Risk Management Strategy and Policy Version: 4 May 2017
SH NCP 25
Risk Management Strategy and Policy
Version 4
Summary:
This document details the Trust’s framework within which it directs and controls the risks to its key functions. It sets out the Trust’s approach to the identification, assessment, treatment, and tolerance of risk throughout the organisation. The overall objectives of the document are to provide:
A framework and clear processes for robust risk management at all levels of the organisation.
A framework to deliver assurance that risks are being appropriately identified, assessed, prioritised, addressed and monitored.
Detail staff roles and responsibilities to embed the concept of risk assessment and risk management into the day to day working practices of the Trust.
Support and promote on-going development as a learning organisation.
Keywords (minimum of 5):
(To assist policy search engine)
Risk, risk management, risk register, risk assessment, strategy, tolerance, risk appetite, assurance, assurance framework, mitigation
Target Audience: All staff employed by Southern Health NHS Foundation Trust
Next Review Date: May 2018, or sooner if changes are made to the risk framework
Approved and Ratified by: Trust Board
Date of meeting: 27 May 2017
Date issued: June 2017
Author: Jake Pursaill, Risk Manager
Sponsor: Sara Courtney, Acting Chief Nurse
Version Control
Change Record
| Date | Author | Version | Page | Reason for Change |
|---|---|---|---|---|
| 08.12 | Fiona Richey, Head of Risk and Business Continuity | 1.0 | | Revised following organisational change/restructure for Southern Health NHS Foundation Trust. |
| 10.13 | Fiona Richey, Head of Risk and Business Continuity | 2.0 | | Revised following Trust internal audit Risk Maturity Review to combine and clarify existing separate Risk Strategy and Risk Management Policy into a single document. Review and clarification of risk appetite and risk escalation. |
| 07.14 | Fiona Richey, Head of Risk and Business Continuity | 2.6 | 5, 22, 9, 12, 20 | Revised to remove and reflect current year, person and time sensitive detail. Revised clarification of risk appetite following Board Seminar 24th June 2014. Revised to clarify risk escalation. Inclusion of Risk Score Guidance. |
| August 2015 | Louise Hartland, Governance, Quality and Compliance Manager, LEaD | 2 | Page 14 section 15.2, 15.3; Page 23 | Revised to reflect training provision for managers. Revised to reflect training provision for executive and non-executives. Updated Training Needs Analysis. |
| August - October 2016 | Fiona Richey, Head of Risk and Business Continuity | 3 | Page 5 Section 4.2, Section 4.4; P 6 Section 4.12; P 9 Sections 5.3 and 13.1; P10 Sec 7; P11 Sec 9, 10, 11; P13 Sec 11.5 and P 25 Appendix 3; Page 16 Section 15.2 | Sponsorship changed to Acting Director of Nursing and Allied Professionals. Minor changes to wording for clarity throughout document. Revised to reflect risk management responsibilities for all staff. Revised to include the post of Divisional Governance Business Partners and their role within the framework. Awarded the responsibility for maintaining the Board Assurance Framework to the Company Secretary. Interim Head of Patient Safety and Quality and Risk Manager roles added. Trust level risk register replaces Corporate Risk Register. Removed risk appetite and tolerance information and referenced separate Board Risk Appetite Statement. Trust Executive Risk and Assurance Group included. Risk terminology and guidance re-ordered for clarity. Training expectations and requirements for staff and managers updated. |
| November 16 | Ryan Taylor, Interim Head of Incident Management & Patient Safety | 3.3 | Page 10, Page 12, Page 17, Page 21, Cover page | Amendments requested by Trust Board. Changes made to reflect revised application of risk tolerance to reflect the amended risk appetite statement agreed by the Board in October. Revised the risk matrix in line with the risk appetite. Revised process of obtaining assurance of effectiveness: removed ‘internal control’ and ‘local evaluation’, replaced with NHSI, CQC, internal audit and when adverse events occur. Amended positive and negative assurance. Review - April 2017, at request of the Trust Board due to forthcoming changes with the BAF and high level risk management. |
| December 16 | Ryan Taylor, Interim Head of Incident Management & Patient Safety | 3.4 | Page 14, Page 23 | As agreed by the Chief Nurse. Added review for moderate level risks. Altered review periods for low level risks. Inserted impact matrix that matched the risk appetite document, but which also included an impact domain for Information Governance. |
| May 2017 | Jake Pursaill, Risk Manager | 4 | Page 7, Page 22 & 23, Page 17 & 18 | Removed reference to the Head of Risk Management and assigned responsibilities to the Risk Manager. Adjusted scoring criteria for fatalities, and references to CIPs and CQUINs. Updated committee reporting structure. |
Reviewers/contributors

| Name | Position | Version Reviewed & Date |
|---|---|---|
| Dr Helen McCormack | Medical Director | December 2013 |
| Non-Executive Directors | Southern Health NHS Foundation Trust | December 2013 |
| Compliance Team | Southern Health NHS Foundation Trust | December 2013 |
| Julie Jones | Associate Director of Governance | December 2013 |
| Divisional Directors | Southern Health NHS Foundation Trust | December 2013 |
| Executive team | Southern Health NHS Foundation Trust | September 2016 |
| Fiona Richey | Head of Risk | September 2016 |
| Jake Pursaill | Risk Manager Support | September 2016 |

