Risk Management Framework Policy (incorporating the Risk Management Policy and Strategy)

Transcription

1 Corporate Risk Management Framework Policy (incorporating the Risk Management Policy and Strategy) Document Control Summary Status: Version: Replacement. Replaces: Management of the Assurance Plan and Risk Register Policy (R/GRE/rm/10) v1.0 Date: March 2016 Author/Title: Owner/Title: Approved by: Ratified: Related Trust Strategy and/or Strategic Aims Implementation Date: Review Date: Key Words: Associated Policy or Standard Operating Procedures Sarah Hankey - Risk and Claims Manager Liz Lockett - Associate Director of Quality & Risk Policy and Procedures Committee Date: 17/03/2016 Trust Board Date: 22/03/2016 Provide high quality. Recovery focused services and Deliver regulatory, financial, performance and quality standards. March 2016 March 2019 Board Assurance Framework; Risk Register; Appetite Risk Register SOP Assurance Plan SOP

2 Contents Paragraph Title Page 1 Introduction 3 2 Strategic Aims 3 3 Board Intent 4 4 Scope of Framework 4 5 Risk Management Framework 5 6 Strategic Risks Board Assurance Framework Assurance Plan Risk Register Risk Appetite 5 7 Risk Management Organisational Structures Organisational Development Corporate Accountability Arrangements Individual Responsibilities 12 8 Systems and Processes for Managing Risk Establishing the Context Identifying Risks Analysing Risks Trust Risk Scoring Matrix Evaluating Risks Treating Risk 20 9 Performance, Audit and Review Training Arrangements Communication Other Relevant Procedural Documents Framework Review References 23 Appendix Appendix 1 Good Governance Risk Appetite Matrix 24 Change Control Amendment History Version Dates Amendments Page 2 of 24

3 1. Introduction Risk Management is a systematic approach to minimising exposure to risk by operating a risk management suite of policies, procedures and practices that work in unison to identify, analyse, evaluate, address and monitor risk. The Trust aims to establish a philosophy which ensures that risk management is embedded within the culture of the organisation and is an integral part of its operating systems and processes. The Trust actively encourages and fosters innovation and creativity however it recognises that alongside this risks need to be clearly identified, interpreted and proactively managed. Robust risk management is central to the effective running of the organisation and therefore it is the responsibility of all managers and staff throughout the Trust. The assessment and management of all risks is intended to manage out the potential for adverse events to occur. It is recognised that not all risks can be eliminated or avoided therefore when things do go wrong, a culture that values learning rather than blaming helps to promote a response that encourages the reporting of adverse events. This in turn provides the necessary information and subsequent actions to help minimise the risk of such incidents recurring. This can be achieved through partnership working and the involvement of all, including our service users and their carers. The Trust has is a legal requirement to ensure that assessments of health and safety risks to employees, and the organisation are carried out, and should be reviewed at regular intervals to ensure that they remain accurate and valid. The Management of Health and Safety at Work Regulations 1999 and the Workplace (Health, Safety and Welfare) Regulations 1992 (As Amended 2002) require that employers carry out assessments of the risks created by their operations, which may affect their employees, users of their services or anyone else who might be affected. Furthermore, the Corporate Manslaughter and Corporate Homicide Act 2007 highlights the commitment required of senior management to take reasonable steps to protect employees, users of their services or anyone else who might be affected where risks are created by their operations; therefore the implementation of robust risk management systems is of paramount importance. This framework therefore lays out the Trusts systematic approaches to risk management. 2. Strategic Aims The Trust s corporate strategy for risk management is fundamentally preventative; aiming to develop an organisational culture that openly supports the identification and management of risk and fosters positive risk behaviour. Therefore the strategic aims of this Risk Management Framework are: To protect service users, carers, personnel, contractors, members of the public and others who come into contact with the Trust, together with safeguarding the physical and electronic assets of the Trust. To integrate risk management into all business decision making, planning, performance reporting and delivery processes to support the Trust in achieving a rigorous basis for decision making. To identify and assess risks (including near misses) that could cause harm, disrupt services, impact on health and safety or lead to loss or damage. Page 3 of 24

