Risk Management Policy. NHSLA relevant? B Can be disclosed to patients and the public

Transcription

1 Policy: R1 Risk Management Policy Version: R1/ 12 Ratified by: Trust Management Team Date ratified: 14 th November 2012 Title of Author: Head of Risk, Health and Safety Title of responsible Director Nursing & Patient Experience Governance Committee Quality Committee Date issued: 16 th November 2012 Review date: November 2015 Target audience: NHSLA relevant? Disclosure Status All Staff Yes B Can be disclosed to patients and the public EIA / Sustainability Implementation Plan G:\Trust Policies and G:\Trust Policies and Monitoring Plan G:\Trust Policies and Other Related Procedure or Documents: G:\Trust Policies and West London Mental Health NHS Trust Page 1 of 46

2 Equality & Diversity statement The Trust strives to ensure its policies are accessible, appropriate and inclusive for all. Therefore all policies will be required to undergo an Equality Impact Assessment and will only be approved once this process has been completed Sustainable Development Statement The Trust aims to ensure its policies consider and minimise the sustainable development impacts of its activities. All policies are therefore required to undergo a Sustainable Development Impact Assessment to ensure that the financial, environmental and social implications have been considered. Policies will only be approved once this process has been completed West London Mental Health NHS Trust Page 2 of 46

3 R1 Risk Manag ement Version Control Shee t Version Date Title of Author Status R1/ 01 April 2001 New policy Comment R1/02 August Director of Nur sing 2004 and Facilities R1/02 August 2004 August 2004 R1/03 December 2008 R1/04 27th January 2009 R1/05 20 August 2009 R1/06 29th Sept 2009 Director of Nursing and Facilities Director of Nursing and Facilities Risk Reduction Service Risk Reduction Service Risk reduction Service Risk reduction Service R1/07 Dec 2009 Medical Director Revised policy Working draft to go to risk management committee in January 2009 Revised policy circulated Revised draft policy to Quality & Risk Committee On 23/1/06, the policy was reviewed. No change. Review date extended to August 2006 Policy revised May 2007 and replaced on 28th November 2008 with working document- also out for consultation until 25/1/08 Endorsed at Risk Management Committee to go to January 2009 Board, pending minor amendments Revised strategy and policy approved at January 2009 Board. Revised policy issued In July 2009, the policy was revised and sent to Medical Director. The revisions were required to reflect changes to the Trust organisational (governance) structure Revised Policy Approved by Sept 09 Board Draft revised Revisions required to Policy presented reflect changes to the to Dec 09 ED and Dec 09 Q&R Cttee Trust governance structures. R1/08 26th Jan Medical Director Revised Policy Approved by Jan Cascaded Board R1/09 29th April 2010 Medical Director Revised Policy Cascaded Revisions made and approved at March West London Mental Health NHS Trust Page 3 of 46

4 R1/10 30th July 2010 R1/11 9th Feb 2011 R1/11 11th April 2011 Head of Health and Safety Head of Health and Safety Head of Health and Safety R1/12 Nov 2012 Head of Risk, Health and Safety Revised Policy Issued Revised Policy issued as working document, under consultation ending 28th February 2011 Revised Policy Issued Revised Policy issued 2010 Board Revised to ensure NHSLA compliance. Policy presented to Policy Review Group 20th July 2010 approved. Trust Board informed of changes and way forward See July CEO Report Policy and strategy (for ) separated (to facilitate regular review and monitoring of strategy). Additional tweaks to policy to ensure NHSLA compliance. Policy subsequently approved at Policy Review Group in March 2011 No changes made to working document version. Policy updated to reflect new Trust structure and to ensure compliance with NHSLA risk management standards 2012/13. To be presented to November 2012 TMT. Approved West London Mental Health NHS Trust Page 4 of 46

5 Content Page No. 1. Introduction (includes purpose) 6 2. Scope 7 3. Definitions Duties Chief Executive Executive Directors Service Managers Front-line Managers All Staff Risk Assessors Risk, Health and Safety Service CSU Risk, Health and Safety Advisers Internal Audit Clinical Audit Project and Partnership Lead Managers Risk Governance Groups Risk Management Risk Control (Response) Options Risk Register Board Assurance Framework Training Monitoring Fraud Statement (not required) References Supporting documents Glossary of Terms/Acronyms 27 Appendices West London Mental Health NHS Trust Page 5 of 46

6 1. INTRODUCTION West London Mental Health NHS Trust will, through the involvement of its employees, ensure that risk management serves as a mechanism for risk reduction. Also, by taking a proactive approach to managing risk exposure, the Trust will ensure protection of its patients, staff, visitors, assets and reputation. By successfully implementing the risk management strategy through this policy, the Trust will: support the achievement of the Trust s strategic aims; integrate risk management into the overall arrangements for clinical and corporate governance; have clearly defined roles and responsibilities for the management risk; improve patient safety through the adoption of a co-ordinated and multidisciplinary approach to the management of risk; encourage open and honest reporting of incidents through the use of a single incident reporting system; establish clear and effective communication that enables information sharing; of foster an open culture that allows organisation wide learning; ensure that risks are identified, assessed and prioritised for action; ensure that the staff, reputation and finances of the Trust are protected through the process of risk identification, assessment, control and elimination; and promote professional accountability and responsibility in multi disciplinary teams. The Trust will communicate the requirements of this policy to appropriate stakeholders through various communication mechanisms, including staff training and induction programmes, internal newsletters, the Trust Intranet site and the Trust s web site. West London Mental Health NHS Trust Page 6 of 46