Related Documents
Title
Board Risk Appetite Statement
Board Assurance Framework Standard Operating Procedure
Policy for Managing Incidents and Serious Incidents
Procedure for Reporting and Managing Incidents and Serious Incidents
Procedure for Reporting and Investigating Deaths
Procedure for Management of Serious Incidents that Require Investigation
Organisational Learning Strategy
Health and Safety Policy
Quality Strategy
Contents
1 Introduction
2 Purpose and Scope of the Strategy and Policy
3 Strategy and Policy Objectives
4 Duties / Responsibilities
5 Definitions of risk
6 Risk Management Overview
7 Risk Tolerance and Appetite
8 Risk Management Process Overview
9 Risk Register Process
10 Risk Identification
11 Risk Assessment
12 Managing and Mitigating the Risks
13 Risk Review, Escalation and Assurance
14 Communication of Risk with Third Parties
15 Training Requirements
16 Equality and diversity
17 Strategy/Policy review
18 Communication strategy
19 Monitoring compliance
20 Associated documents
21 Supporting references
22 Useful websites
Appendices
Appendix 1 Risk Management Definitions
Appendix 2 Risk Scoring Guidance
Appendix 3 Organisational Committee Structure
Appendix 4 Training Needs Analysis
Appendix 5 Equality Impact Assessment Tool
Risk Management Strategy and Policy
1. Introduction
1.1 Southern Health NHS Foundation Trust (hereafter known as the Trust) provides community health, mental health, and learning disability services.
1.2 Our overall aim is to improve the health, wellbeing and independence of the people we serve by improving patient and service user experience, improving clinical outcomes and giving value for money. The Trust is committed to delivering care in a safe environment to protect patients, visitors, staff and the organisation from harm.
1.3 The aim of this strategy and policy is to support the delivery of the organisational aims and objectives through effective management of risks across all of the Trust’s functions and activities through effective risk management processes, measurement, analysis and organisational learning.
1.4 The Trust recognises that Risk Management forms an integral part of its philosophy, practices and the business planning cycle. The Trust Board must be able to assure itself the organisation is operating effectively and meeting key aims, goals and principal strategic objectives.
1.5 The Trust’s approach to risk management aims to be forward looking, innovative and comprehensive; to make the effective management of risk an integral part of everyday practice. It also aims to support a culture which encourages continuous improvement and development and a focus on proactive rather than reactive risk management, and to support well thought through decision making.
2. Purpose and Scope of the Strategy and Policy
2.1 The purpose and scope of the Trust’s Risk Management Strategy and Policy is to detail the framework within which the Trust leads, directs and controls the risks to its key functions in order to comply with Health and Safety legislation, Foundation Trust Terms of Authorisation and its strategic objectives. The Risk Management Strategy and Policy underpins the Trust’s reputation and performance and is fully endorsed by the Trust Board.
2.2 The Trust acknowledges its legal and moral duty to safeguard staff, patients and members
of the public. There are also sound moral, financial and good practice reasons for identifying and managing both clinical and non-clinical risks. Failure to manage risks effectively can lead to harm/loss or damage in terms of both personal injury but also in terms of loss or damage to the Trust’s reputation; financial loss; potential for complaints; litigation and adverse or unwanted publicity.
2.3 This document is intended for use by all Trust employees and contractors. All staff
members will be made aware of the contents on commencement of employment as part of their induction.
2.4 Significant changes to this document will also be cascaded via the Trust’s staff update communication process and/or line management cascade.
2.5 The Trust uses a web-based Risk Management system, Ulysses, for the recording, management, and reporting of incidents and risks at local, Divisional, Corporate and Strategic levels.
2.6 This Strategy and Policy should be read in conjunction with the Policy for Managing Incidents, the Board Assurance Framework Process and Standard Operating Procedure,
the Policy for Investigations, Analysis and Improvement, the Health and Safety Policy, Fire Policy, the Trust Quality Strategy and Trust Organisational Learning Strategy.
3. Strategy and Policy Objectives
3.1 The objectives of this Risk Management Strategy and Policy are as follows:
To set out the Trust’s approach to risk and provide a framework and clear process for robust risk management at all levels within the organisation.
To outline the framework to provide assurance that risks at all levels of the organisation are being appropriately identified, assessed, prioritised, addressed and monitored.
To detail the expectations in terms of roles and responsibilities of all staff in order to embed the concepts and ideas of risk assessment, risk management and risk accountability into the day to day working practices of the organisation.
To support and promote on-going development as a learning organisation.
4. Duties / Responsibilities
4.1 The management of risk is an integral part of management and clinical practice. Every
individual within the Trust is therefore responsible for identifying and managing risk. The following individuals have specific risk management responsibilities, accountability and authority, as part of their existing roles.
4.2 All Employees (including contracted employees) are responsible for:
The identification of both clinical and non-clinical risks that exist or emerge within the area in which they work, and the escalation of these identified risks to managers, risk leads, or senior management as appropriate.
Undertaking working practices that comply with all policies, regulations, procedures and Department/ workplace/Task specific safe systems of work.
Ensuring they act in a manner which is safe and secure for themselves, colleagues, patients, visitors and others who may be affected by their actions, being aware they have a duty to take reasonable care for their own safety and safety of others who may be affected by their acts or omissions.