4 To introduce and maintain cost-effective risk control measures to eliminate or minimise risks to an acceptable level, e.g., risk assessment, cost benefit analysis, identification of opportunity costs, planning risk treatments along with their monitoring and evaluation. To reduce the number and severity of incidents and actual loss and to ensure that remedial action reduces the probability of recurrence. To ensure that risk reduction measures are based on evidence based processes to measure effectiveness. To promote corporate, divisional, team and individual responsibility for risk, including staff understanding of the process for incident reporting and risk assessment, identification and management. To monitor the implementation and adoption of standards that control risks at the lowest reasonably practicable level. To ensure that there are fast, clear pathways where decisions need to be made quickly and to ensure support systems are in place working to agreed standards. To promote positive risk taking in the context of clinical care and controlled circumstances in conjunction with service users, carers and other members of staff. To encourage learning (individual and organisational) from all incidents To ensure that a robust Assurance Framework is embedded throughout the Trust and that the Annual Governance Statement can be signed with confidence. 3. Board Intent The Trust Board of Directors is committed to leading the organisation in the delivery of quality services through the continual development and implementation of robust Integrated Governance structures and processes. To achieve success in the delivery of quality it is essential that governance themes, assurance and risk are aligned to the Trusts strategy and that its strategic objectives are delivered in a coherent way. The Board of Directors intends that the risk management processes laid out within this framework will support the Trust in the achievement of its strategic objectives whilst ensuring that the best use is made of public funds. The purpose of this framework is to create within the Trust a positive risk culture that encourages its employees to consistently use its risk management policies and procedures and its Assurance Plan and Risk Register in order to: identify and control risks which may adversely the Trust operational ability and affect its annual governance statement; compare one risk with another using the Trusts risk scoring and grading matrix; where possible, eliminate or transfer risks or reduce them to an acceptable and cost effective level; otherwise ensure the organisation openly accepts the remaining risk; ensure that issues and concerns raised by internal and external audit and external assessment are addressed and resolved 4. Scope of the Framework This Framework applies to all employees of the Trust, including contractors and temporary/agency staff who are engaged on Trust work and in respect of any aspect of that work. Page 4 of 24

5 5. Risk Management Framework The risk management approach adopted by South Staffordshire and Shropshire Healthcare NHS Foundation Trust is based on the Australian Risk Management Standard AS/NZ 4360/2004 as summarised in figure 1 below. The Australian Risk Management Standard definition for risk is: The chance of something happening that will have an impact on objectives, which is measured in terms of consequences and likelihood Figure 1 Communicate and Consult Establish Context Objectives Stakeholders Criteria Define key elements Identify Risks What can happen? How can it happen? Analyse Risks Review controls Likelihood Consequenc e Level of risk Evaluate Risks Evaluate risks Rank risks Treat Risks Identify options Select best responses Develop risk plan Implement Monitor and Review The Trust Board is responsible for driving South Staffordshire and Shropshire NHS Foundation Trust forward to achieve its organisational objectives. This risk management strategy and its guiding framework are intended to support the Trust Board in achieving this aim by identifying any potential risks that could threaten achievement of its objectives and ensuring robust processes are in place to manage or mitigate any gaps identified in assurance. Further details of the Trust s strategic objectives are outlined in the South Staffordshire and Shropshire NHS Foundation Trust Strategic Plan Page 5 of 24

6 6. Strategic Risks 6.1 Board Assurance Framework Strategic and other risks confronting the organisation, and associated action plans form the Board Assurance Framework, and these risks are recorded using the South Staffordshire and Shropshire NHS Foundation Trust Assurance Plan and Risk Register Trust Assurance Plan The Trust Assurance Plan is a high level document that records the principal risks that could impact on the Trust achieving its strategic objectives. It provides assurance of where risks are being managed effectively and where objectives are delivered. It also identifies objectives where there are gaps in controls and therefore insufficient assurance. The Trust operates an Assurance Plan at a Trust Board level and the Assurance Plan is presented to the Trust Board on a quarterly basis with overall review of its delivery being undertaken by the Audit Committee. In addition to this each principal risk identified within the Trust Assurance Plan is allocated to a Trust Board Committee who are responsible for monitoring key controls and sources of assurance for each principal risk assigned to them. The Board Committees are also responsible for monitoring gaps in control and assurance for those principal risks assigned to them, ensuring that the level of risk is assessed, scored and reviewed Risk Register The Risk Register is a log that holds the main record of all identified risks that present a continuing threat to the Trust s objectives and operations. The risk register is derived from a number of sources and is a dynamic working log which covers all risks. The Trust operates a three tier Risk Register system which includes a trust level risk register, divisional risk registers and team risk registers. The trust level risk register is presented to the Trust Board on a quarterly basis and is monitored by each of the Board committees at each of their meetings. The Audit Committee take an overarching role for the monitoring of the trust level risk register and ensure that risks are reviewed in line with the timescales detailed within the register. As a further source of assurance The Divisional Management Team reviews the trust level risk register on a monthly basis. Divisional risk registers are monitored through the divisional governance groups at each meeting. Team level risk registers are monitored by the divisional leads with exceptions being reported through to the divisional governance groups. Details of the processes for creating and maintaining the Trust s Assurance Plan and risk registers are described in the Trust s Standard Operating Procedure for the Management of the South Staffordshire and Shropshire NHS Foundation Trust Assurance Plan and Risk Register Risk Appetite The Trust strives to be a risk embracing organisation which understands the importance of informed risk taking and recognises that there is an element of risk in most if not all of the activities it undertakes. The level of risk the Trust is willing to accept is intrinsically linked to each of its corporate objectives and for this reason it has been agreed that the risk appetite should not be prescriptive. The Trust s willingness to accept a risk will depend on which of the corporate objectives is at risk and the impact that the risk would have, should it materialise. This flexible approach is seen as Page 6 of 24

