Status: Draft Reviewed: Autumn 2015 Page 1 of 21
Version: 1 Next Review Date: Autumn 2017
Herefordshire CCG Risk Framework
Version History
Version | Date Issued | Brief Summary of Change | Author/Contributors
D0.01 | 17/09/2012 | Document Created | Lindsey Mclean
D0.02 | 23/09/2012 | Document updated with governance and escalation processes | Mike Emery/Lindsey Mclean
D0.03 | 24/09/2012 | Cross-referencing and Appendix A updated | Mike Emery/Lindsey Mclean
D1.0 | 10/2012 | Agreed by CCG GB | Mike Emery
D2.1 | 6/2015 | Revised Policy | Mike Emery
D2.2 | 20/6/2015 | Further updates after feedback from CSU Risk lead & Internal Auditors | Mike Emery/Liz Hill
D2.3 | July 2015 | Updates with feedback from Audit Committee | Mike Emery
D2.4 | October 2015 | Updates from Consultation with staff | Mike Emery
D2.4i | December 2015 | Reformatting into new corporate logo | Gillian Pearson/M Emery
Document Location
Document Location | File Name
Q:\CCG\HCCG\1. CCG Policies\2. Draft Policies | HCCG0026 Risk Framework Revised v 2.4 20151109.doc
Document sign off
Name | Date | Signature
SMT | 26/09/2012 |
Audit Committee | 09/10/2012 |
GB | October 2012 |
Audit Committee (revised) | July 2015 |
Document Distribution List
Name | Purpose | Department/Organisation
SMT and key managers | For comment and review | Autumn 2015
Contents
1. Introduction (page 4)
2. Principles of Risk Management (page 5)
2.1 Introduction (page 5)
2.2 Step 1 - Identifying Risk (page 7)
2.3 Step 2 - Identify Existing Controls And Assess The Risk (page 8)
2.3.1 Risk Scoring Matrix - Likelihood (page 8)
2.3.2 Risk Scoring Matrix - Impact (page 9)
2.3.3 Risk Scoring - Severity (page 12)
2.4 Step 3: Determine Additional Controls Required (page 13)
2.4.1 The 4T's of Risk Control (page 13)
2.5 Step 4: Implement Additional Control Measures (page 14)
2.6 Step 5: Monitor Completion & Effectiveness of Controls Assurance (page 15)
3 Assurance Framework (page 17)
3.1 Applying the Process to Opportunity Management (page 19)
4 Risk Governance and Escalation (page 20)
4.1 Risk Governance and Escalation Process - Corporate Risk Register (page 20)
4.2 Risk Governance and Escalation Process - Business Area Risk Registers (page 20)
1. Introduction
Risk management can be defined “as a means of reducing adverse events occurring in
organisations by systematically assessing, reviewing and then seeking ways to minimise their
impact or possibly prevent their occurrence.” Risk management brings huge benefit to NHS
Herefordshire CCG as it enables us to be positive in the decisions we make.
When we consider potential risks we must remember there is an "upside" as well as a "downside"
in whatever we do, and it is important not to focus only on the adverse effects but to balance them
with the opportunities that may arise. Through this guidance the CCG aims to manage risk to add
value by achieving the balance between under-managing risks (being unaware of them and therefore
having no control) and over-managing them (an obsessive level of involvement in the fine details,
which could become overwhelming and stifle innovation and creativity).
Risk management is one of the main components of Clinical and Corporate Governance; it
requires us to:
Understand risks that may prevent us from delivering our strategic objectives
Have clear policies aimed at managing risks and grasping opportunities
Undertake risk assessments to identify and manage risk and opportunities
Have action plans and programmes in place to reduce risk.
The full benefits of risk management will only be obtained if there is a comprehensive and
coordinated approach which is supported at every level of management throughout the
Herefordshire CCG. This Guidance is intended to be used by all staff and departments in the
organisation.
The purpose of this policy is to define and document the CCG's approach to risk and risk
management and to:
Enable the Governing Body to have an overview of the risks it faces, taking into account
all aspects of its business, developing a risk-aware culture throughout the organisation
Provide assurance to the Governing Body that actions are being taken to mitigate risks to
acceptable levels
Embed consideration and assessment of risk in all aspects of planning, commissioning
and delivery
Ensure a consistent approach to risk management across the organisation
Assure the public, patients, member practices, staff and our partner organisations that the
CCG is managing its risks effectively and appropriately
Enable resources to be deployed effectively to manage risk
Enable constant and consistent improvement of healthcare provision and patient
experience.
