INTEGRATED RISK MANAGEMENT FRAMEWORK (STRATEGY AND POLICY)

INTEGRATED RISK MANAGEMENT FRAMEWORK (STRATEGY AND POLICY) Version 1.5 (DRAFT) RATIFIED DATE BY WHOM Fylde and Wyre CCG Governing Body

Fylde and Wyre CCG (F&W CCG) is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on the basis of their age, disability, gender, race, religion/belief or sexual orientation. Should a member of staff or any other person require access to this policy in another language or format (such as Braille or large print) they can do so by contacting the Fylde and Wyre CCG who will do its utmost to support and develop equitable access to all policies. Senior managers within the CCG have a responsibility for ensuring that a system is in place for their area of responsibility that keeps staff up to date with new policy changes. It is the responsibility of all staff employed directly or indirectly by the CCG to make themselves aware of the policies and procedures of the CCG. This Framework is individual to Fylde and Wyre CCG. Fylde and Wyre CCG does not accept any liability to any third party that adopts or amends this policy.

CONTENTS Section Description Page 1. Introduction 4 2. Statement on Risk Management 4 3. Risk Appetite 4 4. Risk Management Strategy 4 5. Policy Statement 5 6. Accountabilities for Risk Management 5 7. Risk Management Framework 11 8. Risk Management Training and Information 13 9. Monitoring the Effectiveness of the Policy 13 10. Consultation and Communication with Stakeholders 14 11. Review and Revision of the Policy 14 12 Equality and Diversity Statement 14 14 List of Appendices to the Policy 14 Appendix 1 Fylde & Wyre CCG Governing Body Reporting Structure 15 Appendix 2 Fylde & Wyre CCG Risk Assurance Process 16 Appendix 2 Risk Rating Matrix 17 Appendix 3 Risk Assessment Form 21 Appendix 4 Version Control Tracker 23

1. INTRODUCTION As a Clinical Commissioning organisation, Fylde and Wyre Clinical Commissioning Group (F&W CCG) understands that the activities it undertakes, or commissions others to undertake on its behalf, brings with it some element of risk that has the potential to undermine or prevent the organisation achieving its Strategic objectives. The Integrated Risk Management Framework (Strategy and Policy) sets out F&W CCG s attitude to risk, its risk appetite and the strategy and framework for managing risk. This framework and the culture which underpins it enables the organisation to have a clear view of the risks affecting each area of its activity; how those risks are being managed, the likelihood of occurrence and their potential consequence on the successful achievement of the strategic objectives. This framework outlines F&W CCG s approach to the identification, recording and management of all risks within its activities and premises. This framework applies to all activities and all premises controlled or occupied by F&W CCG and to its employees and contractors. This framework outlines the accountability of all members of staff with regard to compliance with the framework. 2. F&W CCG s STATEMENT ON RISK MANAGEMENT The F&W CCG acknowledges that risk is a part of its activities and creates uncertainty in its potential outcome. In order to commission high quality services, undertake service redesign and innovate to achieve its priorities and strategic objectives, the CCG acknowledges that risk management will be a fundamental part of its business processes. By assessing and quantifying risks and ensuring an appropriate level of risk management, the CCG will create the ability to be flexible and dynamic whilst retaining oversight of its risks and clear standards of internal control. The F&W CCG Governing Body, the Accountable Officer, Chief Officers and Managers ensure that risk management is a fundamental part of F&W CCG s approach to the governance of the organisation and will provide leadership and encourage open discussion on risk to ensure that its risk management principles are embedded throughout the organisation. 3. RISK APPETITE The appetite for risk is determined by F&W CCG s vision, strategic objectives, priorities and responsibilities. Elimination of all risk in its activities is neither possible nor desirable. F&W CCG will therefore undertake, through its risk management framework, assessment and evaluation of risk. The appropriate level of control and monitoring will be determined according to the level of risk, thus allowing both compliance with regulatory requirements and innovation. 4. RISK MANAGEMENT STRATEGIC APPROACH The aim of F&W CCG is to commission high quality, safe and effective health services that meet patients needs, are delivered on time and within resources and benefit all their patients. 4