7 the most appropriate way to allow the Trust to make informed decisions for each specific risk exposure. The Trust endeavours to reduce risks to the lowest possible level reasonably practicable. Where risks cannot reasonably be avoided, every effort will be made to mitigate the remaining risk. However there is the recognition that by understanding the organisations risk appetite, this will ensure the Trust supports a varied and diverse approach to providing safe and effective services. Risk appetite is amount of risk that the organisation is prepared to accept, tolerate or be exposed to at any point in time. It can be influenced by personal experience, political factors and external events. Risks need to be considered in terms of both opportunities and threats and should not be confined to money. They will also invariably impact on the capability of the Trust, its performance and its reputation. The Board will set boundaries to guide staff on the limits of risk they are able to in the pursuit of achieving its strategic objectives. The Board will set these limits annually and review them as appropriate. The Board will set these limits based on whether the risk is: A threat: the level of exposure which is considered acceptable; An opportunity: what the Board is prepared to put at risk to encourage innovation in creating changes. To assist the Board in setting its risk appetite limits it utilises the Good Governance Institute Risk Appetite Matrix (Appendix 1). 7. Risk Management Organisational Structure 7.1 Organisational Development Overall corporate responsibility for the management of risk rests with the Trust Board; however, the Executive Director with overall responsibility for the co-ordination of risk management is the Chief Executive. Operationally, the Chief Executive has delegated responsibility for implementation of risk management as detailed in Figure 3 on page 14. All Trust directors and managers are responsible for the management of risk in areas over which they have direct responsibility. Other risks may be delegated as agreed with the Chief Executive and / or the Quality Governance Committee. There should be a joint approach between managers and staff to increase the effectiveness of risk management activities. All members of staff have a responsibility to co-operate with managers in identifying, assessing, monitoring and taking appropriate action to eliminate or minimise all risks. Staff will be supported and represented in this respect by the Trust s Health and Safety Committee, which are sub-committees of the Quality Governance Committee. The Board will aim to empower individuals in respect of these responsibilities and will support individuals where risk has been taken to an appropriate and acceptable level. Page 7 of 24

8 7.2 Corporate Accountability Arrangements Trust Board of Directors The Trust Board receives, approves, adopts, ratifies, and reviews reports on risk management and the strategies and policies developed to support risk management processes. Receives and approves the Trust s Assurance Plan and Risk Register and agrees priorities for action, including the approval of associated business plan objectives. Trust Management Team (TMT) The Trust Management Team is authorised to support the Board in ensuring compliance with all statutory and regulatory duties. This will include all compliance with Monitor Licence and Care Quality Commission registration duties and requirements. It will also ensure compliance with all quality and contractual issues relating to our contracts and commissioning arrangements. Further it will be responsible for ensuring all Board decisions are implemented and deployed. TMT is responsible for managing the risks associated with ensuring continued compliance against Trust terms of authorisation and all other prescribed compliance requirements and targets. As part of this responsibility TMT reviews the assurance framework on a monthly basis. Trust Board Committees All Committees: Are responsible for developing systems that ensure our services are safe, sound and compliant and that we learn from and manage all types of risk. Monitor the implementation of strategy, policy, control measures and action plans through reports produced by Directorates and sub-groups of the Committee. Explore any issue related to clinical and non-clinical risk including risk financing, business, litigation, PALS issues, complaints, incidents and clinical processes Are responsible for developing awareness and a risk management culture throughout the Trust through the production and dissemination of related information Advises on the co-ordination of strategy and policy, prioritises control measures, monitors performance and recommends improvements in the overall management of risk Are responsible for identifying, managing and reviewing risks assigned to them on the Trust Assurance Plan and Risk Register, liaising with other committees as required. In addition they are responsible for ensuring risks assigned to them are updated and that these updates are communicated to the Audit Committee who are responsible reviewing the Assurance Framework Provide evidence that all principal objectives, both Divisional and Trust, have been identified and the principal risks to achieving them are being managed Provide assurance that all significant risks, linked to the Trust strategic objectives and key delivery areas, have been identified and are being effectively managed Ensure that Trust policy relating to clinical and non-clinical risk is implemented and regularly reviewed. Page 8 of 24

