Documentation Control. Hazard Identification, Risk Assessment and Management Procedure. (This document is linked GG/CM/007- Risk Management Policy)

Transcription

1 Documentation Control Reference: Date approved: 24 November 2016 Approving Body: (This document is linked GG/CM/007- Risk Management Policy) Trust Board (Medical Director) Implementation Date: 24 November 2016 Version: 8 Supersedes: Version 7 (November 2014) Consultation: Distribution: Target Audience Supporting Policies and Procedures Clinical and Non-Clinical Hospital Staff Organisational Risk Committee Senior Management Team Executive Directors, Divisional Directors, Divisional General Managers, Divisional Nurses, Heads of Service Members of the Quality Assurance Committee, SMT and Committees of SMT Specialists Advisors, as set out in the Trusts Risk Management Policy Relevant External Stakeholders All Trust staff and relevant Stakeholders NUH Risk Management Policy Trust Annual Plan Board Assurance Framework. Review Date: September 2017 Lead Executive(s): Author/Lead Manager: Further Guidance/Information Medical Director Head of Organisational Risk Head of Organisational Risk (ext / 62553) November 2016 Page 1 of 13

2 HAZARD IDENTIFICATION, RISK ASSESSMENT AND MANAGEMENT PROCEDURE 1. Introduction This procedure sets out the Trust operational processes for Hazard Identification, Risk Assessment and the Management of risk. This document should be read in conjunction with the Risk Management Policy. This procedure covers all of the Trust s activities and should be used when assessing any kind of hazard (e.g. clinical, strategic, organisational, financial and health & safety). It can be used by any member of the Clinical or Non-Clinical teams in all Divisions and Corporate Directorates of the Trust. The Hazard Identification, Risk Assessment and Management procedure supports the principle that risks which can be reasonably managed locally should be managed locally. Where this is not practical or where the risk score dictates; the procedure sets out the escalation process to Trust Committees and Groups. The tool has been designed for a wide range of purposes i.e. it can be used to review and manage all known risks, it can be used to assess potential risks from new activities, service development and projects it can also inform business cases and development projects allowing comparisons and prioritisation to be made Carillion Related Risks If you identify a risk resulting from the delivery of the outsourced EFM contract; which adversely impacts on safety or service delivery, then you should assess and record this as a risk on your local or Divisional / Corporate Directorate risk register. You should also report the risk via the Carillion helpdesk (ext 57000) and inform the Trust Contract Monitoring Team Corporate Ventures The Trust has entered into a number of collaborative venture which have the potential to create risk, however due to their nature require special arrangements for their onward management. See section 6.5 of the Trusts Risk Maangement Policy. November 2016 Page 2 of 13

3 2. Risk Registers The Trust requires that all risks are recorded on DATIX. No other systems are permitted. The Trust will maintain a Significant Risk Register which comprises of all 20 or 25 scoring risks (as ratified by the Senior Management Team and the Trust Board). The Significant Risk Register will be reported to the Trust Board each month. The Trust requires that all Divisions and Clinical Directorates (including Specialtie,Wards and Departments) undertake systematic and proactive hazard identification and risk assessment to identify local risks to service provision, service quality, legislative compliance, financial and delivery of the Trusts objectives and operational requirements. Divisional Clinical Directors and Corporate Directroate Heads of Service are responsible for ensuring this happens. All Risk Assessments (irrespective of score) must be recorded on the DATIX system. Please see appendix 4 for the minimum information to be recorded on the Risk Register. The system entry must include details of any mitigating actions required to further mitigate the risk (including responsibilities and timescales). Where Risk Assessment forms are generated these must be uploaded into DATIX in the document section of the electronic record along with any supporting s, reports and documents. The Trust s Risk Register is a dynamic and is continually evolving. The Risk Register provides a focus for the work of the Trust Board and its Committees by communicating risk information throughout the organisation, and provide assurance that risks are being effectively mitigated and managed. 3. Definitions Hazard is defined as a source of potential harm or a situation with a potential to cause loss Risk is defined as the possibility of suffering some form of loss or damage and / or the possibility that objectives will not be achieved or that opportunities will not be taken. This can be opportunities / benefits (Upside risk) or threats to success (Downside Risk). Risk Assessment is defined as the process of determining the level of harm that a hazard poses and the likelihood of its occurrence. November 2016 Page 3 of 13

