Risk management strategy 2016-2018
Version: 3.0
Name of approving committee: CCG Board
Audit Committee
Operational date: 01 April 2016
Document review date: March 2018
Document sponsor: Tracey Cox
Chief Officer
Document manager: Julie-Anne Wales
Head of Corporate Governance and Planning
Risk management strategy Page 2 of 23
Table of Contents
Page
0 Document Information 2
1 Introduction 3
2 Risk management overview 3
3 Strategic objectives and risk management objectives 4
4 Risk management framework 5
4.1 Risk management approach 5
4.2 Roles and responsibilities 6
4.3 Risk management process 6
4.4 Risk appetite 10
4.5 Risk reporting and escalation 12
5 Training 13
6 Communication and consultation 13
7 Equality, diversity and the Mental Capacity Act 13
8 Strategy review and monitoring compliance 13
9 Associated documentation 14
10 References and other source documents 14
Appendix A: BaNES CCG risk management responsibilities 15
Appendix B: Risk scoring and rating matrices 19
0. Document information
Revision History
Revision date | Document version | Summary of changes | Changes made by

Approvals
This document requires the following approvals
Name | Job Title | Date of Issue | Version
Audit Committee | N/A | 12 Oct 2016 | v2.0
CCG Board | N/A | 12 Jan 2017 | v3.0
1. Introduction
As Bath and North East Somerset Clinical Commissioning Group (BaNES CCG), we have
a statutory responsibility to patients, staff and the public to ensure that we have effective
processes, policies and people in place to deliver our objectives and to control any risks
that we face in achieving them.
The BaNES CCG Board recognises that sound risk management is essential for meeting
objectives and identifying and managing future opportunities. The Board ensures risk
management forms a fundamental element of our business rather than a separate
programme, and is committed to ensuring that risk management is embedded throughout
our organisation and is part of our everyday practice.
This risk management strategy has been updated from the 2013 to 2015 strategy and
aims to deliver a pragmatic and effective multidisciplinary approach to risk management,
which is underpinned by a clear accountability structure within BaNES CCG. The purpose
of this document is to set out the overall aims, objectives and process for risk management
within our organisation.
2. Risk management overview
Risk refers to uncertainty, the possibility of incurring misfortune or loss or missing
opportunities. This is measured in terms of the likelihood of something happening and the
impact of the possible consequences. In the CCG, we view a risk to be anything which
has the potential to damage or threaten our achievement of the organisation’s objectives.
For the purposes of this strategy:
• Clinical risk is any issue that may have an impact on the provision of high quality,
safe and effective clinical care for patients;
• Organisational risk is any issue that may have an impact on organisational
objectives, continuity or the organisation’s reputation;
• Financial risk is any issue that may have an impact on financial objectives or
arrangements.
Our task is to effectively identify, analyse and respond to such risks in order to maximise
the likelihood of achieving our purposes and also to ensure the best use of our resources.
We acknowledge that within healthcare some exposure to risks or risk taking will be
necessary, fundamental and tolerated. However, we will only do this under a clear risk
management methodology that enables us to understand:
• risk at all levels within the organisation to facilitate identification, recording and
management;
• consistent risk measurement so that risk priorities can be identified through a
combination of impact and likelihood;
• the type of risk and level of risk exposure that can be tolerated by the organisation in
going about its activities;
• mitigation and control that is proportionate to the level of risk;
• the appropriate mechanisms to ensure that risks can be escalated to a level of
management that can effectively respond to them;
• the on-going monitoring of the effectiveness of mitigation and control; and
• the provision of assurance to responsible committees.
3. Strategic objectives and risk management objectives
This strategy is based on risk management objectives that support the strategic objectives
of the CCG. The risk management objectives are delivered through a set of principles
shown in the diagram below.
4. Risk management framework
The following elements make up the Risk management strategy and these will be
discussed in turn:
4.1 Risk management approach
Our approach to risk management encompasses the breadth of the organisation by
considering financial, organisational, reputational and project risks, both clinical and non-
clinical and for all parts of the organisation.
Our risk management approach comprises a number of elements which will help us
manage our risks:
4.2 Roles and responsibilities
The roles and responsibilities of key individuals and committees including accountability
levels with regard to risk management are shown in Appendix A. A detailed account of
individual and committee responsibilities is provided in job descriptions and committee
terms of reference.
4.3 Risk management process
Everyone is encouraged to contribute to the management of risk and all staff have a
responsibility to engage with the risk management process. The risk management process
is a continual cycle, taking a systematic approach to all risks, as illustrated below:
4.3.1 Risk identification
Risk identification establishes the organisation’s exposure to risk and uncertainty. There is
no one correct way to identify risks and, in practice, the use of multiple methods by
different staff groups, is more successful. All staff are responsible for identifying risks and
ways in which they can do this include:
• Adverse event report, including trends and data analysis - All staff are required
to report incidents and near misses using the Datix system or subsequent
arrangements. Line managers and service managers use these reports to identify
risks and take immediate and/or planned risk management action. Risks may also
be included on the risk register.
• Serious Incidents Requiring Investigation (SIRI) - We receive reports regarding
the most serious incidents that occur in provider services in accordance with the
national framework. The reports investigate the incident to identify contributory
factors and root causes where risk treatment will be instigated to prevent future
occurrence. We are responsible for considering and closing these incidents and to
monitor the risk treatment as appropriate. Serious Untoward Incident (SUI) data and
reports are an important source of information for the commissioning process.
Provider SUIs are considered at the Serious Incident, Complaints and Safeguarding
Committee, which reports into the Quality Committee. We and primary care
providers may be involved in SIs.
• Claims and complaints data – We may identify risks by analysing any trends from
claims and complaints and by looking at the particulars of each. Complaints data is
considered at the Serious Incident, Complaints and Safeguarding Committee which
reports into the Quality Committee.
• Business decision making and project planning - Risk identification is an
essential part of business planning and project planning to identify those risks that
could impact on achievement of objectives and risks that would be present if
objectives are not achieved.
• Strategy and policy development analysis - Developments in strategy and policy
can and do have considerable impact on business activities, plans, organisational
form and staff. Our senior managers look to their own field and specialism to
identify potential risks and opportunities to be added to the risk register and to
inform the Board Assurance Framework (BAF).
We are required to maintain a comprehensive BAF. The BAF is a high-level
management assessment process and record of the primary risks relating to the
delivery of strategic objectives and the strength of internal control to prevent risks
occurring. It identifies sources of assurance and evaluates them for suitability. By
receiving and reviewing actual assurances and using findings, the adequacy of
internal control can be confirmed or modified.
The Board Assurance Framework is regularly reviewed at the Audit Committee and
Board and is fully updated annually in line with strategic objectives.
• External/Internal audits findings - By commissioning internal and external audit,
issues of control may come to light.
4.3.2 Risk recording
There is a corporate risk register which is a record that aims to illustrate the complete risk
profile of the CCG by reflecting the extent to which our objectives are threatened by the
uncertainty that risk presents. The risk register is owned by the Chief Officer and is held
centrally by the Head of Programme Management Office (PMO) and updated by senior
managers regularly (see risk assessment). Any new risks that are identified need to be
approved for inclusion on the risk register by the CCG Executive team. New risks are
collated by the Head of PMO for this purpose.
The format and process of our risk registers have been approved by the Board and, at a
minimum, would include the following:
• Description of the risk
• Initial risk score (likelihood & impact)
• Summary risk treatment plan
• Progress
• Date of review
• Current risk rating
• Target risk rating
• Who owns and manages the risk
A risk register is not a static record but should be viewed as an action plan giving details of
current controls and auditable actions for risk treatment.
4.3.3 Risk assessment and scoring
Once risks are identified, further evaluation is required to establish the exposure of the
organisation or service to risk and uncertainty. This assessment is used to rate the
significance of the risk and to determine the treatment of the risk. We use a locally
modified form of the former National Patient Safety Agency (now part of NHS England) 5
by 5 likelihood and impact matrix to assign a risk score.
In all cases it is important to set the risk into context for evaluation. Unfortunately, some
types of incident are more commonplace than others and may be linked to a particular
service or client group. This does not mean that some incidents should be tolerated but it
could mean that risk treatment may take a different form.
It is also important to consider how the identified risk may impact on other tasks, functions
or services. The risk itself may be of low significance but dependencies may raise the
profile of the risk.
In order to assess a risk, we ask how likely is it to occur and what the impact would
generally be if it occurs by using a scale of 1 to 5 (see matrix below). The likelihood and
impact scores are then multiplied to determine the level of risk severity which is then used
to classify or prioritise the risk.
Risk Matrix (likelihood x impact)

                        Likelihood of occurrence
Impact                  1 Rare   2 Unlikely   3 Possible   4 Likely   5 Very likely
5 Critical                 5        10           15           20           25
4 Major                    4         8           12           16           20
3 Moderate                 3         6            9           12           15
2 Minor                    2         4            6            8           10
1 Negligible               1         2            3            4            5

Risk rating      1-6        8-10            12           15-25
Classification   Low risk   Moderate risk   High risk    Critical risk

(Scores of 7, 11, 13 and 14 cannot arise, since they are not products of two whole numbers
between 1 and 5, so the four rating bands cover every possible score.)
This process is used for all types of risk, including clinical, non-clinical, strategic, financial,
operational, information governance etc. Further description to aid with the assessment of
risks within these specific areas can be found at Appendix B.
4.3.4 Risk planning
Following the completion of the risk assessment, we must consider the existing controls
and processes that are already in place that under normal circumstances would prevent,
mitigate or control the risk. Consideration must then be given to whether the risk requires
further management actions that ideally would minimise the likelihood and/or impact of the
risk. The senior managers who are risk managers are responsible for the action planning
against each identified risk. Controls and action plans are recorded on the risk register.
It is not always possible to identify and then fully implement actions that eliminate or
minimise a risk. Where this is the case, it is essential that the significance of the risk that
remains is understood and that the organisation, in accordance with the risk management
governance, confirms it is prepared to accept that level of risk. This is known as the
residual risk and is recorded as the target risk on the risk register.
4.3.5 Risk monitoring and review
The implementation of the action plan and the level of risk must be kept under review.
Reviews will take place as set out in the roles and responsibilities (Appendix A) and in the
‘delegation and authority’ section of the risk appetite statement below.
Where the implementation of action plans is not producing the anticipated results, the risk
should be reassessed and a revised action plan agreed as necessary. Once all possible
actions have been completed or the event has passed, the risk should be closed and
moved to the closed risk register for audit purposes.
4.4 RISK APPETITE
4.4.1 Definition
An organisation’s risk appetite defines the amount of risk that it is prepared to accept,
tolerate or be exposed to at any point in time. It should consider the different dimensions
in which a risk can materialise and how much exposure the organisation is willing to accept
for each type of risk. We have set out our risk appetite in a statement which is part of this
risk management strategy.
4.4.2 Risk appetite statement
Introduction
The Board acknowledges that risk is a component of change and improvement and
therefore does not expect the absence of risk or consider this as a necessarily positive
position. As such it recognises that risks present both challenges and opportunities and
should not be considered solely in terms of their potential financial consequences.
Our risk appetite statement helps our staff and our stakeholders understand the level of
risk that we are prepared to accept across the CCG. It describes the levels of risk we are
prepared to tolerate and how they will be treated and by whom.
Risk treatment
We require all staff to take responsibility for the treatment of identified risks. Identifying
and reporting a risk does not end the responsibility of the individual staff member. We
expect all reported and registered risks to be managed using the following risk treatment
options:
• TREAT: implementing controls and action plans to contain, minimise or mitigate
• TERMINATE: removing the risk completely
• TRANSFER: transferring the uncertainty of the risk (for example by insurance)
• TOLERATE: making a decision to tolerate the risk in line with this risk appetite
statement.
We believe that the majority of our risks will need to have controls implemented to reduce
the likelihood or severity of the risk. Existing control mechanisms/activities and the level of
confidence in these existing controls must be considered when identifying options for
additional control measures.
The cost-effectiveness of the control needs to be considered to ensure that the risk
reduction benefits outweigh the cost of the control. We will, where necessary, tolerate
risks rated high or lower (scoring 12 or below) where the actions needed to mitigate the
risk are not cost effective or reasonably practicable.
Risk tolerance
Our risk appetite is mapped in the following table which shows the level of risk we will
tolerate against the categories of risk we face across all business areas.
We will not accept levels of risk rated critical (scored 15 or above on the risk matrix) and
will ensure that plans are put into place to lower the level of risk whenever a critical risk
has been identified. Likewise, we will not tolerate any of the different types of risk at a
rating greater than those shown in the table. Plans to reduce the risk to a rating that will be
tolerated will be put in place.
Willingness to accept risk
Category of risk Classification Risk rating
Public, patient and staff safety Low 1-6
Quality/patient experience Low 1-6
Finance Moderate 8-10
Capacity and capability Moderate 8-10
Business management and reputation Moderate 8-10
Information governance Low 1-6
Delegation and authority
We have clear lines of delegation and authority associated with the treatment of risks for
all business areas and these are shown in the table below.
Level | Authority / Ownership | Action

Low risk (1-6) | Individuals
Individuals should manage low risks by maintaining routine procedures and taking proportionate action to implement any additional new control measures to reduce risk where possible. Individuals must escalate higher levels of risk. The CCG Executive team reviews all risks.

Moderate risk (8-10) | Managers
Managers must ensure that an action plan is identified to reduce or remove the risk. The risk must be entered on the risk register. Managers must escalate higher levels of risk. The CCG Executive team reviews all risks.

High risk (12) | Senior Managers
Senior Managers must prepare an action plan for high risks. Appropriate management assurance must evidence and control the risk and oversee the action plan to reduce the risk. Senior Managers must consider any developing implications of the risk and report to Directors if appropriate. The risk must be reported on the risk register. The Audit Committee reviews all risks scored 12 and above.

Critical risk (15-25) | Directors
Management action is required to ensure immediate risk treatment, in line with the context of the risk. Action plans must be overseen by a responsible lead, who will ensure that the risk is reported on the Corporate Risk Register or BAF. The risk will be monitored at the Audit Committee. The CCG Board reviews risks scored 15 and above.
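To show how the scoring matrix (section 4.3.3), the rating bands, the tolerance table and the delegation table above combine when applied to a register, here is a worked example in Python. It is added for this page and is not a BaNES CCG tool or process; the bands, appetite levels and owner/reviewer pairs are transcribed from the strategy, while the sample register entries and the check that an action plan's target rating is itself within appetite are this example's own assumptions.

```python
"""Score, classify, appetite-check and route risks with the strategy's 5x5 matrix.

Added worked example, not CCG tooling. Bands, appetite and delegation are
transcribed from the strategy; the sample register and the target-vs-appetite
check are this example's own constructions.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}

# Rating bands. Products of two integers in 1..5 never equal 7, 11, 13 or 14,
# so the gaps between bands are unreachable scores rather than undefined ones.
BANDS = ((1, 6, "Low"), (8, 10, "Moderate"), (12, 12, "High"), (15, 25, "Critical"))
RANK = {"Low": 0, "Moderate": 1, "High": 2, "Critical": 3}

# Maximum classification tolerated per category (risk appetite statement).
APPETITE = {
    "Public, patient and staff safety": "Low",
    "Quality/patient experience": "Low",
    "Finance": "Moderate",
    "Capacity and capability": "Moderate",
    "Business management and reputation": "Moderate",
    "Information governance": "Low",
}

# (owner, reviewing body) per classification (delegation and authority table).
DELEGATION = {
    "Low": ("Individuals", "CCG Executive team"),
    "Moderate": ("Managers", "CCG Executive team"),
    "High": ("Senior Managers", "Audit Committee"),
    "Critical": ("Directors", "CCG Board"),
}


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact, each on the 1-5 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be 1..5")
    return likelihood * impact


def classify(risk_score: int) -> str:
    """Map a score to Low / Moderate / High / Critical."""
    for low, high, label in BANDS:
        if low <= risk_score <= high:
            return label
    raise ValueError(f"{risk_score} is not a product of two scores in 1..5")


@dataclass(frozen=True)
class Risk:
    ref: str
    category: str
    likelihood: int
    impact: int
    target_likelihood: int  # residual position once the action plan is delivered
    target_impact: int


def assess(risk: Risk) -> dict:
    current = classify(score(risk.likelihood, risk.impact))
    target = classify(score(risk.target_likelihood, risk.target_impact))
    tolerated = APPETITE[risk.category]
    owner, reviewer = DELEGATION[current]
    return {
        "ref": risk.ref,
        "score": score(risk.likelihood, risk.impact),
        "classification": current,
        "owner": owner,
        "reviewer": reviewer,
        "tolerated": tolerated,
        # Rated above appetite: a plan to lower the rating is required.
        "needs_plan": RANK[current] > RANK[tolerated],
        # Assumed check: the plan's own end state is still above appetite, so
        # the residual risk cannot simply be accepted as the target rating.
        "target_outside_appetite": RANK[target] > RANK[tolerated],
    }


# Constructed sample register (hypothetical entries, not CCG data).
SAMPLE_REGISTER = [
    Risk("R1", "Information governance", 2, 3, 1, 3),
    Risk("R2", "Finance", 3, 4, 2, 4),
    Risk("R3", "Public, patient and staff safety", 4, 5, 2, 4),
    Risk("R4", "Capacity and capability", 2, 5, 2, 4),
]


def needing_plans(register) -> list:
    return [a["ref"] for a in map(assess, register) if a["needs_plan"]]


def targets_outside_appetite(register) -> list:
    return [a["ref"] for a in map(assess, register) if a["target_outside_appetite"]]


if __name__ == "__main__":
    for a in map(assess, SAMPLE_REGISTER):
        print(f"{a['ref']}: score {a['score']:>2} {a['classification']:<8} "
              f"owner={a['owner']}, reviewed by {a['reviewer']}, appetite={a['tolerated']}, "
              f"plan needed={a['needs_plan']}, target outside appetite={a['target_outside_appetite']}")
```

Run stand-alone, the block lists each sample risk with its score, band, owner and reviewing body. R2 (Finance, 3 x 4 = 12, High) exceeds the Moderate appetite for finance and is routed to Senior Managers and the Audit Committee; R3 (safety, 4 x 5 = 20, Critical) goes to Directors and the Board, and its target of 2 x 4 = 8 (Moderate) is still above the Low appetite for safety risks, which is the case the second check exists to surface.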
Review
Our statement of risk appetite is dynamic and represents an iterative process that reflects
the challenging environment facing the CCG and the wider NHS. We will review our risk
appetite at least biennially.
4.5 RISK REPORTING AND ESCALATION
4.5.1 Risk Reporting
The risk register is the main vehicle for reporting the CCG’s risks and enables the Board
and Audit Committee to be assured of the management of risks. Reporting and reviewing
of the risk register takes place as set out in the roles and responsibilities shown in
Appendix A.
In addition to the risk register, a quarterly report is generated from the Datix system and
the CCG Quality Team logs and reports relevant Serious Untoward Incidents (SUIs) using
the STEIS system. These incidents are investigated and reported to the Quality Committee
in detail for discussion, and to the Audit Committee as part of general risk information.
Patient safety incidents reported using the STEIS system or the provider risk management
systems are reported automatically (not by the CCG) to the National Reporting and Learning
System (NRLS). Learning from CCG and other reports is shared across the organisation
and, where appropriate, with other NHS organisations.
4.5.2 Risk escalation
The diagram below sets out the process for escalating risk.
The treatment of risks will be aligned to the delegation and authority given to individuals as
stated in the risk appetite statement.
5. TRAINING
Training to ensure competency at all levels is recognised as one of the most cost effective
controls for good risk management. We are committed to providing risk management
training periodically for those involved in it and the reading of this strategy is part of our
induction programme for new starters at the CCG.
6. COMMUNICATION AND CONSULTATION
In addition to the regular monitoring, annual review and reports to the Board and its
committees, key issues and actions arising from risk management, audit reports and
related processes are communicated to staff, patients, public and other relevant
stakeholder groups where necessary. If appropriate and/or required these key risk issues
and actions can be communicated to external performance management/review bodies.
The Chief Officer makes suitable arrangements to circulate bulletins and alerts, when
necessary, to raise awareness of particular risk issues.
This strategy will be made available to contracted bodies.
This strategy is published on the organisation’s website and intranet and staff are also
made aware through training sessions and by staff briefing sessions.
7. EQUALITY, DIVERSITY AND MENTAL CAPACITY ACT
No significant equality or diversity issues have been identified as a result of this strategy.
This strategy meets requirements of the Mental Capacity Act 2005.
8. STRATEGY REVIEW AND MONITORING COMPLIANCE
This risk management strategy is a rolling two year document. The strategy will be
reviewed by the Audit Committee on at least an annual basis or earlier where there has
been a significant change to the CCG or our objectives.
The Audit Committee will approve any changes to the strategy and submit it to the Board
for ratification on a biennial basis (or sooner if the Audit Committee recommend changes).
The Audit Committee is also responsible for ongoing monitoring of this strategy, to ensure
that the framework described is working effectively.
Independent assurance will be gained when required, by means of the Internal Auditors, to
assess the operation of the risk management framework of the organisation. Internal Audit
support may also be requested to assess specific controls, areas or risks identified through
the risk management process.
9. ASSOCIATED DOCUMENTATION
The following policies will help to implement this strategy.
• Health & Safety Policy
• Incident Reporting Policy
• Serious Incidents Policy
• Security Management Policy
• Complaints Policy
• Whistleblowing Policy
• Counter Fraud Policy
• Claims Policy
• Information Governance Policy
• Supporting Staff Involved in an Incident, Complaint or Claim Policy
• Learning & Development Policy – Training Needs Analysis
10. REFERENCES AND OTHER SOURCE DOCUMENTS
A Risk Matrix for Risk Managers, NPSA, January 2008
Bath and North East Somerset Clinical Commissioning Group Risk Management Strategy
2013 to 2016.
NHS England Risk Management Policy and Process Guide
Appendix A – BaNES CCG risk management responsibilities

Title | Responsibilities

CCG Board
• Having overall accountability for the management of governance, risk and assurance, determining the strategic approach to risk and setting the risk appetite for the organisation
• Ensuring and approving the structure and framework for risk management
• Considering whether the organisation has implemented an effective system of internal control, including appropriate risk management arrangements, with reference to available assurance
• Regularly receiving the Board Assurance Framework (BAF) and the Corporate Risk Register, which contain the most significant risks that can impact on the achievement of the strategic objectives
• Receiving and responding to risk assurance reports and issues raised by the Audit Committee in regard to risk, internal control and assurance
• Ensuring risks are considered and managed whilst discharging specific responsibilities as Board members, e.g. Lay members of the Board have specific responsibilities regarding audit, remuneration, conflict of interest matters and public and patient engagement. The roles of other Board members are given below.

Audit Committee
• Providing assurance to the Board on the effectiveness and adequacy of the processes for managing principal risks and the risk management framework
• Challenging the way in which risk is managed, particularly where there is uncertainty or concerns over the effectiveness of existing arrangements. This could include requesting attendance at meetings for the purpose of providing relevant information for assurance purposes
• Recommending specific risk management issues for investigation
• Receiving issues referred by the Board for scrutiny
• Ensuring that arrangements for risk management are regularly included in the cycle of independent audits
• Being accountable for providing the Board with overall assurances that the management of risk is effective, arranging sub-committees as required
• Overseeing and monitoring governance and performance, including corporate, information, clinical and non-clinical governance and risk management and quality. It will report regularly to the Board on these areas
• Overseeing the operation of the risk management framework to ensure that the organisation is appropriately managing risks, including operating safely and legally and exploiting potential opportunities, providing assurance of its effectiveness to the Board
• Programming work related to external and internal assessments of the organisation’s risk management arrangements, including any assessment by the NHSLA
• Receiving and regularly reviewing the Corporate Risk Register (for risks scored 12 and above) and the Board Assurance Framework
• Reviewing the adequacy and effectiveness of policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements and related reporting and self-certification on behalf of the organisation
• Reviewing any serious untoward incidents (SUIs).
CCG Executive Team
• Identifying all facets of risk, including operational, clinical, quality, financial and information governance, and providing leadership to deliver a culture of risk awareness
• Reviewing and approving all new risks before they are included on the risk register and rejecting those that do not merit inclusion
• Working with the Audit Committee to provide assurance to the Board regarding the management of these risks
• Working with the other committees to ensure they review the risks relevant to their Terms of Reference, to ensure their input into the management of these risks
• Reviewing all risks on the risk register quarterly, and the most serious risks (those with a score of 15 or above) on a monthly basis
• The Chief Officer will ensure that membership of this committee promotes a consistent approach to the identification and management of risk.

Finance and Performance Committee
• Reviewing the financial risks on the risk register
• Offering leadership and guidance on mitigating the risks
• Working with the CCG Executive team to ensure risks are appropriately managed

Primary Care Operational Group
• Reviewing the risks to primary care services on the register
• Offering leadership and guidance on mitigating the risks
• Working with the CCG Executive team to ensure risks are appropriately managed

Quality Committee
• Reviewing the risks to quality and patient experience on the register
• Offering leadership and guidance on mitigating the risks
• Working with the CCG Executive team to ensure risks are appropriately managed
• Receiving themes and issues identified at the Serious Incident, Complaints and Safeguarding Committee and reporting them to the Audit Committee.

Joint Commissioning Committee
• Reviewing joint risks for the CCG and the Council
• Offering leadership and guidance on mitigating the risks
• Working with the CCG Executive team to ensure risks are appropriately managed

Chief Officer
• Ultimately accountable for all risks relating to the operations of the organisation
• Leading on the strategic approach to risk, establishing and maintaining the structure for risk management
• Ensuring that leadership and expertise in the field of risk management is available to the organisation
• Ensuring that the Board Assurance Framework is developed, reviewed and reported to appropriate committees and the Board
• Ensuring that business continuity and disaster recovery plans are established and regularly tested, and that risk transfer mechanisms are in place.

Chief Financial Officer
• Implementing systems to enable internal financial control and sound financial governance
• Ensuring that the relevant financial risks are presented to the Finance and Performance Committee for review and management as appropriate
• Ensuring systems are in place for managing information risk, as the CCG’s Senior Information Risk Owner (SIRO)
• Ensuring systems are in place for managing performance risk in the CCG.
Director of Nursing and Quality
• Ensuring effective systems are in place to manage the risks to the CCG in commissioning high quality services which are safe and effective for patients
• Ensuring that the relevant quality risks are presented to the Quality Committee for review and management as appropriate
• Ensuring effective systems are in place to manage risks regarding the confidentiality of patient and service-user information and enabling appropriate information sharing.

Director of Integrated Health and Care Commissioning
• Ensuring effective systems are in place to manage the risks to the CCG and Council in delivery of the strategic priorities for integrated health and care services
• Ensuring that the relevant risks for jointly commissioned services are presented to the Joint Commissioning Committee for review and management as appropriate
• Ensuring that the relevant risks for the Better Care Fund are presented to the Joint Commissioning Committee for review and management as appropriate.

Head of Commissioning Development
• Ensuring effective systems are in place to manage the risks to delivery of the strategic commissioning priorities set by the clinical commissioning group
• Ensuring that the relevant primary care risks are presented to the Primary Care Operational Group for review and management as appropriate.

Head of Corporate Governance and Planning
• Managing the risk management strategy document
• Reviewing the risk management processes
• Ensuring Health and Safety legislative requirements are complied with in regard to risk assessments, appropriate control measures, raising outstanding concerns, staff training, ensuring safe working procedures/practices and continued monitoring and revision of these. These responsibilities extend to cover anyone affected by the organisation’s operations, including sub-contractors, members of the public and visitors.

Head of Programme Management Office
• Maintaining the risk register and the risk management strategy documents
• Ensuring that the risk management process is followed and that risk reviews take place, information is gathered and placed on the risk register to evidence that the risks are being managed
• Raising concerns regarding the risk management framework of the organisation, generated through the information received, and acting as critical friend
• Contributing, where applicable, to the Board Assurance Framework
• Providing specialist advice in support of risk management
• Benchmarking organisational information, encouraging learning from best practice
• Working closely within the organisation to promote continuous improvement and consistency with risk management approaches and processes

Quality Team
• Reviewing the risks to quality and patient experience on the register
• Offering leadership and guidance on mitigating the risks
• Working with the CCG Executive team to ensure risks are appropriately managed
• Receiving themes and issues identified at the Serious Incident, Complaints and Safeguarding Committee and reporting them to the Audit Committee.
Senior Managers
• Providing leadership for the risk management agenda and ensuring that responsibilities to identify, record, analyse, control and communicate risks via the risk management process are undertaken
• Ensuring that staff receive training in line with the Training Needs Analysis and that mandatory training is attended
• Ensuring that all employees who require Health Surveillance according to risk assessments are identified, and that where Health Surveillance is required no individual carries out specific duties covered by the surveillance until they have attended the Occupational Health Service
• Ensuring that fire and other emergencies are appropriately dealt with and business continuity arrangements are in place
• Ensuring compliance with all Information Governance requirements through the Connecting for Health IG Toolkit, subsequent plans and associated policies
All Staff
• Understanding, accepting and implementing the mechanisms in this strategy
• Actively identifying and addressing risk
• Undertaking their roles with full appreciation for the risks and the potential consequences of their actions
• Taking action to protect themselves and others in relation to health and safety risks
• Ensuring that they attend training as required
• Ensuring that identified risks and adverse events are dealt with swiftly and effectively, and reported to ensure further action/learning may be taken as necessary
• Adhering to their professional codes and the NHS Code of Conduct
• Complying with all approved policies and Standard Operating Procedures
• Reporting inefficient, unnecessary or unworkable risk controls
• Neither intentionally nor recklessly interfering with or misusing any equipment provided for the protection of safety and health
• Being aware of relevant emergency procedures, e.g. resuscitation, evacuation and fire precaution procedures, relevant to their location
• Co-operating with management on incident investigations
• Providing assistance as reasonably requested in times of crisis.
Appendix B - Risk scoring and rating matrices (modified locally from the NPSA ‘A risk matrix for risk managers’ January 2008)
Likelihood scoring
Score / Descriptor: Description of likelihood (% probability)
1 Rare: May happen in exceptional circumstances (<2.5%)
2 Unlikely: The event could occur (2.5 - <10%)
3 Possible: The event should occur in some circumstances (10-49%)
4 Likely: The event will occur in many circumstances (50-80%)
5 Very Likely: The event is expected to occur in almost all circumstances (>80%)
Impact scoring
Choose the most relevant risk descriptor and use this to measure the impact of the risk.
Score / Descriptor: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic
Safety - Injury (physical & psychological) to patient / visitor / staff
1 Negligible: Minimal injury requiring no/minimal intervention or treatment
2 Minor: Minor injury or illness requiring minor intervention
3 Moderate: Moderate injury requiring medical treatment and/or counselling. Agency reportable, e.g. Police (violent and aggressive acts). An event which impacts on a small number of patients
4 Major: Major injuries / long term incapacity or disability (loss of limb) requiring medical treatment and/or counselling
5 Catastrophic: Incident leading to death or major permanent incapacity. An event which impacts on a large number of patients
Service Delivery - Quality / Complaints / Audit
1 Negligible: Locally resolved verbal (informal) complaint. Peripheral element of treatment or service sub optimal
2 Minor: Justified written complaint peripheral to clinical care (overall treatment or service sub optimal). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved
3 Moderate: Justified complaint involving lack of appropriate care – treatment or service has significantly reduced effectiveness. Formal complaint. Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on
4 Major: Multiple justified complaints / independent review. Non-compliance with national standards with significant risk to patients if unresolved. Low performance rating. Critical report
5 Catastrophic: Complex justified complaint – totally unacceptable level or quality of treatment / service. Gross failure of patient safety if findings not acted on. Inquest / ombudsman inquiry. Gross failure to meet national standards
Service Delivery - Human Resources / Organisational development / Staffing & Competence
1 Negligible: Short term low staffing level temporarily reduces service quality (<1 day)
2 Minor: Short term low staff level (>1 day) where there is no disruption to patient care. Ongoing low staffing level reduces service quality. Minor error due to ineffective training / implementation of training
3 Moderate: Late delivery of key objective / service due to lack of staff. Unsafe staffing level or competence (>1 day). Low morale. Poor staff attendance for mandatory / key training
4 Major: Ongoing problems with staffing. Uncertain delivery of key objective / service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory / key training
5 Catastrophic: Non-delivery of key objective / service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training / key training on an ongoing basis
Service Delivery - Statutory duty / inspections
1 Negligible: No or minimal impact or breach of guidance / statutory duty. Small number of recommendations which focus on minor quality improvement issues
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved. Recommendations made which can be addressed by low level of management action
3 Moderate: Single breach in statutory duty. Challenging recommendations that can be addressed with appropriate action plan / improvement notice
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report
Service Delivery - Business objectives / projects
1 Negligible: Insignificant cost increase / schedule slippage, reduction in scope or quality
2 Minor: <5% over project budget; minor reduction in scope, quality or schedule
3 Moderate: 5-10% over project budget; reduction in scope or quality of project, project objectives or schedule
4 Major: 10-25% over project budget; significant project over-run; key objectives not met
5 Catastrophic: >25% over project budget; inability to meet project objectives; reputation of the organisation seriously damaged
Service Delivery - Services / Business Interruption; Environmental impact
1 Negligible: Interruption in a service which does not impact on the delivery of patient care or the ability to continue to provide service. Minimal or no impact on the environment
2 Minor: Short term disruption to service with minor impact on patient care. Minor impact on the environment
3 Moderate: Some disruption in service with unacceptable impact on patient care. Temporary loss of ability to provide service. Moderate impact on the environment
4 Major: Sustained loss of service which has serious impact on delivery of patient care resulting in major contingency plans being invoked. Major impact on the environment
5 Catastrophic: Permanent loss of core service or facility. Disruption of facility leading to significant ‘knock-on’ effect. Catastrophic impact on the environment
Reputation - Adverse Publicity / Reputation
1 Negligible: Rumours, no media coverage but potential for public concern. Little effect on staff morale
2 Minor: Local media coverage – short-term reduction in public confidence. Elements of public expectation not being met. Minor effect on staff morale / public attitudes
3 Moderate: Local media coverage – long-term adverse publicity. Significant effect on staff morale and public perception of the organisation
4 Major: National media / adverse publicity, less than 3 days. Service well below reasonable public expectation. Public confidence in the organisation undermined. Use of services affected
5 Catastrophic: National / International media / adverse publicity, more than 3 days. MSP/MP concern (Questions in Parliament). Court Enforcement. Public Inquiry / FAI. Service well below reasonable public expectation. Total loss of public confidence
Financial – Claims, fraud, overpayment, unavoidable payment
1 Negligible: Negligible organisational financial loss (less than £10K)
2 Minor: Minor organisational financial loss (£11k to £50K)
3 Moderate: Significant organisational financial loss (£51k to £200k)
4 Major: Major organisational financial loss (£201k to £500k)
5 Catastrophic: Severe organisational financial loss (£500k - £200k plus)
Information Governance / Records Management
1 Negligible: Damage to an individual’s reputation. Possible media interest. Potentially serious breach. Less than 5 people affected or risk assessed as low, e.g. files were encrypted
2 Minor: Damage to a team’s reputation. Some local media interest. Serious potential breach and risk assessed high, e.g. unencrypted clinical records lost. Up to 20 people affected
3 Moderate: Damage to a service’s reputation / local media coverage. Serious breach of confidentiality, e.g. up to 100 people affected
4 Major: Damage to an organisation’s reputation / local and politically sensitive media coverage. Serious breach with either particular sensitivity, e.g. sexual health details, or up to 1000 people affected
5 Catastrophic: Damage to NHS reputation / national media coverage. Serious breach with potential for ID theft or over 1000 people affected
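To show how the likelihood bands and the Information Governance impact descriptors above can be applied consistently to a risk register entry, here is an added Python example. It is not the CCG's own tooling; the band edges the appendix leaves open (49-50% and exactly 80% likelihood, and how far encryption lowers an IG breach) are resolved by stated assumptions in the comments, and combining the two scores by multiplication is an assumption borrowed from the NPSA convention rather than something this appendix states.

```python
"""Score a risk register entry against the Appendix B bands.

Constructed example, not the CCG's own code. Likelihood bands and the
Information Governance / Records Management impact descriptors follow the
appendix; the product of likelihood and impact as the overall rating is an
assumption (the common NPSA convention), not stated in the appendix.
"""
from dataclasses import dataclass

LIKELIHOOD_DESCRIPTORS = {1: "Rare", 2: "Unlikely", 3: "Possible",
                          4: "Likely", 5: "Very Likely"}
IMPACT_DESCRIPTORS = {1: "Negligible", 2: "Minor", 3: "Moderate",
                      4: "Major", 5: "Catastrophic"}


def likelihood_score(probability_pct: float) -> int:
    """Map a % probability to the 1-5 likelihood score.

    Appendix bands: <2.5, 2.5-<10, 10-49, 50-80, >80. The appendix does
    not say where 49-50% or exactly 80% fall; assumption here is that each
    band runs up to the next band's lower bound, so 49.5 scores 3 and
    exactly 80 scores 4.
    """
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    if probability_pct < 2.5:
        return 1
    if probability_pct < 10:
        return 2
    if probability_pct < 50:
        return 3
    if probability_pct <= 80:
        return 4
    return 5


@dataclass
class IGBreach:
    """Facts about a confidentiality breach that the IG impact row keys on."""
    people_affected: int
    encrypted: bool = False               # e.g. lost files were encrypted
    particularly_sensitive: bool = False  # e.g. sexual health details
    id_theft_potential: bool = False


def ig_impact_score(breach: IGBreach) -> int:
    """Score per the Information Governance / Records Management row.

    Checks run from the most severe descriptor downwards so the worst
    applicable descriptor wins. Assumption: encryption ("risk assessed as
    low") only brings a breach of up to 20 people down to score 1.
    """
    if breach.id_theft_potential or breach.people_affected > 1000:
        return 5
    if breach.particularly_sensitive or breach.people_affected > 100:
        return 4
    if breach.people_affected > 20:
        return 3
    if breach.people_affected < 5 or breach.encrypted:
        return 1
    return 2  # 5 to 20 people affected, unencrypted records


def rate_risk(probability_pct: float, impact: int) -> dict:
    """Combine the two scores; rating = likelihood x impact is an assumption."""
    if impact not in IMPACT_DESCRIPTORS:
        raise ValueError("impact must be 1-5")
    likelihood = likelihood_score(probability_pct)
    return {
        "likelihood": likelihood,
        "likelihood_descriptor": LIKELIHOOD_DESCRIPTORS[likelihood],
        "impact": impact,
        "impact_descriptor": IMPACT_DESCRIPTORS[impact],
        "rating": likelihood * impact,
    }


if __name__ == "__main__":
    # Constructed register entry: unencrypted clinical records for 12 people
    # lost, judged about 30% likely to recur in the review period.
    entry = IGBreach(people_affected=12)
    print(rate_risk(30, ig_impact_score(entry)))
```

Because the severity checks run top down, a small breach that carries ID-theft potential still scores 5, which matches the appendix's "either ... or" wording for the higher descriptors; the register owner should record which descriptor drove the score so the reasoning survives review.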