Risk Management Strategy

Risk Management Strategy July 2004 Version 1 This document will be reviewed regularly. Printed copies should not be considered the definitive version. Contact the Risk Management Support Unit (RMSU x54645) for advice.

Statement of Intent The purpose of NHS Grampian (NHSG) is to secure the best possible health for the people of Grampian by working together to provide people centred clinical care, planned in partnership looking towards the future. Nevertheless, we recognise that risk is inevitable in an environment as complex as healthcare, no matter how dedicated and professional NHS staff. If we are to focus on the needs of patients, prevent ill health and simplify the journey of care, it is vital that we build on our good work to date to sustain an environment of No Surprises. By effectively managing the risk involved we will make best use of available resources and provide a service which is as safe as possible for patients and for staff. NHSG have agreed a strategy that that aims to create a culture of risk management that focuses on assessment and prevention rather than reaction and remedy. To support this, an honest and open environment is to be developed, where risks and untoward incidents are identified quickly and acted upon in a positive and constructive way. However, risk extends further than harm to patients, staff or the public. Risk management also concerns itself with managing the threats to the achievement of our objectives. We aim to fully embed risk management within the Grampian Health Plan and our clinical and corporate processes so that risk is considered an integral part of patient care, strategic planning and decision making. To oversee the implementation of this strategy, NHSG have established a corporate Performance Governance Committee (PGC) with the authority to coordinate and direct the risk agenda. Arrangements for the day-to-day management of risk will be devolved to Sectors under the leadership of the Chief Operating Officer (COO) supported by the Operational Management Team (OMT). Performance management arrangements have been introduced at all organisational levels and risk management will be regularly monitored as a part of that process. This is a two-way process to ensure that arrangements are in place within each Sector of NHSG and that corrective action is taken when necessary. It also enables those providing services to escalate issues of concern to a more senior level with the expectation that action will be taken as necessary. The Board of NHSG will seek assurance on behalf of the public, patients and staff that we are doing our best to manage risk effectively. Our challenge is to ensure that risk is managed as part of our day-to-day activity and I'm confident that all leaders will sign up to this. Likewise, I'm confident that staff, where equipped with the necessary competencies and support, will actively participate in the management of risk as a normal part of their individual professional role. I am sure you will agree that effective risk management is everyone's business. I'm confident that the approach described in this strategy will help to develop the detailed arrangements for specific risks required in our various workplaces so we can build on a culture of 'No Surprises' over the coming years. Jim Royan Chairman July 2004 - i -

Contents Statement of Intent i Contents ii 1. Introduction 1 1.1 Why is Risk Management so Important to us? 1 1.2 What is the Purpose of the Risk Management Strategy? 1 1.3 What is the Scope of the Risk Management Strategy? 1 2. Organisation 1 2.1 Responsibility for Risk Management 2 2.2 Organisational Arrangements 2 3. Our Commitments 3 3.1 Underpinning Principles 3 3.2 Risk Management Framework 4 3.3 Risk Management in Partnership 5 4. Implementation of the Risk Management Strategy 6 5. Conclusion 6 Appendix A: Glossary of Terms 7 Appendix B: Risk Management Structure 8 Appendix C: Universal Risk Criteria 9 Appendix D: Risk Management Framework One Pager 10 - ii -