4 Risk Control is defined as the part of the risk management process that is concerned with the implementation of policies, processes, tools, and techniques that accept, eliminate, remove or transfer risk; or establish business continuity processes. Controls may be preventative, detective or post-event. Risk Treatment is defined as the selection and implementation of options for managing risks. Risk Transfer is defined as the treatment or control of risk through sharing the burden of loss or benefit from a risk with another party. A Risk Register is a formal record that captures all known Trust Risks. For each risk, the Risk Register will capture the source of the risk, a description of the risk, the risk score (Consequence x Likelihood), the actions required to further mitigate the risk, a review date and an assessment of the affect of those further mitigating actions on the risk (Residual Risk). 4. The process Step 1 IDENTIFING HAZARDS At local level, there will be different people leading on different aspects of risk management, e.g. Clinical Governance Co-ordinators, Health & Safety link persons, Divisional and Clinical Directorate managers, risk assessors, infection control link persons, Trust Specialist Advisers to name a few. It is not intended that these activities are merged into a single role. It is more about people working together to integrate activity at a local level and to work together in the identification, assessment and management of risk. Hazard identification can take many forms including; Through the local review of Incident, Claims and Complaints data, As a result of an Health & Safety audit / inspection, Following a Patient Safety conversation, In response to an Internal Audit report, In response to an external report / directive / Alert, In response to a Department of Health directive, To respond to gaps identified from the Health & Safety Compliance review, Accreditation Standards compliance (CQC etc.) To respond to Trust requirements such as CIP s, Essence of Care Benchmarks, CQuins, HR including Mandatory Training performance To meet legislative requirements Through review of service specific standards, service quality and service delivery In response to advice received from Specialist Advisers November 2016 Page 4 of 13

5 The above list is not exhaustive and the Integrated Governance Team can help facilitate hazard identification sessions if required. When assessing any service or activity, you will identify a number of hazards. You will need to decide if you are going to record these as a single risk or as a collective group on Datix. Either way is perfectly legitimate. It is strongly recommended that initially you record your assessment on the Trust approved Generic Risk Assessment Form (see Appendix 2). Which ever route you adopt you will need to ensure that the action plan addresses all component hazards and not just the highest scoring one. The hazards identified should be recorded in the Hazards, Controls and Assessment section on the Trust approved Generic Risk Assessment Form (see Appendix 2). For each hazard identified you will also need to decide who or what can be harmed (and how) and document any controls that are in place. The next step will be to determine the consequence and likelihood scores for each i.e. the risk (see steps 2&3 below). No other risk assessment forms are permitted. Step 2 DETERMINE THE CONSEQUENCE The tool incorporates 5 consequences factors against which a hazard could impact, 1. Objectives / Financial, (A-Objectives) 2. Degree of Harm (to Staff, Patient, Visitor or Member of the Public), (B-Harm) 3. Claims & Complaints / Patient Experience, (C-Experience) 4. Impact on Services / Business Interruption / Projects, (D-Service Delivery) 5. Adverse Publicity / Reputation/ Inspection / Audit / Enforcement Action. (E-External) Appendix 3, sets out the 5 consequence factors along with descriptors for each that depict a range of outcomes from 1 to 5. For each hazard identified, you will need to determine a consequence score for each of the factors, which will need to be recorded on the form. You should look at the controls in place when deciding the level. If any of the factors don t apply to the hazard being assessed then add a score of 1 in the appropriate column on the Generic Risk Assessment Form. Helpful Process Definitions Primary Objective Trust Key Task For 2016/17, the Trust s Objectives are detailed in the Trusts Annual Plan. These are the major things that the Trust has declared it want to achieve in year to meet its Strategic aims. For each of the Objectives the Annual Plan also describes a number of sub-issues that could impact on the delivery of the primary objective. These are important things the Trust wants to deliver on but failure of one or more would not necessarily prevent the Primary Objective being achieved. November 2016 Page 5 of 13

