Risk Management Strategy and Standard Operating Procedure

Document Status Final Equality Impact Assessment Completed – No impact

Document Ratified/ Approved By Governance and Risk Committee/ Governing Body

Date Issued December 2013 Date to be reviewed December 2014 Distribution All Staff

Author Debra Elliott, Senior Governance Manager North of England Commissioning Support Unit

Version 2 Reference No TBC Location TBC

Contents

1. Introduction

2. Definitions

3. Approach to Risk Management Principles

4. Roles and Responsibility for Implementation

5. Approach to Risk Management and Assessment

6. Distribution and Implementation

7. Training Plan

8. Monitoring

9. Equality and Diversity

10. Associated Documents

Appendices

1. Further risk management definitions

2. Safeguard Incident Risk Management System Risk Register Standard Operating Procedure

3. Risk Management Strategy and Standard Operating Procedure Work Plan


1. Introduction

1.1 This strategy and the related risk register standard operating procedure (SOP) set out the approach and arrangements for risk management within the South Tees Clinical Commissioning Group (CCG).

1.2 The principles are consistent with those within NHS England's Risk Management Strategy and Risk Management Policy and Procedure issued in July 2013.

1.3 This strategy sets out the CCG approach to risk and the management of risk in fulfilment of its overall objectives. In addition, the adoption and embedding within the organisation of an effective risk management framework and processes will ensure that the reputation of the CCG is maintained and enhanced, and that its resources are used effectively to ensure business success, continuing financial strength and continuous quality improvement in its operating model.

1.4 As part of this strategy it is also acknowledged that not all risks can be eliminated. Ultimately it is for the organisation to decide which risks it is prepared to accept, based on the knowledge that an effective risk assessment has been carried out and the risk has been reduced to an acceptable level as a consequence of effective controls.

1.5 At its simplest, risk management is good management practice, and risk assessment provides an effective management technique for managing the organisation (through the identification of risks and the development of mitigating action). Through this strategy and SOP the CCG is keen to ensure that risk management is not seen as an end in itself, but rather as part of an overall management approach that supports the organisation in developing achievable management action plans.

2. Definitions

The strategy and SOP are based on the following definitions:

• Risk is the chance that something will happen that will have an impact on the achievement of the CCG objectives. It is measured in terms of likelihood (frequency or probability of the risk occurring) and consequence (impact or magnitude of the effect of the risk occurring).

• Risk Management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk.

• Risk Assessment is the process used to evaluate the risk and to determine whether precautions are adequate or more should be done. The risk is compared against predetermined acceptable levels of risk.

Further definitions of terms are set out in Appendix 1.


3. Approach to Risk Management: Principles, Aims and Objectives

3.1 This strategy sets out the CCG's approach to the way in which, in general terms, risks are managed. This will be achieved by having a thorough process of risk assessment in place. This will provide a useful tool for the systematic and effective management of risk and will inform and guide staff as to the way in which all significant risks are to be controlled.

3.2 The aims of the strategy are summarised as follows:

• to ensure that risks to the achievement of CCG’s objectives are understood and effectively managed;

• to maintain a risk management framework to assure the Governing Body that strategic and operational risks are being effectively managed;

• to ensure that risk management is a cohesive element of the internal control systems within the CCG’s corporate governance framework;

• to ensure that risk management is an integral part of the CCG culture and its operating systems;

• to ensure that the CCG meets its statutory obligations including those relating to health and safety and data protection, and

• to assure all stakeholders, staff and partner organisations that the CCG is committed to managing risk appropriately.

3.3 In order to achieve these aims the CCG is committed to ensuring that:

• risk management is embedded as an integral part of the management approach to the achievement of objectives;

• the management of risk is seen as a collective and individual responsibility, managed through the agreed committee and management structures;

• patient feedback, complaints and staff feedback are used as an integral part of the approach to risk management;

• risk management support, training and development will be provided by the Commissioning Support Unit governance team;

• a training needs analysis will be undertaken to identify staff members affected by the roll out of the strategy. Based on the findings of the analysis a risk management training programme will be put in place; and

• risk management guidance will be provided to all staff.


4. Roles and Responsibility for Implementation of the Risk Management Strategy and SOP

The following staff have specific responsibilities with regards to risk management:

4.1 The Chief Officer has overall responsibility for ensuring the effective implementation of this strategy and SOP.

4.2 The Chief Finance Officer is the nominated lead for co-ordination of governance and risk management throughout the CCG.

4.3 Officers (including commissioning support staff) will:

• be familiar with the main risks in their area of activity, leading the management of risks where required;

• ensure the processes for managing risk within services/teams are clearly understood by managers, appropriately delegated and effective; and

• ask for feedback from managers about risk assessments relevant to their portfolio and team(s); carry out further risk assessment to determine if the risk is common across the service/CCG teams; in conjunction with the wider team, determine the level of risk and required actions to eliminate or control the level of risk and report back to the team any progress and outcome in relation to action agreed.

4.4 All staff – risk management is everyone's responsibility and all staff must be familiar with the main risks in their area of activity. All staff must work within the guidance of the Risk Register SOP – see Appendix 2 for full guidance.

4.5 The Commissioning Support Unit, working with and on behalf of the CCG, will:

• provide advice to ensure consistency in grading risks to identify the level of priority required in addressing risks;

• support staff throughout the risk assessment process as outlined in the SOP;

• support and monitor the implementation of CCG risk registers;

• collate and analyse data showing trends and patterns and generate appropriate reports as agreed within the CCG risk management portfolio; and

• support the development and reporting of the Governing Body Assurance Framework and Annual Governance Statement working closely with the Chair, lay members and other Governing Body members to ensure strategic risk is accurately reflected and managed.

4.6 The CCG has developed clear lines of accountability with defined responsibilities and objectives, the risk management reporting committees are outlined below:


• The Governance and Risk Management Committee is responsible for reviewing and providing verification on the systems in place across the CCG for governance and risk management including internal control.

• The Quality, Performance and Finance Committee is responsible for ensuring that risks to the delivery of the principles of patient safety, quality, safeguarding, performance and finance are identified, addressed and reported to the Governing Body as appropriate.

• The Audit Committee is responsible for ensuring that organisational risk management systems and processes are in place.

• The Remuneration Committee advises the Governing Body regarding appropriate remuneration and terms of service for the Accountable Officer and other senior employees.

• The Governing Body monitors high level, principal risks relating to the achievement of the strategic objectives through the Governing Body Assurance Framework.

Governance infrastructure enabling effective risk management: the Governing Body and the committees listed above, with supporting working groups as required.

4.7 The Governance and Risk Management Committee is chaired by the Chief Finance Officer and has overall responsibility for overseeing the implementation of this strategy and SOP. The committee will also:

• review all risks on the risk register and monitor progression of stated action on a bi-monthly basis;

• review trend analysis for all risks;

• ensure the established processes to manage risk by each team are in place and provide support for action where necessary;

• ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective; and

• escalate issues to the Governing Body as appropriate, in particular the identification of new significant risks or areas of concern for risks graded high or extreme.


4.8 The members of the Executive Group will:

• maintain awareness of the main risks facing the organisation;

• take ownership where relevant of principal (strategic) risks that pose a threat to the achievement of strategic objectives and ensure appropriate action is taken to mitigate and manage risks, ensuring regular updates to the Governing Body through contributing to the Assurance Framework;

• review all Extreme and High risks on a monthly basis;

• take or delegate ownership, where relevant, of risks that pose a threat to the achievement of objectives or the business of the CCG and ensure appropriate action is taken to mitigate and manage risks, ensuring regular updates are added to the risk register; and

• ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective.

4.9 Significant CCG projects/work streams require project / programme leads to ensure there are arrangements in place to develop, maintain and regularly review a project risk register to ensure effective management of risk. Red risks (graded as extreme or high) should be escalated to the CCG risk register if they are likely to impact on the CCG strategic objectives.

4.10 Assurance Framework

The CCG will produce and maintain a Governing Body Assurance Framework (AF). The AF forms part of the overall governance arrangements of the CCG and is a key component of the organisation’s internal control arrangements. The AF forms a significant part of the assurance given by the Accountable Officer in the Annual Governance Statement. It will be prepared at the start of each financial year when the CCG’s strategic objectives are known. It should be prepared with the involvement of senior leaders, reviewed by the committee with oversight for it (e.g. the Governance and Risk Committee) on a regular basis and the Audit Committee. It will also be approved and reviewed by the Governing Body at least six monthly.

5. Approach to Risk Management and Assessment

5.1 Definition of Risk

Risk, risk management and risk assessment are defined in section 2 above.

5.2 Types of risks to be managed

Examples of the types of risk that the CCG might encounter and need to mitigate against include:

• Corporate risks – operating within powers, fulfilling statutory responsibilities and ensuring accountability;


• reputational risks – associated with quality of services, communication with customers, staff and stakeholders;

• financial risks – associated with achievement of planned surpluses, reduction in costs and revenue growth;

• environmental risks including health and safety – ensuring the well-being of staff and visitors whilst using CCG premises;

• strategic risk – a significant risk that will impact organisation-wide and not just upon a function or team; and

• operational risk – a key risk which impacts on a team's operational achievement.

5.3 Assessment of Risk

5.3.1 Whenever risks have been identified it is important to assess and record the risk so that appropriate controls are put in place to eliminate the risk or mitigate its effect. To do this a CCG risk register has been developed with an aligned risk register SOP. The SOP has been developed based on current national guidance – see Appendix 2, Safeguard Incident Risk Management System (SIRMS) South Tees CCG Risk Register SOP.

5.3.2 By all staff using the CCG risk register SOP it will ensure that risk assessments are undertaken in a consistent manner using agreed definitions and evaluation criteria. Additionally, this will allow for comparisons to be made between different risk types and for decisions to be made on the resources needed to mitigate the risk.

5.3.3 Risks are assessed in terms of the likelihood of occurrence and the consequences of impact. In order to arrive at an overall risk rating of the residual risk, the risk is rated to take account of the effectiveness of the controls, i.e. whether they are considered to be satisfactory, have some weaknesses or to be weak. This then provides the overall residual risk rating. Once the residual risk rating is determined an action plan identifying further mitigating action is put in place.

5.3.4 For each risk that is not adequately controlled, an action plan to reduce or eliminate the risk is required. The implementation of the action plan and residual risk assessment must be kept under review, to assess whether planned actions have reduced or eliminated the risk as expected.

5.3.5 Any risk that is identified through the risk assessment process and which the CCG is required legally to report will be reported accordingly to the appropriate statutory body, e.g. the Health and Safety Executive or the Information Commissioner.


5.4 Risk Appetite

South Tees CCG endeavours to reduce risks to the lowest level that is reasonably practicable. Each risk will be avoided, transferred or retained. Where a risk cannot reasonably be avoided, every effort will be made to mitigate the remaining risk.

5.5 Risk Tolerance

The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risks scored as 12 or above should be escalated to a senior manager and the Governance and Risk Committee for review and monitoring and reported to the Governing Body quarterly. Low, moderate & high risks will be managed and monitored at team level, any risks of concern even if not scoring as an extreme risk can be highlighted to the Governance and Risk Committee for escalation to the Governing Body.

6. Distribution and Implementation

6.1 This strategy and risk register SOP will be made available to all staff via CCG internal communications.

6.2 Notifications of strategy and SOP changes will be shared via internal CCG communications.

6.3 Any further guidance will be provided via the CSU governance team.

7. Training Plan

7.1 Risk management training will be provided to all executive members on an annual basis.

7.2 A training needs analysis will be undertaken by the CSU Senior Governance Manager (lead for Risk Management).

7.3 Based on the findings of that analysis, a CCG risk management training plan will be developed for staff.

8. Monitoring

8.1 The Governance and Risk Committee will review the strategy and SOP annually, the Governing Body Assurance Framework on a quarterly basis and function/team risk registers on a bi-monthly basis.

8.2 Senior leads will ensure that teams review their risk registers on a monthly basis (or within individually agreed review times).


9. Equality Impact Assessment

9.1 This document has been developed in line with NHS England's commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage or civil partnership, gender reassignment and pregnancy and maternity) as well as to promote positive practice and value the diversity of individuals and communities.

9.2 As part of its development this document's impact on equality has been analysed and no detriment identified.

10. Associated documentation

10.1 POL - 1015 Risk Management Strategy

10.2 POL – 1000 Risk Management: Policy and Procedure

10.3 POL – 1002 Health & Safety: Policy & Corporate Procedures

10.4 POL – 1003 Incident management: Policy & Corporate Procedures

10.5 POL – Business Continuity Policy: Policy & Corporate Procedures


Appendix 1 – Definitions

Action plan How the identified gap is to be addressed and how the risk is to be diminished.

Assurance Framework (AF)

The AF is an integral part of the system of internal control and defines the significant potential risks which may impact on delivery of the organisation priorities. It also summarises the controls and assurances that are in place, or are planned, to mitigate against them. Gaps are identified where key controls and assurances are insufficient to reduce the risk of non-delivery of objectives. This enables the governing body to develop and subsequently monitor an assurance action plan for closing the gaps.

Consequence This is a numerical value from one to five (five = catastrophic) for the impact that a risk may have on the organisation or individual, and may be physical, financial, reputational etc.

Control The control of risk involves taking steps to reduce the risk from occurring such as application of policies or procedures.

Directorate risk register

The directorate risk register is a summary of the risks identified through internal processes.

External assurance

External evidence that risks are being effectively managed (e.g. planned or received audit reviews).

Gaps in controls or assurances

Where an additional system or process is needed, or evidence of effective management of the risk is lacking.

Impact A measure of the impact that the predicted harm, loss or damage would have on the people, property or objectives affected.

Issue A relevant event that has happened, was not planned and requires action. It can be any concern, query or request for change.

Likelihood A measure of the probability that the predicted harm, loss or damage will occur. This is a numerical value from one to five (five = almost certain) for the potential of the risk to be realised.

Management assurance/actions

What are we doing to manage the risk and how this is evidenced? Sources of information used to ascertain whether controls are working or not. Examples include minutes of meetings, internal or external audit reports, survey results and reports to the Executive Group


Operational risks A key risk that impacts on individual directorate operational achievement. Operational risks are managed locally within the directorate and are the responsibility of the appropriate Director /Senior Manager.

Risk appetite The organisation’s unique attitude towards risk taking that, in turn, dictates the amount of risk that it considers is acceptable.

Residual risk The risk remaining after the risk response has been applied.

Risk An uncertain event or set of events that, should it occur, would have an effect on the delivery of objectives. It is measured in terms of consequence and likelihood.

Risk assessment The process used to evaluate the risk and to determine whether precautions are adequate or more should be done to mitigate the risk. The risk is compared against predetermined acceptable levels of risk.

Risk management

The systematic application of management policies, procedures and practices to the task of identifying, analysing, assessing, treating and monitoring risk.

Risk owner A named individual who is responsible for the management, monitoring and control of all aspects of a particular risk assigned to them.

Risk tolerance The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risk scored as 12 or above should be escalated to a senior manager and to the Executive Group for review and monitoring.

Strategic risks A significant risk that has the potential to impact across the organisation. These risks have been mapped to the business plan objectives and will be presented to the Governing Body in the AF.


Appendix 2

SIRMS (Safeguard Incident & Risk Management System) Standard Operating Procedure: Risk Register

NHS South Tees CCG Version 14 Review date: 31/03/2015

V14 D.Elliott / K.Watson

Contents

General points

Access rights

Assessing risks

Printing reports

Accessing the web-based risk register

How to add a risk

Entering a risk

Select organisation's risk register

Date added to risk register

Risk Source

Description of risk

Organisational risk type

NECS/CCG

Corporate objective

Risk Co-ordinator

Risk Owner and Responsible Director

Responsible committee

Initial risk rating

Controls and assurances

Action plans

Risk updates

Review details

Residual risk rating

Closing a risk

Risk register reports

Appendix 1: Risk assessment and escalation process

Appendix 2: Describing a risk

Appendix 3: New Risk Form


General points Users are responsible for familiarising themselves with their duties for risk management as laid out in the CCG risk management policy.

Access rights Access will only be set up for nominated staff. Security access levels will be set by the governance team as specified by your risk lead.

Assessing risks Risks should be assessed according to the ‘Risk assessment and escalation process’ procedure (Appendix 1) using the risk matrix below.

Risk score = Likelihood (down) x Consequence (across)

Likelihood            1 Negligible   2 Minor   3 Moderate   4 Major   5 Catastrophic
5 Almost certain           5            10          15          20           25
4 Likely                   4             8          12          16           20
3 Possible                 3             6           9          12           15
2 Unlikely                 2             4           6           8           10
1 Rare                     1             2           3           4            5
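The matrix above, the escalation threshold in section 5.5 of the strategy (a score of 12 or above is escalated) and the two SIRMS risk levels ('Extreme' for 15 to 25, otherwise 'Low, Mod, High') can be checked mechanically rather than by eye. The Python below is an added example written for this page; it is not part of SIRMS or of the CCG's own tooling. It scores a risk, records every review as a new version as the SOP asks, and flags the two things a committee reviewer most often misses: a score of 12, which sits in the 'Low, Mod, High' band yet still escalates, and a residual rating whose band no longer matches the recorded risk level, because changing the residual score does not change the level automatically. The risk reference number and sample ratings are constructed; the finer low/moderate/high cut-offs are not stated anywhere on the page and are deliberately not assumed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# 5x5 matrix axes, as in the SOP.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

ESCALATION_THRESHOLD = 12   # section 5.5: 12 or above goes to a senior manager and committee
EXTREME_MIN = 15            # SOP: 'Extreme' risk level is a score of 15 to 25

EXTREME = "Extreme"
LOW_MOD_HIGH = "Low, Mod, High"   # the other risk-level option offered by SIRMS


def risk_score(likelihood: int, consequence: int) -> int:
    """Likelihood (1-5) x consequence (1-5), exactly as the matrix reads."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must each be 1..5")
    return likelihood * consequence


def level_for(score: int) -> str:
    """Risk level the SOP expects for a given score."""
    return EXTREME if score >= EXTREME_MIN else LOW_MOD_HIGH


def needs_escalation(score: int) -> bool:
    """Section 5.5: 12 or above is escalated, even though 12 is not 'Extreme'."""
    return score >= ESCALATION_THRESHOLD


@dataclass
class Version:
    number: int
    likelihood: int
    consequence: int
    level: str
    note: str = ""

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.consequence)


@dataclass
class Risk:
    """One register entry; every review adds a version so the movement of the risk is kept."""
    ref: int                       # sequential SIRMS-style reference (constructed here)
    versions: List[Version] = field(default_factory=list)

    @classmethod
    def new(cls, ref: int, likelihood: int, consequence: int) -> "Risk":
        initial = risk_score(likelihood, consequence)
        risk = cls(ref)
        risk.versions.append(Version(1, likelihood, consequence, level_for(initial), "initial rating"))
        return risk

    @property
    def current(self) -> Version:
        return self.versions[-1]

    def review(self, likelihood: int, consequence: int, note: str = "") -> Version:
        """Record a residual rating as a NEW version. As in SIRMS, the risk level is
        carried over unchanged even if the new score falls in a different band."""
        prev = self.current
        version = Version(prev.number + 1, likelihood, consequence, prev.level, note)
        self.versions.append(version)
        return version

    def change_level(self, new_level: str, reason: str) -> Version:
        """Escalate or de-escalate; a reason is mandatory, as the SOP requires."""
        if new_level not in (EXTREME, LOW_MOD_HIGH):
            raise ValueError("unknown risk level")
        if not reason.strip():
            raise ValueError("a reason is required for escalation/de-escalation")
        prev = self.current
        version = Version(prev.number + 1, prev.likelihood, prev.consequence, new_level,
                          "level %s -> %s: %s" % (prev.level, new_level, reason))
        self.versions.append(version)
        return version

    def level_mismatch(self) -> Optional[str]:
        """The level the current score implies, if it differs from the recorded level;
        None when consistent. Worth running on every update because the level does
        not follow the residual score automatically."""
        implied = level_for(self.current.score)
        return implied if implied != self.current.level else None


def register_report(risks: List[Risk]) -> List[dict]:
    """One row per risk with the two flags a committee reviewer needs."""
    rows = []
    for risk in risks:
        cur = risk.current
        rows.append({
            "ref": risk.ref,
            "version": cur.number,
            "score": cur.score,
            "level": cur.level,
            "escalate": needs_escalation(cur.score),
            "level_should_be": risk.level_mismatch(),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample: Likely (4) x Major (4) = 16, so 'Extreme' at entry.
    sample = Risk.new(1042, 4, 4)
    # After controls the likelihood drops to Possible (3): 3 x 4 = 12. Still escalated,
    # but the band is now 'Low, Mod, High' while the recorded level is still 'Extreme'.
    sample.review(3, 4, "control effectiveness confirmed; likelihood reduced")
    for row in register_report([sample]):
        print(row)
```

The report row for the sample shows escalate=True together with level_should_be='Low, Mod, High', which is exactly the state the SOP warns about under 'Residual risk rating': the reviewer must change the level by hand, and doing so creates a further version with a recorded reason.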

Printing reports The system allows for both single risk reports which provide all the details logged against a single risk and also a full risk register report. The content of these reports is fixed, however it is possible for the NECS governance team to design other reports on an ad hoc basis that can be scheduled to run and be forwarded to users automatically on a periodic basis.

Accessing the web-based risk register To access SIRMS (Safeguard Incident and Risk Management System) go to https://sirms.necsu.nhs.uk

You should log into the system with the username and password you log into your computer with. If you require access to the risk register, a request should come from your nominated risk lead, to [email protected]

This document, along with other relevant risk management guidance, can be requested from Kate Watson 0191 217 2659 [email protected], Wendy Marley 0191 374 4157 [email protected] or Debra Elliott 0191 374 2749 [email protected]


How to add a new risk

Once signed in, open the Risk module and click to add a new risk.

You will then be asked to decide whether the new risk is 'extreme' (risk score 15 to 25) or 'high, moderate, low' (risk score 1 to 12). Select Extreme or Low, Mod, High risk accordingly.

Extreme risks are those rated 15 to 25 which have the potential to impact adversely on the organisation's ability to deliver its corporate (strategic) objectives.


Entering a risk

Select organisation's risk register

Select your organisation from the drop down list: this will assign the risk to the correct risk register. The first four fields select the register the risk will appear on. Please take care to select the options for YOUR organisation.

The orange fields are mandatory sections that must be completed. The risk reference number will not appear until you have saved these details. The system will assign a sequential number that should be used to identify the risk; the sequence runs across all the organisations that are using SIRMS.

To change the risk level, use the drop down option before saving. If you change it after saving, you will need to provide a reason for escalation/de-escalation. NB: changing the risk level will generate an automatic email notification to the risk owner and responsible director.

A new version must be created BEFORE existing risks are updated.


Date added to risk register

This is the date the risk is added to the risk register. The default date will always be the current date. If you wish to change this, use the drop down calendar. NB: if the date of entry differs from the date the risk was identified do not worry, as the new risk form can be uploaded to the risk to form part of the audit trail.

Risk Source

The source of the risk identifies how you became aware of the risk, i.e. through national guidance, through a reported incident, a complaint etc.

Description of risk

The risk cause, event and effect allow you to describe the risk in detail. Take care to describe the consequence of a risk in addition to the cause. E.g. 'management of staff sickness' is not a risk, but 'failure to deliver a high quality service due to inability to manage staff sickness effectively' would be.


Organisational Risk Type

First select 'organisational risk type' to select the South Tees risk type. Then in 'risk type' click on the drop down arrow and select the appropriate South Tees risk type.

NECS/CCG

Choose your organisation from the drop down list: select NHS South Tees CCG. (Please note this field ties the organisation to its corporate objectives.)


Corporate Objectives

From the list of corporate objectives, select which one the risk impacts on.

Risk co-ordinator

Select the risk co-ordinator for your CCG from the drop down list.

Risk owner and responsible director

Type the surname in and the relevant person will be found; please note, you have to click on the name to select them. If the name does not appear in the system please contact [email protected]


Responsible Committee

Select the committee that is responsible for monitoring the risk from the drop down list.

Initial Risk rating

Apply the initial risk rating. This is the score that is given to the risk before controls have been applied. Either select the score from the table, or use the drop down boxes. See 'Risk assessment and escalation process' in Appendix 1. Click 'save' after completing the initial risk rating.

You will now need to save the risk before you can complete the rest of the form. If you have not completed all of the mandatory (orange) fields, you will not be able to save.


Controls and Assurances

Please enter any control measures already in place as well as any new ones that will be implemented to manage the risk. For example, in the case of a litigation risk, you could list 'Claims Procedure' or 'Claims handling service provided by NECS' as part of the existing control framework. You will also need to enter the control measures that need to be in place so that you can record the gaps that need to be addressed in order to achieve the control.

To add a control choose 'New'. Complete the details, selecting the level of effectiveness of the control from the drop down box.


Action plans

Then go to Action plan. To add a new action, click 'new'. Click on the 'Action Details' tab and complete it. If you are updating actions, click on the 'Progress' tab and complete the section.


Risk Updates

NB: A new version should be created with each update in order to ensure that the movement of the risk is captured.

Risks should be reviewed and updated on a regular basis, and the frequency of review should be considered when assessing the risk.

Every time an update is conducted you should make a note in this section of the date the risk was reviewed and by whom. The process should involve:

• Create a new version (either by changing the 'risk level' or clicking on 'new version').

• Enter assurance against each control measure.

• Review and update the progress on the action plan.

• Reassess and apply the residual risk score (this is the score following implementation of control measures).

• Enter the actual date of review and by whom.

1. If you know that the risk level is going to change (from 'Extreme' to 'Low, Moderate, High' or vice versa), change this first, as this will automatically create a new version number. You will need to provide an explanation for 'Escalation' or 'De-escalation', and enter the names of the Risk Owner and Responsible Director. This will generate a notification email of this action.

2. If the risk level is to remain unchanged, click on 'New Version' instead. You will need to click 'OK' to confirm creation of the new version.


Review details

Describe what has been updated: controls and assurance; action plan; review frequency; increase/decrease to residual risk rating. This section can also highlight suggested actions, such as discussing at a committee or recommended closure of the risk.

Complete the sections to record when the risk was reviewed and by whom. To add review details (i.e. date of review, reviewer and details of the fields that have been updated) click 'new'. The details of the review should be a summary of what has been updated in this version, i.e. assurance on controls, progress update in the action plan, reduction in residual risk rating etc. You can also use this field to note if the risk is to be considered for removal.

When entering a new risk, select from the drop down list how often it is to be reviewed. The next review date will be displayed; this is dependent on the date entered when adding the review (update).

Residual risk rating

This is the consequence and likelihood score following implementation of control measures. If the risk rating has changed following review, apply the residual risk rating score. Either select the score from the table, or use the drop down boxes. See 'Risk assessment and escalation process' in Appendix 1.

Please note: changing the residual risk rating will not automatically change the risk level at the top of the screen. The risk level has to be changed manually. Remember, changing the risk level will create a new version, therefore it is best practice to change the risk level at the start of your update.


Closing a risk

Scroll to the bottom of the page and select ‘Closed’ from the current status options.

In the Controls and Assurances section, click on each control measure and provide your assurance regarding the closure of the risk, and select ‘Action Plan Completed Risk Removed’ from the ‘Effectiveness’ drop down list.

You should also provide progress on your action plan and provide a completion date and outcome.


You should then enter the date of closure and select the appropriate reason for closing the risk from the drop down list. In the Details box you should enter an explanation for the closure.

Risk register reports

To print a report click on the ‘Print’ icon; this will generate a PDF copy of the report. Whatever is highlighted in this window will be the report that is generated. As the system becomes more developed, more reports will become available.

NB: Closed risks will be archived, but you can still access them by changing the filter at the top left to ‘Closed’.


Appendix 1

Risk assessment and escalation process

Step 1: Determine the consequence score

This is offered as guidance when completing a risk assessment, either when an incident has occurred or if the consequence of potential risks is being considered.

Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. Note that the consequence will be either negligible, minor, moderate, major or catastrophic.

Table 1: Consequence score (severity levels) and examples of descriptors

Scores: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic.

Domain: Impact on the safety of patients, staff or public (physical/psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work.
2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days. Increase in length of hospital stay by 1-3 days.
3 Moderate: Moderate injury requiring professional intervention. Requiring time off work for 4-14 days. Increase in length of hospital stay by 4-15 days. RIDDOR/agency reportable incident. An event which impacts on a small number of patients.
4 Major: Major injury leading to long-term incapacity/disability. Requiring time off work for >14 days. Increase in length of hospital stay by >15 days. Mismanagement of patient care with long-term effects.
5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An event which impacts on a large number of patients.

Domain: Quality/complaints/audit
1 Negligible: Peripheral element of treatment or service suboptimal. Informal complaint/inquiry.
2 Minor: Overall treatment or service suboptimal. Formal complaint (stage 1). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved.
3 Moderate: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2). Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple complaints/independent review. Low performance rating. Critical report.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards.

Domain: Human resources/organisational development/staffing/competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (<1 day).
2 Minor: Low staffing level that reduces the service quality.
3 Moderate: Late delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale. Poor staff attendance for mandatory/key training.
4 Major: Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/key training.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training/key training on an ongoing basis.

Domain: Statutory duty/inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty.
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
3 Moderate: Single breach in statutory duty. Challenging external recommendations/improvement notice.
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report.
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report.

Domain: Adverse publicity/reputation
1 Negligible: Rumours. Potential for public concern.
2 Minor: Local media coverage, short-term reduction in public confidence. Elements of public expectation not being met.
3 Moderate: Local media coverage, long-term reduction in public confidence.
4 Major: National media coverage with <3 days service well below reasonable public expectation.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House). Total loss of public confidence.

Domain: Business objectives/projects
1 Negligible: Insignificant cost increase/schedule slippage.
2 Minor: <5 per cent over project budget. Schedule slippage.
3 Moderate: 5–10 per cent over project budget. Schedule slippage.
4 Major: 10–25 per cent over project budget. Schedule slippage. Key objectives not met.
5 Catastrophic: >25 per cent over project budget. Schedule slippage. Key objectives not met.

Domain: Finance including claims
1 Negligible: Small loss. Risk of claim remote.
2 Minor: Loss of 0.1–0.25 per cent of budget. Claim less than £10,000.
3 Moderate: Loss of 0.25–0.5 per cent of budget. Claim(s) between £10,000 and £100,000.
4 Major: Uncertain delivery of key objective/loss of 0.5–1.0 per cent of budget. Claim(s) between £100,000 and £1 million. Purchasers failing to pay on time.
5 Catastrophic: Non-delivery of key objective/loss of >1 per cent of budget. Failure to meet specification/slippage. Loss of contract/payment by results. Claim(s) >£1 million.

Domain: Service/business interruption; environmental impact
1 Negligible: Loss/interruption of >1 hour. Minimal or no impact on the environment.
2 Minor: Loss/interruption of >8 hours. Minor impact on environment.
3 Moderate: Loss/interruption of >1 day. Moderate impact on environment.
4 Major: Loss/interruption of >1 week. Major impact on environment.
5 Catastrophic: Permanent loss of service or facility. Catastrophic impact on environment.


Step 2: Determine the likelihood score

Now determine the likelihood of the impact occurring.

The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency. The frequency-based score will be classed as rare, unlikely, possible, likely or almost certain.

Table 2: Likelihood score (frequency: how often might it/does it happen)

1 Rare: This will probably never happen/recur.
2 Unlikely: Do not expect it to happen/recur but it is possible it may do so.
3 Possible: Might happen or recur occasionally.
4 Likely: Will probably happen/recur but it is not a persisting issue.
5 Almost certain: Will undoubtedly happen/recur, possibly frequently.

Step 3: Assigning a risk rating

Now apply the consequence and likelihood ratings to give you a risk rating for each of the risks you have identified. Calculate the risk rating by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score).

Table 3: Risk rating = consequence x likelihood (C x L)

Likelihood score:        1 Rare   2 Unlikely   3 Possible   4 Likely   5 Almost certain
Consequence score:
5 Catastrophic           5        10           15           20         25
4 Major                  4        8            12           16         20
3 Moderate               3        6            9            12         15
2 Minor                  2        4            6            8          10
1 Negligible             1        2            3            4          5

For grading risk, the scores obtained from the risk matrix are assigned grades as follows:

Green: 1–3, Low
Yellow: 4–6, Moderate
Amber: 8–12, High
Red: 15–25, Extreme

Step 4: Control measures

Consider the control measures that will be put into place to mitigate the risk.

Step 5: Assessing the effectiveness of the control(s)

For each of the risks (and especially extreme and high risks) identify the controls that are in place. For example, in an operational setting and where an incident may have occurred, the controls may take the form of a policy, guideline, procedure or process, etc. For risks that have been identified as preventing achievement of organisational objectives then the control is likely to be a management action plan.


Table 4: Assessing the effectiveness of control(s)

Review the control(s) for each of the risks and apply the following criteria:

Satisfactory: Controls are strong and operating properly, providing a reasonable level of assurance that objectives are being delivered.

Some Weaknesses: Some control weaknesses/inefficiencies have been identified. Although these are not considered to present a serious risk exposure, improvements are required to provide reasonable assurance that objectives will be delivered.

Weak: Controls do not meet any acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.

Step 6: Determine risk type

The risk type should be specified. In South Tees risks can be classified as: Confidential

Step 7: Align risk to corporate objective

The risk should be aligned to the corporate objective that it will impact on:

1. Demonstrate measurable improvement in the quality and safety of services.
2. Develop primary care strategy to maximise role of primary care.
3. Develop CCG as membership organisation with active engagement and contribution of Practices.
4. Fulfil statutory obligation of delivering financial balance, surplus and QIPP.
5. Development and implementation of IMProVE.
6. Partnership working to improve health and wellbeing of patients and communities.
7. Lead the development of effective urgent care strategy across the local economy.

Step 8: Developing an action plan

An action plan must be developed for all risks, regardless of the risk rating, in order to record progress on control measures and who is responsible for carrying them out, as the system is capable of generating automatic reminders to action owners.

Step 9: Determine frequency of review

The frequency of review should also be specified, as this will need to be added to the SIRMS ‘Review Details’ section by choosing the appropriate option from the drop down list.


Risk Updates

Risks should be reviewed and updated on a regular basis.

Please follow the guidance below:

Before entering your update, ensure you have created a new version. This can be done in two ways:

1. If your ‘Risk Level’ has changed as a result of review you should change the risk level to ensure it corresponds with the residual risk rating that has been applied. This will automatically create a new version.

2. If your ‘Risk Level’ remains the same following review you should click on ‘New Version’.

Scroll down to ‘Controls and Assurances’, click on each control measure in turn and edit to enter the assurance against each control. You will also need to alter the control effectiveness accordingly. You can also enter any new controls. NB: As long as you have created a new version you can overwrite the assurance from the previous version, as this will be archived in the previous version and will provide an audit trail of progress. This will ensure that only the current position is seen on the printed risk register.

Scroll down to ‘Action Plan’, add any ‘New’ actions and update any existing actions by clicking on each action in turn and editing to provide an update on progress where possible. NB: Please ensure you provide your update in the ‘Progress’ section.

Scroll down to ‘Review Details’, click on ‘New’ and enter the actual ‘Review Date’ (you can use the calendar for this). Please also enter the name of the person the risk was ‘Reviewed By’. Then, in ‘Details of Review’, please describe what has been updated, e.g. controls and assurances; action plan; changes to residual risk rating. This section can also be used to highlight where (i.e. which committee) the risk will be discussed and also if closure is recommended.

Scroll down to ‘Residual Risk Rating’ and where appropriate enter/amend the residual consequence and likelihood scores. Remember, this should correspond with the ‘Risk Level’ at the top of the form.

Residual risk rating

This is the consequence and likelihood after the control measures have been applied.

Taking into account the initial risk rating and the assessment of the effectiveness of the control together, you can now assess the residual risk that needs to be managed. The consequence and likelihood ratings should be applied, as in table 3 above.


Risk Management Action Guide

Where risks have been identified and scored, the following escalation arrangements should be used. The table below provides a suggested action guide for the management of a risk:

Risk rating 25, RAG rating Red
Action: Halt activities IMMEDIATELY and review status.
Level of authority: Warrants Managing Director attention.

Risk rating 15–20, RAG rating Red
Action: Significant probability that major harm will occur if control measures are not implemented. URGENT action required. Director may consider limiting or halting activity.
Level of authority: Warrants Director attention.

Risk rating 8–12, RAG rating Amber
Action: Unacceptable level of risk exposure which requires constant monitoring and controls at Directorate level.
Level of authority: Warrants Director attention.

Risk rating 4–6, RAG rating Yellow
Action: Moderate probability of moderate harm if control measures are not implemented. Action in the medium term.
Level of authority: Warrants Head of Service/Senior Lead attention.

Risk rating 1–3, RAG rating Green
Action: The majority of control measures are in place. Harm severity is small. Action may be long term.
Level of authority: Warrants manager attention.


Appendix 2

Describing a risk

In SIRMS, there are three fields in which to describe your risk: the risk cause, event and effect. These are mandatory fields and, whilst details will be entered separately, when printed they will appear in one field on the risk register, called ‘description of risk’.

Example

Risk Cause: As a result of…. (This is the trigger)

Risk Event: There is a risk that….(This is what might happen)

Risk Effect: Which will result in….(This is the impact on the achievement of objectives)


Appendix 3

NEW RISK FORM – South Tyneside CCG

Risk Register – New Risk

Risk Ref Leave blank

Date Identified

Responsible Director Name and job title

Risk Owner Name and job title

Risk Details

Delivery Area Frequency of Review Source of Risk

Description of Risk

Risk Cause

Risk Event

Risk Effect (impact)

Risk Assessment Matrix (please circle)

Likelihood score:        1 Rare   2 Unlikely   3 Possible   4 Likely   5 Almost certain
Consequence score:
5 Catastrophic           5        10           15           20         25
4 Major                  4        8            12           16         20
3 Moderate               3        6            9            12         15
2 Minor                  2        4            6            8          10
1 Negligible             1        2            3            4          5

Initial risk rating score:

(Please include the C x L scores)

Approved to add to risk register:

Yes No

Control Measures: Control Details | Effectiveness of Controls | Gaps in Control

Actions Required

Action Details Responsibility / Lead Target Date

Form Completed By

Name Job Title Contact Details

Completed forms should be returned to: Your Risk Co-ordinator, for approval to add to Risk Register and entry onto SIRMS.


Appendix 3 NHS SouthTees CCG

Risk Management Strategy and Standard Operating Procedure (SOP) Work Plan December 2013

Columns: What | How | Person Responsible | By When | Resources Required

1. What: Risk Management Strategy and SOP reviewed by Governance & Risk Committee. Once agreed, the Strategy and SOP to be sent to the Governing Body meeting for review and approval; once approved, to be published on the CCG website.
How: North of England Commissioning Support (NECS) governance team to arrange for the Strategy & SOP to be uploaded and for communication to go out internally across the CCG.
Person responsible: Lead is NECS Governance Administrator working with CCG Corporate Governance Risk Officer.
By when: Within 5 working days of policy approval; website publication within 5 working days of policy approval (or go live of website).
Resources required: Staff time and commitment.

2. What: Ensure CCG and staff are aware of the new Strategy and SOP.
How: Targeted email to CCG staff; raise at team meetings.
Person responsible: Lead is CCG Corporate Governance Risk Officer.
By when: Within 5 working days of policy approval.
Resources required: Staff time and commitment.

3. What: Risk management training needs analysis to be undertaken and risk management training developed for review at Governance and Risk Committee.
How: Baseline review of CCG risk management training to date to be undertaken. Outcome: baseline review to be analysed, training plan drafted and finalised for CCG review and internal comment.
Person responsible: Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer.
By when: February 2014 G&R Committee meeting.
Resources required: Staff time and commitment.

4. What: Risk register management and review.
How: All CCG risks to be subject to peer review and internal scrutiny. Outcome: all risks on the CCG risk register will be live, well defined, have an agreed risk score and review target date and be aligned to a CCG strategic objective.
Person responsible: All relevant CCG staff; lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer.
By when: Twice a year, January & July.
Resources required: Staff time and commitment.

5. What: CCG risk management maturity assessment.
How: CCG Risk Management Maturity Assessment to be developed and undertaken. Outcome: CCG Risk Management Maturity Assessment Report to be prepared and presented to G&R Committee. The report would include results of the assessment, findings and future recommendations to support enhanced risk management across the CCG.
Person responsible: All relevant CCG staff; lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer.
By when: June 2014.
Resources required: Staff time and commitment.

6. What: Governing Body (GB) Assurance Framework (AF) review and update.
How: CCG AF to be reviewed in line with principal objectives & risks, reviewing current controls and assurances.
Person responsible: All relevant CCG staff; lead is CCG Corporate Governance Risk Officer with support from NECS Senior Governance Manager.
By when: February 2014.
Resources required: Staff time and commitment.