The F&W CCG s risk management strategy is to recognise that Risk Management is an integral part of effective management practice which, to be most effective, must be embedded within the culture of Fylde and Wyre CCG. This framework recognises the need to ensure that the risks involved in the delivery of the CCG s Strategic Objectives, QIPP targets (including CIP) and outcomes are identified, assessed, managed to an acceptable level, reported and monitored. This allows for flexibility, innovation, the development of best practice and the delivery of its strategic objectives, whilst enabling well-controlled risks to be taken and for unacceptable levels of risk to be reduced or eliminated. Through the implementation of the risk management framework, F&W CCG will ensure that positive risk management underpins activities, contributes to the achievement of its strategic objectives and embeds good governance practice. 5. POLICY STATEMENT It is the Policy of F&W CCG: To provide clear leadership and direction on risk management, promoting openness and transparency; To embed a culture where risk management principles are implemented and risk management is an essential function of the organisation s activity. To ensure structures, processes and sufficient resources are in place to support the identification, assessment, management and monitoring of risks throughout F&W CCG. To assure the public, patients, staff, partner organisations and other stakeholders that F&W CCG implements its commitment to manage risk effectively. The framework applies to all members and staff of the F&W CCG, including locum, interim and agency staff and its contractors. The Midlands and Lancashire CSU embedded staff must familiarise themselves with the CCG Framework, whilst also operating to the CSU Risk Management Framework. Managers at all levels are expected to take an active lead to ensure that risk management and systems of internal control are of the highest standard and integral to the operation of the organisation. 6. ACCOUNTABILITIES FOR RISK MANAGEMENT 6.1 The F&W CCG Governing Body 6.1.1 The CCG Governing Body has overall responsible for risk management within F&W CCG. It is responsible for ensuring that a framework of systems and processes for effective risk management are in place within F&W CCG and for monitoring compliance. It will provide leadership, scrutiny, challenge and support for risk management across the F&W CCG. The Governance structure, which includes the processes for monitoring risk management activities, is included at Appendix 1. 6.1.2 The Governing Body is responsible for assuring itself that the Fylde and Wyre CCG, (via the Programme Management Office structure,) identifies and manages effectively any risks within their activities which could affect the achievement of the Strategic objectives, and for monitoring and agreeing further actions to mitigate these risks and any other 5

significant non-strategic risks, where the F&W CCG Governing Body feels that further control is required. 6.1.3 The Governing Body Assurance Framework (GBAF) is the tool used to identify, evaluate and monitor strategic risks to achievement of its objectives and record any actions taken to mitigate these risks. The Governing Body is responsible for reviewing the GBAF three times per year and for directing its Committees to review specific risks as appropriate. 6.1.4 The CCG Governing Body is also responsible for receiving assurance from the Audit Committee, supported by Internal and External Audit activities and from the other Committees of the Governing Body as appropriate, regarding the effectiveness of risk management within F&W CCG, to enable this to contribute to its annual judgement on the effectiveness of internal controls within F&W CCG. 6.1.5 The Governing Body will hold an annual Governing Body Development Session in order to undertake a detailed review of the risk register and assurance framework. The development session will be attended by Governing Body members and those members of staff who have ownership of an entry on the risk register. The workshop will: Enable constructive dialogue and information-sharing regarding risks to the achievement of the CCG objectives Evaluate the mitigating controls and action plans in place. Determine the adequacy of the mitigating controls and action plans Determine what operational, current and future risks the CCG is subjecting itself to in carrying out its strategic plan. 6.2 The Audit Committee 6.2.1 The Audit Committee is a formal committee of the F&W CCG Governing Body and is responsible for providing assurance to the Governing Body that its systems of governance, risk management and internal control for the CCG Corporate & Commissioned activities are effective and are being maintained across the organisation. The Committee reports formally to the F&W CCG Governing Body following each of its meetings. 6.2.2 The Audit Committee is also responsible for:- Reviewing the effectiveness of F&W CCG s internal controls, assurance framework, integrated governance and risk management systems. Reviewing the adequacy of all risk and control related disclosure statements (in particular the Annual Governance Statement), together with any reports from internal or external audit or other appropriate independent assurances, before making recommendations to the CCG Governing Body. Reviewing the underlying assurance processes that indicate the degree of the achievement of Strategic Objectives, the effectiveness of the management of principal risks and the appropriateness of disclosure statements. Reviewing compliance with relevant regulatory, legal and code of conduct requirements. Submitting minutes to the Governing Body after each meeting. Providing exception reports to the Governing Body, highlighting any key developments /achievements or potential risks/ issues. 6

