NHS North Somerset Clinical Commissioning Group Risk Management Strategy and Framework

Transcription

1 NHS North Somerset Clinical Commissioning Group Risk Management Strategy and Framework An Integrated Risk Management Framework Clinical Risk Management Financial Risk Management Corporate Risk Management Approved by: Governing Body Ratification Date: January 2017 Review Date: January 2018

2 Contents 1 Purpose Scope Aims Definitions of Risk Risk Management Controls Open and Fair Culture Accountability, Responsibilities and Management Arrangements Commissioned Services Risk Management Process Risk Management Committee Structure Governing Body Assurance Framework Partnerships to minimise risk Internal Auditors Corporate Risk Register Procedure Education and Training Monitoring Compliance and Effectiveness Appendix

3 1 Purpose North Somerset Clinical Commissioning Group (CCG) has a statutory and regulatory obligation to ensure that systems of control are in place to minimise the impact of all types of risk, which could affect patients, staff, public resources, and the function of the CCG. This includes both the risk to the organisation and the risk to those individuals to whom the CCG owes a duty of care. Risk Management is integral to the CCG s decision making and management processes and will be embedded at all levels across the organisation. The Risk Management Strategy demonstrates the approach to risk management and ensures there is a system for monitoring the application of risk management within the CCG, and that actions are taken in accordance with the risk grading action guidance contained in the Corporate Risk Register Procedure. This Strategy has been developed primarily as a tool to set out the CCG s key aims and objectives for the management of those risks that would impact upon the achievement of its strategic objectives. It has also been developed for the following specific reasons: To comply with legal and statutory requirements To assist compliance with national guidance To encourage proactive risk management To meet the CCG s commissioning responsibilities for risk management through the contracting process. 2 Scope This Strategy applies to all CCG staff regardless of whether they are directly employed and includes: Individuals on the Governing Body, committees and sub committees Employees of the CCG including secondments Third parties acting on behalf of the CCG Agency, locum and other temporary staff engaged by the CCG including, people on work experience, volunteering and apprenticeships 3

4 3 Aims The CCG Governing Body will continuously strive to ensure that there are effective governance and risk management systems and arrangements in place and that these are monitored on an ongoing basis. The CCG stance on risk levels ( Risk Appetite ) varies throughout the organisation with an overall aim for an open appetite in which risk of varying levels is considered and, where appropriate accepted and managed, particularly when there is a benefit to patients. Wherever possible the CCG will mitigate and control risk and will be open and honest about the risk and rewards. The CCG s key strategic risk management aims as a commissioner of health services are as follows: To adopt an integrated approach to the management of risk and to integrate risk into the overall arrangements for clinical and corporate governance To support the achievement of the CCG s objectives To comply with national standards To have clearly defined roles and responsibilities for the management of risk To commission a high quality service for patients and continuously strive to improve patient safety To ensure that risks are continuously identified and assessed, and that they are treated, either by avoidance (by discontinuing a specific activity), taking on or increasing the risk in order to pursue an opportunity, removing the risk source, changing either the likelihood or consequence, sharing or transferring the risk, or retaining the risk by informed decision. To use risk assessments in informing the overall business planning/investment process in the CCG To encourage open and honest reporting of incidents through the use of a single incident reporting system To establish clear and effective communication that enables information sharing To foster an open culture that allows organisation wide-learning. 4

