Risk management strategy 2016 2018...2017/01/03  · Risk management strategy 2016-2018 Version: 3.0...


Risk management strategy 2016-2018

Version: 3.0

Name of approving committee: CCG Board

Audit Committee

Operational date: 01 April 2016

Document review date: March 2018

Document sponsor: Tracey Cox

Chief Officer

Document manager: Julie-Anne Wales

Head of Corporate Governance and Planning


Risk management strategy Page 2 of 23

Table of Contents

Page

0 Document Information 2

1 Introduction 3

2 Risk management overview 3

3 Strategic objectives and risk management objectives 4

4 Risk management framework 5

4.1 Risk management approach 5

4.2 Roles and responsibilities 6

4.3 Risk management process 6

4.4 Risk appetite 10

4.5 Risk reporting and escalation 12

5 Training 13

6 Communication and consultation 13

7 Equality, diversity and the Mental Capacity Act 13

8 Strategy review and monitoring compliance 13

9 Associated documentation 14

10 References and other source documents 14

Appendix A: BaNES CCG risk management responsibilities 15

Appendix B: Risk scoring and rating matrices 19

0. Document information

Revision History

Revision    Date    Document version    Summary of Changes    Changes made by

Approvals

This document requires the following approvals

Name               Job Title    Date of Issue    Version
Audit Committee    N/A          12 Oct 2016      v2.0
CCG Board          N/A          12 Jan 2017      v3.0


1. Introduction

As Bath and North East Somerset Clinical Commissioning Group (BaNES CCG), we have a statutory responsibility to patients, staff and the public to ensure that we have effective processes, policies and people in place to deliver our objectives and to control any risks that we face in achieving them.

The BaNES CCG Board recognises that sound risk management is essential for meeting objectives and identifying and managing future opportunities. The Board ensures risk management forms a fundamental element of our business rather than a separate programme, and is committed to ensuring that risk management is embedded throughout our organisation and is part of our everyday practice.

This risk management strategy has been updated from the 2013 to 2015 strategy and aims to deliver a pragmatic and effective multidisciplinary approach to risk management, which is underpinned by a clear accountability structure within BaNES CCG. The purpose of this document is to set out the overall aims, objectives and process for risk management within our organisation.

2. Risk management overview

Risk refers to uncertainty, the possibility of incurring misfortune or loss or missing opportunities. This is measured in terms of the likelihood of something happening and the impact of the possible consequences. In the CCG, we view a risk to be anything which has the potential to damage or threaten our achievement of the organisation’s objectives.

For the purposes of this strategy:

• Clinical risk is any issue that may have an impact on the provision of high quality, safe and effective clinical care for patients;
• Organisational risk is any issue that may have an impact on organisational objectives, continuity or the organisation’s reputation;
• Financial risk is any issue that may have an impact on financial objectives or arrangements.

Our task is to effectively identify, analyse and respond to such risks in order to maximise the likelihood of achieving our purposes and also ensuring the best use of our resources.

We acknowledge that within healthcare some exposure to risks or risk taking will be necessary, fundamental and tolerated. However, we will only do this under a clear risk management methodology that enables us to understand:

• risk at all levels within the organisation to facilitate identification, recording and management;
• consistent risk measurement so that risk priorities can be identified through a combination of impact and likelihood;
• the type of risk and level of risk exposure that can be tolerated by the organisation in going about its activities;
• mitigation and control that is proportionate to the level of risk;
• the appropriate mechanisms to ensure that risks can be escalated to a level of management that can effectively respond to them;
• the on-going monitoring of the effectiveness of mitigation and control; and
• the provision of assurance to responsible committees.

3. Strategic objectives and risk management objectives

This strategy is based on risk management objectives that support the strategic objectives of the CCG. The risk management objectives are delivered through a set of principles shown in the diagram below.


4. Risk management framework

The following elements make up the Risk management strategy and these will be discussed in turn:

4.1 Risk management approach

Our approach to risk management encompasses the breadth of the organisation by considering financial, organisational, reputational and project risks, both clinical and non-clinical and for all parts of the organisation.

Our risk management approach comprises a number of elements which will help us manage our risks:


4.2 Roles and responsibilities

The roles and responsibilities of key individuals and committees, including accountability levels with regard to risk management, are shown in Appendix A. A detailed account of individual and committee responsibilities is provided in job descriptions and committee terms of reference.

4.3 Risk management process

Everyone is encouraged to contribute to the management of risk and all staff have a responsibility to engage with the risk management process. The risk management process is a continual cycle, taking a systematic approach to all risks, as illustrated below:

4.3.1 Risk identification

Risk identification establishes the organisation’s exposure to risk and uncertainty. There is no one correct way to identify risks and, in practice, the use of multiple methods by different staff groups is more successful. All staff are responsible for identifying risks and ways in which they can do this include:


• Adverse event report, including trends and data analysis - All staff are required to report incidents and near misses using the Datix system or subsequent arrangements. Line managers and service managers use these reports to identify risks and take immediate and/or planned risk management action. Risks may also be included on the risk register.

• Serious Incidents Requiring Investigation (SIRI) - We receive reports regarding the most serious incidents that occur in provider services in accordance with the national framework. The reports investigate the incident to identify contributory factors and root causes where risk treatment will be instigated to prevent future occurrence. We are responsible for considering and closing these incidents and for monitoring the risk treatment as appropriate. Serious Untoward Incident (SUI) data and reports are an important source of information for the commissioning process. Provider SUIs are considered at the Serious Incident, Complaints and Safeguarding Committee which reports into the Quality Committee. We and primary care providers may be involved in SIs.

• Claims and complaints data – We may identify risks by analysing any trends from claims and complaints and by looking at the particulars of each. Complaints data is considered at the Serious Incident, Complaints and Safeguarding Committee which reports into the Quality Committee.

• Business decision making and project planning - Risk identification is an essential part of business planning and project planning to identify those risks that could impact on achievement of objectives and risks that would be present if objectives are not achieved.

• Strategy and policy development analysis - Developments in strategy and policy can and do have considerable impact on business activities, plans, organisational form and staff. Our senior managers look to their own field and specialism to identify potential risks and opportunities to be added to the risk register and to inform the Board Assurance Framework (BAF).

We are required to maintain a comprehensive BAF. The BAF is a high-level management assessment process and record of the primary risks relating to the delivery of strategic objectives and the strength of internal control to prevent risks occurring. It identifies sources of assurance and evaluates them for suitability. By receiving and reviewing actual assurances and using findings, the adequacy of internal control can be confirmed or modified.

The Board Assurance Framework is regularly reviewed at the Audit Committee and Board and is fully updated annually in line with strategic objectives.

• External/Internal audit findings - By commissioning internal and external audit, issues of control may come to light.

4.3.2 Risk recording

There is a corporate risk register which is a record that aims to illustrate the complete risk profile of the CCG by reflecting the extent to which our objectives are threatened by the uncertainty that risk presents. The risk register is owned by the Chief Officer and is held centrally by the Head of Programme Management Office (PMO) and updated by senior managers regularly (see risk assessment). Any new risks that are identified need to be approved for inclusion on the risk register by the CCG Executive team. New risks are collated by the Head of PMO for this purpose.

The format and process of our risk registers have been approved by the Board and, at a minimum, would include the following:

• Description of the risk
• Initial risk score (likelihood & impact)
• Summary risk treatment plan
• Progress
• Date of review
• Current risk rating
• Target risk rating
• Who owns and manages the risk

A risk register is not a static record but should be viewed as an action plan giving details of current controls and auditable actions for risk treatment.

4.3.3 Risk assessment and scoring

Once risks are identified, further evaluation is required to establish the exposure of the organisation or service to risk and uncertainty. This assessment is used to rate the significance of the risk and to determine the treatment of the risk. We use a locally modified form of the former National Patient Safety Agency (now part of NHS England) 5 by 5 likelihood and impact matrix to assign a risk score.

In all cases it is important to set the risk into context for evaluation. Unfortunately, some types of incident are more commonplace than others and may be linked to a particular service or client group. This does not mean that some incidents should be tolerated but it could mean that risk treatment may take a different form.

It is also important to consider how the identified risk may impact on other tasks, functions or services. The risk itself may be of low significance but dependencies may raise the profile of the risk.

In order to assess a risk, we ask how likely it is to occur and what the impact would generally be if it occurs, using a scale of 1 to 5 (see matrix below). The likelihood and impact scores are then multiplied to determine the level of risk severity, which is then used to classify or prioritise the risk.


Risk Matrix (likelihood x impact)

                          Likelihood of occurrence
Impact                    1 Rare   2 Unlikely   3 Possible   4 Likely   5 Very likely
5 Critical                   5        10           15           20           25
4 Major                      4         8           12           16           20
3 Moderate                   3         6            9           12           15
2 Minor                      2         4            6            8           10
1 Negligible                 1         2            3            4            5

Risk rating       1-6        8-10            12          15-25
Classification    Low risk   Moderate risk   High risk   Critical risk

This process is used for all types of risk, including clinical, non-clinical, strategic, financial, operational, information governance etc. Further description to aid with the assessment of risks within these specific areas can be found at Appendix B.

4.3.4 Risk planning

Following the completion of the risk assessment, we must consider the existing controls and processes that are already in place that under normal circumstances would prevent, mitigate or control the risk. Consideration must then be given to whether the risk requires further management actions that ideally would minimise the likelihood and/or impact of the risk. The senior managers who are risk managers are responsible for the action planning against each identified risk. Controls and action plans are recorded on the risk register.

It is not always possible to identify and then fully implement actions that eliminate or minimise a risk. Where this is the case, it is essential that the significance of the risk that remains is understood and that the organisation, in accordance with the risk management governance, confirms it is prepared to accept that level of risk. This is known as the residual risk – this is recorded as the target risk on the risk register.

4.3.5 Risk monitoring and review

The implementation of the action plan and the level of risk must be kept under review. Reviews will take place as set out in the roles and responsibilities (Appendix A) and in the ‘delegation and authority’ section of the risk appetite statement below.

Where the implementation of action plans is not producing the anticipated results, the risk should be reassessed and a revised action plan agreed as necessary. Once all possible actions have been completed or the event has passed, the risk should be closed and moved to the closed risk register for audit purposes.


4.4 RISK APPETITE

4.4.1 Definition

An organisation’s risk appetite defines the amount of risk that it is prepared to accept, tolerate or be exposed to at any point in time. An organisation’s risk appetite should consider different dimensions of how a risk can materialise and how much exposure they are willing to accept for the different types of risk. We have set out our risk appetite in a statement which is part of this risk management strategy.

4.4.2 Risk appetite statement

Introduction

The Board acknowledges that risk is a component of change and improvement and therefore does not expect the absence of risk or consider this as a necessarily positive position. As such it recognises that risks present both challenges and opportunities and should not be considered solely in terms of their potential financial consequences.

Our risk appetite statement helps our staff and our stakeholders understand the level of risk that we are prepared to accept across the CCG. It describes the levels of risk we are prepared to tolerate and how they will be treated and by whom.

Risk treatment

We require all staff to take responsibility for the treatment of identified risks. Identifying and reporting a risk does not end the responsibility of the individual staff member. We expect all reported and registered risks to be managed using the following risk treatment options:

• TREAT: implementing controls and action plans to contain, minimise or mitigate
• TERMINATE: removing the risk completely
• TRANSFER: transferring the uncertainty of the risk (for example by insurance)
• TOLERATE: making a decision to tolerate the risk in line with this risk appetite statement.

We believe that the majority of our risks will need to have controls implemented to reduce the likelihood or severity of the risk. Existing control mechanisms/activities and the level of confidence in these existing controls must be considered when identifying options for additional control measures.

The cost-effectiveness of the control needs to be considered to ensure that the risk reduction benefits outweigh the cost of the control. We will, where necessary, tolerate overall levels of risk that are classified as high risk (scoring 12 or lower) where actions to mitigate that risk are not cost effective or reasonably practicable.

Risk tolerance

Our risk appetite is mapped in the following table which shows the level of risk we will tolerate against the categories of risk we face across all business areas.


We will not accept levels of risk rated critical (scored 15 or above on the risk matrix) and will ensure that plans are put into place to lower the level of risk whenever a critical risk has been identified. Likewise, we will not tolerate any of the different types of risk at a rating greater than those shown in the table. Plans to reduce the risk to a rating that will be tolerated will be put in place.

Willingness to accept risk

Category of risk                       Classification   Risk rating
Public, patient and staff safety       Low              1-6
Quality/patient experience             Low              1-6
Finance                                Moderate         8-10
Capacity and capability                Moderate         8-10
Business management and reputation     Moderate         8-10
Information governance                 Low              1-6

Delegation and authority

We have clear lines of delegation and authority associated with the treatment of risks for all business areas and these are shown in the table below.

Level: Low risk (1-6)
Authority / Ownership: Individuals
Action: Individuals should manage low risks by maintaining routine procedures and taking proportionate action to implement any additional new control measures to reduce risk where possible. Individuals must escalate higher levels of risk. The CCG Executive team reviews all risks.

Level: Moderate risk (8-10)
Authority / Ownership: Managers
Action: Managers must ensure that an action plan is identified to reduce risk or remove the risk. The risk must be entered on the risk register. Managers must escalate higher levels of risk. The CCG Executive team reviews all risks.

Level: High risk (12)
Authority / Ownership: Senior Managers
Action: Senior Managers must prepare an action plan for high risks. Appropriate management assurance must evidence and control the risk and oversee the action plan to reduce the risk. Senior Managers must consider any developing implications of the risk and report to Directors if appropriate. The risk must be reported on the risk register. The Audit Committee reviews all risks scored 12 and above.

Level: Critical risk (15-25)
Authority / Ownership: Directors
Action: Management action is required to ensure immediate risk treatment, in line with the context of the risk. Action plans must be overseen by a responsible lead, who will ensure that the risk is reported on the Corporate Risk Register or BAF. The risk will be monitored at the Audit Committee. The CCG Board reviews risks scored 15 and above.
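The scoring matrix in section 4.3.3, the appetite table and the delegation and authority table can be exercised together to see how a single risk flows from score to owner. The following Python is an added example written for this page, not a tool of BaNES CCG: the bands, category ceilings, ownership levels and review thresholds are taken from the tables above, and the three sample risks at the bottom are constructed. It also rejects scores such as 7 or 11 that the 5 by 5 matrix can never produce.

```python
"""Risk scoring helper modelled on the 5x5 likelihood x impact matrix,
classification bands, risk appetite table and delegation levels described
in sections 4.3.3 and 4.4 of the strategy. Added illustration only; not a
tool used by BaNES CCG."""

from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}

# Classification bands from the risk matrix (score = likelihood x impact).
# 7, 11, 13 and 14 are not products of two values in 1..5, so they never occur.
BANDS = [(1, 6, "Low risk"), (8, 10, "Moderate risk"),
         (12, 12, "High risk"), (15, 25, "Critical risk")]

# Risk appetite: highest rating tolerated per category (section 4.4.2 table).
APPETITE = {
    "Public, patient and staff safety": 6,
    "Quality/patient experience": 6,
    "Finance": 10,
    "Capacity and capability": 10,
    "Business management and reputation": 10,
    "Information governance": 6,
}

# Delegation and authority table: who owns the action plan at each level.
OWNER = {"Low risk": "Individuals", "Moderate risk": "Managers",
         "High risk": "Senior Managers", "Critical risk": "Directors"}


def is_valid_score(score: int) -> bool:
    """True only for scores that the 5x5 matrix can actually produce."""
    return any(score == l * i for l in LIKELIHOOD for i in IMPACT)


def score_risk(likelihood: int, impact: int) -> int:
    """Multiply the two 1-5 scores; reject values outside the matrix."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be integers from 1 to 5")
    return likelihood * impact


def classify(score: int) -> str:
    """Map a matrix score to its classification band."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} cannot be produced by the 5x5 matrix")


def reviewers(score: int) -> list:
    """Review bodies per the delegation table: the Executive team sees every
    risk, the Audit Committee reviews 12 and above, the Board 15 and above."""
    bodies = ["CCG Executive team"]
    if score >= 12:
        bodies.append("Audit Committee")
    if score >= 15:
        bodies.append("CCG Board")
    return bodies


@dataclass
class Assessment:
    category: str
    likelihood: int
    impact: int
    score: int
    classification: str
    owner: str
    reviewers: list
    within_appetite: bool


def assess(category: str, likelihood: int, impact: int) -> Assessment:
    """Score a risk, classify it, assign ownership and test it against appetite."""
    if category not in APPETITE:
        raise ValueError(f"unknown risk category: {category}")
    score = score_risk(likelihood, impact)
    classification = classify(score)
    return Assessment(
        category, likelihood, impact, score, classification,
        OWNER[classification], reviewers(score),
        # Critical risks (15+) are never accepted; otherwise compare with the category ceiling.
        within_appetite=score < 15 and score <= APPETITE[category],
    )


def register_row(a: Assessment) -> str:
    """One-line summary in the shape a risk register entry would carry."""
    status = ("within appetite" if a.within_appetite
              else "EXCEEDS appetite - treatment plan required")
    return (f"{a.category}: L{a.likelihood} ({LIKELIHOOD[a.likelihood]}) x "
            f"I{a.impact} ({IMPACT[a.impact]}) = {a.score} -> {a.classification}; "
            f"owner: {a.owner}; reviewed by: {', '.join(a.reviewers)}; {status}")


if __name__ == "__main__":
    # Constructed sample risks, not entries from the CCG's own register.
    samples = [("Information governance", 3, 4),           # 12: high, above the IG ceiling of 6
               ("Finance", 2, 4),                           # 8: moderate, within the finance ceiling of 10
               ("Public, patient and staff safety", 4, 5)]  # 20: critical, never accepted
    for category, likelihood, impact in samples:
        print(register_row(assess(category, likelihood, impact)))
```

The appetite check is deliberately two-part: the category ceiling from the table, plus the blanket rule in the statement that nothing scored 15 or above is accepted. Keeping the thresholds as data rather than scattered conditionals means a future change to the appetite table is a one-line edit.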


Review

Our statement of risk appetite is dynamic and represents an iterative process that reflects the challenging environment facing the CCG and the wider NHS. We will review our risk appetite at least biennially.

4.5 RISK REPORTING AND ESCALATION

4.5.1 Risk Reporting

The risk register is the main vehicle for reporting the CCG’s risks and enables the Board and Audit Committee to be assured of the management of risks. Reporting and reviewing of the risk register takes place as set out in the roles and responsibilities shown in Appendix A.

In addition to the risk register, a quarterly report is generated from the Datix system and the CCG Quality Team logs and reports relevant Serious Untoward Incidents (SUIs) using the STEIS system. These incidents are investigated and reported to the Quality Committee in detail for discussion and to the Audit Committee as part of general risk information.

Patient safety incidents reported using the STEIS system or the provider risk management systems are reported automatically (not by the CCG) to the National Reporting and Learning System (NRLS). Learning from CCG and other reports is shared across the organisation and where appropriate with other NHS organisations.

4.5.2 Risk escalation

The diagram below sets out the process for escalating risk.


The treatment of risks will be aligned to the delegation and authority given to individuals as stated in the risk appetite statement.

5. TRAINING

Training to ensure competency at all levels is recognised as one of the most cost effective controls for good risk management. We are committed to providing risk management training periodically for those involved in it, and the reading of this strategy is part of our induction programme for new starters at the CCG.

6. COMMUNICATION AND CONSULTATION

In addition to the regular monitoring, annual review and reports to the Board and its committees, key issues and actions arising from risk management, audit reports and related processes are communicated to staff, patients, public and other relevant stakeholder groups where necessary. If appropriate and/or required these key risk issues and actions can be communicated to external performance management/review bodies.

The Chief Officer makes suitable arrangements to circulate bulletins and alerts, when necessary, to raise awareness of particular risk issues.

This strategy will be made available to contracted bodies.

This strategy is published on the organisation’s website and intranet and staff are also made aware through training sessions and by staff briefing sessions.

7. EQUALITY, DIVERSITY AND MENTAL CAPACITY ACT

No significant equality or diversity issues have been identified as a result of this strategy.

This strategy meets requirements of the Mental Capacity Act 2005.

8. STRATEGY REVIEW AND MONITORING COMPLIANCE

This risk management strategy is a rolling two year document. The strategy will be reviewed by the Audit Committee on at least an annual basis or earlier where there has been a significant change to the CCG or our objectives.

The Audit Committee will approve any changes to the strategy and submit it to the Board for ratification on a biennial basis (or sooner if the Audit Committee recommend changes). The Audit Committee is also responsible for ongoing monitoring of this strategy, to ensure that the framework described is working effectively.

Independent assurance will be gained when required, by means of the Internal Auditors, to assess the operation of the risk management framework of the organisation. Internal Audit support may also be requested to assess specific controls, areas or risks identified through the risk management process.

9. ASSOCIATED DOCUMENTATION

The following policies will help to implement this strategy.

• Health & Safety Policy
• Incident Reporting Policy
• Serious Incidents Policy
• Security Management Policy
• Complaints Policy
• Whistleblowing Policy
• Counter Fraud Policy
• Claims Policy
• Information Governance Policy
• Supporting staff involved in an Incident, Complaint or Claim Policy
• Learning & Development Policy – Training Needs Analysis

10. REFERENCES AND OTHER SOURCE DOCUMENTS

A Risk Matrix for Risk Managers, NPSA, January 2008

Bath and North East Somerset Clinical Commissioning Group Risk Management Strategy 2013 to 2016.

NHS England Risk Management Policy and Process Guide


Appendix A – BaNES CCG risk management responsibilities

CCG Board
• Having overall accountability for the management of governance, risk and assurance, determining the strategic approach to risk and setting the risk appetite for the organisation;
• Ensuring and approving the structure and framework for risk management;
• Considering whether the organisation has implemented an effective system of internal control, including appropriate risk management arrangements, with reference to available assurance;
• Regularly receiving the Board Assurance Framework (BAF) and the Corporate Risk Register which contain the most significant risks that can impact on the achievement of the strategic objectives;
• Receiving and responding to risk assurance reports and issues raised by the Audit Committee in regards to risk, internal control and assurance;
• Ensuring risks are considered and managed whilst discharging specific responsibilities as Board members, e.g. Lay members of the Board have specific responsibilities regarding audit, remuneration, conflict of interest matters and public and patient engagement. The roles of other Board members are given below.

Audit Committee
• Providing assurance to the Board on the effectiveness and adequacy of the processes for managing principal risks and the risk management framework
• Challenging the way in which risk is managed, particularly where there is uncertainty or concerns over the effectiveness of existing arrangements. This could include requesting attendance at meetings for the purpose of providing relevant information for assurance purposes
• Recommending specific risk management issues for investigation
• Receiving issues referred by the Board for scrutiny
• Ensuring that arrangements for risk management are regularly included in the cycle of independent audits
• Being accountable for providing the Board with overall assurances that the management of risk is effective, arranging sub-committees as required
• Overseeing and monitoring governance and performance, including corporate, information, clinical and non-clinical governance and risk management and quality. It will report regularly to the Board on these areas
• Overseeing the operation of the risk management framework to ensure that the organisation is appropriately managing risks, including operating safely and legally and exploiting potential opportunities, providing assurance of its effectiveness to the Board
• Programming work related to external and internal assessments of the organisation’s risk management arrangements, including any assessment by the NHSLA
• Receiving and regularly reviewing the Corporate Risk Register (for risks scored 12 and above) and Board Assurance Framework
• Reviewing the adequacy and effectiveness of policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements and related reporting and self-certification on behalf of the organisation
• Reviewing any serious untoward incidents (SUIs).

CCG Executive Team • Identifying all facets of risk, including operational, clinical, quality, financial and information governance, and providing leadership to deliver a culture of risk awareness

• Reviewing and approving all new risks and before they are included on the risk register and rejecting those that don’t merit inclusion • Working with the Audit Committee to provide assurance to the Board regarding the management of these risks • Working with the other committees to ensure they review the risks relevant to their Terms of Reference to ensure their input into the

management of these risks • Reviewing all risks on the risk register quarterly and the most serious risks i.e. those with a score of 15 or above on a monthly basis • The Chief Officer will ensure that membership of this committee promotes a consistent approach to the identification and management of

risk.

Finance and

Performance

Committee

• Reviewing the financial risks on the risk register • Offering leadership and guidance on mitigating the risks • Working with the CCG Executive team to ensure risks are appropriately managed

Primary Care

Operational Group

• Reviewing the risks to primary care services register • Offering leadership and guidance on mitigating the risks • Working with the CCG Executive team to ensure risks are appropriately managed

Quality Committee • Reviewing the risks to quality and patient experience on the register • Offering leadership and guidance on mitigating the risks • Working with the CCG Executive team to ensure risks are appropriately managed • Receiving themes and issues (if identified at the Serious Incident, Complaints and Safeguarding Committee and reporting to the Audit

Committee.

Joint Commissioning

Committee

• Reviewing joint risks for the CCG and the Council • Offering leadership and guidance on mitigating the risks • Working with the CCG Executive team to ensure risks are appropriately managed

Chief Officer
• Ultimately accountable for all risks relating to the operations of the organisation
• Leading on the strategic approach to risk, establishing and maintaining the structure for risk management
• Ensuring that leadership and expertise in the field of risk management is available to the organisation
• Ensuring that the Board Assurance Framework is developed, reviewed and reported to the appropriate committees and the Board
• Ensuring that business continuity and disaster recovery plans are established and regularly tested, and that risk transfer mechanisms are in place.

Chief Financial Officer
• Implementing systems to enable internal financial control and sound financial governance
• Ensuring that the relevant financial risks are presented to the Finance and Performance Committee for review and management as appropriate
• Ensuring systems are in place for managing information risk, as the CCG's Senior Information Risk Owner (SIRO)
• Ensuring systems are in place for managing performance risk in the CCG.


Director of Nursing and Quality
• Ensuring effective systems are in place to manage the risks to the CCG in commissioning high quality services which are safe and effective for patients
• Ensuring that the relevant quality risks are presented to the Quality Committee for review and management as appropriate
• Ensuring effective systems are in place to manage risks regarding the confidentiality of patient and service-user information, while enabling appropriate information sharing.

Director of Integrated Health and Care Commissioning
• Ensuring effective systems are in place to manage the risks to the CCG and Council in delivery of the strategic priorities for integrated health and care services
• Ensuring that the relevant risks for jointly commissioned services are presented to the Joint Commissioning Committee for review and management as appropriate
• Ensuring that the relevant risks for the Better Care Fund are presented to the Joint Commissioning Committee for review and management as appropriate.

Head of Commissioning Development
• Ensuring effective systems are in place to manage the risks to delivery of the strategic commissioning priorities set by the clinical commissioning group
• Ensuring that the relevant primary care risks are presented to the Primary Care Operational Group for review and management as appropriate.

Head of Corporate Governance and Planning
• Managing the risk management strategy document
• Reviewing the risk management processes
• Ensuring Health and Safety legislative requirements are complied with in regard to risk assessments, appropriate control measures, raising outstanding concerns, staff training, ensuring safe working procedures/practices, and continued monitoring and revision of these. These responsibilities extend to cover anyone affected by the organisation's operations, including sub-contractors, members of the public and visitors.

Head of Programme Management Office
• Maintaining the risk register and the risk management strategy documents
• Ensuring that the risk management process is followed, that risk reviews take place, and that information is gathered and placed on the risk register to evidence that the risks are being managed
• Raising concerns regarding the risk management framework of the organisation, generated through the information received, and acting as critical friend
• Contributing, where applicable, to the Board Assurance Framework
• Providing specialist advice in support of risk management
• Benchmarking organisational information and encouraging learning from best practice
• Working closely within the organisation to promote continuous improvement and consistency in risk management approaches and processes

Quality Team
• Reviewing the risks to quality and patient experience on the risk register
• Offering leadership and guidance on mitigating the risks
• Working with the CCG Executive team to ensure risks are appropriately managed
• Receiving themes and issues identified at the Serious Incident, Complaints and Safeguarding Committee, and reporting them to the Audit Committee.


Senior Managers
• Providing leadership for the risk management agenda and ensuring that responsibilities to identify, record, analyse, control and communicate risks via the risk management process are undertaken
• Ensuring that staff receive training in line with the Training Needs Analysis and that mandatory training is attended
• Ensuring that all employees who require Health Surveillance according to risk assessments are identified, and that where Health Surveillance is required no individual carries out the specific duties covered by the surveillance until they have attended the Occupational Health Service
• Ensuring that fire and other emergencies are appropriately dealt with and that business continuity arrangements are in place
• Ensuring compliance with all Information Governance requirements through the Connecting for Health IG Toolkit, subsequent plans and associated policies

All Staff
• Understanding, accepting and implementing the mechanisms in this strategy
• Actively identifying and addressing risk
• Undertaking their roles with full appreciation of the risks and the potential consequences of their actions
• Taking action to protect themselves and others in relation to health and safety risks
• Ensuring that they attend training as required
• Ensuring that identified risks and adverse events are dealt with swiftly and effectively, and reported so that further action/learning may be taken as necessary
• Adhering to their professional codes and the NHS Code of Conduct
• Complying with all approved policies and Standard Operating Procedures
• Reporting inefficient, unnecessary or unworkable risk controls
• Neither intentionally nor recklessly interfering with or misusing any equipment provided for the protection of safety and health
• Being aware of the emergency procedures relevant to their location, e.g. resuscitation, evacuation and fire precaution procedures
• Co-operating with management on incident investigations
• Providing assistance as reasonably requested in times of crisis.


Appendix B - Risk scoring and rating matrices (modified locally from the NPSA 'A risk matrix for risk managers', January 2008)

Likelihood and Impact are scored separately. For Impact, choose the most relevant risk descriptor and use this to measure the impact of the risk.

Likelihood scoring

Score 1 - Rare: May happen in exceptional circumstances (probability <2.5%)
Score 2 - Unlikely: The event could occur (probability 2.5 - <10%)
Score 3 - Possible: The event should occur in some circumstances (probability 10-49%)
Score 4 - Likely: The event will occur in many circumstances (probability 50-80%)
Score 5 - Very Likely: The event is expected to occur in almost all circumstances (probability >80%)

Impact scoring

Impact scores run from 1 (Negligible) to 5 (Catastrophic). For each domain below, the descriptors for each score are listed in turn.

Safety - Injury (physical & psychological) to patient / visitor / staff
1 Negligible: Minimal injury requiring no/minimal intervention or treatment
2 Minor: Minor injury or illness requiring minor intervention
3 Moderate: Moderate injury requiring medical treatment and/or counselling. Agency reportable, e.g. Police (violent and aggressive acts). An event which impacts on a small number of patients
4 Major: Major injuries / long term incapacity or disability (loss of limb) requiring medical treatment and/or counselling
5 Catastrophic: Incident leading to death or major permanent incapacity. An event which impacts on a large number of patients


Service Delivery - Quality / Complaints / Audit
1 Negligible: Locally resolved verbal (informal) complaint. Peripheral element of treatment or service sub-optimal
2 Minor: Justified written complaint peripheral to clinical care (overall treatment or service sub-optimal). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved
3 Moderate: Justified complaint involving lack of appropriate care; treatment or service has significantly reduced effectiveness. Formal complaint. Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on
4 Major: Multiple justified complaints / independent review. Non-compliance with national standards with significant risk to patients if unresolved. Low performance rating. Critical report
5 Catastrophic: Complex justified complaint; totally unacceptable level or quality of treatment / service. Gross failure of patient safety if findings not acted on. Inquest / ombudsman inquiry. Gross failure to meet national standards

Service Delivery - Human Resources / Organisational development / Staffing & Competence
1 Negligible: Short term low staffing level temporarily reduces service quality (<1 day)
2 Minor: Short term low staff level (>1 day) where there is no disruption to patient care. Ongoing low staffing level reduces service quality. Minor error due to ineffective training / implementation of training
3 Moderate: Late delivery of key objective / service due to lack of staff. Unsafe staffing level or competence (>1 day). Low morale. Poor staff attendance for mandatory / key training
4 Major: Ongoing problems with staffing. Uncertain delivery of key objective / service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory / key training
5 Catastrophic: Non-delivery of key objective / service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory / key training on an ongoing basis


Service Delivery - Statutory duty / inspections
1 Negligible: No or minimal impact or breach of guidance / statutory duty. Small number of recommendations which focus on minor quality improvement issues
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved. Recommendations made which can be addressed by a low level of management action
3 Moderate: Single breach in statutory duty. Challenging recommendations that can be addressed with an appropriate action plan / improvement notice
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report

Service Delivery - Business objectives / projects
1 Negligible: Insignificant cost increase / schedule slippage, reduction in scope or quality
2 Minor: <5% over project budget; minor reduction in scope, quality or schedule
3 Moderate: 5-10% over project budget; reduction in scope or quality of project, project objectives or schedule
4 Major: 10-25% over project budget; significant project over-run; key objectives not met
5 Catastrophic: >25% over project budget; inability to meet project objectives; reputation of the organisation seriously damaged

Service Delivery - Services / Business Interruption; Environmental impact
1 Negligible: Interruption in a service which does not impact on the delivery of patient care or the ability to continue to provide the service. Minimal or no impact on the environment
2 Minor: Short term disruption to service with minor impact on patient care. Minor impact on the environment
3 Moderate: Some disruption in service with unacceptable impact on patient care. Temporary loss of ability to provide service. Moderate impact on the environment
4 Major: Sustained loss of service which has serious impact on delivery of patient care, resulting in major contingency plans being invoked. Major impact on the environment
5 Catastrophic: Permanent loss of core service or facility. Disruption of facility leading to significant 'knock-on' effect. Catastrophic impact on the environment


Reputation - Adverse Publicity / Reputation
1 Negligible: Rumours, no media coverage but potential for public concern. Little effect on staff morale
2 Minor: Local media coverage; short-term reduction in public confidence. Elements of public expectation not being met. Minor effect on staff morale / public attitudes
3 Moderate: Local media coverage; long-term adverse publicity. Significant effect on staff morale and public perception of the organisation
4 Major: National media / adverse publicity, less than 3 days. Service well below reasonable public expectation. Public confidence in the organisation undermined. Use of services affected
5 Catastrophic: National / International media / adverse publicity, more than 3 days. MSP/MP concern (Questions in Parliament). Court enforcement. Public Inquiry / FAI. Service well below reasonable public expectation. Total loss of public confidence

Financial - Claims, fraud, overpayment, unavoidable payment
1 Negligible: Negligible organisational financial loss (less than £10k)
2 Minor: Minor organisational financial loss (£11k to £50k)
3 Moderate: Significant organisational financial loss (£51k to £200k)
4 Major: Major organisational financial loss (£201k to £500k)
5 Catastrophic: Severe organisational financial loss (over £500k)

Information Governance / Records Management
1 Negligible: Damage to an individual's reputation. Possible media interest. Potentially serious breach. Fewer than 5 people affected, or risk assessed as low, e.g. the files were encrypted
2 Minor: Damage to a team's reputation. Some local media interest. Serious potential breach and risk assessed as high, e.g. unencrypted clinical records lost. Up to 20 people affected
3 Moderate: Damage to a service's reputation / local media coverage. Serious breach of confidentiality, e.g. up to 100 people affected
4 Major: Damage to the organisation's reputation / local and politically sensitive media coverage. Serious breach with either particular sensitivity, e.g. sexual health details, or up to 1000 people affected
5 Catastrophic: Damage to the NHS's reputation / national media coverage. Serious breach with potential for ID theft, or over 1000 people affected