7 2. SCOPE This policy applies to all those who work either for or on behalf of the Trust. Also, when working in partnership with other organisations, equally or more effective risk management policies, processes and procedures to those described in this policy will be used to provide greater assurance that those Trust partnerships will achieve their objectives. 3. DEFINITIONS Action Owner - the person who is given and accepts responsibility taking specific action to control a risk for Board As surance - a method for the effective and focussed management Framework of the principal risks to meeting the Trust s objectives Harm - means the possibility of death, injury, damage, loss or disease, dependant on the situation Hazard - something with the potential to either affect, adversely or otherwise, the achievement of business objectives or, in health and safety terms, cause harm. Residual Risk - after the consideration of the existing risk controls currently in place, the product of a hazard s potential impact and likelihood Risk - the likelihood of that hazard realising its potential, its likely severity and, if relevant, the size of the population likely to be affected Risk Assessment - is a process of identifying, controlling and managing etc. the significant risks both to the achievement of business objectives and, in health and safety terms, arising out of the work activity Risk Commissioner - the person who identified a risk, authorising its entry onto the risk register. Risk Management This person is responsible for assigning a risk to a risk owner. It may be appropriate for the risk commissioner to check, periodically, that the risk owner is taking appropriate action to control the risk. - The systematic application of principles, approach and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses West London Mental Health NHS Trust Page 7 of 46

8 Risk Owner - the person who is given and accepts responsibility for managing and controlling a specific risk. This person is responsible for identifying what actions are required (and who by) to control a risk more effectively. They will assign actions to an Action Owner and monitoring the completion in a timely manner of the actions. They will report progress periodically to the Risk Commissioner Risk Rating - the product of a hazard s potential Impact x Likelihood occurrence of 4. DUTIES 4.1 Chief Executive The Chief Executive is responsible for ensuring the Trust has in place an effective Board Assurance Framework and risk management arrangements. Therefore, he/she will: (i) ensure the Board Assurance Framework is kept current and provides the Board with high quality up-to-date information on the matters affecting achievement of the Trust s objectives; (ii) (iii) (iv) review and endorse the risk management policy and any associated risk management strategy; ensure adequate resources are made available to implement the risk management strategy; ensure the Executive Directors observe their risk management responsibilities; (v) working with the Executive Directors, at least six monthly, review the Trust s risk management performance; and (vi) ensure the Executive Directors review and take appropriate action on any risks identified at level 1 of the Trust Risk Register. Furthermore, annually, the Chief Executive will sign a Governance Statement, commenting on the ability of the Trust s systems of internal control to complement achievement of the Trust s objectives. 4.2 Executive Directors The Executive Directors are responsible for ensuring effective risk management arrangements exist in their directorates. In particular, they are responsible for West London Mental Health NHS Trust Page 8 of 46

9 maintaining the level 2 risk registers and managing the BAF/level 1 risks for which they are the risk owner. Therefore, Executive Directors will, in particular: (i) (ii) (iii) (iv) (v) assist the Chief Executive in meeting his/her risk management obligations, by effectively managing any risks arising from their work; ensure their directorate risk management arrangements are adequate and effective and that those working in or on behalf of their directorate observe the requirements of this risk management policy; recommend to the Trust Management Team for its consideration the addition of any new risks to the BAF/level 1 risk register; for any risks for which they are the risk owner, particularly those appearing at level 1 on the Risk Register, review and take appropriate risk management action (see section 7, below); on their level 2 risk register, consider and ratify the entry of any new risks (including those escalated from level 3), the deletion of obsolete risks and changes in the rating of existing risks; and (vi) recommend to the Statutory and Regulatory Compliance Group (or directly to Trust Management Team if there is no intervening Statutory and Regulatory Compliance Group meeting) for its endorsement, any directorate level 2 risks which they feel should be escalated to the BAF/level 1 risk register. (vii) review their risks at least monthly, particularly those identified at level 2 of the risk register. 4.3 Service Managers These senior managers are responsible for ensuring effective risk management arrangements exist in their services. In particular, they are responsible for maintaining the level 3 risk registers. Therefore, this includes ensuring: (i) (ii) (iii) all risks relating to their service(s) are adequately assessed and subsequently treated or controlled, as appropriate; the Trust s risk register is used as intended and risks are entered and maintained on that register in accordance with the requirements of this policy; they notify their director of any serious, imminent risks that pose an immediate threat to their service, clinical service unit etc or the Trust; West London Mental Health NHS Trust Page 9 of 46