The policy relates to the management of CCG risks. Its scope therefore covers resources
directly managed within or by the CCG. Where the activities of other providers and partners in
collaborative arrangements, and the actions of other organisations outside the CCG acting on
its behalf through commissioning agreements, involve risk that can affect whether
the CCG achieves its objectives, those activities and actions also come within the scope of this policy.
2 Principles of Risk Management
2.1 Introduction
A risk can be defined as “an uncertain event or set of events which, should it occur, will have an
effect on the achievement of objectives. A risk is measured by a combination of the probability of
a perceived threat or opportunity occurring and the magnitude of its impact on objectives” (OGC
Glossary of Terms, 2008)
Risk management brings huge benefits to NHS Herefordshire CCG as it enables us to be positive
in the decisions we make.
There are Five Steps of Managing Risk:
Identify Risks from Hazards and Threat events.
Evaluate the level of risk based on adequacy of existing controls.
Determine additional controls required.
Implement control measures and action plan.
Monitor controls, Record & Review assessment i.e. Assurance.
The five steps for the managing of risk are described below:
Step 1 - Identify the risks from hazards and/or threats in your area, and factors that could prevent or inhibit delivery of strategic objectives.
Step 2 - Identify the existing controls in place and evaluate the level of risk (likelihood/impact) and the adequacy of the existing controls to reduce risk in your area.
Step 3 - Determine additional controls which may be required to further reduce the risk or threat, ensuring that you allocate a risk owner.
Step 4 - Implement the additional control measures, record and review your assessment on a regular basis:
    Identify audit (including clinical) topics
    Identify future training and development needs
    Address the risks and action plan in the business / service plan
Step 5 - Monitor that identified actions are completed and that these, together with existing controls, are effective, i.e. assurance.
2.2 Step 1 - Identifying Risk
Risk identification is concerned with identifying events that can impact on the business objectives
and delivery of services (strategic and operational): 'what could happen'. These objectives are
outlined in the annual integrated business plan and CCG clinical strategy. Both the positive and the
negative effect should be considered, so ask 'what could happen if we do...' as well as 'what could
happen if we don't...'; this enables confident risk taking and exploitation of opportunities.
Common areas to prompt identification of risk include:
Clinical: the clinical delivery of health and healthcare and access to services
Patient Experience/Quality – poor patient experience and unacceptable quality
Patients /public: understanding their needs; delivery of and access to services and care
People: risks associated with all employees, managers, directors and Non- Executive
Directors.
Operational: delivery of health and social care services, quality of services, continuity of
business and clinical governance assurance i.e. doing the right things in the wrong way
Finance: losing monetary resources or incurring unacceptable liabilities
Strategic: successful achievement of the organization’s objectives i.e. doing the wrong
things as an organisation; missing opportunities
Reputation: the image of NHS Herefordshire CCG, loss of public confidence
Legal / Regulatory: non-compliance with standards (CQC), claims against the CCG
Information: loss or inaccuracy of data, systems or reported information
To manage risks well you need to be explicit about how the events you have listed could impact
on what you want to achieve, so that action is focused in the right area. This is done by:
Identify the objective/tasks - involved in the job or activity you are undertaking, this will
help you to break the activity down into its component parts and more easily see the
hazards involved. E.g. providing services (clinical or social) to people in their own homes.
Identify the hazards/threats – what could prevent this objective/task being achieved. E.g.
hazards/threats from recruitment difficulties making it difficult to employ correctly qualified
staff.
Identify the Consequence/Impact – should the hazard or threat be realised what would
happen e.g. People may not receive necessary clinical or social care resulting in
deterioration in their condition.
Sometimes it can help to phrase the risk or opportunity into three parts: Event – Consequence – Impact
2.3 Step 2 - Identify Existing Controls And Assess The Risk
Once the risk or opportunity has been identified it needs to be assessed for how likely it is the
event could occur and the impact it will have if it should. This assessment should take into
consideration existing controls and their effectiveness.
Typical examples of existing controls will include written policies and procedures, staff training,
referral or admission criteria and the physical environment. In describing the controls it is
important to consider how effective they are, when they were last reviewed or tested or when
staff were last trained. The assessment should be based on the risk scoring matrix below to
ensure all risks are assessed objectively. Focus should be on the descriptor not the number.
