risk management strategy and policy - southern health · pdf filesh ncp 25 risk management...

1

Risk Management Strategy and Policy Version: 4 May 2017

SH NCP 25

Risk Management Strategy and Policy

Version 4

Summary:

This document details the Trust’s framework within which it directs and controls the risks to its key functions. It sets out the Trust’s approach to the identification, assessment, treatment, and tolerance of risk throughout the organisation. The overall objectives of the document are to provide:

A framework and clear processes for robust risk management at all levels of the organisation.

A framework to deliver assurance that risks are being appropriately identified, assessed, prioritised, addressed and monitored.

Detail staff roles and responsibilities to embed the concept of risk assessment and risk management into the day to day working practices of the Trust.

Support and promote on-going development as a learning organisation.

Keywords (minimum of 5):

(To assist policy search engine)

Risk, risk management, risk register, risk assessment, strategy, tolerance, risk appetite, assurance, assurance framework, mitigation

Target Audience: All staff employed by Southern Health NHS Foundation Trust

Next Review Date May 2018, or sooner if changes are made to the risk framework

Approved and Ratified by:

Trust Board Date of meeting: 27 May 2017

Date issued: June 2017

Author: Jake Pursaill, Risk Manager

Sponsor: Sara Courtney, Acting Chief Nurse

2


Version Control

Change Record

Date Author Version Page Reason for Change

08.12 Fiona Richey Head of Risk and Business Continuity

1.0 Revised following organisational change/ restructure for Southern Health NHS Foundation Trust


2.0 Revised following Trust internal audit Risk Maturity Review to combine and clarify existing separate Risk Strategy and Risk Management Policy in to a single document. Review and clarification of risk appetite and risk escalation.


2.6 5, 22

9 12 20

Revised to remove and reflect current year, person and time sensitive detail. Revised clarification of risk appetite following Board Seminar 24

th June 2014

Revised to clarify risk escalation. Inclusion of Risk Score Guidance

August 2015 Louise Hartland Governance, Quality and Compliance Manager, LEaD

2 Page 14 section 15.2 15.3 3

Revised to reflect training provision for managers Revised to reflect training provision for executive and non-executives. Updated Training Needs Analysis

August - October 2016

Fiona Richey Head of Risk and Business Continuity

3 Page 5 Section 4.2 Section 4.4 P 6 Section 4.12 P 9 Sections 5.3 and 13.1 P10 Sec 7 P11 Sec 9, 10, 11 P13 Sec 11.5 and P 25 Appendix 3 Page 16 Section 15.2

Sponsorship changed to Acting Director of Nursing and Allied Professionals Minor changes to wording for clarity throughout document Revised to reflect risk management responsibilities for all staff Revised to include the post of Divisional Governance Business Partners and their role within the framework Awarded the responsibility for maintaining the Board Assurance Framework to the Company Secretary Interim Head of Patient Safety and Quality and Risk Manager roles added. Trust level risk register replaces Corporate Risk Register Removed risk appetite and tolerance information and referenced separate Board Risk Appetite Statement Trust Executive Risk and Assurance Group included Risk terminology and guidance re-ordered for clarity. Training expectations and requirements for staff and managers updated.

November 16 Ryan Taylor, Interim Head of Incident Management & Patient Safety

3.3 Page 10 Page 12 Page 17 Page 21 Cover page

Amendments requested by Trust Board Changes made to reflected revised application of risk tolerance to reflect the amended risk appetite statement agreed by the Board in October Revised the risk matrix in line with the risk appetite Revised process of obtaining assurance of effectiveness removed ‘internal control’ and ‘local evaluation’, replaced with NHSI, CQC, internal audit and when adverse events occur Amended positive and negative assurance Review - April 2017, at request of the Trust Board due to forthcoming changes with the BAF and high level risk management

December 16 Ryan Taylor, Interim Head of Incident Management & Patient Safety

3.4 Page 14 Page 23

As agreed by the Chief Nurse Added review for moderate level risks. Altered review periods for low level risks Inserted impact matrix that matched the risk appetite document, but which also included an impact domain for Information Governance

May 2017 Jake Pursaill, Risk Manager

4 Page 7 Page 22 & 23 Page 17 & 18

Removed reference to the Head of Risk Management and assigned responsibilities to the Risk Manager Adjusted scoring criteria for fatalities, and references to CIPs and CQUINs Updated committee reporting structure

3


Reviewers/contributors

Related Documents

Title

Board Risk Appetite Statement

Board Assurance Framework Standard Operating Procedure

Policy for Managing Incidents and Serious Incidents

Procedure for Reporting and Managing Incidents and Serious Incidents

Procedure for Reporting and Investigating Deaths

Procedure for Management of Serious Incidents that Require Investigation

Organisational Learning Strategy

Health and Safety Policy

Quality Strategy

Name Position Version Reviewed & Date

Dr Helen McCormack Medical Director December 2013

Non - Executive Directors Southern Health NHS Foundation Trust December 2013 Compliance Team Southern Health NHS Foundation Trust December 2013 Julie Jones Associate Director of Governance December 2013 Divisional Directors Southern Health NHS Foundation Trust December 2013 Executive team Southern Health NHS Foundation Trust September 2016

Fiona Richey Head of Risk September 2016

Jake Pursaill Risk Manager Support September 2016

4


Contents

Page

1 Introduction 5

2 Purpose and Scope of the Strategy and Policy

1. Purpose and Scope of the Strategy and Policy


5

3 Strategy and Policy Objectives 6

4 Duties / Responsibilities

1. Duties / Responsibilities

6

5 Definitions of risk 8

6 Risk Management Overview 9

7 Risk Tolerance and Appetite

1. Risk Tolerance and Appetite

10

8 Risk Management Process Overview 10

9 Risk Register Process 11

10 Risk Identification 11

11 Risk Assessment 11

12 Managing and Mitigating the Risks

12

13 Risk Review, Escalation and Assurance

13

14 Communication of Risk with Third Parties

14

15 Training Requirements 15

16 Equality and diversity 15

17 Strategy/Policy review 16

18 Communication strategy 16

19 Monitoring compliance 16

20 Associated documents 18

21 Supporting references 18

22 Useful websites 18

Appendices

Appendix 1 Risk Management Definitions 19

Appendix 2 Risk Scoring Guidance

21

Appendix 3 Organisational Committee Structure

24

Appendix 4 Training Needs Analysis

25

Appendix 5 Equality Impact Assessment Tool 26

5


Risk Management Strategy and Policy 1. Introduction 1.1 Southern Health NHS Foundation Trust (hereafter known as the Trust) provides community

health, mental health, and learning disability services.