10 (iv) (v) they consider and ratify, if necessary, the entry on their level 3 risk register of any risks those that report to them feel should be escalated from level 4; and their risks are reviewed periodically (at least monthly), particularly those identified at level 3, bringing to the attention of their Director, any risks they feel should be escalated to the Director s level 2 Risk Register. 4.4 Front office managers e.g. Ward Managers and Team leaders Front office and clinical line managers are responsible for ensuring effective risk management arrangements exist in their wards and teams etc. In particular, they are responsible for maintaining the level 4 risk registers. This includes ensuring: (i) (ii) (iii) (iv) risks are adequately assessed and subsequently treated or controlled, as appropriate; the Trust s risk register is used as intended and risks are entered on that register in accordance with the requirements of this policy; they notify their manager of any serious, imminent risks that pose an immediate threat to their ward or team etc; and they review periodically (at least monthly) and take effective controlling action on all risks concerning their ward or team identified at level 4 of the Trust Risk Register, bringing to the attention of their Service Manager any risks they feel should be escalated to the Service Manager s level 3 Risk Register. 4.5 All Staff Employees will assist managers in meeting their risk management obligations. In particular, employees will: (i) (ii) (iii) cooperate with their manager etc and colleagues in using any identified measures to treat or control risks; report to their managers any hazards of which their manager was previously unaware; and notify their manager of any serious, imminent risks that pose an immediate threat to their ward, team, staff, service users & others. 4.6 Risk assessors Where there is an explicit requirement to carry out an assessment for a specific risk area, the persons responsible for carrying out the risk assessment will be detailed in the relevant policy. West London Mental Health NHS Trust Page 10 of 46

11 For example, the responsibilities of those who are required to carry out clinical risk assessments are described in the Clinical Risk policy, C27. Similarly, the responsibilities of those who are required to carry out health and safety risk assessments are described in the Health and Safety policy, H Risk, Health and Safety Service The Risk, Health and Safety Service is responsible for: (i) advising the Trust on best practice both in risk management and Board Assurance Framework matters; and (ii) monitoring Trust-wide compliance with the requirements of this policy by sampling aspects of the Trust risk management arrangements, in particular, at level 1 and 2 of the risk register, and reporting to the risk owner both the findings from the monitoring exercises and any recommendations for improvement. Working in this service, the Head of Risk, Health and Safety is responsible for reporting periodically to the Executive Directors, Trust governance groups and others on both the level of compliance with this policy and relevant changes to the BAF and risk register entries (e.g. by the monthly production of level 1 and leve l 2 risk scorecards) 4.8 Clinical Service Unit Risk, Health and Safety Advisers These Risk, Health and Safety Advisers are responsible for: (i) (ii) (iii) advising their Clinical Service Unit (CSU) on best practice in risk management matters; monitoring CSU-wide compliance with the requirements of this policy by sampling aspects of the CSU risk management arrangements, in particular, at level 3 and 4 of the risk register, and reporting the findings from the monitoring exercises and any recommendations for improvement to the risk owner; and reporting periodically (at least six-monthly) to their CSU Director the CSU-wide level of compliance with this policy. 4.9 Internal Audit The Internal Audit service is responsible for providing the Trust with independent assurance on: (i) the Trust risk management arrangements, including the effectiveness and appropriateness of those arrangements; and (ii) the BAF, including the effectiveness of the risk controls, the validity of the assurances listed and the appropriateness of the actions being taken to secure more effective risk control. West London Mental Health NHS Trust Page 11 of 46

12 4.10 Clinical Audit The Clinical Audit service is responsible for providing the Trust with independent assurance on: (i) (ii) (iii) clinical processes, in regard to the appropriateness of their design and how well they are working; the management of key clinical risks, including the effectiveness of the controls and other responses to these; and the reporting and management of clinical risk Project and Partnership Lead managers Project and partnership lead managers are responsible for ensuring any Trust project s, partnerships or joint ventures either use this Trust policy or have in place adequate risk management arrangements which are equally or more effective than the processes and procedures detailed in this policy. 5. RISK GOVERNANCE GROUPS 5.1 Trust Board The Board is accountable to the Strategic Health Authority (NHS London) for the performance of the Trust. The Board is responsible for ensuring the Trust achieves its objectives. The Board requires regular assurance from various Trust groups and individuals that the Trust is doing its reasonable best to meets its objectives and to protect from adverse events its patients, staff, the public and other stakeholders. Therefore: (i) (ii) (iii) monthly, the Board will receive an extract of certain details from the current level 1 risk register, presented in a risk scorecard, showing the risk descriptions, associated current risk ratings and associated risk owner; bi-monthly the Board will review the Board Assurance Framework, noting the controls, assurances, gaps and actions associated with each level 1 risk register entry; and at each meeting, Board will receive assurance, directly and indirectly, from (the Chairs of) each of those governance groups to whom TMT have allocated risks (the responsible committees ) regarding the degree to which its risks are real and, also, the degree to which appropriate action is being taken to manage the risks effectively. West London Mental Health NHS Trust Page 12 of 46