6.3 The Finance and Performance Committee 6.3.1 The Finance and Performance Committee (FPC) is a formal committee of the F&W CCG Governing Body and is responsible for providing a performance framework which proactively manages the CCG s Financial, Performance and Quality Innovation, Productivity and Prevention (QIPP) agenda and for providing assurance in the delivery of these areas to the Governing Body. This includes assurance on the management of risks identified through the work of the Committee. 6.3.2 The FPC is responsible for ensuring that, within their area of work, the management arrangements for the CCG are appropriate to discharge the Committee s responsibilities and have oversight of those arrangements, ensuring that they comply with relevant legislation including HR, E&D and H&S requirements, including requirements for risk management. 6.3.3 The FPC oversees the corporate work programmes that support delivery of the Group s commissioning and operational plans including the Group s systems of internal control, including its processes for managing risk. 6.3.4 The FPC is responsible for submitting minutes to the Governing Body after each meeting and providing exception reports to the Governing Body, highlighting any key developments /achievements or potential risks/ issues. 6.4 The Clinical Commissioning Committee 6.4.1 The Clinical Commissioning Committee (CCC) is a formal committee of the F&W CCG Governing Body and is responsible for providing assurance to the Governing Body that the CCG is commissioning and decommissioning services in line with the needs of the local population and the strategic objectives of the CCG. The CCC is responsible for providing assurance to the Governing Body that the CCG s commissioning plans are being delivered and that risks associated with delivery are being mitigated. 6.4.2 The CCC is responsible for ensuring that, within their area of work, the management arrangements for the CCG are appropriate to discharge the Committee s responsibilities and have oversight of those arrangements, ensuring that they comply with relevant legislation including HR, E&D and H&S requirements, including requirements for risk management. 6.4.3 The CCC is responsible for ensuring that the commissioning decisions taken by the CCG are legally sound and consistent with national procurement guidance and that arrangements are put in place to mitigate the risk of challenge. 6.4.4 The CCC is responsible for submitting minutes to the Governing Body after each meeting and providing exception reports to the Governing Body, highlighting any key developments /achievements or potential risks/ issues. 6.5 The Quality Improvement, Governance & Engagement Committee 6.5.1 The Quality Improvement, Governance & Engagement Committee (QIGEC) is a formal committee of the F&W CCG Governing Body and is responsible for assuring the Governing Body of the quality and the safety of the services that it commissions and for ensuring that early warning systems are in place to identify and respond to concerns relating to the quality and safety of services. 6.5.2 The QIGEC is responsible for assuring the CCG s Governing Body that CCG corporate governance arrangements are robust (e.g. regarding risk identification and risk management; FOIs; statutory Health and Safety responsibilities; Annual Report). 7

6.5.3 Oversee and provide assurance that effective risk management arrangements are in place for clinical governance and for managing clinical quality, medicines management, the safeguarding of vulnerable adults and children, complaints, claims and incidents and for the sharing of lessons learned. 6.5.4 The QIGEC is responsible for proposing and have operational oversight of the CCG s risk management strategy; considering the risks facing the group and identifying those risks which are strategically significant for inclusion in the CCG s Governing Body Assurance Framework. It will also recommend, where appropriate, shared arrangements to mitigate financial and clinical risk and provide assurances to the Governing Body and Audit committee on the controls that are in place to manage risk. 6.5.5 The QIGEC receives and approves corporate governance policies on behalf of the Governing Body in line with the Corporate Governance Framework. 6.5.6 The QIGEC is responsible for overseeing exceptions and assurance received from reporting groups. 6.5.7 The QIGEC is responsible for submitting minutes to the Governing Body after each meeting. 6.6 The Assurance Group 6.6.1 The Assurance Group (AG) is accountable to the Quality Improvement, Governance & Engagement Committee and its purpose is to assure the QIGEC Committee that there are effective governance systems operating within the CCG which identify and accurately record risks to the CCG fulfilling its responsibilities, the mitigating controls and progress with on-going actions. 6.6.2 The AG is also responsible for: Critically reviewing the CCG s risk assessments for entry onto the risk register and the risks which escalate to the Assurance Framework; Ensuring that all business (clinical commissioning, finance, and governance) and health and safety-related risks are described and risk-scored accurately; that identified controls are effective and that risk owners are making progress with actions to deliver greater control and assurance; Escalating to the relevant Committee, any concerns regarding the CCG s effective management of risks, whether they be clinical commissioning, financial, health and safety, governance or corporate in nature; Providing the CCG forum for raising, recording, addressing, communicating and reporting assurance to the Quality Improvement, Governance & Engagement Committee regarding Health and Safety, fire, security and welfare issues and actions and ensuring that effective arrangements are operating to engage with regulators and enforcement bodies on matters concerning health and safety, security and fire; Reviewing incidents and incident trends for incidents reported to and recorded by the CCG, ensuring in addition that anything which needs to be implemented in the CCG as a result of learning from within the work of the group is communicated promptly; Reviewing the CCG list of policies and procedures and overseeing the prioritisation for their review; Maintaining a strong relationship and clear communication with the CCG s CSU services as they relate to supporting the group s work on CCG assurance; 8