1.2 Our overall aim is to improve the health, wellbeing and independence of the people we serve by improving patient and service user experience, improving clinical outcomes and giving value for money. The Trust is committed delivering care in a safe environment to protect patients, visitors, staff and the organisation from harm.

1.3 The aim of this strategy and policy is to support the delivery of the organisational aims and objectives through effective management of risks across all of the Trust’s functions and activities through effective risk management processes, measurement, analysis and organisational learning.

1.4 The Trust recognises that Risk Management forms an integral part of its philosophy, practices and the business planning cycle. The Trust Board must be able to assure itself the organisation is operating effectively and meeting key aims, goals and principle strategic objectives.

1.5 The Trust’s approach to risk management aims to be forward looking, innovative and comprehensive; to make the effective management of risk an integral part of everyday practice. It also aims to support a culture which encourages continuous improvement and development and a focus on proactive rather than reactive risk management, and to support well thought through decision making.


2.1 The purpose and scope of the Trusts Risk Management Strategy and Policy is to detail the

framework within which the Trust leads, directs and controls the risks to its key functions in order to comply with Health and Safety legislation, Foundation Trust Terms of Authorisation and its strategic objectives. The Risk Management Strategy and policy underpins the Trust’s reputation and performance and is fully endorsed by the Trust Board.

2.2 The Trust acknowledges its legal and moral duty to safeguard staff, patients and members

of the public. There are also sound moral, financial and good practice reasons for identifying and managing both clinical and non-clinical risks. Failure to manage risks effectively can lead to harm/loss or damage in terms of both personal injury but also in terms of loss or damage to the Trust’s reputation; financial loss; potential for complaints; litigation and adverse or unwanted publicity.

2.3 This document is intended for use by all Trust employees and contractors. All staff

members will be made aware of the contents on commencement of employment as part of their induction.

2.4 Significant changes to this document will also be cascaded via the Trusts staff update

communication process and/or line management cascade. 2.5 The Trust uses a web-based Risk Management system, Ulysses for the recording,

management, and reporting of incidents and risks at local, Divisional, Corporate and Strategic levels.

2.6 This Strategy and Policy should be read in conjunction with the Policy for Managing Incidents, the Board Assurance Framework Process and Standard Operating Procedure,

6


the Policy for Investigations, Analysis and Improvement, the Health and Safety Policy, Fire Policy, the Trust Quality Strategy and Trust Organisational Learning Strategy.

3. Strategy and Policy Objectives

3.1 The objectives of this Risk Management Strategy and Policy are as follows:

To set out the Trust’s approach to risk and provide a framework and clear process for robust risk management at all levels within the organisation.

To outline the framework to provide assurance that risks at all levels of the organisation are being appropriately identified, assessed, prioritised, addressed and monitored.

To detail the expectations in terms of roles and responsibilities of all staff in order to embed the concepts and ideas of risk assessment, risk management and risk accountability into the day to day working practices of the organisation.

To support and promote on-going development as a learning organisation.

4. Duties / Responsibilities

4.1 The management of risk is an integral part of management and clinical practice. Every

individual within the Trust is therefore responsible for identifying and managing risk. The following individuals have specific risk management responsibilities, accountability and authority, as part of their existing roles.

4.2 All Employees (including contracted employees) are responsible for:

The identification of both clinical and non-clinical risks that exist or emerge within the area in which they work, and the escalation of these identified risks to managers, risk leads, or senior management as appropriate.

Undertaking working practices that comply with all policies, regulations, procedures and Department/ workplace/Task specific safe systems of work.

Ensuring they act in a manner which is safe and secure for themselves, colleagues, patients, visitors and others who may be affected by their actions, being aware they have a duty to take reasonable care for their own safety and safety of others who may be affected by their acts or omissions.

Report any hazardous situations and accidents/ near-miss incidents to the relevant manager(s) as soon as possible and through the Trust incident and near miss reporting system in line with the Managing Incidents Policy.

4.3 Senior/Line Managers are responsible for:

Ensuring that they and their staff fulfil their responsibility for risk management by identifying, reporting, monitoring and managing risk in line with this and other associated policies, including the policy for managing incidents.

Ensuring that appropriate and effective governance processes are in place to pro-actively identify, assess and manage risk within their designated area and scope of responsibility.

Ensure that identified risks are recorded, properly assessed, escalated, communicated and managed effectively and appropriately in line with guidance within their area of responsibility so that the consequences of a risk – patient harm, financial loss, reputational damage, etc. – are minimised.

7


4.4 Divisional Governance Business Partners

Play a key role in supporting the systems and processes for the review and recording of all risks from team level to divisional board providing expert advice on the grading and escalation / de-escalation where appropriate. This will involve working closely with underperforming teams, providing education and encouragement of how risk reporting improves patient safety.

Will provide education throughout the division on the reporting of risks and incidents through the Ulysses system.

Support their division in the identification, assessment and reporting of risk.

4.5 Chairs of all Trust Meetings are responsible for:

Ensuring all relevant risks are brought to the meeting on a regular basis for review to ensure they are up to date and being effectively managed.

Agreeing proposed risk tolerance score or risk appetite score for each risk and ensure risks are transferred to risk registers and are correctly assessed.

4.6 Risk Manager is responsible for:

The development of strategic plans, policies, procedures and statement of purpose documents with regard to risk management. Provision of training, information and support for Trust staff in relation to risk management.

Will support the Divisional Governance Business Partners in developing and educating staff regarding risk management including risk registers and the Board Assurance Framework.