5 4 Definitions of Risk and Risk Categories Risk Risk can be defined as the chance of something happening that will have an adverse impact on objectives and is measured in terms of consequences and likelihood Risk can be categorised into 3 main headings (Clinical, Financial and Corporate or Organisational and Business) under which sit specific risk areas. Clinical Risks Clinical risks are defined as those risks which have a cause or effect which is primarily clinical or medical Examples include clinical care activities, consent issues and medicines management. Financial Risks These are defined as those whose principal effect would be a financial loss or a lost opportunity to deliver a financial gain, Examples include poor financial control, fraud and ineffective insurance arrangements. Corporate or Organisational and Business Risks Corporate risks are defined as those risks, which primarily relate to the way in which the CCG is organised, managed and governed. Examples include human resource issues and corporate governance risks concerning the establishment of an effective organisational structure with clear lines of authorities and accountabilities. The risk events can include inappropriate decision making and delegation of authorities. All can result in sub optimal performance and losses for North Somerset CCG. Specific Risk Areas Behind the comprehensive areas of risk above there are more clearly identified risk areas that the CCG may encounter and need to manage. Change: Legal and Compliance: Conflicts of Interest Health & Safety: These concern risks that programmes and projects do not deliver agreed benefits and within agreed budget and or/introduce new or changed risks that are not effectively identified and managed. These include risks around employment practices, employment legislation, the NHS Constitution, Freedom of Information Act, Civil Contingencies Act, Deprivation of Liberty and regulatory issues This concerns risks in relation to both actual and perceived conflicts of interest. It is important that all conflicts of interest are managed effectively and that perceived conflicts are managed as well as actual conflicts. These concern risks around employer/employee related topics. At times risks may be identified which are managed by third 5

6 parties but for which the situation and progress needs to be monitored by the CCG, an example would be buildings management. Operations: Information and Technology: Information Governance: People: Strategic: Clinical: Reputational Risk: These concern the day to day concerns North Somerset CCG is confronted with as it strives to deliver its strategic objectives. They can be anything from loss of key staff to process failure. It covers risk events such as failure by a third party to deliver a service for the operation, breakdown in partnership with third party, failure to manage internal change etc. Operational risks are largely short to medium term where frequency is high/medium likelihood and low to high impact. These concern the day to day issues North Somerset CCG is confronted with as it strives to deliver its strategic objectives. They can be anything from loss of data to failure of a key IT system. It covers risk events such as a technological breakdown, loss of hard or soft copy data, failure by a third party to deliver a service breakdown in partnership with third party, failure to manage internal change etc. These risks include those related to data protection, information security and confidentiality and will apply to all data including clinical, corporate and data for secondary use. All types of data within the organisation will be covered including electronic, paper and oral information that is shared. These concern insufficient staff resources (capacity and capability). These risks can have a significant impact on the performance and reputation of North Somerset CCG These concern the long term strategic objectives of the CCG. They can be affected by external factors such as the economy, changes in the political environment, technological changes, and in legal and regulatory changes. The strategic risks are mainly significant risks that can potentially impact on the whole CCG. These concern risks that arise directly from the commissioning of healthcare to patients. This includes safeguarding, clinical errors and negligence, healthcare associated infection and failure to obtain consent. It is important that the reputation of the CCG is protected through robust systems of communication with stakeholders. Systems of communication with external stakeholders that contribute to minimising risk need to be in place, including regular meetings, patient surveys, publications and public meetings. The CCG has a large and diverse range of stakeholders with whom it needs to continue to develop engagement 6

7 5 Risk Management Controls The risk management controls are to: Maintain business continuity through integrated governance arrangements, in order to commission and deliver required services. Achieve specific, measurable, achievable, realistic, timed (SMART) corporate objectives. Improve the quality of care through a robust review and evaluation programme. Avoid damage to reputation, as a result of litigation or from failures in organisations from which services have been commissioned by having a process of effective corporate and clinical governance arrangements. Minimise avoidable financial loss, or the cost of risk transfer through a robust financial strategy. Minimise chances of adverse incidents, risks, complaints and claims (clinical and non clinical). Learn lessons and implement change. 6 Open and Fair Culture The CCG supports an open, fair and a positive learning culture. A culture of openness is central to improving patient safety and the quality of healthcare systems. Encouraging openness and honesty about how and why things have gone wrong will help improve the safety of NHS Services. All employees should be familiar with the CCG s whistle-blowing, bullying and harassment policies and procedures. These procedures support staff to raise concerns in accordance with the Public Interest Disclosure Act ( 7 Accountability, Responsibilities and Management Arrangements The management of risk is a key organisational responsibility. The Governing Body and the Chief Clinical Officer (Accountable Officer) is responsible for the CCG s risk management and control framework with operational responsibility for risk and control delegated to the Chief Operating Officer. The Clinical Commissioning Leadership Group will provide assurance on risk management and controls to the Governing Body. All staff must accept the management of risks as one of their fundamental duties, and must have a sense of ownership and commitment to identifying and minimising risks. Risk issues are present in the CCG at all times and the day to day management of those risks is the responsibility of all staff employed by the CCG. As a commissioner of healthcare the CCG is committed to ensuring that services are provided to high standards, and that any risk to patients, staff or the organisation are treated by a process of identification, assessment, management, and, where possible, elimination. To facilitate understanding 7

