teams are encouraged to proactively manage risk to improve the safety of care and services. Responsibilities of all staff 3.11 All Trust staff are, directly or indirectly, responsible for the safety of patients and service users. Their specific responsibilities for safety are to: May 2015 Public Board

12 be familiar with this policy in addition to the Trust s Risk Management Strategy and Health and Safety procedures and comply with these comply with all other Trust policies and procedures that are applicable to their area of work as this will, directly or indirectly enhance the safety of patients and service users be vigilant for potential risks and take responsibility for reporting or where appropriate completing a Risk Assessment. Potential risks should be reported to a Line Manager, Head of Division, Risk and Compliance Manager or Head of Risk as appropriate report adverse incidents and near misses in accordance with Trust policy be aware that they have a duty under legislation to take reasonable care of their own safety and the safety of others who may be affected by the Trust s business 4 THE RISK MANAGEMENT PROCESS 4.1 The Trust has a statutory and ethical responsibility to assess, monitor and mitigate operational, corporate and strategic risks or eliminate the risk completely where it is reasonably practicable. It is not usually possible to eliminate all risks but Trust staff also have a duty to protect patients and service users as far as reasonably practical. It is best to prioritise risks by scoring them (see below) on a Risk Assessment. Keep the risk assessment simple do not use techniques that are overly complex for the type of risk being assessed. A Risk Assessment is not the same as an incident report. 4.2 Definitions: Hazard Risk (Operational or Corporate) Corporate (High level) Risks So far as is reasonably Practicable Risk Management Risk Management Maturity The source of a risk or an event with the potential to cause harm A measure of the probability and severity that an adverse event will occur in a specific time period or as a result of a specific situation Risks that are rated and scored at 12 or above Taking action to control the health and safety risks in your workplace except where the cost (in terms of time and effort as well as money) of doing so is grossly disproportionate to the reduction in the risk The systematic identification, reduction an/or elimination of risks The level of skills, knowledge and attitudes displayed by people in the Trust, combined with the level of sophistication of risk management processes and systems in managing risk within May 2015 Public Board

13 the Trust. Risk Matrix Board Assurance Framework Risk Register Risk Treatment Residual Risk The mechanism through which all risks are rated and scored A report that provides the Trust Board with assurance(s) that the key risks associated with not achieving the Corporate objectives are being mitigated The method used to record identified risks, their rating, scores, control measures and where evidence of controls can be located Proposed control measures that may reduce the risk of the impact from an identified hazard Level of acceptable risk following implementation of risk treatment Important Risk Management concepts: 4.3 As part of the Trust s commitment to effective risk management: there should be an environment where risks are openly discussed and where mistakes and untoward events are dealt with in a non-punitive and responsive manner Human Factors should be taken into account when assessing risks (for specialist advice on this matter contact the Risk Management team) Risks should be assessed objectively not subjectively. This means when completing a (non-clinical) Risk Assessment refer to fact and not opinion, and explanation instead of judgement when a Risk Assessment is completed it needs to be reviewed accordingly. The higher the Risk Rating score the more frequently a Risk Assessment should be reviewed. Risk Management is a dynamic continuous process. Identifying a risk 4.4 There are many methods to identify risks, for example: adverse incident trend reports (available from the Risk Management Team) a serious incident requiring investigation (SIRI) pro-active risk assessment (e.g. in preparation for a major project) audit, clinical, financial, process, internal or external reports from assessments or inspections by external bodies feedback from patient, carer or service user surveys or questionnaires May 2015 Public Board

14 PALS enquiry or complaints claims reporting national and regional safety alert asset registers or maintenance backlog Coroner s hearings NICE and other professional guidance from regulatory bodies observation Assessing a risk (see Appendix A) 4.5 A risk is assessed using Trust Risk Assessment form. A risk assessment seeks to answer four simple questions: Hazards the source of a risk or an event with the potential to cause harm Risks are a measure of the probability and severity an adverse event will occur in a specific time period or as a result of a specific situation. Grading a risk how bad a risk is 4.6 We can prioritise risks by grading them. This will highlight risks that are a greater impact and therefore require immediate action or need to be reviewed more frequently and managed more rigorously from those that are more tolerable. 4.7 To prioritise Risk Assessments effectively risk grading should be consistent across the Trust. Risks are graded by combining estimates of consequence (also described as severity) and likelihood (frequency or probability) taking into consideration (the context) existing control measures. 4.8 The rating of a given risk is established using a 5x5 grid (see Appendix A Table 2). The risk grading is an estimated score (the combination of likelihood and consequence) to show the magnitude of a risk from a specific hazard (refer to Appendix A Table 2 for detail instructions). A risk rating score needs to an objective and appropriate reflection of the impact of risk May 2015 Public Board