Report any hazardous situations and accidents/ near-miss incidents to the relevant manager(s) as soon as possible and through the Trust incident and near miss reporting system in line with the Managing Incidents Policy.
4.3 Senior/Line Managers are responsible for:
Ensuring that they and their staff fulfil their responsibility for risk management by identifying, reporting, monitoring and managing risk in line with this and other associated policies, including the policy for managing incidents.
Ensuring that appropriate and effective governance processes are in place to pro-actively identify, assess and manage risk within their designated area and scope of responsibility.
Ensure that identified risks are recorded, properly assessed, escalated, communicated and managed effectively and appropriately in line with guidance within their area of responsibility so that the consequences of a risk – patient harm, financial loss, reputational damage, etc. – are minimised.
7
Risk Management Strategy and Policy Version: 4 May 2017
4.4 Divisional Governance Business Partners
Play a key role in supporting the systems and processes for the review and recording of all risks from team level to divisional board providing expert advice on the grading and escalation / de-escalation where appropriate. This will involve working closely with underperforming teams, providing education and encouragement of how risk reporting improves patient safety.
Will provide education throughout the division on the reporting of risks and incidents through the Ulysses system.
Support their division in the identification, assessment and reporting of risk.
4.5 Chairs of all Trust Meetings are responsible for:
Ensuring all relevant risks are brought to the meeting on a regular basis for review to ensure they are up to date and being effectively managed.
Agreeing proposed risk tolerance score or risk appetite score for each risk and ensure risks are transferred to risk registers and are correctly assessed.
4.6 Risk Manager is responsible for:
The development of strategic plans, policies, procedures and statement of purpose documents with regard to risk management. Provision of training, information and support for Trust staff in relation to risk management.
Will support the Divisional Governance Business Partners in developing and educating staff regarding risk management including risk registers and the Board Assurance Framework.
Ensuring relevant risks are reported to external agencies such as commissioners through the oversight groups.
Ensuring the Ulysses risk management system and associated processes are maintained and updated in line with Organisational requirements.
Undertaking consultations with the Executives and NEDs on the annual review of the Trust Risk Appetite statement.
Through oversight provides a ‘check and challenge’ process for all risks on the register with the risk owners through a systematic and documented process.
Ensuring an appropriate Board Assurance Framework (BAF) is prepared and regularly updated, and that it receives appropriate consideration at relevant committees and groups.
4.7 Associate Director of Quality Governance has:
Operational management responsibility for the implementation of all aspects of the Governance and Risk Management agenda through management of the Governance Team.
4.8 Chief Nurse for:
Executive sponsorship of the Trust Risk Management Strategy and Policy.
Ensuring that the Annual Governance Statement adequately reflects the risk management process within the Trust.
4.9 The Executive Team
In addition to their roles as senior managers; members of the executive team will act as Accountable Lead Directors for their respective areas of the business and will ensure
that within their directorates all risk management issues are coordinated, managed, monitored and reviewed including:
Lead in the management of risk by devising and implementing short, medium and long-term strategies to tackle identified risk.
Recommending to the Board of Directors the raising and closing of identified strategic risks, using the Board Assurance Framework.
4.10 Non-Executive Directors
Challenge risk management and governance arrangements within the organisation and provide assurance of the robustness of these arrangements as part of their role as members of the Trust Board and its sub-committees.
4.11 Chief Executive has responsibility for:
Maintaining a sound system of internal control and assurance that supports the achievement of the Organisation’s objectives.
Ensuring that full support and commitment is provided and maintained in every activity relating to risk management
Planning for adequate staffing, finances and other resources, to ensure the management of those risks which may have an adverse impact on the staff, finances or Trust stakeholders.
Ensuring and signing off the Trust Annual Governance Statement, which adequately reflects the risk management issues within the Trust.
Operationally, the Chief Executive delegates responsibility for the implementation of the Risk Management Strategy to other individuals, as described above
4.12 The Board
Executive and non-executive directors share collective responsibility for the success of the Trust, including the effective management of risk and compliance with relevant legislation. Providing the strategic direction and leadership to the Trust including:
Protecting the reputation of the Trust;
Providing leadership on the management of risk and ensuring the approach to risk management is consistently applied;
Determining the risk appetite for the Trust;
Ensuring that assurances demonstrate that risk has been identified, assessed and all reasonable steps taken to manage it effectively and appropriately; and
Endorsing risk related disclosure documents.
5. Definitions of Risk
5.1 At its best, risk management will radically improve the quality of services provided, provide strategic direction to the Organisation by guiding staff on the appropriate level of risk they are permitted to take, and enable staff to seize important opportunities.
5.2 Risk can relate to:
A threat - an event or circumstance which could cause harm or loss, or affect the ability of the organisation to achieve its objectives.
An opportunity – the organisation must take some risks in order to obtain a benefit, to innovate, grow and improve.
5.3 All risks are managed through the Trust’s risk register; the risk register has four levels of management:
Strategic – Any risk affecting the whole organisation and its ability to achieve the Organisational Objectives.
Trust – Any risk which may affect more than one Division or require Corporate Management.
Divisional – Any risk that affects Divisional services or the service only. Risks that are within the Divisional Directors/local managers delegated budgetary limits and financial resources.
Local/ Service/Team – Any risk that affects service or team level only. Risks that are within the Deputy Directors/local managers delegated budgetary limits and financial resources.
Further detailed risk management definitions can be found in Appendix 1.
6. Risk Management Overview
6.1 By its very nature healthcare is a high risk activity and effective management is often based on taking calculated risks. Risk management helps to ensure that those judgements can be made from a measured range of fully identified options and from a sound knowledge of the risk causes, effects, and consequences.
6.2 Effective risk management is best achieved in an environment of openness and
transparency in which it is recognised that whilst risk can never be eliminated, it can and must be managed.
6.3 The Trust Board has delegated the responsibility for the management of risk to key
committees. These Committees are responsible for ensuring individual Directors undertake a full programme of risk management activities, maintain up-to-date risk registers and take action to control these risks commensurate with their risk management responsibilities.
6.4 Each Committee has Terms of Reference which have been agreed by the Board. Terms of
Reference for formal Board sub-Committees are held by the Company Secretary. A full depiction of the Trust’s Governance Structure and the purpose of each Key Committee can be found within the Trust’s Board Assurance Framework Standard Operating Procedure.
6.5 Risk management is also monitored by external and internal agencies. Performance is
monitored against national standards and is subject to self-assessment review and audit. Where performance in these assessments falls below acceptable levels, detailed action plans will be produced and work programmes put in place to improve standards.
6.6 There are a number of indicators that support the implementation of the Trust’s Risk Management Strategy and Policy, for example adverse incidents, complaints and litigation. These indicators are reported monthly via the Trust Quality Dashboard and are reported on in more detail by the Divisions and the Governance Team via Divisional Performance Review meetings, Quality & Safety Committee, and the Health and Safety Forum.
6.7 The Process for Managing Incidents is provided in the Trust Policy for Managing Incidents and Trust Procedure for Grading and Managing Incidents. The Management of Serious Incidents Requiring Investigation (SIRIs) is also included in the Incident Management Policy and Procedure, which are available to staff via the Trust website.
6.8 The Trust’s approach to investigating and learning from incidents focuses on what went
wrong and not on who to blame. However if staff have a concern or feel unable to report an incident via the incident reporting system, they should follow the policies: Speak Up (Whistle Blowing) Policy.
7. Risk Tolerance and Appetite
7.1 The Board recognises risk is inherent in the provision of healthcare and its services, and
therefore a defined approach is necessary to identify risk context, ensuring that the Trust understands and is aware of the risks it’s prepared to accept in the pursuit of the delivery of the Trust’s aims and objectives.
The Trust recognises it will have to in some circumstances accept a level of risk. Accepting
risk is often required to achieve overall objectives. It must, however, take and accept risks in a controlled manner, thus reducing its exposure to unacceptable risk. Further information can be found in the Trust’s Board Risk Appetite Statement, separate from this document.
8. Risk Management Process Overview
8.1 Systems for risk management provide a structured method to identify and manage risks:
8.2 Detailed information around the risk management process, specific guidance and risk
management tools are available via the Trust website.
9. Risk Register Process
9.1 The principal tool the Trust uses for managing its identified risks is the Risk Register, which can be described as “a log of all the risks identified, both clinical and non-clinical, that might have an impact on the Trust’s delivery of its aims and objectives”.
9.2 The Trust has a single Risk Register which operates at local/Service Team, Divisional, Trust-wide and Strategic levels. The Risk Management and escalation process is outlined in detail in the Trust’s Board Risk Appetite Statement.
9.3 The Risk Register will be reviewed at all levels in line with Trust Board Assurance
Framework Standard Operating Procedure and the Board Risk Appetite Statement which further define roles, responsibilities, and reporting schedules.
10. Risk Identification
10.1 Risks will be identified from both internal and external sources. The Trust aims to be as
proactive as possible, as this makes a managed response to risk possible. This avoids the need to make decisions under unnecessary pressure without adequate information or resource.
10.3 The Trust has a comprehensive range of risk assessment tools to identify risk and potential risks associated with its activities. Examples include Visual Display Risk assessments, Falls Prevention Assessment, Ligature Risk Assessment, and Risk Register Assessment pro formas.
11. Risk Assessment
11.1 Southern Health NHS Foundation Trust deploys a standardised approach to risk assessment across the entire organisation to ensure consistency.
11.2 Risks are assessed based on the impact of the risk and the potential likelihood to occur:
The impact is based on a number of factors, for example: the financial implications, the number of service users or staff potentially affected, the ability of the Trust to achieve its objectives or the effect on Trust reputation.
The likelihood is based on the probability of the risk emerging, and the timeframes in which the risk might occur, e.g. weekly, monthly, etc.
11.3 Evaluation and ranking of risks (risk scoring)
The Trust uses a standard 5x5 risk scoring matrix for assessing the impact and likelihood of the risk (see table below).