13 To help inform the Governance Statement, made annually by the Chief Executive, the Trust needs to be able to demonstrate to its stakeholders that the Board: is being kept informed through assurance products about all (clinical and non-clinical) risks and risk controls; and understands the totality of risk, based on all the evidence presented. The Board is supported in its work by various individuals, groups and committees (see Appendix 1 for the Trust governance group chart). However, the four committees listed below (see 5.2 to 5.4, below) have key supporting roles. Those four committees, plus the Broadmoor and St Bernard s Programme Redevelopment Boards, will provide assurance directly to the Board; other governance groups, who are appointed by Trust Management Team as a responsible committee, will provide assurance indirectly to Board through one of the four committees listed in 5.2 to 5.4 below. 5.2 Quality Committee Reporting directly to the Trust Board, and indirectly to the Audit Committee, this Committee has overall responsibility for the Trust risk management arrang ements. Therefore, the Quality Committee provides assurance to the Board (and indirectly to the Audit Committee) that there are effective risk management systems in place. The Committee will monitor and review the effectiveness of the risk management policy and any associated risk management strategies. In carrying out this work, it will monitor the adequacy of any of the related Trust policies in place for ensuring there is compliance with relevant regulatory, legal and codes of conduct requirements. 5.3 Finance & Investment Committee Reporting directly to the Trust Board, this Committee provides assurance to the Board on the Board Assurance Framework risks from which it is the responsible committee, financial management, commercial activity and information management. 5.4 Trust Management Team Trust Management Team (TMT) will: (i) monthly, review the Board Assurance Framework (BAF) and level 1 risk register, debating and ratifying additions to, deletions from and changes to the risk ratings in the BAF and level 1 register. When a new risk is entered in the BAF/ level 1 risk register, TMT will appoint a risk owner to manage the risk and a Trust governance group (as the responsible committee) to provide assurance to the Board that a risk is real and appropriate action is being taken to manage the risk; West London Mental Health NHS Trust Page 13 of 46

14 (ii) six monthly, review Trust-wide compliance with the requirements of this policy (by receiving and considering the contents of a report from the Head of Risk, Health and Safety) and, where any areas for improvement have been identified, task individual Directors with taking suitable action, as appropriate; and (iii) provide assurance to the Board on the effectiveness of the Trust risk management arrangements and the Board Assurance Framework risks for which it is responsible. 5.5 Audit Committee The Audit Committee provides independent assurance to the Board that there are effective systems of internal control and risk management in place. In particular, the Committee will: (i) review the adequacy of the policies for ensuring that there is compliance with relevant regulatory, legal and codes of conduct requirements; (ii) review the adequacy of the policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the Counter Fraud Services; and (iii) review the adequacy and effectiveness of the Board Assurance Framework. The Audit Committee will review the Board Assurance Framework at least quarterly. 5.6 Statutory and Regulatory Compliance Group As a sub-group of the Trust Management Team, the Statutory and Regulatory Compliance Group will: (i) periodically (at least bi-monthly) review the level 2 risk register compliance with the requirements of this policy and, where any areas for improvement have been identified, task the Group s directorate representative with taking suitable action, as appropriate; and (ii) Recommend to Trust Management Team the escalation to the Board Assurance Framework/level 1 risk register of any risks appearing on the level 2 risk register which are not represented already in the BAF/level 1 risk register. The Assistant Company Secretary will ensure the terms of reference of the governance groups that have responsibility for risk have in them suitable reference to risk. West London Mental Health NHS Trust Page 14 of 46

15 6. RISK MANAGEMENT Risk management, a key element in the Trust s assurance framework, is defined as The systematic application of principles, approach and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses Therefore, risk management includes the process of identifying risks, risk assessment, formulating a risk response, risk reporting and risk review. Risk management is as much about exploiting potential opportunities as preventing potential problems. The ris k register is used to record those risks which are most likely to materialise and significantly affect either the (a) (b) achievement of business objectives; business continuity; and (c) statutory and regulatory compliance. The re gister should also be used to record significant new business opportunities and innovation possibilities. There are several key steps in the risk assessment process; they are listed below: 6.1 Step 1 - List the service, business or activity objectives Each Trust Clinical Service Unit, division, department or service will have its annual objectives, derived from the Trust s overall annual objectives. In the case of a project, this will have its own project objectives. In the case of health and safety, for this stage, should be listed e.g. portering or ward nursing (both of which give rise to a risk of injury from, amongst other things, manual handling) 6.2 Step 2 - Hazard Identification For each objective, identify the main things (hazards) that might occur which might affect (positi vely or negatively) the ability of the service (or business or Trust) to either: (a) (b) achieve its objectives; or continue to provide a minimum business continuity). standard of service (i.e. threaten West London Mental Health NHS Trust Page 15 of 46