Submitting minutes to the Quality Improvement, Governance & Engagement Committee after each meeting. 6.7 The Primary Care Co-Commissioning Group 6.7.1 The Committee is established as a committee of the Governing Body of the CCG in accordance with Schedule 1A of the NHS Act (2006 (as amended). The purpose of the Committee is to enable members to make collective decisions on the review, planning and procurement of primary care services in Fylde and Wyre under delegated authority from NHS England. The Committee will: Provide a forum, with delegated decision making powers, for approval of commissioning intentions where the recommended providers are GP practices. Provide assurance to the Governing Body, Audit Committee, NHS England and general public that the CCG has the necessary governance arrangements in place to manage conflict of interest in regard to the procurement of services provided by GP practices. Facilitate a culture of openness and probity around the local commissioning of GP services. Demonstrate that the CCG and member practices are acting fairly and transparently and that final commissioning decisions are made in ways that preserve the integrity of the decision making process. Agree a strategy in relation to the CCG s assistance to NHS England in determining the commissioning of dental, eye health, community pharmacy and public health services. 6.8 Within the structure of the Executive Management Team (EMT) the following individuals have responsibilities within this framework. The EMT will review the updated Risk Register and Governing Assurance Framework every 4 months (three times per year). 6.9 The Clinical Chief Officer (Accountable Officer) 6.9.1 The Clinical Chief Officer is responsible for working with the CCG Governing Body to ensure that effective systems of governance and internal control exist within Fylde & Wyre CCG. This includes obtaining assurance that effective risk management systems are implemented throughout the organisation and that processes are effective for generating assurance on the effectiveness of risk management and internal control. 6.9.3 The Clinical Chief Officer also has responsibility for approving a comprehensive system of internal control and arrangements for risk sharing or risk pooling with other organisations. 6.10 The Chief Operating Officer 6.10.1 The Chief Operating Officer is responsible for the corporate management of the organisation and for ensuring the operational implementation of the Risk Management Framework. 9

6.11 The Chief Finance Officer 6.11.1 The Chief Finance Officer is responsible for advising the CCG and Governing Body on appropriate systems of governance for the CCG, including its arrangements for risk management. 6.12 The Chief Nurse 6.12.1 The Chief Nurse is responsible for clinical governance, incorporating clinical risk management and the Integrated Risk Management Framework. The Chief Nurse also has responsibility for workforce strategy, policies & procedures. 6.12.2 The Chief Nurse has responsibility for managing the Quality and Governance Team, who take the lead in the implementation, maintenance and development of robust arrangements for governance, including all aspects of risk management. 6.13 The Quality and Governance Team 6.13.1 The Quality and Governance Team has responsibility for: Ensuring that the Governing Body Assurance Framework and Corporate risk register are developed, maintained and reviewed regularly by the Assurance Group and relevant Committees of the Governing Body, in liaison with the Midlands and Lancashire Commissioning Support Unit (MLCSU); Acting as a central reference point for risk management; Engaging with staff to ensure risk management processes are implemented operationally; Working collaboratively with Internal Audit as required. Ensuring risk of a strategic nature are highlighted to the Governing Body secretariat. 6.14 Managers 6.14.1 Managers are responsible for ensuring the implementation of the Risk Management Framework within their own areas of control by: Demonstrating personal involvement and support for the promotion of risk management Ensuring that staff accountable to them understand and pursue risk management in their areas of responsibility; Ensuring that Contractors, locum staff and agency workers are informed of their responsibilities for risk management and their responsibilities under all relevant CCG Policies; Ensuring risks are identified, documented within a risk assessment and managed and mitigating actions implemented in functions for which they are accountable. Ensuring action plans for risks relating to their respective areas are prepared and reviewed on a regular basis. Ensuring risks are escalated to the Quality & Governance team where they are of a strategic nature and, where the risk is of a strategy nature, the team will ensure they are reported to the Governing Body secretariat. 10

