Risk Management Strategy and Board Assurance Framework


Version: 1.1
Ratified by: Health Commissioning Board
Date ratified: Audit Committee in Common: 10th October 2017; Health Commissioning Board: 8th November 2017
Authors: Harris, Mark - Head of Governance; Hutchin, Rebecca - Head of Governance; Moore, Jane - Corporate Governance Manager
Date issued: December 2017
Review date: December 2019

Birmingham CrossCity Clinical Commissioning Group
Birmingham South Central Clinical Commissioning Group
Solihull Clinical Commissioning Group

Contents

Executive Summary ... 3
1. Statement of Intent ... 3
2. Introduction ... 3
3. Purpose of the Strategy ... 4
4. Aims and Objectives ... 4
5. Accountability and Responsibility ... 5
6. Approach to Risk Management ... 6
7. Risk Management Tools and Processes ... 7
   Table 1: Risk Types and Levels ... 7
8. Governance, Accountability and Risk Reporting Arrangements to the Board/Governing Body ... 9
   Chart 1: The HCB and Board Sub-Committees ... 9
   Chart 2: The CCG's Risk Management Process ... 11
9. Communication and Training ... 12
10. Version Control ... 12
Appendix 1: Approach to Risk Management ... 13
Appendix 2: Risk Matrix ... 15
Appendix 3: Risk Assessment Pro Forma ... 17
Appendix 4: Definitions ... 18

Executive Summary

The Risk Management Strategy and Board Assurance Framework underpin the CCG's wider risk management framework and describe the organisation's approach to risk management, including risk appetite. The strategy defines responsibilities for risk management and associated governance arrangements, including reporting arrangements to the Board/Governing Body. It is intended to promote and embed best practice throughout the organisation and is applicable to all levels of risk. The strategy facilitates a dynamic approach to risk management, thereby enabling the Board/Governing Body to remain sighted on the highest level risks and to assure itself that appropriate mechanisms of control are in place.

1. Statement of Intent

1.1 The CCG [1] attaches great importance to the effective management of risks that may be faced by patients, members of the public, staff, partners and other stakeholders, and by the CCG itself. Risk, properly managed, can however bring with it positive advantages, benefits and opportunities. The CCG does not therefore aim to create a risk-free environment, but rather one in which risk is considered as a matter of course and appropriately identified and controlled.

1.2 Where possible, the CCG will involve stakeholders in its risk management processes and will work in partnership to identify, prioritise and control shared risks.

1.3 The CCG is committed to making risk management a core organisational process and ensuring that it becomes an integral part of its philosophy, practices and business planning, and that responsibility for its implementation is accepted at all levels of the organisation. It is imperative that a culture of transparency and honest reporting is promoted and upheld throughout the CCG to ensure risks are properly identified, evaluated, documented and managed.

1.4 The CCG is committed to a strategy which provides a robust framework, underpinned by the concepts of effective governance and other systems of internal control, that enables the identification and management of both acceptable and unacceptable risks.

1.5 To support the development of a proactive risk management approach and Board Assurance Framework across the organisation, the CCG commits to:
a) Embed effective organisational governance arrangements that respond to strategic change, hold providers to account for ensuring appropriate patient safeguards regarding quality, safety and patient experience are in place, support high quality and effective service delivery, and receive assurances in these respects.
b) Ensure that all lead and support staff are accountable and responsible.
c) Have in place a robust Risk Management Framework that delivers compliance with regulatory standards.

[1] CCG = BSol CCGs (i.e. Birmingham CrossCity, Birmingham South Central and Solihull CCGs).

2. Introduction

2.1 Alongside business continuity management and emergency planning, risk management forms part of a system-wide business resilience framework that seeks to ensure that the CCG is always best placed to achieve its goals and to do so consistently.

2.2 The Governing Body / Health Commissioning Board (HCB) of the CCG is responsible for ensuring that the CCG follows the principles of good governance through its Board Assurance Framework and other processes. This includes the development of systems and processes for financial and organisational control, clinical and information governance and risk management, in order to obtain best value for money from the public funds it is allocated to spend.