16 Various tools can be used to help identify hazards which might threaten the achievement of business objectives etc; these include: (i) (ii) (iii) (iv) (v) (vi) PEST analysis (which is an acronym for Political, Economic, Social and Technological); SWOT analysis (which is an acronym for Strength, Weaknesses, Opportunities and Threats), using the findings of the PEST analysis; Stakeholder analysis, using a Power/Interest matrix; Brainstorming; Cause and effect diagrams; and Root cause analysis. There are a variety of sources of information which can be consulted to identify potential hazards/ problems and their associated risks. These are shown in the table below. (Proactive source) (Reactive source) M HRA safety alerts Adverse Incident/ incident / accident reports HSE guidance NHSLA risk management standards Internal/ external targets Specialist committee recommendations External assessments, reviews and inquiries e.g. Care Quality Commission, NHS Litigation Authority (NHSLA) Complaints Claims Sickness/ absence data Workplace checklists/ monitoring Accreditation body reports Information f rom other healthcare organisations Insurers Patient satisfaction surveys Staff opinion surveys Other external regulatory authorities Service/ business plans bodies/ Organisational change Staff turnover/ exit interviews National standards and guidance e.g. NICE, Confidential Inquiries, PEAT, Improving Working Lives, standards for better health Audit (Clinical and Internal) Staff/ patient concern, experience, Internal inquiries and reviews West London Mental Health NHS Trust Page 16 of 46

17 observation, feedback Office / ward patterns moves/ changes to working Equality Impact Assessments 6.3 Step 3 - Analyse and evaluate the hazard to identify the principal risks For each hazard, the risk must be estimated of whether or not the hazard will actually materialise and affect achievement of the objective (see appendix 3 for details of typical risk types) Then, for each risk, estimate the impact (see appendices 3 and 4) and likelihood of its occurrence (see appendix 5 for the likelihood/impact matrix) When considering the impact, take into account things such as the: consequences to the Trust of failing to achieve the objective; importance, in business continuity terms, to the service of achieving the objective; number of people/patients likely to be affected; vulnerability of the people concerned e.g. elderly, infirm, children, disabled; and frequency with which the hazard will materialise. The risk (its likelihood and impact) should be considered as it currently presents itself. From the values of likelihood and impact, a risk rating (the score) can be made (see appendix 6); this allows risks to be quantified, enabling focus on those highest scoring risks i.e. the principal risks. The scoring of the risks will make them fall into one of the three categories below: (i) (ii) (iii) those risks scoring high (red); those risks scoring medium (amber); and those risks scoring low (green). Using these categories helps the Trust/service identify the principal risks to achievement of its objectives and to determine what action should be taken to control and mitigate these risks. At the very least, the principal risks (i.e. those scoring red or amber) should be entered onto the risk register. The risk should be articulated fully in relation to the risk and its consequence. For example, the risk of a negative effect on the achievement of an objective West London Mental Health NHS Trust Page 17 of 46

18 might be articulated as 'Failure to achieve... resulting in.....', ' Failure to obtain..., resulting in...', 'Failure to implement..., resulting in...' The manager/person who identified the risk and authorised its entry onto risk register is known as the Risk Commissioner The Risk Commissioner will appoint a Risk Owner who will be responsible for managing the risk, taking steps 4 and 5, below. NB Individual risks (centring on a patient) are managed through clinical risk management procedures (see the Clinical Risk policy, C27) Step 4(a) - Identify the additional controls required If the Risk Owner decides to Retain (and Reduce) a risk (see Section 5, below), for each of the principal, highest scoring, risks which are either red or amber, the risk owner must identify the further controls (i.e. investment, policies, procedures, protocols, training or physical controls) that need to be put in place to mitigate or manage the risk and secure successful achievement of the objective( or adequate control of the health and safety risk). All these additional controls can be aggregated into an Action Plan Periodically, (for example, every time an action is completed and, in any event, every month) the Risk Owner should review the Action Plan and its implementation, ensuring each specific action is implemented on time Step 4(b) - Forecast the target risk Forecast the target risk level, which will assume the additional required controls will all be implemented on time. 6.5 Step 5 - Implement the Action Plan A n individual must be named (with their consent) as being responsible for ensuring each specific action is carried out by the due date; this person will be the Action Owner. All significant risks requiring capital or revenue funding should, if necessary, be incorporated into service business plans. Once all the actions in the action plan have been implemented, the risk entry should be review ed. If the risk has been adequately controlled, such that it is now rated low (i.e. green), then the entry should be archived. If, after the actions have all been implemented, the rating remains either high (red) or medium (amber) and no further actions are possible or planned, following discussion on the way forward with the senior line manager, the risk should remain on the register with the endorsement of the senior line manager and the justification noted. The risk entry should be reviewed periodically (e.g. monthly) and, if necessary, revised. West London Mental Health NHS Trust Page 18 of 46 the

