
Page 1: RISK MANAGEMENT POLICY Management Policy.pdf · Quality Managers (or equivalent for non-clinical business areas) are responsible for: facilitating implementation of the Risk Management

Risk Management Policy Version No.2.0 Page 1 of 26

RISK MANAGEMENT POLICY

Document Author Authorised

Written By: Governance Advisor Date: 19 March 2018

Authorised By: Chief Executive

Date: 1st July 2019

Lead Director: Director of Quality Governance

Effective Date: 1st July 2019

Review Date: 30th June 2022

Approval at: Policy Management Sub-Committee

Date Approved: 1st July 2019


DOCUMENT HISTORY (Procedural document version numbering convention will follow the following format. Whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc. With decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time – the initial draft will be version 0.1)

Date of Issue | Version No. | Date Approved | Director Responsible for Change | Nature of Change | Ratification / Approval
19/3/18 | 0.1 | | Director of Quality Governance | Total re-write of Policy by Governance Advisor |
20/3/18 | 0.2 | | Director of Quality Governance | Amendments following receipt of comments from Director of Quality Governance |
23/3/18 | 0.3 | | Director of Quality Governance | Amendments following discussion with Risk Management Team |
27/3/18 | 0.4 | | Director of Quality Governance | Amendments following receipt of comments from Risk Management Team |
10/04/18 | 0.4 | | Director of Quality Governance | Comments referring to relation between this policy and H&S Policy taken into consideration | Policy Management Sub-Committee
13/04/18 | 0.4 | | Director of Quality Governance | Any comments relating to policy to go to Lead Director | Operational Risk Sub-Committee
08/05/18 | 1.0 | 08/05/2018 | Director of Quality Governance | Approved at Policy Management Sub-Committee |
28/05/19 | 1.1 | | Director of Quality Governance | Draft revisions - subject to DQG review |
27/06/19 | 1.1 | | Director of Quality Governance | Voting buttons to members of Operational Risk Sub-Committee |
01/07/19 | 2.0 | | Director of Quality Governance | Approved via voting buttons by Policy Management Sub-Committee |

NB This policy relates to the Isle of Wight NHS Trust hereafter referred to as the Trust


Contents

1 Executive Summary (page 4)
2 Introduction (page 4)
3 Definitions (page 4)
4 Scope (page 5)
5 Purpose (Policy Statement) (page 5)
6 Board Assurance Framework (page 5)
7 Roles and Responsibilities (page 6)
8 Consultation (page 8)
9 Training (page 8)
10 Monitoring Compliance and Effectiveness (page 8)
11 Links to other Organisational Documents (page 9)
12 References (page 9)
13 Appendices (page 9)

Appendix 1 Risk Management Process
Appendix 2 Objective Setting Process
Appendix 3 Process for Including Risks on the Risk Register
Appendix 4 Potential Risk Template
Appendix 5 Risk Identification
Appendix 6 Identifying Controls and Actions
Appendix 7 Risk Reporting, Oversight and Escalation
Appendix 8 Financial and Resourcing Impact Assessment on Policy Implementation
Appendix 9 Equality Impact Assessment (EIA) Screening Tool


1 Executive Summary This Policy clearly sets out the expectations and requirements of individuals and meetings at each level within the Trust regarding the management of risk. It includes a number of useful templates as appendices to support the practical implementation of the Policy.

2 Introduction What is ‘risk’? Risk is defined as an uncertain event or set of events, which should it occur, will have an effect upon (i.e. threaten) the achievement of objectives. Risk consists of a combination of the likelihood of the ‘threat’ happening and the impact of that threat happening.

What is ‘Risk Management’? Risk Management is the term used to describe the activities required to identify, understand and control exposure to uncertain events which may threaten the achievement of objectives.

Why do we do it? Risk Management is a key component of management and clinical practice as it aims to ensure that:

Achievement of objectives is more likely

Adverse (damaging) events are less likely

Costly re-work and ‘fire-fighting’ are reduced

Capital expenditure and revenue resources are utilised more efficiently and effectively

Performance is improved (including quality, finance, operational and workforce)

Decision-making is much better informed

Positive outcomes for patients, service users and stakeholders are increased

Our reputation is protected and enhanced

3 Definitions There are a number of terms used when describing risk management. However, the following table sets out the key terms which are featured within this policy and are therefore applicable to our risk management process.

Key Term: Definition

Risk Management: Risk Management is the term used to describe the activities required to identify, understand and control exposure to uncertain events which may threaten the achievement of objectives.