1. Introduction 'Risk management' provides a framework to minimise adverse events through systematic assessment, review and monitoring of risk and methods of control to reduce risk to an acceptable level. It balances rewards from responsible risk-taking, which might help us improve the quality of our services, against unacceptable risk that might threaten the ability to deliver services to the level of safety and quality we desire. (Appendix A: Glossary of Terms on page 7, explains the terms in this document which may be unfamiliar.) 1.1 Why is Ri sk Management so Important to us? Risk is inevitable in any complex system and no matter how dedicated and professional NHS staff, it is impossible to completely eliminate risk from healthcare. Nevertheless, NHS Grampian (NHSG) believes that a co-ordinated approach to risk management can help: Protect the safety of patients, staff and visitors. Minimise risks affecting the delivery of services. Secure our services, reputation and finances. Thus, it's essential that we actively manage all of the risks involved in the delivery of healthcare as a routine part of our existing day-to-day activities. 1.2 What is th e Purpose of the Risk Management Strategy? All NHS organisations must have a top-level strategy for managing the risks associated with their business. This is NHSGs Risk Management Strategy which, along with supporting strategies for patient safety, occupational health and safety management (OH&S) and specific operational policies, describes how we will manage risk in Grampian. The purpose of this strategy is to: Improve the capability to manage risk across all areas of clinical, staff and corporate governance. Eliminate or control risk to an acceptable level by creating focus on assessment and prevention rather than reaction and remedy. Support Sectors to manage risk locally using a common risk management framework operating within a set of underpinning principles. Firmly embed the management of risk within our clinical and corporate processes so that risk is considered as an integral element of patient care, strategic planning and decision making. 1.3 What is th e Scope of the Risk Management Strategy? The strategy applies to the management of all risk in NHSG. It applies to everyone employed by NHSG, wherever they are based and includes permanent, temporary, locum, contracted, agency and bank staff. 2. Organisation There needs to be clarity of who does what otherwise risk may remain unidentified, causing loss that could otherwise be controlled or avoided. The strategy defines individual and organisational arrangements at local, system wide and board levels: - 1 -

2.1 Responsib ility for Risk Management Risk should be managed by those best placed to control it. Day-to-day responsibility for risk sits with the clinicians and other staff at the operational level closest to the risk. The responsibility rises through the organisational structure, ultimately to the Board. Local Level Responsibility Clinicians and other staff: those at the operational level closest to the risk with the competence and capacity to manage a particular risk. Clinical Leads and Service Managers: day-to-day implementation of risk management within their areas. Overarching Control Sector General Managers and Directors: accountable to the Chief Operating Officer (COO) for ensuring the day-to-day implementation of risk management within their area. Each Sector & Directorate will identify a Local Risk Management Co-ordinator with defined role profile to support their General Manager or Director. Chief Operating Officer: provides day-to-day operational leadership for risk management across all of NHSG, including review of system wide risks and overview of Sector risk management performance. Board Level Accountability Medical & Nursing, Human Resources and Finance Directors: provides leadership and co-ordination of the patient safety; occupational heath, safety and environment; financial and business risk agendas as part of the wider risk management strategy. Director of Performance Improvement: executive designated with overall responsibility for the co-ordination and development of risk management and its reporting to the Board. Chief Executive: accountable to the Board for ensuring that an effective system of risk management is in place. 2.2 Organisat ional Arrangements Risk will be managed as a routine part of day-to-day business at the operational level closest to the risk: Local Level Responsibility Clinical & Non-clinical Management Teams: day-to-day implementation of risk management including responsibility for risk assessment; occurrence recording; root cause analysis of adverse events; dissemination of risk notices and lessons; and promotion of learning. Sector & Directorate Management Teams: provide leadership, driving the agenda and setting the tone for risk management; review of aggregated risk data and overview of local risk management performance. Overarching Control Operational Management Team (OMT): leads implementation, resourcing and performance management of Sector and Directorate risk management; commissions corporate risk policy; maintains the risk control plan; reviews aggregated risk - 2 -