19 Appendix 2 shows a worked example Service managers are responsible for ensuring health and safety risk assessments are carried out. They can obtain guidance on how to complete these assessments from the Exchange Health and Safety web pages and, also, help in performing these assessments from Risk, Health and Safety Advisers who have received appropriate health and safety risk assessment training. 7. RISK CONTROL (RESPONSE) OPTIONS There are 5 main options on how to control/respond to a risk: 7.1 Option 1 Avoid (or Eliminate) the risk This means either not proceeding with an activity or withdrawing from it. Risk avoidance may be seen as a cost-effective way to manage a risk. 7.2 Option 2 Seek the risk Risk which could impact favourably on the Trust /service business objective or activity, can make pursuing or continuing with that activity more attractive 7.3 Option 3 Retain (and reduce) the risk The majority of risks are managed in this way. The purpose of modification is to optimise potential opportunities and minimise threats. Risk modification may involve taking steps to change either the likelihood of occurrence, the risk consequences or the population affected (or all three factors). 7.4 Option 4 Transfer the risk This might be done by conventional insurance, contractual arrangements, or through partnerships. Where risks are transferred, a new risk is created in rela tion to the ability of the transferring organisation to manage the insurer or contractor. The Trust will purchase insurance both as necessary and desirable, and where required by law or contractual agreement, to provide protection against major financial risk to the Trust (see Insurance in the NHS Health Service Circular HSC1998/174). For some categories of risk, the Trust is covered by its membership of pooling schemes administered by the NHS Litigation Authority. The Liabilities to Third Parties Scheme (LTPS), the Clinical Negligence Scheme for Trust s (CNST) and The Property Expenses Scheme (PES) were established in 1999 to provide a means for NHS organisations to fund the cost of legal liabilities and property losses. West London Mental Health NHS Trust Page 19 of 46

20 7.5 Option 5 Tolerate the risk This means taking no further action. This might be an option because no further worthwhile (or cost-effective) actions can be devised. Or it might be because the only available actions are unacceptable for some reason. Whatever the reason, the rationale for tolerating the risk must be clearly documented. In no circumstances should high or medium health and safety risks be retained. Action must always be taken to reduce these health and safety risks to as low as is reasonably practicable 7.6 Which controls for which category of risks? (iii) High (i.e. red) risks Immediate action must be taken to control the risk. Control measures should be put in place, which reduce to an acceptable level either the impact, the likelihood, the population affected or all three. Significant resources may have to be allocated to reduce these types of risk. In the event mitigating action cannot be taken immediately (e.g. for those red risks appearing at levels 1 and 2 of the risk register) and the risk is likely to remain red for more than one month, then the risk owner must ensure their senior manager (or director or chief executive, as appropriate) is aware of the continuing high risk. (ii) Medium (i.e. amber) risks Efforts should be made to reduce the risk to an acceptable level, but the costs of the selected control option should not outweigh the potential benefit. Some such risks may be temporarily acceptable, if new controls are currently in the process of being implemented. In the event mitigating action cannot be taken immediately (e.g. for those red risks appearing at levels 1 and 2 of the risk register) and the risk is likely to remain red for more than two months, then the risk owner must ensure their senior manager (or director or chief executive, as appropriate) is aware of the continuing risk rating. (i) Low (i.e. green) risks No further action or additional control is required. Existing controls should be monitored and adjusted as necessary. Consideration should be given to a more cost-effective solution or improvement that imposes no additional cost burden. Appendix 2 shows a worked example. West London Mental Health NHS Trust Page 20 of 46

21 8. RISK REGISTER A Risk Register details, in order of relative importance, all the significant risks in various categories (see appendix 3) facing the Trust which are most likely to affect (positively or otherwise) achievement of the Trust s objectives. The Trust s risk register is held electronically, on the Exchange (Intranet). 8.1 Level 1- Trust-Wide Risk Register Trust-wide risks are those risks concerned with ensuring overall business success, vitality and viability. These risks comprise the Board Assurance Framework. Therefore, the Risk Register details strategic risks which have a potentially significant effect on the Trust s ability to achieve its objectives in the medium to long term that: (i) (ii) (iii) (iv) have been identified through current and previous Risk Register updates, Executive Directors networks and Trust governance groups; have been identified through adverse events and audits which appear to have Trust-wide implications; have been escalated to the register from a lower level risk register at the recommendation of the risk commissioner because of its Trust-wide impact; and have arisen from the actions or attentions of key stakeholders. The level 1 (Trust-wide) Risk Register will be reviewed at least monthly by the Board (in the form of a risk scorecard). 8.2 Level 2 - Clinical Service Unit/Corporate Service These risks are maintained at Clinical Service Unit (CSU) and Corporate Service directorate level. Therefore, these risks are concerned with ensuring the performance and vitality of the Trust s larger business units The relevant CSU Director or Corporate Service Director is responsible for developing and maintaining these registers, monitoring the risks and identifying actions to treat the risk. For the purpose of internal control, Directors are asked annually to complete and sign Local Risk Register Assurance Statements to confirm the existence of review processes for their local risk register and that reviews are being regularly undertaken. The level 2 risk registers will be reviewed at least monthly by the Statutory and Regulatory Compliance Group (in the form of a risk scorecard). West London Mental Health NHS Trust Page 21 of 46