15 5 RECORDING AND MANAGING RISKS ON A RISK REGISTER 5.1 Where risks are of a significant level and cannot be immediately resolved they will be recorded on a Local, Divisional or Corporate Risk Register (a summary table of risks). 5.2 Once a risk is identified and assessed it is recorded on to a local Risk Register, for example a Divisional Risk Register (a template is available from the Risk Management page on the trust intranet). If the risk rating score is 12 or higher the Risk Assessment may be considered a Corporate Risk (refer to 5.4) 5.3 The purpose of a Risk Register is to: provide a summary overview of all potential risks to which a Service, Division or the Trust may be exposed evaluate the level of existing internal control in place to address the risk be an active document to record and report risks during the Risk Management process. This means it is regularly reviewed and updated. Continuous monitoring and review of risk assessments encourages a safety culture. Regular risk assessment monitoring ensures that new risks are detected and managed, action plans are implemented and managers and stakeholders are kept informed. The availability of regular information on risks can assist in identifying trends or areas for improvement Escalating a Risk Assessment to the Corporate Risk Register 5.4 When a risk has been identified locally which is estimated to be of sufficient magnitude that it is a Corporate Risk (that is scoring 12 or more) and cannot be managed locally by the responsible member of staff, the risk should be considered for inclusion onto the Corporate Risk Register. For recording on the Corporate Risk Register a completed Risk Assessment should be submitted for consideration to the Regulation Governance Group, the Clinical Governance Group or the Caldicott & Information Governance Group, whichever is appropriate. When risks are accepted by the relevant Governance Group to be included to the Corporate Risk Register the Responsible Risk Owner will be the Divisional Manager and the Lead will be designated to an Executive Director. 6 MONITORING COMPLIANCE AND EFFECTIVENESS 6.1 The Integrated Governance Committee has overall responsibility for monitoring compliance and effectiveness of this policy. 6.2 Other groups with responsibilities for monitoring: The Clinical Governance Group will monitor clinical Risks within mental health and community services. This will include working with operational managers to monitor care planning as well as ensuring compliance with national clinical standards. The Regulation Governance Group will monitor risks relating to statutory and regulatory compliance, including risk/claims management, Health and Safety and security and complaints processes. May 2015 Public Board

16 The Caldicott and Information Governance Group will monitor risks relating to information security, data protection, freedom of information and achievement of the Information Governance Toolkit. 6.3 Methodology to be used for monitoring The type of audit and its frequency will be set out in an annual timetable by the Risk and Compliance Manager and they will conduct the audits in consultation with the Trust Audit team and in accordance with Trust Audit policies. process audits of local and Divisional Risk Registers process audits of local Risk Assessments process audits of plans put in place to mitigate risks monitoring of incident patterns or trends related to Risks entered onto risk registers Trust Internal Auditors periodic review of Risk Management processes 7 SPECIALIST RISK MANAGEMENT ADVICE Head of Risk reports to the Director of Governance and Corporate Development and has overall responsibility for the implementation of this policy, including monitoring incidents, Risk Registers, medical devices, monitoring serious incidents requiring investigation and the maintenance of strategic level reporting to ensure that the executive team is fully aware of all risks (clinical and non-clinical) within the Trust. Risk and Compliance Manager reports to the Head of Risk. They will provide specialist advice for managing Risk to Head of Risk and, in turn to the Director of Governance and Corporate Development, managers, lead clinicians, staff and appropriate agencies to assist the Trust in achieving risk awareness and compliance with relevant CQC regulations. They will assist in the triangulation of intelligence information, including risks, incidents and CQC compliance and risk profiling, in order to identify possible areas of concern Risk Management Information Officer is responsible for the administration of the Trust incident reporting system, Datix. They will assist with incident reporting, thematic incident reports and incident pattern or trend analysis 8 SUSTAINING EFFECTIVE RISK MANAGEMENT THROUGH TRAINING 8.1 Training is essential for the implementation of the and the success of the Risk Management Strategy. The Risk Manager will work in collaboration with the Trust Learning and Development Team to deliver a training programme for staff with Risk Management responsibilities. The Risk Manager will provide Risk Management advice and support to Managers and Risk Leads to facilitate local Risk Management. The Risk Manager will provide ad hoc Risk Management support or advice to all levels of Trust staff as and when needed. May 2015 Public Board

17 9 OTHER RELEVANT POLICIES THAT SUPPORT TRUST RISK MANAGEMENT 9.1 This policy should be read in conjunction with the following policies: 10 APPENDICES Being Open and Duty of Candour Policy Claims Handling Policy and Procedure Counter Fraud Policy Equality and Diversity Policy Major Incident Plan Medicines Policy PALS and Complaints Policy Risk Management Strategy Serious Incident Requiring Investigation (SIRI) Policy Untoward Event Reporting Policy Whistle Blowing Policy 10.1 For the avoidance of any doubt the appendices in this policy are to constitute part of the body of this policy and shall be treated as such. May 2015 Public Board