Ensuring relevant risks are reported to external agencies such as commissioners through the oversight groups.

Ensuring the Ulysses risk management system and associated processes are maintained and updated in line with Organisational requirements.

Undertaking consultations with the Executives and NEDS the annual review of the Trust Risk Appetite statement.

Through oversight provides a ‘check and challenge’ process for all risks on the register with the risk owners through a systematic and documented process.

Ensuring an appropriate Board Assurance Framework (BAF) is prepared and regularly updated, and that it receives appropriate consideration at relevant committees and groups.

4.7 Associate Director of Quality Governance has:

Operational management responsibility for the implementation of all aspects of the Governance and Risk Management agenda through management of the Governance Team.

4.8 Chief Nurse for:

Executive sponsorship of the Trust Risk Management Strategy and Policy.

Ensuring that the Annual Governance Statement adequately reflects the risk management process within the Trust.

4.9 The Executive Team

In addition to their roles as senior managers; members of the executive team will act as Accountable Lead Directors for their respective areas of the business and will ensure

8


that within their directorates all risk management issues are coordinated, managed, monitored and reviewed including:

Lead in the management of risk by devising and implementing short, medium and long-term strategies to tackle identified risk.

Recommending to the Board of Directors the raising and closing of identified strategic risks, using the Board Assurance Framework.

4.10 Non-Executive Directors

Challenge risk management and governance arrangements within the organisation and provide assurance of the robustness of these arrangements as part of their role as members of the Trust Board and its sub-committees.

4.11 Chief Executive has responsibility for:

Maintaining a sound system of internal control and assurance that supports the achievement of the Organisation’s objectives.

Ensuring that full support and commitment is provided and maintained in every activity relating to risk management

Planning for adequate staffing, finances and other resources, to ensure the management of those risks which may have an adverse impact on the staff, finances or Trust stakeholders.

Ensuring and signing off the Trust Annual Governance Statement, which adequately reflects the risk management issues within the Trust.

Operationally, the Chief Executive delegates responsibility for the implementation of the Risk Management Strategy to other individuals, as described above

4.12 The Board

Executive and non-executive directors share collective responsibility for the success of the Trust, including the effective management of risk and compliance with relevant legislation. Providing the strategic direction and leadership to the Trust including:

Protecting the reputation of the Trust;

Providing leadership on the management of risk and ensuring the approach to risk management is consistently applied; Determining the risk appetite for the Trust;

Ensuring that assurances demonstrate that risk has been identified, assessed and all reasonable steps taken to manage it effectively and appropriately; and

Endorsing risk related disclosure documents. 5. Definitions of Risk 5.1 At its best risk management will radically improve the quality of services provided and

provides strategic direction to the Organisation by guiding staff on the appropriate level of risk they are permitted to take and enables staff to seize important opportunities.

5.2 Risk can relate to:

A threat - an event or circumstance which could cause harm or loss, or affect the ability of the organisation to achieve its objectives.

An opportunity – the organisation must take some risks in order to obtain a benefit, to innovate, grow and improve.

9


5.3 All risks are managed through the Trust’s risk register; the risk register has four levels of management:

Strategic – Any risk affecting the whole organisation and its ability to achieve the Organisational Objectives.

Trust – Any risk which may affect more than one Division or require Corporate Management.

Divisional – Any risk that affects Divisional services or the service only. Risks that are within the Divisional Directors/local managers delegated budgetary limits and financial resources.

Local/ Service/Team – Any risk that affects service or team level only. Risks that are within the Deputy Directors/local managers delegated budgetary limits and financial resources.

Further detailed risk management definitions can be found as Appendix 1. 6. Risk Management Overview

6.1 By its very nature healthcare is a high risk activity and effective management is often based on taking calculated risks. Risk management helps to ensure that those judgements can be made from a measured range of fully identified options and from a sound knowledge of the risk causes, effects, and consequences.

6.2 Effective risk management is best achieved in an environment of openness and

transparency in which it is recognised that whilst risk can never be eliminated, it can and must be managed.

6.3 The Trust Board has delegated the responsibility for the management of risk to key

committees. These Committees are responsible for ensuring individual Directors undertake a full programme of risk management activities, maintain up-to-date risk registers and take action to control these risks commensurate with their risk management responsibilities.

6.4 Each Committee has Terms of Reference which have been agreed by the Board. Terms of

Reference for formal Board sub-Committees are held by the Company Secretary. A full depiction of the Trust’s Governance Structure and the purpose of each Key Committee can be found within the Trust’s Board Assurance Framework Standard Operating Procedure.

6.5 Risk management is also monitored by external and internal agencies. Performance is

monitored against national standards and is subject to self-assessment review and audit. Where performance in these assessments falls below acceptable levels, detailed action plans will be produced and work programmes put in place to improve standards.

6.6 There are a number of indicators that support the implementation of the Trusts Risk

Management Strategy and Policy, for example; adverse incidents, complaints and litigation. These indicators are reported monthly via the Trust Quality Dashboard and are reported on in more detail by the Divisions and the Governance Team via Divisional Performance Review meetings, Quality & Safety Committee, and the Health and Safety Forum.

6.7 The Process for Managing Incidents is provided in the Trust Policy for Managing Incidents

and Trust Procedure for Grading and Managing Incidents. The Management of Serious Incidents Requiring Investigation (SIRIs) is also included in the Incident Management Policy and Procedure and which are available to staff via the trust web site.

10


6.8 The Trust’s approach to investigating and learning from incidents focuses on what went

wrong and not on who to blame. However if staff have a concern or feel unable to report an incident via the incident reporting system, they should follow the policies: Speak Up (Whistle Blowing) Policy.

7. Risk Tolerance and Appetite

7.1 The Board recognises risk is inherent in the provision of healthcare and its services, and

therefore a defined approach is necessary to identify risk context, ensuring that the Trust understands and is aware of the risks it’s prepared to accept in the pursuit of the delivery of the Trust’s aims and objectives.