6.15 Staff 6.15.1 All staff working for and with the CCG are responsible for: Being aware that they have a duty under legislation to take reasonable care of their own safety and the safety of others who may be affected by the CCG s business and to comply with appropriate organisational rules, regulations, instructions, policies, procedures and guidelines; Taking action to protect themselves and others from risks; Identifying and reporting risks to their line manager using the F&W CCG s risk processes and documentation Ensuring incidents and complaints are reported using the appropriate procedures and channels of communication; Co-operating with others in the management of risks; Attending mandatory and statutory training as determined by F&W CCG or their Line Manager/employer; Being aware of and complying with F&W CCG s Risk Management Policies, including for emergency procedures. 6.16 Contractors, Agency and Locum Staff 6.16.1 Staff employed or contracted by the F&W CCG will be given appropriate induction and are responsible for: Taking action to protect themselves and others from risks; Reporting risks which they are facing to their line manager or nominated CCG contact, to ensure that F&W CCG can implement appropriate protective action; Reporting incidents and complaints using the agreed processes; Co-operating with others in the management of risks; Complying with all F&W CCG Risk Management Policies. 7. RISK MANAGEMENT FRAMEWORK 7.1 Introduction 7.1.1 F&W CCG recognises the importance of integrated risk management in maintaining effective corporate governance, high standards of quality and patient safety. The framework for managing risk ensures that risks can be identified, assessed and evaluated and that risk management principles and activities are applied consistently throughout the organisation. The framework ensures that the level of risk can be established and decisions taken on the best methods for mitigating, managing or eliminating them. The framework is supported by clear accountabilities and reporting lines to establish assurance on the effectiveness of risk management throughout F&W CCG. 11

7.2 Systems for Managing Risk 7.2.1 Corporate Risk Register (CRR) 7.2.1.1 Upon identification of a risk a Risk Assessment form will be completed. All Risks assessed in the CCG are held on the CRR and a risk owner is assigned. The management of the identified risks is monitored by the Assurance Group bi-monthly and reports to the QIGEC. 7.2.1.2 Risk owners are responsible for ensuring that their risks are under review at appropriate intervals and the risk register is updated under the co-ordination of CSU Governance & Risk team at the agreed frequency, through meeting/correspondence with the risk owner at appropriate intervals. 7.2.1.3 Risks on the CRR which may prevent strategic objectives from being achieved are also included in the GBAF. This includes all risks rated as High (risk score 15 and above) and Medium (risk scores of 9-12). 7.2.1.4 The Audit Committee will provide expertise in determining whether the management of risks is satisfactory and provide assurance to the Governing Body. 7.2.2 Local Risks 7.2.2.1 Risks identified locally, and which rate as Low or Very Low are accepted by the CCG and are managed by the relevant manager. These risks remain identified on the risk register are they are not routinely monitored. 7.2.2.2 Managers are responsible for keeping such risks under review and for submitting risk assessments to the Quality and Governance Team if the level of risk increases above a Low rating. 7.2.2.3 Risk relating to specific commissioning projects are recorded separately in line with the Risk Management Framework of the CCG. The CSU Governance & Risk team and the CCG project office will liaise to ensure that all risks identified which will impact on the achievement of the CCG strategic objectives are escalated to the Corporate Risk Register. 7.2.3 Governing Body Assurance Framework (GBAF) 7.2.3.1 The GBAF identifies the strategic objectives of F&W CCG and the risks that could threaten their achievement. The GBAF is informed by the corporate risk register and describes the risk and the risk level and sets out the controls which the responsible CCG risk owner has or will put in place to mitigate the risk, together with sources of assurance which will inform the CCG Governing Body as to the effectiveness of such controls. 7.2.3.2 The GBAF identifies the target risk the level of risk which is expected to be achieved once implementation of the proposed controls is complete. This is the projected residual risk. The GBAF additionally records any areas in which the controls or sources of assurance require improvement and sets out the actions necessary to secure improvement. 7.2.3.3 When assessing the adequacy of controls, consideration must be given not only to the design but also the likelihood of their being effective, given the governance and risk management framework within which they will actually operate. In determining reasonable assurance, a balance needs to be struck between the likelihood of a risk 12