22 Each CS U and Corporate Service will review its level 2 risk register at least monthly e.g. in a CSU senior management team or performance meeting. 8.3 Level 3 and 4 - Local Registers (level 4 for wards and teams; level 3 for corporate services) These are maintained at service (or team or ward) level and detail risks for that service, which threaten the achievement of service objectives. CSU managers are responsible for developing and maintaining these registers, including monitoring the risks and identifying actions to deal with each risk. Input from other groups (e.g. local Clinical Improvement Groups) can be extremely useful when deciding what action to take. The manager should ensure that any identified risks which fall under the jurisdiction of another service are reported to the responsible person for that service. The manager should continue to liaise with the service to which the risk was reported, to ensure that appropriate action is taken the deal with the risk. The level 3 and 4 risk registers will be reviewed at least monthly by the team manager e.g. in each team meeting. 8.4 Escalating risks Where a risk has not or cannot be resolved locally (e.g. at level 3 or 4, because it involves cross-team/cross-service issues or significant resources), following discussion with and endorsement by the senior service manager or director, the risk may be escalated to the next level up (e.g. from level 3 to level 2). For example, the management of excessive temperatures (either too cold or too hot) in a building may involve several teams and services that share the building and, also, the Capital, Estates & Facilities service. The level of coordination required may mean the risk should be escalated to the next level higher. If any risks emerge (health and safety or otherwise) which present a serious and imminent threat to the Trust, line management should be notified. The diagram in appendix 9 shows the risk escalation levels. 8.5 Reviewing risks All risks must be reviewed at least monthly. Some risks may be changing so qui ckly that the risk owner may need to review them on a more frequent basis Risks must be reviewed if there has been a significant change or event. For example: the nature of the service offered has changed the way the service is delivered has changed West London Mental Health NHS Trust Page 22 of 46

23 there has been an accident / incident; a safety alert (e.g. from the NPSA) has been received new machinery /technology or working procedures have been introduced / changed; or there is reason to believe the present assessment is no longer valid. 8.6 Deletion of Risks from the register Risks should only be removed from the register on the authority of either the risk commissioner or the risk owner. In exceptional circumstances, the removal may be authorised by an Executive Director. Risks must be considered for deletion from the register when either (a) (b) all the actions detailed in the action plan (see section 6.5, above) have been taken, and the risk is being adequately controlled; or the work activities and environment have changed so significantly that the risk is no longer applicable. Red or amber risks that are retained (see section 7.3, above) will remain on the register for as long as they remain relevant. When any risks are deleted from the Trust-wide register (i.e. level 1), this will be reported by the Head of Risk, Health and Safety to the next TMT meeting. The relevant responsible committee (see section 5, above) and the Audit Committee will also be informed of the same. Risks which have been removed from the level 2 risk register will be reported by the Head of Risk, Health and Safety to the next meeting of the Statutory & Regulatory Compliance Group. 9. BOARD ASSURANCE FRAMEWORK The Board Assurance Framework provides the Trust with a simple but comprehensive method for the effective and focused management of the principal risks to meeting the Trust s objectives. In this way it provides a structure for obtaining the evidence to support the Governance Statement. This simplifies Board reporting and the prioritisation of action plans, which, in turn, allows for more effective performance management. The key elements of a Board Assurance Framework (BAF) are the: (i) (ii) establishment of the Trust s principal objectives (strategic & directorate); identification of the principal risks that might threaten the achievement of these objectives; West London Mental Health NHS Trust Page 23 of 46

24 (iii) (iv) (v) (vi) (vii) (viii) identification and evaluation of the key controls intended to manage these principal risks; setting out of the arrangements for obtaining assurance on the effectiveness of the key controls across all areas of principal risk; evaluation of the assurance across all areas of principal risk; identification of the positive assurances and areas where there are gaps in controls and or assurances; putting in place of plans to take corrective action where gaps have been identified in relation to principal risks; and maintenance of dynamic risk management arrangements including, crucially, a well-informed risk register. Therefore, the BAF provides the Trust with a simple framework for reporting key information the Board. It identifies which of the Trust s objectives are at risk either because of inadequacies in the operation of controls or because the Trust has insufficient assurance about them. At the same time it provides structured assurances about where risks are being managed effectively and objectives are being delivered. The primary focus is confidence that effective processes are in place to deliver the strategic objectives of the Trust. This allows the Board to determine where to make efficient use of its resources and address the issues identified in order to improve the quality and safety of care. Where any significant gaps either in assurance or control are identified, they are recorded and an action plan to close the gap is developed and implemented. The Board has developed this framework and reviews the framework periodically to ensure that it gives a balanced view of the significant risks the Trust faces, and gives the Board a sound framework upon which to make judgements about the level of assurance it has that risks are being managed. The Board delegates review of the BAF to the Audit Committee. 10. TRAINING Risk management training and information is available for managers and staff at all levels Induction All new Trust employees attend the corporate induction course, which includes elements of risk management, before they commence their duties in the workplace. This corporate induction is followed by a local induction, delivered by the service line manager, during which time staff receive information on risks specific to that service. West London Mental Health NHS Trust Page 24 of 46

