South Eastern Health & Social Care Trust
Risk Management Strategy 2011 – 2013
Policy Profile
Version: Version 1.0
Date: 30 September 2010
Review date: Annually (January)
Author: Irene Low, Assistant Director: Risk Management & Governance
Lead Director: Eamonn Molloy, Director of Human Resources & Corporate Affairs
Approval Profile
Corporate Control Committee: Via email consultation and 19 January 2011
Governance Assurance Committee:
Via email consultation and 16 March 2011
Trust Board: 30 March 2011
SET RM Strategy – Final (approved March 2011)
Foreword
The South Eastern Health & Social Care Trust (the Trust) seeks to deliver high quality care in all aspects of its services to patients/clients, staff, visitors, and the local communities. Risks occur daily in most activities undertaken within the Trust. Failure to manage these risks can result in injury to patients/clients, staff or visitors, claims against the Trust and resources lost from patient care. It is therefore vital to implement a strategy to effectively manage risks, which will result in better quality of care.
This is the second Risk Management Strategy developed by the Trust. This document helps us understand what might prevent us from achieving our objectives (the risk) and then work out our response. This means trying to reduce the chance of each risk happening, or reducing the consequences if it does occur. It is not about totally eliminating risk, as that is not always practical, especially in a health and social care environment. We must then decide which risks are urgent and more likely to occur, and the importance of their consequences.
We live in a constantly changing environment, with circumstances evolving both within and outside the Trust, and our strategy will change to reflect that. This version of the strategy reflects current best practice across the National Health Service (NHS) and Health & Social Care (HSC) and the guidance in Departmental circulars and related areas such as risk management, controls assurance and clinical and social care governance.
The Trust is fully committed to the effective management of risks in all areas. This strategy provides the tools to make our risk management systems robust and systematic. Please use it to help you understand and appreciate why your job is so important within your department and make the most of the opportunities it gives you for personal development and job fulfilment.
Hugh McCaughey Chief Executive March 2011
Executive Summary
This is the second Risk Management Strategy of the South Eastern Health & Social Care Trust (the Trust) which is based on current Departmental direction, guidance and best practice. The purpose of this document is to set out the Trust’s strategic direction for the management of all types of risk for the period 2011 to 2013. The document covers the following key areas:
Context for Corporate Governance and Risk Management;
The System for Risk Management;
Strategy Purpose, Aims, Objectives and Philosophy;
Management Arrangements and Committee Structure;
Performance Management Arrangements for Risk Management;
Related Policies and Procedures;
Arrangements for Education and Training;
Stakeholder Involvement; and
Risk Matrix (based on the AS/NZS standard 4360:2004).
The strategy will be implemented by the production of a yearly programme of work developed by the Corporate Control Committee and endorsed by the Governance Assurance Committee. The Trust aims to take all reasonable steps in the management of risk to protect patients/clients, staff and its assets. A primary concern is the provision of safer, risk-reduced environments together with working policies and practices, which take into account assessed risks. The Trust is committed to taking those steps that are feasible to minimize the harmful effects of loss on the organisation – either loss of service quality to patients and clients, loss of a safe environment for patients, clients and staff, financial loss or loss of reputation.
Risk Management is everybody’s responsibility. Its practice must be embedded in the normal management processes and the structures of the organisation. In many respects this has been happening over the past number of years; the difference now required is that it must be more systematic, robust and evident. Embedding the revised processes and responsibilities within the organisation will be supported through a systematic education and training programme.
The Corporate Control Committee will review this strategy annually and any recommendations for change will be submitted to the Trust Board for endorsement. A full review of the strategy will be undertaken during the third year of implementation of the strategy.
Contents
Foreword
Executive Summary
1.0 Introduction
2.0 Context for Corporate Governance and Risk Management
2.1 Background
2.2 Statement of Internal Control
2.3 Links between Corporate Governance and Risk Management
2.4 Definitions of Common Governance Terminology
2.5 Core Controls Assurance Standards: Governance, Risk Management and Financial Management
3.0 Risk Management – Introduction of a Common System for the Management of Risk
3.1 Background
3.2 Overview of the Risk Management Controls Assurance Standard
3.3 What is Risk Management
3.4 Risk Registers
3.5 Risk Definition and Classification – Risk Matrix
3.6 Definition of Acceptable Risk
3.7 Risk Funding
4.0 Risk Management Strategy – Purpose, Aims, Objectives and Philosophy
4.1 Purpose of the Strategy
4.2 Aims and Objectives of the Strategy
4.3 Philosophy for Risk Management
4.4 Risk Management Strategy: Communication and Implementation
5.0 Management Arrangements and Committee Structure for Risk Management
5.1 Roles and Responsibilities
5.2 Committee Structure for Risk Management
5.3 Risk Management Resources
6.0 Performance Review of Risk Management
6.1 Reports to Governance Assurance Committee
6.2 Performance Management Arrangements: Planning, Accountability and Assurance
6.3 Controls Assurance Self Assessment
6.4 Linkages between the Governance, Corporate Control and the Safety & Quality Committees
6.5 Audit – Internal & External
6.6 Key Performance Indicators
6.7 Linking Risk Management to Service Planning
7.0 Related Risk Management Policies and Procedures
8.0 Risk Management Education and Training
9.0 Stakeholder Involvement
10.0 Summary of the Risk Management Policy and Strategy
Bibliography
Glossary of Terms and Definitions
Appendices
1 Risk Management Process – AS/NZS standard 4360:2004
2 Risk Matrix
3 Risk Management Policy Statement
4 Governance Organisational Chart (incorporating risk management)
5 Terms of Reference – Corporate Control Committee
6 Risk Management Organisational Management Structure
1.0 Introduction
The purpose of this document is to set out the Trust’s strategic direction for the management of all types of risk - clinical, non-clinical and organisational, for the period 2011 to 2013. It provides a framework for the continued development of risk management systems and processes building on already established risk management and governance structures within the Trust.
It takes account of the objectives and direction contained within the Corporate Plan 2009 – 2012, the Trust Delivery Plan, the Corporate Management Plan 2010, the Performance Management Framework and the extant Governance Strategy.
2.0 Context for Corporate Governance and Risk Management
2.1 Background
The need to ensure and demonstrate effective governance arrangements originated in the private sector, due to concern over a series of corporate failures where inadequate governance measures were considered to be a contributory factor. In response to this, the Cadbury Committee was established to examine and advise on some of these issues, in particular the apparently poor quality of financial reporting and the limited ability of auditors to provide the assurances and safeguards, which the users of company reports were entitled to expect. Broader private sector best governance practice was also developed through the Turnbull Committee report on Internal Control (November 1999) and with the July 2003 update to the Stock Exchange’s Combined Code requirements for listed companies.
2.2 Statement on Internal Control
Since 2003/2004, Chief Executives of bodies sponsored by the Department of Health, Social Services and Public Safety (DHSSPS) have been required in their capacity as Accountable Officers to sign a full Statement on Internal Control. The Department’s Accounting Officer uses these to inform his Statement on the Department as a whole. Thus all bodies sponsored by the DHSSPS need to provide assurances that they have effective systems of internal control. These systems need to identify risks relating to the achievement of objectives, including the duty of quality, and should be capable of evaluating the nature and extent of those risks and of managing them efficiently, effectively and economically.
The three core controls assurance standards – Risk Management, Governance and Financial Management, together with a number of other standards and processes (particularly in the clinical and social care and organisational areas), will be essential in enabling the organisation’s objectives to be delivered successfully, including that of the duty of quality.
2.3 Links between Corporate Governance and Risk Management
Corporate governance and risk management have long played a major role in providing stakeholders with evidence that Health and Social Care (HSC) is meeting its needs in a resource efficient manner – as well as being willing and capable of avoiding foreseeable adverse occurrences, or at least of competently managing them. The corporate governance agenda largely met this expectation with service quality and financial controls at its heart. The corporate governance agenda has evolved to encompass three interrelated concepts:
Clinical and social care governance;
Organisational controls (including Risk Management); and
Financial Controls.
Figure 1 below illustrates the Framework for Corporate Governance. It shows the interrelated concepts of clinical and social care governance, organisational controls and financial controls that together comprise corporate governance in an HSC environment. The diagram also shows the focus of each of these elements and how assurances on their effectiveness are made public. Risk Management is the common theme linking all these processes.
Figure 1 - Framework for Corporate Governance
[Diagram. Labels: C&SC Governance; Organisational Controls; Financial Controls; Financial Assurances (Annual Accounts); Organisational Assurances (Annual Report); Clinical & Social Care Assurances (Clinical Governance Report/Annual Report); Financial Resources; The environment of care; Clinical & Social Care Governance; Risk Management]
2.4 Definitions of Common Governance Terminology
Corporate governance is the system by which an organisation is directed and controlled, at its most senior levels, in order to achieve its objectives and meet the necessary standards of accountability, probity and openness. The Audit Commission has defined corporate governance in healthcare as ‘The systems and processes by which health bodies lead, direct and control their functions, in order to achieve organisational objectives, and by which they relate to their partners and the wider community’.