9 Audit Committee: Is Responsible for ensuring that the Trust Board receives independent assurance and that the risk management systems in place are operating effectively. Reviews the Assurance Framework to ensure risks are being appropriately identified and managed by the Trust Board Committees Ensures that an internal audit plan is developed which periodically reviews the operation of the Risk Management system and grades the Trust s risk management process. The Trust aspires to reach the top grading of Risk Maturity. Ensures that follow up audits are conducted where appropriate. Considers the effectiveness of the risk management process when reviewing the Annual Governance Statement Reporting directly to the Board this Committee is a statutory requirement under corporate governance arrangements for the Trust. Periodically reviews the Risk Management Framework and Policy The Quality Governance Committee: Is responsible for the co-ordination of clinical effectiveness and clinical risk management activities to protect and conserve the human and physical assets of the Trust and of those who come into contact with the Trust Provides assurance to the Trust Board that clinical procedures are regularly reviewed in order to ensure their continuing effectiveness (Clinical Audit) To receive and consider reports on incidents, complaints and claims and ensuring follow up action and organisation wide learning takes place. To ensure that Divisions take ownership of respective risk management issues and develop local risk registers which feed into the trust level register To raise the level of awareness and accountability for health, safety and security of human and physical resources and to develop clinical and non-clinical risk management as part of the culture of the Trust. Health and Safety Committee: Develops and reviews risk related policies and procedures for consideration by the Quality Governance Committee. Prepares action plans and monitoring reports. Develops and reviews Divisional and Trust Risk Registers and ensures appropriate information is passed to the Trust Board and to individual Divisional Teams. Page 9 of 24

10 Receives information from the Divisions and assists with the co-ordination and development of risk management programmes throughout the Trust. Assists with the dissemination of learning and makes recommendations for training. Assists with the co-ordination and response to all related external assessments i.e. NHS Litigation Authority, Care Quality Commission Health & Safety Executive This group reports directly to the Quality Governance Committee on all risk related issues. Divisional Management Teams: Will appoint a member of the team to act as Risk Co-ordinator who will ensure that a Divisional Risk Register and risk treatment plan is developed. The Risk Co-ordinator will provide a single point of contact for members of the Trust s risk management team. They will receive information and reports from the team and ensure the same is disseminated throughout the Division. They will represent the Divisions interests at the Health & Safety Committee and provide reports for the Quality Governance Committee as required. Are responsible for ensuring the identification of clinical and non-clinical risks in the Division in accordance with the Risk Management policies of the Trust. Develop and formulate the Risk Management Programme for the Division including a Divisional contribution to the Trust s Risk Register and risk treatment programmes. Develop risk reduction measures and identify financial implications, with appropriate assistance. Implement action on risk management in their areas of control and monitor outcomes. Provide regular monitoring reports on clinical and non-clinical risks for the Quality Governance Committee. Consider areas such as insurance proposals, claims information, potential losses, actual losses, adverse events, near misses, PALS issues and complaints. In considering this information Teams will: o o o o Monitor risk management activities, particularly with regard to the standards set by the NHS Litigation Authority (NHSLA) and the Care Quality Commission. Consider and make recommendations on the development and implementation of risk management initiatives, including training programmes, audit and monitoring, communication exercises, policies, procedures and systems. Provide an overview of the Trust s risks in connection with the Division and develop a programme of risk management activities including risk treatment action plans. Highlight any particular areas of concern and make recommendations on risks to the Quality Governance Committee and when requested to the Trust Board on the most appropriate and cost effective utilisation of the resources for risk management. Page 10 of 24

11 Support services, for example, Executives, Corporate Administration, Quality, Risk Management, Health and Safety, Facilities and Estates, Finance and Human Resources will provide operational assistance to the teams as required. Heads of Clinical and other Professions and Risk Management service providers, including Auditors and Solicitors, will also provide support as required. Where risks or related issues are not discrete to one Division or organisation those involved will agree a lead and others to be involved appropriate to the prevailing circumstances at the time. The Terms of reference for all the key committees highlight their responsibilities in relation to this Risk Framework and are reviewed on an annual basis. Figure 2 Risk Management Accountability and Reporting Structure Audit Committee Trust Board of Directors Trust Management Team Finance and Performance Committee Quality Governance Committee Service User and Carer Committee Business Development Investment Committee Human Resources and Organisational Development Committee Sub Groups Sub Groups Business Continuity Group Medicines Optimisation Committee Policies and Procedures Committee Clinical Audit Project Group Infection Control Committee Mental Health Act Legislation Committee Research Development and Innovation Group Health and Safety Committee Medical Devices Group Page 11 of 24