Once the levels of likelihood and impact have been assessed, the two scores are multiplied to
give an overall objective assessment of the existing (residual) level of risk.
2.3.1 Risk Scoring Matrix - Likelihood
Description and definitions of LIKELIHOOD of RISK occurring:
Level | Description | Probability
5 | Risk almost certain to occur | >50 per cent
4 | Risk likely to occur | 10 to 50 per cent
3 | Risk could possibly occur | 1 to 10 per cent
2 | Risk unlikely to occur | 0.1 to 1 per cent
1 | Risk highly unlikely to occur (rare) | <0.1 per cent
2.3.2 Risk Scoring Matrix - Impact
Each consequence type is scored from 1 (Insignificant) to 5 (Catastrophic) using the descriptors below.

Financial
1 Insignificant: Overspend of less than or equal to £10,000. Loss of less than or equal to 0.1% of budget.
2 Minor: Overspend in range of greater than £10,000 to less than or equal to £50,000. Loss of budget greater than 0.1% to less than or equal to 0.25% of budget.
3 Moderate: Overspend in range of greater than £50,000 to less than or equal to £250,000. Loss of budget greater than 0.25% to less than or equal to 0.5% of budget.
4 Major: Overspend of greater than £250,000 to less than or equal to £2,000,000. Loss of budget greater than 0.5% to less than or equal to 1% of budget.
5 Catastrophic: Overspend of greater than £2,000,000. Loss of budget of >1%.

Service redesign
1 Insignificant: Insignificant cost increase. Minimal project timescale slippage.
2 Minor: <5% over project budget. Minor project timescale slippage.
3 Moderate: 5-10% over project budget. Moderate project timescale slippage.
4 Major: 10-25% over project budget. Major project timescale slippage. A key objective not met.
5 Catastrophic: >25% over project budget. Catastrophic project timescale slippage. Multiple key objectives not met.

Commissioning
1 Insignificant: Some minor impact to the quality and cost effectiveness of commissioning. Manageable within project/team/work stream.
2 Minor: Minor impact on the quality and cost effectiveness of commissioning activities. Less than two week delay to milestones/plans.
3 Moderate: Short term impacts to quality and cost effectiveness of commissioning. Resources used from other parts of the organisation.
4 Major: Significant delays or quality reduction in provision of effective commissioning across multiple work streams (<1 month delay to work stream).
5 Catastrophic: Realisation of risk would prevent the Group from delivering significant services through its contracts with providers to the public.

People - Patient Safety/Safeguarding/staff safety
1 Insignificant: Minimal injury requiring no/minimal intervention. Mortality rates or serious incidents which require routine monitoring.
2 Minor: Major injury or illness, requiring minor intervention. Mortality rates within normal limits or individual serious incidents that require monitoring.
3 Moderate: Moderate injury requiring professional intervention. An increasing mortality rate or serious incident/never event trend requiring monitoring with action plan to mitigate risk.
4 Major: Major injury leading to long-term incapacity/disability. Increased mortality rates or serious incident/never event trend indicating urgent interventions e.g. improvement plan/contractual action. Well being jeopardised, abuse, neglect, assault.
5 Catastrophic: Incident leading to death or multiple fatalities. Increased mortality rates or serious incidents/never event trend indicating failure of the service to deliver patient safety, requiring immediate intervention such as suspension of service or escalation.

Quality/Patient experience
1 Insignificant: Peripheral element of treatment or service suboptimal. Unsatisfactory patient experience not directly related to patient care.
2 Minor: Overall treatment or service suboptimal. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved. Unsatisfactory patient experience - readily resolvable.
3 Moderate: Treatment or service has significantly reduced effectiveness. Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on. Mismanagement of patient care - short term effects.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Low performance rating. Critical report. Mismanagement of patient care - long term effects.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards. Totally unsatisfactory patient outcome or experience.

