Risk Management Policy Version No.2.0 Page 1 of 26
RISK MANAGEMENT POLICY
Written By: Governance Advisor, 19 March 2018
Authorised By: Chief Executive, 1st July 2019
Lead Director: Director of Quality Governance
Effective Date: 1st July 2019
Review Date: 30th June 2022
Approval at: Policy Management Sub-Committee
Date Approved: 1st July 2019
DOCUMENT HISTORY

(Procedural document version numbering convention will follow the following format: whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc., with decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time, the initial draft will be version 0.1.)

| Date of Issue | Version No. | Date Approved | Director Responsible for Change | Nature of Change | Ratification / Approval |
|---|---|---|---|---|---|
| 19/3/18 | 0.1 | | Director of Quality Governance | Total re-write of Policy by Governance Advisor | |
| 20/3/18 | 0.2 | | Director of Quality Governance | Amendments following receipt of comments from Director of Quality Governance | |
| 23/3/18 | 0.3 | | Director of Quality Governance | Amendments following discussion with Risk Management Team | |
| 27/3/18 | 0.4 | | Director of Quality Governance | Amendments following receipt of comments from Risk Management Team | |
| 10/04/18 | 0.4 | | Director of Quality Governance | Comments referring to relation between this policy and H&S Policy taken into consideration | Policy Management Sub-Committee |
| 13/04/18 | 0.4 | | Director of Quality Governance | Any comments relating to policy to go to Lead Director | Operational Risk Sub-Committee |
| 08/05/18 | 1.0 | 08/05/2018 | Director of Quality Governance | Approved at Policy Management Sub-Committee | |
| 28/05/19 | 1.1 | | Director of Quality Governance | Draft revisions, subject to DQG review | |
| 27/06/19 | 1.1 | | Director of Quality Governance | Voting buttons to members of Operational Risk Sub-Committee | |
| 01/07/19 | 2.0 | | Director of Quality Governance | Approved via voting buttons by Policy Management Sub-Committee | |
NB This policy relates to the Isle of Wight NHS Trust hereafter referred to as the Trust
Contents

1 Executive Summary (p. 4)
2 Introduction (p. 4)
3 Definitions (p. 4)
4 Scope (p. 5)
5 Purpose (Policy Statement) (p. 5)
6 Board Assurance Framework (p. 5)
7 Roles and Responsibilities (p. 6)
8 Consultation (p. 8)
9 Training (p. 8)
10 Monitoring Compliance and Effectiveness (p. 8)
11 Links to other Organisational Documents (p. 9)
12 References (p. 9)
13 Appendices (p. 9)

Appendix 1 Risk Management Process
Appendix 2 Objective Setting Process
Appendix 3 Process for Including Risks on the Risk Register
Appendix 4 Potential Risk Template
Appendix 5 Risk Identification
Appendix 6 Identifying Controls and Actions
Appendix 7 Risk Reporting, Oversight and Escalation
Appendix 8 Financial and Resourcing Impact Assessment on Policy Implementation
Appendix 9 Equality Impact Assessment (EIA) Screening Tool
1 Executive Summary

This Policy clearly sets out the expectations and requirements of individuals and meetings at each level within the Trust regarding the management of risk. It includes a number of useful templates as appendices to support the practical implementation of the Policy.

2 Introduction

What is 'risk'? Risk is defined as an uncertain event or set of events which, should it occur, will have an effect upon (i.e. threaten) the achievement of objectives. Risk consists of a combination of the likelihood of the 'threat' happening and the impact of that threat happening.

What is 'Risk Management'? Risk Management is the term used to describe the activities required to identify, understand and control exposure to uncertain events which may threaten the achievement of objectives.

Why do we do it? Risk Management is a key component of management and clinical practice as it aims to ensure that:

- Achievement of objectives is more likely
- Adverse (damaging) events are less likely
- Costly re-work and 'fire-fighting' is reduced
- Capital expenditure and revenue resources are utilised more efficiently and effectively
- Performance is improved (including quality, finance, operational and workforce)
- Decision-making is much better informed
- Positive outcomes for patients, service users and stakeholders are increased
- Our reputation is protected and enhanced

3 Definitions

There are a number of terms used when describing risk management. However, the following table sets out the key terms which are featured within this policy and are therefore applicable to our risk management process.
Key Term: Definition

Risk Management: Risk Management is the term used to describe the activities required to identify, understand and control exposure to uncertain events which may threaten the achievement of objectives.

Risk: Risk is described as the combination of:
- Condition (summary of the risk; this should be concise)
- Cause (list all potential causes of the risk: what could make this risk happen?)
- Consequence (resulting in: what is the impact?)

Control: Existing arrangements which are in place to assist in the mitigation of the risk and the achievement of an objective. For example, a policy, incident reporting or training programmes.

Assurance: Assurance is the evidence which describes how effective our controls are. This is used only for strategic risks reported via the Board Assurance Framework.

Risk Appetite: Sets out the levels and types of risk we are prepared to accept (and not accept) in achieving our objectives.

Risk Register: A record of all identified risks relating to a set of objectives, including their history, status and risk score. The purpose of a risk register is to evidence and drive risk management activities and it is used as a source or means of risk reporting.

Project / Programme Risks: Project and programme risks are managed in the same way as other risks in the Trust but there are slight differences in the approach. Risk registers or logs will still be maintained for risks to programmes or projects but these are held as part of the project documentation held within the Programme Management Office. However, this project documentation may be referred to as a source of control and / or assurance within related risks held on the Risk Register.

Board Assurance Framework: A document that provides details to the Board and Committees of the Board regarding the strategic risks associated with the delivery of strategic objectives and includes information regarding the risk scores, controls and assurances in place, gaps in controls and assurances and planned actions to mitigate the risks.
4 Scope

This policy identifies the lines of accountability for management of risk throughout the Trust and is applicable to all staff.

5 Purpose (Policy Statement)

The Trust is committed to ensuring that the highest standards of service are provided and recognises the fundamental role that risk management has in enabling this.

6 Board Assurance Framework (BAF)

The role of the BAF is to provide evidence and structure to support effective management of Risk within the organisation. The BAF provides evidence to support the Annual Governance Statement. It is a Board level document and is the responsibility of the Chief Executive and the Executive team.

The BAF provides this totality of assurance and identifies which of the Trust's strategic objectives are at risk of not being delivered. At the same time, it provides positive assurance where risks are being managed effectively and objectives are being delivered. This allows the Board to determine where to make most efficient use of their resources and address the issues identified in order to deliver the Trust's strategic objectives.

The process for gaining assurance is fundamentally about taking all of the relevant evidence together and arriving at informed conclusions. The most objective assurances are derived from independent reviewers; these are supplemented by internal sources such as clinical audit, internal management representations, performance management and self-assessment reports.

The BAF template will be continuously adapted in line with Trust risk maturity development and risk system development improvements. It includes as a minimum the following:

- Strategic objective
- Risk description and Lead Director
- Key controls
- Sources of internal and external / independent assurance
- Gaps in controls
- Gaps in assurance
- Inherent risk score and Target risk score
- Comments / planned actions
- Consequence or impact
- Likelihood
- Current risk score
- Direction of travel of risk since last report
The BAF will cover all of the Trust's main activities, identifying any risk that may prevent the achievement of the objectives. It will also identify the internal controls in place to manage these risks, and the assurances in place to check whether the listed controls are effective. The BAF will be rated independently of the risk rating using a traffic light system (red, amber, green) based on the overall depth and scope of the controls and assurances in place to meet the objective. These assurances may derive from internal or external sources, such as monitoring against key performance targets or establishing effective reporting mechanisms within the Trust to the Trust Board. The Trust Board will use the BAF as a dynamic tool to drive the board agenda through the following activities:

- The BAF will be reviewed on a quarterly basis by each of the relevant Assurance Committees for the areas they are responsible for overseeing.
- Each Assurance Committee shall then provide feedback which is collated into a summary report across the BAF as a whole to the Trust Board.
- The Board shall receive and approve the risk assessment for each aspect of the BAF on a quarterly basis.
- Specific risks or objectives will be subject to more in-depth scrutiny through the production of a report from the executive lead and, if necessary, the nominated or operational lead. The relevant Assurance Committee will also seek assurance that the overall rating against each objective is in accordance with the confidence in the effectiveness of controls and outcome measures (i.e. current levels of performance).

7 Roles and Responsibilities

All staff have a responsibility for risk management; however, the following provides an overview of those with specific responsibilities to ensure the implementation of this policy.
Chief Executive is responsible for:
- reviewing the strategic objectives of the Trust with the Board
- ensuring that the Trust has a Risk Management Policy in place and that it is delivered

Executive Directors are responsible for:
- ensuring delivery of the strategic objectives
- identification, control, monitoring and reporting of the risks which may threaten achievement of strategic objectives
- maintaining accurate and up to date risk registers, relevant to their objectives, and reporting through the Board Assurance Framework

Quality Governance Department is responsible for:
- development and review of the Risk Management Policy
- provision of education, support and expertise in relation to Risk Management
- provision of education and training on the Risk Management Policy
- provision of training on the Datix Risk Management system
- facilitating the reporting of appropriate risks to the Board, Committees and Operational Risk Sub-Committee
- facilitating the provision of a Board Assurance Framework to the Board and Committees
- monitoring and reporting compliance with the Risk Management Policy
- facilitating the reporting of appropriate risks to specialist corporate groups

Clinical Directors, Heads of Operations and Heads of Nursing and Quality (or equivalent for non-clinical business areas) are responsible for:
- leading and overseeing implementation of the Risk Management Policy at Divisional / Care Group Level, which includes the effective identification, control, monitoring and reporting of the risks which may threaten achievement of area objectives
- facilitating the reporting and, where necessary, escalation of appropriate risks to the Operational Risk Sub-Committee from the area
- maintaining accurate and up to date risk registers, relevant to their area / service objectives

Quality Managers (or equivalent for non-clinical business areas) are responsible for:
- facilitating implementation of the Risk Management Policy at Divisional / Care Group Level, which includes the effective identification, control, monitoring and reporting of the risks which may threaten achievement of area objectives, in accordance with the procedure set out within this policy
- monitoring and reporting compliance with the Risk Management Policy at area level, as directed by the Quality Governance Department

'Risk Owners', including all Departmental / Ward / Service Managers, are responsible for:
- identification, control, monitoring and reporting of the risks which may threaten achievement of Divisional / Care Group area objectives, in accordance with the procedure set out within this policy
- maintaining accurate and up to date risk registers, relevant to area objectives

Chairs of Specialist Sub-Committees (e.g. Information Governance Sub-Committee) are responsible for:
- identification, management and oversight of risks relevant to their specialist subject, ensuring appropriate action is taken
- reporting to the relevant Committee
- reporting, where appropriate, to the Operational Risk Sub-Committee
Chairs of Specialist Groups (e.g. Infection Prevention Control Group) are responsible for:
- identification, management and oversight of risks relevant to their specialist subject, ensuring appropriate action is taken
- reporting to the relevant Sub-Committee

8 Consultation

This Policy was written by the Governance Advisor to the Trust and drafts were considered by the Director of Quality Governance, the Risk Management Team, the Operational Risk Sub-Committee and the Policy Management Sub-Committee.
9 Training

| Type of Training | How to Access Training | Who Requires Training |
|---|---|---|
| Potential Risk Template completion | Step by step instructions included on the Potential Risk Template (appendix 4). Additional support is available from the Quality Governance Department. | Any staff member identifying a risk for inclusion on the Risk Register. |
| Risk Management Policy Training | Quality Governance Department | Clinical Directors; Heads of Operations; Quality Managers; Matrons; Central Functions risk register leads as determined by each Division. |
| Datix Risk Register completion | Quality Governance Department | As listed above, or any staff member with delegated authority from the above to input risks directly onto the risk register. |
| Health & Safety Risk Assessment Training | Quality Governance Department | As listed above, or any staff member with delegated authority from the above to input risks directly onto the risk register. |
10 Monitoring Compliance and Effectiveness

10.1 Monitoring Arrangements

In addition to individual roles and responsibilities for monitoring risks:

Committee Assurance

The Audit Committee is responsible for oversight of the Risk Management Policy and will receive quarterly reports in the form of the Board Assurance Framework.
In addition, the Assurance, Risk and Compliance Committee, the Performance Committee and the Quality Committee will consider Board Assurance Framework Reports which are relevant to their area of strategic oversight.

Audit

The Quality Governance Department will undertake regular reviews of compliance against this policy, including data quality elements and a range of key performance indicators (KPIs), which will be reported as appropriate to the Operational Risk Sub-Committee.

An annual audit of compliance will take place as part of the Internal Audit Programme and will be reported to the Audit Committee / Assurance, Risk and Compliance Committee.

10.2 Review

This policy will be reviewed by the Quality Governance Department at least every three years post ratification, unless it is deemed necessary to do so sooner.

11 Links to other Organisational Documents

- Risk Management Strategy
- Incident Management Policy
- Health & Safety Policy

12 References

None

13 Appendices

Appendix 1 Risk Management Process
Appendix 2 Objective Setting Process
Appendix 3 Process for Including Risks on the Risk Register
Appendix 4 Potential Risk Template
Appendix 5 Risk Identification
Appendix 6 Identifying Controls and Actions
Appendix 7 Risk Reporting, Oversight and Escalation
Appendix 8 Financial and Resourcing Impact Assessment on Policy Implementation
Appendix 9 Equality Impact Assessment (EIA) Screening Tool
Appendix 1 Risk Management Process

(The original presents these steps as a flowchart: Objective Setting, Risk Identification, Risk Rating, Identify Controls, Identify Gaps in Controls, Identify Actions, Risk Reporting, Escalation & Oversight.)

Objective Setting: Strategic Objectives are set annually by the Board. Business area Objectives are set as part of the Annual Planning Process.

Risk Identification: Identification of risks is an ongoing process. Risks are described as a statement which comprises the condition, cause and consequence. All risks should be aligned to objectives but will often emerge from an operational level. The process for entering risks onto the Risk Register is at appendix 3. The Potential Risk Template is at appendix 4. Further guidance on Risk Identification is in appendix 5.

Risk Rating: Risks should be assessed for their impact and likelihood using the Risk Rating Matrix. When using the matrix, you should assess the likelihood of the cause (how likely is this to happen) and the impact (what level of harm or consequence could this risk have). The Risk Scoring Matrix is at appendix 4.

Identify Controls: Identify the existing controls which are in place to mitigate against the risk and achieve the objective. For example, policies, procedures, incident reporting and training. See appendix 6 for further guidance.

Identify Gaps in Controls: Identify the gaps in controls; these will be used to identify actions (see below).

Identify Actions: Identify the further actions (including responsible leads and timescales) which are needed to reduce the likelihood or impact of the risk. See appendix 6 for further guidance.

Risk Reporting, Escalation & Oversight: The format, frequency and forum for reporting and oversight of risks is determined by the type of risk (i.e. strategic, corporate, business area) and the level of risk. Some risks will require escalation, which means that they will be subject to a greater level of oversight. The oversight, reporting and escalation process can be found at appendix 7.
Appendix 2 Objective Setting Process

Annual Strategic Objective Review / Setting. Mechanism: Trust Board.

Annual Objective Review / Setting. Mechanism: Operational Business Plan Refresh and Divisional Board.
Appendix 3 Process for Including Risks on the Risk Register

1. Risk identified.
2. Potential risk considered using the Potential Risk Template (appendix 4). Training and support for completing the Potential Risk Template is available from the Quality Governance Department.
3. Potential Risk Template submitted to the Business area / Service Line to review the risk and to consider inclusion on the risk register. If a risk is submitted but not accepted by the Business area / Service Line, the Potential Risk Template can be escalated to the Quality Governance Department for advice and a view.
4. If a decision has been taken to include the risk on the Risk Register, this should be entered onto the Datix system.
Appendix 4 Potential Risk Template

A. DESCRIPTION OF POTENTIAL RISK

Condition (Risk Title):
Cause:
Consequence*:

*When describing the 'consequence', consider the following:
- Impact on the safety of patients, staff or public (physical / psychological harm)
- Impact on Quality / Complaints / Audit
- Impact on Human Resources / Organisational Development / Staffing / Competence
- Impact on Statutory Duty / Inspections
- Impact on Adverse Publicity / Reputation
- Impact on Business Objectives / Projects
- Impact on Finance including Claims
- Impact on Service / Business Interruption / Environment

B. LIKELIHOOD AND IMPACT ASSESSMENT

Step 1: To assess the likelihood of your risk, you must focus on the cause of your risk description and determine the frequency that the cause might happen / recur.

| Likelihood | Description | Likelihood Score |
|---|---|---|
| Rare | This will probably never happen / recur. Not expected to occur for years. | 1 |
| Unlikely | Do not expect it to happen / recur but it is possible it may do so. Expected to occur at least annually. | 2 |
| Possible | Might happen or recur occasionally. Expected to occur at least monthly. | 3 |
| Likely | Will probably happen / recur but it is not a persisting issue. Expected to occur at least weekly. | 4 |
| Almost Certain | Will undoubtedly happen / recur, possibly frequently. Expected to occur at least daily. | 5 |

Step 2: To assess the impact of your risk, you must focus on the consequence of your risk description, using the Impact Score Matrix below.

It is possible that your risk may have more than one impact, for example financial loss, service disruption and patient safety. You should use this table to impact score each of these categories separately and then select the one that has the highest impact.
Impact Score Matrix: impact domains with examples of descriptions for each score (1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic).

Impact on the safety of patients, staff or public (physical / psychological harm)
- 1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work.
- 2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days. Increase in length of hospital stay by 1-3 days.
- 3 Moderate: Moderate injury requiring professional intervention. Requiring time off work for 4-14 days. Increase in length of hospital stay by 4-15 days. RIDDOR/agency reportable incident. An event which impacts on a small number of patients.
- 4 Major: Major injury leading to long-term incapacity/disability. Requiring time off work for >14 days. Increase in length of hospital stay by >15 days. Mismanagement of patient care with long-term effects.
- 5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An event which impacts on a large number of patients.

Quality / Equality / Complaints / Audit
- 1 Negligible: Peripheral element of treatment or service suboptimal. Informal complaint/inquiry.
- 2 Minor: Overall treatment or service suboptimal. Formal complaint (stage 1). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved.
- 3 Moderate: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2). Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on.
- 4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple complaints/independent review. Low performance rating. Critical report.
- 5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards.

Human Resources / Organisational Development / Staffing / Competence
- 1 Negligible: Short-term low staffing level that temporarily reduces service quality (<1 day).
- 2 Minor: Low staffing level that reduces the service quality.
- 3 Moderate: Late delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale. Poor staff attendance for mandatory/key training.
- 4 Major: Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/key training.
- 5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training/key training on an ongoing basis.

Statutory Duty / Inspections
- 1 Negligible: No or minimal impact or breach of guidance/statutory duty.
- 2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
- 3 Moderate: Single breach in statutory duty. Challenging external recommendations/improvement notice.
- 4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report.
- 5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report.

Adverse Publicity / Reputation
- 1 Negligible: Rumours. Potential for public concern.
- 2 Minor: Local media coverage, short-term reduction in public confidence. Elements of public expectation not being met.
- 3 Moderate: Local media coverage, long-term reduction in public confidence.
- 4 Major: National media coverage with <3 days service well below reasonable public expectation.
- 5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House). Total loss of public confidence.

Business Objectives / Projects
- 1 Negligible: Insignificant cost increase/schedule slippage.
- 2 Minor: <5 per cent over project budget. Schedule slippage.
- 3 Moderate: 5–10 per cent over project budget. Schedule slippage.
- 4 Major: 10–25 per cent over project budget. Schedule slippage. Key objectives not met.
- 5 Catastrophic: >25 per cent over project budget. Schedule slippage. Key objectives not met.

Finance including Claims
- 1 Negligible: Small loss. Risk of claim remote.
- 2 Minor: Loss of 0.1–0.25 per cent of budget. Claim less than £10,000.
- 3 Moderate: Loss of 0.25–0.5 per cent of budget. Claim(s) between £10,000 and £100,000.
- 4 Major: Uncertain delivery of key objective/loss of 0.5–1.0 per cent of budget. Claim(s) between £100,000 and £1 million. Purchasers failing to pay on time.
- 5 Catastrophic: Non-delivery of key objective/loss of >1 per cent of budget. Failure to meet specification/slippage. Loss of contract / payment by results. Claim(s) >£1 million.

Service / Business Interruption / Environmental Impact
- 1 Negligible: Loss/interruption of >1 hour. Minimal or no impact on the environment. No impact on other services.
- 2 Minor: Loss/interruption of >8 hours. Minor impact on environment. Impact on other services within the Division.
- 3 Moderate: Loss/interruption of >1 day. Moderate impact on environment. Impact on services within other Divisions.
- 4 Major: Loss/interruption of >1 week. Major impact on environment. Impact on all Divisions.
- 5 Catastrophic: Permanent loss of service or facility. Catastrophic impact on environment. Impact on services external to the Trust.

Information Security / Data Protection
- 1 Negligible: Potential breach of confidentiality with less than 5 people affected. Encrypted files.
- 2 Minor: Serious potential breach of confidentiality with 6–20 people affected. Unencrypted clinical records lost.
- 3 Moderate: Serious breach of confidentiality with 21–100 people affected. Inadequately protected PCs, laptops and remote devices.
- 4 Major: Serious breach of confidentiality with 101–1000 people affected. Particularly sensitive details (e.g. sexual health).
- 5 Catastrophic: Serious breach of confidentiality with over 1001 people affected. Potential for ID theft.
Step 3: To identify your risk score, take the result of your likelihood assessment and the result of your impact assessment and use the multiplication table below.
For example, if the likelihood score is ‘3’ and the impact score is ‘4’, multiplying them together gives a risk score of ‘12’.
Risk Score = Likelihood Score x Impact Score
Likelihood Score (rows) against Impact Score (columns):
                  Impact 1  Impact 2  Impact 3  Impact 4  Impact 5
Likelihood 1          1         2         3         4         5
Likelihood 2          2         4         6         8        10
Likelihood 3          3         6         9        12        15
Likelihood 4          4         8        12        16        20
Likelihood 5          5        10        15        20        25
The numerical risk score will fall within one of the ranges shown below, which determines whether the risk is ‘low’, ‘moderate’, ‘high’ or ‘extreme’.
Risk Score
1 – 3 Low
4 – 6 Moderate
8 – 12 High
15 – 25 Extreme
Overall Risk Score (Likelihood x Impact)
Likelihood: Impact: Score:
C. CONTROLS
Step 4: Review and update your controls and gaps in controls and record them in the table below. Guidance on describing controls can be found at appendix 6.
Existing Controls | Gaps in Controls
D. FURTHER ACTIONS
Step 5: Review and update your action plan to address any gaps in controls.
Action | Person Responsible | Due Date
Appendix 5 Risk Identification
1. What is a risk and what is not a risk? A risk is an uncertain event or set of events which, should it occur, will have an effect upon the achievement of objectives. Therefore:
Risk is ‘uncertainty’: an event that might happen because of a cause; an event that might happen because of current circumstances.
Risk is not ‘certainty’, which involves: an incident, which is an event which has happened; an issue which will or is happening.
2. How is a risk described? A risk should be described with three components:
3. How risks should not be described
Failure of the Objective: Objective: To expand into more geographical territories. Risk: Not expanding into new territories.
Questioning the Objective: Expanding into more geographical territories could place us in competition with other providers in those areas.
Composite Risks (i.e. using ‘or’): Appropriate facilities may not be available or there may be resistance or we may not be able to recruit sufficient staff.
One-word risks: ‘Fraud’, ‘Fire’, ‘Reputation’
Statement of fact: There is a risk that projects may fail.
Failure to…: Failure to recruit enough staff / failure to control costs.
Incident: Due to the computer system crashing.
Issue: Because we don’t have enough staff… / when the new legislation is introduced…
Whinge: We’ve been told that a new computer system is being introduced, but nothing has been done to provide training to the staff.
Essay: When the computer service centre was moved three years ago, various changes were made to working practices. Break times were extended, section leaders were appointed, cross training was provided as a back-up for absence. Now more changes are underway, so we are likely to have short term additional staffing costs. We are also spending more than planned on support for the new IT system, which may necessitate us to cut back in other areas, leading to an adverse impact on staff morale, lower service levels and damage to our reputation.
The three components of a risk description (section 2 above) are Condition, Cause and Consequence:
Condition: This part of the description should focus on the condition which will occur if the cause happens. Example: Patients may not be evacuated safely
Cause: This part of the description should capture the cause. Example: should there be a fire
Consequence: This part of the description should describe the consequence of the event. For example, this may be: impact upon strategic objectives; financial loss; reputational damage; quality / patient safety is compromised; operational disruption; legal / regulatory action. Example: resulting in legal / regulatory action, compromised patient safety, service disruption and financial loss.
Appendix 6 Identifying Controls and Actions
1. Identifying Controls
Generally speaking, the purpose of a control is to constrain risk rather than to eliminate it. A control is any action taken to manage risk. These actions may be taken to manage either the impact if the risk is realised, or the frequency with which the risk is realised. When you are identifying controls, these must already be in place. Any controls to further constrain risk which are not yet in place should be addressed within your action plan. Once in place, they become a control.
Examples of controls can include:
Policies and procedures
People, for example, a person who may have a specific role in delivery of an objective
Training
Processes / practices, for example, a specific process which ensures the delivery of an objective
2. Identifying Actions
Once you have identified your controls and gaps in controls, you will need to identify what further actions need to be taken to achieve your objective / reduce the risk if possible, including timescales and responsible person for each action.
Appendix 7 Risk Reporting, Oversight and Escalation
1. Risk Reporting
Risks should be reported in the form of a Risk Register (except where this policy defines an alternative format in the table under section 2 below). A risk register is simply a record of all identified risks relating to a set of objectives, including their history and their status. A risk register is a tool designed to help managers achieve their objectives and to drive and provide evidence of risk management activities. To ensure risk reporting is meaningful and effective, a Risk Register Report should include the following fields (all of which should be accurately completed within Datix).
ID Number: The unique identifier for your risk, automatically generated by Datix.
Risk Title: The short title which describes the subject of the risk (the condition).
Risk Owner: The person responsible for management of the risk.
Description of Risk: The risk description should follow the guidance set out within appendix 5 and should set out the cause and the consequence.
Inherent Risk Rating: To confirm the ‘gross’ risk rating which was identified at the point of identifying the risk.
Existing Controls: To identify the controls in place to manage the risk and achieve the objective (as set out within appendix 6).
Gaps in Controls: To identify gaps in controls (as set out within appendix 6).
Current Risk Rating: To confirm the risk rating once the existing controls have been taken into consideration.
Oversight Forum / Assurance Committee: This is the meeting where the risk will be reviewed and / or challenged. If there is a specialist element to the risk, then the specialist group (e.g. Infection Prevention Control) should also be selected.
Response to Risk: What is the Trust going to do about this risk?
Strategic Objective: To identify which of the Trust’s Strategic Objectives the risk will have an impact upon.
Action Plan: To identify the further actions required.
Person Responsible: To identify who is responsible for carrying out the action.
Due Date: To identify when the action will be completed.
Completed Date: To confirm the date that the action has been completed.
Within Datix there is a requirement to complete a Response to Risk section. The following are the definitions for each option.
Types of Risk Response (the 4 ‘T’s)
Terminate: To close the risk.
Transfer: Passes the risk to a third party, who bears or shares the impact.
Treat: Reduces the likelihood and / or the impact.
Tolerate: Accepts the risk, subject to monitoring.
2. Risk Oversight Framework
Risks are overseen at various levels throughout the Trust. The table below sets out the levels at which risks must be reported and overseen. For each level of escalation / oversight it gives the level / types of risk, the role and purpose of oversight, and the style of report.

CORPORATE OVERSIGHT

Board
Types of risk: Risks identified against Strategic Objectives
Role and purpose: Scrutiny of the risks identified and holding responsible persons to account for the action being taken. Assurance from the Audit Committee that the process is working effectively.
Style of report: Board Assurance Framework (BAF)

Assurance, Risk and Compliance Committee / Performance Committee / Quality Committee
Types of risk: Risks identified against Strategic Objectives – relevant to their area of focus
Role and purpose: Scrutiny of the risks identified and holding responsible persons to account for the action being taken.
Style of report: Board Assurance Framework (BAF)

Audit Committee
Types of risk: Risks identified against Strategic Objectives
Role and purpose: Assurance from the Assurance, Risk and Compliance Committee, Quality Committee and Performance Committee that the process is working effectively.
Style of report: Board Assurance Framework (BAF)

Performance Management Reviews
Types of risk: Top Business Risks; new risks; risk increases; risks for escalation
Role and purpose: Scrutiny of the risks identified and holding responsible persons to account for the action being taken.
Style of report: Business Performance Management Review Presentation

Trust Leadership Committee
Types of risk: A summary of risks considered by the Operational Risk Sub-Committee
Role and purpose: Assurance that the Operational Risk Sub-Committee is fulfilling its Terms of Reference.
Style of report: Output Summary Report from Operational Risk Sub-Committee

Operational Risk Sub-Committee
Types of risk: All risks scoring 12 or above from Business Risk Registers
Role and purpose: Scrutiny and challenge of risks scoring 12 or above. Referral to and assurance from key specialist corporate groups as appropriate.
Style of report: Risk Oversight Report (taken from Risk Registers)

Specialist Groups
Types of risk: All ‘corporate’ risks relevant to their area of specialism
Role and purpose: Identification, management and oversight of risks relevant to their specialist subject, ensuring appropriate action is taken.
Style of report: Corporate Risk Register

DIVISIONAL OVERSIGHT

Business Boards
Types of risk: All risks scoring 8 or above
Role and purpose: Challenge, review and monitoring of all risks scoring 8 or above. Escalation of risks to Operational Risk Sub-Committee.
Style of report: Risk Register

Business Governance Group
Types of risk: All risks
Role and purpose: Scrutiny, challenge, review and monitoring of all Divisional risks. Escalation of risks to Business Board.
Style of report: Risk Register

Operational Groups
Types of risk: All relevant risks
Role and purpose: Scrutiny, challenge, review and monitoring of all Operational risks.
Style of report: Risk Register
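As an added illustration (not code from the policy, the Trust or Datix), the Step 3 scoring rule and the score thresholds in the oversight table above, expressed as a small Python module. It assumes the forum thresholds apply to the current (post-control) rating, and the register field names are constructed, not Datix's own.

```python
"""Risk scoring (Step 3: likelihood x impact, banded) and oversight routing
(Appendix 7, section 2: 8+ to Business Boards, 12+ to the Operational Risk
Sub-Committee). Added illustration; field names are constructed, not Datix's."""
from dataclasses import dataclass

# Risk Score bands from the policy's table. Scores such as 7, 11, 13 or 14
# cannot occur because they are not products of two integers in 1..5.
BANDS = ((1, 3, "Low"), (4, 6, "Moderate"), (8, 12, "High"), (15, 25, "Extreme"))


def risk_score(likelihood: int, impact: int) -> int:
    """Step 3: multiply the two 1-5 assessments; reject anything off the scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score to Low / Moderate / High / Extreme using the policy's ranges."""
    for low, high, band in BANDS:
        if low <= score <= high:
            return band
    raise ValueError(f"{score} is not a product of two scores in the 1-5 range")


def oversight_forums(score: int) -> list:
    """Forums that must see a risk with this score, lowest level first.
    Every risk is seen by Operational Groups and the Business Governance
    Group; 8 or above also reaches the Business Board, 12 or above the
    Operational Risk Sub-Committee (threshold on the current rating assumed)."""
    forums = ["Operational Groups", "Business Governance Group"]
    if score >= 8:
        forums.append("Business Boards")
    if score >= 12:
        forums.append("Operational Risk Sub-Committee")
    return forums


@dataclass
class RiskEntry:
    """One Risk Register line: inherent = before controls, current = after."""
    title: str
    inherent_likelihood: int
    inherent_impact: int
    current_likelihood: int
    current_impact: int

    def assess(self) -> dict:
        inherent = risk_score(self.inherent_likelihood, self.inherent_impact)
        current = risk_score(self.current_likelihood, self.current_impact)
        return {
            "title": self.title,
            "inherent": (inherent, risk_band(inherent)),
            "current": (current, risk_band(current)),
            "forums": oversight_forums(current),
        }


# Constructed sample: the Appendix 5 fire-evacuation risk, scored 3 x 4 gross;
# an assumed existing control (evacuation drills) reduces likelihood to 2, which
# keeps it at Business Board level instead of the Sub-Committee.
SAMPLE = RiskEntry("Patients may not be evacuated safely in a fire", 3, 4, 2, 4)

if __name__ == "__main__":
    print(SAMPLE.assess())
```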
3. Risk Escalation to the Corporate Risk Register
Risk escalation to the Corporate Risk Register is where a risk is specifically drawn to the attention of the Operational Risk Sub-Committee for inclusion on the Corporate Risk Register. Although the Operational Risk Sub-Committee will make a decision on those risks which will be included on the Corporate Risk Register, these will, in most circumstances, be:
Emergent risks which span across multiple Business areas and are not already subject to corporate oversight
Risks where the action required does not fall within the full control of the Business area
Risks which are overseen by Specialist Groups due to their nature
4. Corporate Risk Register Escalation Process
The Division identifies a risk requiring escalation and reports it to the Operational Risk Sub-Committee.* (*In between monthly Operational Risk Sub-Committee meetings, risks requiring escalation should be reported to the Quality Governance Department.)
The appropriate Executive Lead / Specialist Corporate Group is identified. ‘Appropriate’ refers to the person / group most suitable for providing a response to the Operational Risk Sub-Committee on the corporate action being taken and for including the risk on the Corporate Risk Register if / when agreed.
The Quality Governance Department, on behalf of the Operational Risk Sub-Committee, informs the appropriate Executive Lead / Specialist Group and requests a response to the escalated risk, which can be reported back to the Division at the next Operational Risk Sub-Committee meeting.
If deemed appropriate, the escalated risk will be included on the Corporate Risk Register and monitored in accordance with the Risk Oversight Framework above.
Appendix 8 Financial and Resourcing Impact Assessment on Policy Implementation
NB this form must be completed where the introduction of this policy will have either a positive or negative impact on resources. Therefore this form should not be completed where the resources are already deployed and the introduction of this policy will have no further resourcing impact.
Document title
Risk Management Policy
Totals WTE Recurring £
Non-Recurring £
Manpower Costs
Training Staff
Equipment & Provision of resources
Summary of Impact: No direct financial impact
Risk Management Issues:
Benefits / Savings to the organisation:
Equality Impact Assessment: Has this been appropriately carried out? YES/NO. Are there any reported equality issues? YES/NO. If “YES” please specify:
Use additional sheets if necessary. Please include all associated costs where an impact on implementing this policy has been considered. A checklist is included for guidance but is not comprehensive so please ensure you have thought through the impact on staffing, training and equipment carefully and that ALL aspects are covered.
Manpower WTE Recurring £ Non-Recurring £
Operational running costs
Totals:
Staff Training Impact Recurring £ Non-Recurring £
Totals:
Equipment and Provision of Resources Recurring £ * Non-Recurring £ *
Accommodation / facilities needed
Building alterations (extensions/new)
IT Hardware / software / licences
Medical equipment
Stationery / publicity
Travel costs
Utilities e.g. telephones
Process change
Rolling replacement of equipment
Equipment maintenance
Marketing – booklets/posters/handouts, etc.
Totals:
Capital implications £5,000 with life expectancy of more than one year.
Funding /costs checked & agreed by finance:
Signature & date of financial accountant:
Funding / costs have been agreed and are in place:
Signature of appropriate Executive or Associate Director:
Appendix 9
Equality Impact Assessment (EIA) Screening Tool
1. To be completed and attached to all procedural/policy documents created within individual services.
2. Does the document have, or have the potential to deliver differential outcomes or affect in an adverse way any of the groups listed below? If no confirm underneath in relevant section the data and/or research which provides evidence e.g. JSNA, Workforce Profile, Quality Improvement Framework, Commissioning Intentions, etc. If yes please detail underneath in relevant section and provide priority rating and determine if full EIA is required.
Gender
Positive Impact Negative Impact Reasons
Men No impact
Women No impact
Race
Asian or Asian British People
No impact
Black or Black British People
No impact
Chinese people
No impact
People of Mixed Race
No impact
White people (including Irish people)
No impact
Document Title: Risk Management Policy
Purpose of document To identify the responsibilities for risk management throughout the Trust
Target Audience Directors, senior managers, managers and clinicians
Person or Committee undertaking the Equality Impact Assessment: Operational Risk Sub-Committee
People with Physical Disabilities, Learning Disabilities or Mental Health Issues
No impact
Sexual Orientation
Transgender No impact
Lesbian, Gay men and bisexual
No impact
Age
Children
No impact
Older People (60+)
No impact
Younger People (17 to 25 yrs.)
No impact
Faith Group No impact
Pregnancy & Maternity No impact
Equal Opportunities and/or improved relations
No impact
Notes: Faith groups cover a wide range of groupings, the most common of which are Buddhist, Christian, Hindus, Jews, Muslims and Sikhs. Consider faith categories individually and collectively when considering positive and negative impacts. The categories used in the race section refer to those used in the 2001 Census. Consideration should be given to the specific communities within the broad categories such as Bangladeshi people and the needs of other communities that do not appear as separate categories in the Census, for example, Polish.
3. Level of Impact
If you have indicated that there is a negative impact, is that impact:
YES NO
Legal (it is not discriminatory under anti-discriminatory law)
Intended
If the negative impact is possibly discriminatory and not intended and/or of high impact then please complete a thorough assessment after completing the rest of this form.
3.1 Could you minimise or remove any negative impact that is of low significance? Explain how below:
3.2 Could you improve the strategy, function or policy positive impact? Explain how below:
3.3 If there is no evidence that this strategy, function or policy promotes equality of opportunity or improves relations – could it be adapted so it does? How? If not why not?
Scheduled for Full Impact Assessment Date:
Name of persons/group completing the full assessment.
Date Initial Screening completed