8 and ownership of responsibility for risk management the CCG encourages a culture of openness and honesty in relation to reporting adverse incidents and near misses. Adverse incident reporting will be used in a positive way as learning opportunities to eliminate or reduce risks in the future. Key responsibilities are: The Governing Body is ultimately accountable for ensuring that it is doing its reasonable best to achieve the requirements of the Governing Body Assurance programme. The Governing Body is responsible for: Approving the Risk Management Strategy and Framework The system of internal control and risk management Ensuring that national and CCG clinical governance issues are addressed. The Chief Clinical Officer is responsible for risk management and accountable for having in place an effective system of risk management and internal control. The Chief Operating Officer, who has operational responsibility, is required to have an ability to understand the CCG s risk environment, including knowledge and understanding of the strategies that have been adapted by the CCG and the risks inherent in any transformation strategies. The Chair of the Governing Body is expected to have the skills, knowledge and experience to assess and confirm that appropriate systems of internal control are in place for all aspects of governance, including financial and risk management, including any risks to the delivery of the QIPP programme. The Lay Member on the governing body with a lead role in overseeing key elements of governance is expected to have the skills knowledge and experience to assess and confirm that appropriate systems of internal control and assurance are in place for all aspects of governance, including financial and risk management. The senior nurse within the CCG has a lead role for the safeguarding of children and of vulnerable adults and clinical risk. The Chief Finance Officer has overall responsibility for the integrity of the system of internal financial controls, financial risk and for specific responsibilities as set out in the Standing Financial Instructions. The Chief Finance Officer: Holds executive responsibility for financial risk management, financial, performance management and is accountable to the Accountable Officer. Has professional responsibility for internal audit. Ensures the effectiveness of the organisations financial control systems, including counter fraud measures. 8

9 Ensures that the significant financial risks faced by CCG are identified and managed effectively. Oversees clinical audit and clinical best practice development and benchmarking. The Corporate Manager is accountable to the Chief Operating Officer for the management of the Corporate Risk Register and Assurance Framework. Senior Managers are responsible for ensuring that risk management is embedded within the CCG and their teams, and that risks are properly identified, assessed and managed. All members of staff have an individual responsibility for the management of risk and all levels of management must understand and implement the CGG s Risk Management Strategy and supporting processes. Contractors and other external staff must be made aware of their responsibilities under health and safety and CCG risk management procedures by the CCG manager responsible for their contract. All staff will: Accept personal responsibility for maintaining a safe environment, which includes being aware of their duty under legislation to take reasonable care of their own safety and all others that may be affected by the CCG S business Comply with incident reporting procedures Be responsible for attending mandatory, statutory and relevant education and training events Participate in the CCG s system of risk management, including the risk assessments within their area of work and the notification to their line manager of any perceived risk which may not have been assessed Be aware of the CCG s Risk Management Strategy and processes and comply with them. 8 Commissioned Services North Somerset CCG expects risk management to be prioritised by all organisations from which it commissions services and to support this will require evidence of robust risk management systems. The Governing Body will be informed of all significant risks that arise from commissioned services. Risk is monitored through Contract Review meetings held with service providers and any significant or notable risks will be escalated through the corporate risk register to the Governing Body. It is suggested that any risk with a score of 12 or higher should be considered for this process. 9