12 7.3 Individual Responsibilities Chief Executive Has overall responsibility for risk management within the Trust and, as such, must prepare an Annual Governance Statement, as part of the statutory accounts and annual report. The Annual Governance Statement provides assurance that the organisation has systematically identified its objectives and managed the principal risks to achieving them. Director of Finance and Performance Has overall responsibility for the financial performance of the Trust and ensuring a sound system of internal control. Is the executive director lead for Information Governance and Counter Fraud and as such provides assurance report of this to the Trust Board and Audit Committee. Director of Quality and Clinical Performance Is the executive director lead for risk management, health and safety and security management and as such provides assurance reports on these areas to the Trust Board, Audit Committee and Quality Governance Committee. Has overall responsibility for the development of the Trust s risk management processes including external compliance with Care Quality Commission Essential Standards. Has management responsibility for the Associate Director of Quality and Risk and the Associate Director of performance for those aspects of work related to risk. Director of Nursing / Chief Operating Officer Is the executive director responsible for ensuring all clinical directorates operate in accordance with the risk management framework and other risk related policies and procedures. Has overall responsibility for all nursing issues as they relate to risk management. In addition they are responsible for infection control, medicines management, complaints, PALS, Safeguarding and Emergency planning. All Executive Directors All executive Directors must ensure that: Staff are clear about their responsibilities for risk management and the implementation of this strategy and associated policies. Staff are performance managed in their directorates, including objective setting, appraisal, training and development. The performance management process should reflect the corporate objectives and individual objectives and how risks to achieving them will be mitigated Risks are identified, assessed and managed across their areas of responsibility Their directorate assurance plan and risk register are reviewed regularly and reported accordingly Assurance surrounding risk controls are in place and actions arising from both internal and external reviews are reflected in the assurance plan and risk register Associate Director of Quality and Risk The Associate Director of Quality and Risk: Is responsible for leading the implementation of the Trust risk management systems and processes, and for the high level monitoring of all clinical and non-clinical risks, including external assessment by the NHSLA and any other risk management related assessments. Page 12 of 24

13 Is responsible for promoting effective risk management throughout the Trust and ensuring appropriate advice and training is provided. Is responsible for developing the Trusts risk and quality agenda and provides specialist knowledge, advice and assistance to Directors, managers and staff regarding risk management. Is required to develop and maintain risk related policies and procedures and provides a link to related governance and risk groups. Is required to provide operational management to the Trusts Risk Management Team and work closely with the Trusts Service Relations departments to ensure a consistent approach to the management of all risk related issues. Is required to ensure there is a systematic approach to the aggregation of incidents, complaints and claims on an ongoing basis. This is to ensure that there is an overarching regular report that links to the continual improvement of patient safety through a combined process for identifying trends and learning lessons. Risk and Claims Manager Supports the Associate Director of Quality and Risk in the coordination of the Trusts risk management systems and processes including: Reviewing, developing and publishing of risk management policies and procedures Management of the trusts incident reporting system and ensure incident reporting is in line with Trust policy Development and review of the Trusts Assurance Plan and Risk Register Supporting directorates with the development and maintenance of their assurance plans and risk registers Quality checking all risk registers to ensure consistent scoring of risks is undertaken in line with the Trusts risk scoring matrix Coordinate the Trusts Serious Incident reporting and investigation process and provide advice and support to lead investigators Prepare for external assessments from the National Health Service Litigation Authority and Health and Safety Executive Security Management Specialist Is responsible for the investigation and reporting of security related incidents in accordance with national guidelines. Develops related policies and procedures and works closely with the Trust s Risk Management Team. Health and Safety Lead Is responsible for: Providing general health and safety advice to managers and staff. For providing risk assessment support to managers. For training on health and safety related topics. For supporting the accident/incident reporting process. For developing health and safety related policies and procedures Chairing the Trust s Health and Safety Committee and working closely with the Trust s Risk Management Team. Page 13 of 24