Delivery of Services/Strategic
1 Insignificant: No impact on ability to operate local services.
2 Minor: Could threaten the efficiency or effectiveness of some services but dealt with internally.
3 Moderate: Severe disruption to a service. Non-achievement of local delivery plan.
4 Major: Loss of a service. Loss of stars / reduction in score in national performance review.
5 Catastrophic: Threatens the viability of the organisation.

Organisational Objectives
1 Insignificant: Management information does not meet business requirements.
2 Minor: Service objectives not met or project failures in one service.
3 Moderate: Service objectives not met or project failure in multiple services.
4 Major: Failure to meet one key organisational objective.
5 Catastrophic: Failure to meet multiple key organisational objectives.

Reputation
1 Insignificant: No impact on the reputation of the CCG.
2 Minor: Increase in patient/customer complaints or staff dissatisfaction. Short term reduction in public confidence.
3 Moderate: Negative press in local paper. Greater scrutiny by external bodies e.g. NHS England or CQC. Moderate loss of public confidence in the CCG. Intervention by SHA / Central Government.
4 Major: National media coverage with <3 days service well below reasonable public expectation. Long term reduction in public confidence. External investigation (CQC, HSE, Police). Prosecution.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectations. Possible international television coverage. Replacement of Board. MP concerned (questions in House).

Staffing & Human Resources
1 Insignificant: Short-term low staffing level that temporarily reduces service quality (<1 day). No impact on staff morale.
2 Minor: Low staffing level that reduces the service quality (>1 day). Staff dissatisfaction.
3 Moderate: Late delivery of key objective/service due to lack of staff. Increased staff sickness and absenteeism.
4 Major: Uncertain delivery of key objective/service due to lack of staff. High rate of staff leaving & very low staff morale.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing. Inability to recruit or retain. Industrial action.

Legal
1 Insignificant: No breaches of law or local procedures / standards.
2 Minor: Breaches of local procedures / standards.
3 Moderate: Breaches of regulation or national procedures / standards.
4 Major: Breaches of law punishable by fines.
5 Catastrophic: Breaches of law punishable by imprisonment.
2.3.3 Risk Scoring - Severity
The risk rating then equals LIKELIHOOD x IMPACT/SEVERITY:
Likelihood \ Consequence | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic
5 Certain | 5 | 10 | 15 | 20 | 25
4 Likely | 4 | 8 | 12 | 16 | 20
3 Possible | 3 | 6 | 9 | 12 | 15
2 Unlikely | 2 | 4 | 6 | 8 | 10
1 Rare | 1 | 2 | 3 | 4 | 5
Risk Rating:
Extreme Risk: 20 to 25 (Red)
Serious Risk: 15 to 16 (Amber)
Moderate Risk: 8 to 12 (Yellow)
Low Risk: 1 to 6 (Green)
The score of a particular risk will determine at what level decisions on acceptability of the risk
should be made and where it should be reported to.
General guidelines are:
Level of risk before mitigation | Level of risk after mitigation | How the risk should be managed | Who to make aware
Extreme (20-25) | Extreme or serious risk, score 16 or above | Requires active management and clear action plan, assurance to Governing Body. High impact / high likelihood: risk requires active management to manage down when possible and maintain exposure at an acceptable level. | Audit Committee and CCG Governing Body*. Reviewed monthly by CCG SMT.
Extreme and Serious Risk (15-16) | Extreme, serious or moderate risks, score 8 or above | Clear action plan and assurance to lead committee. Significant impact, likely to occur; requires clear actions to mitigate risk, without which it could become an 'extreme risk'. | GB Committees responsible for the functional risk register where the risk resides. Reviewed monthly by CCG SMT.
Extreme, Serious and Moderate Risk (8-12) | All, including low risk | Contingency plans. A robust contingency plan may suffice together with early warning mechanisms to detect any deviation from profile. | Reviewed monthly by CCG SMT.
All, including Low Risk (1-6) | All, including low risk | Review periodically. Risks are unlikely to require mitigating actions but status should be reviewed frequently to ensure conditions have not changed. | Reviewed by SRO, Programme Management Office monthly and Programme Managers.
*The Governing Body will receive, in addition to the corporate risks it identifies annually, those 'extreme risks' that require escalation.
2.4 Step 3: Determine Additional Controls Required
Once risks and opportunities have been identified and assessed for likelihood and impact,
this will provide you with a Current/Residual risk rating. The rating will identify those risks
where further resources may need to be allocated to reduce the risk. This will be included on
the risk assessment form as the Action Plan.