The Trust recognises it will have to in some circumstances accept a level of risk. Accepting

risk is often required to achieve overall objectives. It must, however, take and accept risks in a controlled manner, thus reducing its exposure to unacceptable risk. Further information can be found in the Trust’s Board Risk Appetite Statement, separate from this document.

8. Risk Management Process Overview

8.1 Systems for risk management provide a structured method to identify and manage risks:

8.2 Detailed information around the risk management process, specific guidance and risk

management tools are available via the Trust website.

11


9. Risk Register Process

9.1 The principle tool The Trust uses for managing its identified risks is the Risk Register which

can be described as “a log of all the risks identified, both clinical and non-clinical, that might have an impact on the Trust’s delivery of its aims and objectives”.

9.2 The Trust has a single Risk Register which operates at a local/ Service Team, Divisional,

Trust-wide and Strategic levels. The Risk Management and escalation process is outlined in detail in the Trust’s Board Risk Appetite Statement.

9.3 The Risk Register will be reviewed at all levels in line with Trust Board Assurance

Framework Standard Operating Procedure and the Board Risk Appetite Statement which further define roles, responsibilities, and reporting schedules.

10. Risk Identification

10.1 Risks will be identified from both internal and external sources. The Trust aims to be as

proactive as possible, as this makes a managed response to risk possible. This avoids the need to make decisions under unnecessary pressure without adequate information or resource.

10.3 The Trust has a comprehensive range of risk assessment tools to identify risk and potential

risks associated with its activities. Examples include; Visual Display Risk assessments, Falls Prevention Assessment, Ligature Risk Assessment, and Risk Register Assessment pro formas.

11. Risk Assessment

11.1 Southern Health NHS Foundation Trust deploys a standardised approach to risk

assessment across the entire organisation to ensure consistency. 11.2 Risks are assessed based on the impact of the risk and the potential likelihood to occur: The impact is based on a number of factors, for example; the financial implications, the number of service users or staff potentially affected the ability of the Trust to achieve its objectives or the effect on Trust reputation. The likelihood is based on the probability of the risk emerging, and the timeframes in which the risk might occur, e.g. weekly, monthly, etc. 11.3 Evaluation and ranking of risks (risk scoring)

The Trust uses a standard 5x5 risk scoring matrix for assessing the impact and likelihood of the risk (see table below).

5 Catastrophic

5 10 MONTHLY

MONITORING BY EXECUTIVE

TEAM

15 20 25

4 Major

4 8 12 MONTHLY


TEAM

16 20

All RED RISKS: MONTHLY MONITORING BY EXECUTIVE TEAM

12


3 Moderate

3 6 9 12 MONTHLY


TEAM

15

2 Low

2 4 6 8 10

1 Negligible

1 2 3 4 5

1 Extremely Unlikely

2 Unlikely

3 Possible

4 Likely

5 Almost Certain

Risk scores are not intended to be precise mathematical measures of risk, but are a useful tool to help in the prioritisation of control measures for the treatment of risk. The scoring system allows the levels of risk to be easily identified and therefore prioritised. Further detail on risk scoring and effective assessment is given in Appendix 2.

11.4 As part of the risk assessment process, a course of action must be agreed in line with the

Trust’s defined Risk appetite approach and risk tolerance levels. Courses of action to be taken are to:

Treat

Tolerate

Transfer

Terminate

Take the opportunity

Further guidance on action required with each option is provided within the Trust’s Board Risk Appetite Statement.

11.5 The Trust Executive Risk Group has responsibility to review monitor on a monthly basis all risks scored at 15 and above outside the tolerance threshold of the Trust and the course of action to take. In addition the Executive Group will in also review on a monthly basis any and all risks rating of 10 with a Likelihood rating of unlikely (2) and an Impact rating of Catastrophic (5).

12. Managing and Mitigating Risks

12.1 As part of the risk assessment process discussed in 11. Risk Assessment, each identified

risk will be assessed a total of three times:

Inherently, as though there were no controls in place, or that all of the controls are failing;

Residually, assuming the controls in place are adequately designed and operating effectively.

Target, the risk score that should be achieved through implementing actions, bringing the risk in line with articulated appetite and tolerance.

13


12.2 Controls to manage the risk and assurance measures can then be applied to provide a proportionate response with need to revisit should the risk assessment score change over time.

12.3 Measures of Assurance should indicate the adequacy of the controls in place. Assurance

should be identified as internal or external and the information gathered using these measures should be identified as reflecting either positively or negatively on the effectiveness of controls in place.

12.4 Gaps in controls should also be clearly identified with actions in place to address. Actions

should be specific, measurable, achievable, realistic and timely and should have an identified action owner. The target date to achieve the action must also be recorded.

12.5 Recorded risk information, controls, and actions should be reviewed thoroughly by the

monitoring committee to ensure these are adequate effective, and current. 12.6 The target risk score should be agreed in line with the risk appetite and tolerance by the

monitoring committee to establish at what point the risk becomes acceptable and can simply be monitored.

13. Risk Review, Escalation and Assurance

13.1 All Risks are managed on the Risk Register. Within the Risk Register there are several

levels of risk management as identified in the following table:

14


Risk Review 13.2 The frequency of review of risks, dependent on their risk score, risks graded as:

Red will be reviewed at least monthly and;

Amber risks will be reviewed at least quarterly (with the exception of risks 5x2 which will also be monthly)

Yellow risk will be reviewed at least every 6 months

Green risks will be reviewed at least annually. Risk review frequency may be increased based on the risk’s alignment with the Trust’s identified risk appetite.

Risk Escalation

13.3 All parts of the Trust will, on a regular basis, review their identified risks and the controls put in place to manage those risks. All levels of risk will be monitored and escalated to the relevant level of the Risk Register dependant on:

The risk score

The area of affect

The budgetary requirements to manage/mitigate the risk

Assurance 13.4 To support increasing levels of assurance the Trust Board Assurance Framework, and Risk

Control Framework will undergo continuous review and development to ensure a focused approach to the strength of assurance received by Board and Sub - Committees. The process for rating and mapping assurance received against the relevant risks will be undertaken through the use of the three key lines of defence assurance model of:

Service Management;

Functional oversight;

Independent review. Additional information on assurance is provided in the Trust Board Assurance Framework Standard Operating Procedure.