| Impact / Likelihood | 1 Extremely Unlikely | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost Certain |
|---|---|---|---|---|---|
| 5 Catastrophic | 5 | 10 | 15 | 20 | 25 |
| 4 Major | 4 | 8 | 12 | 16 | 20 |
| 3 Moderate | 3 | 6 | 9 | 12 | 15 |
| 2 Low | 2 | 4 | 6 | 8 | 10 |
| 1 Negligible | 1 | 2 | 3 | 4 | 5 |

Matrix annotations: "MONTHLY MONITORING BY EXECUTIVE TEAM" (shown in the Catastrophic, Major and Moderate rows); "All RED RISKS: MONTHLY MONITORING BY EXECUTIVE TEAM".
Risk scores are not intended to be precise mathematical measures of risk, but are a useful tool to help in the prioritisation of control measures for the treatment of risk. The scoring system allows the levels of risk to be easily identified and therefore prioritised. Further detail on risk scoring and effective assessment is given in Appendix 2.
11.4 As part of the risk assessment process, a course of action must be agreed in line with the
Trust’s defined Risk appetite approach and risk tolerance levels. Courses of action to be taken are to:
Treat
Tolerate
Transfer
Terminate
Take the opportunity
Further guidance on action required with each option is provided within the Trust’s Board Risk Appetite Statement.
11.5 The Trust Executive Risk Group has responsibility to review and monitor on a monthly basis all risks scored at 15 and above outside the tolerance threshold of the Trust and the course of action to take. In addition, the Executive Group will also review on a monthly basis any and all risks with a rating of 10 with a Likelihood rating of unlikely (2) and an Impact rating of Catastrophic (5).
12. Managing and Mitigating Risks
12.1 As part of the risk assessment process discussed in 11. Risk Assessment, each identified
risk will be assessed a total of three times:
Inherently, as though there were no controls in place, or that all of the controls are failing;
Residually, assuming the controls in place are adequately designed and operating effectively.
Target, the risk score that should be achieved through implementing actions, bringing the risk in line with articulated appetite and tolerance.
12.2 Controls to manage the risk and assurance measures can then be applied to provide a proportionate response, with the need to revisit should the risk assessment score change over time.
12.3 Measures of Assurance should indicate the adequacy of the controls in place. Assurance
should be identified as internal or external and the information gathered using these measures should be identified as reflecting either positively or negatively on the effectiveness of controls in place.
12.4 Gaps in controls should also be clearly identified with actions in place to address. Actions
should be specific, measurable, achievable, realistic and timely and should have an identified action owner. The target date to achieve the action must also be recorded.
12.5 Recorded risk information, controls, and actions should be reviewed thoroughly by the monitoring committee to ensure these are adequate, effective, and current.
12.6 The target risk score should be agreed in line with the risk appetite and tolerance by the monitoring committee to establish at what point the risk becomes acceptable and can simply be monitored.
13. Risk Review, Escalation and Assurance
13.1 All Risks are managed on the Risk Register. Within the Risk Register there are several
levels of risk management as identified in the following table:
Risk Review
13.2 The frequency of review of risks is dependent on their risk score. Risks graded as:
Red will be reviewed at least monthly;
Amber will be reviewed at least quarterly (with the exception of risks 5x2, which will also be monthly);
Yellow will be reviewed at least every 6 months;
Green will be reviewed at least annually.
Risk review frequency may be increased based on the risk’s alignment with the Trust’s identified risk appetite.
Risk Escalation
13.3 All parts of the Trust will, on a regular basis, review their identified risks and the controls put in place to manage those risks. All levels of risk will be monitored and escalated to the relevant level of the Risk Register dependent on:
The risk score
The area of effect
The budgetary requirements to manage/mitigate the risk
Assurance
13.4 To support increasing levels of assurance the Trust Board Assurance Framework, and Risk Control Framework will undergo continuous review and development to ensure a focused approach to the strength of assurance received by Board and Sub-Committees. The process for rating and mapping assurance received against the relevant risks will be undertaken through the use of the three key lines of defence assurance model of:
Service Management;
Functional oversight;
Independent review.
Additional information on assurance is provided in the Trust Board Assurance Framework Standard Operating Procedure.
13.5 The Risk Management Strategy and Policy, Trust Board Assurance Framework, Risk Management Standard Operating Procedures and guidance tools will be updated to reflect developments in line with Trust risk management and assurance development and Trust Quality Programmes as well as document review schedules.
14. Communication of Risk with Third Parties
14.1 If an organisational risk is identified which is shared with or wholly relates to another organisation the risk must be shared with that organisation. Advice on the appropriate method of communicating and sharing the risk must be sought from the relevant Executive or Divisional Director. The third party must not be named in the Risk Register and the risk must not be entered on to the Risk Register without the knowledge of the third party organisation.
15. Training Requirements
15.1 All staff
All staff will be provided with governance and risk management training as part of the Trust induction process. Attendance will be recorded and monitored in accordance with the Organisational Induction Policy. The Governance and Risk Management e-learning and e-assessment module is mandatory for all staff. Staff members that are unable to achieve the required level of e-assessment competency will be identified through the Trust electronic training monitoring system, with face-to-face training for these staff provided regularly in response to need. Attendance will be recorded, monitored and appropriate follow up will occur in line with the Trust Organisational Policy.
Please refer to the training needs analysis at Appendix 4.
15.2 Managers
An e-learning module that covers all aspects of risk management is available for all staff on the LEaD website. The e-learning module is mandatory for all managers with a responsibility for managing risk. It is expected that it will be completed by all Band 6 posts and above. Specific learning on the completion of risk registers is delivered by the risk team, and bookable via the staff intranet. Specific training delivered face to face by the risk manager is available on request. Please contact the risk team for more details.
15.3 Trust Board
Risk Management training is assessed, identified and provided for all executive and non-executive Directors as part of the Board Annual Development Programme. Individual Directors will receive risk training as required and/or as part of Trust induction. The Board will assess the need for whole Board additional training as necessary. Individual training will be recorded as part of Induction and individual training records. Board Wide Training attendance will be monitored by the Company Secretary and recorded via the Board Development Programme.
16. Equality and diversity
16.1 The Trust aims to ensure that its healthcare and facilities are not discriminatory and,
wherever possible, attend to the physical, psychological, spiritual, and social and communication needs of any patient or visitor showing no discrimination on the grounds of ethnic origin or nationality, disability, gender, gender reassignment, marital status, age, sexual orientation, race, trade union activity or political or religious beliefs.
16.2 The process for identifying and managing risk, and the manner in which this is undertaken,
should not inadvertently discriminate against any groups in society based on their race, disability, gender, age, sexual orientation, religion and belief. Any person who has concerns regarding the equality & diversity impact of risk management activity within the Trust should refer them in the first instance to the Equality & Diversity Lead, who may require equality impact assessments to be undertaken in order to determine whether any particular groups
of patients are experiencing variations in practice. The Policy Equality Impact Assessment is provided as Appendix 5.
17. Strategy and Policy Review
17.1 This Risk Management Strategy and Policy should be reviewed following the first year of
implementation, the review cycle should be 3-yearly. However due to the changes with the BAF the Trust Board have agreed it should be reviewed in April 2017. This Risk Management Strategy and Policy should be reviewed twice in the first year following the approval of this policy unless a significant change or organisational learning indicates otherwise. Following the first year of approval, the review cycle should be 3-yearly.
18. Communication Strategy
18.1 This Strategy and Policy will be circulated to all members of the Trust Board, Divisional Directors, Heads of Services, Corporate Service Leads and Locality Managers, and Service leads for dissemination and cascade to their staff.
The full document will be available for download on the Trust web site so that patients and members of the public can access it.
19. Monitoring Compliance
19.1 Effective monitoring is important to identify successful delivery of this Strategy.
19.2 A Risk Management Annual Report will be presented to the Trust Board. It will summarise the Trust’s achievements against the annual work plan for risk management, including:
An assessment of the organisational risk management culture and how this is changing over time
Performance against NHS high-level risk management indicators and assessment of the key risks facing the organisation and how these are being managed
Benchmarking activity internally and externally
Use of risk management tools by departments
Compliance with Induction and mandatory training standards relating to risk management
19.3 The Annual Report will make recommendations for the ongoing development and
improvement of risk management and processes in order to achieve the strategic vision and objectives of this Strategy.
19.4 The effectiveness of the Risk Management processes and systems will be evaluated
against the following:
Findings and recommendations from internal and external audit reports (typically annually)
External reviews, such as the NHSI or the CQC
In the event of adverse incidents
19.5 Progress will also be reported as part of the Annual Governance Statement provided by the Chief Executive in the Trust Annual Report.
19.6 Internal Audit will verify compliance with the Annual Programme on a yearly basis and will assure the Trust Board that progress is in line with predicted performance, and highlight any areas for concern. These will be reported with an attached Action Plan to address the concerns.
19.7 The following table outlines how the Trust will monitor compliance with key elements of this
Strategy:
Monitoring Compliance

