risk management policy and procedure - bdct€¦ · page 1 of 34 risk management policy and...

of 34

Risk Management Policy and Procedure

The 5 key messages the reader should note about this document are:

1. Risk is integral to everything we do 2. All staff have a responsibility to raise and share identified

risks with their risk guardian for consideration for input to their appropriate risk register

3. Managers have a responsibility to review and manage risks related to their service

4. Identified and implemented actions are essential contributions to a safer and more resilient environment for all

5. Risk that cannot be managed within the capability and resource of the service must be escalated accordingly

You & Your Care www.bdct.nhs.uk

http://www.bdct.nhs.uk/

of 34

This document has been approved and ratified. Circumstances may arise where staff become aware that changes in national policy or statutory or other guidance (e.g. National Institute for Health and Care Excellence (NICE) guidance and Employment Law) may affect the contents of this document. It is the duty of the staff member concerned to ensure that the document author is made aware of such changes so that the matter can be dealt with through the document review process.

NOTE: All approved and ratified policies and procedures remain extant until notification of an amended policy or procedure via Trust-wide notification, e.g. through the weekly e-Update publication or global e-mail and posting on the Intranet (Connect).

Document details: Risk Management Policy and Procedure

Version: 8-03 Final

Persons / committees consulted: Quality and Safety Committee/ Deputy Directors/ Involvement & Equality/ Heads of Service/ Senior Managers/ Specialist (Risk Officers)

Approved by: Directors’ Meeting

Date approved: 18/08/2015

Ratified by: Quality & Safety Committee

Date ratified: 18/09/2015

Title of originator / author: Lynn Pearl, Risk and Resilience Manager

Title of responsible committee / group (or Trust Board):

Quality and Safety Committee

Title of responsible Director: Andy McElligott, Medical Director

Date issued: 27/10/2015

Review date: 18/09/2018

Frequency of review: 3 yearly

Target audience: All staff

Responsible for dissemination: Risk and Resilience Manager Darren Shipman, Governance and Clinical Audit Manager (responsible for uploading to the Intranet/Connect).

Copies available from: Connect on BDCFT Intranet

of 34

Where is previous copy archived (if applicable)

Connect on BDCFT Intranet

Amendment Summary: This policy and procedure has been streamlined and updated to reflect current working practices.

Amendment detail:

Amendment number

Page Subject

1 15 onwards

Risk management process streamlined from five stages to four

2 19 Updated to reflect current practice regarding the escalation of risks

3 16 Updated to include a 9th risk group

of 34

Contents 1 INTRODUCTION .......................................................................................................... 6

2 PURPOSE .................................................................................................................... 6

3 SCOPE ......................................................................................................................... 6

3.1 Principles ................................................................................................................ 7

3.2 Objectives ............................................................................................................... 7

4 DEFINITIONS ............................................................................................................... 8

4.1 Risk ......................................................................................................................... 8

4.2 Risk Management ................................................................................................... 8

5 ACCOUNTABILITY, ROLES AND RESPONSIBILITIES .............................................. 8

5.1 Trust Board ............................................................................................................. 9

5.2 Committees........................................................................................................... 10

5.3 Localities ............................................................................................................... 10

5.4 Risk Management Department ............................................................................. 11

6 BOARD ASSURANCE FRAMEWORK ....................................................................... 11

7 RISK MANAGEMENT PROCEDURE ......................................................................... 12

8 TRAINING .................................................................................................................. 12

9 EQUALITY IMPACT ASSESSMENT .......................................................................... 12

10 MONITORING COMPLIANCE AND EFFECTIVENESS OF THE PROCEDURAL DOCUMENT ............................................................................................................... 13

11 REFERENCES ........................................................................................................... 15

12 ASSOCIATED DOCUMENTATION ............................................................................ 15

13 APPENDIX 1 – RISK MANAGEMENT FRAMEWORK ............................................... 17

14 APPENDIX 2: EQUALITY IMPACT ASSESSMENT ................................................... 18

15 APPENDIX 3 – RISK MANAGEMENT PROCEDURE ................................................ 20

16 RISK PROCESS ......................................................................................................... 22

16.1 Step 1 – Identification ........................................................................................ 22

16.2 Step 2 – Assessment ......................................................................................... 22

16.3 Step 3 – Management ....................................................................................... 23

16.4 Step 4 – Monitoring & review ............................................................................. 24

of 34

17 ATTACHMENT 1 – EXAMPLES OF AREAS OF CONSIDERATION THAT MAY HIGHLIGHT RISK ....................................................................................................... 25

18 ATTACHMENT 2 – TRUST RISK ASSESSMENT MATRIX (TRAM) .......................... 27

18.1 TABLE 1 – Guidance for the rating of risks ....................................................... 28

18.2 Table 2 – Likelihood / Probability rating ............................................................. 33

18.3 Table 3 – Risk rating .......................................................................................... 33

19 ATTACHMENT 3 – RISK ASSESSMENT TEMPLATE ............................................... 34

of 34

1 INTRODUCTION The Trust has a statutory responsibility to service users, the public and commissioners to ensure that it has effective processes, policies and resources in place to ensure effective control of any identified risks.