13.5 The Risk Management Strategy and Policy, Trust Board Assurance Framework, Risk Management Standard Operating Procedures and guidance tools will be updated to reflect developments in line with Trust risk management and assurance development and Trust Quality Programmes as well as document review schedules.

14. Communication of Risk with Third Parties 14.1 If an organisational risk is identified which is shared with or wholly relates to another

organisation the risk must be shared with that organisation. Advice on the appropriate method of communicating and sharing the risk must be sought from the relevant Executive or Divisional Director. The third party must not be named in the Risk Register and the risk

15


must not be entered on to the Risk Register without the knowledge of the third party organisation.

15. Training Requirements

15.1 All staff

All staff will be provided with and governance risk management training as part of the Trust induction process. Attendance will be recorded and monitored in accordance with the Organisational Induction Policy. The Governance and Risk Management e-learning and e-assessment module is mandatory for all staff. Staff members that are unable to achieve the required level of e-assessment competency will be identified through the Trust electronic training monitoring system; with face-to-face training for these staff provided regularly in response to need. Attendance will be recorded, monitored and appropriate follow up will occur in line with the Trust Organisational Policy.

Please refer to the training needs analysis at Appendix 4.

15.2 Managers An e-learning module that covers all aspects of risk management is available for all staff on the LEaD website. The e-learning module is mandatory for all managers with a responsibility for managing risk. It is expected that it will be completed by all Band 6 posts and above. Specific learning on the completion of risk registers is delivered by the risk team, and bookable via the staff intranet. Specific training delivered face to face by the risk manager is available on request. Please contact the risk team for more details.

15.3 Trust Board Risk Management training is assessed, identified and provided for all executive and non-executive Directors as part of the Board Annual Development Programme. Individual Directors will receive risk training as required and or as part of Trust induction. The Board will assess the need for whole Board additional training as necessary. Individual training will be recorded as part of Induction and individual training records. Board Wide Training attendance will be monitored by the Company Secretary and recorded via the Board Development Programme.

16. Equality and diversity

16.1 The Trust aims to ensure that its healthcare and facilities are not discriminatory and,

wherever possible, attend to the physical, psychological, spiritual, and social and communication needs of any patient or visitor showing no discrimination on the grounds of ethnic origin or nationality, disability, gender, gender reassignment, marital status, age, sexual orientation, race, trade union activity or political or religious beliefs.

16.2 The process for identifying and managing risk, and the manner in which this is undertaken,

should not inadvertently discriminate against any groups in society based on their race, disability, gender, age, sexual orientation, religion and belief. Any person who has concerns regarding the equality & diversity impact of risk management activity within the Trust should refer them in the first instance to the Equality & Diversity Lead, who may require equality impact assessments to be undertaken in order to determine whether any particular groups

16


of patients are experiencing variations in practice. The Policy Equality Impact Assessment is provided as Appendix 5.

17. Strategy and Policy Review

17.1 This Risk Management Strategy and Policy should be reviewed following the first year of

implementation, the review cycle should be 3-yearly. However due to the changes with the BAF the Trust Board have agreed it should be reviewed in April 2017. This Risk Management Strategy and Policy should be reviewed twice in the first year following the approval of this policy unless a significant change or organisational learning indicates otherwise. Following the first year of approval, the review cycle should be 3-yearly.

18. Communication Strategy

18.1 This Strategy and Policy will be circulated to all members of the Trust Board, Divisional

Directors, Heads of Services, Corporate Service Leads and Locality Managers, and Service leads for disseminated and cascade to their staff.

The full document will be available for download on the Trust web site so that patient and

members of the public can access it. 19. Monitoring Compliance

19.1 Effective monitoring is important to identify successful delivery of this Strategy. 19.2 A Risk Management Annual Report will be presented to the Trust Board. It will summarise

the Trust’s achievements against the annual work plan for risk management, including:

An assessment of the organisational risk management culture and how this is changing over time

Performance against NHS high–level risk management indicators and assessment of the key risks facing the organisation and how these are being managed

Benchmarking activity internally and externally

Use of risk management tools by departments

Compliance with Induction and mandatory training standards relating to risk management

19.3 The Annual Report will make recommendations for the ongoing development and

improvement of risk management and processes in order to achieve the strategic vision and objectives of this Strategy.

19.4 The effectiveness of the Risk Management processes and systems will be evaluated

against the following:

Findings and recommendations from internal and external audit reports (typically annually)

External reviews, such as the NHSI or the CQC

In the event of adverse incidents

19.5 Progress will also be reported as part of the Annual Governance Statement provided by the Chief Executive in the Trust Annual Report.

17


19.6 Internal Audit will verify compliance with the Annual Programme on a yearly basis and will assure the Trust Board that progress is in line with predicted performance, and highlight any areas for concern. These will be reported with an attached Action Plan to address the concerns.

19.7 The following table outlines how the Trust will monitor compliance with key elements of this

Strategy:

Monitoring Compliance

Element to be monitored Lead Tool/Method Frequency Reporting arrangements

Process for ensuring continual, systematic approach to all risk assessments is followed throughout the organisation

Risk Manager Divisional Performance Review reports

Monthly Divisional Performance Reviews

Incident and Risk Report Monthly Trust Executive Risk & Assurance Group

Annual strategy and policy review report and Internal Audit process

Annually

Trust Executive Risk & Assurance Group

a) Appropriate assignment of the management responsibility / escalation for different levels of risk within the organisation is carried out

Risk Manager Annual strategy and policy review report and action plan

Annually / Quarterly

Audit, Assurance and Risk Committee

Internal audit Annually

Sources of risk are comprehensive, internal and external (including, but not limited to, incident reports, risk assessment and Divisional and Corporate level registers)

Risk Manager High level Risk register review

description of Risk

risk score

summary risk treatment plan

date of review

residual risk rating

Audit, Assurance and Risk Committee

Quality and Safety Committee, Service Performance and Transformation Committee, Strategic Workforce Committee

Delivery and record of attendance of risk management awareness training to board members and senior managers, in line with the training needs analysis

Risk Manager Trust Board - Recorded in Board minutes / Non-attendance will be documented via Company Secretary

Annually

Quality Safety Committee

For senior managers – LEaD training report which will be monitored via Annual Strategy and Policy Review.