| Element to be monitored | Lead | Tool/Method | Frequency | Reporting arrangements |
| --- | --- | --- | --- | --- |
| Process for ensuring continual, systematic approach to all risk assessments is followed throughout the organisation | Risk Manager | Divisional Performance Review reports | Monthly | Divisional Performance Reviews |
| | | Incident and Risk Report | Monthly | Trust Executive Risk & Assurance Group |
| | | Annual strategy and policy review report and Internal Audit process | Annually | Trust Executive Risk & Assurance Group |
| a) Appropriate assignment of the management responsibility / escalation for different levels of risk within the organisation is carried out | Risk Manager | Annual strategy and policy review report and action plan | Annually / Quarterly | Audit, Assurance and Risk Committee |
| | | Internal audit | Annually | |
| Sources of risk are comprehensive, internal and external (including, but not limited to, incident reports, risk assessment and Divisional and Corporate level registers) | Risk Manager | High level Risk register review: description of Risk; risk score; summary risk treatment plan; date of review; residual risk rating | | Audit, Assurance and Risk Committee; Quality and Safety Committee, Service Performance and Transformation Committee, Strategic Workforce Committee |
| Delivery and record of attendance of risk management awareness training to board members and senior managers, in line with the training needs analysis | Risk Manager | Trust Board - Recorded in Board minutes / Non-attendance will be documented via Company Secretary | Annually | Quality Safety Committee |
| | | For senior managers – LEaD training report which will be monitored via Annual Strategy and Policy Review. | Annually | |
| Follow up of non-attendance at training. | Risk Manager | Board – Appraisal process | Annually | Escalated via line management |
| | | For managers – LEaD training report which will be monitored quarterly and reported via Annual Strategy and Policy Review. | Six monthly | Escalated via line management |
| | | All staff – See Organisational Induction Policy | Annually | Escalated via line management |
20. Associated Documents
Board Assurance Framework Standard Operating Procedure
Risk Management Standard Operating Procedure
Policy and Procedure for Managing Incidents
Policy for Investigations, Analysis and Improvement.
Health and Safety Policy
Southern Health NHS Foundation Trust Assurance Process and Infrastructure (July 2013)
Organisational Learning Strategy
21. Supporting References
The Institute for Risk Management guidance papers (2011): ‘Risk Appetite and Tolerance Guidance Paper’
HM Treasury (2004): ‘The Orange Book – Management of Risk – Principles and Concepts’
National Health Service Litigation Authority (2008): Risk Grading Tool
National Health Service Litigation Authority (2008): Policy for the Management of the NHSLA Assurance Framework and Risk Register
Audit Commission (2009): ‘Taking it on trust – National Health Report’
National Health Service Litigation Authority (2009): Risk Management Strategy
National Health Service Litigation Authority (NHSLA) Risk Management Standards 2011-12
CEAC (2009): ‘Board Assurance: A Benchmarking Review’
Oxford University Hospitals NHS Trust (2013) – Published by Foundation Trust Network (Foundations for Excellence): ‘Making Risk Management a Reality’
Good Governance Institute (2010): ‘What every healthcare board needs to understand about patient safety’
Good Governance Institute (2012): ‘Risk Appetite for NHS Organisations – A matrix to support better risk sensitivity in decision taking.’
Good Governance Institute (2012): ‘GGI Board Briefing: Defining risk appetite and managing risk by Clinical Commissioning Groups and NHS Trusts’
Care Quality Commission essential standard of quality and safety March 2010
Health and Safety at Work etc. Act 1974
Section 2 – Duties of Employers to Employees
Section 3 – Duties of Employers to Persons other than Employees
Management of Health and Safety at Work Regulations 2003
Regulation 3 – Requirement to Assess Risk
22. Useful Websites
a. Good Governance Institute http://www.good-governance.org.uk/
b. National Health Service Litigation Authority – Risk Management Standards 2011/12 www.nhsla.com
c. National Patient Safety Agency www.npsa.nhs.uk
d. Health and Safety Executive www.hse.gov.uk
APPENDIX 1 – Definitions
Governance - the management systems, processes and behaviours by which the Trust leads, directs and controls its functions to achieve its organisational objectives, safety and quality and the way in which it relates to patients and carers, the wider community and partner organisations.
Integrated Governance - the streamlined pulling together of intelligence of the competing pressures on the Trust and its staff, advisors, systems, and processes which enables the Trust to avoid the handling of issues in management silos.
Board Assurance Framework (BAF) - enables the Board to: Identify and understand the key risks to achieving its strategic objectives; receive assurance that suitable controls are in place to manage these risks and where improvements are needed, action plans are in place and are being delivered; provide an assessment of the risk to achieving the objectives based on the strength of controls and assurances in place.
Risk Scoring/rating - A process by which risks are graded/scored based on the impact of their occurrence and the likelihood of their occurrence
Risk Tolerance – The maximum level of risk the organisation is prepared to take in line with the type of risk and the potential level of harm, recognising the Trust has a low appetite for risks that could affect patient safety
Risk Appetite - The levels and types of risk the Organisation wants to take in pursuance of its objectives. This informs all planning and objective setting, as well as underpinning the threshold used when determining the tolerability of individual risks
Risk Controls – Processes or activities already in place to effectively manage the risk to achieve the desired outcome
Gaps in Controls – processes or activities not yet in place in order to effectively manage the risk
Risk Assurance – evidence that supports the measurement of controls in place, to ensure they are operating effectively and the desired outcome is being achieved
Inadequate Assurance - Where assurance or evidence is limited and cannot provide full assurance that controls are effectively managing the risk. Gaps should be identified and listed with actions to close.
Gaps in Assurance – lack of measures or evidence to support the measurement of controls
Internal Assurance - Assurances provided by reviewers, auditors and inspectors who are part of the organisation, such as Clinical Audit or management peer review
External Assurance / Independent Assurance – Assurances provided by reviewers, auditors and inspectors from outside the organisation such as External Audit, NHSLA, CQC, Commissioners
Positive and Negative Assurances - Adequate / Positive assurance indicates how controls are operating to mitigate the risk to the achievement of desired outcome.
Inadequate / Negative assurance is the reverse, where evidence shows that controls are not operating effectively to mitigate the risk to the achievement of the desired outcome
Residual Risks - are those which remain after considering the controls in place to reduce the risk and the implementation of any additional controls that may have been identified as necessary. Acceptance of residual risk will be made by joint consultation between department leads and the Director with responsibility for the area.
Appendix 2 – Risk scoring guidance
The Trust uses a standard 5x5 risk scoring matrix for assessing the impact and likelihood of the risk (see table below).