Risk: Risk is described as the combination of:
Condition (Summary of the risk – this should be concise)
Cause (List all potential causes of the risk – what could make this risk happen?)
Consequence (resulting in – what is the impact?)

Control: Existing arrangements which are in place to assist in the mitigation of the risk and the achievement of an objective. For example, a policy, incident reporting or training programmes.

Assurance: Assurance is the evidence which describes how effective our controls are. This is used only for strategic risks reported via the Board Assurance Framework.

Risk Appetite: Sets out the levels and types of risk we are prepared to accept (and not accept) in achieving our objectives.

Risk Register: A record of all identified risks relating to a set of objectives, including their history, status and risk score. The purpose of a risk register is to evidence and drive risk management activities and it is used as a source or means of risk reporting.

Project / Programme Risks: Project and programme risks are managed in the same way as other risks in the Trust but there are slight differences in the approach. Risk registers or logs will still be maintained for risks to programmes or projects but these are held as part of the project documentation held within the Programme Management Office. However, this project documentation may be referred to as a source of control and / or assurance, within related risks held on the Risk Register.

Board Assurance Framework: A document that provides details to the Board and Committees of the Board regarding the strategic risks associated with the delivery of strategic objectives and includes information regarding the risk scores, controls and assurances in place, gaps in controls and assurances and planned actions to mitigate the risks.

4 Scope This policy identifies the lines of accountability for management of risk throughout the Trust and is applicable to all staff.

5 Purpose (Policy Statement) The Trust is committed to ensuring that the highest standards of service are provided and recognises the fundamental role that risk management has in enabling this.

6 Board Assurance Framework (BAF) The role of the BAF is to provide evidence and structure to support effective management of Risk within the organisation. The BAF provides evidence to support the Annual Governance Statement. It is a Board level document and is the responsibility of the Chief Executive and the Executive team. The BAF provides this totality of assurance and identifies which of the Trust’s strategic objectives are at risk of not being delivered. At the same time, it provides positive assurance where risks are being managed effectively and objectives are being delivered. This allows the Board to determine where to make most efficient use of their resources and address the issues identified in order to deliver the Trust’s strategic objectives. The process for gaining assurance is fundamentally about taking all of the relevant evidence together and arriving at informed conclusions. The most objective assurances are derived from independent reviewers; these are supplemented by internal sources such as clinical audit, internal management representations, performance management and self-assessment reports. The BAF template will be continuously adapted in line with Trust risk maturity development and risk system development improvements. It includes as a minimum the following:

Strategic objective

Risk description and Lead Director

Key controls

Sources of internal and external /independent assurance.

Gaps in controls

Gaps in assurance.

Inherent risk score and Target risk score.

Comments/planned actions.

Consequence or impact.

Likelihood.

Current risk score.

Direction of travel of risk since last report.


The BAF will cover all of the Trust’s main activities, identifying any risk that may prevent the achievement of the objectives. It will also identify the internal controls in place to manage these risks, and the assurances in place to check whether the listed controls are effective. The BAF will be rated independently of the risk rating using a traffic light system (red, amber, green) based on the overall depth and scope of the controls and assurances in place to meet the objective. These assurances may derive from internal or external sources such as monitoring against key performance targets or establishing effective reporting mechanisms within the Trust to the Trust Board. The Trust Board will use the BAF as a dynamic tool to drive the board agenda through the following activities:

The BAF will be reviewed on a quarterly basis by each of the relevant Assurance Committees for the areas they are responsible for overseeing.

Each Assurance Committee shall then provide feedback which is collated into a summary report across the BAF as a whole to the Trust Board.

The Board shall receive and approve the risk assessment for each aspect of the BAF on a quarterly basis.

Specific risks or objectives will be subject to more in-depth scrutiny through the production of a report from the executive lead and if necessary the nominated or operational lead. The relevant Assurance Committee will also seek assurance that the overall rating against each objective is in accordance with the confidence in the effectiveness of controls and outcome measures (i.e. current levels of performance).

7 Roles and Responsibilities All staff have a responsibility for risk management; however, the following provides an overview of those with specific responsibilities to ensure the implementation of this policy.