An Action Plan should be completed for all residual risks rated extreme, serious or
moderate and should include the following information:
a) Risk Owner - Each risk will be assigned a risk owner who will own and determine
how the risk/opportunity will be managed, controlled or exploited.
b) Action Description - A detailed description of the action required to manage or treat
the risk. Should the risk be avoided, eliminated, reduced, transferred or accepted? A
useful framework for considering these questions is the "4 T's".
2.4.1 The 4T's of Risk Control
Risk Control Type | Description
Terminate | Stop the activity altogether. Rarely an option in public sector activity, though this may be possible for some non-core activities.
Tolerate | Accept the risk and live with it. Applies to risks within the tolerance threshold or those where the costs of treatment far outweigh the benefits. Should be backed up by appropriate contingency plans, business continuity plans and recovery plans.
Transfer | To a third party or through insurance. Can transfer all or part of the risk. Beware - although responsibility can be transferred, accountability rarely can, so it requires close monitoring.
Treat | Take action to control the likelihood and/or impact. This is where the bulk of the risk management action falls. The purpose of treating a risk is to continue with the activity which gives rise to the risk but to bring the risk to an acceptable level by taking action to control it in some way through either:
    containment actions (lessen the likelihood or consequences and apply before the risk materialises), or
    contingent actions (put into action after the risk has happened, i.e. reducing the impact; must be pre-planned).
When completing an Action Plan it is important to ensure that:
The action is proportionate to the risk.
Any new risks caused by the action are identified.
Controls are SMART - Specific, Measurable, Achievable, Realistic and Timebound.
c) Resources Required - Are resources required to implement the actions and, if so, what
type (i.e. personnel or financial) and how can they be secured? The cost of management and
control of the risk should be proportionate to the risk that is being addressed.
d) Target/ Review Date – enter target date for completion of action(s) or when the actions
will be reviewed. As a guide it is suggested that the following timescales be used:
Extreme Risk Score 20 to 25 – Within 3 months
Serious Risk 15-16 - within 6 months
Moderate risk 8 to 12 - within 12 months
e) Target Risk Rating – unless a risk is terminated it is impossible to remove it completely
and so the risk owner needs to identify what is acceptable as a target.
2.5 Step 4: Implement Additional Control Measures
It is important to ensure that any new controls are implemented and that the assessment is
regularly reviewed. Controls may need to be included in service or business plans or
identified as part of future training & development needs.
An essential element of the risk management process is that risks / opportunities can be
cascaded up or down according to the levels of risk and available resource – see 2.3 Step 2,
Management Response to Risk Rating. For example a risk identified at specialty level may
be managed or contained adequately until a sudden change in the internal or external
environment means the service does not have capacity, authority or resources to manage or
contain the risk. The risk is then cascaded up to the next level (e.g. Directorate or Board).
The risk is then assessed at that level and management determined. This clear process
enables assurance to the highest level that risks (and opportunities) are being managed at
their appropriate level.
2.6 Step 5: Monitor Completion & Effectiveness of Controls Assurance
Circumstances and organisational priorities can, and do, change, and therefore risks, opportunities and their circumstances need to be regularly reviewed. Some risks will move down the priority rating, some may leave, and others will be identified. The risk management process requires that risk owners review their risks each month at Directorate, Departmental or team meetings. That review should incorporate the following questions:
Is the risk still relevant (what changes have occurred in the internal / external
environment)?
How do I know the controls have been effective – have there been any internal or
external reports to provide assurance?
What progress has been made in managing the risk?
Given the progress (or not), does the risk score need revising?
Are any further controls required, if so what should these be?
Risk management should be included as an item on the agenda of all department management team/Governing Body meetings.
2.7 Accountabilities [revised section]
Risk accountabilities are invested in the following roles:
The Chief Officer has overall accountability for having an effective Risk Management
system in place within the CCG and for meeting all the statutory requirements and
adhering to the guidance issued by the Department of Health in respect of
Governance.
The Director of Operations is the executive director for risk management and has
delegated responsibility for leading the organisation in responding to Risk and Health
and Safety, ensuring systems are in place to manage Health & Safety and that the
CCG complies with Health & Safety legislation, including the legal requirements for fire
safety. The Director will report through the SMT/Audit Committee on all non-clinical
risk management activities.
The Chief Finance Officer is responsible for all finance risks, control of assets and
provisions for liabilities
The Executive Board Nurse: is the Caldicott Guardian and the Governing Body
member with delegated responsibility for aspects of clinical risk management,
ensuring quality and governance systems are in place and inclusion of risk
management processes in commissioning mechanisms. The Caldicott Guardian will
review confidentiality breach and data loss incident assessments for the purposes of
ensuring appropriate use of the HSCIC IG Toolkit Incident Reporting Tool.
