STRATEGY DOCUMENT Risk Management Strategy Document Number: 1COV-STG-007 Sponsor: Chief Executive Date Created: 01/11/2005 Version: 5.0 Status: Final Date Approved: xxx Next Review Date: xxx Approved By: Trust Board

Table of Contents
1. Document Definition ... 3
  1.1 Revision History ... 3
  1.2 Review and Approval History ... 3
  1.3 References, Further Reading and links to other policies ... 4
  1.4 Glossary/Definitions ... 5
2. Introduction ... 6
  2.1 Purpose ... 6
  2.2 Scope ... 6
  2.3 Rationale ... 6
  2.4 Regulatory Position ... 6
  2.5 Principles ... 6
  2.6 Definition of risks ... 7
  2.7 Aims ... 8
  2.8 Objectives ... 9
  2.9 Special Cases ... 9
  2.10 Equality Impact Statement ... 9
  2.11 Comments ... 9
3. Strategic objectives ... 10
  3.1 Trust Strategy / Annual Plan ... 10
  3.2 Risk management framework ... 10
  3.3 Operational objectives ... 10
4. Responsibility for the management of risk ... 12
  4.1 Duties ... 12
  4.2 Responsibility of all managers and staff ... 13
  4.3 Board / Committees which have responsibility for risk ... 14
5. Risk Management Process ... 15
  5.1 Assurance Framework ... 15
  5.2 Corporate Risk Register ... 15
  5.3 Directorate and Specific Area Risk Registers ... 16
  5.4 Risk Assessment ... 17
  5.5 Process of risk management and assurance through committees ... 17
6. Performance monitoring and key performance indicators in relation to risk ... 19
7. Education and Training Arrangements ... 19
8. Dissemination to Staff and Stakeholders ... 19
9. Strategy Review Arrangements ... 19
APPENDIX B: Risk Assessment Matrix* (see separate How to Assess Risk Procedure) ... 21
APPENDIX D: Risk Management Process Flow Chart 1 ... 24
APPENDIX E: Risk Management Process Flow Chart 2 - Assurance Framework / Risk Registers ... 25
APPENDIX E: Monitoring of Compliance ... 26
Printed on 26/07/11 at 10:55 Page 2 of 27

1. Document Definition

1.1 Revision History

Version | Status | CR No. or Reason For Change | Date | Author
0.0 | Draft | New document | 01/11/2005 | J O'Donnell
0.1 | Draft | Incorporated initial review comments | 08/12/2005 | D Thomas
1.0 | Issued | After final review | |
2.0 | Draft | Rewrite to reflect changed management structure | 11/04/2007 | D Thomas / N Hall
3.0 | Draft | Rewrite to reflect changed management structure | 16/04/2008 | Head of Governance
3.1 | Draft | Annual review; new Trust name and logo | 03/07/2009 | Head of Governance
3.2 | Draft | IG&RC comments incorporated | 15/07/2009 | Head of Governance
4.1 | Draft | Appendix D added | 10/03/2010 | Corporate Risk Manager
4.2 | Draft | Removed Appendix B and amended Appendix C (previously Appendix D) to incorporate Executive Board comments | 18/03/2010 | Corporate Risk Manager
4.3 | Draft | Incorporated amendments recommended by IGRC (19/03/10) | 19/03/2010 | Corporate Risk Manager
5.1 | Draft | Incorporating comments from Audit, Risk and Assurance Committee and having regard to WCHS | 28/07/2011 | Company Secretary / Legal Services Manager

1.2 Review and Approval History

For the avoidance of doubt, the latest approved version of a document remains valid until it is superseded or withdrawn, regardless of whether the date for the next review has passed.

Version | Reviewer / Approver | R / A | Scope | Date
0.0 | Executive Risk Group | R | Context, completeness and accuracy | 06/12/2005
0.1 | Trust Board | A | Current and compliant |
2.0 | Corporate Governance & Risk Committee | A | Current and compliant | 30/04/2007
3.0 | Trust Board | A | Current and compliant | 30/04/2008
3.0 | Head of Governance, Clinical Risk & Litigation Mgr, IG Mgr | | |
4.0 | Integrated Governance & Risk Committee | R | Context, completeness and accuracy | 15/06/2009
4.0 | Integrated Governance & Risk Committee | A | Approved following incorporation of comments | 15/07/2009
5.0 | Trust Board | A | Current and compliant | 27/03/2010

1.3 References, Further Reading and links to other policies

Ref. No. | Document Title | Document Location
1 | Being Open Policy | Intranet
2 | Business Continuity Plans | Intranet
3 | Claims Management Policy | Intranet
4 | Complaints Policy and Procedures | Intranet
5 | Consent Policy | Intranet
6 | COSHH Policy | Intranet
7 | Display Screen Equipment and Guidance | Intranet
8 | Fire Prevention Policy and Guidance | Intranet
9 | Health and Safety Policy | Intranet
10 | Incident Management Policy | Intranet
11 | Infection and Control Policies and Procedures | Intranet
12 | Information Governance Strategy and Policy | Intranet
13 | Major Incident Plan (with appendices and associated documents, including hotline arrangements) | Intranet
14 | Manual Handling Policy | Intranet
15 | Minimising Violence and Aggression in the Workplace Policy | Intranet
16 | NHSLA Risk Management Standards | www.nhsla.com/publications
17 | NHSLA Risk Management Strategy Checklist | www.nhsla.com/publications
18 | Procedure document How To Assess Risk | Intranet
19 | Resuscitation Policy | Intranet
20 | Retention of Records Policy | Intranet
21 | RIDDOR Policy | Intranet
22 | Terms of Reference for Committees of the Trust Board | Company Secretary
23 | Public and Internal Disclosure Policy (Whistleblowing) | Intranet
24 | Women's Risk Management Strategy | Intranet
25 | Fraud and Corruption Policy | Intranet
26 | Bribery Policy | Intranet
27 | Health and Wellbeing including Stress Policy | Intranet

On 1 June 2011 Wiltshire Community Health Services (WCHS) was integrated into the Great Western Hospitals NHS Foundation Trust. The policies named above are those of Great Western Hospitals. However, a number of former WCHS policies are still in existence and these should also be referred to. The intention is to integrate policies over the coming months. As part of this process the names of some of the policies may change, but the need to refer to them for the purposes of risk management remains the same. The link to WCHS policies is http://nww.wiltshire.nhs.uk/policiesandprocedures/wiltshirepctgeneral/index.htm

1.4 Glossary/Definitions

The following terms and acronyms are used within the document:

Assurance Framework: A document which identifies which of the organisation's objectives are at risk because of inadequacies in the operation of controls or where the organisation has inadequate assurances. It also provides structured assurances about where risk is being managed effectively and objectives are being delivered.
Control: A measure put in place in order to mitigate risk.
Corporate Risk Register: A register containing a list of risks for the whole organisation with a risk rating score above 15.
Directorate Risk Register: A register containing a list of risks relating to a specific directorate or area.
Staff: Used to refer to anyone working for the Trust, including NHS staff employed by the Trust, private-sector, voluntary-sector, agency, locum, contract, seconded and volunteer staff.
AMD: Associate Medical Director.
COSHH: Control of Substances Hazardous to Health Regulations 2004.
DoH: Department of Health.
Residual risk: The level of risk which remains when all practicable control measures have been implemented.
SIRO: Senior Information Risk Owner.

2. Introduction

2.1 Purpose
The purpose of the Risk Management Strategy is to provide a clearly defined and documented strategy framework to ensure that identified risks are managed in an appropriate manner.

2.2 Scope
This document applies to all Trust employees, contractors and other third parties working within the Trust. For the avoidance of doubt, this strategy applies to the wider organisation encompassing Wiltshire Community Health Services. Risk management is the responsibility of all staff, although managers at all levels are expected to take an active lead to ensure that risk management is a fundamental part of their operation. This strategy takes precedence over the Women's Risk Management Strategy which is used within Maternity Services.

2.3 Rationale
The Trust is committed to implementing the principles of governance, defined as the system by which the organisation is directed and controlled, at its most senior levels, to achieve its objectives and meet necessary standards of accountability, probity and openness. The Trust recognises that the principles of governance must be supported by an effective risk management system that is designed to deliver improvements in patient safety and care as well as the safety of its staff, patients and visitors. Risk management includes identifying and assessing risks and then responding to them. The Trust is required to have a Board-approved strategy for managing risk that identifies accountability arrangements and the resources available, and contains guidance on what may be regarded as acceptable risk within the organisation.

2.4 Regulatory Position
This strategy provides the structured approach to the management of risk as required by the NHS Litigation Authority (NHSLA) Risk Management Standards and Monitor (Independent Regulator of NHS Foundation Trusts). This strategy has been checked for compliance against the NHSLA Risk Management Strategy Checklist (www.nhsla.com). In compiling this Strategy, consideration has been given to the National Audit Office Financial Governance and Audit Practice documents of November 2009 and January 2010 relating to the role of the Audit Committee.

2.5 Principles

Hazard and Risk
Hazard is the potential for harm, misfortune, damage or loss, particularly in this context related to healthcare and the environment in which it is delivered. Risk is the likelihood of harm, misfortune, damage or loss due to realisation of a hazard. Risks and hazards are identified both within the organisation and from sources outside of the organisation. Both need to be integrated into the risk management systems and processes.

Risk and risk management
Risk and risk management are defined as follows:
- Risk is the uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.
- Risk management is all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
The Department of Health, the National Patient Safety Agency and the Health and Safety Executive all require the Trust to identify and manage risk in order to maintain and improve safe systems for patient care and to maintain a safe environment for staff and all visitors to the Trust. Proactive management of risk and reactive analysis of incidents enable the Trust to implement appropriate actions to improve patient and staff safety.

Risk Grading
Grading is part of the risk assessment and management process. Risks are graded according to likelihood and consequence. Reference should be made to the How to Assess Risk Procedure.

2.6 Definition of risks
Risks come in many forms, such as (not an exhaustive list):
- Corporate
- Strategic
- Non-clinical
- Financial
- Clinical and client related
- Care processes
- Equipment
- Patient safety
- Infection
- Health and safety
- Human resources
- Organisational reputation

For the purpose of this strategy, the terms clinical risk, organisational risk, financial risk, significant risk and acceptable risk are defined as follows:
- Clinical risk is any issue that may have an impact on the achievement of high quality, safe and effective care for patients.
- Organisational risk is any issue that may have an impact on delivery of organisational objectives and / or its reputation.
- Financial risk is any issue that may have an impact on financial objectives.

Significant risks are defined as:
(i) risks which may occur routinely or regularly which would cause serious harm, damage or loss to persons or property;
(ii) systematic failures which contravene statutory or mandatory requirements and where the Trust would be judged seriously negligent in its duty of care;
(iii) risks that might cause the Trust to fail or have serious difficulty in achieving its financial, performance or governance objectives;
(iv) risks that occur rarely or very rarely but might cause death or very serious harm to persons, or potentially catastrophic damage or loss to property, income or reputation;
(v) risks of never events as defined by the NPSA. These are serious patient safety incidents that should not occur if preventative measures have been put in place. A list of never events is published by the NPSA; should they occur they are reportable and require investigation as a Serious Untoward Incident; and
(vi) risks which occur occasionally or routinely and might cause serious harm to persons and which require significant resources to reduce or control.

Acceptable risks are those risks which:
(i) may occur rarely or routinely but which are minor in nature, with minimal financial loss or minimal damage to structure, equipment or property;
(ii) occur rarely and would not cause serious harm, damage or loss to persons or property;
(iii) occur rarely and might cause serious harm, damage or loss, but which would take disproportionate resources to eliminate or reduce and have been agreed acceptable by the Board.

The Trust recognises that it is not possible to eliminate all risks, and systems and controls should not be so rigid that they stifle innovation and imaginative use of limited resources in order to achieve health benefits. When all reasonable control measures have been put in place some residual risk will inevitably remain in many Trust processes, and this level of risk must be accepted. Risk acceptance by the Trust will be systematic, explicit and transparent. The high cost of eliminating a risk in comparison with the potential severity of the risk being realised means that risks will not always be eliminated. The financial consequences of risk acceptance will be transferred through participation in NHSLA risk pooling schemes. Unacceptable risk is a significant risk to the fulfilment of the Trust's objectives.

2.7 Aims
The aim of risk management is to reduce the risk of the Trust failing to deliver its objectives. It is a systematic and cyclical process, in which potential risks are identified, assessed, managed, monitored and reviewed. It is applicable at all levels: corporate, directorate, department, team and individual. Risk management is best undertaken in a constructive, open, honest, learning and multidisciplinary environment. Healthcare is by its very nature a high-risk activity, and the process of risk management is a required control mechanism if risks are to be identified and managed. Risk management is a proactive approach which:
- identifies the various activities of the organisation;
- identifies the hazards that exist within those activities and the risks associated with those hazards;
- assesses those risks for likelihood and potential severity;
- eliminates the risks that can be eliminated;
- reduces the effect of those risks that cannot be eliminated;
- acknowledges those risks that can be tolerated; and
- regularly reviews all risks.
The Board recognises that complete control and avoidance of risk is impossible, but that risks can be minimised by making sound judgements from a range of fully identified options.

This strategy aims to ensure that patients, staff and visitors are provided with a safe environment in which healthcare can be safely delivered. This strategy will establish a consistent and integrated approach to the management of all risk across the whole Trust.

2.8 Objectives
The key objectives of this strategy are to provide the framework for achieving:
- robust corporate governance;
- the control and management of risk to achieve organisational objectives.
By implementing this strategy the Trust will achieve:
- continued compliance with the Care Quality Commission's Annual Health Check and the NHSLA Risk Management Standards;
- production of the assurance framework to allow the annual governance statement to be signed;
- the integration of risk management within the Trust's strategic aims and objectives;
- integrated governance encompassing financial, clinical, corporate, information, performance and research governance systems.
Failure to implement a strategy for managing risk could have a severe impact on patient health, the Trust's reputation and the health and safety of staff and visitors. It could have serious financial consequences. It would also be a breach of our statutory obligations. This document and related documents set out the processes by which all risks are identified and controlled. It identifies the resources for managing risk, how they relate to each other, and roles and responsibilities. The Trust supports an open culture which encourages all staff and contractors to operate within the systems and structures outlined in this strategy. The Trust will provide appropriate training in relation to risk management to ensure this strategy is implemented.

2.9 Special Cases
None.

2.10 Equality Impact Statement
Great Western Hospitals NHS Foundation Trust aims to design and implement services, policies and measures that meet the diverse needs of its service, population and workforce, ensuring that none are placed at a disadvantage over others. This document has been assessed against the Trust's Equality Impact Assessment Tool and has been assessed as not relevant to the duty.

2.11 Comments
Any comments on this document should, in the first instance, be addressed to the author.

3. Strategic objectives

3.1 Trust Strategy / Annual Plan
The Trust set out its strategic objectives in the Great Western Hospitals NHS Foundation Trust Strategy for 2010-2015. They are:
1. To provide consistently high quality, safe services which deliver desired patient outcomes, and to perform in the top 25% of comparable acute trusts in delivering Hospital Standardised Mortality Rates (HSMR), patient satisfaction and staff satisfaction.
2. To improve the patient and carer experience of every aspect of the service and care that we deliver.
3. To ensure that staff are proud to work for the Trust and would recommend the Trust as a place to work, or to receive treatment.
4. To secure the long term financial health of the Trust.
5. To adopt new approaches and innovation so that we improve services as healthcare changes whilst continuing to become even more efficient.
6. To work in partnership with others so that we provide seamless care for patients.
In addition the Trust will set out its objectives in the Annual Plan, which is published on the Monitor website (ref. www.monitor-nhsft.gov.uk). These reflect the requirements of the Care Quality Commission's Essential Standards of Quality and Safety (see Appendix A).

3.2 Risk management framework
The Trust's Risk Management Strategy is integral to delivering the Trust Strategy and Annual Plan. A proactive Assurance Framework is maintained throughout the year which identifies significant risks that may compromise our ability to deliver our strategic objectives. Control measures are put in place and assurances are taken throughout the year that these controls remain effective. In addition, individual staff members are mindful of risk and are encouraged to raise any risks they identify through the use of systematic risk assessment. Significant risks raised this way are escalated through the use of Directorate and Specific Area Risk Registers and a Corporate Risk Register. Our Risk Management Strategy can therefore be best described as being both top-down and bottom-up. It is also proactive and reactive, as risks are identified both through the use of proactive risk assessment and following incidents that have occurred, through the implementation of an effective Incident Management Policy. The use of an effective Assurance Framework, Corporate and Directorate / Specific Area Risk Registers, proactive risk assessment and incident management form the core of the Trust's Risk Management Strategy.

3.3 Operational objectives
In order to support delivery of the strategic objectives, the Risk Management Strategy sets the following operational objectives for risk management at the Trust:
1. By 31 July 2011, to undertake a fundamental review of the content, format and presentation of the Assurance Framework to ensure that it continues to be in line with best practice.
2. By 31 July 2011, to undertake a fundamental review of the content, format and presentation of the Corporate and other Risk Registers to ensure that they continue to be in line with best practice and that they are in a consistent format.
3. By 1 October 2011, to re-emphasise the Trust-wide process for assessing all types of risk as detailed in the How to Assess Risk procedure available on the intranet.
4. By 31 December 2011, to facilitate a self-assessment by the Audit, Risk and Assurance Committee using the Financial Management and Governance checklist, to help inform the Committee on its continued role and responsibility. This is to be tied in to the annual review of the Committee's terms of reference, which shall have regard to the NHSLA criterion relating to risk management committees.
5. By 31 December 2012, to implement the Risk Management Module of the Ulysses Safeguard system across the Trust.

4. Responsibility for the management of risk 4.1 Duties Board of Directors The Board is responsible for ensuring that the Trust has effective systems for identifying and managing all risk; clinical, financial and organisational. The Board has established a risk management structure to help deliver its responsibility for implementing risk management systems within the Trust which is explained below. An organisational structure for the Trust is set out at Figure 1 below. Chief Executive The Chief Executive has overall accountability to the Board for ensuring that an effective risk management system is in place within the Trust and for meeting all statutory requirements. The Chief Executive is responsible for implementation of risk management as outlined below and is the Executive Lead on maintaining the Board Assurance Framework. The Chief Executive is the Accounting Officer. Executive Directors Executive Directors are directly accountable to the Board for effective risk management within their areas of responsibility. They are required to ensure that risks are identified promptly and managed effectively in accordance with this Strategy and any associated documents, policies and procedures. Executive Directors are responsible for ensuring that Associate Medical Directors are aware of their responsibilities under this Strategy and for compliance. The Medical Director is the Executive Lead for risk management reports that result from claims. Associate Medical Directors (AMDs) AMDs are responsible for the management of both strategic and operational risk within their Directorates. This includes the implementation of risk management procedures and for escalating risks that cannot be managed at a local level. They are responsible for the Directorate and Specific Area Risk Registers and accountable to the Executive Committee on risk management. 
They are responsible for: - Promoting a risk management culture within the Trust by actively encouraging the identification of risks; Identifying a suitable local forum (usually monthly directorate meetings) for the discussion of risk management issues; Consideration and discussion of risk management issues at that forum; Development and implementation of work plans to ensure risks are identified and treated; Ensuring directorate risk registers are maintained and reviewed at least once a month to ensure timely and systematic risk management and communication of risk; Ensuring escalation of risks from directorates for inclusion in the Corporate Risk Register / attention of the Board. Confirming to the Executive Committee on an annual basis that risk is being managed effectively by completing the risk management check list. Appendix B sets out the check list in respect of risk management for directorates / specific areas. General Managers General Managers are responsible for supporting the AMDs in managing risk within their Directorates / Specific Areas. They are responsible for: - Ensuring that appropriate and effective risk management processes are in place within designated areas and scope of responsibility and that all staff are made aware of the risks within their work environment and of there personal responsibilities; Implementing and monitoring any identified risk management control measures within their designated area and scope of responsibility ensuring that they are appropriate and adequate; Ensuring that risks are captured onto directorate / special area risk registers; and Printed on 26/07/11 at 10:55 Page 12 of 27

Ensuring that a local group (usually the monthly directorate / special area meetings) review the directorate / special area risk register monthly. Company Secretary The Company Secretary has responsibility for supporting the Chief Executive in developing and implementing integrated governance and risk management strategies. Corporate Risk Manager The Corporate Risk Manager is responsible for: Supporting Executive Directors in maintaining an effective Assurance Framework; Compiling a Corporate Risk Register in accordance with this Strategy; Supporting Directorates in compiling Directorate Risk Registers; 4.2 Responsibility of all managers and staff Staff with managerial responsibility All staff with managerial responsibility must understand and implement the Trust s risk management strategy and underlying policies. They are responsible for the following: Ensuring they have adequate knowledge of relevant legislation, seeking advice from appropriate experts where necessary and ensuring that compliance with legislation is maintained. Ensuring that this strategy is implemented in their areas and that staff are made aware of their individual responsibilities. Ensuring that staff have access to the necessary information and training to enable them to work safely. These responsibilities extend to anyone affected by the Trust s operations including bank and agency staff, contractors, members of the public and visitors. Ensuring appropriate resources are available and procedures are in place to implement this strategy. Promoting greater risk management and health and safety awareness amongst all staff. Ensuring that risks are identified, evaluated, recorded and reviewed. Ensuring that staff comply with relevant policies including health and safety, fire, occupational health, CoSSH, and first aid. This list is not exhaustive. 
All Trust Staff
All employees are required to comply with all relevant legislation and regulation, attend training where appropriate, maintain their own professional competencies, and ensure they are familiar with, and comply with, Trust policies, procedures and other documents. All employees have a responsibility to ensure that any risks they identify are flagged to their line manager in the first instance. Staff should be aware of risk management procedures and be willing to report incidents and risk management issues.

Figure 1: Organisational Structure

4.3 Board / Committees which have responsibility for risk
The Trust Board is responsible for risk management throughout the Trust. It delegates responsibility to the Executive Committee and the Audit, Risk and Assurance Committee and receives assurance from those committees on the effectiveness of risk management. Directorate meetings feed in to the Executive Committee.

Monitoring
Reference should be made to the Terms of Reference of the Executive Committee and the Audit, Risk and Assurance Committee for their respective roles and responsibilities regarding risk. These are available from the Committee Secretary. Appendix A sets out the process for monitoring compliance with the terms of reference of these committees involved with risk.

Process
Details of how the Board, Committees and other meetings exercise their responsibility for risk management are set out below under the risk management process.

5. Risk Management Process

5.1 Assurance Framework

Purpose
To ensure that risks to the Trust achieving its objectives are identified promptly, that control measures are put in place to mitigate those risks, and that assurances are taken throughout the year that those control measures are effective in mitigating the risk.

Format
The format of the Assurance Framework is based on the template included in the Department of Health Integrated Governance Handbook 2003.

Content
The Assurance Framework will reflect the Trust annual objectives for the year in which it operates. Risks will be identified against those objectives as set out in the Annual Plan. New risks identified through the year will be added by the Executive Committee. Each risk identified will have the following minimum data set:
- A sequential reference number;
- Description;
- Initial risk rating;
- Key control(s);
- Source of assurance on those controls (internal and external);
- Operational lead;
- Responsible Executive Director.

At least 3 times per year the Assurance Framework will be reviewed by the Legal Services Manager, who will add details of:
- Positive assurances received since the last review;
- Any negative assurances received;
- Gaps in control (where identified);
- Gaps in assurances.

Based on the assurances received in the preceding quarter the Executive Committee will review the risk score, requesting amendments where necessary. Risks that are identified on the Assurance Framework that score above a 15 in accordance with the Trust's How to Assess Risk procedure will be added to the Corporate Risk Register.

Scrutiny and challenge (including frequency)
The Assurance Framework is subjected to scrutiny and challenge at least 3 times per year by the Executive Committee. The Audit, Risk and Assurance Committee will then take assurances from the Executive Committee that the Assurance Framework accurately reflects the risk profile of the Trust and that risks are being appropriately managed.
Trust Board will then review the Assurance Framework once the amendments from the Executive Committee and the Audit, Risk and Assurance Committee have been made.

5.2 Corporate Risk Register

Purpose
The Corporate Risk Register is to identify the top level risks within the organisation to ensure that there is oversight and management of those risks at a corporate level.

Content
The Trust prescribes the following minimum content:
- Reference number;
- Risk description;
- Source of the risk;
- Nature of risk;
- Current status (Accepted, Action underway);
- Original risk score, current risk score, residual risk score;
- Detailed action plans, to include a full explanation of existing controls and the actions required to mitigate risk, with due dates and operational leads in respect of extreme risks;
- Operational and Executive leads.

The Corporate Risk Register (CRR) will be populated by both top down and bottom up risks. All risks which score above a 15 on the Assurance Framework will be added to the CRR by the Legal Services Manager (top down). Similarly, all of the risks that score above a 15 on the top risks page of the Directorate and Specific Area Risk Registers will be added to the CRR (bottom up) by the Legal Services Manager.

Acceptable risk
It is not possible to eliminate every risk associated with the operation of the Trust. Often, a balance must be achieved between cost and benefit. When the Executive Committee considers that all practicable control measures are in place it may deem that a risk with a residual risk score has reached an acceptable level. This risk is then marked as Accepted in the Current Status column. These risks should be reviewed at least every 6 months to ensure the risks remain adequately controlled.

Review
The Corporate Risk Register is scrutinised and challenged monthly by the Executive Committee. At least once per year, there should be an overview of the corporate risk register by the Executive Committee. This must take place in the last quarter of each financial year (October-November).

5.3 Directorate and Specific Area Risk Registers

Purpose
Each directorate and specific area is required to have a Directorate / Specific Area Risk Register which identifies the risks within that directorate or specific area, to ensure that there is oversight and management of those risks at a directorate / specific area level.
Content
The Trust prescribes the following minimum content for Directorate / Specific Area Risk Registers:
- Source of the risk;
- Description of the risk;
- Risk score;
- Summary risk treatment plan;
- Date of review;
- Residual risk rating.

Sources of risk
Directorate / specific area risks may be identified from a number of sources, including incident reports, complaints and claims data, and proactive risk assessment. The source of the risk should be included on the Directorate / Specific Area Risk Register.

Review
On a monthly basis the Directorate and Specific Area Risk Registers are reviewed by the Legal Services Manager and risks which score above a 15 are transferred to the Corporate Risk Register. Amendments that are made to risks on the Directorate / Specific Area Risk Registers which have previously been added to the Corporate Risk Register will also be transferred. Where directorate / specific area risks that have previously been added to the Corporate Risk Register are rescored below a 15, they will remain on the Corporate Risk Register in red and bold for 1 month before being removed.

At least once per year, there should be an overview of the directorate / specific area risk registers by the Directorate / specific area meetings. This must take place in the last quarter of each financial year (October-November).

5.4 Risk Assessment
Risk assessment should be carried out in accordance with the Trust's How to Assess Risk procedure. The Trust has adopted the widely used 5x5 risk matrix as set out at Appendix B Risk Assessment Matrix. The risk scores are not intended to be precise mathematical measures of risk, but they are useful when prioritising control measures for the treatment of different risks. Directorates / specific areas will have in place processes whereby risks within departments / specific areas are identified proactively and controlled. Where risks are high or extreme (above a score of 8), these will be reported to line management. If it is not possible to control the risk and reduce the score at this level, the risk should be reported to the AMD or GM for the directorate / specific area for consideration for inclusion on the Directorate / Specific Area Risk Register. We will monitor this as detailed in Appendix E Monitoring of Compliance.

5.5 Process of risk management and assurance through committees

Directorate / Specific Area / Other Meetings
Each Directorate or Specific Area will have in place a mechanism which enables risks to be raised, escalated and acted upon within reasonable timeframes. This will usually include a directorate management or governance meeting at which the Directorate / Specific Area Risk Register is reviewed. Time will be allocated at these meetings to discuss risk management issues. The meetings will be responsible for:
- Appropriate population of the risk register and validating all risk scores attributed.
- For high scoring risks, reviewing the action plan in place and re-scoring the risks as appropriate.
- Monitoring the implementation of action plans for locally managed risks.
- Overview of all risks on the risk register at least once a year to verify they remain valid.
- Providing the Executive Committee, via the Company Secretary, with evidence that these responsibilities have been met.

On a rotational basis, each month these individual risk registers are presented to the Executive Committee for it to have an overview of the risks and to ensure that they are being managed effectively. Any risks with a score above 15 will be added from all risk registers to the Corporate Risk Register.

Other Groups and Committees
Other committees may have a role to play in identifying, acting on and reviewing risks within their area of expertise, such as the Patient Safety and Quality Committee and the Mental Health Committee. All risks they review will already be identified as corporate or directorate risks.

Executive Committee
Refer to the Terms of Reference for the roles and responsibilities of this committee. This is a committee of the Trust Board with primary responsibility for setting the Assurance Framework and for regular challenge and scrutiny of risks. The Assurance Framework is established once a year by the Executive Committee and is then approved by the Trust Board (the principal objectives for achieving the Trust's overall goals are set, the principal risks to achieving those objectives are highlighted, the key controls to mitigate those risks are specified and the assurances on those controls are detailed). An overview of the Assurance Framework is undertaken at least 3 times per year by the Executive Committee to check that the risks remain relevant and that control mechanisms remain adequate. The Executive Committee will determine if the arrangements in place to achieve the organisation's objectives and manage risks are effective and operating as intended. The Executive Committee will evaluate the design of the key controls and evaluate the assurance across all areas of principal risk. Positive assurances will be identified along with any gaps in controls and / or assurances. Plans to take corrective action where gaps have been identified will be put in place for principal risks. The Executive Committee will scrutinise the Assurance Framework to ensure it is effective.

Each month the Executive Committee will scrutinise and challenge the Corporate Risk Register. On a rotational basis the directorate and specific area risk registers will also be scrutinised and challenged by the Executive Committee, so that it can be assured that those registers are being managed effectively by the respective directorate meetings. The Executive Committee will ensure that well-founded risk registers are in place and that action to mitigate risk is being implemented and reviewed. The Executive Committee will take a holistic view of risks to determine whether any risk identified in one area applies to other areas, or whether risks are Trust wide. The directorate and specific area meetings are responsible for scrutinising and challenging their own risk registers on a monthly basis. Any risks with a rating above 15 will be added to the Corporate Risk Register. The Executive Committee reports to the Audit, Risk and Assurance Committee.

Audit, Risk and Assurance Committee
Refer to the Terms of Reference for the roles and responsibilities of this committee. This is a committee of the Trust Board with primary responsibility for the scrutiny of governance and risk. Information risk is reported to this committee by the Information Governance Steering Group.
The Audit, Risk and Assurance Committee scrutinises the Executive Committee's management of the Assurance Framework and the Risk Registers and then provides assurance to the Board at least 3 times per year, making recommendations regarding action plans to mitigate risk as necessary. The Audit, Risk and Assurance Committee supports the Board and the Accounting Officer by reviewing the completeness of assurances and by reviewing the reliability and integrity of those assurances. The Audit, Risk and Assurance Committee is independent and its members have a good understanding of the objectives, priorities and risks to the Trust.

Trust Board
The Trust Board has overall responsibility for risk management and takes assurance from the Audit, Risk and Assurance Committee that risk is being managed effectively. As necessary the Board puts in place action plans to mitigate risk.

Figure 2: Committee Structure

6. Performance monitoring and key performance indicators in relation to risk
It is the responsibility of the Audit, Risk and Assurance Committee to monitor the implementation of this strategy and to ensure that appropriate actions are taken to manage exposure to risk. Audit is the most effective and accurate means to identify, assess and test risk liabilities. Localities and specialties will be subject to periodic audits of selected clinical and non-clinical areas by a team of internal specialists.

Performance indicators
- Green rating in the annual internal audit on assurance and risk management
- Green rating from Monitor on governance
- Level 3 Financial Risk Rating from Monitor

The process for monitoring compliance with all the minimum requirements set out within the NHSLA Risk Management Standards in relation to this Risk Management Strategy is detailed in Appendix E Monitoring of Compliance.

7. Education and Training Arrangements
All Executive and Non-Executive Directors will receive training on risk management as part of their induction programme and will receive refresher update training as part of the annual strategic business planning process. Training will be hosted at least once a year for all Associate Medical Directors and all General Managers on their duties under this Strategy. Attendance will be recorded and non-attendance will be followed up and training provided. A How to Assess Risk procedure is available to all staff via the intranet. A training programme will be developed to roll out the Safeguard risk management system by 31 May 2012. All staff receive risk assessment training at Trust Induction. All Associate Medical Directors are to be advised of their requirements under this Strategy. All Managers receive additional training in their responsibilities for managing their risks in the Managers' Responsibilities for H&S training.

8. Dissemination to Staff and Stakeholders
As a document that guides practice, this Strategy is available to all staff via the intranet. In addition, the Executive Directors will cascade the relevant parts of this strategy to their directorates. Associate Medical Directors will be advised of this strategy by the Company Secretary. A copy of this strategy is available to all stakeholders on request to the Company Secretary.

9. Strategy Review Arrangements
This Strategy will be reviewed once a year in line with the annual business planning cycle, or sooner if procedural, legislative or best practice changes occur. Next review July 2012.

APPENDIX A Process for Monitoring Compliance with Terms of Reference of Board Committees involved with Risk

For each committee identified as being responsible for elements of risk management an annual review will be completed to assess the achievement of the committee's terms of reference. The review will look at the achievement of:
1. Duties in relation to risk management
2. The receipt of reports from sub-committees or other groups
3. The attendance by members of the committee
4. Quorate meetings
5. Frequency of meetings

The results of this review will be reported to the relevant committee. Committee members will be asked to approve the findings and the conclusions drawn from the review.

APPENDIX B Risk Assessment Matrix*
SEE SEPARATE HOW TO ASSESS RISK PROCEDURE

The overall risk rating reflects both the likelihood that harm or loss will occur and the severity of its outcome (i.e. Risk = likelihood x consequence):

Consequence \ Likelihood   Rare (1)   Unlikely (2)   Possible (3)   Likely (4)   Almost certain (5)
Catastrophic (5)               5           10             15            20               25
Major (4)                      4            8             12            16               20
Moderate (3)                   3            6              9            12               15
Minor (2)                      2            4              6             8               10
Negligible (1)                 1            2              3             4                5

*based on an NPSA template

THE OVERALL RESIDUAL RISK RATING
- Low Risk: Quick easy measures implemented immediately and further action planned for when resources permit
- Moderate Risk: Actions implemented as soon as possible, but not later than a year
- High Risk: Actions implemented as soon as possible and no later than six months
- Extreme Risk: Requires urgent action. Trust Board is made aware and implements corrective action

APPENDIX C Directorate Risk Register checklist

The Trust's Risk Management Strategy requires that each directorate or specific area Risk Register is reviewed by the Executive Committee at least once per year in order to provide assurance to that committee that risk registers are compiled and managed in accordance with the Strategy. In order to facilitate that review process, the Associate Medical Director or the Executive Director is kindly asked to complete the following questionnaire, which is designed to be completed electronically for submission to the Executive Committee.

1. What active steps do you take to promote a risk management culture?
2. Are you satisfied that risks are being identified?
3. From which of the following sources of information have you identified risks?
   a. Incident reports
   b. Risk assessments
   c. Complaints documents
   N.B. It is a mandatory requirement of the NHSLA Standards for Acute Trusts that risks are identified from all of these sources.
4. Have all risks been assessed and scored in accordance with the Trust's How to Assess Risk procedure (available on the intranet)?
5. Have all risks been captured on the Directorate / Specific Area Risk Register?
6. Are you satisfied that your Risk Register accurately reflects the risk profile of your directorate / area?
7. Are risks appropriately described, i.e. do they describe the consequence of the risk rather than the source?
8. Has the Risk Register been reviewed on a monthly basis at a Directorate / area meeting?
9. At those meetings is there a full discussion around risk and its management?
10. Are action plans to mitigate risk being implemented?
11. Is implementation of action plans to mitigate risk being monitored at the directorate / specific area meetings?
12. Does your Register comply with the Risk Register template (available from Gail White)?
13. Has the Directorate / Specific Area Risk Register been updated each month? If no, explain why and what measures will be put in place to ensure monthly update.
14. Are all the risks where the risk rating score is above 15 escalated for inclusion on the Corporate Risk Register?
15. How have you communicated risk within your directorate / specific area?
16. Have you made staff in the directorate / specific area aware of their responsibilities in respect of risk management, namely that all staff are required to comply with all relevant legislation and regulation, attend training where appropriate and maintain their own professional competencies, and ensure they are familiar with, and comply with, Trust policies, procedures and other documents?
17. Have you undertaken an annual overview of the Directorate / Specific Risk Register to remove old risks?

Please return the questionnaire to Gail White, Legal Services Administrator (gail.white@gwh.nhs.uk) at least 7 working days before the next Executive Committee.

APPENDIX D Risk Management Process Flow Chart 1

1. Staff identify a risk.
2. Reported to line manager.
3. Either identified as a local operational matter, which will be managed by the line manager, or identified as a risk.
4. Risk assessed in accordance with the How to Assess Risk procedure.
5. Risk is captured onto the directorate / specific area risk register by the General Manager.
6. Risk Register managed by the directorate / specific area meeting.
7. Risks scoring above 15 added to the Corporate Risk Register by the Legal Services Manager.
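The scoring rule of Appendix B (Risk = likelihood x consequence on two 1 to 5 scales) together with the escalation thresholds of sections 5.3 and 5.4 and the flow chart above, worked through as an added Python example. This is illustrative code written for this page, not code from the Trust, its Safeguard system or its How to Assess Risk procedure. The function names and the RiskEntry record are assumptions, as are two readings the Strategy leaves open: a score of exactly 15 is treated as not "above a 15" (so it stays at directorate level), and the "1 month" a rescored risk remains on the Corporate Risk Register in red and bold is taken as 30 days.

```python
"""Worked example of the Trust's risk scoring and escalation rules.

Added illustration for this page; not code from the Trust or its Safeguard
system. Function and record names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Scales of the Appendix B matrix (NPSA-style 5x5).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

CRR_THRESHOLD = 15              # "above a 15": transferred to the Corporate Risk Register (5.3)
LINE_MGMT_THRESHOLD = 8         # "above a score of 8": high or extreme, reported to line management (5.4)
CRR_GRACE = timedelta(days=30)  # "1 month" in red and bold before removal; 30 days is an assumption


def risk_score(likelihood: int, consequence: int) -> int:
    """Risk = likelihood x consequence, both on the 1..5 scales above."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must each be an integer 1..5")
    return likelihood * consequence


def build_matrix() -> List[List[int]]:
    """The Appendix B grid: rows Catastrophic (5) down to Negligible (1),
    columns Rare (1) across to Almost certain (5)."""
    return [[risk_score(lk, c) for lk in range(1, 6)] for c in range(5, 0, -1)]


def escalation_level(score: int) -> str:
    """Where a freshly scored risk goes under 5.3 / 5.4 and Flow Chart 1.

    The Strategy sets only two thresholds, so a score of exactly 15 stays at
    directorate level (it is not 'above a 15'); that reading is an assumption.
    """
    if score > CRR_THRESHOLD:
        return "corporate"         # added to the CRR by the Legal Services Manager
    if score > LINE_MGMT_THRESHOLD:
        return "line-management"   # reported to line management; AMD/GM if not reducible
    return "local"                 # managed locally, captured on the directorate register


@dataclass
class RiskEntry:
    """One row of a directorate register (hypothetical record shape)."""
    ref: str
    likelihood: int
    consequence: int
    on_crr: bool = False
    rescored_below_on: Optional[date] = None  # first review at which the score was no longer above 15

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.consequence)


def crr_review(entry: RiskEntry, today: date) -> str:
    """One monthly Legal Services Manager review of a directorate risk (5.3).

    Returns 'add' (transferred to the CRR), 'keep' (on the CRR and still above 15),
    'flag' (rescored to 15 or below; remains on the CRR in red and bold),
    'remove' (flagged for a month, now dropped) or 'none' (never on the CRR).
    """
    if entry.score > CRR_THRESHOLD:
        entry.rescored_below_on = None
        if entry.on_crr:
            return "keep"
        entry.on_crr = True
        return "add"
    if not entry.on_crr:
        return "none"
    if entry.rescored_below_on is None:
        entry.rescored_below_on = today
        return "flag"
    if today >= entry.rescored_below_on + CRR_GRACE:
        entry.on_crr = False
        entry.rescored_below_on = None
        return "remove"
    return "flag"


def demo_lifecycle() -> List[str]:
    """Constructed walk-through: a 16 is added, rescored to 12, held for a month, then removed."""
    r = RiskEntry("R-001", likelihood=4, consequence=4)   # constructed sample, score 16
    out = [crr_review(r, date(2011, 7, 26))]               # 'add'
    r.consequence = 3                                      # rescored to 12
    out.append(crr_review(r, date(2011, 7, 26)))           # 'flag', starts the month
    out.append(crr_review(r, date(2011, 8, 10)))           # 15 days later: still 'flag'
    out.append(crr_review(r, date(2011, 8, 26)))           # 31 days later: 'remove'
    return out


if __name__ == "__main__":
    for row in build_matrix():
        print(" ".join(f"{v:3d}" for v in row))
    print(demo_lifecycle())
```

The matrix's only score of 15 (Catastrophic x Possible, or Moderate x Almost certain) is the edge case worth checking in any register tooling: it reports to line management but does not by itself cross the Corporate Risk Register threshold, while 16 (Major x Likely) does.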

APPENDIX E Risk Management Process Flow Chart 2 - Assurance Framework / Risk Registers

Assurance Framework
- Strategic objectives mapped against Trust's Annual Plan
- Principal risks to achieving those objectives
- Key controls
- Assurances on controls
- Positive assurances
- Gaps in controls & negative assurances
- Gaps in assurances

Directorates / specific areas
- Risks are identified

Corporate Risk Register
- Action plan to address risks which score above a 15 within the Trust
- Includes all risks with risk scoring above 15 only
- Strategic risks above 15 added from AF
- Operational risks above 15 added from directorate and other risk registers

Executive Committee
- Scrutinises and challenges the CRR and one DRR on a monthly basis (reviews risks and control mechanisms in place, checks action being done, takes holistic overview)
- DRRs to be presented on a rolling programme as follows, or more frequently on request:
  - Finance (May)
  - Women's & Children Services (June)
  - Diagnostics & Outpatients (July)
  - Planned Care (September)
  - Unscheduled Care (October)
  - Workforce & Education (November)
  - Mental Health (December)
  - Adult Services (January)
  - Any other (February, March, April)
- Assesses the AF at least 3 times per year to check adequacy of controls and assurances and identify any gaps.

Directorate & Other Risk Registers (DRRs)
- Action plan to address risks which originate within directorates
- Includes all risks with any risk scoring
- Registers: Finance; Women's & Children Services; Diagnostics & Outpatients; Planned Care; Unscheduled Care; Workforce & Education; Mental Health; Adult Services; Any other

Directorate Meetings
- Makes sure new risks are being identified
- Scrutinises and challenges relevant directorate / other risk registers (reviews risks, scoring and control mechanisms, checks action being done)
- New risks / measures added / changed
- Risks with scores above 15 added to CRR
- Risk management check list signed off (at least once a year by Associate Medical Director)

Audit, Risk & Assurance Committee
- Receives report from the Executive Committee that the CRR and DRRs are being scrutinised and challenged and actions are being implemented.
- Reviews the completeness of assurances and reviews the reliability and integrity of those assurances.
- Receives report at least 3 times per year from the Executive Committee to confirm that the AF is being assessed and reviewed and that the AF provides for adequate processes and control mechanisms.

Trust Board
- Receives assurance from the AR&A Committee at least 3 times per year that action plans are in place and being implemented to mitigate risk (CRR and DRRs are being reviewed and risk managed).
- Receives assurance that the AF is being assessed and reviewed and that the AF provides for adequate processes and control mechanisms / gaps in assurance are being identified and managed.