Chief Executive is responsible for:

reviewing the strategic objectives of the Trust with the Board

ensuring that the Trust has a Risk Management Policy in place and that it is delivered

Executive Directors are responsible for:

ensuring delivery of the strategic objectives

identification, control, monitoring and reporting of the risks which may threaten achievement of strategic objectives

maintaining accurate and up to date risk registers, relevant to their objectives and report through the Board Assurance Framework

Quality Governance Department is responsible for:

development and review of the Risk Management Policy

provision of education, support and expertise in relation to Risk Management

provision of education and training on the Risk Management Policy

provision of training of Datix Risk Management system

facilitating the reporting of appropriate risks to the Board, Committees and Operational Risk Sub-Committee

facilitating the provision of a Board Assurance Framework to the Board and Committees

monitoring and reporting compliance with the Risk Management Policy

facilitating the reporting of appropriate risks to specialist corporate groups

Clinical Directors, Heads of Operations and Heads of Nursing and Quality (or equivalent for non-clinical business areas) are responsible for:

leading and overseeing implementation of the Risk Management Policy at Divisional / Care Group Level which includes the effective identification, control, monitoring and reporting of the risks which may threaten achievement of area objectives.

facilitating the reporting and where necessary, escalation of appropriate risks to the Operational Risk Sub-Committee from the area

maintaining accurate and up to date risk registers, relevant to their area / service objectives

Quality Managers (or equivalent for non-clinical business areas) are responsible for:

facilitating implementation of the Risk Management Policy at Divisional / Care Group Level which includes the effective identification, control, monitoring and reporting of the risks which may threaten achievement of area objectives, in accordance with the procedure set out within this policy

monitoring and reporting compliance with the Risk Management Policy at area level, as directed by the Quality Governance Department

‘Risk Owners’ including all Departmental / Ward / Service Managers are responsible for:

identification, control, monitoring and reporting of the risks which may threaten achievement of Divisional / Care Group area objectives, in accordance with the procedure set out within this policy

maintaining accurate and up to date risk registers, relevant to area objectives

Chairs of Specialist Sub-Committees (e.g. Information Governance Sub-Committee) are responsible for:

identification, management and oversight of risks relevant to their specialist subject, ensuring appropriate action is taken

reporting to the relevant Committee

reporting, where appropriate, to the Operational Risk Sub-Committee


Chairs of Specialist Groups (e.g. Infection Prevention Control Group) are responsible for:

identification, management and oversight of risks relevant to their specialist subject, ensuring appropriate action is taken

reporting to the relevant Sub-Committee

8 Consultation This Policy was written by the Governance Advisor to the Trust and drafts were considered by Director of Quality Governance, Risk Management Team, Operational Risk Sub-Committee and Policy Management Sub-Committee.

9 Training

Type of Training | How to Access Training | Who Requires Training
Potential Risk Template completion | Step by step instructions are included on the Potential Risk Template (appendix 4); additional support is available from the Quality Governance Department | Any staff member identifying a risk for inclusion on the Risk Register
Risk Management Policy Training | Quality Governance Department | Clinical Directors; Heads of Operations; Quality Managers; Matrons; Central Functions risk register leads as determined by each Division
Datix Risk Register completion | Quality Governance Department | As listed above, or any staff member with delegated authority from the above to input risks directly onto the risk register
Health & Safety Risk Assessment Training | Quality Governance Department | As listed above, or any staff member with delegated authority from the above to input risks directly onto the risk register

10 Monitoring Compliance and Effectiveness

10.1 Monitoring Arrangements

In addition to individual roles and responsibilities for monitoring risks:

Committee Assurance

The Audit Committee is responsible for oversight of the Risk Management Policy and will receive quarterly reports in the form of the Board Assurance Framework.


In addition, the Assurance, Risk and Compliance Committee, the Performance Committee and the Quality Committee will consider Board Assurance Framework Reports which are relevant to their area of strategic oversight.

Audit

The Quality Governance Department will undertake regular reviews of compliance against this policy, including data quality elements and a range of key performance indicators (KPIs), which will be reported as appropriate to the Operational Risk Sub-Committee.

An annual audit of compliance will take place as part of the Internal Audit Programme and will be reported to the Audit Committee / Assurance, Risk and Compliance Committee.

10.2 Review

This policy will be reviewed by the Quality Governance Department at least every three years post ratification, unless it is deemed necessary to do so sooner.

11 Links to other Organisational Documents

Risk Management Strategy

Incident Management Policy

Health & Safety Policy

12 References None

13 Appendices

Appendix 1 Risk Management Process
Appendix 2 Objective Setting Process
Appendix 3 Process for Including Risks on the Risk Register
Appendix 4 Potential Risk Template
Appendix 5 Risk Identification
Appendix 6 Identifying Controls and Actions
Appendix 7 Risk Reporting, Oversight and Escalation
Appendix 8 Financial and Resourcing Impact Assessment on Policy Implementation
Appendix 9 Equality Impact Assessment (EIA) Screening Tool


Appendix 1 Risk Management Process

Strategic Objectives are set annually by the Board. Business area Objectives are set as part of the Annual Planning Process.