2.3 The Governing Body / HCB is committed to an open and honest approach in all matters; staff are encouraged to report risks, and will not be criticised for identifying, reporting and managing risk.

2.4 This document sets out the CCG's approach to the management of risk and the supporting infrastructure which enables informed management decisions in the identification, assessment, treatment and monitoring of the risk environment.

2.5 Assurance involves identifying and analysing risk, taking action to reduce risk, reviewing risk, and providing evidence that risks are being effectively managed, in order that the CCG achieves its strategic and corporate objectives.

2.6 This Strategy identifies the procedures for risk management, encompassing the management of all types of risk to which the CCG may be exposed, including clinical and non-clinical risk. Accordingly, this strategy has been developed to ensure risks within the CCG are identified, and actions taken to eliminate or mitigate the potential impact on patients, staff and the CCG as a whole.

2.7 Through effective organisational governance arrangements the CCG will take a proactive approach to risk management, so that it is well placed to:
a. Assess known future changes in service delivery or in the physical environment;
b. Assess potential risks to aims and objectives generally or in respect of a new initiative or programme to be delivered;
c. Assess potential risks arising from new activities and other significant changes.

2.8 This Strategy reflects a range of governance and risk management standards embedded within current guidance and best practice; it will be reviewed in light of any changes.

3. Purpose of the Strategy

3.1 The purpose of the Risk Management Strategy is to:
- encourage a culture where risk management is seen as an essential process of the CCG's activities;
- ensure structures and processes are in place to support the assessment and management of risks throughout the CCG;
- assure the public, patients, staff and partner organisations that the CCG is committed to managing risk appropriately;
- ensure that the organisation is aware of, and has processes in place to manage, risks to the delivery of its statutory functions and organisational objectives.

3.2 The strategy sets out the procedure for the identification and management of risk within the CCG. The strategy applies to all members, employees and those acting in an official capacity on behalf of the CCG, including members of the Governing Body / HCB.

4. Aims and Objectives

4.1 The specific aim of this strategy is to ensure that all risks associated with the business and commissioning of services are effectively managed. To achieve this, risks will be systematically identified and controlled by the CCG so that it minimises any threats to the achievement of organisational objectives, whilst also ensuring that the CCG maximises any opportunities to improve services. To this end it promotes:
- a systematic, consistent and co-ordinated approach for the management of risk across all its activities;
- the integration of risk management into all key business processes of the CCG, including: its financial sustainability; performance; delivery of QIPP targets; business continuity, health and safety and information governance; service quality, patient safety and safeguarding; governance and probity; statutory duties; reputation;
- the development of a positive risk management culture across the organisation;
- the development of safe working practices aimed at the reduction and elimination of risk, as far as is reasonably practicable;
- awareness of risk and its management through the promotion of a programme of communication, education and training;
- continuous improvement through self-assessment.

5. Accountability and Responsibility

5.1 A key component of an effective Assurance Framework is a clearly defined structure that makes explicit the scheme of accountability and identifies the lines of reporting.

5.2 The Governing Body / HCB will demonstrate commitment to risk management through its endorsement and implementation of the Risk Management Strategy, Board Assurance Framework and associated policies and reports, and by receiving regular updates on risk management.

5.3 The Governing Body / HCB will receive a Board Assurance Framework report at least quarterly.

5.4 The CCG governance architecture is shown in section 8, chart 1. The main Committees and groups which have responsibility for aspects of risk management are detailed below:
a) Governing Body / HCB - is ultimately responsible for ensuring that the CCG has a robust system of assurance and risk management in place. The Governing Body / HCB will assure itself through endorsement of the Assurance Framework and Risk Management Strategy, supported by a review of the high level strategic risks.
b) Audit Committee in Common - reports directly to the Governing Body / HCB and has responsibility for reviewing the establishment and maintenance of an efficient and effective assurance and risk management process, as part of its remit to review the adequacy and effective operation of the CCG's system of internal control. The Committee's work will focus upon the framework of risks, controls and related assurances.
c) Other CCG Committees/Programme Boards - Risk Register and Management will be a regular standing agenda item at meetings of the Board sub-committees and of CCG Programme Boards. See section 8 for further information on governance and reporting arrangements.