Financial controls are a cornerstone of corporate governance. Within HSC much emphasis has been placed on the need to identify and control financial risks. The notion of “accountable officers” was introduced some time ago, along with the related concepts of conduct, accountability and openness in the management of HPSS services. The functions of Internal and External Audit, Standing Financial Instructions and Standing Orders, as well as formal annual reporting and Remuneration and Audit Committees, have proved a sound base for the management of financial risk.
Clinical and social care governance is a key aspect of risk management for the Trust and a major determinant of organisational success through its controlling influence and potential for mitigating clinical and social care risks. It is defined as: “A framework through which HPSS organisations are accountable for continuously improving the quality of their services and safeguarding high standards of care by creating an environment in which excellence in clinical care will flourish” (A First Class Service, DOH 1998).
Integrated Governance is defined as: ‘Systems, processes and behaviours by which trusts lead, direct and control their functions in order to achieve organisational objectives, safety and quality of service and in which they relate to patients and carers, the wider community and partner organisations’ (Integrated Governance Handbook, DOH, February 2006).
Organisational controls - Controls Assurance is a holistic concept based on best governance practice. It is a process designed to provide evidence that the Trust is doing its reasonable best to manage itself so as to meet its objectives, protect patients, staff, the public and other stakeholders against risks of all kinds. It is a fundamental process of governance, which will assist the Trust in identifying its risks, determining unacceptable levels of risk and deciding where best to direct our limited resources to eliminate or reduce those risks. There are 19 Controls Assurance Standards covering significant organisational and financial risk areas.
Risk Management is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects (AS/NZS standard 4360:2004).
2.5 Core Controls Assurance Standards: Governance, Risk Management and Financial Management
The Governance Standard is a high-level ‘overarching’ core controls assurance standard and is supported by two additional core standards covering Financial Management and Risk Management. Compliance with the core standards is mandatory as they are central to the whole risk management and controls assurance agenda and form the foundations of best governance practice.
The Governance Controls Assurance standard is principally concerned with ensuring that all HSC bodies have the basic building blocks in place for good governance through development and implementation of a comprehensive system of internal control. The Risk Management Control is principally concerned with ensuring that all HSC bodies have the basic building blocks in place for managing risk through development and implementation of a comprehensive risk management system. The Financial Controls Assurance Standard is principally concerned with ensuring that organisations have robust financial management systems in place and an effective system of internal control over the use of its financial resources.
Together the three standards provide the basis for statutory reporting for the Statement of Internal Control as set out by the Department of Finance and Personnel in relevant circulars.
3.0 Risk Management – Introduction of a Common System for the Management of Risk within HPSS organisations
3.1 Background
Circular HSS (PPM) 3/2002, issued on 21 June 2002, announced that the Department had decided to adopt a common risk management model for itself and all of its associated bodies. The Department chose the internationally recognised Standard, AS/NZS 4360:1999 (subsequently issued under cover of Circular HSS (PPM) 6/2002). In June 2005, the Department updated its licence agreement with Standards Australia and a CD copy of the new AS/NZS 4360: 2004 Standard was issued to all HPSS bodies under cover of circular HSS (PPM) 4/2005. Whilst the substance of the Standard remains unchanged, some updating has taken place to reflect lessons learnt from the application of the 2003 version and these have been included in this strategy.
3.2 Overview of the Risk Management Controls Assurance Standard
This standard is principally concerned with ensuring that all HSC bodies have the basic building blocks in place for managing risk through development and implementation of a comprehensive risk management system. This standard, together with the Governance and Financial Management Standards, provides the basis for statutory reporting for the Statement on Internal Control. Risk management should be recognised within an organisation as an integral part of good practice and should be part of the organisation’s culture. It should be integrated into its philosophy, practices and business plans, and not be viewed or practised as a separate programme. When this is achieved, risk management becomes the business of everyone in the organisation.
The design of a risk management system will be influenced by and tailored to the existing structure of the HSC body, the services provided and the processes and specific practices followed. A specific risk management approach applicable to all organisations is, therefore, unlikely to be serviceable. However, common principles can be identified and used to form the basis for the Standard. These in large part originate from the Australia/New Zealand Standard on risk management, which defines a set of generic principles for establishing a risk management system in any organisation. The Standard has been licensed for the HSC and the full Standard has been made available to all HSC bodies, which are encouraged to make good use of the information and guidance contained in AS/NZS 4360:2004. The Trust has fully adopted the methodology of this standard as outlined in figure 2 below. Each section is further explained in detail in Appendix 1.
Figure 2 – Risk Management Overview
3.3 What is Risk Management?
Risk Management is recognised as an integral part of good management practice. It is an iterative process consisting of steps, which, when undertaken in sequence, enable continual improvement in decision-making. Good risk management awareness and practice at all levels is a critical success factor for the Trust. Risk is inherent in all that we do. There is no area of the organisation where zero risk exists. For the purpose of this strategy, risk management is defined as:
“The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects” (AS/NZS 4360:2004).
The Risk Management process is defined as “the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks” associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities.
3.4 Risk Registers
In order to develop and be aware of its risk profile and to identify the key areas for investment in risk reduction/management, the Trust has developed a framework for risk registers. This comprises both Corporate and Directorate risks. The risk registers will enable the Trust to identify the totality of its risk and quantify those that are deemed as acceptable or present significant risks that may affect the objectives of the Trust. A Risk Register is a log of significant risks (clinical, non-clinical, financial etc.) that threaten the Trust’s success in achieving its aims and objectives. It is populated through the various risk assessments undertaken within the organisation, together with external reviews and reports. This enables risk to be quantified and ranked to inform the Trust Board and aid decision-making and resource allocation processes.
[Figure 2 – Risk Management Overview (diagram). Labels: Establish the context; Identify risks; Analyse risks; Evaluate risks; Assess risks; Treat risks; Communicate and consult; Monitor and review; Risk Register]
The Risk Management & Governance Directorate will provide advice and assistance on how to develop both Corporate and Directorate risk registers. Each Directorate is responsible for maintaining and updating its own individual registers on a regular basis. These in turn will inform and populate the overarching Corporate Risk Register.
The Corporate Risk Register will act as a Trust-wide risk profile and will be monitored on behalf of the Trust Board by the Governance Assurance Committee. The Corporate Control Committee will act as a filter for risk issues from Directorate risk registers for entry onto the Corporate Risk Register. The Assistant Director: Risk Management & Governance is the nominated Assistant Director responsible for the co-ordination and management of the Corporate Risk Register.
3.5 Risk Definition and Classification – Risk Matrix
The Australian Standard defines risk as “the chance of something happening that will have an impact on objectives.” Therefore there needs to be a consistent and measurable method of quantifying risk, the results of which can be processed to define the levels of acceptable risk to an organisation. The Trust’s risk matrix (Appendix 2) is based on the Australia/New Zealand standard. This has been modified as appropriate to meet the needs of the Trust. In addition, the Trust has also produced a grading table to help it determine the level of acceptable risk. This is further explained in paragraph 3.6 below.
Use of the matrix enables a list of prioritised risks to be developed with an indication of the action that may be required. It provides a mechanism for the most significant risk issues to be considered by the Corporate Control Committee and/or Governance Assurance Committee.
3.6 Definition of Acceptable Risk
The Trust recognises that it is impossible, and not always desirable, to eliminate all risks and that systems of control should not be so rigid that they stifle innovation and imaginative use of limited resources in order to achieve health benefits for our patients and clients. Acceptable risk is defined using the following principles:
Tolerability does not mean acceptability. It refers to a willingness to live with the risk so far as to secure certain benefits and in the confidence that it is being properly controlled. To tolerate risk does not mean to disregard it but rather that we review it and aim to reduce it further;
No person should be exposed to serious risk unless they agree to accept the risk; and
It is reasonable to accept a risk that under normal circumstances would be unacceptable if the risk of all other alternatives, including doing nothing, is even greater.
Risks can be split between those which are acceptable and those which are not acceptable. If a risk is deemed unacceptable, action should be planned to reduce it to an acceptable level. This should then be entered on the appropriate risk register together with a detailed action plan. The acceptance of a risk should represent an informed decision to accept the consequences and likelihood of that risk.
An acceptable risk is one which has been accepted after proper evaluation and is one where appropriate controls have been implemented. All risks (including those for new work activities), whether resulting from accidents, incidents, adverse events, hazard reports or any form of risk assessment, must be graded in accordance with the Trust’s Risk Matrix and entered on the appropriate risk register/s. The level of decisions on acceptability and actions required are based on the quantification of risk and are listed in Table 1 below (extracted from the Risk Matrix).
Table 1 – Decisions on level of acceptability
Colour | Level of risk | Action related to the adequacy of controls (Level of management decision on acceptability)
Green | Low risk | Manage by routine procedures
Yellow | Moderate risk | Management responsibility specified
Orange | High risk | Senior management attention required
Red | Extreme risk | Immediate action required
Significant risks are defined as those which could severely impact upon the organisation and threaten organisational and service objectives or could have a large financial impact upon the Trust, impact on patient safety or could generate press interest and adverse publicity for the Trust. The Trust Board will, therefore, be continuously informed of significant risks to the Trust via a range of methods, for example reports on the Board Assurance/Corporate Risk Register, reports from the Governance Assurance Committee and other management reports.