Annually

Follow up of non-attendance at training.

Risk Manager Board – Appraisal process Annually / Escalated via line management

For managers – LEaD training report which will be monitored quarterly and reported via Annual Strategy and Policy Review.

Six monthly

Escalated via line management

All staff – See Organisational Induction Policy

Annually

Escalated via line management

18


20. Associated Documents

Board Assurance Framework Standard Operating Procedure

Risk Management Standard Operating Procedure

Policy and Procedure for Managing Incidents

Policy for Investigations, Analysis and Improvement.

Health and Safety Policy

Southern Health NHS Foundation Trust Assurance Process and Infrastructure (July 2013)

Organisational Learning Strategy

21. Supporting References

The Institute for Risk Management guidance papers (2011): ‘Risk Appetite and Tolerance Guidance Paper’

HM Treasury (2004): ‘The Orange Book – Management of Risk – Principles and Concepts

National Health Service Litigation Authority (2008): Risk Grading Tool

National Health Service Litigation Authority (2008): Policy for the Management of the NHSLA Assurance Framework and Risk Register

Audit Commission (2009): ‘Taking it on trust – National Health Report

National Health Service Litigation Authority (2009): Risk Management Strategy

National Health Service Litigation Authority (NHSLA) Risk Management Standards 2011-12

CEAC (2009) ‘Board Assurance: A Benchmarking Review.

Oxford University Hospitals NHS Trust (2013) – Published by Foundation Trust Network (Foundations for Excellence): ‘Making Risk Management a Reality’

Good Governance Institute (2010): ‘What every healthcare board needs to understand about patient safety’

Good Governance Institute (2012): ‘Risk Appetite for NHS Organisations – A matrix to support better risk sensitivity in decision taking.’

Good Governance Institute (2012): ‘ GGI Board Briefing: Defining risk appetite and managing risk by Clinical Commissioning Groups and NHS Trusts’

Care Quality Commission essential standard of quality and safety March 2010

Health and Safety at Work etc. Act 1974

Section 2 – Duties of Employers to Employees

Section 3 – Duties of Employers to Persons other than Employees

Management of Health and Safety at Work Regulations 2003

Regulation 3 – Requirement to Assess Risk

22. Useful Websites

a. Good Governance Institute http://www.good-governance.org.uk/ b. National Health Service Litigation Authority – Risk Management Standards 2011/12

www.nhsla.com c. National Patient Safety Agency www.npsa.nhs.uk d. Health and Safety Executive www.hse.gov.uk

http://www.good-governance.org.uk/

http://www.nhsla.com/

http://www.npsa.nhs.uk/

http://www.hse.gov.uk/

19


APPENDIX 1 – Definitions

Governance - the management systems, processes and behaviours by which the Trust leads, directs and controls its functions to achieve its organisational objectives, safety and quality and the way in which it relates to patients and carers, the wider community and partner organisations.

Integrated Governance - the streamlined pulling together of intelligence of the competing pressures on the Trust and its staff, advisors, systems, and processes which enables the Trust to avoid the handling of issues in management silos.

Board Assurance Framework (BAF) - enables the Board to: Identify and understand the key risks to achieving its strategic objectives; receive assurance that suitable controls are in place to manage these risks and where improvements are needed, action plans are in place and are being delivered; provide an assessment of the risk to achieving the objectives based on the strength of controls and assurances in place.

Risk Scoring /rating - A process by which risks are graded/ scored based on the impact of their occurrence and the likelihood of their occurrence

Risk Tolerance – The maximum level of risk the organisation is prepared to take in line with the type of risk and the potential level of harm, recognising the Trust has a low appetite for risks that could affect patient safety

Risk Appetite - The levels and types of risk the Organisation wants to take in pursuance of its objectives. This informs all planning and objective setting, as well as underpinning the threshold used when determining the tolerability of individual risks

Risk Controls – Processes or activities already in place to effectively manage the risk to achieve the desired outcome

Gaps in Controls – processes or activities not yet in place in order to effectively manage the risk

Risk Assurance– evidence that supports the measurement of controls in place, to ensure they are operating effectively and the desired outcome is being achieved

Inadequate Assurance- Where assurance or evidence is limited and cannot provide full assurance that controls are effectively managing the risk. Gaps should be identified and listed with actions to close.

Gaps in Assurance – lack of measures or evidence to support the measurement of controls

Internal Assurance - Assurances provided by reviewers, auditors and inspectors who are part of the organisation, such as Clinical Audit or management peer review

External Assurance / Independent Assurance –Assurances provided by reviewers, auditors and inspectors from outside the organisation such as External Audit, NHSLA, CQC, Commissioners

Positive and Negative Assurances- Adequate / Positive assurance indicates how controls are operating to mitigate the risk to the achievement of desired outcome.

20


Inadequate / Negative assurance is the reverse, where evidence shows that controls are not operating effectively to mitigate the risk to the achievement of the desired outcome

Residual Risks - are those which remain after considering the controls in place to reduce the risk and the implementation of any additional controls that may have been identified as necessary. Acceptance of residual risk will be made by joint consultation between department leads and the Director with responsibility for the area.

21


Appendix 2 – Risk scoring guidance The Trust uses a standard 5x5 risk scoring matrix for assessing the impact and likelihood of the risk (see table below).