5.5 Other responsibilities for risk management are detailed below:

a) Chief Executive (or Accountable) Officer - has responsibility for ensuring an effective risk management system and Board Assurance Framework are in place and for meeting all statutory guidance in respect of Governance. The Chief Executive Officer, through the Governing Body / HCB, has a responsibility to review the output from the risk management processes and approve any additions or deletions.
b) Governing Body / HCB members - are collectively and individually responsible for the effective management of risk at strategic, corporate, local and committee levels, in particular for the areas included in their portfolios and as reflected in individual job descriptions.
c) Each team leader - is operationally responsible for ensuring that effective structures and systems for managing risks, reflecting this strategy, exist within their teams.
d) All members of staff - are accountable for their own working practice, as stated in contracts of employment. Employees, contractors, voluntary and agency staff have a responsibility to co-operate with managers in order to achieve the objectives of the CCG, by:
- being aware of risks and recognising their duty to report them, so that appropriate action can be taken;
- being aware of existing risk assessments related to their areas of work, and of relevant procedures or control measures to be adopted to reduce identified risks;
- contributing to minimising risks, wherever possible;
- being familiar with this Risk Management Strategy, and with associated standard operating procedures;
- recognising their duty under legislation to take reasonable care for their own safety and for the safety of others who may be affected by the CCG's business;
- reporting untoward and serious incidents;
- attending Risk Management training as required.

5.6 In situations where significant risks have been identified, and where local control measures are considered to be potentially inadequate, managers are responsible for bringing these risks to the attention of the Executive Management Team.

5.7 Internal Audit: The Internal Audit team supports the risk management process by evaluating its effectiveness and recommending improvements. Specifically, the internal audit process supports and facilitates the identification of risks and the development of processes and procedures to assess and effectively respond to risks; identifies and recommends potential process improvements; provides advice to manage risks in developing systems, processes, projects and procedures; and encourages best practice.

6. Approach to Risk Management

6.1 The risk management model upon which this strategy is based comprises 7 key stages:
1. the context;
2. identify risks, hazards and opportunities;
3. analyse risk, including acceptability in terms of risk appetite;
4. prioritise risk;
5. treat and mitigate risk;
6. monitor and review;
7. communicate and consult.
See appendix 1 for full details.

6.2 Risk identification may be proactive or retrospective: lessons can be learnt from examining why an adverse incident occurred and taking appropriate action to avoid a re-occurrence.

Risks may be identified at all levels within the organisation, from local/project level through to Board level.

6.3 Once a risk has been identified, it should be analysed by assessing its consequence and the likelihood of it occurring. The CCG uses a standard 5 x 5 risk grading matrix (see appendix 2). This matrix gives equal weighting to both the impact and the likelihood of the risk, providing both a qualitative and quantitative analysis of the risk.

6.4 This standard method of assessing and scoring risks will also be applied, as appropriate, to incidents, complaints, claims, risk assessments and risk registers.

6.5 If a risk is deemed acceptable after evaluation it will be entered on the appropriate risk register (see appendix 1 and table 1 in section 7).

6.6 Monitoring of risk is the responsibility of the Chief Executive/Accountable Officer, supported by the Executive Management Team and Governance Group [2]. At local level, monitoring is by the appropriate manager in close liaison with their team.

6.7 The CCG's Risk Appetite is not necessarily static. The Governing Body / HCB may vary the amount of risk that it is prepared to tolerate depending on the circumstances at the time. See table 1 for guidance on risk thresholds.

[2] Pending confirmation of the merged BSol CCGs' final governance structure, the Executive Management Team (EMT) will receive risk register reports, including the Corporate Risk Register and BAF report, prior to their submission to the HCB and Audit Committee. It is envisaged that a Governance Group will be convened during 2017/18 to receive these reports on behalf of the EMT.