14 Service Relations Manager Is responsible for the Trust s complaints procedures and provides regular management reports to Directors and the Trust Board and works closely with the Trust s Risk Management Team. PALS Co-ordinator Is responsible for receiving and acting upon all PALS related issues, providing appropriate reports to the Directors and the Trust Board and works closely with the Trust s Risk Management Team. Divisional Risk Co-ordinators Responsible for co-ordinating risk management activities within their respective Directorates. Receiving reports and disseminating information throughout the Directorate to ensure learning takes place. Developing the Directorate risk register and monitoring the risk assessment process. Providing the Trust s Risk Manager with regular updates of the Directorate risk register to ensure the Trust s risk register is kept up to date. Providing a single point of contact for the Risk Management Team and representing the Directorate at the Risk Co-ordinator s Group. Managers All managers are responsible for identifying risk and implementing and monitoring the effectiveness of any identified risk control measures within their area and scope of responsibility. Where significant risks have been identified and local control measures are considered to be inadequate these should be brought to the attention of the Directorate Risk Co-ordinator. These will then be included in the Directorate Risk Register and priorities for action set by the Directorate Team. Where such risks are rated as significant (score over 15) these will then be fed back to the Clinical Effectiveness and Risk Committee and the Board through the Trust s risk register. All Staff All staff have a responsibility to co-operate with managers in the overall management of risk. This includes the requirement to report all accidents, incidents and near misses, and to be familiar with and comply with all relevant Trust policies and procedures. Staff should be aware of all relevant emergency procedures and attend related training as required. All professionally qualified clinical staff members are responsible for the assessment and management of clinical activity risks. Patient's care coordinators, and staff covering their absence, have the lead responsibility. All staff are responsible for assisting in assessing, monitoring and acting to minimise Organisational and clinical risks. Page 14 of 24

15 Figure 3 Key Personnel Structure Chief Executive Director of Finance and Performance Director of Nursing / Chief Operating Officer Director of Quality and Clinical Performance Medical Director Director of Business Development Service Relations Manager PALS Co-ordinator Associate Director Quality and Risk Risk and Claims Manager Security Management Specialist Serious Incident Review Coordinator Health, Safety & Security Advisor Divisional Risk Co-ordinators 8. Systems and Processes for Managing Risk As previously stated the Trust has adopted the Australian/New Zealand risk management model. This is a generic model for identifying, prioritising and managing risks in all situations and at all levels and will be implemented by the Trust as follows: 8.1 Establishing the Context There is a close relationship between our mission, strategic objectives, key delivery areas and management of all the risks to which we are exposed. Decisions concerning risk acceptability and risk treatment may be based on operational, technical, financial, legal, social, humanitarian or other criteria. These often depend on policy, goals, objectives, and the interests of stakeholders, internal and external perceptions and legal requirements. It is important that appropriate criteria be determined at the outset for the identification, analysis and review of risks. 8.2 Identification of Risks All risks, whether under the control of the organisation or not need to be considered in order to operate safely, and a comprehensive log of risks that may affect processes or interventions undertaken within the Trust needs to be developed. Approaches used to identify risks include checklists, judgements based on experience and records, flow charts, discussion, systems Page 15 of 24

16 analysis, scenario analysis and systems engineering techniques. The approaches used will depend on the nature of the process or intervention to be undertaken and the type of risk. The Trust has a separate policy that details approaches to risk assessment and the ranges of procedures and risk assessment pro-forma that can be used depending on the type of assessment being undertaken Directors must ensure that for all potential hazards identified across their area of responsibility that risk assessments are carried out. This process should be inclusive and involve internal and external stakeholders as appropriate. 8.3 Analysing Risks Analysis of risk is undertaken to determine the potential of the risk to affect the process or intervention to be undertaken, and ultimately the risk to the Trusts ability to deliver its strategic objectives. Analysis of risk is based on consideration of the source of risk and the likelihood of its occurrence multiplied by the impact of affect should it occur. This analysis should also consider the effectiveness of existing controls for each risk identified. The Trust uses the Australian/New Zealand Standard (1999) Risk Rating Process to assess the impact of its risk against the likelihood of occurrence. This risk rating tool is shown in Figures 4, 5 and 6 on pages and is taken from guidance issued by the National Patient Safety Agency ( and further details of this process are provided in the Trusts Policy for the Management of the South Staffordshire and Shropshire NHS Foundation Trust Assurance Plan and Risk Register Trust Risk Scoring Matrix Figure 4: Probability score (P) What is the likelihood of the consequence occurring? The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency. Probability score Rare Unlikely Possible Likely Almost Certain Frequency How often might it/does it happen This will probably never happen/recur Do not expect it to happen/recur but it is possible/it may do so Might happen or recur occasionally Will probably happen/recur but it is not a persisting issue Will undoubtedly happen/recur, possibly frequently Figure 5: Impact score (I) Choose the most appropriate domain for the identified risk from the left hand side of the table, then work along the columns in same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column Page 16 of 24