6 Temporary Non-Compliance Non Achievement Control Measures This applies where you have an objective or key task, which at the time of assessment is not being complied with, but there is a plan in place that will bring the objective back into compliance within year. This applies when the objective or key task, which at the time of assessment is not being complied with, and there is no plan in place or possibility that compliance will be achieved in year. These are the things that have already been put into place to manage/ mitigate the risk. These can be things such a Policies, training, safe systems of work, physical safeguards etc.. These are only control measures once they are in place. If things are planned but not in place, they should be recorded as actions. Generally as action are completed these will become controls. Step 3 DETERMINE THE LIKELIHOOD Once you have determined the consequence (for each of the hazards you identified), you will need to determine the likelihood of the level of consequence you have identified being realised. Remember it s the likelihood of the consequence you have selected occurring, not how often the activity takes place. It is also important that any existing control measures are taken into account when determining the likelihood score. The derived score should also evaluate whether: the control adequately addresses the hazard the control measure is documented and communicated the control measure is in operation and applied consistently. Once you have determined the score enter the score(s) in the Likelihood box on the Generic Risk Assessment Form. TIP: The worst-case scenario doesn t always yield the highest risk. You can have a catastrophic consequence such as a death (consequence = 5) which due to the controls in places gives a likelihood of 1 and therefore a risk score of 5. But the same hazard may cause less severe harm (consequence = 3) each month (likelihood = 4) giving a risk score of 12. Step 4 ASSESS THE RISKS The risk score is determined by multiplying the consequence and likelihood scores you have recorded for each hazard. It has been recognised that by using a 5 by 5 tool there will be limited stratification of risks within the possible score bandings. (i.e. the possible scores (CxL) that can be achieved are 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 and 25). To aid prioritisation of risks particularly within the higher scoring bandings (15, 16, 20 and 25) a second score is determined by adding together the 5 individual consequence scores to give a unique score for each risk. November 2016 Page 6 of 13

7 This Priority Indicator Score will then be used to help stratify the risks recorded against a given scoring banding. The PI Score for each risk should be recorded on the Generic Risk Assessment Form. Step 5 MANAGE THE RISK By comparing the Risk Score (Risk Rating) obtained with the table below, you will be able to determine whether the risk you have assessed is unacceptable, tolerable or acceptable. The table also prescribes where the risk needs to be communicated and the management action required. Table 1 Levels of Risk, Reporting and Accountability Risk Rating Significant (20 or 25) Unacceptable High (15 or 16) Unacceptable Moderate (10 or 12) Unacceptable Low (4-9) Tolerable, manageable Very Low (1-3) Acceptable Level at which the risk must be reported Senior Management Team (SMT) Appropriate Sub Committee of SMT Who needs to be informed Trust Board Senior Management Team Specialty / Directorate Division / Corporate Directroate Management Actions Required Immediate action required to eliminate or manage risk. Report to Divisional Clinical Director / Head of Corporate Directorate, Senior Management Team and the Trust Board. Risks scoring 20 or 25 will be routinely monitored and actions performance managed via the Senior Management Team. Operational management and oversight of these risks will be apportioned to the relevant governance committee / forum, for example clinical risks will be forwarded to the Clinical Risk Committee for monitoring delivery of agreed actions. Urgent action/senior management attention required to eliminate or reduce the risk. Report to Divisional Clinical Director / Head of Corporate Directroate. Risks scoring between 15 or 16 will be reviewed by the Organisational Risk Committee who will agree at what level the risk and subsequent actions should be managed. Action/ management attention required to eliminate or reduce the risk. Report to Divisional Clinical Director / Head of Clinical Directorate. Risk can be managed at Divisional / Corporate Directorate Level if appropriate. Specialty / Directorate N/A Action if cost efficient to reduce or manage risk. Local actions. Delivery against any plans will be monitored via the Divisional / Corporate Directorate Governance arrangements. Specialty / Directorate N/A Manage situation with routine procedures at a Specialty or Department Level. Action if easy to implement and inexpensive. Delivery against any plans will be monitored via the Divisional / Corporate Directorate Governance arrangements. If any actions / controls are required to further mitigate the risk these should be recorded in the Action Planning & Monitoring section of the form along with named persons responsible for undertaking the action and the timescale for completion. The responsibility for ensuring that any actions identified are taken forward will be dependant upon the risk score. For example a risk scoring 8 (from the table above) would be reported / managed by the Specialty / Department whereas a risk scoring 12 would be reported / managed by the Division / Corporate Directroate. November 2016 Page 7 of 13