7. Risk Management Tools and Processes

7.1 Risk Assessment (see appendix 3 - risk assessment form)

a. The CCG has a statutory duty to risk assess hazards; record significant findings; inform employees and other stakeholders about risks; and take actions to reduce risk levels. In order to fulfil this duty the CCG uses a range of Risk Assessment tools to identify and quantify risks and to decide what action needs to be taken to reduce or eliminate risks.

b. The outcome of the risk assessment and analysis will identify an appropriate means of managing the risk. Guidance on this is given in table 1.

Table 1: Risk Types and Levels

Level of risk: Strategic
  Risk register: Board Assurance Framework
  Residual risk score: 15 or above
  Risk type: strategic, linked to the CCG's objectives; support the Annual Governance Statement; require Board-level and Executive Director scrutiny and oversight

Level of risk: Corporate
  Risk register: Corporate risk register
  Residual risk score: 12 or above
  Risk type: high-level operational; cannot be managed locally; consequences may have an organisation-wide effect; require Executive Team scrutiny and oversight

Level of risk: Local and Strategic programme-related [3]
  Risk register: Local risk / programme register
  Residual risk score: 12 or below
  Risk type: operational; managed effectively at a team, programme or departmental level

Level of risk: Project
  Risk register: Project risk and issues log
  Residual risk score: no determined threshold
  Risk type: relate solely to a specific time-limited project

[3] Risks related to workstreams managed via the Strategic Programme Board.

c. Risks should be described so that anyone reading the description can understand the issue; for example, each risk description should begin with the wording "There is a risk that...".

d. Potential adverse consequences of the risk should also be described.

e. The inherent, residual and target score of the risk should be determined using the matrix in appendix 2. Scores are obtained by multiplying a risk's consequence by its likelihood. For example, a risk with a consequence (C) of 3 and likelihood (L) of 4 would be scored as 12 (3 x 4).
- Residual score = current score with mitigations in place;
- Inherent score = initial / uncontrolled risk;
- Target score = level of risk once all mitigations are achieved.

7.2 Board Assurance Framework (BAF) [4] - Strategic Risks

a) The BAF is a tool for the Governing Body / HCB to satisfy itself that risks are being managed and objectives are being achieved. The Governing Body / HCB agendas should therefore reflect the issues raised on the BAF. The BAF will enable the Governing Body / HCB to sign the Annual Governance Statement with confidence.

b) The BAF will reflect risks impacting on the CCG's objectives as identified by members of the Governing Body / HCB and the Executive Director team. In addition, any risks identified within other risk registers that are scored extreme (15+) will be reviewed by the Executive Management Team or, in urgent circumstances, by the Chief Executive/Accountable Officer for inclusion in the BAF.

[4] The requirement to develop a Board Assurance Framework (BAF) was established by the Department of Health, Assurance: the Board Agenda (July 2002).

7.3 Risk Registers

a. A Risk Register is a management tool that enables an organisation to understand its comprehensive risk profile. It is simply a repository for all risk information and can be used as a communication tool. Risk Registers are tools used to enable the CCG to manage risk and provide a mechanism for the identification and prioritisation of risks and associated action plans.

b. The Corporate Risk Register captures high level risks to the delivery of operational objectives. Risks are captured in the context of causes and consequences, with actions mitigating the causes. These are based on documented risk assessments and may be linked to incidents, audits, external assessments or other qualitative information. Each risk added to the Register is supported by a risk mitigation, and progress on identified actions is monitored at an appropriate level.

c. Local and Programme Risk Registers [5] - each Department/Division and Programme workstream of the CCG should maintain a local risk register which reflects those risks which have been identified locally and can be effectively managed at a local level. The risk register should be updated on a regular (e.g. monthly) basis and discussed at team/departmental meetings or the Strategic Programme Board. In accordance with the guidance in table 1, escalating risks will be considered for inclusion on the Corporate Risk Register.

d. Risk Leads - Local and project risk registers should have a named risk lead responsible for updating the registers and escalating concerns appropriately.