information; co-ordinates system wide issues. In practice an OMT Sub-group led by the COO will fulfil most of the OMT's risk management responsibilities. Risk Management Network: an advisory group, led by the Head of Risk Management, providing technical and operational advice to the OMT and Sector & Directorate Management Teams, facilitating co-operation and learning between Sectors and facilitating development and consultation of NHSG risk management policy and practice. It will comprise Sector Risk Management Co-ordinators, clinicians, partnership representatives and relevant advisors. Board Level Accountability Clinical & Staff Governance Committees: provision of topic specific risk assurance to the Board, providing confidence that all of the principal risks in the clinical and staff governance domains have been identified and effectively controlled. Performance Governance Committee (PGC): single point of co-ordination to integrate, oversee and direct the risk management agenda, sign off corporate risk policy and consolidate assurances from the Governance Committees that all significant risks are adequately managed. In addition, the PGC will also provide oversight of financial and other enterprise risks such as business continuity/ contingency planning in the same manner as the other Governance Committees. Audit Committee, through Internal Audit and other assurance processes, will provide an independent objective opinion to the Board on whether the risk management arrangements described in this strategy are in place and effective. The Board: corporately responsible for owning NHSG's risk management strategy and to ensure that significant risks are adequately controlled. Collectively and individually Board members personally accept vicarious liability for the actions of NHSG and criminal sanctions for breaches of statutory obligations to protect employees and the public from risks arising from NHSG s activities or omissions. These arrangements are summarised in Appendix B: Risk Management Structure on page 8. During the next 12 months, this structure will be developed further through consultation led by the Director of Performance Improvement on behalf of the Performance Governance Committee to ensure that all groups and committees who support NHSG in the management of risk are identified and their line of accountability to the OMT clearly defined. 3. Our Commitments The following commitments form the basis of the Risk Management Strategy and will be evident across all of NHSG. They will influence the design of local risk management systems, supporting policies, performance measures and the production of training and support materials. 3.1 Underpinn ing Principles The following ten principles describe how risk management will be approached in Grampian: 1. Building on the views of regulatory bodies, NHSG recognises that risk identification and assessment are core competencies for all staff and underpin everything we do. - 3 -

2. There will be a consistent approach to risk assessment using common criteria, involving clinicians and other key stakeholders, to inform decision making and support prioritisation of local risk control plans. 3. Leaders will actively promote awareness of risk and foster a supportive culture to enable risk judgements to be handled with confidence. 4. The management of risk will be systematically integrated into existing processes. 5. Risk will be managed at the operational level closest to the risk with the competence and capacity to do so. Unmanageable risks will be escalated to the next level. 6. An open, honest and trusting environment is to be developed and sustained to promote the identification of risk and learning from adverse events and near misses. 7. Risk will be managed by targeting underlying systems weaknesses rather than blaming staff for error (providing they are not wilful, criminal or evident professional misconduct). 8. Responsibility for management, escalation, monitoring and communication of key risks will be clearly defined. 9. Effectiveness of risk management will be subject to performance review and independent audit. 10. The Board will regularly seek assurance on behalf of patients, staff and the public that risk controls are in place and remain effective. 3.2 Risk Mana gement Framework The Risk Management Framework, which will be explained in detail within the Risk Management Policy, describes the practicalities of how risk management will be approached in Grampian: Risk assessment: A universal approach will be defined for identifying and assessing the significance of risk to judge whether additional controls are required or whether the risk can be accepted. The Universal Risk Criteria (Table 1 in Appendix C: Universal Risk Criteria, page 9) will be adopted as standard for all types of risk assessment. All departments will have arrangements in place for a regular programme of risk assessment. Occurrence recording and sharing of learning: Errors, complaints and claims tend to fall into recurrent patterns regardless of the people involved, mainly due to system weaknesses. Occurrence recording of all types of adverse events and near-misses will enable trends to be identified, system weaknesses to be captured and action taken. A policy will be developed to equip staff in NHSG with the competencies to conduct Root Cause Analysis in a consistent and transparent way to enable further lessons to be learned. Lessons will be shared and auditably actioned through improvement of the Risk Notice system. Risk control plans and escalation: A risk information system will be implemented to help maintain NHSG's 'risk control plan' containing risk assessments and details of necessary control measures. Its purpose is to help every level of the organisation prioritise available resources to minimise risk to best effect and provide assurances that progress is being made. Significant risks deemed impossible or impractical to manage at a lower level will be escalated to a more senior level. A mechanism will be devised to ensure that risk assessments within Board and OMT papers are incorporated into the Risk Control Plan. - 4 -