8 Step 6 IF RISK CAN T OR SHOULDN T BE MANAGED LOCALLY Where possible, risks should be managed at the lowest practical level. However where this is not possible (e.g. due to the resources required) the risk should be escalated to the next level. i.e. if a Department can t manage a risk it should pass to the Divisional / Corporate Directorate Governance Forum. If the Divisional / Corporate Directorate Governance Forum cannot action it sohlud imitially be passed to the ORC. It is also acknowledged that certain risks shouldn t be managed locally, i.e. where the issue impacts across the Trust. In these instances it is appropriate to escalate the risk so that a Trust wide response can be actioned and implemented. A key part of the process within the Organisational Risk Committee will be to agree the route for handling those issues that can t or shouldn t be handled at Divisional / Corporate Directroate level. The Organisational Risk Committee will oversee these risks and ensure that appropriate committees / groups are taking action. Risks may have to be accepted or, in the case of significant risks, shared with the commissioners of services, members of the health care community and other stakeholders. If you are unsure what to do please seek advice from a member of the Divisional / Corporate Directroate Governance Team or the Integrated Governance Team who will advise you on action to be taken. Step 7 UPDATE THE RISK REGISTER All risks identified, along with the risk score, controls and actions, need to be recorded on the DATIX Risk Management System in order to inform the Trust Risk Register. Each Division and Corporate Directorate has a named lead who will be able to assist with this process. All relevant information to support the risk assessment should be imported into the record. To ensure that all key information is captured in the Risk Register a number of fields have been made mandatory (see Appendix 4).Staff adding risks to DATIX will need to access the training provided. Data can be copied and pasted from the Generic Risk Assessment Form into the DATIX risk entry. All risks scoring 20 or more will be added to the Trusts Significant Risk Register and Board Assurance Framework. This will help to facilitate the management of risks, the identification of trends and significant risks, as well as the monitoring of risk management. All risks scoring 15 or above must be formally reviewed at least quarterly at Trust, Divisional / Corporate Directorate, Speciality and Departmental Governance Forums. At each review the risk register needs to be updated to reflect progress on actions and to review risk scores. November 2016 Page 8 of 13