[5] Related to workstreams managed via the Strategic Programme Board.

8. Governance, Accountability and Risk Reporting Arrangements to the Board/Governing Body

8.1 The Governing Body/HCB will receive the BAF on a regular basis. New risks, and existing risks with significant open actions and/or negative assurance, should be escalated to the Governing Body/HCB straightaway.

8.2 The Audit Committee will receive regular assurance reports (at least quarterly) to enable the Committee to fulfil its remit to review the framework of risks, controls and related assurances, as well as the adequacy and effective operation of the CCG's system of internal control.

8.2 Each Sub-committee of the Board and Programme Board will maintain its own risk register consisting of BAF, Corporate risks and any other significant risks. These risk registers will be a standing agenda item of the sub-committee/programme board meetings at least quarterly, and at every meeting if risks are escalating or of concern.

Chart 1: The HCB and Board Sub-Committees

Health Commissioning Board
  - Audit Committee
  - Finance & Performance Committee
  - Commissioning Investment & Disinvestment Committee
  - Primary Care Committee
  - Quality & Safety Committee

8.3 The Governance Group/Executive Management Team will:
a. review the Corporate Risk Register at least 6 times per year;
b. receive the BAF before it is presented to the Governing Body/HCB and Audit Committee;
c. consider and advise on actions required for effective risk management and identify risks to be escalated or de-escalated from the BAF or Corporate Risk Register.

8.4 Local and Programme Risk Registers will be a regular agenda item at local team meetings and at the Strategic Programme Board. Risks which are escalating, are of concern, or cannot be managed appropriately at local or programme Board level should be escalated for consideration for management via the Corporate Risk Register or BAF.

8.5 The Annual Governance Statement (AGS): All NHS bodies are required to produce an AGS that summarises the main systems and processes in place for risk management and internal control and discloses any material control weaknesses in any financial year. This is a statutory requirement and must be signed off by the Chief Executive/Clinical Accountable Officer.

Chart 2: The CCG's Risk Management Process

Audit Committee
  Oversight of systems of internal control and all risk management arrangements; assurance.

Health Commissioning Board
  Approval, oversight and management of strategic risk via the BAF; approval of the risk management strategy.

Strategic risks (risk score 15+) - Board Assurance Framework (BAF)
  Risks may be escalated to or de-escalated from the BAF by HCB and Audit Committee members, and on the recommendation of the Governance Committee / Executive Team.

Corporate risks (risk score less than 15; risk score 12 and/or risk cannot be managed locally) - Corporate Risk Register
  Executive Team; Board Sub-Committees (Primary Care; Finance & Performance; Quality & Safety; Clinical Investment & Disinvestment). The committees will maintain their own risk registers consisting of BAF, Corporate Risks and other risks of concern.
  Risks may be escalated to or de-escalated from the Corporate Risk Register dependent upon risk score and management.

Local, programme and project risks (risk score less than 12) - Local and programme risk registers; project risk and issues logs
  Strategic Programme Board; Team or Directorate Meetings; Project meetings or Boards. Every team, programme workstream and project should maintain a local risk register, discussed as a standing agenda item at team/project meetings.

9. Communication and Training

9.1 The strategy will be available to all staff, the public and other stakeholders via the CCGs' website(s) and will be communicated to staff via management channels.

9.2 Managers are responsible for making their staff aware, as appropriate, of the CCGs' approach to risk management, and for ensuring staff are clear about their roles and responsibilities within the process.

10. Version Control

Version Number | Date | Changes
V1 | September 2017 | New strategy bringing together existing strategies of the 3 CCGs
V1.1 | October 2017 | Executive summary added; minor updates following review by Audit Committee

Appendix 1: Approach to Risk Management

1. The CCG has adopted the Australia/New Zealand model for risk management. This provides a generic approach to identifying, prioritising and dealing with risks in any situation, whether at local or corporate level. The model comprises 7 key stages: the context; identify risks, hazards and opportunities; analyse risk; prioritise risk; treat and mitigate risk; monitor and review; communicate and consult. The model is shown in the diagram below, and the steps enclosed by the dotted line are detailed in a step by step way.