| Impact \ Likelihood | 1 Extremely Unlikely | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost Certain |
| --- | --- | --- | --- | --- | --- |
| 5 Catastrophic | 5 | 10 | 15 | 20 | 25 |
| 4 Major | 4 | 8 | 12 | 16 | 20 |
| 3 Moderate | 3 | 6 | 9 | 12 | 15 |
| 2 Low | 2 | 4 | 6 | 8 | 10 |
| 1 Negligible | 1 | 2 | 3 | 4 | 5 |
RED RISKS: MONTHLY MONITORING BY EXECUTIVE TEAM

Impact Guidance:
Impact scores: 1 Negligible; 2 Minor; 3 Moderate; 4 Major; 5 Catastrophic

Domain: Impact on the safety of the patient, staff or public (physical/psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment; No time off work
2 Minor: Minor injury or illness, requiring minor intervention; Increase in length of hospital stay by 1–3 days
3 Moderate: Moderate injury requiring professional intervention; Increase in length of hospital stay by 4–15 days; RIDDOR/agency reportable incident; An event which impacts on a small number of patients
4 Major: Incident resulting in serious injury or permanent disability/incapacity; Increase in length of hospital stay by >15 days; Mismanagement of patient care with long-term effects
5 Catastrophic: Incident resulting in fatality or multiple fatalities; An event which impacts on a large number of patients

Domain: Quality/Complaints/audit
1 Negligible: Peripheral element of treatment or service suboptimal; Informal complaint/inquiry
2 Minor: Overall treatment or service suboptimal; Formal complaint (stage 1); Local resolution; Single failure to meet internal standards; Minor implications for patient safety if unresolved; Reduced performance rating if unresolved
3 Moderate: Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2); Local resolution (with potential to go to independent review); Repeated failure to meet internal standards; Major patient safety implications
4 Major: Non-compliance with national standards with significant risk to patients if unresolved; Multiple complaints/independent review; Low performance rating; Critical report
5 Catastrophic: Totally unacceptable level or quality of treatment/service; Gross failure of patient safety if findings not acted on; Inquest/ombudsman inquiry; Gross failure to meet national standards

Domain: Human resources/organisational development/staffing/competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (< 1 day)
2 Minor: Low staffing level that reduces the service quality
3 Moderate: Late delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>1 day); Low staff morale; Poor staff attendance for mandatory/key training
4 Major: Uncertain delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>5 days); Loss of key staff; Very low staff morale; No staff attending mandatory/key training
5 Catastrophic: Non-delivery of key objective/service due to lack of staff; Ongoing unsafe staffing levels or competence; Loss of several key staff; No staff attending mandatory training/key training on an ongoing basis

Domain: Statutory duty/inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty
2 Minor: Breach of statutory legislation; Reduced performance rating if unresolved
3 Moderate: Single breach in statutory duty; Challenging external recommendations/improvement notice
4 Major: Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report
5 Catastrophic: Multiple breaches in statutory duty / Prosecution; Complete systems change required; Zero performance rating; Severely critical report

Domain: Adverse publicity/reputation
1 Negligible: Rumours; Potential for public concern
2 Minor: Local media coverage – short-term reduction in public confidence; Elements of public expectation not being met
3 Moderate: Local media coverage – long-term reduction in public confidence
4 Major: National media coverage with <3 days service well below reasonable public expectation
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House); Total loss of public confidence

Domain: Business objectives/projects
1 Negligible: Insignificant cost increase/schedule slippage
2 Minor: <5 per cent over project budget; Schedule slippage
3 Moderate: 5–10 per cent over project budget; Schedule slippage
4 Major: 10–25 per cent over project budget; Schedule slippage; Key objectives not met
5 Catastrophic: >25 per cent over project budget; Schedule slippage; Key objectives not met

Domain: Finance including claims
1 Negligible: Negligible loss
2 Minor: Loss of less than £10,000
3 Moderate: Loss of between £10,000 and £100,000; Failure to meet CIPs or CQUINs targets of between £10,000 and £50,000
4 Major: Loss of between £100,000 and £1 million; Purchasers fail to pay promptly; Failure to meet CIPs or CQUINs targets of between £50,000 and £0.5 million
5 Catastrophic: Loss of major contract / payment by results; Loss of more than £1 million; Failure to meet CIPs or CQUINs targets of more than £0.5 million

Domain: Service/business interruption; Environmental impact
1 Negligible: Loss/interruption of >1 hour; Minimal or no impact on the environment
2 Minor: Loss/interruption of >8 hours; Minor impact on environment
3 Moderate: Loss/interruption of >1 day; Moderate impact on environment
4 Major: Loss/interruption of >1 week; Major impact on environment
5 Catastrophic: Permanent loss of service or facility; Catastrophic impact on environment

Domain: Information Governance
1 Negligible: Minor breach of confidentiality. Single individual affected
2 Minor: Breach with potential for theft, loss or communicating/sharing inappropriate information with between 20 – 50 people affected; Theft, loss or clinical information of up to 20 people affected (unencrypted media)
3 Moderate: Breach with potential for theft, loss or communicating/sharing inappropriate information with over 50 – 100 people affected; Loss or misuse of very sensitive / confidential information relating to 2-5 persons
4 Major: Serious breach with potential for theft, loss or communicating/sharing completely inappropriate information with over 100 - 500 people affected; Loss or misuse of very sensitive / confidential information relating to 5-20 persons; Damage to an organisation’s reputation/ Local media coverage due to IG breach
5 Catastrophic: Major breach with potential for theft, loss or communicating/sharing completely inappropriate information with over 500 people affected; Loss or misuse of extremely sensitive / confidential information relating to over 20 people (e.g. sexual health information, along with names and addresses); Damage to NHS reputation/ National media coverage due to IG breach
Likelihood Guidance
Risk Likelihood Guidance
| Likelihood score | Descriptor | Frequency | Probability | Chance of occurrence |
| --- | --- | --- | --- | --- |
| 1 | Rare | This will probably never happen/recur | Not expected to occur for years | < 20% |
| 2 | Unlikely | Do not expect it to happen/recur but it is possible it may do so | Expected to occur at least annually | 20%-40% |
| 3 | Possible | Might happen or recur occasionally | Expected to occur at least monthly | 40%-60% |
| 4 | Likely | Will probably happen/recur, but it is not a persisting issue/circumstances | Expected to occur at least weekly | 60%-80% |
| 5 | Almost certain | Will undoubtedly happen/recur, possibly frequently | Expected to occur at least daily | > 80% |
APPENDIX 3: Organisational Committee Structure
*In addition, special purpose Committees of finite life may be established, as directed by the Board
Trust Executive Risk and Assurance Group
Appendix 4
Training Needs Analysis – August 2015
| Training Programme | Frequency | Course Length | Delivery Method | Facilitators | Recording Attendance | Strategic & Operational Responsibility |
| --- | --- | --- | --- | --- | --- | --- |
| Governance and Risk Management | Once only | Face to Face – 1 hour | e-Learning; Face to Face | Governance Team | LEaD | Strategic – Medical Director (Quality); Operational – Risk Manager |