17 Impact score Domains Insignificant Minor Moderate Major Catastrophic Impact on safety of patients, staff or public (physical/ psychological harm) Minimal injury requiring no/minimal intervention or treatment. No time off work Minor injury or illness, requiring minor intervention Requiring time off work for>3 days Increase in length of hospital stay by 1-3 days Moderate injury requiring professional intervention Requiring time off work for 4-14 days Increase in length of hospital stay by 4-15 days RIDDOR/agenc y reportable incident An event which impacts on a small number of patients Major injury leading to longterm incapacity/disabi lity Requiring time off work for >14 days Increase in length of hospital stay by >15 days Mismanagement of patient care with long-term effects Incident leading to death Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients Service/ business interruption Environmental impact Loss/interruption of >1 hour Minimal or no impact on the environment Loss/interruption of >8 hours Minor impact on environment Loss/interruption of >1 day Moderate impact on environment Loss/interruption of >1 week Major impact on environment Permanent loss of service or facility Catastrophic impact on environment Quality/ complaint/audit Peripheral element of treatment or service suboptimal Informal complaint /inquiry Overall treatment or service suboptimal Formal complaint (stage 1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) complaint Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Non-compliance with national standards with significant risk to patients if unresolved Multiple complaints/ independent review Low performance rating Critical report Totally unacceptable level or quality of treatment/ service Gross failure of patient safety if findings not acted on Inquest/ombuds man inquiry Gross failure to meet national standards Reduced performance rating if Major patient safety implications if Page 17 of 24

18 unresolved findings are not acted on Human resources/ organisational development/ staffing/ competence Short-term low staffing level that temporarily reduces service quality (< 1 day) Low staffing level that reduces the service quality Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Low staff morale Poor staff attendance for mandatory/key training Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Loss of key staff Very low staff morale No staff attending mandatory/ key training Non-delivery of key objective/service due to lack of staff Ongoing unsafe staffing levels or competence Loss of several key staff No staff attending mandatory training /key training on an ongoing basis Statutory duty/ inspections No or minimal impact or breech of guidance/ statutory duty Breech of statutory legislation Reduced performance rating if unresolved Single breech in statutory duty Challenging external recommendatio ns/ improvement notice Enforcement action Multiple breeches in statutory duty Improvement notices Low performance rating Critical report Multiple breeches in statutory duty Prosecution Complete systems change required Zero performance rating Severely critical report Adverse publicity/ reputation Rumours Potential for public concern Local media coverage short-term reduction in public confidence Elements of public expectation not being met Local media coverage long-term reduction in public confidence National media coverage with <3 days service well below reasonable public expectation National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House) Total loss of public confidence Business objectives/ Insignificant cost increase/ <5 per cent over project budget 5 10 per cent over project Non-compliance with national Incident leading >25 per cent Page 18 of 24

19 projects Financial, including claims schedule slippage Small loss Risk of claim remote Schedule slippage Loss of per cent of budget Claim less than 10,000 budget Schedule slippage Loss of per cent of budget Claim(s) between 10,000 and 100, per cent over project budget Schedule slippage Key objectives not met Uncertain delivery of key objective/loss of per cent of budget Claim(s) between 100,000 and 1 million Purchasers failing to pay on time over project budget Schedule slippage Key objectives not met Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Claim(s) > 1 million Figure 6: Risk scoring = Likelihood x Impact (Severity) (LxI) IMPACT (SEVERITY) Likelihood Insignificant 2 Minor 3 Moderate 4 Major 5 Catastrophic Rare Unlikely Likely Highly Likely Certain LOW RISK = 1-7 MODERATE RISK = 8-14 HIGH RISK = Page 19 of 24

20 8.4 Evaluation Risks Evaluation of risk is carried out on the basis of risk score (Figure 6 above). The risk score will determine the priority of the risk, further action to be taken, and the level within the organisation at which the risk will be reviewed. Low-level risks scoring between 1 and 7 will be managed at a department level and should be included within the department risk register. Medium-level risks scoring between 8 and 14 should be managed at a directorate level and should be included within the directorate risk register. High-level risks scoring 15 and over will be managed by the directorates but should be included in both the directorate risk register and the corporate risk register. High-level risks will be reviewed by the committee to the Trust Board to which they have been assigned and the Quality Governance Committee has an overarching responsibility for monitoring all corporate risks. 8.5 Treating Risks There are a range of options of dealing with or treating risk, dependant on the type of risk identified, its environment and the sufficiency of its control measures. The options for treating risk are given below in a suggested order of consideration: Avoid risk: Deciding not to proceed with the activity likely to generate the risk, ensuring that this option would not lead to missed opportunities, increased risk in other areas or inefficient use of resources Reduce impact: Setting limits or restrictions on activities that may help to reduce the impact of the risk or finding a different way to achieve the same result. Reduce likelihood: Which might include training and supervision, quality assurance, delegated authority levels, policies and procedures. Retain risk: Having reduced risk level through the implementation of control measures some risks may be retained, this is known as residual risk. Residual risks should be kept under review to see if the risk score can reduce further or if consistently low if the risk can be removed Transfer risk: Sharing or bearing the risk with another party. Where risks are transferred in whole or in part the organisation acquires a new risk in that the organisation to which the risk is transferred may not manage the risk appropriately. 9.0 Performance, Audit and Review The Trust operates a performance review process within Divisions on a six monthly cycle whereby the Director of Finance and Performance and Director of Quality and Clinical Performance will review performance against business plan objectives using key performance indicators. Risk Management is part of this performance review process and a range of objectives within Divisional business plans will reflect issues identified in the Division s Risk Register. The review process will also assess Divisional risks linked to the Trust Assurance Plan and ensure that risks associated with the achievement of principal objectives are being managed. Page 20 of 24