10 9 Risk Management Process The Australian Risk Management Standard AS/NZS 4360:2004 Risk Management) has been adapted by the CCG in order to allow the organisation to identify the best and safest standards of working. Identified risks will be assessed, evaluated and risk treatment plans implemented so that the risks are controlled to the lowest practicable level. All risk assessments will be undertaken using the approved Risk Assessment Matrix (Appendix 1). The Corporate Risk Register will be maintained and managed in accordance with the Corporate Risk Register Procedure. The CCG will make use of the NHS Litigation Authority to provide insurance cover where directed by the NHS England or it is deemed appropriate by the Governing Body. 10 Risk Management Committee Structure The following CCG committees and groups have specific delegated responsibilities with regard to the management of risk: The Clinical Commissioning Leadership Group (CCLG) will regularly review the risk register, ensure appropriate management of the risks and provide assurance on the operation of the Risk Management Framework to the Governing Body bi monthly. Contract review meetings with providers will consider as a standing agenda item service risks. The Senior Officers will formally consider any new high scoring risks on a day to day basis but will consider the full risk register bi monthly, opposite month to the CCLG review. The Audit Committee will satisfy itself that the systems and processes in place for risk management and the assurance framework are working as they should be and provide assurance to the Governing Body. The Remuneration Committee will minimise the risks arising from the employment terms relating to those officers and governing body members covered by its terms of reference. 11 Governing Body Assurance Framework All principal risks and their links to CCG corporate objectives are set out in the Governing Body Assurance Framework. The risk register is a key feeder to the Assurance Framework. The Assurance Framework serves as the key document to assure the Governing Body that risk management is firmly embedded in the organisation and is a source for identifying links to CCG s Corporate Risk Register, risk management plans and the achievement of corporate objectives. One of the primary purposes of the Governing Body Assurance Framework is to identify gaps in control or assurance in relation to these principal risks. 10

11 The steps for populating the assurance framework are as follows: The Governing Body agrees the annual strategic objectives for the year. Principal/strategic risks that may threaten the achievement of these objectives are identified. Key controls intended to manage these principal risks are identified. Arrangements for obtaining assurance on the effectiveness of key controls across all areas of principal risk are put in place. Assurance across all areas of principal risk is evaluated. Positive assurances and areas where there are gaps in controls and /or assurances are identified. Plans to take corrective action where gaps have been identified in relation to principal risks are put in place.. Dynamic risk management arrangements including a risk register are maintained. The assurance framework needs to be revised annually in light of any changes to the CCGs annual objectives. The Assurance Framework and Risk Register are reviewed by the Governing Body at least quarterly. 12 Partnerships to minimise risk The CCG will work closely with partner organisations to achieve a shared ownership of risks facing the health economy and the solutions that are implemented. The CCG expects risk management to be a priority for those from whom it commissions services, and will require evidence of robust risk management systems within service level agreements. 13 Internal and External Auditors A level of independent assurance is provided on the whole process of risk identification, evaluation and control. This is done through the independent assessments made by the Internal Auditors on their review of the CCG's risk management arrangements, the Head of Internal Audit (HOIA) Opinion, the External Auditor s assessments and through external accreditation. 14 Corporate Risk Register Procedure This sets out the process for the maintenance of the Corporate Risk Register and the risk assessment and scoring system. 15 Education and Training The Governing Body remains committed to the education and development of its entire staff and recognise its legal and ethical responsibility to create and maintain a work environment that will ensure the welfare and health and safety of staff, patients and the public. 11

12 16 Monitoring Compliance and Effectiveness The CCG will monitor compliance and effectiveness through the overview of the Governing Body, Clinical Commissioning Leadership Group and other committees of the Governing Body. 12