3.7 Risk Funding
Risk Management is an integral part of the Trust’s business. The Risk Management & Governance Directorate will undertake a work programme consistent with the level of funding available. Likewise, operational Directorates will also develop their own programmes commensurate with available funding.
4.0 Risk Management Strategy
4.1 Purpose of the strategy
The purpose of this strategy is to set out the Trust’s strategic direction for the management of all types of risk (clinical, non-clinical and organisational) for the period September 2011 – September 2013. It provides a framework for the development of the risk management system throughout the organisation, building on its recently reviewed Governance structures. The Trust’s commitment to risk management is outlined in its policy statement at Appendix 3.
4.2 Aims and objectives of the strategy
The Trust will take all reasonable steps in the management of risk to protect patients/clients, staff and assets. A primary concern is the provision of safer, risk-reduced environments together with working policies and practices, which take into account assessed risks. The Trust is committed to taking those steps that are feasible to minimize the harmful effects of loss on the organisation – either loss of service quality, loss of a safe environment for patients, clients and staff, financial loss or loss of reputation.
The Trust aims to:-
Have clear management structures, accountability and responsibility levels throughout the organisation leading to the Trust Board;
Ensure that staff have the knowledge, skills and support to implement the policies and procedures associated with this strategy;
Integrate the activities of individuals responsible for different aspects of risk management to ensure no gaps or overlaps in control;
Agree and implement risk management objectives for the organisation via an annual programme of work/action plan (that support and deliver the outworkings of this strategy);
Take cognisance of best practice, research and shared learning in respect of risk management activities;
Promote a risk management culture that enables learning from adverse events and the taking of careful decisions on risk which will increase the quality of care/quality of life for the Trust’s patients/clients;
Introduce appropriate auditing and monitoring processes to ensure that risk management standards are implemented and risk reduced to the lowest reasonably practical levels;
Demonstrate compliance with relevant laws and legislation and compliance with the risk management standards set out in the Controls Assurance and other quality improvement programmes adopted by the Trust;
Ensure all Trust employees are aware of risk management and the importance of managing risk;
Work in partnership with statutory and staff side safety representatives to promote a partnership approach to the management of risk.
Risk management should be viewed as an integral part of day-to-day management practices and culture and it will utilise a single risk matrix for the identification, assessment and management of all types of risk. In March each year, the Corporate Control Committee will develop and agree objectives (via its annual action plan) to support the delivery of this strategy for endorsement by the Governance Assurance Committee. The Trust Board will review the strategy on an annual basis, so that it can assure itself that risk management processes within the organisation remain appropriate and effective. This strategy is a key part of the Trust’s approach to governance, which underpins the ability of the Trust to deliver its goals, corporate strategies and annual plans.
4.3 Philosophy for Risk Management
Risk Management must be an explicit process in every activity within the Trust, from conceptual business planning to the delivery of operational services. The Trust is required to manage its risks in such a way that people are not harmed and losses are minimised to the lowest acceptable level.
The management of risk is everyone’s responsibility. Good risk management underpins quality care, through direct clinical care or indirectly from support services. No area of life is without risk. In every activity that occurs in the workplace there is a level of risk, but at work employers are required by law to eliminate the risk where possible. If this is not possible then as far as reasonably practicable the risk should be reduced by the use of control measures. This applies equally to tasks such as mopping the floor or caring for patients. The level of risk varies but the requirements to manage the risks remain the same.
This Risk Management Strategy is based upon the following principles:
A culture where risk management is considered an essential and positive element of the provision of health/social care;
Risk management is both a collective and an individual responsibility;
The identification of risk is considered in all areas of the Trust’s work from strategic planning to operational delivery;
The success of the Risk Management Programme is dependent upon the defined and demonstrated support and leadership offered by the Trust Board and, in particular, the Chief Executive and the Director with designated responsibility for risk management;
The identification and management of risks requires the active involvement of staff at all levels throughout the Trust. Staff operating within a service are best placed to understand the risks and to manage change; this will be achieved through well structured communication and support systems;
The promotion of an open, objective culture where staff can report mistakes without fear, which supports them and enables them to learn from the experience. For this to occur there must be commitment and open support by management at all levels;
Risk control solutions must be directed at causes rather than symptoms to reduce the number, severity and cost of incidents and claims. Most incidents are not the fault of individuals but the systems that they operate within;
The risk management programme must be sufficiently flexible to allow continuous improvement in order to adapt to the broadening and expanding clinical and operational environment.
4.4 Risk Management Strategy: Communication and Implementation
4.4.1 Communicating the strategy
This strategy will be made widely available, both internally and to external stakeholders, via a range of communication modes including:
The Trust’s intranet and internet site;
Direct distribution to stakeholders, where appropriate;
A summary leaflet to all staff;
Staff Communication briefings;
Team Briefings;
Cascaded through the Directorate communication structures.
It is the responsibility of individual Managers and Heads of Departments to ensure that the strategy is effectively communicated to their staff.
4.4.2 Implementation of the strategy
The Trust’s structure for Corporate Control is a top-down bottom-up approach. The strategy is set by the Corporate Control Committee and endorsed by the Governance Assurance Committee and Trust Board. Day to day implementation of the strategy and associated activities is directed by the Assistant Director: Risk Management & Governance and delivered at local Directorate level by managers and staff.
To support the implementation of this strategy, the Corporate Control Committee will produce an annual programme of work/action plan and objectives for endorsement by the Governance Assurance Committee. This will include the key work initiatives required to maintain and develop the risk management system and processes.
5.0 Management Arrangements and Committee Structure for Risk Management
5.1 Roles and Responsibilities
The following section summarises the roles and responsibilities of the Trust Board, Chief Executive, Non-Executive Directors, Directors, managers, clinicians and staff in relation to delivering the Risk Management agenda:
5.1.1 Trust Board: The Trust Board is responsible for reviewing the effectiveness of internal controls – financial, risk management (including organisational) and clinical and social care. It is required to produce statements of assurance that it is doing its “reasonable best” to ensure the Trust meets its objectives and protect patients, staff, the public and other stakeholders against risks of all kinds. To inform the annual Statement of Internal Control (SIC) made by the Chief Executive in the annual accounts, the Board needs to be able to demonstrate:
That they have been informed through assurances about all risks not just financial;
That they have arrived at their conclusions on the totality of risk based on all the evidence presented to them.
Whilst it is recognised that all members of staff within the Trust are responsible for the identification and management of risk (appropriate to their own role), responsibility for the effectiveness of organisational systems rests unequivocally with the Board.
The Trust Board is also responsible for ensuring that appropriate risk management and governance structures and arrangements are in place within the organisation and for receiving assurances from the Chief Executive and/or the Director of Human Resources and Corporate Affairs (lead Director for Governance) that these are operating satisfactorily.
5.1.2 Chief Executive: Overall accountability and responsibility for risk management and governance ultimately rests with the Chief Executive. He is the Executive Director designated accountable for the implementation of risk management and controls assurance. He has delegated responsibility for risk management on a management level to the Director of Human Resources and Corporate Affairs (non-clinical risk management activities) and the Medical Director (clinical risk management activities).
5.1.3 Non-Executive Directors: Two Non-Executive Directors will be members of the Corporate Control Committee. They will be responsible for providing the Chairman and the Trust Board with an assurance of the effectiveness of the Trust's risk management arrangements. As members of the committee they will assure themselves and the Trust Board that the committee and its related sub committees are addressing key risk management issues within the organisation and that key issues or concerns and best practice are being brought to the attention of the Trust Board.
5.1.4 Director of Human Resources and Corporate Affairs (Lead Director for Governance): The Director of Human Resources and Corporate Affairs is the lead Director for Governance. He is managerially responsible for the Assistant Director: Risk Management & Governance. He is primarily responsible for ensuring that a comprehensive organisation-wide system of risk management is introduced at all levels within the organisation. He will work closely with all Directors in relation to this activity but, in particular, the Medical Director in respect of clinical risk management activities. He will be consulted on the strategic direction of all such activities.
5.1.5 Medical Director (Lead Director/Clinician responsible for Clinical Governance and Clinical Risk Management): The Medical Director is accountable to the Chief Executive for the overall strategic management and delivery of the Trust's clinical and social care governance programme. He is responsible for ensuring that effective processes and reporting mechanisms are in place in order to promote safe and effective care. He is also responsible for setting the direction of clinical risk management within the organisation. He will work closely with, and consult, the Director of Human Resources and Corporate Affairs and the Assistant Director: Risk Management & Governance on this matter.
5.1.6 Other Executive Directors and Directors: Each Director is accountable for the management of risks within their own areas of specific responsibility. They are responsible for ensuring that appropriate systems are embedded to ensure effective risk management arrangements across all services for which they are responsible. These systems should be in line with the strategic and operational arrangements detailed within this strategy and should integrate with existing management and professional arrangements and processes.