The Trust embraces the management of all types of risk at all levels of the organisation, recognising and acknowledging the importance of effective risk management which contributes to and supports the successful delivery of the Trust’s strategic aims.

The Trust Board is committed to being able to assure itself that it effectively discharges its responsibilities for the safety of the Trust by ensuring the best practice arrangements are in place for risk management.

The Trust Board is also committed to the continued development of qualitative risk management and safety; this contributes to the delivery of the highest quality care.

Systematic identification, analysis and control of risk is afforded a high priority within the Trust. It is recognised that risk management is an integral part of good management and therefore an essential element of the organisation’s culture.

Risk management is a cornerstone of safety and the Trust embraces an open and learning culture which encourages all staff to report risks, incidents and near misses thereby facilitating individuals and the organisation to learn from such reports.

The risk management process has been designed to manage, and where appropriate, mitigate and reduce risk in order to provide safer services. This document sets out the risk management policy and procedures by which staff will manage and mitigate risk.

The risk management policy is the overarching document for risk management in the Trust and as such should be read in conjunction with the risk management strategy and procedure as well as associated Trust policies and procedures. The development of the risk management policy has taken into consideration external requirements and assessments, for example, Monitor’s Risk Assessment Framework.

This Policy and Procedure should not be confused with the Clinical Risk Assessment and Management in Mental Health Policy and Procedures. This can be found on Connect.

2 PURPOSE The aim and purpose of the policy is to create a sound, healthy balance between innovation, opportunity and risk and to provide a structured and systematic approach to risk management that is effective across the organisation. It aims to foster a culture that is resilient, involves staff, service users and partners and improves capacity to manage risk at all levels of the organisation.

3 SCOPE This policy sets out the arrangements for effective risk management which is both fundamental and integral to good management. This policy is implemented through the risk management framework at appendix 1

of 34

3.1 Principles

Risk management is managed and facilitated through the Trust’s quality and safety governance arrangements and should be embedded into daily practice to build a resilient safety culture.

Risk management should be implicit in every activity undertaken by Trust employees, from conceptual business planning to the delivery of all operational services.

The following principles guide and underpin the development of the risk management strategy, policy and procedures.

• Risk identification, analysis, evaluation and management:

- is everyone’s responsibility;

- will be properly recognised and dealt with across the Trust;

- will be delivered through the Trust’s normal business processes

- will support the achievement of the Trust’s strategic objectives

• There will be clarity of responsibility, accountability and communication • There will be a demonstrable continual improvement - proactive learning from

ourselves, partners and stakeholders. • The Trust will work in partnership with other agencies to secure and enhance its

analysis, assessment and management of risk • The Trust will use the frameworks and guidance provided through national

standards and guidance requirements to assist in the further development of a systematic, holistic approach to risk management

Delivery of the risk management policy will be achieved through:

• dedicated time and top-level commitment and leadership; • accountability, scrutiny and challenge; • effective team, group and committee structures; • effective employee engagement; • risk judgements dependant on sound information; • systematic identification, assessment and control of risks; • application, management and monitoring of the risk management process; • wider understanding of cross-departmental risks and joint working to manage them; • Investigation of incidents and implementation of remedial actions; • effective learning and action; • the application of care planning and individual risk assessment; • effective reporting arrangements; • compliance with external standards and requirements

3.2 Objectives To lead and support a proactive approach towards a safe culture through facilitation and embedding of the: - risk management strategy, policy procedure

of 34

- incident management policy - other related policies and procedures

To actively benchmark data such as Safety Thermometer and National Reporting and Learning Service (NRLS) to support learning and improvement

To manage the risk management safeguard system to deliver organisational, commissioner and partner requirements

To comply with national standards on risk management

To explore and scope implementation of proposed new developments

4 DEFINITIONS 4.1 Risk There are several well-known definitions of risk including:

• The chance of something happening that will have an impact on individuals and/or organisations

• Consequence and likelihood of something going wrong

• Possibility of incurring misfortune or loss

• Likelihood of adverse consequences arising from an event

• The chance of something happening that will have an impact upon objectives

Risk is measured in terms of cause/effect/consequence/impact and likelihood/probability.

4.2 Risk Management The design and implementation of relevant strategies, policies, procedures, systems and processes to limit the likelihood of a risk occurring and/or to limit its impact should it occur. Identifying, assessing analysing, understanding and acting on risk issues in order to reach an optimal balance of risk, benefit and cost.