21 The Trust utilises a comprehensive risk management database (Ulysses Safeguard) to record all reported complaints, PALS issues, incidents and claims. From this information quarterly Trust and Divisional risk management reports are produced. These are discussed with Divisional Teams and the Quality Governance Committee in order to identify areas for improvement and learning. The Trust also produces a set on annual Quality Accounts, one of the components of this document is a summary of the Trusts key risk management issues and achievements. These accounts are publically available and are issued to all stakeholders. An annual audit plan will be developed by Internal Audit to verify the performance of the risk management systems in place and their effectiveness. This will enable any improvements to be identified and actioned, and also provide independent assurance to the Trust Board and Audit Committee. The Trust will also review performance through the results of the annual staff opinion survey along with other specific questionnaires and audits. The Trust s Clinical Audit department will also set out an annual clinical audit forward programme and report results back to the Quality Governance Committee. The range of benchmarks and internal and external performance indicators are utilised by the Trust to support its annual governance statement these include CQC inspections, compliance with fundamental standards and Intelligent Monitoring Reports NPSA National Reporting and Learning Service Combined Risk Management Reporting Incident and Serious Incident Reporting Complaints response times and outcomes Progress against Risk Register actions Training evaluation Clinical Negligence and Liability claims Sickness absence figures RIDDOR reports against national benchmarks PALS issues reported and response 10.0 Training Arrangements The provision of appropriate training is central to the successful implementation of the Risk Management Framework and policies. All staff members, including Board members and senior managers should undertake relevant risk management training. A management checklist identifying statutory and mandatory training for staff has been developed. This will be used for new employees and as part of the annual appraisal process for existing employees. Monitoring of attendance at such courses will be undertaken by the Training Department and fed back to managers for further action where necessary. Page 21 of 24

22 11.0 Communication To be effective this strategy must be communicated widely. To achieve this once approved the framework will be made widely available, both internally and externally to our key stakeholders. The framework will be released via a range of communication modes including: Trust intranet and internet, included within the Trust Policies section under Corporate Policies. Cascaded via the policy implementation process by authorised distributors to all staff Communicated via key committees and groups including, Quality Governance Committee, Trust Management Team, Health and Safety Committee Trust monthly indication programme Risk related training courses Direct distribution to stakeholders Communicated via Trust Learning Lessons Bulletin The Trusts previous Risk Management Strategy (R/GRE/rm/i) will be removed from the Trust policies web page Other Relevant Procedural Documents This framework should be read in conjunction with the following policies: Clinical Risk Assessment & Management Policy Assurance Plan Standard Operating Procedure Risk Register Standard Operating Procedure Non Clinical Risk Assessment and Management Standard Operating Procedure Health and Safety Policy Incident Policy Incident Reporting Standard Operating Procedure Serious Incident Reporting Standard Operating Procedure Duty of Candour Standard Operating Procedure Claims Management Policy Claims Management Standard Operating Procedure Security Management Policy Infection Control Policy 13.0 Framework Review This is a three year framework however it will be reviewed on an annual basis by the Quality Governance Committee or as changes in the assurance process require. The Associate Director of Quality and Risk will take the lead responsibility for co-ordinating the development, implementation, review and upkeep of this document and the processes and procedures detailed within it. Page 22 of 24

23 14.0 References Australian Risk Management Standard, AS/NZ Care Quality Commission (2015) Regulations for service providers and managers Department of Health (2003) Building and Assurance Framework: A Practical Guide for NHS Boards Good Governance Institute Risk Appetite for NHS Organisations (2012) HMSO (1974) Health and Safety at Work Act HMSO (1999) The Management of Health and Safety at Work Regulations Ministry of Justice (2007) Corporate Manslaughter and Corporate Homicide Act Monitor NHS Foundation Trust Reporting Manual (2014/15) NHS Litigation Authority (2010/11) Risk Management Standards for Mental Health Trusts National Patient Safety Agency (2008) A risk matrix for risk managers The Risk Register Working Group (2002) A Guide for Risk Managers on How to Populate a Risk Register Page 23 of 24

24 Appendix 1 Page 24 of 24