The Director of Operations is the Senior Information Risk Owner (SIRO). The SIRO
will review confidentiality information security incident assessments for the purposes of
ensuring appropriate use of the HSCIC IG Toolkit Incident Reporting Tool.
The Chair of the Audit Committee is the Lay Member lead for risk management.
CCG Risk Management Policy.
The Business Delivery Manager with responsibility for Information Governance will
review Information Governance related incidents for the purpose of ensuring
appropriate use of the HSCIC IG Toolkit Incident Reporting Tool.
GP Governing Body Members and SMT members are responsible for the day to day
management of risks within their respective areas of responsibility, including
assurance that appropriate controls are in place, and that action plans are owned,
being progressed and monitored. They must ensure that all staff are aware of the
CCG's Risk Management Policy and guidance, and their individual responsibilities for
managing risk. They also take responsibility for Directorate Registers.
Managers and staff should be familiar with the Risk Management Policy including
Risk Registers and methodologies for risk assessment and risk ratings.
Contractors and other external staff must be made aware of their responsibilities under
health & safety and CCG risk management procedures by the CCG manager
responsible for their contract.
3 Assurance Framework
The Assurance Framework enables HCCG to be confident (“be assured”) that the responses
applied in the mitigation of risk are operating effectively. Therefore this is a key element of
the risk management process at HCCG. The application of the Assurance Framework will
help the HCCG Governing Body members to collectively consider the process of securing
assurance via a formal structure that promotes good organisational governance and
accountability in order to deliver on its key objectives.
The Framework puts responsibility for the system of internal control at Governing Body level
and this encompasses the following:
Setting appropriate policies on internal control;
Seeking assurance that will enable the Governing Body to satisfy itself that the system
is functioning effectively; and
The Assurance Framework should provide information on where/how risks are being
managed effectively, the controls in place and also identify which of the CCG objectives are
at risk because of gaps in controls or assurance. The Assurance Framework should outline
the following:
Key Controls - Organisations should ensure that they have key controls in place which
are designed to manage their principal risks. Controls should be documented and their
design subject to scrutiny by independent reviewers, e.g. internal and external
auditors. When assessments are made about controls, consideration must be given
not only to the design but also the likelihood of them being effective in light of the
governance and risk management framework within which they will operate - even the
best controls can fail if staff are not adequately trained.
Assurances on Controls - Where can the organization gain evidence that the controls
are effective? The most objective assurances are derived from independent sources
and these are supplemented from non independent sources such as clinical audit,
internal management representations, performance management and self assessment
reports. These assurances can be separated into internal and external assurance
processes.
Where an assurer’s report is confirmed as relevant, the organisation must endeavour to
confirm that sufficient work has been undertaken in the review to be able to place reliance on
the conclusions drawn. The organisation will need to assess whether a review provides:
Positive Assurances- there are sufficient, relevant, positive assurances to confirm the
effectiveness of key controls and the objectives are met. This should be reported to
the Governing Body and recorded as a positive assurance.
Gaps in Control - these should be recorded when there is a clear conclusion, based on
sufficient and relevant work, that one or more of the key controls on which the
organisation is relying are not effective.
A gap in Assurance - there is a lack of assurance about the effectiveness of one or
more of the key controls. This may be as a result of a lack of relevant reviews, or
concerns about the scope or depth of reviews that have taken place.
Wherever gaps in response or assurance are identified, an action must be defined and
allocated to appropriate responsible persons. In all cases an assessment will also need
to be made as to the level of risk to which HCCG is exposed as a result of the response
failure or assurance gap.
Principal risks cannot be considered in isolation; they will be derived from the prioritisation of
risks fed up through the whole organisation, and in this way the Risk Register contributes to
the Assurance Framework. Therefore, whilst the Assurance Framework development is
co-ordinated by the Corporate Team, the risks and the responsibility for providing information on
assurance continue to lie with Directors and Senior Managers.
Levels of assurance will be attributed to a response when it is reviewed. The levels of the
assurance that will be used are displayed in the table below. These levels of assurance will
be applied in all cases.
Level - Details
Significant - Taking account of the issues identified, the Governing Body can take substantial assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.