5

Catastrophic

5 10

15 20 25

4

Major

4 8 12

MONTHLY MONITORING BY

EXECUTIVE TEAM

16 20

3

Moderate

3 6 9 12


EXECUTIVE TEAM

15

2

Low

2 4 6 8 10

1

Negligible

1 2 3 4 5

1

Extremely Unlikely

2

Unlikely

3

Possible

4

Likely

5

Almost Certain

Impact Guidance:

Domain 1 2 3 4 5

Negligible Minor Moderate Major Catastrophic

Impact on the

safety of the

patient, staff or

public (physical/

psychological

harm)

Minimal injury

requiring

no/minimal

intervention

or treatment

No time off work

Minor injury or

illness,

requiring minor

intervention

Increase in length of

hospital stay by 1–3

days

Moderate injury requiring

professional intervention


hospital stay by 4–15 days

RIDDOR/agency

reportable incident

An event which impacts

on a small number of

patients

Incident resulting serious

injury or permanent

disability/incapacity.


hospital stay by >15 days

Mismanagement of

patient care with long-

term effects

Incident resulting in

fatality or multiple

fatalities

An event which

impacts on a large

number of patients

Quality/

Complaints/audit

Peripheral

element of

treatment or

service

suboptimal

Informal

complaint/inquiry

Overall treatment or

service suboptimal

Formal complaint

(stage 1)

Local resolution

Single failure to

meet

internal standards

Minor implications

for

Treatment or service has

significantly reduced

effectiveness

Formal complaint (stage

2)

Local resolution (with

potential to go to

independent review)

Repeated failure to meet

internal standards

Non-compliance with

national standards with

significant risk

to patients if unresolved

Multiple complaints/

independent review

Low performance rating

Critical report

Totally unacceptable

level or quality of

treatment/service

Gross failure of

patient

safety if findings not

acted on

Inquest/ombudsman

inquiry

Gross failure to meet

national standards


EXECUTIVE TEAM RED RISKS: MONTHLY MONITORING BY EXECUTIVE TEAM

22


Domain 1 2 3 4 5


patient safety if

unresolved

Reduced

performance rating

if unresolved

Major patient safety

implications

Human

resources/

organisational

development/

staffing/

competence

Short-term low

staffing level that

temporarily

reduces service

quality (< 1 day)

Low staffing level

that

reduces the service

quality

Late delivery of key

objective/

service due to lack of staff

Unsafe staffing level or

competence (>1 day)

Low staff morale

Poor staff attendance for

mandatory/key training

Uncertain delivery of key

objective/service due to

lack of staff

Unsafe staffing level or

competence (>5 days)

Loss of key staff

Very low staff morale

No staff attending

mandatory/ key training

Non-delivery of key

objective/service due

to

lack of staff

Ongoing unsafe

staffing

levels or competence

Loss of several key

staff

No staff attending

mandatory training

/key

training on an

ongoing basis

Statutory duty/

inspections

No or minimal

impact

or breech of

guidance/

statutory duty

Breech of statutory

legislation

Reduced

performance

rating if unresolved

Single breech in statutory

duty

Challenging external

recommendations/

improvement notice

Enforcement action

Multiple breeches in

statutory duty

Improvement notices

Low performance rating

Critical report

Multiple breeches in

statutory duty /

Prosecution

Complete systems

change required

Zero performance

rating

Severely critical report

Adverse

publicity/

reputation

Rumours

Potential for

public concern

Local media

coverage– short-

term reduction

inpublic confidence

Elements of

publicexpectation

not being met

Local media coverage–

long-term reduction

inpublic confidence

National media

coveragewith <3 days

service wellbelow

reasonable

publicexpectation

National media

coveragewith >3 days

servicewell below

reasonablepublic

expectation.

MP concerned

(questions inthe

House)

Total loss of public

confidence

Business

objectives/

projects

Insignificant cost

increase/

schedule slippage

<5 per cent over

project budget

Schedule slippage

5–10 per cent over

project

budget Schedule slippage

10–25 per cent

over project budget

Schedule slippage

Key objectives not met

>25 per cent over

project budget

Schedule slippage

Key objectives not

met

Finance including

claims

Negligible loss

Loss of less than

£10,000

Loss of between £10,000

and £100,000

Failure to meet CIPs or

CQUINs targets of

between £10,000 and

Loss of between

£100,000 and £1 million

Purchasers fail to pay

promptly

Loss of major contract

/ payment by results

Loss of more than £1

million

23


Domain 1 2 3 4 5


£50,000


CQUINs targets of

between £50,000 and

£0.5 million


CQUINs targets of

more than £0.5

million

Service/business

interruption

Environmental

impact

Loss/interruption

of >1 hour

Minimal or no

impact on the

environment

Loss/interruption of

>8

hours

Minor impact on

environment

Loss/interruption of >1

day

Moderate impact on

environment

Loss/interruption of >1

week

Major impact on

environment

Permanent loss of

service or facility

Catastrophic impact

on

environment

Information Governance

Minor breach of confidentiality. Single individual affected

Breach with potential for theft, loss or communicating/sharing inappropriate information with between 20 – 50 people affected Theft, loss or clinical information of up to 20 people affected (unencrypted media)

Breach with potential for theft, loss or communicating/sharing inappropriate information with over 50 – 100 people affected Loss or misuse of very sensitive / confidential information relating to 2-5 persons

Serious breach with potential for theft, loss or communicating/sharing completely inappropriate information with over 100 - 500 people affected Loss or misuse of very sensitive / confidential information relating to 5-20 persons Damage to an organisation’s reputation/ Local media coverage due to IG breach

Major breach with potential for theft, loss or communicating/sharing completely inappropriate information with over 500 people affected Loss or misuse of extremely sensitive / confidential information relating to over 20 people (e.g. sexual health information, along with names and addresses) Damage to NHS reputation/ National media coverage due to IG breach

Likelihood Guidance

Risk Likelihood Guidance

Likelihood score Descriptor Frequency

Probability Chance of occurrence

1 Rare This will probably never happen/recur

Not expected to occur for years

< 20%

2 Unlikely Do not expect it to happen/recur but it is possible it may do so

Expected to occur at least annually

20%-40%

3 Possible Might happen or recur occasionally

Expected to occur at least monthly

40%-60%

4 Likely Will probably happen/recur, but it is not a persisting issue/circumstances

Expected to occur at least weekly

60%-80%

5 Almost certain Will undoubtedly happen/recur, possibly frequently

Expected to occur at least daily

> 80%

24


APPENDIX 3: Organisational Committee Structure

*In addition, special purpose Committees of finite life may be established, as directed by the Board