2. Step 1 - Identify the Risks: Risk identification sets out to identify the exposure to uncertainty and should be approached in a methodical way to ensure that all significant activities within the CCG have been identified and the risks flowing from these activities defined. The identification process can be both proactive and retrospective. Many lessons can be learnt from examining why an adverse incident occurred and then taking appropriate action to avoid a re-occurrence. The risk should be described so that anyone reading the description can understand the issue.

3. Step 2 - Analyse and Evaluate the Risks: Once risks have been identified, each one will be analysed by assessing both the consequence/impact and the likelihood of it occurring. In the first instance risks are measured with no controls in place; existing controls should then be considered; and finally, what controls need to be put in place to reduce the risk to an acceptable level. The subsequent risk rating should then be recorded in the appropriate document (risk assessment, incident form or risk register). This process creates a manageable programme of risk management.

4. The CCG uses a 5 x 5 risk grading matrix giving equal weighting to both the impact and the likelihood of the risk. This risk tool provides both a qualitative and quantitative analysis of the risk and is used to assess the severity of the risk for all events, e.g. incidents, complaints, claims, risk assessments and risk registers.

5. Risk mitigation is the process of selecting and implementing appropriate actions and controls to modify the risk. Mitigation options include:
- tolerating the risk, supplemented by contingency plans if deemed necessary;
- transferring the risk, by insuring against it or sub-contracting the work (whilst retaining the responsibility);
- treating the risk in an appropriate way to constrain the risk to an acceptable level, or actively taking advantage of the uncertainty as an opportunity to gain a benefit;
- terminating the activity giving rise to the risk, where appropriate.

6. An acceptable risk is one which has been accepted after proper evaluation and is one where appropriate controls have been implemented. For a risk to be deemed acceptable it will be:
- identified and entered on a risk register;
- analysed in the context of the current controls in place;
- analysed using the risk grading matrix (impact & likelihood);
- escalated to the appropriate level of management for action;
- acted upon to reduce the risk, and then kept under review.

7. Step 3 - Monitoring & Reviewing Risks: Monitoring is undertaken at all levels, from local / project level to Board level monitoring of strategic risks. The thresholds for risk escalation are included within section 8 of this strategy.

8. The CCG's Risk Appetite is not necessarily static. The Governing Body / HCB may vary the amount of risk that it is prepared to tolerate depending on the circumstances at the time. However, it is not for other parts of the CCG to materially alter the CCG's risk appetite without consultation with the Governing Body / HCB. The CCG's risk appetite ensures that risks are considered in terms of both opportunities and threats and are not usually confined to the financial consequences of a risk materialising. Risks also impact on the capability of the CCG, its performance and its reputation. The risk appetite is also influenced by the overall objectives set by the CCG, individual programmes of work and the delivery of operational, quality and performance objectives across divisions.

Appendix 2: Risk Matrix

The risk evaluation matrix quantifies risk by defining qualitative measures of consequence (severity) and likelihood (frequency or probability) using a 1-5 rating system. This allows the construction of a risk matrix, which can be used as the basis of identifying risk. The risk score is Consequence x Likelihood.

Consequence (Severity)

Consequence score (severity levels) and examples of descriptors, set out by domain. The five levels are: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic.

Domain: Impact on the safety of patients, staff or public (physical / psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work.
2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days. Increase in length of hospital stay by 1-3 days.
3 Moderate: Moderate injury requiring professional intervention. Requiring time off work for 4-14 days. Increase in length of hospital stay by 4-15 days. RIDDOR/agency reportable incident. An event which impacts on a small number of patients.
4 Major: Major injury leading to long-term incapacity/disability. Requiring time off work for >14 days. Increase in length of hospital stay by >15 days. Mismanagement of patient care with long-term effects.
5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An event which impacts on a large number of patients.