5.1.7 Professional Leads: Directors with accountability for professional agendas ie, nursing, social work and medical staff are responsible for ensuring effective risk management and governance arrangements across the Trust in respect of their professional group. These Director level professional leads have a network of professionals who ensure that professional standards of care and practice are maintained across Directorates and Specialities.
5.1.8 Assistant Director: Risk Management & Governance: The Assistant Director: Risk Management & Governance is accountable to and reports to the Director of Human Resources and Corporate Affairs and is the nominated operational Assistant Director for the delivery of the strategic and operational management agenda for risk management, incorporating both clinical and non-clinical risks.
5.1.9 Clinical Risk Director: The Clinical Risk Director is accountable, and reports to, the Medical Director in respect of all clinical risk management activities. He/she works closely with the Assistant Director: Risk Management & Governance on the day-to-day delivery of this agenda.
5.1.10 Assistant Directors/Clinical Directors: In conjunction with relevant Director, Assistant Directors/Clinical Directors are responsible for ensuring that an effective governance framework and systems, including risk management, are put in place in their area of responsibility. This should reflect the strategic risk management and governance arrangements within the Trust to ensure the delivery of safe and effective care to patients/clients to which they provide a service.
5.1.11 Senior Managers: All levels of management are responsible for understanding, implementing and embedding the risk management strategy and processes. They have operational responsibility for the management of risk within their specific area. They will:
Apply the Risk Management Strategy and any associated policies and procedures within their respective departments and ensure that day-to-day risk management standards are maintained;
Ensure that all staff that report to them are given sufficient information, instruction, training and adequate supervision with respect to risk management in their relevant sphere of work;
Actively implement any risk management policies and initiatives disseminated by the Corporate Control Committee and its sub committees;
Prepare Directorate Risk Registers and local risk management policies and procedures, as required;
Maintain local strategies that reflect the individual risk profile of their Directorate;
Facilitate attendance of staff at risk management and training and education programmes organised by the Trust and facilitate and/or organise departmental specific risk management training, as required.
5.1.12 Ward, Department and Facility Manager: Ward/departmental and facility managers have responsibility for the specific elements of Risk Management within the ward/department/facility for which they are responsible.
5.1.13 Individual Staff Members: Each member of staff is responsible for providing each patient/client with the highest possible quality of care/services and for taking all appropriate actions to promote patient and staff safety by minimising risk. There is an onus on each staff member to highlight any issues of concern, which he/she may have in relation to patient/client care and safety. This should be via the existing professional and/or managerial lines of accountability. Where individual staff members continue to have specific concerns which impact on the delivery of safe and effective care, they have a duty to highlight this in accordance with the Trust's Whistle Blowing Policy. All members of staff should:-
Demonstrate an awareness of risk and its consequences at all times;
Consider the risks involved in what they do and minimise those risks, where possible, to an agreed and acceptable level;
Practice in accordance with their professional codes of conduct;
Comply with the Risk Management Strategy and associated policies and procedures, eg, Incident Reporting, Consent etc;
Notify line managers/supervisors of any hazard or risk identified in their particular work areas which cannot be managed and requires attention;
Actively participate in the Trust's risk management training and education programmes;
Accept personal responsibility for maintaining a safe working environment; and
Comply with Trust policies and procedures relevant to their area of work.
5.1.14 Chairpersons of Corporate Control Sub Committees: The Chairpersons of sub committees will:
Chair their respective committees;
Prepare and update on an annual basis the terms of reference for their respective committee;
Prepare and submit annual action plans to the Corporate Control Committee for endorsement;
Attend the Corporate Control Committee meeting as and when required;
Ensure that minutes of each sub committee meeting are prepared and circulated as required. Copies of minutes of sub committees meetings should be made available to the Assistant Director: Risk Management & Governance for the attention of the Corporate Control Committee;
Submit quarterly reports to the Corporate Control Committee in line with the agreed reporting schedule.
5.1.15 Contractors and Agency Staff: It is essential that Contractors and agency staff are advised of their responsibilities to work safely within the Trust and acknowledge that the management of risk is an individual as well as a collective responsibility. They should be informed of the reporting mechanisms in the local area they are working in for reporting any hazards, risks and incidents whether they impact upon the contractor, agency staff, patient, client, staff or visitor. All service level agreements and contracts will include a section on risk management, eg, the need to ensure that staff provided have appropriate risk management training etc.
5.2 Committee Structure for Risk Management
A structure for the co-ordination and development of governance was presented to and ratified by the Trust Board in March 2010. This structure (Appendix 4) identifies an overarching committee, which is responsible for agreeing the strategic direction in relation to governance and for co-ordinating the various building blocks, which comprise the governance agenda. The main strands within the structure are risk management (including controls assurance), safe and effective care, financial governance and operational performance and service improvement processes. These strands are linked to a framework of sub-committees.
5.2.1 Corporate Control Committee and Associated Sub-Committees
A Corporate Control Committee was established with effect from 1 April 2010. The role of the Committee is to be the overarching strategic committee responsible to the Governance Assurance Committee on all matters pertaining to integrated governance issues, ie, Financial and Risk Management (including Organisational Controls). Clinical and Social Care Governance remains within the responsibility of the Safety & Quality Committee. It will support the governance and risk management accountability arrangements within the organisation and ensure that all significant risks are properly considered and communicated to the Governance Assurance Committee and/or the Trust Board, as appropriate. It meets on a quarterly basis. It oversees the work of all specialist risk management committees, the chairpersons of which report direct to the committee.
The committee is a sub-committee of the Governance Assurance Committee and comprises representation from Executive Directors, Directors, and appropriate managerial and professional representation. Two Non-Executive Directors are also members of the committee. The Chief Executive chairs the Committee. A copy of its Terms of Reference is included at Appendix 5. It has a range of sub committees (both clinical and non-clinical) that assist it with the management of risk within the Trust (these are listed in Appendix 4).
5.2.2 Corporate Control Committee Communication Process with Sub Committees
There is a clear communication process, with the various sub-committees reporting to the Corporate Control Committee. The chairperson of each committee is responsible for the management of his/her sub committee. They will be required to develop an annual action plan and to submit a quarterly report to the Corporate Control Committee. This will detail progress achieved to date. A pro forma has also been developed to allow sub committee chairpersons to escalate any issues of concern, significant risk issues or issues requiring attention to the Corporate Control Committee. Each Chairperson can attend the Corporate Control Committee on request should they require to do so.
Minutes of each sub committee will be copied to the Corporate Control Committee (via the Assistant Director: Risk Management & Governance). There will be a standing agenda item on the Corporate Control Committee agenda addressing the work of sub committees.
5.2.3 Corporate Control Committee Communication process to Governance Assurance Committee and Trust Board
The chair of the Corporate Control Committee produces a quarterly report on Risk Management for discussion at the Governance Assurance Committee. This includes details about the work of the Committee and also any significant risk issues that the Committee needs to be made aware of (including any issues raised by Corporate Control Committee sub committees). The Governance Assurance Committee subsequently reports to the Trust Board on a quarterly basis.
5.3 Risk Management Resources
The Trust has a dedicated Risk Management & Governance Directorate. The primary function of the department is to provide a central support service to managers and staff in co-ordinating, facilitating and developing appropriate responses to risk. The following staff are available to provide specialist risk management advice.
Director of Human Resources & Corporate Affairs (lead Director for Governance)
Assistant Director: Risk Management & Governance
Clinical Risk Director
Corporate Governance and Risk Manager
Clinical Risk Adviser/s
Litigation Services Manager
Health & Safety Adviser/s
Emergency Planning & Information Governance Manager
Information & Governance Officer
Complaints/Patient Liaison Manager
A copy of the organisational management chart for Risk Management & Governance is included at Appendix 6. In addition to the resources located within the Risk Management & Governance Department there are also a number of specialist risk advisers within the Trust such as Decontamination, Estates, Fire, Infection Control, Manual Handling, Medicines Governance, Occupational Health, Resuscitation and Security. Contact details for these services can be found on the Intranet.
6.0 Performance Review of Risk Management
There are two levels at which to review the performance management of risk. The first is to implement either national or local validated standards for risk management and audit implementation of compliance, for example, Controls Assurance Standards, EFQM, HQS and other quality improvement programmes. The second is to identify key performance indicators, which will trigger a review if the indicators indicate a gap or lack of progress. These standards and the key performance indicators are the tools the Trust will use in the first instance to review risk management performance and are described below.
6.1 Reports to Governance Assurance Committee
The Governance Assurance Committee will receive routine reports which detail the management of risk and resources on a regular basis based on an agreed reporting schedule of reports throughout each year. Examples include regular financial reports, complaints, incident and litigation reports and minutes of committee meetings. Increasingly, these reports will become integrated with progress reports on achievement of objectives etc as the new Trust evolves and reporting mechanisms are streamlined.