Trust Executive Risk and Assurance Group

25


Appendix 4

Training Needs Analysis – August 2015

Training Programme

Frequency Course Length Delivery Method Facilitators Recording Attendance Strategic & Operational

Responsibility

Governance and Risk Management

Once only Face to Face – 1 hour e-Learning Face to Face

Governance Team

LEaD

Strategic – Medical Director (Quality) Operational – Risk Manager

Directorate Service Target Audience

MH/LD/SS

Adult Mental Health

All Staff

Specialised Services

All Staff

Learning Disabilities

All Staff

ISD’s

BU1

All Staff

BU2

All Staff

BU3

All Staff

BU4

Corporate

All

All Staff

26


APPENDIX 5 - Southern Health NHS Foundation Trust

Equality Impact Assessment / Equality Analysis Screening Tool

Equality Impact Assessment (or ‘Equality Analysis’) is a process of systematically analysing a new or existing policy/practice or service to identify what impact or likely impact it will have on different groups within the community

For guidance and support in completing this form please contact a member of the Equality and Diversity team on 01256 376358.

Name of policy/service/project/plan: Risk Management Strategy and Policy

Policy Number: SH NCP 25

Department: Quality and Governance

Lead officer for assessment: Head of Risk and Business Continuity

Date Assessment Carried Out: August 2012

1. Identify the aims of the policy and how it is implemented.

Key questions Answers / Notes

Briefly describe purpose of the policy including

How the policy is delivered and by whom

Intended outcomes

The Risk Management Strategy and Policy has been developed to set out the arrangements for the assessment and management of risk across the Trust. This Strategy contributes to the effective management of risk across the organisation. As such it therefore applies to all members of staff who have a role within it.

The Strategy and Policy is publically available on the Trust Web site and Staff Intra Net

All Staff are made aware of the policy and it’s content during mandatory staff Induction Training.

Provide brief details of the scope of the policy being reviewed, for example:

Is it a new service/policy or review of an existing one?

Is it a national requirement?

This is an update and redraft of previous policy and strategy, amalgamating them into one Strategy and Policy document.

It is a requirement of the NHSLA to have a valid Risk Management Policy.

27


2. Consideration of available data, research and information

Monitoring data and other information involves using equality information, and the results of engagement with protected groups and others, to understand the actual effect or the potential effect of your functions, policies or decisions. It can help you to identify practical steps to tackle any negative effects or discrimination, to advance equality and to foster good relations.

Please consider the availability of the following as potential sources:

Demographic data and other statistics, including census findings

Recent research findings (local and national)

Results from consultation or engagement you have undertaken

Service user monitoring data

Information from relevant groups or agencies, for example trade unions and voluntary/community organisations

Analysis of records of enquiries about your service, or complaints or compliments about them

Recommendations of external inspections or audit reports

Key questions Data, research and information that you can refer to

2.1 What is the equalities profile of the team delivering the service/policy?

All staff members, contractors, visitors and volunteers should comply with this Strategy and Policy.

The Equality and Diversity team report on workforce equality monitoring data and is available if required.

2.2 What equalities training have staff received?

The Trust provides equality and diversity training to all staff that includes: Induction, E-Learning and Respect and Values Training.

2.3 What is the equalities profile of service users?

The Equality and Diversity team report on patient/service user equality monitoring data which is available if required.

2.4 What other data do you have in terms of service users or staff? (e.g results of customer satisfaction surveys, consultation findings). Are there any gaps?

The Quality and Safety Committee is a Sub-Committee of the Trust Board, and therefore has a responsibility to receive and scrutinise assurance, and provide onward assurance to the assurance and Audit Committees and Trust Board. It monitors risk management processes to ensure that these are working correctly.

Delegated responsibility for specific areas of risk management is held by the following groups:

Local Divisional / Directorate / Business and Governance Groups

Health and Safety Committee

Trust Resilience Group

2.5 What engagement or consultation has been undertaken as part of this EIA and with whom?

What were the results?

This Section requires completion following completion of the Strategy and Policy consultation. The EIA will be sent out as part of the policy consultation process.

28


2.6 If you are planning to undertake any consultation in the future regarding this service or policy, how will you include equalities considerations within this?

The Trust has embraced the Equality Delivery System and will drive forward a strong engagement plan to involve and communicate with staff and patients so that they can share their skills and expertise on key issues on affecting service delivery

29


Positive impact (including examples of what the policy/service has done to promote equality)

Negative Impact Action Plan to address negative impact

Yes – this strategy and policy includes a section on ensuring that there is no discrimination when risk assessment management processes are undertaken

Actions to overcome problem/ barrier

Resources required

Responsibility Target date

Age

Appropriate action is taken to ensure that the work environment is conducive to the needs of all our staff and service users.

No negative impacts have been identified at this stage of screening

Disability

The Trust will support staff with a disability and provide reasonable adjustments

Personal Emergency Evacuation Plans (PEEP’S) are available to ensure the safety to staff and patients

The Trust has conducted Disability Access Audits on its services

The Trust will provide appropriate interpreting and translation services to respond to requests for information in alternative formats

There is a potential negative impact in making assumptions about the health and safety implications of a person’s disability as it might not make a difference to workplace risks. If you do a risk assessment with no good reason you might discriminate illegally

People hiding a disability that might have health and safety implications

The equality and diversity team will provide support and guidance to the Trust

Equality and Diversity Team

Estates Department

Gender Reassignment

The ethical framework used by the Trust will ensure each patient’s privacy and confidentiality are preserved


30


Marriage and Civil Partnership

No negative impacts identified at this stage of screening

Pregnancy and Maternity

The Trust will ensure risk assessments are undertaken for all new and expectant mothers to ensure preventative measures are undertaken where significant risks are identified.


Race

The Trust responds positively to requests of information in alternative formats. The Equality and diversity Lead can be contacted for information on Interpreting and Translation services


Religion or Belief


Sex No negative impacts identified at this stage of screening

Sexual Orientation

The ethical framework used by the Trust will ensure each patient’s privacy and confidentiality are preserved