occurring and the severity of the consequences should it do so, against the cost of managing it within available resources. This will give the Governing Body an overall assurance level for each of the CCGs strategic objectives. The Annual Governance Statement (AGS) requirement is that each Governing Body understands the links in the organisation s particular assurance chain and for the Governing Body to continuously challenge, support and monitor the effectiveness of its internal control. 7.2.3.4 To make a balanced, fully informed AGS, the Governing Body need to demonstrate that they have been able to identify their objectives and manage the principal risks to achieving them. It is necessary for the Governing Body to determine the level of assurance required to manage their principal risks and take stock of the various forms of assurance available to them. 7.2.3.5 The GAF is reviewed by the F&W CCG Governing Body three times per year. 7.3 Risk Management Process 7.3.1 Risk Identification Risks are identified proactively from project planning activities, objectives, and working environments and reactively from incidents, complaints, claims and performance information. 7.3.2 Risk Assessment 7.3.2.1 Once identified, risks are assessed in order that their nature and impact can be understood. Account needs to be taken of the conditions under which the risk might be realised and the likelihood and frequency of those conditions arising. The impact of the risk being realised should be considered, in terms of a whether this is confined for example to one project, or whether it impacts across the whole CCG. 7.3.3 Risk Evaluation 7.3.3.1 In order to evaluate each risk, the likelihood of it occurring and the potential consequence if it did occur is measured on a numerical scale. This is achieved by using the risk assessment matrix found at Appendix 2. 7.3.3.2 Scores are noted for both likelihood and consequence and the risk rating is determined by multiplying the two scores together to give a numerical value. The level of risk is determined by this value from the final table within the matrix.. 7.3.4 Recording Risk Assessments 7.3.4.1 Risks assessments are recorded on the FW CCG Risk Assessment form (included at Appendix 3) 7.3.4.2 Actions identified to minimise a potential risk must be recorded and include a time scale for expected completion. 7.3.4.3 Risks will be allocated to a CCG Officer the Risk Owner. They are responsible for providing regular updates of the action they are taking to manage the risk and the actions taken to mitigate it (see section 7.1.2). 13

8. RISK MANAGEMENT TRAINING AND INFORMATION 8.1 Training on all aspects of risk management is provided through one to one and formal group training sessions, delivered by relevant staff. This framework and other CCG policies dealing with specific areas of risk management are disseminated via line management and can also be accessed via the CCG website. 9. MONITORING THE EFFECTIVENESS OF THE FRAMEWORK 9.1 The CCG monitors and reviews its performance in relation to the management of risk, and the continuing suitability and effectiveness of the systems and processes in place to manage risk through a programme of internal and external audit work, and through the oversight of the Audit Committee, Finance & Performance Committee, Quality Improvement and Governance Committee, and the Assurance Group and Executive Management Team. 10. CONSULTATION AND COMMUNICATION WITH STAKEHOLDERS 10.1 Systems of communication with external stakeholders are in place to contribute to the minimisation of reputational risk to the organisation. These include a public website, public meetings of the Governing Body and the Annual General Meeting of the F&W CCG, together with patient engagement activities and consultation. 11. REVIEW AND REVISION OF THE FRAMEWORK 11.1 This Risk Management Framework will be reviewed by 1 April 2017. 12. EQUALITY AND DIVERSITY STATEMENT 12.1 The F&W CCG aims to design and implement services, policies and measures that meet the diverse needs of our population and workforce, ensuring that none are placed at a disadvantage over others. All policies and procedures should be developed in line with the CCG s Equality and Diversity policies and should to take into account the diverse needs of the community that is served. An Equality Impact Assessment has been completed by the CCG and a further assessment will be undertaken as part of any subsequent policy reviews. 14

13. APPENDICES TO THE POLICY APPENDIX 1 FYLDE & WYRE CCG ASSURANCE PROCESS APPENDIX 2 FYLDE & WYRE CCG GOVERNING BODY REPORTING STRUCTURE APPENDIX 3 FYLDE & WYRE CCG RISK ASSESSMENT FORM APPENDIX 4 RISK ASSESSMENT MATRIX APPENDIX 5 VERSION CONTROL TRACKER 15

Appendix 1 Fylde & Wyre Clinical Commissioning Group Governing Body Reporting Structure Council of Members Fylde and Wyre CCG Governing Body 19 Practice Clinical Leads Clinical Chief Officer Chief Finance Officer Chief Operating Officer Chief Nursing Officer Chair 8 GP Leads Secondary Care Consultant Clinical Chief Officer (AO) Chief Nursing Officer Chief Operating Officer Chief Finance Officer 2 x Lay Members Primary Care Commissioning Committee Audit Committee Remuneration Committee Finance & Performance Committee Quality Improvement, Governance & Engagement Committee Clinical Commissioning Committee 15