Risk control and contingency: For all significant risks, proportionate risk control and contingency measures should be introduced to reduce the risk to an acceptable level. To increase confidence of those deciding whether to accept or control a risk, NHSG will retrospectively support all well judged risk assessments using the universal risk control criteria defined in Table 2 in Appendix C: Universal Risk Criteria on page 9. Monitoring progress: We will monitor progress of risk management as a component of the overarching performance management arrangements to identify and prioritise areas requiring additional support. Assurance of effectiveness of control: An assurance framework will be developed to provide the Board with systematic assurance that local systems are capable of identifying their objectives and managing the risk to their achievement. The Performance Governance Committee will aggregate assurance data from the OMT, Audit and Governance committees to provide evidence for the Chief Executive's annual Statement of Internal Control. The Risk Management Framework is summarised in Appendix D: Risk Management Framework One Pager on page 10. 3.3 Risk Mana gement in Partnership Our approach to risk management recognises the importance of working in partnership with all relevant stakeholders: Patients and the Public Risks relating to service availability and quality of service will be managed and communicated. Guidance on dealing with such risks will be developed in conjunction with the Area Clinical Forum and be available within our Patient Safety and Patient Focus Public Involvement strategies and other policies. Because NHSG seeks to inspire public trust, for all such risks, we commit to: Be open and transparent about our understanding of the nature of risks to the public. For patients, this is a key element of our Informed Consent Policy; Seek community involvement in the decision making process of those affected; Act proportionately and consistently in dealing with public risks; Base decisions on evidence; Publish assurance that we are doing our best to manage risk; Staff Risks impacting on staff will be managed in partnership and, along with their controls, brought to the attention of affected staff. Our OH&S Policy will give further detail on how the specific health and safety legislative requirements have been addressed. To achieve these aims, NHSG commits to: Local risk management arrangements facilitating genuine involvement of staff and their representatives at the earliest possible stage in risk management matters; Provide adequate information and training to equip staff with the competencies necessary to effectively manage risk; Joint problem solving and decision making; Production of policy, procedure and guidelines for staff on risk management matters, including a single OH&S Policy Manual; - 5 -

Full support for Union Safety Representatives and non-union Representatives of Employee Safety according to our Safety Representatives policy; Involvement of the Grampian Area Partnership Forum to support the corporate development of risk management arrangements in Grampian. Partner Agencies, Contractors and the Voluntary Sector The delivery of NHSG's objectives relies upon effective co-operation, partnerships and joint working with agencies such as Local Authorities, Universities, the Voluntary Sector and independent contractors such as GPs and Dentists. NHSG commits to minimise risk associated with such partnerships by ensuring: Common objectives are agreed from the outset with all partners; Shared risks are identified and managed in partnership; An adequate risk management framework is incorporated as part of joint management and partnership governance arrangements; Monitoring arrangements exist to provide assurance that risk is managed adequately; 4. Implementation of the Risk Management Strategy The Board recognises that resources and support will be necessary to enable the implementation of this strategy and consequently has directed the Risk Management Support Unit (RMSU) to support Sectors and Directorates to implement this strategy in their areas. 5. Conclusion This strategy sets out NHSG's objectives for risk management, and indicates how we intend to achieve those objectives. All of us who work in NHSG have ethical, legal and professional obligations to manage the risks associated with the delivery of high-quality healthcare. Managing risk effectively is part of our everyday work in caring for patients. Let us implement this strategy to place risk management at the forefront of all of our minds. Alex Smith Interim Chief Executive July 2004-6 -