Identification of risks is an ongoing process. Risks are described as a statement which comprises the condition, cause and consequence. All risks should be aligned to objectives but will often emerge from an operational level. The process for entering risks onto the Risk Register is at appendix 3. The Potential Risk Template is at appendix 4. Further guidance on Risk Identification is in appendix 5.

Risks should be assessed for their impact and likelihood using the Risk Rating Matrix. When using the matrix, you should assess the likelihood of the cause (how likely is this to happen) and the impact (what level of harm or consequence could this risk have). The Risk Scoring Matrix is at appendix 4.

Identify the existing controls which are in place to mitigate against the risk and achieve the objective. For example policies, procedures, incident reporting and training. See appendix 6 for further guidance.

Identify the gaps in controls that will be used to identify actions (see below).

Identify the further actions (including responsible leads and timescales) which are needed to reduce the likelihood or impact of the risk. See appendix 6 for further guidance.

The format, frequency and forum for reporting and oversight of risks is determined by the type of risk (i.e. strategic, corporate, business area) and the level of risk. Some risks will require escalation which means that they will be subject to a greater level of oversight. The oversight, reporting and escalation process can be found at appendix 7.

[Process diagram: Objective Setting → Risk Identification → Risk Rating → Identify Controls → Identify Gaps in Controls → Identify Actions → Risk Reporting, Escalation & Oversight]


Appendix 2 Objective Setting Process

Annual Strategic Objective Review / Setting Mechanism: Trust Board

Annual Objective Review / Setting Mechanism: Operational Business Plan Refresh and Divisional Board


Appendix 3 Process for Including Risks on the Risk Register

1. Risk identified.

2. Potential risk considered using the Potential Risk Template (appendix 4). Training and support for completing the Potential Risk Template is available from the Quality Governance Department.

3. Potential Risk Template submitted to the Business area / Service Line to review the risk and to consider inclusion on the risk register. If a risk is submitted but not accepted by the Business area / Service Line, the Potential Risk Template can be escalated to the Quality Governance Department for advice and a view.

4. If a decision has been taken to include the risk on the Risk Register, this should be entered onto the Datix System.


Appendix 4 Potential Risk Template

A. DESCRIPTION OF POTENTIAL RISK

Condition: (Risk Title)

Cause:

*Consequence:

*when describing the ‘consequence’, consider the following:

Impact on the safety of patients, staff or public (physical / psychological harm)

Impact on Quality / Complaints / Audit

Impact on Human Resources / Organisational Development / Staffing / Competence

Impact on Statutory Duty / Inspections

Impact on Adverse Publicity / Reputation

Impact on Business Objectives / Projects

Impact on Finance including Claims

Impact on Service / Business Interruption / Environment

B. LIKELIHOOD AND IMPACT ASSESSMENT Step 1: To assess the likelihood of your risk, you must focus on the cause of your risk description and determine the frequency that the cause might happen / recur.

Likelihood | Description | Likelihood Score
Rare | This will probably never happen / recur. Not expected to occur for years. | 1
Unlikely | Do not expect it to happen / recur but it is possible it may do so. Expected to occur at least annually. | 2
Possible | Might happen or recur occasionally. Expected to occur at least monthly. | 3
Likely | Will probably happen / recur but it is not a persisting issue. Expected to occur at least weekly. | 4
Almost Certain | Will undoubtedly happen / recur, possibly frequently. Expected to occur at least daily. | 5

Step 2: To assess the impact of your risk, you must focus on the consequence of your risk description, using the Impact Score Matrix below.

It is possible that your risk may have more than one impact, for example financial loss, service disruption and patient safety. You should use this table to impact score each of these categories separately and then select the one that has the highest impact.

Impact Domains and Impact Score Descriptions (1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic)

Impact on the safety of patients, staff or public (physical / psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work.
2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days. Increase in length of hospital stay by 1-3 days.
3 Moderate: Moderate injury requiring professional intervention. Requiring time off work for 4-14 days. Increase in length of hospital stay by 4-15 days. RIDDOR/agency reportable incident. An event which impacts on a small number of patients.
4 Major: Major injury leading to long-term incapacity/disability. Requiring time off work for >14 days. Increase in length of hospital stay by >15 days. Mismanagement of patient care with long-term effects.
5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An event which impacts on a large number of patients.