Adequate - Taking account of the issues identified, the Governing Body can take reasonable assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective. However, further action could be taken to improve the effectiveness and efficiency of responses.
Limited - Taking account of the issues identified, whilst the Governing Body can take some assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective, action needs to be taken to ensure this risk is managed.
None - Taking account of the issues identified, the Governing Body cannot take assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied or effective. Action needs to be taken to ensure this risk is managed.
3.1 Applying the Process to Opportunity Management
Good risk management will also help us to explore and take up opportunities as they are identified. The approach is the same as for risk assessment – we need to ask:
Is there an opportunity we could take to help us achieve our objectives?
What is the likelihood of it happening?
What would be the impact if it did?
What needs to be done – how can we develop this, what actions are needed to ensure
it happens?
4 Risk Governance and Escalation
4.1 Risk Governance and Escalation Process – Corporate Risk Register
The Herefordshire CCG corporate risk register will manage the risks associated with the
achievement of the organisation's strategic objectives as well as any major clinical and financial
risks. This register will be owned by the CCG Governing Body and be reviewed quarterly.
The Quality, Performance & Finance Committee will have lead roles in reviewing CCG
functional risk registers, in particular the Finance and Quality risk registers, on a rolling
quarterly basis.
The Audit and Assurance Committee will also review the risk registers to provide assurance that
a process is in place to monitor, mitigate and manage risks. It will do this in full on a quarterly
basis. The Audit and Assurance Committee may also review functional risk registers from time to
time.
The Governing Body Assurance Framework will be reviewed twice yearly by the Governing
Body and Audit & Assurance Committee, to ensure the CCG has the appropriate controls,
assurances, processes and action in place to manage its business and deliver its strategic
objectives. This process will be used to inform and assure the Governing Body’s forward plan
and work programme.
The Audit & Assurance Committee will also review the Assurance Framework, to aid its
assurance role, and use it to inform the CCG’s audit programme.
The CCG's senior management team (SMT) will review the corporate risk register on a monthly
basis, ensuring that risks and actions are reviewed and that the risk register is relevant and
resonates with daily business and the hot issues currently facing the organisation. Each member of
SMT will also review on a monthly basis those areas of the assurance framework that relate to
their business area and ensure they are updated in a timely and appropriate way.
Risks may be added in one of two ways. Any CCG member/employee may add a corporate risk
at any time; this will be processed through the Portfolio Office using the specified risk recording
template. Alternatively, a risk will be escalated via a business area risk register.
4.2 Risk Governance and Escalation Process – Business Area Risk Registers
Each business area (as detailed in Figure 1) will maintain an individual risk register. All risks
identified at this level which are identified as potential ‘extreme risks’ will be escalated to the
Corporate Risk Register via the Corporate Team.
Clinical Outcomes and Service Transformation Risk Register. The Clinical Outcome
and Service Transformation (COST) risk register will be owned by the Service
Transformation Improvement Group (STIG). The Senior Responsible Officer for this
register will be the Chair of STIG. The risk register will be reviewed monthly and will form
part of the overall STIG report sent to the HCCG formal board. These risks will be
re-classified as programme risks and the impact and likelihood reviewed and updated, as
deemed appropriate. Consideration needs to be given as to whether 'primary care' risks are
encompassed within this register.
Operations Risk Register(s) (including contracts). The Operations risk register will be
owned by the Corporate Team and the Senior Responsible Officer will be the Director of
Operations. Any member/employee of HCCG may add an Operations risk via the
Corporate Team. The Operations risk register(s) will include key contracts,
communications, OD and performance risks.
Finance Risk Register. The Finance risk register will be owned by the Finance function
and the Senior Responsible Officer will be the Chief Finance Officer.
Quality and Patient Safety Risk Register. The Quality risk register will be owned by the
Quality & Patient Safety Committee. The Senior Responsible Officer for this register will
be the Executive Nurse. The risk register will be reviewed monthly and will form part of
the overall Quality and Patient Safety Report sent to HCCG formal board. Any
member/employee of HCCG may add a clinical risk via the Corporate Team.
Partnership Risk Registers. The CCG will also take key risks from system risk registers,
in particular from any system-wide partnership programmes (for example System Resilience or
Transformation programmes). These will be reviewed by the key partnership boards (e.g. SRG by
the SRG group; BCF by the Joint Commissioning Board).