Appendix A: Glossary of Terms Acceptable Risk. An everyday risk, minor in nature, occurring on a routine basis. Adverse Event. An undesirable incident such as a clinical mishap, accident or organisational event that led to harm or loss. Assurance. Stakeholder confidence in our service gained from evidence showing that risk is well managed. Blame. Inappropriate attribution of responsibility to an individual for an adverse event. Contingency. An action or arrangement that can be implemented to minimise impact and ensure continuity of service when things go wrong. Control Measure. Something done to minimise risk to an acceptable level either by reducing the likelihood of an adverse event or the severity of its consequences or both. Controls. Arrangements designed to reduce the likelihood or severity of a risk. Governance. The system by which NHSG is directed and internally controlled to achieve objectives and meet the necessary standards of accountability, probity and openness in all areas of clinical, corporate and staff governance. Likelihood. Chance of circumstances in question actually occurring. Near Miss. An undesirable incident that by chance or design did not result in harm or loss. Occurrence Recording. System to report and learn from adverse events and near misses. Occurrence. An adverse event or near miss. Partnership. Way of working where staff at all levels and their representatives are involved in developing and putting into practice the decisions and policies which affect their working lives. Patient Safety. The identification, analysis and management of patient-related risks and incidents, in order to make patient care safer and minimise harm to patients. Risk Appetite. Extent to which we are willing to take or avoid a risk. Risk Assessment. A process to identify risk and evaluate whether acceptable or not. Risk Control Plan. A database of risks that face NHSG at any one time. Its purpose is to help managers prioritise available resources to minimise risk to best effect and provide assurances that progress is being made. Risk Escalation. The process of delegating upward, ultimately to the board, responsibility for the management of a risk deemed to be impossible or impractical to manage locally. Risk Management Principles. Ideology for the implementation of risk management. Risk Management. A process to balance rewards from responsible risk-taking against those unacceptable risks that might threaten our ability to deliver quality services by systematically assessing, reviewing and monitoring risk and implementing methods of control to reduce risk to an acceptable level. Risk Owner. Someone with the necessary competence and capacity responsible for the management of a particular risk. Risk. The chance of loss or harm expressed as a combination of its likelihood and severity of consequence. Root Cause Analysis. Structured techniques to establish the true systematic causes of an event as opposed to its apparent causes. Severity. Most predictable consequence to the individual or organisation were the circumstances in question to occur. Significant Risk. Broadly, any risk that could adversely affect achievement of NHSG's objectives or present a large loss with no clear opportunity for control. Statement of Internal Control. A statement by the accountable officer within the published Annual Report, required by HDL(2002)11, on the effectiveness of NHSG's systems of internal control, for which risk management is a key component. System Failure. The most likely cause of an adverse event. Typically due to a flaw or flaws in the design or operation of a system of work rather than an individual s actions or inaction. - 7 -

Appendix B: Risk Management Structure Board Level Accountability Board Responsible for obtaining assurance that all significant risks are adequately managed. NHS Board Independent Scrutiny Staff Governance Committee Performance Governance Committee Clinical Governance Committee Focus and oversight for occupational safety, health and environmental matters. PGC has unambiguous lead role to co-ordinate and direct the RM agenda. Reporting RM performance and key risks to the Board. Oversight of financial and other enterprise risks such as business continuity/ contingency planning. Focus and oversight for patient safety matters. Governance committees provide oversight of the risk agenda - ensuring its co-ordination and seeking assurances of its effectiveness. Overarching Control Operational Management Team (OMT) duties dealt by Risk Management Sub Group in practice. Risk Management Network provides technical and operational advice to OMT and Sector Management Teams; develops and consults on NHSG risk management policy and practice. OMT RM Subgroup RM Network OMT OMT responsible for commissioning corporate risk policy and leading implementation, resourcing and performance management of Sectors and Directorates' risk management. Also, maintaining the corporate risk control plan and dealing with risks escalated from Sectors and Directorates. Ensuring Healthcare Governance standards RM Network comprises Sector Risk Management Co-ordinators, risk specialists and partnership representatives. Audit Committee Independently scrutinise the effectiveness of all RM arrangements. Local Level Responsibility Devolution means partnership working with relevant stakeholders on risk management will occur mainly at the local level. Local Partnership Arrangements Sector/ Directorate Management Team Local Risk Management Arrangements Responsibility fully devolved to Sectors and Directorates to manage risk in their areas as they see fit, whilst following the principles contained in agreed NHSG policy. Eg Default responsibility for implementation of the risk management framework and application of risk management principles. Ie partnership working, risk assessment, occurrence recording and investigation, implementing risk control plans and ensuring risk competencies. - 8 -