Quality / Equality / Complaints / Audit
1 Negligible: Peripheral element of treatment or service suboptimal. Informal complaint/inquiry.
2 Minor: Overall treatment or service suboptimal. Formal complaint (stage 1). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved.
3 Moderate: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2). Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple complaints/independent review. Low performance rating. Critical report.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards.

Human Resources / Organisational Development / Staffing / Competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (<1 day).
2 Minor: Low staffing level that reduces the service quality.
3 Moderate: Late delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale. Poor staff attendance for mandatory/key training.
4 Major: Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/key training.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory/key training on an ongoing basis.

Statutory Duty / Inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty.
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
3 Moderate: Single breach in statutory duty. Challenging external recommendations/improvement notice.
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report.
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report.

Adverse Publicity / Reputation
1 Negligible: Rumours. Potential for public concern.
2 Minor: Local media coverage with short-term reduction in public confidence. Elements of public expectation not being met.
3 Moderate: Local media coverage with long-term reduction in public confidence.
4 Major: National media coverage with <3 days service well below reasonable public expectation.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House). Total loss of public confidence.

Business Objectives / Projects
1 Negligible: Insignificant cost increase/schedule slippage.
2 Minor: <5 per cent over project budget. Schedule slippage.
3 Moderate: 5–10 per cent over project budget. Schedule slippage.
4 Major: 10–25 per cent over project budget. Schedule slippage. Key objectives not met.
5 Catastrophic: >25 per cent over project budget. Schedule slippage. Key objectives not met.

Finance including Claims
1 Negligible: Small loss. Risk of claim remote.
2 Minor: Loss of 0.1–0.25 per cent of budget. Claim less than £10,000.
3 Moderate: Loss of 0.25–0.5 per cent of budget. Claim(s) between £10,000 and £100,000.
4 Major: Uncertain delivery of key objective/loss of 0.5–1.0 per cent of budget. Claim(s) between £100,000 and £1 million. Purchasers failing to pay on time.
5 Catastrophic: Non-delivery of key objective/loss of >1 per cent of budget. Failure to meet specification/slippage. Loss of contract / payment by results. Claim(s) >£1 million.

Service / Business Interruption / Environmental Impact
1 Negligible: Loss/interruption of >1 hour. Minimal or no impact on the environment. No impact on other services.
2 Minor: Loss/interruption of >8 hours. Minor impact on environment. Impact on other services within the Division.
3 Moderate: Loss/interruption of >1 day. Moderate impact on environment. Impact on services within other Divisions.
4 Major: Loss/interruption of >1 week. Major impact on environment. Impact on all Divisions.
5 Catastrophic: Permanent loss of service or facility. Catastrophic impact on environment. Impact on services external to the Trust.

Information Security / Data Protection
1 Negligible: Potential breach of confidentiality with less than 5 people affected. Encrypted files.
2 Minor: Serious potential breach of confidentiality with 6–20 people affected. Unencrypted clinical records lost.
3 Moderate: Serious breach of confidentiality with 21–100 people affected. Inadequately protected PCs, laptops and remote devices.
4 Major: Serious breach of confidentiality with 101–1000 people affected. Particularly sensitive details (e.g. sexual health).
5 Catastrophic: Serious breach of confidentiality with over 1001 people affected. Potential for ID theft.

Step 3: To identify your risk score, take the result of your likelihood assessment and the result of your impact assessment and use the multiplication table below.

For example, if the likelihood score is ‘3’ and the impact score is ‘4’, multiplying them together gives a risk score of ‘12’.

                     Impact Score
Likelihood Score     1     2     3     4     5

        1            1     2     3     4     5

        2            2     4     6     8    10

        3            3     6     9    12    15

        4            4     8    12    16    20

        5            5    10    15    20    25

The numerical risk score will fall within one of the ranges shown below; this determines whether the risk is ‘low’, ‘moderate’, ‘high’ or ‘extreme’.

Risk Score

1 – 3 Low

4 – 6 Moderate

8 – 12 High

15 – 25 Extreme

Overall Risk Score (Likelihood x Impact)

Likelihood: Impact: Score:

C. CONTROLS


Step 4: Review and update your controls and gaps in controls and record them in the table below. Guidance on describing controls can be found at appendix 6.

Existing Controls Gaps in Controls

D. FURTHER ACTIONS

Step 5: Review and update your action plan to address any gaps in controls.