13 Appendix 1 CORPORATE RISK REGISTER PROCEDURE Purpose These procedures set out the way in which the Clinical Commissioning Group will undertake risk management and provide the Governing Body with assurance on the management of significant risks. Responsibilities The Chief Clinical Officer has overall accountability for ensuring that the CCG meets its statutory and legal requirements and adheres to national guidance issued by the Department of Health. The Chief Operating Officer is accountable to Chief Clinical Officer for risk management and Board assurance. The Corporate Manager is responsible for the management of the Corporate Risk Register and Board Assurance Framework Senior Officers are responsible for ensuring regular updates are made to the assurance frame work and risk register that reflect progress and current positions of identified and or new risks Senior Managers are responsible for ensuring that risk management is embedded within the organisation and that risks are properly identified, assessed and managed, within their teams. Members of staff are responsible for raising any risk concerns with their line manager or with the Corporate Manager Corporate Risk Register Process All risks will be assessed using the Risk Evaluation Matrix (appended). Each senior manager will nominate a member of staff to act as a point of contact and advice on risk management for the staff within their team. The Risk Register is a live document so should be updated whenever a new risk is identified or the level of a risk is considered to have changed. Wherever possible risks will be reported to the Governing Body and other Committee s as part of open agenda s in the interest of transparency but where necessary, a closed or confidential risk can be raised which will be recorded on a 13

14 Probability of happening again closed risk register. Risks which need to be reported confidentially should state the reason for sensitivity eg commercially sensitive, time-sensitive such as in the development of plans, personal information that is sensitive, prejudicial to future negotiating positions. Risks on the closed risk register will be kept under review and may be moved to open/public risk registers once the sensitivity has been reduced eg where plans are finalised or contractual negotiations have concluded. Seek advice from the Chief Operating Officer if closed/confidential risks are identified. The Corporate Risk Register will be updated and changes reported to the CCG Officers Team meeting Risk Management will feature as a standing agenda item at meetings of the Clinical Commissioning Leadership Group and at the informal team meetings of the Senior Officers. The Corporate Risk Register will be reviewed as a minimum bi-monthly by both the Senior Officers and at meetings of the Clinical Commissioning Leadership Group. The Corporate Risk Register will be reviewed quarterly by the Governing Body where the focus will be on risks with an assessment score of 12 or over The Assurance Framework is linked closely to the Corporate Risk Register and as such will be amended when a risk could possibly impact on the achievement of a strategic objective of the CCG. Scoring Risks Risks will be scored using the matrix below. The level of consequence is determined between 1 (insignificant) and 5 (fatal). The probability of the risk happening is then decided between 1(remote) and 5 (certain). Multiplying the two figures together will give the risk score, e.g. Consequence (major) x probability (possible) would be 3 x 3 and would give a risk score of 9. The risk scores are given on the matrix below. Risk Assessment scoring matrix Certain = 5 Probable = 4 Possible = 3 Improbable = Act Soon 10 Act soon Act now 15 Act Soon 12 Act Soon Act now 20 Act Now 16 Act Soon 12 Act Soon 8 Stop 25 Act Now 20 Act Now 15 Act Soon 14

15 Remote = Insignificant = 1 Minor = 2 Major = 3 Severe = 4 Fatal = 5 Consequences/severity 10 15

16 Descriptor Impact on Individual Impact on Organisation Financial Impact Complaint / Litigation 5 Fatal Death Media interest Theft/loss over 50, Severe 3 Major 2 Minor Major injury or permanent incapacity Major clinical intervention or unplanned admission to ITU Injury/illness requiring 3 or more days absence Patient requires additional treatment Minor Injury requiring first aid Minor Illness Adverse publicity Service restriction or closure Needs careful PR Potential for adverse publicity (avoidable with careful handling) Theft/loss 10,000 to 50,000 Litigation expected Theft/loss 1,000 to 10,000 Complaint expected Litigation possible Minimal risk to CCG Theft/loss 100 to 1,000 Complaint possible Litigation unlikely 1 Insignificant No apparent injury No risk to CCG Theft/loss up to 100 Complaint unlikely Litigation risk remote 16