Appendix C: Universal Risk Criteria These tables define NHSGs 'risk appetite', that is, the level of risk we are prepared to accept, the point at which risk controls are considered necessary and when risk should be escalated to a more senior level. These criteria will be used universally in all Risk Assessment and Occurrence Reporting processes in NHSG. By defining risk in this way, we wish to support responsible risk-taking (still remaining within legal, ethical and regulatory frameworks), which might help us improve the quality of our services, whilst at the same time guard against those unacceptable or reckless risks that might threaten the ability to deliver services to the level of safety and quality we desire. Table 1: Universal Risk Criteria Severity x Likelihood Risk Criterion E.g: High severity x Unlikely Moderate Risk Severity of Consequence Most predictable consequence if the event in question was to occur. Low e.g: Zero or minor injury, harm or work absence; or Readily recoverable minor service disruption; or Negligible loss of resource (people, equipment, finance), etc Medium e.g: Moderate but recoverable injury, harm or work absence; or Return to theatre, admission to hospital or extended stay; or Recoverable localised or short-term service disruption; or Moderate loss of resource, etc High e.g: Permanent/ substantial harm, disability or inability to work; or Intensive remedial care or long-term support necessary; or Recoverable widespread or substantial service disruption; or Substantial but recoverable loss of resource, etc Catastrophic e.g: Accidental death; or Irreversible or substantial long-term service disruption; or Irrecoverable substantial loss of resource, etc Very unlikely Little chance of occurrence Likelihood of Occurrence Chance of event occurring within the next year. Unlikely Probably won't occur Likely Probably will occur Very likely Known to be occurring now Negligible Negligible Acceptable Moderate Negligible Acceptable Moderate Substantial Acceptable Moderate Substantial Unacceptable Moderate Substantial Unacceptable Unacceptable Table 2: Response to Risk Negligible: No further action or records required. Acceptable: No additional risk controls required. The person responsible shall document assurance that existing controls or contingency plans remain effective and ensure any weaknesses are addressed. Moderate: Further action shall be taken to reduce the risk but the cost of control should be measured. The person responsible shall ensure additional risk control measures are introduced within a defined timescale. Assurance that risk controls or contingency plans are effective shall be documented and evaluated by the relevant Head of Service and any weaknesses addressed. Substantial: Further action, possibly urgent and requiring considerable resources, shall be taken to reduce the risk. Responsibility for introducing risk control measures within a set timescale shall be explicitly defined, probably within the health plan. Assurance that risk controls or contingency plans are effective shall be documented and evaluated by the relevant Director or General Manager and any weaknesses addressed. Unacceptable: If confirmed to be unacceptable, the situation presenting the risk must be suspended until action led from Director or General Manager level has been taken to reduce the risk. Relevant stakeholders and the Board shall be explicitly informed. If it is not possible to reduce the risk, even with unlimited resources, the situation presenting the risk shall remain prohibited. - 9 -

Appendix D: Risk Management Framework One Pager Identify and assess your risks Plan to control or escalate your risk Risk Control & Contingency Monitor Progress Provide Assurance - 10 - Objective Driven: Risks that threaten local and NHSG objectives and risks generated by those objectives. Risk Control Plan: Prioritise available resources to minimise risk to best effect: Control: Take risk control measures to reduce risk to Occurrence Records: Identify risk by Negligible- No action an acceptable looking back at reported adverse Acceptable- Monitor level. events or near misses. Moderate- Action needed Contingency: Horizon Scan: Identify risk by looking forwards to tomorrow's threats. Substantial- Urgent action Assessment may be wrong Severity: Most predictable Unacceptable- Prohibit or change. consequence to the individual or organisation were the risk in question to occur. Likelihood: Chance of the risk in Escalate Risk: Delegate upwards significant risk impossible or impractical to manage at a lower level. Prepare contingency measures to minimise the question actually occurring. severity in case Strategic Risk: Strategic the risk does Risk Rating: Assess whether the risk control plan owned by happen. combination of likelihood and severity OMT. Identifies planning and is acceptable. Risk Owner: Identify who has spending priorities. Public risk: Be transparent. responsibility to manage risk. Monitor: To ensure that risk Assurance: Key risks to control measures still NHSG kept under review working. by the Board. Confirm effectiveness of key PAF: National performance controls and your ability indicators. to manage threats to the PAF+: Local performance achievement of your indicators, including: objectives. Implementation of RM Statement of Internal Risk assessment Control: NHSG s public assurance to Improving risk control stakeholders that we Open and fair culture manage risk effectively. Improving competency Evaluate: Performance Governance Committee Learning from events will evaluate assurances Local monitoring on key strategic risks. Performance Governance Audit: Evaluate the Committee: Monitor overall quality and robustness of progress & report to Board. assurance given. Know your role & responsibility: All steps should be integrated into all of our processes and embedded in our daily activities. NHS Grampian Risk Management Strategy