The Corporate Control Committee has responsibility for overseeing the implementation of this strategy and taking all actions associated with risk management. This committee will ensure that progress is monitored regularly and that quarterly reports are submitted to the Governance Assurance Committee and/or Trust Board, as appropriate. This will include production of an annual report, which will demonstrate the continuing effectiveness of the risk management system.
6.2 Performance Management Arrangements: Planning, Accountability and Assurance
The Trust has introduced an annual operating cycle which incorporates an integrated reporting system for Performance Management issues, including Priorities for Action, Trust Delivery Plan objectives, Corporate and Directorate Plans. This system requires the production of a Corporate Score Card (supported by Directorate Scorecards) and includes objectives for risk management and governance. The Planning and Performance Management Directorate will review implementation of the objectives on a regular basis. The Corporate Management Plan also includes a section on Governance (including Risk Management objectives).
6.3 Controls Assurance Self Assessment
As part of the controls assurance programme, the Trust is required to conduct a yearly baseline self-assessment of compliance with the controls assurance standards. Each standard has an allocated level of compliance – non, minimal, moderate, substantive and full. The risk management standard must achieve substantive compliance (70-99%) on a yearly basis. The Trust's internal auditors ratify independent verification of the score.
A Controls Assurance Project Team chaired by the Director of Human Resources & Corporate Affairs has been established and meets on a regular basis to ensure compliance with the progress of work. Action plans have been developed for each standard to ensure all areas of non compliance are addressed. Key performance indicators (KPIs), based on the content of the standards, have been developed. These KPIs will be monitored by the respective sub committees and reported to the Corporate Control Committee on a regular basis.
6.4 Linkages between the Governance, Corporate Control and the Safety & Quality Committees
The Governance Assurance Committee is accountable to the Trust Board, and provides strategic direction in relation to governance and integrates the three strands, which comprise the Trust's integrated governance model. Its two main sub committees – Corporate Control and Safety & Quality – lead the strategic and operational agendas in relation to risk management (clinical and non-clinical) and the delivery of safe and effective care.
6.5 Audits – Internal & External
The Trust's Internal Auditors are required to conduct an annual review of the Trust's internal control systems and report their findings to the Audit Committee/ Governance Assurance Committee and ultimately the Trust Board. A yearly schedule of audits will be established at the outset of each year. The three core controls assurance standards – Governance, Risk Management and Financial must be included. After each audit an action plan will be prepared and presented to the Corporate Control Committee and/or Audit Committee, for approval. The Trust's nominated external auditors also undertake external audits as part of the financial audit schedule.
6.6 Key Performance Indicators
The under noted list describes a variety of other methods by which the Trust can also measure its performance on Risk Management. This is not an exhaustive list:
Identification of Key Performance Indicators across all categories of risks;
Quarterly reports to Corporate Control Committee by lead Directors on Controls Assurance standards;
Risk Assessments;
Outcome of reports from audits and inspections to include external assessments such as RQIA, HSE, HQS etc;
Number of claims made, amounts paid in damages;
Number of complaints made;
Number of complaints that proceed to Independent Review and/or the Ombudsman;
Number of serious incident reviews, numbers of SAI reports made to the DHSSPS;
Annual Controls Assurance Report;
Controls Assurance KPI report;
Number of staff trained in risk management;
Implementation of recommendations from internal and external reports.
Further key performance indicators will require to be developed over time following implementation and review of this strategy.
6.7 Linking Risk Management to Service Planning
In making its plans and setting financial priorities the Trust will take account of risks as set out in its Corporate and Directorate Risk Registers. A bid for funding that demonstrates that a high priority risk on the register will be mitigated if approved will be given preference over a bid that cannot demonstrate such a linkage. The Trust will therefore direct funding to reduce risk as far as it is able to do so.
7.0 Related Risk Management Policies and Procedures
The Trust has a range of extant risk management related policies and procedures in operation within the Trust and these are available to all staff via the intranet. One of the most important policies relates to incident reporting. In this regard the Trust views near miss and incident reporting as the cornerstone of an effective risk management system. Trust staff are encouraged to undertake individual reporting of near misses, errors or mistakes, and to look critically at their own actions/omissions and those of their teams, to ensure we can provide good quality services for our patients/clients, staff and visitors. Incident reporting is seen as a mechanism for quality improvement and is a key component of clinical and social care governance. The Trust promotes an open, just, honest and participative culture in which errors or service failures can be admitted, reported and discussed without fear of reprisal. This will enable lessons to be identified and allow active learning to take place and the necessary changes put into our policies, procedures and practices.
8.0 Risk Management Education and Training
The Trust recognises that the provision of appropriate training and education is central to the implementation, maintenance and development of its Risk Management strategy. An on-going training and education programme will be developed to ensure that Board members, Directors, Assistant Directors, Senior, middle and first line managers, professional and other staff obtain training and education to the required levels and standards appropriate to their role within the Trust. All employees, including members of the Board, Clinicians, Managers, Bank, Locum, Agency Staff and Volunteers should receive appropriate risk management training. Training will include:
An introduction to risk management as part of the Trust's induction for all employees;
Training for new managers in line with identified needs in relation to their responsibilities for risk management;
Training for anyone with responsibility for undertaking any aspect of risk management such as risk identification, assessment and management, incident reporting, complaints or claims management, responsibility for controls assurance standards, use of computerised risk management systems and root cause analysis;
Specialist training where particular risks exist (eg, consent, moving and handling, basic life support etc).
The Risk Management & Governance Directorate will co-ordinate, design and/or deliver training for all relevant staff in respect of risk management to enable them to carry out their duties and responsibilities for risk management. Risk Management will be part of the corporate and local induction programmes for all staff. Through routine appraisal of all staff, training needs will be identified and personal development plans defined.
9.0 Stakeholder involvement
It is good practice to involve key stakeholders, as appropriate, in all areas of the Trust activities and this includes consulting on relevant significant high-risk areas/activities. The Trust has a wide range of communication and consultation mechanisms in existence with relevant stakeholders, both internal and external (see list below). Raising general public awareness of the Trust's Risk Management Policy and Strategy will be achieved by appropriate means.
List of stakeholders (this is not an exhaustive list)
Internal
All staff
Internal Auditors
Patient/Client User Forums
Risk Management Specialists, eg, risk and governance, fire, health & safety, back care, infection control, NIAIC Liaison Officer, security, health records, clinical risk and estates
Corporate Control Committee
Corporate Control Sub Committees (clinical and non-clinical)
Safety & Quality Committee and associated sub committees
Governance Assurance Committee
Executive Management Team
Trust Board
External
Department of Health, Social Services and Public Safety
Health & Social Care Board
External Auditors
General Practitioners
General Public
Health & Personal Social Services Trusts
Health & Safety Executive for Northern Ireland
Health Estates Agency
HM Coroner
Legal Advisers
Media
Members of the Local Assembly (MLAs)
Mental Health Commission
Patients and clients
Police Service for Northern Ireland
Politicians
Regulation and Quality Improvement Authority
Social Services Inspectorate
Patients and the Public
Feedback on risk issues will be encouraged through the User Consultation strategy and other relevant bodies. All managers and employees must understand the potential value of risk reporting from patients and/or members of the public, and adopt a welcoming attitude to comments and complaints. The Trust adopts a positive approach to the official complaints process with strict and thorough follow up of any potential risks identified. Information in the public domain (eg, website, newsletter, annual reports etc) should contain clear points of contact and stress the importance of public feedback.
10.0 Summary of the Risk Management Policy and Strategy
This risk management strategy is a working document that charts the future direction that the Trust will follow based on Departmental direction, guidance and best practice. It is a living document in that it exists within an environment of corporate change and development and, as such, it too will evolve and mature. The document reflects the Trust's approach to risk management as it stands at September 2010 and its vision for the next three years.
The Corporate Control Committee will review this strategy annually and any recommendations for change will be submitted to the Governance Assurance Committee and ultimately the Trust Board for endorsement. A full review of the strategy will be undertaken during the third year of implementation.
EQUALITY STATEMENT
This policy has been drawn up and reviewed in the light of Section 75 of the Northern Ireland Act (1998) which requires the Trust to have due regard to the need to promote Equality of Opportunity. In line with the duty of equality this policy has been screened against particular criteria and as a result no major issues requiring further impact assessment have been identified. This policy has also been considered and prepared with regard to the Trust’s obligation under the Human Rights Act 1998. The Trust is satisfied that the policy complies with its obligations under the Act. If at any stage of the life of the policy there are any issues within the policy which are perceived by any party as conflicting with his/her rights, that party should bring these to the attention of the Director of Human Resources or raise a complaint through the published complaints procedure.