Appendix 2 Fylde & Wyre Clinical Commissioning Group Structure for Monitoring & Reporting the Risk Assurance Process RISK REGISTER REVIEW With Risk Owners (6 times per year) EXECUTIVE MANAGEMENT TEAM Risk Register ASSURANCE GROUP Risk Register & Assurance Framework QUALITY IMPROVEMENT, GOVERNANCE & ENGAGEMENT COMMITTEE GOVERNING BODY ASSURANCE FRAMEWORK (3 times per year) AUDIT COMMITTEE Risk Register & Assurance Framework (3 times per year) GOVERNING BODY MEETING GOVERNING BODY ASSURANCE FRAMEWORK (3 times per year) 17

Appendix 3 GENERAL RISK ASSESSMENT FORM Department Assessor Contact Tel Assessor Name Contact email Brief Description/Background (e.g. risk of non-achievement of standard, with relevant history/circumstances leading to recognition of risk) Persons Affected (i.e. Staff, Customers, General Public, Contractors) Risk Description Accurate description of risk (please limit to 250 words) i.e Failure to:. Connected to Strategic Objective No(s) Please tick those that apply Initial risk rating Rating at the time of the assessment Risk Rating=Likelihood X Consequence Controls in place at time of risk assessment Measures in place which are reducing the impact of the risk or are preventing the risk being realised Impact of Controls Make the best use of Resources Commission high quality, safe and cost effective services which reduce health inequalities and improve access to healthcare Develop & Maintain an effective organisation Effectively engage patients and the public in decision making Develop excellent working partnerships which lead to improved health outcomes Likelihood score: Consequence Initial Risk Rating: score: 18

Gaps/weaknesses in controls Any area where controls have not been completely implemented or are failing to mitigate the risk Current risk rating Rating taking into account the current controls in place. Rating=Likelihood X Consequence Action Plan List the actions which need to be taken to mitigate or control the risk Likelihood score: Consequence score: Current Risk Rating: Target Risk Rating Predicted rating once all planned actions have been taken Target completion date for actions to be implemented Responsible Person Person who is responsible for ensuring that the planned actions are taken Risk Owner (Senior Manager) Likelihood score: Name: Job Title: Contact Tel No: Consequence score: Target Risk Rating: Executive Lead (i.e. Chief Finance Officer etc.) Assurance CSU Group/Committee who will monitor that the risk is being managed effectively Gaps in Assurance Resource Requirements (Staffing/Costs etc.) Review Date (Risks rating 15 must be reviewed every month) Please return completed RA Form to: Nick.Medway@fyldeandwyreccg.nhs.uk For completion by Risk Manager Date Risk Assessment Received: Risk Register Reference Number: Agreed for Yes/No AF? Agreed for Yes/No CRR? Date next update is required Date Input For any assistance in the completion of this form please contact ELIZABETH DALTON - M&LCSU Corporate Governance & Risk Manager at elizabethdalton@nhs.net or NICK MEDWAY F&W CCG Practice Engagement, Quality & Governance Manager on 01253 306447 19