Domain: Quality / complaints / audit
1 Negligible: Peripheral element of treatment or service suboptimal. Informal complaint/inquiry.
2 Minor: Overall treatment or service suboptimal. Formal complaint (stage 1). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved.
3 Moderate: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2). Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple complaints/independent review. Low performance rating. Critical report.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards.

Domain: Human resources / organisational development / staffing / competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (<1 day).
2 Minor: Low staffing level that reduces the service quality.
3 Moderate: Late delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale. Poor staff attendance for mandatory/key training.
4 Major: Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/key training.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training/key training on an ongoing basis.

Domain: Statutory duty / inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty.
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
3 Moderate: Single breach in statutory duty. Challenging external recommendations/improvement notice.
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report.
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report.

Domain: Adverse publicity / reputation
1 Negligible: Rumours. Potential for public concern.
2 Minor: Local media coverage, short-term reduction in public confidence. Elements of public expectation not being met.
3 Moderate: Local media coverage, long-term reduction in public confidence.
4 Major: National media coverage with <3 days service well below reasonable public expectation.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House). Total loss of public confidence.

Domain: Business objectives / projects
1 Negligible: Insignificant cost increase/schedule slippage.
2 Minor: <5 per cent over project budget. Schedule slippage.
3 Moderate: 5-10 per cent over project budget. Schedule slippage.
4 Major: Non-compliance with national 10-25 per cent over project budget. Schedule slippage. Key objectives not met.
5 Catastrophic: Incident leading >25 per cent over project budget. Schedule slippage. Key objectives not met.

Domain: Finance including claims
1 Negligible: Small loss. Risk of claim remote.
2 Minor: Loss of 0.1-0.25 per cent of budget. Claim less than 10,000.
3 Moderate: Loss of 0.25-0.5 per cent of budget. Claim(s) between 10,000 and 100,000.
4 Major: Uncertain delivery of key objective/loss of 0.5-1.0 per cent of budget. Claim(s) between 100,000 and 1 million. Purchasers failing to pay on time.
5 Catastrophic: Non-delivery of key objective/loss of >1 per cent of budget. Failure to meet specification/slippage. Loss of contract / payment by results. Claim(s) >1 million.

Domain: Service / business interruption
1 Negligible: Loss/interruption of >1 hour.
2 Minor: Loss/interruption of >8 hours.
3 Moderate: Loss/interruption of >1 day.
4 Major: Loss/interruption of >1 week.
5 Catastrophic: Permanent loss of service or facility.

Domain: Environmental impact
1 Negligible: Minimal or no impact on the environment.
2 Minor: Minor impact on environment.
3 Moderate: Moderate impact on environment.
4 Major: Major impact on environment.
5 Catastrophic: Catastrophic impact on environment.

Likelihood (frequency or probability)

Likelihood score, descriptor, frequency (how often might it / does it happen) and probability (will it happen or not?):
1 Rare: This will probably never happen/recur. Probability <0.1 per cent.
2 Unlikely: Do not expect it to happen/recur but it is possible it may do so. Probability 0.1-1 per cent.
3 Possible: Might happen or recur occasionally. Probability 1-10 per cent.
4 Likely: Will probably happen/recur but it is not a persisting issue. Probability 10-50 per cent.
5 Almost certain: Will undoubtedly happen/recur, possibly frequently. Probability >50 per cent.

Risk Score (Consequence x Likelihood)

Consequence          Likelihood:
                     1 Rare        2 Unlikely    3 Possible    4 Likely      5 Almost certain
1 Negligible         1 (Low)       2 (Low)       3 (Low)       4 (Moderate)  5 (Moderate)
2 Minor              2 (Low)       4 (Moderate)  6 (Moderate)  8 (High)      10 (High)
3 Moderate           3 (Low)       6 (Moderate)  9 (High)      12 (High)     15 (Extreme)
4 Major              4 (Moderate)  8 (High)      12 (High)     16 (Extreme)  20 (Extreme)
5 Catastrophic       5 (Moderate)  10 (High)     15 (Extreme)  20 (Extreme)  25 (Extreme)

Appendix 3 Risk Assessment Pro-Forma

Project/Team/Committee:
Date:
Executive Director Risk Owner:
Operational Risk Owner:
Risk Area (e.g. Primary Care; Quality; Finance; Governance; Performance; Contracting; Medicines Management; Mental Health):

Risk Description and consequences: There is a risk that..... potentially leading to.....