25 10.2 Mandatory Training Training on general risk management (i.e. the content of this policy) is not mandatory. However, the Trust prescribes mandatory training courses in certain specific areas of risk for certain staff grades e.g. clinical risk, manual handling, health and safety, safeguarding, fire, etc. The Trust Risk management principles are incorporated in these courses. A full list of the mandatory training course requirements and the staff grades who must attend these courses is described in the Mandatory Training policy, M Board Members All board members (i.e. the Executive and non-executive Directors) will either receive or have the opportunity to receive a briefing on the Board Assurance Framewo rk and risk management, to ensure they are aware of their risk management obligations. The briefin g provides an understanding of the: legal framework of risk management; theory and practice of risk management; Trust policy and procedures for recording and managing risk; risk management and the Board Assurance Framework responsibilities of a Manager; responsibilities of staff; and responsibilities of the organisation. New Executive Board members will receive this briefing from the Head of Risk, Health and Safety within six months of their joining the Trust. Their receipt of this briefing will be recorded on their Trust Learning & Development record. This briefing is provided in addition to any training they are required to do in accordance with the Mandatory Training policy. Ne w non-executive Board members will be offered a briefing from the Head of Ris k, Health and Safety within six months of their joining the Board. Their receipt of this briefing is not compulsory as they may bring with them to the Trust extensive knowledge about risk management and Board Assurance Frameworks. In the event a non-executive Director does not take up this offer of receiving a br ief ing (i.e. non-attendance ), this will be reported to the Trust Chair. The Trust Chair will discuss this with the non-executive Director concerned (to gauge the extent of their current knowledge of risk management matters etc) and, if necessary, direct them to receive the briefing. Annually, the Internal Audit Service delivers to the Board a briefing, covering risk management and the Board Assurance framework. Those Board members West London Mental Health NHS Trust Page 25 of 46

26 who are unable to attend this briefing will receive a copy of the presentation with the Board agenda or minutes and, if they request it, a personal briefing from Internal Audit Staff All Trust staff will receive basic training on risk management as part of the Trust s Induction course and, also, during their mandatory refresher training. 11. MONITORING The Trust will use several performance measures to monitor compliance with the requirements of this policy (see appendix 8). Those performance measures will be reviewed and revised at least annually to ensure they continue to be an effective measure of policy implementation. Bot h the Trust Management Team and the Quality Committee will review the Trust s performance, in terms of compliance, at least quarterly and take effective action to ensure that performance improves continuously. 12 FRAUD STATEMENT Not applicable 13. REFERENCES (E XTERNAL DOCUMENTS) This policy should be read in conjunction with the following: Management of Risk, Office of Government Commerce Assurance the Board Agenda, Department of Health A Simple Rules Guide for the NHS Board Assurance Framewor ks, Good Governance Institute Taking it on Trust, Audit Commission 14. SUPPORTING DOCUMENTS (TRUST DOCUMENTS) Risk Management Strategy, Health and Safety Policy, H3 Engagement and Observation Policy Responding to External Recommendation from External Organisations, E2 Health Records, H8 Professional Registration policy, R3 Recruitment and Selection policy, R6 Induction policy, I14 Clinical Supervision for Nurses policy, C16 Supervision policy, S26 West London Mental Health NHS Trust Page 26 of 46

27 Mandatory Training policy, M12 Clinical Risk Policy, C27 Hand Hygiene policy, ICP5 Incident Reporting and Management policy, I8 Moving and Handling policy, M5 Security Management policy, S27 Managing Health and Attendance policy, S8 Safeguarding Adults policy, S28 Slips, trips and falls policy, F8 Inoculation and Sharps Injuries, ICP6 Patients Absent Without Leave, P1 Bullying and Harassment policy, B3 Violence Reduction and Management Mental Wellbeing policy, M3 policy, V2 Rapid Tranquilisation policy, R10 Producing Information for Service Users and Carers, I10 Dual Diagnosis policy, D2 Medicines policy, M2 Enhanced Engagement & Observation policy Physical Healthcare policy, P15 Basic Life Support policy, B4 Infection Prevention & Control policy, ICP1 Care Programme Approach policy, C2 Management of Complaints, Concerns, Compliments and Suggestions policy, C1 Claims Handling policy, C14 Clinical Audit policy, C28 NICE-Implementing Best Practice, N1 Management of Recommendations from National Confidential Enquiries, N2 Being Open policy, O2 Diversity & Equality policy, D3 15. GLOSSARY OF TERMS / ACRONYMS NHS - National Health Service BAF - Board Assurance Framework CSU - Clinical Service Unit TMT - Trust Management Team PEST - Political, Economic, Societal, Technological SWOT - Strengths, Weaknesses, Opportunities, and Threats NHSLA - National Health Service Litigation Authority PEAT - Patient Environment Action Team LTPS - Liabilities to Third Parties Scheme CNST - Clinical Negligence Scheme for Trusts PES - Properties Expenses Scheme NPSA - National Patient Safety Agency West London Mental Health NHS Trust Page 27 of 46