Action | Person Responsible | Due Date


Appendix 5 Risk Identification

1. What is a risk and what is not a risk? A risk is an uncertain event or set of events which, should it occur, will have an effect upon the achievement of objectives. Therefore:

Risk is ‘uncertainty’:

an event that might happen because of a cause

an event that might happen because of current circumstances

Risk is not ‘certainty’, which involves:

an incident, which is an event which has happened

an issue which will or is happening

2. How is a risk described? A risk should be described with three components: the condition, the cause and the consequence.

Condition: This part of the description should focus on the condition which will occur if the cause happens.

Cause: This part of the description should capture the cause.

Consequence: This part of the description should describe the consequence of the event. For example, this may be:

impact upon strategic objectives

financial loss

reputational damage

quality / patient safety is compromised

operational disruption

legal / regulatory action

Example

Condition: Patients may not be evacuated safely

Cause: should there be a fire

Consequence: resulting in legal / regulatory action, compromised patient safety, service disruption and financial loss.

3. How risks should not be described

Failure of the Objective: Objective: To expand into more geographical territories. Risk: Not expanding into new territories.

Questioning the Objective: Expanding into more geographical territories could place us in competition with other providers in those areas.

Composite Risks (i.e. using ‘or’): Appropriate facilities may not be available or there may be resistance or we may not be able to recruit sufficient staff.

One-word risks: ‘Fraud’, ‘Fire’, ‘Reputation’

Statement of fact: There is a risk that projects may fail

Failure to…: Failure to recruit enough staff / failure to control costs

Incident: Due to the computer system crashing

Issue: Because we don’t have enough staff…. / when the new legislation is introduced…

Whinge: We’ve been told that a new computer system is being introduced, but nothing has been done to provide training to the staff

Essay: When the computer service centre was moved three years ago, various changes were made to working practices. Break times were extended, section leaders were appointed, cross training was provided as a back-up for absence. Now more changes are underway, so we are likely to have short term additional staffing costs. We are also spending more than planned on support for the new IT system, which may necessitate us to cut back in other areas, leading to an adverse impact on staff morale, lower service levels and damage to our reputation.


Appendix 6 Identifying Controls and Actions

1. Identifying Controls

Generally speaking, the purpose of a control is to constrain risk rather than to eliminate it. A control is any action taken to manage risk. Such actions may be taken to manage either the impact if the risk is realised or the frequency with which the risk is realised. When you are identifying controls, these must already be in place. Any controls to further constrain risk which are not yet in place should be addressed within your action plan; once in place, they become a control.

Examples of controls can include:

Policies and procedures

People, for example, a person who may have a specific role in delivery of an objective

Training

Processes / practices, for example, a specific process which ensures the delivery of an objective

2. Identifying Actions

Once you have identified your controls and gaps in controls, you will need to identify what further actions need to be taken to achieve your objective / reduce the risk if possible, including timescales and responsible person for each action.


Appendix 7 Risk Reporting, Oversight and Escalation

1. Risk Reporting

Risks should be reported in the form of a Risk Register (except where this policy defines an alternative format in the table under section 2 below). A risk register is simply a record of all identified risks relating to a set of objectives, including their history and their status. A risk register is a tool designed to help managers achieve their objectives and to drive and provide evidence of risk management activities. To ensure risk reporting is meaningful and effective, a Risk Register Report should include the following fields (all of which should be accurately completed within Datix).

ID Number: The unique identifier for your risk, automatically generated by Datix.

Risk Title: The short title which describes the subject of the risk (the condition).

Risk Owner: The person responsible for management of the risk.

Description of Risk: The risk description should follow the guidance set out within appendix 5 and should combine the cause and the consequence.

Inherent Risk Rating: To confirm the ‘gross’ risk rating which was identified at the point of identifying the risk.

Existing Controls: To identify the controls in place to manage the risk and achieve the objective (as set out within appendix 6).

Gaps in Controls: To identify gaps in controls (as set out within appendix 6).

Current Risk Rating: To confirm the risk rating once the existing controls have been taken into consideration.

Oversight Forum / Assurance Committee: This is the meeting where the risk will be reviewed and / or challenged. Also, if there is a specialist element to the risk, then the specialist group (e.g. Infection Prevention Control) should be selected.

Response to Risk: What is the Trust going to do about this risk?

Strategic Objective: To identify which of the Trust’s Strategic Objectives the risk will have an impact upon.

Action Plan: To identify the further actions required.

Person Responsible: To identify who is responsible for carrying out the action.

Due Date: To identify when the action will be completed.

Completed Date: To confirm the date that the action has been completed.