Consequence Incident and Risk Assessment Matrix March 2016 Appendix 4 Step 1 Consequence Scoring Staff / Patient Safety (physical / psychological) Complaints Human Resources Organisational Development Statutory duty / inspections Adverse Publicity / Reputation Business objectives Projects Financial/ Claims Service Interruption Step 2 Likelihood Scoring Consequence Score 1 - Negligible 2 - Minor 3 - Moderate 4 - Major 5 - Catastrophic Minimal injury requiring no/minimal intervention. No time off work. Informal complaint/ enquiry Short term low staffing level that temporarily reduces service quality (<1 day) No or minimal impact on breach of guidance. Rumours Potential for public concern Insignificant cost, increase in schedule slippage Small loss - risk of claim remote Loss / interruption of <1 hour. Minimal or no impact on the environment. How likely is this to happen, taking into account the controls already in place to prevent or mitigate the harm? Minor injury or illness. Time off work for >3 days. Increase in length of hospital stay by 1-3 days Formal complaint - local resolution Low staffing level that reduces service quality Breech of statutory legislation. Reduced performance. Local media coverage Elements of public expectation not being met <5% over budget, schedule slippage Loss of 0.1-0.25% of budget Claim less than 10,000 Loss / interruption of <8 hours. Minor impact on the environment. Injury requiring professional intervention. Time off work 1-4 days. RIDDOR reportable. Increase in hospital stay 4-15 days. Formal complaint Ombudsman intervention / investigation Unsafe staffing level. Late delivery of key service due to lack of staff Single breach in statutory duty. Local media coverage long term reduction in public confidence 5-10% over budget, schedule slippage Loss of 0.25-0.5% of budget Claims between 10,000 and 100,000 Loss / interruption of <1 day. Moderate impact on the environment. Step 3 Establishing Overall Score and Rating Major injury leading to long term disability. Time off work >14 days. Increase in hospital stay >15 days. Mismanagement of patient care. Non-compliance of national standards Unsafe staffing level (>5 days). Loss of key staff. Uncertain delivery of key service. Multiple breaches in statutory duty, critical report, low performance National media coverage with <3 days service well below public expectation 10-25% over budget, schedule slippage, key objectives not met Loss of 0.5-1% of budget Claims between 100,000 and 1 million Loss / interruption >1 week. Major impact on the environment. Incident leading to death. Multiple permanent injuries or irreversible health effects. Impact on a large number of patients Unacceptable level of quality / treatment Ongoing unsafe staffing levels. Loss of several key staff. Non delivery of key service. Multiple breaches in statutory duty. Prosecution. Zero performance rating. National media coverage. MP concerned. Total loss of public confidence. >25% over budget, schedule slippage, key objectives not met Loss of >1% of budget Claims > 1 million Loss of contract Permanent loss of service. Catastrophic impact on the environment. Using the appropriate score for Consequence, and the appropriate score for Likelihood, follow the table below to obtain the overall Incident / Risk severity rating. Likelihood Frequency Likelihood Score 1 Rare 2 Unlikely 3 Possible 4 Likely 5 Almost Certain Not expected to <1% - Will only occur in 1 Rare occur for years exceptional circumstances 5 Catastrophic 5 (Low) 10 (Medium) 15 (High) 20 (High) 25 (High) Occur at least annually Occur at least monthly Occur at least weekly Occur at least daily 1-5% - Unlikely to occur 2 Unlikely 6-20% - Reasonable chance of occurring 3 Possible 21-50% - Likely to occur 4 Likely >50% - More likely to occur than not 5 Almost Certain 4 Major 4 (Low) 8 (Medium) 12 (Medium) 16 (High) 20 (High) 3 Moderate 3 V (Low) 6 (Low) 9 (Medium) 12 (Medium) 15 (High) 2 Minor 2 (V Low) 4 (Low) 6 (Low) 8 (Medium) 10 (Medium) 1 Negligible 1 (V Low) 2 (V Low) 3 (V Low) 4 (Low) 5 (Low) Step 4 Risk Appetite - Risk Responsibility Level / Remedial Action/ Acceptance High 15-25 Medium 8-12 Low 4-6 Very Low 1-3 Example Level/ acceptance/ action required To be resolved or accepted at CCG Level. Divisional/ senior management action plan Needs to be resolved or accepted at Departmental level. Divisional/ Senior Management action plan Needs to be resolved or accepted at Departmental level. Department / Develop Action Plan Acceptance Senior Manager Unlikely to cause problems. Department / Risk Local Team Meeting Acceptable Timescale Immed. Action Plan Immediate - implementation Immediate action plan implementation 3 months Department/ 6months Issue - Low staffing level that reduces service quality Category - Human Resources Manage by routine procedures no additional cost 12 months / none Step 1 Consequence Scoring Consequence - Low staffing level that reduces service quality Consequence score 2 - Minor Step 2 Likelihood Scoring Likelihood Occurs at least monthly Likelihood score 3 Possible Step 3 - Establish Overall Score and Rating Consequence 2 x Likelihood 3 = 6 (Low) Overall Severity Rating 6 ( Low). 20 Min. Review Minimum monthly Monthly 3-6 months 6 months

Appendix 5 Version Control Tracker Version Number Date Author Title Status Comment/Reason for Issue/Approving Body 1.0 May 2014 Head of Quality Draft Draft document for Governing Body Approval 1.1 20 May 2014 Head of Quality Approved Document approved by Governing Body 1.2 5 Sept 2014 CSU Corporate Governance Manager Draft Page 1: Change to note that risks are now reviewed direct with risk owners rather than via team brief Appendix 1 Page 15: Change to structure chart to note that risk are now reviewed direct with risk owners rather than via team brief Addition of Appendix 4 Version Control Tracker 1.3 11 Aug 2015 CSU Corporate Governance Manager Draft Review of documentation to align with changes in CCG structure. 1.4 5 April 2016 CSU Corporate Governance Manager Draft Revised Risk Assessment Matrix & Risk Assessment Form. Equality & Inclusion Assessment Completed & Submitted to CSU E&I Team. 1.5 20 June 2016 CSU Corporate Governance Manager Draft Addition of annual workshop to review CCG Risk Register and Assurance Framework. 21