9 Appendix 1 HAZARD IDENTIFICATION, RISK ASSESSMENT AND MANAGEMENT PROCEDURE FLOWCHART Directorates and Departments - supported where appropriate, by the Integrated Governance Team STEP 1 Record the details of the activity being assessed on the Generic Risk Assessment Form. Use the tools and techniques available to identify and record the key hazard to the activity, process or task being assessed. Refer to Governance Checklists, Policies and Guidance to identify risks. (Checklists to incorporate legislation, external accreditation standards, best practice, etc.) Incident, Claims and Complaints data STEP 2 For each hazard identified determine the Consequences STEP 3 - Determine the corresponding Likelihood (for the highest scoring Consequence) STEP 4 Determine the Risk Rating and Priority Indicator score See Generic Risk Assessment Form Add to Divisional / Corporate Directorate, Specialty, Department Governance Action Plan STEP 5 - Manage the risk Performance Managed by Division / Corporate Directorate STEP 6 - Issues that can t/shouldn t be managed by the Specialty / Department, OR can t be accepted, as they score 10 or more Add to Divisional / Corporate Directorate Governance Action Plan Manage the risk Performance Managed by Organisational Risk Committee STEP 6 - Issues that can t/shouldn t be managed by Divisional / Corporate Directorate OR can t be accepted, as they score 15 or more STEP 7 Update Risk Register on Datix Filtered by Organisational Risk Committee and referred to relevant Committee/group/individual for action, e.g., to Clinical Risk Committee to be added to Trust Governance Action Plan Performance Managed by the SMT or relevant Trust Board Committee STEP 6 - Issues that can t be managed OR can t be accepted, as they score 20 or more Any risks scoring 20 or more Raise at the Board November 2016 Page 9 of 13

10 A- Objectives B- Harm C- Experience D- Service Delivery E- External Likelihood Risk Score (Highest Score A-E x Likelihood) Appendix 2 GENERIC RISK ASSESSMENT FORM Assessment No. Campus: Division / Corporate Directorate: Speciality/Department: Location: Assessor: Job Title: Date: Description of activity Supporting information (for example, case of need, explanation of activity) Hazards, Controls and Risk Assessment Priority Indicator Score (A+B+C+ D+E) Does the control adequately address the risk? Yes / No Is the control measure documented and communicated? Yes / No Is the control Measure in operation and applied consistently? Yes/ No No. Hazard Identified Controls in place

11 Summary of action taken to date Action Planning and monitoring (dependant upon score) Hazard Ref No. Action required Cost ( ) (If known) By Whom Due Date Review Date Revised / Residual Risk Score post action Official Use Only Approval Group Added to the Risk Register Y / N Date Score Approved Date added to the Register 11