_________________________________ Date: 31 March 2011
Hugh McCaughey
Chief Executive

___________________________________ Date: 31 March 2011
Eamonn Molloy
Director of Human Resources & Corporate Affairs (Lead Director for Governance)
Bibliography
An exemplar risk management strategy – NHS Estates
Circular HSS (PPM) 13/2002 – Governance in the HPSS – Risk Management
Circular HSS (PPM) 3/2002 – Corporate Governance: Statement of Internal Control
Circular HSS (PPM) 5/2003 – Governance in the HPSS – Risk Management
Circular HSS (PPM) 8/2004 – Governance in the HPSS: Controls Assurance standards – update
Clinical Governance: in the new NHS – HSC 1999/065
Establishing an Assurance Framework – March 2009
Governance in the New NHS – Controls Assurance Statements 1999/2000: Risk Management and Organisational Controls
Health Quality Service Accreditation Standards
HSC Controls Assurance Standards – Governance and Risk Management
HM Treasury Orange Book
Integrated Governance Handbook, DOH, February 2006
Risk Management in the NHS – NHS Management Executive – December 1993
Risk Management in the NHS Estates – HTM 2050
Standards Australia Risk Management – AS/NZS 4360:2004
Definitions and Glossary of Terms
AS/NZS 4360: 2004
Australian/New Zealand standard on risk management licensed by the Department of Health, Social Services and Public Safety
Clinical & Social Care Governance
A framework within which HPSS organisations are accountable for continuously improving the quality of their services and safeguarding high standards of care and treatment. Clinical and social care governance is about organisations taking corporate responsibility for performance and providing the highest possible standard of clinical and social care (Best Practice – Best Care, DHSSPS, 2002)
Controls Assurance
Is a process designed to provide evidence that HPSS organisations are doing their 'reasonable best' to manage themselves so as to meet their objectives and protect patients, staff, the public and other stakeholders against risks of all kinds.
Corporate Governance
The systems and process by which health and social care organisations lead, direct and control their functions in order to achieve organisational objectives, and by which they relate to their partners and wider community (Audit Commission 2000).
Hazard
A source of potential harm or a situation with a potential to cause loss. Is anything, which has the potential to cause harm eg, falling ladder, and substances hazardous to health.
RQIA
Non-departmental public body established on 1 April 2004, which will provide independent monitoring of clinical and social care governance and report to the Minister for Health.
Integrated Governance
Systems, processes and behaviours by which trusts lead, direct and control their functions in order to achieve organisational objectives, safety and quality of service and in which they relate to patients and carers, the wider community and partner organisations.
Likelihood
Used as a qualitative description of probability or frequency.
Probability
The likelihood of a specific event or outcome, measured by the ratio of specific events or outcomes to the total number of possible events or outcomes. Probability is expressed as a number.
Risk (AS/NZS standard)
The chance of something happening that will have an impact on objectives. It is measured in terms of consequence and likelihood.
Risk (in health & safety terms)
Is the likelihood, great or small, that somebody or something will be harmed by the hazard. The extent of the risk is measured by the likelihood/frequency of the harm occurring and the potential severity of harm.
Risk Assessment
The overall process of risk analysis and risk evaluation.
Risk Avoidance
An informed decision not to become involved in a decision.
Risk Evaluation
The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
Risk Identification
The process of determining what can happen, why and how.
Risk Management
The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects (AS/NZS standard 4360:2004).
Risk Management Process
The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks. (AS/NZS standard 4360:2004).
Risk Reduction The application of appropriate techniques and management principles to reduce or eliminate risk.
Risk Register Is a log of significant risks (clinical, non-clinical, financial etc) that threaten the Trust's success in achieving its aims and objectives. It is populated through the various risk assessments undertaken within the organisation, together with external reviews and reports. This enables risk to be quantified and ranked to inform the Trust Board and aid decision-making and resource allocation processes.
Statement of Internal Control
Is the process employed by an organisation to ensure that an organisation's established objectives are met. It involves identifying and evaluating risks to an organisation and stating how these will be managed and mitigated. An HPSS organisation is required to produce an annual statement on internal control, alongside its annual accounts, summarising the process employed and the results of all evaluations undertaken on the organisation's abilities to meet its objectives and discharge its functions.
List of Appendices
1 Risk Management Process – AS/NZS standard 4360:2004
2 Risk Matrix (March 2011)
3 Risk Management Policy Statement
4 Governance Organisational Chart (incorporating risk management)
5 Terms of reference – Corporate Control Committee (March 2011)
6 Risk Management Organisational Management Structure
Appendix 1
RISK MANAGEMENT PROCESS (AS/NZS standard 4360:2004)
Establish the context
■ The strategic context
■ The organisational context
■ The risk management context
■ Develop criteria
■ Decide the structure
Identify risks
■ What can happen?
■ How can it happen?
Analyse risks
Determine existing controls
Evaluate risks
■ Compare against criteria
■ Set risk priorities
Treat risks
■ Identify treatment options
■ Evaluate treatment options
■ Select treatment options
■ Prepare treatment plans
■ Implement plans
Accept risks: Yes / No
Communicate and consult
Monitor and review
Assess risks
Determine likelihood
Determine consequences
Estimate level of risk
Appendix 2
SOUTH EASTERN HEALTH & SOCIAL CARE TRUST – RISK MATRIX
Risk Impact (Consequence/Severity) Table
Category: Patient Safety/Clinical Safety (Injury/Harm to Staff/Public); Quality & Professional Guidelines/Standards; Reputation/Publicity; Legal/statutory Issues; Potential financial cost/loss; Service Continuity; Targets, Objectives and Service Provision
Impact
Catastrophic
Multiple deaths/ fatalities
Multiple deaths/ fatalities
Gross failure to meet professional standards
National Adverse Publicity
Full Public Inquiry
Litigation certain
Certain criminal prosecution (individual)
Unlimited fine and possible imprisonment of senior executives
Above £2m
Loss of multiple essential service/s in critical areas
Significant failure/s to meet a major target/s over a prolonged period of time
Possible termination of senior executives contracts of employment
Major
Death
Permanent harm/ disability, lasting greater than 1 year
15 days+ extended stay
Death
Permanent physical/ emotional injuries/trauma/ harm (lasting greater than 1 year to resolve)
Failure to meet Board, regional and national standards
Repeated failure to meet professional standards
Regional adverse publicity
Questions in the Assembly/ House
Independent external enquiry
MP concern
High level external investigation
Litigation expected/certain
Criminal prosecution likely
Unlimited fine
£250K to £2m
Extended loss of an essential service/s in more than one critical area
Failure to meet major target/s resulting in Departmental sanctions
Moderate
Treatment
Temporary significant harm/ disability
Prolonged patient stay
Semi-permanent disability, lasting over 1 month and less than a year, 8-15 days extended stay
Semi permanent physical/ emotional injuries/trauma/ harm (recovery expected within 1 year)
Outside agencies notified (SAI)
>3 days absence, RIDDOR Reportable
Repeated failure to meet internal standards or follow protocols/ policies and guidelines
Expected/high potential for complaint
Needs careful PR handling
Local adverse publicity
High level internal investigation
Litigation possible but not certain
High potential for complaint
Prohibition Notice
Possible minor criminal prosecution up to £20K fine
£100K to £250K
Loss of a service/s in any critical area
Failure to meet major targets. Significant departmental/public attention in respect of non compliance with standard
Minor
Minor harm
Increased patient monitoring
Non permanent harm lasting less than a month, 1-7 days extended stay
Short term injury/ harm, eg first aid
Emotional distress (recovery expected within days/weeks)
<3 days absence
Required IR2/IR3
Outside agencies notified
Single failure to meet internal standards, policy or protocol
Complaint possible
Informal unsubstantiated allegations
Complaint possible
Litigation unlikely
Improvement notice
£10K to £100K
Loss of a service in a number of non critical area/s
Failure to meet target /standard – no significant resulting consequence
Insignificant/ None
No harm
No injury/harm or no intervention required
Near Miss
Minor property loss/damage
Minor non-compliance with internal standards, policy or protocol
Minimal risks to Trust
Informal complaint
Unlikely to cause complaint
Litigation risk = remote
£1K to £10K
Minor loss of a non critical service
Failure to meet target, objectives, service provision – no sanctions applied
SET Risk Matrix – Version 1.0 (March 2011)
RISK MATRIX & RISK ASSESSMENT FRAMEWORK
Risk Grading – Action Guidance
Colour | Grade | Action
Green | Low | Manage by routine procedure
Yellow | Moderate | Management responsibility must be specified
Amber | High | Senior management attention needed
Red | Extreme | Immediate action required
Risk Likelihood Table
Descriptor | Score | Description | Chance
Very likely/almost certain | 5 | It is expected to occur in most circumstances (more than once a week) | 1 in 10
Likely | 4 | Will probably occur in most circumstances (once or twice per month) | 1 in 100
Possible | 3 | Might occur at some time (once or twice per year) | 1 in 1,000
Unlikely | 2 | Could occur at some time (may happen once every 3-5 years) | 1 in 10,000
Rare | 1 | May occur only in exceptional circumstances (not in the next 5 years) | 1 in 100,000
(Based on AS/NZS 4360:2004 standard)
Risk grade by Likelihood (rows) and Impact (Consequence/Severity) (columns)
Likelihood | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost Certain (5) | High | High | Extreme | Extreme | Extreme
Likely (4) | Moderate | High | High | Extreme | Extreme
Possible (3) | Low | Moderate | High | Extreme | Extreme
Unlikely (2) | Low | Low | Moderate | High | Extreme
Rare (1) | Low | Low | Moderate | High | High
Green
Low risk. Identified risks which fall in the green area are deemed low acceptable risks and require no immediate action. These should be managed by routine procedure and must be monitored regularly at departmental level.