Within Datix there is a requirement to complete a Response to Risk section. The following are the definitions for each option.

Types of Risk Response (the 4 ‘T’s)

Terminate: To close the risk.

Transfer: Passes the risk to a third party, who bears or shares the impact.

Treat: Reduces the likelihood and / or the impact.

Tolerate: Accepts the risk, subject to monitoring.


2. Risk Oversight Framework

Risks are overseen at various levels throughout the Trust. The table below sets out the levels at which risks must be reported and overseen:

Level of Escalation / Oversight | Level / Types of Risk | Role and Purpose of Oversight | Style of Report

CORPORATE OVERSIGHT

Board
Level / Types of Risk: Risks identified against Strategic Objectives
Role and Purpose of Oversight: Scrutiny of the risks identified and holding responsible persons to account for the action being taken. Assurance from the Audit Committee that the process is working effectively.
Style of Report: Board Assurance Framework (BAF)

Assurance, Risk and Compliance Committee / Performance Committee / Quality Committee
Level / Types of Risk: Risks identified against Strategic Objectives – relevant to their area of focus
Role and Purpose of Oversight: Scrutiny of the risks identified and holding responsible persons to account for the action being taken.
Style of Report: Board Assurance Framework (BAF)

Audit Committee
Level / Types of Risk: Risks identified against Strategic Objectives
Role and Purpose of Oversight: Assurance from the Assurance, Risk and Compliance Committee, Quality Committee and Performance Committee that the process is working effectively.
Style of Report: Board Assurance Framework (BAF)

Performance Management Reviews
Level / Types of Risk: Top Business Risks; new risks; risk increases; risks for escalation
Role and Purpose of Oversight: Scrutiny of the risks identified and holding responsible persons to account for the action being taken.
Style of Report: Business Performance Management Review Presentation

Trust Leadership Committee
Level / Types of Risk: A summary of risks considered by the Operational Risk Sub-Committee
Role and Purpose of Oversight: Assurance that the Operational Risk Sub-Committee is fulfilling its Terms of Reference.
Style of Report: Output Summary Report from Operational Risk Sub-Committee

Operational Risk Sub-Committee
Level / Types of Risk: All risks scoring 12 or above from Business Risk Registers
Role and Purpose of Oversight: Scrutiny and challenge of risks scoring 12 or above. Referral to and assurance from key specialist corporate groups as appropriate.
Style of Report: Risk Oversight Report (taken from Risk Registers)

Specialist Groups
Level / Types of Risk: All ‘corporate’ risks relevant to their area of specialism.
Role and Purpose of Oversight: Identification, management and oversight of risks relevant to their specialist subject, ensuring appropriate action is taken.
Style of Report: Corporate Risk Register

DIVISIONAL OVERSIGHT

Business Boards
Level / Types of Risk: All risks scoring 8 or above
Role and Purpose of Oversight: Challenge, review and monitoring of all risks scoring 8 or above. Escalation of risks to Operational Risk Sub-Committee.
Style of Report: Risk Register

Business Governance Group
Level / Types of Risk: All risks
Role and Purpose of Oversight: Scrutiny, challenge, review and monitoring of all Divisional risks. Escalation of risks to Business Board.
Style of Report: Risk Register

Operational Groups
Level / Types of Risk: All relevant risks
Role and Purpose of Oversight: Scrutiny, challenge, review and monitoring of all Operational risks.
Style of Report: Risk Register

3. Risk Escalation to the Corporate Risk Register

Risk escalation to the Corporate Risk Register is where a risk is specifically drawn to the attention of the Operational Risk Sub-Committee for inclusion on the Corporate Risk Register. Although the Operational Risk Sub-Committee will make a decision on those risks which will be included on the Corporate Risk Register, these will, in most circumstances, be:

Emergent risks which span multiple Business areas and are not already subject to corporate oversight

Risks where the action required does not fall within the full control of the Business area

Risks which are overseen by Specialist Groups due to their nature

4. Corporate Risk Register Escalation Process

Step 1: The Division identifies a risk requiring escalation and reports it to the Operational Risk Sub-Committee.*

Step 2: The appropriate Executive Lead / Specialist Corporate Group is identified. ‘Appropriate’ refers to the person / group most suitable for providing a response to the Operational Risk Sub-Committee on the corporate action being taken and for including the risk on the Corporate Risk Register if / when agreed.

Step 3: The Quality Governance Department, on behalf of the Operational Risk Sub-Committee, informs the appropriate Executive Lead / Specialist Group and requests a response to the escalated risk which can be reported back to the Division at the next Operational Risk Sub-Committee meeting.