5 ACCOUNTABILITY, ROLES AND RESPONSIBILITIES This policy applies to all employees of the Trust and requires management and leadership from all team leaders, managers and Directors to ensure that effective risk management is fundamental to the Trust’s approach to quality, governance and assurance. Staff will be expected to comply with the systems and associated policies and procedures and ensure all efforts are made to mitigate, eliminate, or minimise risks.

Effective employee engagement is vital to the Trust’s success and aspiration to be one of the safest and effective NHS organisations in the country

This section provides a brief synopsis of the roles and responsibilities of key individuals and committees.

of 34

5.1 Trust Board The Trust Board has overall accountability for the risk management strategy, policy, procedures and risk activity of the organisation. The Board is responsible, on behalf of the Secretary of State for Health and in the public interest for the effectiveness of internal controls.

The Board assesses emergent risks and considers external factors and influences. This will be facilitated through quarterly management report on corporate / significant risks and their associated actions. The report is presented alongside the Board Assurance Framework (BAF) (see section 6), ensuring internally and externally driven risks are robustly identified and embedded in the corporate risk register (CRR) and BAF.

The Chief Executive has overall accountability for the organisational approach to risk management. The Chief Executive will sign the Annual Governance Statement on behalf of the Board, after reviewing the effectiveness of the system of internal control.

The Medical Director is responsible to the Board and Chief Executive in relation to risk management and has overall responsibility for the corporate risk register.

The Commercial Director has lead responsibility for the Board Assurance Framework and takes lead responsibility for commercial risks across the organisation.

Executive Directors are accountable for ensuring the risk management policy and procedure is consistently applied within their respective area of responsibility.

Executive and Non-executive Directors have a collective responsibility to provide leadership on the management of risk; to mitigate, reduce, eliminate and exploit risk in order to create safer services and resilience, to protect the reputation of the Trust and to ensure an open and honest culture is developed where mistakes, errors lapses and incidents are identified quickly and dealt with in a positive and constructive wayNon-Executive Directors provide an independent judgement in relation to the working of the Trusts risk management programme.

The Executive Management Team (EMT) reviews the CRR and significant risks on a quarterly basis. They approve additions to the CRR, including new risks and escalated risks, they also approve de-escalation or closure of existing risks on the CRR. Their key duties include ensuring that robust risk management processes are implemented across all services; reviewing monitoring, evaluating and scrutinising risks placed on the BDCFT CRR; and informing the relevant committee or Board of any key issues and / or unresolved risks that may pose a significant threat to the operations, resources or reputation of BDCFT

The Directors’ Group is responsible for assuring the EMT that risk management processes are being actively being addressed within services. Quarterly quality risk reports, which inform them of current compliance with risk register requirements, support debate in relation to the effective use of risk registers and the meeting may request further assurances where required in relation to any issues raised.

of 34

5.2 Committees All Committees of the Board have responsibilities for risk management; these responsibilities vary, dependant on the role and function of each Committee.

All Committees routinely undertake the following;

• Reviewing the allocated aspects of the corporate risk register to ensure those risks are being managed appropriately

• Overview and scrutiny and quantification of risks in relation to their area of speciality

The Audit Committee provides overview and scrutiny of risk management, its primary role is to conclude upon the adequacy and effective operation of the organisations internal control system.

The Quality and Safety Committee is the responsible committee for monitoring achievement on the risk management policy and procedure on behalf of the Board.

A number of Quality and Safety forums run throughout the year (usually 4 as a minimum) the key aim of each event is to share and learn from best practice leading to improvement in the delivery of care. Where appropriate risk issues will be included to support trust wide learning and sharing on key areas of risk.

5.3 Localities Each ‘operational’ locality has a Quality and Safety Group (QSG) in place which is responsible for obtaining evidence of assurance on the adequacy of the Quality and Safety & Risk processes within each locality. Each QSG reports routinely to the Quality and Safety Committee providing assurance against Governance & Risk standards as determined by the Trust and will also promote a risk awareness culture across the locality

Deputy Directors have specific responsibilities to review locality risks and ensure the high quality of risk registers. They will provide assurance to the Directors’ Group and escalate any rising issues, themes or trends. They will ensure that risk management processes are implemented and functional within their respective services.

Heads of Services are responsible for the effective application of all risk management procedural documents, maintaining their service risk registers, implementing action plans and ensuring systems are in place to identify, analyse, evaluate, treat and reduce risks. They will ensure risk registers are used as a live dynamic process across all their services/wards and departments and will review risks to the achievement of objectives and delivery of services.

Senior Managers/Ward Managers have a responsibility to develop and apply risk management processes in line with the overall strategy for the Trust. The risk registers will feature as a regular agenda item in appropriate meetings, risk registers will be reviewed routinely, with risks being escalated as required.