Yellow
Moderate risk. Identified risks which fall in the yellow area are deemed moderate risk to the Trust and may require further action within 12 months to reduce risk to an acceptable level. These would normally be actioned locally within Directorates and monitored by the relevant Local Governance Committee and entered on the Directorate Risk Register, as appropriate.
Amber
High risk. Identified risks which fall in the orange area are deemed high risk to the Trust and require further actions within 6 months to reduce the risk to an acceptable level. These risks and agreed action plans should be considered by the Local Directorate Governance Committee and risks that cannot be actioned or reduced locally should be forwarded to the Corporate Control Committee (via the Assistant Director: Risk Management & Governance) for further consideration/actioning and entry on corporate risk register, if appropriate.
Red
Extreme risk. Identified risks which fall in the red area are deemed extreme risk to the Trust and must be reported to the Local Directorate Governance Committee. These risks require immediate action to reduce the level of risk and the relevant Director will ensure they are forwarded to the Corporate Control Committee (via the Assistant Director: Risk Management & Governance) for further consideration/action as appropriate. The appropriate Director will ensure the implementation of a time monitored action plan and provide regular reports to the Corporate Control Committee and/or the Governance Assurance Committee. These risks will be added to the corporate risk register, if appropriate.
NB: These notes are for guidance only and should not prevent Directors from notifying the Corporate Control Committee / Governance Assurance Committee of frequently re-occurring green / yellow risks or bringing high priority red risks to the Corporate Control Committee due to their urgent nature.
Appendix 3
SOUTH EASTERN HEALTH & SOCIAL CARE TRUST
POLICY STATEMENT ON RISK MANAGEMENT
Title: Policy Statement for Risk Management
Ratified by Relevant Executive Directors: Yes / No
Ownership: South Eastern Health & Social Care Trust
Status: Current
Publication Date: March 2011
Next Review: March 2013
Author(s) Assistant Director: Risk Management & Governance
Version 1 (Dec 2007) Version 2 (Sept 2010)
Evidence Base: Extant Risk Management Controls Assurance Standard SET Risk Management Strategy 2007-2010
1.0 POLICY STATEMENT
1.1 The Trust is committed to providing quality health and social care services to the population it services. Assessing and managing risks is an integral part of the diverse work carried out within the Trust. Making decisions on risk and managing uncertainty are every day realities for Trust staff. The Trust will support its staff where such judgements have to be made and where sometimes difficult decisions need to be taken. A Risk Management Strategy document has been created to provide an overall framework to assist the overall organisation in managing risk and to give support to staff.
1.2 The Trust's person-centred ethos, in line with its Corporate and Directorate Plans, involves working in partnership with service users, carers and the wider community. As part of that process of providing a person-centred service, the Trust accepts that staff will often have to make difficult decisions on risk, in partnership with service users and carers. Sometimes these decisions need to be made in conjunction with other organisations within and outside the service and, accordingly, the Trust will seek to foster close links with commissioners and other providers and agencies from the voluntary, statutory and private sectors.
1.3 The Trust recognises that, in order to facilitate the best possible judgement on risk issues, appropriate support must be provided to staff and managers. This support will be provided, for example, by the work of the Corporate Control Committee, the Assistant Director: Risk Management & Governance, the Corporate Governance & Risk Manager and the Risk Management & Governance Directorate. Through this support, and always recognising that patients and clients with the capacity to do so are ultimately entitled to reject what the Trust considers to be in their best interests, the Trust aims to continually build on the wealth of existing knowledge of, and skill in, risk management throughout the Trust. This is so that the optimum balance is maintained between good quality care, treatment and support of patients/clients and the provision of services that reduce potential harm as far as possible, to patients, clients and to staff.
1.4 Risk Management policies and procedures will be reviewed on a regular basis in line with the arrangements for development and maintenance of policies. The management of risk is a key organisational responsibility and it should, therefore, be embedded within the organisational culture. All managers and health and social care professionals and staff must accept the management of risks as one of their most important duties. Additionally, every member of staff must have a real sense of ownership of, and commitment to, identifying and minimising risks. However, this should not preclude Trust staff from taking balanced, and sometimes difficult, judgements on risk that will increase the quality of life for Trust patients and clients. Judging risk, however, involves making rational judgements, which can be justified professionally, ethically and legally. Any action taken by staff must take into account appropriate legislation, for example health and safety, human rights, equality and disability discrimination.
1.5 To facilitate the reduction of risk the Trust recognises the value of learning from incidents and near misses that have occurred in the past (including litigation and complaints). Through a process of incident review it will seek to disseminate this learning throughout the organisation. This is best achieved through a culture of openness and honesty, where mistakes and incidents are identified quickly and handled in a supportive and responsive way. This culture will support shared learning across the Trust.
1.6 Whilst risk management is the responsibility of all staff, the Governance Assurance Committee will seek assurances that the Corporate Control Committee has in place, and regularly reviews, processes and procedures to properly assess and manage risk.
1.7 The Trust will review the risk management strategy on an annual basis and the manner in which it is operated so that it can assure itself that the Risk Management processes within the organisation remain appropriate and effective. This strategy is a key part of the Trust's approach to governance, which underpins the ability of the Trust to deliver its goals, corporate strategies and annual plans.
EQUALITY STATEMENT
This policy has been drawn up and reviewed in the light of Section 75 of the Northern Ireland Act (1998) which requires the Trust to have due regard to the need to promote Equality of Opportunity. In line with the duty of equality this policy has been screened against particular criteria and as a result no major issues requiring further impact assessment have been identified.
This policy has also been considered and prepared with regard to the Trust’s obligation under the Human Rights Act 1998. The Trust is satisfied that the policy complies with its obligations under the Act. If at any stage of the life of the policy there are any issues within the policy which are perceived by any party as conflicting with his/her rights, that party should bring these to the attention of the Director of Human Resources or raise a complaint through the published complaints procedure.
Signed: Mr Hugh McCaughey, Chief Executive. Date: 31 March 2011
Signed: Mr Eamonn Molloy, Director of Human Resources & Corporate Affairs. Date: 31 March 2011
Appendix 4
South Eastern Health & Social Care Trust
Proposed High Level Governance Structure
[Organisational chart. Boxes and labels shown:]
Corporate Control Committee
Safety & Quality Committee
TRUST BOARD
Governance Assurance Committee
Medical Professional Forum
Social Work Professional Forum
Nursing Professional Forum
AHP Professional Forum
Board Committees
Audit
Finance
Joint Committees
Adoption Panel
Common Investment Fund
Management assurance
Independent assurance
Remuneration & Terms of Service
Governance Assurance
Charitable Funds
Sub Committees
Sub Committees
Professional Governance Fora
Operational Performance & Service Improvement Processes
Executive Management Team
Directorate Governance Committees (x8)
HL Gov Structure – April 2010
SOUTH EASTERN HEALTH & SOCIAL CARE TRUST
Proposed Lower Level Sub Committee Structure
[Organisational chart. Boxes and labels shown:]
TRUST BOARD
Governance Assurance Committee
Safety & Quality Committee
Corporate Control Committee
Clinical Negligence - Preliminary Advisory Group
Employers/Public Liability Advisory Group meeting
Operational Performance & Service Improvement Processes
Decontamination Sub Committee
Lessons Learnt Sub Committee
Medical Devices & Equipment Sub Committee
Emergency Planning & Service Continuity Sub Committee
Environmental Cleanliness Sub Committee
Health & Safety Sub Committee
Information Governance Sub Committee
Learning & Development Sub Committee
Blood Transfusion Sub Committee
Policy Sub Committee
Radiation Protection Sub Committee
Research Sub Committee
Clinical & Social Care Guidelines Sub Committee
Infection Control Sub Committee
Multi-Prof. Audit Steering Sub Committee
Patient Safety Leadership Sub Committee
Resuscitation Sub Committee
Safeguarding Sub Committee
Controls Assurance Project Team
Executive Management Team
Public & Personal Involvement Sub Committee
STANDING ADVISORY GROUPS
Fire Sub Committee
Environmental/Waste Management Sub Committee
Fleet & Transport Management Sub Committee
Security Sub Committee
Drug & Therapeutics Sub Committee
Organ Donation Sub Committee
LL Gov Structure – SET – April 2010 (V2 – Jan 2011)
Appendix 5
Corporate Control Committee
Terms of Reference
Date: March 2010
Version: Version 1.1
Review Date: March 2011
TOR – Corporate Control – April 2010
Contents
1.0 Constitution
2.0 Membership of committee
3.0 Quorum
4.0 Frequency of meetings
5.0 Authority
6.0 Roles and Responsibilities of the committee
7.0 Operational reporting arrangements
8.0 Reporting
1.0 Constitution
The Governance Assurance Committee hereby resolves to establish a sub committee to be known as Corporate Control Committee (the Committee).