Step 4: If deemed appropriate, the escalated risk will be included on the Corporate Risk Register and monitored in accordance with the Risk Oversight Framework above.

* In between monthly Operational Risk Sub-Committee meetings, risks requiring escalation should be reported to the Quality Governance Department.


Appendix 8 Financial and Resourcing Impact Assessment on Policy Implementation

NB this form must be completed where the introduction of this policy will have either a positive or negative impact on resources. Therefore this form should not be completed where the resources are already deployed and the introduction of this policy will have no further resourcing impact.

Document title: Risk Management Policy

Totals | WTE | Recurring £ | Non-Recurring £

Manpower Costs

Training Staff

Equipment & Provision of resources

Summary of Impact: No direct financial impact

Risk Management Issues:

Benefits / Savings to the organisation:

Equality Impact Assessment

Has this been appropriately carried out? YES/NO

Are there any reported equality issues? YES/NO

If “YES” please specify:

Use additional sheets if necessary. Please include all associated costs where an impact on implementing this policy has been considered. A checklist is included for guidance but is not comprehensive so please ensure you have thought through the impact on staffing, training and equipment carefully and that ALL aspects are covered.

Manpower | WTE | Recurring £ | Non-Recurring £

Operational running costs

Totals:

Staff Training Impact | Recurring £ | Non-Recurring £

Totals:


Equipment and Provision of Resources | Recurring £ * | Non-Recurring £ *

Accommodation / facilities needed

Building alterations (extensions/new)

IT Hardware / software / licences

Medical equipment

Stationery / publicity

Travel costs

Utilities e.g. telephones

Process change

Rolling replacement of equipment

Equipment maintenance

Marketing – booklets/posters/handouts, etc.

Totals:

Capital implications £5,000 with life expectancy of more than one year.

Funding /costs checked & agreed by finance:

Signature & date of financial accountant:

Funding / costs have been agreed and are in place:

Signature of appropriate Executive or Associate Director:


Appendix 9

Equality Impact Assessment (EIA) Screening Tool

1. To be completed and attached to all procedural/policy documents created within individual services.

2. Does the document have, or have the potential to deliver differential outcomes or affect in an adverse way any of the groups listed below? If no confirm underneath in relevant section the data and/or research which provides evidence e.g. JSNA, Workforce Profile, Quality Improvement Framework, Commissioning Intentions, etc. If yes please detail underneath in relevant section and provide priority rating and determine if full EIA is required.

Group | Positive Impact | Negative Impact | Reasons

Gender

Men: No impact

Women: No impact

Race

Asian or Asian British People: No impact

Black or Black British People: No impact

Chinese people: No impact

People of Mixed Race: No impact

White people (including Irish people): No impact

Document Title: Risk Management Policy

Purpose of document: To identify the responsibilities for risk management throughout the Trust

Target Audience: Directors, senior managers, managers and clinicians

Person or Committee undertaking the Equality Impact Assessment: Operational Risk Sub-Committee


People with Physical Disabilities, Learning Disabilities or Mental Health Issues: No impact

Sexual Orientation

Transgender: No impact

Lesbian, Gay men and bisexual: No impact

Age

Children: No impact

Older People (60+): No impact

Younger People (17 to 25 yrs.): No impact

Faith Group: No impact

Pregnancy & Maternity: No impact

Equal Opportunities and/or improved relations: No impact

Notes: Faith groups cover a wide range of groupings, the most common of which are Buddhists, Christians, Hindus, Jews, Muslims and Sikhs. Consider faith categories individually and collectively when considering positive and negative impacts. The categories used in the race section refer to those used in the 2001 Census. Consideration should be given to the specific communities within the broad categories such as Bangladeshi people and the needs of other communities that do not appear as separate categories in the Census, for example, Polish.

3. Level of Impact

If you have indicated that there is a negative impact, is that impact:

Legal (it is not discriminatory under anti-discriminatory law): YES / NO

Intended: YES / NO

If the negative impact is possibly discriminatory and not intended and/or of high impact then please complete a thorough assessment after completing the rest of this form.

3.1 Could you minimise or remove any negative impact that is of low significance? Explain how below:

3.2 Could you improve the strategy, function or policy positive impact? Explain how below:


3.3 If there is no evidence that this strategy, function or policy promotes equality of opportunity or improves relations – could it be adapted so it does? How? If not why not?

Scheduled for Full Impact Assessment Date:

Name of persons/group completing the full assessment.

Date Initial Screening completed