Mitigating Actions (e.g. allocate extra resources):

Controls and Assurances (e.g. Committee oversight; reports; assurance returns; KPIs; contract management process):

Gaps in Controls and Assurances:

Risk Scores - see table below. Inherent score = initial / uncontrolled risk without mitigation; Residual score = current score with mitigations in place; Target score = level of risk once all mitigations achieved. C = consequence; L = likelihood; Score = consequence multiplied by likelihood. For example, a risk with a consequence (C) of 3 and likelihood (L) of 4 would be scored as 12 (3 x 4).

Inherent Risk Score: Likelihood = ; Consequence = ; Score (LxC) =
Residual Risk Score: Likelihood = ; Consequence = ; Score (LxC) =
Target Risk Score: Likelihood = ; Consequence = ; Score (LxC) =

Review by Executive Lead: Name / Signature / Date

Consequence          Likelihood:
                     Rare = 1   Unlikely = 2   Possible = 3   Likely = 4   Almost certain = 5
Negligible = 1       1L         2L             3L             4M           5M
Minor = 2            2L         4M             6M             8H           10H
Moderate = 3         3L         6M             9H             12H          15E
Major = 4            4L         8H             12H            16E          20E
Catastrophic = 5     5L         10H            15E            20E          25E

Appendix 4 Definitions

Risk: Is the threat that an event or action will adversely affect the organisation's ability to achieve its objectives. Risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threats will materialise or that errors will be made. The extent to which an organisation is willing to consider taking risks is referred to as its Risk Appetite.

Risk Management: Is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects (Governance in the new NHS HSC1999/123). It is a logical and systematic method of identifying, analysing, assessing, treating, monitoring and communicating risks in a way that will enable the organisation to minimise losses and maximise opportunities. It should be borne in mind that such a process will be based around judgements rather than necessarily explicit facts. It is seen as an iterative process consisting of steps which, when taken in sequence, enable continual improvement in decision-making (Effective Governance, IIA Guidance).

Patient safety is the identification, analysis and management of patient-related risks and incidents, to make patient care safer and minimise harm to patients. A patient safety incident is any unintended or unexpected incident(s) that could have or did lead to harm for one or more persons receiving NHS-funded healthcare. A prevented patient safety incident ('near miss' or 'close call') is any patient safety incident that had the potential to cause harm but was prevented, resulting in no harm to patients receiving NHS-funded healthcare.

The Risk Register: logs risks that could impact on the success of SWCCG achieving its declared aims and objectives. It is a dynamic living document, which is populated through the CCG risk assessment and evaluation process. It enables risk to be quantified and ranked and it provides a structure for collating information about risks that helps both in the analysis of risk and in decisions about whether or how risks should be treated.

Board Assurance Framework: Is the structure and process that enables the organisation to focus on those risks that might compromise achieving its most important aims and objectives, including risks that will impact its financial sustainability; performance; delivery of QIPP targets; service quality, patient safety and safeguarding; governance and probity; statutory duties; and reputation. The Board Assurance Framework maps out the controls that should be in place and confirms that the Governing Body / HCB has assurance about the effectiveness of those controls. The assurance framework focuses on the extreme rated risks, namely those with a residual risk rating of 15 and above.

Risk assessment is the process of estimating the level of risk, the probability of an event occurring and the magnitude of effects if the event does occur. Risk assessment lies at the heart of risk management; it assists in providing the information required to respond to potential risk.

Clinical Risk Management is largely concerned with managing risks associated with clinical activity; non-clinical risk management is associated with all other activities of the organisation. The key areas of CCG activity (clinical, organisational, financial and commissioning) are all included in the CCG's system of Risk Management; this will provide the CCG with a single effective system of internal control and governance (DH, 2006).