2.0 Membership of the Committee
Membership of the Committee shall be as follows:
The Executive Management Team;
Two Non-Executive Directors;
Clinical Risk Director;
Assistant Director of Risk Management & Governance (Joint operational lead for Governance);
Assistant Director: Financial Services
Assistant Director: Safe & Effective Care (Joint operational lead for Governance)
Assistant Director, Social Work Regulation, Improvement and Audit
Head of Pharmacy and Medicines Management
Corporate Governance & Risk Manager
The Chief Executive shall be the Chairman of the Committee and he shall be supported in this role by a Vice Chairman who shall be the lead Director for Governance.
3.0 Quorum
A quorum shall be one third (5) of the members of the committee (18).
4.0 Frequency of Meetings
The committee shall meet on a quarterly basis.
5.0 Authority
The Committee is authorised by the Governance Assurance Committee to undertake any activity within its terms of reference. In particular, it may seek advice from whatever source it deems to be appropriate in order to fulfil its function.
6.0 Role and Responsibilities of the Committee
The role of the Committee is to be the overarching strategic committee responsible to the Governance Assurance Committee on all matters pertaining to integrated governance issues ie, Financial and Risk Management (including Organisational Controls). Clinical and Social Care Governance remains within the responsibility of the Safety and Quality Committee.
It will support the governance and risk management accountability arrangements within the organisation and ensure that all significant risks are properly considered and communicated to the Governance Assurance Committee and/or the Trust Board, as appropriate.
Governance responsibilities
To provide assurance to the Governance Assurance Committee that the key building blocks of integrated governance - financial governance, risk management (including organisational controls) and clinical and social care governance are being effectively and appropriately managed.
To ensure that key priorities relating to Governance are delivered through a performance management and accountability framework;
To be responsible for the strategic management of the Trust's integrated Governance agenda, incorporating financial controls, risk management (including organisational controls) and clinical and social care governance;
To develop and implement an integrated Governance strategy supported by an annual governance plan at Strategic and Director/Directorate levels;
To prepare and submit regular reports to the Governance Assurance Committee on the activities and outcomes of the Corporate Control Committee including the work of related sub committees;
To receive for endorsement the annual programmes of work for the Corporate Control Sub Committees;
To consider and prepare the risk management section of the Trust's Annual Statement of Internal Control and any Risk Management Statements for inclusion in the Trust's Annual Report;
To develop and implement an Assurance Framework for the Trust ensuring that all significant risks that impact on the achievement of the Trust's principal objectives have been identified, recorded, actioned and entered on to the Corporate Risk Register, as appropriate;
To receive regular reports on the operation of the Trust's Risk Registers (both Corporate and Departmental) ensuring that regular reports are made to the Governance Assurance Committee and/or Trust Board;
To ensure compliance with the achievement of the Controls Assurance programme and any other similar initiatives, eg ISO and HQS programmes, in accordance with agreed work plans;
To produce an annual report on the activities of the Committee for submission to the Governance Assurance Committee and ultimately the Trust Board;
To ensure appropriate linkages are in place with the Safety & Quality, Financial management and Operational and Performance Management strands of the governance structure to ensure that the risk and safety/quality programmes work in unison.
Risk Management Responsibilities
To provide the Governance Assurance Committee with assurances that the Trust has appropriate arrangements for effective internal control, and for the identification and management of risk.
To implement and maintain a strategic framework within which the Trust can develop a dynamic risk management system including relevant policies, procedures and guidelines for clinical and non-clinical risks;
To produce an annual risk management programme of work for endorsement by the Governance Assurance Committee;
To establish a framework of sub committees reporting to the Corporate Control Committee in order to ensure key risk management priorities are being addressed;
To be responsible for the organisation-wide co-ordination and prioritisation of risk management issues and overseeing the work of any specialist risk management groups;
To receive annual action plans and regular reports for all sub committees reporting to the Corporate Control Committee in order to ensure key governance and risk management priorities are being addressed;
To act as a filter mechanism for risk issues from Directorate level risk registers for entry onto the Corporate Risk Register;
To lead on the implementation and monitoring of relevant risk management standards, eg Controls Assurance, in order to ensure the delivery of high quality, evidence based care;
To determine priority areas for the audit programme in respect of governance and risk management activities based on both clinical and non clinical risk programmes.
7.0 Operational arrangements for meetings
7.1 Administrative support to the committee
The Committee shall be supported administratively by the Assistant Director: Risk Management & Governance, whose duties in this respect will include:
Preparation and issue of agenda on behalf of the Chairman;
Collation and distribution of papers sufficiently in advance of each meeting to facilitate their full consideration and discussion at the meeting;
Ensuring appropriate arrangements are in place for the servicing of the committee including the taking of minutes and keeping a record of matters arising and issues to be carried forward.
Advising the Committee on pertinent issues.
7.2 Conduct of meeting
All questions arising will be decided by a simple majority of those present. In the case of equal votes, the Chair will have a casting vote. It is intended that meetings will not last more than 2 hours.
7.3 Agenda items and papers for meetings
Agenda items should be submitted to the Assistant Director: Risk Management & Governance 10 days in advance of the meeting. He/she will agree the content of the agenda prior to issue with the chairman of the group.
The Assistant Director: Risk Management & Governance will issue the agenda/papers for the meeting approximately 7 days in advance of the meeting. Should an item need to be raised on the day, this can be covered under Any Other Business, subject to there being available time for discussion. If separate papers require circulation, these should, wherever possible, be issued with the agenda. This is intended to enable the members to have the opportunity to read information in advance.
7.4 Minutes of meetings
The Assistant Director: Risk Management & Governance (or nominee) will provide the secretariat for the meeting. Minutes of meetings will be produced and agreed with the chair prior to issue. These will be circulated as soon as possible after the meeting listing topics discussed, actions agreed and individuals responsible for undertaking those actions.
7.5 Sub Committee Reporting Arrangements
The Committee will oversee the work of all specialist risk management sub committees and will endorse their terms of reference and annual programmes of work. The Committee will receive the minutes of all sub committee meetings and quarterly reports detailing progress reports on work plans.
7.6 Review of terms of reference
The Committee will review its terms of reference on an annual basis. The Governance Assurance Committee should endorse these.
8.0 Reporting
The minutes of the Committee shall be formally recorded and distributed to the members of the Committee and presented to the next Governance Assurance Committee meeting, for information and noting. Regular reports from the Corporate Control Committee will be submitted to the Governance Assurance Committee as per the agreed reporting mechanism.
List of members of the Corporate Control Committee – April 2010
The Executive Management Team;
■ Hugh McCaughey
■ Eamonn Molloy
■ Charlie Martyn
■ John Simpson
■ Desi Bannon
■ Kate Thompson
■ Charlotte McArdle
■ Seamus McGoran
■ Neil Guckian
Two Non-Executive Directors;
■ Donal Flanagan
■ Dermot O'Hara
Clinical Risk Director – Mr Maurice Dunlop;
Assistant Director of Risk Management & Governance (Joint operational lead for Governance) – Miss Irene Low;
Assistant Director: Financial Services – Mrs Wendy Thompson;
Assistant Director: Safe & Effective Care (Joint operational lead for Governance) – Mrs Lorna Telford;
Assistant Director, Social Work Regulation, Improvement and Audit – Mrs Barbara Campbell;
Head of Pharmacy and Medicines Management – Miss Jill Macintyre
Corporate Governance & Risk Manager – Mrs Susan McKnight
Appendix 6
STRUCTURE FOR RISK MANAGEMENT AND GOVERNANCE
[Organisational chart. Boxes and labels shown:]
DIRECTOR OF HUMAN RESOURCES & CORPORATE AFFAIRS
ASSISTANT DIRECTOR OF RISK MANAGEMENT & GOVERNANCE (8C)
Risk Management & Governance
Corporate Governance & Risk Manager (SM – 8A)
Emergency Planning & Information Governance Manager (SM – 8A)
Complaints/Patient Liaison Manager (SM–B7)
Litigation/Systems Manager (SM-B7)
Assistant Complaints Officer (Band 6)
Band 4
Band 2
Clinical Risk Adviser* (SM–B7)
Health & Safety Adviser* (SM-B7)
Litigation Services Assistant (Band 4)
Litigation Services Assistant (Band 4)
Litigation Services Assistant (Band 4)
Emergency Planning Officer (SM-B5)
Information & Records Management Officer (SM-B7)
Admin Support Assistant – NIAIC (Band 3)
Clinical Risk Adviser** (SM–B7)
Health & Safety Adviser** (SM-B7)
Data Inputers X5 (P/T) (Band 2)
Clerical Officer (Band 2)
Team Secretary (Band 3)
Team Secretary (Band 3)
Team Secretary (Band 3)
Admin Support Officer (Band 4) (FOI/DP/Recs)
Structure for RM & Gov Directorate – Final Version – 19.12.07 (updated Oct 2010)
SM = Senior Manager
P/T = Part Time