18 TABLE 1 - EXAMPLE OF A SIMPLE RISK ASSESSMENT APPENDIX A May 2015 Public Board

19 APPENDIX B TABLE 2- GRADING A RISK HOW BAD A RISK IS Likelihood score Consequence score Rare Unlikely Possible Likely 5 Catastrophic Major Moderate Minor Negligible Low risk 4-6 Moderate risk 8-12 High risk Extreme risk How to use the grid Almost certain 1 Define the risk(s) explicitly in terms of the adverse consequence(s) that might arise from the risk. 2 Use table 1 (see appendix B) to determine the consequence score(s) for the potential adverse outcome(s) relevant to the risk you are looking 3 Use table 2 (see appendix B) to determine the likelihood score(s) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project or a patient care episode. If it is not possible to determine a numerical probability then use the probability descriptions to determine the most appropriate score. 4 Calculate the risk score the risk multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score) May 2015 Public Board

20 TABLE 3-THE CONSEQUENCE SCORE APPENDIX B Score Descriptor Insignificant Minor Moderate Major Catastrophic Physical / Psychological Harm to Patients, staff or the Public Information Governance Quality of Care or Best Practice Delivery of Objectives & Projects / Business Interruption No time off work < 3 days off work 3 15 days off work (RIDDOR reportable) No increased length of stay Minor injury requiring minimal intervention Minor breach of confidentiality 5-20 people affected Peripheral element of treatment / service sub-optimal Potential failure to meet standards identified Informal complaint or inquiry Barely noticeable reduction in scope or quality Insignificant cost increase / schedule slippage Loss / interruption of service for < 1 hour Financial Single loss / capital spend > 10,000 Increased length of stay by < 3 days Minor injury requiring minor intervention Potentially a serious breach. Between 5-20 people affected Encrypted files lost Clinical element of treatment / service sub-optimal Non-compliance with internal standards Formal complaint with local resolution Minor reduction in quality / scope < 5% over budget / schedule slippage. Loss / interruption of service for 1 to 24 hours Single loss / capital spend > 100,000 Increased length of stay 3 15 days Moderate injury requiring professional intervention Potentially a serious breach. Between people affected. Unencrypted files lost Overall treatment / service sub-optimal Non-compliance with national standards Formal complaint with potential to go to independent review Reduction in scope or quality requiring client approval 5-10% over budget / schedule slippage. Loss / interruption of service 1 7 days Single loss / capital spend > 500,000 > 15 days off work Unable to return to work Increased length of stay > 15 days Major injury or long term incapacity Serious breach up to 1000 people affected or Unencrypted sensitive data lost Treatment / service has significantly reduced effectiveness Non-compliance with national standards with significant risk to patients or staff Multiple complaints / independent review Secondary objective not met 10-25% over budget / schedule slippage. Loss / interruption of service for > 1 week Single loss / capital spend > 1,000,000 Serious irreversible health effects Death or major permanent incapacity Serious breach over 1000 people affected with potential for ID Theft Totally unacceptable quality of treatment / service Non-compliance with national standards with serious risk to patient / staff safety Inquest or ombudsman inquiry Key objective not met > 25% over budget / schedule slippage Permanent loss of service or facility Single loss / capital spend > 3,000,000 Recurring loss Recurring loss > 1,000 > 10,000 (e.g. loss of income) (e.g. loss of income) Adverse Rumors Local Media < 3 Publicity or Potential for local Days Risk Management community Policy concern Reputational May 2015 Public Board Recurring loss > 100,000 (e.g. loss of income) Local Media > 3 Days Recurring loss > 500,000 (e.g. loss of income) National Media < 3 Days Recurring loss > 1,000,000 (e.g. loss of income) National Media > 3 Days Questions in the Commons Public Inquiry

21 TABLE 4-THE LIKELIHOOD SCORE May 2015 Public Board

22 Links to Strategic Themes: Quality and Safety X Innovation Viability and Growth Integration X Service Delivery Culture and People Links to the Assurance Framework: Links to the NHS Constitution and Trust Values: This policy relates to all aspects of the Assurance Framework. Identify the Values to which the issues raised in this report relate by including a cross behind the relevant value(s) Working together for patients Respect and dignity Commitment to quality of care X Compassion Improving lives Everyone counts Links to CQC Domains: Identify which of the CQC domains are covered by this report by including a cross behind the relevant domain(s) Is it safe? Is it caring? Is it well-led? X Is it effective? Is it responsive to people s needs? Legal or statutory implications/ requirements: Monitor Risk Assurance Framework; Monitor Code of Governance. Public/Staff Involvement History: Previous Consideration: The has been developed and revised in collaboration with a wide group of staff as detailed in the document control section of the policy. This policy replaces the existing policy that was ratified in March May 2015 Public Board