12 Consequence and Likelihood Matrix Appendix 3 1 Minor 2 Moderate 3 Serious 4 Major 5 Catastrophic Objectives* / Financial Minor impact on Trust objective. Barely noticeable reduction in scope or quality Small loss. Temporary non compliance with Trust Key Tasks* Minor reduction in quality / scope Loss > 0.1% of Trust budget Temporary noncompliance with Trust Primary Objective* Reduction in scope or quality. Loss > 0.25% of Trust budget Non-achievement of Trust s Key Tasks* Loss > 0.5% of Trust budget Non -achievement of Trust Primary Objective(s)* Loss > 1% of Trust budget Degree of Harm (to Staff, Patients, Visitors or Members of the Public) Minor injury not requiring first aid or no apparent injury / adverse outcome, Near Miss. Temporary Minor Injury / Illness / Effect. First aid treatment needed, referral to A&E / OH / GP Semi-permanent Injury, Over 3 day reportable injury. RIDDOR / Agency reportable Major injuries, or long term incapacity / disability, Major Specified Injury (RIDDOR) Death or major permanent incapacity Claims & Complaints / Patient Experience / Outcomes Verbal locally resolved Complaint. Reduced quality of patient experience not directly related to the delivery of patient care Small claims (up to 25,000) Justified formal Compliant. Unsatisfactory patient experience directly related to patient care- readily resolvable Independent review. Mismanagement of patient care, short term effects (<1 week) Justified complaint involving lack of appropriate care. Significant claim (up to 250,000) Ongoing National publicity. Regional inquiry. Ombudsman. Serious mismanagement of patient care, long term effects (>1week) Multiple justified complaints. Multiple claims or single major claim (over 250,000). Full National Inquiry. Select Committee. Public Accounts Committee. Totally unsatisfactory patient outcome or experience Impact on Service Delivery / Business Interruption / Projects Negligible impact, brief loss / interruption > 1 hour of service. Insignificant cost increase / schedule slippage. <1%) Local only. Some loss / interruption delays in service provision (> 8 hours) < 5% over budget / schedule slippage. Critical Service loss / interruption, minor delays > 1 day. 5-10% over budget / schedule slippage. Critical Service loss, major reduction in service > 1 week 10-25% over budget / schedule slippage. Total loss of Critical Service or facility. >25% over budget/ schedule slippage. Adverse Publicity / Reputation / Inspection / Audit / Enforcement Action Local interest, rumours within Trust. Little effect upon staff morale. Small number of minor recommendations, which focus on minor quality improvement issues. Minor non-compliance with CQC Local adverse publicity, local media coverage, adverse publicity for < 3 days. Minor effect on staff morale/public attitudes. Internal inquiry reported to local committee structure. Recommendations made which can be addressed by low-level management action. Non-compliance with the Developmental requirements of the CQC Local media coverage, adverse publicity for > 3 days. Significant effect on staff morale / public perception of organisation. Internal inquiry reported to external agency. Challenging recommendations that can be addressed with appropriate action plan. Reduced rating. Non-compliance with core requirements of the CQC National media coverage, adverse publicity for < 3 days. Regional inquiry. Severe effect on staff morale, public confidence in organisation undermined. Enforcement action Low rating / Critical report Major non-compliance with core requirements of the CQC National/international media coverage with adverse publicity for > 3 days. Loss of key staff. Public inquiry / MP Concerns raised in Parliament. Court enforcement. Non-compliance with legal requirement, which may result in Prosecution, Zero rating. Severely critical report x Likelihood Expected to occur no more than once a decade In fewer than 1% individual pt episodes May occur in very exceptional circumstances Expected to occur every 5 years In 1-4% individual pt episodes May occur in exceptional circumstances Expected to occur annually In 5-19% individual pt episodes May occur in unusual circumstances Expected to occur monthly In 20-49% individual pt episodes (operations, course of treatment, procedures, IP stay etc) May occur in usual circumstances Expected to occur weekly (or more frequently) In >50% individual pt episodes Is typical of usual circumstances (or is the now most-likely outcome or is more likely to happen than not) *FOR CURRENT YEAR OBJECTIVES PLEASE REFER TO THE TRUST ANNUAL PLAN. 12

13 Minimum Information to be captured on the Trust Risk Register Appendix 4 In order to ensure that the Trust s Risk Register captures all of the required information upon which the Trust can base subsequent decisions, the following dataset represents the minimum information to be captured within the Trust s DATIX system. Risk Reference (Local reference defined to provide a unique identifier) Title (Title of the Risk to include clear description of impact Description of the Risk (include context and background) Controls in Place (Details of safeguards in place) Adequacy of Controls (Adequate, Inadequate, Uncontrolled) Risk Assessor (name of person completing the risk assessment) Manager (name of the relevant manager for the location / Specialty / Department) Initial Assessment Date (Date of original assessment) Planned review date (Minimum every 3 months) Campus (as applicable from drop down list) Division / Corporate Directorate (as applicable from drop down list) Specialty (as applicable from drop down list) Location Type (as applicable from drop down list) Location Exact (as applicable from drop down list) Divisions / Corporate Directorates affected (as applicable) Source of the Risk (as applicable from drop down list) Category (based on Trust Incident Categories) Impact (Strategic, Tactical or Operational) Trust Objectives (as applicable from drop down list) Initial scoring (Scoring at the time of adding risk to DATIX) Current scoring (Current score at any point in time) Target scoring (Residual risk once all identified action has been taken) Action title (Description of action to be taken) Action assigned to (Name of person responsible for completing the action) Action due date (Date the action is to be completed) 13