| Directorate | Service | Target Audience |
| --- | --- | --- |
| MH/LD/SS | Adult Mental Health | All Staff |
| | Specialised Services | All Staff |
| | Learning Disabilities | All Staff |
| ISD’s | BU1 | All Staff |
| | BU2 | All Staff |
| | BU3 | All Staff |
| | BU4 | |
| Corporate | All | All Staff |
APPENDIX 5 - Southern Health NHS Foundation Trust
Equality Impact Assessment / Equality Analysis Screening Tool
Equality Impact Assessment (or ‘Equality Analysis’) is a process of systematically analysing a new or existing policy/practice or service to identify what impact or likely impact it will have on different groups within the community
For guidance and support in completing this form please contact a member of the Equality and Diversity team on 01256 376358.
Name of policy/service/project/plan: Risk Management Strategy and Policy
Policy Number: SH NCP 25
Department: Quality and Governance
Lead officer for assessment: Head of Risk and Business Continuity
Date Assessment Carried Out: August 2012
1. Identify the aims of the policy and how it is implemented.
Key questions Answers / Notes
Briefly describe purpose of the policy including
How the policy is delivered and by whom
Intended outcomes
The Risk Management Strategy and Policy has been developed to set out the arrangements for the assessment and management of risk across the Trust. This Strategy contributes to the effective management of risk across the organisation. As such it therefore applies to all members of staff who have a role within it.
The Strategy and Policy is publicly available on the Trust web site and staff intranet.
All staff are made aware of the policy and its content during mandatory staff Induction Training.
Provide brief details of the scope of the policy being reviewed, for example:
Is it a new service/policy or review of an existing one?
Is it a national requirement?
This is an update and redraft of previous policy and strategy, amalgamating them into one Strategy and Policy document.
It is a requirement of the NHSLA to have a valid Risk Management Policy.
2. Consideration of available data, research and information
Monitoring data and other information involves using equality information, and the results of engagement with protected groups and others, to understand the actual effect or the potential effect of your functions, policies or decisions. It can help you to identify practical steps to tackle any negative effects or discrimination, to advance equality and to foster good relations.
Please consider the availability of the following as potential sources:
Demographic data and other statistics, including census findings
Recent research findings (local and national)
Results from consultation or engagement you have undertaken
Service user monitoring data
Information from relevant groups or agencies, for example trade unions and voluntary/community organisations
Analysis of records of enquiries about your service, or complaints or compliments about them
Recommendations of external inspections or audit reports
Key questions Data, research and information that you can refer to
2.1 What is the equalities profile of the team delivering the service/policy?
All staff members, contractors, visitors and volunteers should comply with this Strategy and Policy.
The Equality and Diversity team report on workforce equality monitoring data, which is available if required.
2.2 What equalities training have staff received?
The Trust provides equality and diversity training to all staff that includes: Induction, E-Learning and Respect and Values Training.
2.3 What is the equalities profile of service users?
The Equality and Diversity team report on patient/service user equality monitoring data which is available if required.
2.4 What other data do you have in terms of service users or staff? (e.g. results of customer satisfaction surveys, consultation findings). Are there any gaps?
The Quality and Safety Committee is a Sub-Committee of the Trust Board, and therefore has a responsibility to receive and scrutinise assurance, and provide onward assurance to the assurance and Audit Committees and Trust Board. It monitors risk management processes to ensure that these are working correctly.
Delegated responsibility for specific areas of risk management is held by the following groups:
Local Divisional / Directorate / Business and Governance Groups
Health and Safety Committee
Trust Resilience Group
2.5 What engagement or consultation has been undertaken as part of this EIA and with whom?
What were the results?
This Section requires completion following completion of the Strategy and Policy consultation. The EIA will be sent out as part of the policy consultation process.
2.6 If you are planning to undertake any consultation in the future regarding this service or policy, how will you include equalities considerations within this?
The Trust has embraced the Equality Delivery System and will drive forward a strong engagement plan to involve and communicate with staff and patients so that they can share their skills and expertise on key issues affecting service delivery.
Columns: Positive impact (including examples of what the policy/service has done to promote equality); Negative Impact; Action Plan to address negative impact (Actions to overcome problem/barrier; Resources required; Responsibility; Target date)

Yes – this strategy and policy includes a section on ensuring that there is no discrimination when risk assessment management processes are undertaken

Age
Positive impact: Appropriate action is taken to ensure that the work environment is conducive to the needs of all our staff and service users.
Negative impact: No negative impacts have been identified at this stage of screening

Disability
Positive impact: The Trust will support staff with a disability and provide reasonable adjustments; Personal Emergency Evacuation Plans (PEEPs) are available to ensure the safety of staff and patients; The Trust has conducted Disability Access Audits on its services; The Trust will provide appropriate interpreting and translation services to respond to requests for information in alternative formats
Negative impact: There is a potential negative impact in making assumptions about the health and safety implications of a person’s disability as it might not make a difference to workplace risks. If you do a risk assessment with no good reason you might discriminate illegally; People hiding a disability that might have health and safety implications
Actions to overcome problem/barrier: The equality and diversity team will provide support and guidance to the Trust
Responsibility: Equality and Diversity Team; Estates Department

Gender Reassignment
Positive impact: The ethical framework used by the Trust will ensure each patient’s privacy and confidentiality are preserved
Negative impact: No negative impacts have been identified at this stage of screening

Marriage and Civil Partnership
Negative impact: No negative impacts identified at this stage of screening

Pregnancy and Maternity
Positive impact: The Trust will ensure risk assessments are undertaken for all new and expectant mothers to ensure preventative measures are undertaken where significant risks are identified.
Negative impact: No negative impacts have been identified at this stage of screening

Race
Positive impact: The Trust responds positively to requests of information in alternative formats. The Equality and diversity Lead can be contacted for information on Interpreting and Translation services
Negative impact: No negative impacts identified at this stage of screening

Religion or Belief
Negative impact: No negative impacts identified at this stage of screening

Sex
Negative impact: No negative impacts identified at this stage of screening

Sexual Orientation
Positive impact: The ethical framework used by the Trust will ensure each patient’s privacy and confidentiality are preserved
Negative impact: No negative impacts identified at this stage of screening