Risk guardians are responsible for the logging of risks and the maintenance of their relevant risk register. They will ensure the risk register is reviewed and updated by an appropriate group.

All staff across the Trust have a responsibility to:

of 34

• ensure they make themselves aware of and comply with the risk management strategy, policies and procedures

• participate in all relevant mandatory/required training as defined in the training prospectus

• report all identified hazards and incidents • undertake reasonable actions as required to reduce or eliminate risks associated

with identified hazards or incidents • implement any learning identified through assessment of risks, incidents,

complaints and claims • if unable to make progress through the usual procedures, to report concerns

through the Whistleblowing or Hearing the Concerns of Workers policies.

5.4 Risk Management Department The Risk Management Department is responsible for:

• The facilitation of the corporate risk register and related reports • Leading and advising the Trust in risk management • Developing the risk management strategy, policies and procedures • The provision of expert advice to directors, senior managers and staff on risk

management • Ensuring the continued development and progress of risk management • Ensuring that there is an effective quality control process for risk registers • The incident reporting and management system • The development and provision of appropriate training that will encourage staff to

take responsibility for risk management within their area and minimise risk where possible

• Liaising with relevant agencies or enforcing authorities • Attending management groups as appropriate, internal and external of the Trust • Compliance with national standards as appropriate • Ensuring that PDF versions of all risk registers are saved on a monthly basis for

business continuity purposes

The risk management department will support services in the application of all risk management processes and the implementation of the Risk Management Strategy, Policy and Procedures.

6 BOARD ASSURANCE FRAMEWORK The Board Assurance Framework (BAF) identifies potential risks in relation to the Trust’s strategic objectives. The Board reviews the whole BAF every quarter. In addition, every two months, the Board considers one strategic risk in more depth, in the private Board meeting. The Audit Committee considers the BAF prior to the quarterly submission to Board, to inform Board discussion.

To improve the relationship between the BAF and Corporate Risk Register (CRR) the Board have agreed;

• to build a stronger link between the BAF and the CRR by ensuring these items are consecutive when on Board agendas;

• to use the outcome of the BAF and CRR to influence future Board agendas, linked directly to the Board business cycle agenda item;

of 34

• to identify any gaps in controls and factor these into the Board and Committee work programmes;

• to align the BAF with the self-certification process for foundation trusts; and • to amend the timetabling of the BAF and CRR to align with quarterly monitoring reports

for Monitor.

7 RISK MANAGEMENT PROCEDURE This policy is underpinned by the risk management procedure which highlights the four key stages in the risk management process i.e. identification, assessment, management and monitoring & review. The procedure is available at appendix 2.

8 TRAINING Risk management training will be delivered in many formats and bespoke. The formats the training is delivered in are:

- Corporate induction for all new staff - 5 yearly refresher for all staff

- Safety and risk workshops - Refresher training for risk guardians every 2 years

- Refresher training for incident managers every 2 years - Bespoke team sessions as requested

9 EQUALITY IMPACT ASSESSMENT The Trust has no intent to discriminate and endeavours to develop and implement policies that meet the diverse needs of our workforce and the people we serve, ensuring that none are placed at a disadvantage over others. Our philosophy and commitment to care goes above and beyond our legal duty to enable us to provide high-quality services. Our Equality Analysis and equality monitoring is a core service improvement tool which enables the organisation to address the needs of disadvantaged groups. The aim of Equality analysis is to remove or minimise disadvantages suffered by people because of their protected characteristics.

of 34

10 MONITORING COMPLIANCE AND EFFECTIVENESS OF THE PROCEDURAL DOCUMENT

Criteria Evidence identified to

indicate compliance with

policy

Method of monitoring,

i.e. how/where will this be gathered?

Frequency of

monitoring

Lead responsible

for monitoring

The Organisation’s risk management structure, detailing committees and groups which have some responsibility for risk

Risk management framework; Minutes of Trust Board, EMT, SGC, Audit Committee, Directorates Governance Groups

WYAC Risk Management Audit Report; Risk Management reports to QSC

Annual Risk and Resilience Manager

How the Board or high level risk committee(s) review the organisation-wide risk register and BAF

Corporate Risk Register; BAF; Minutes of Trust Board, EMT, SGC, Audit Committee, FBI

WYAC Risk Management Audit Report; Risk management reports to QSC

Annual Risk and Resilience Manager

How risk is managed locally reflecting the organisation wide risk management strategy via the risk registers including: source/description/score/ action/review date/residual grading

Risk Activity Reports; Directorate risk registers; Service risk registers; department and local risk registers; Directorate/Services Governance Group minutes

WYAC Risk Management Audit Report; Risk register module – Safeguard;

Annual WYAC; Risk and Resilience Manager; Deputy Directors

Risk Management awareness training for Board members and Senior Managers

Board Development day agenda; Content of training

Attendance records

Every 5 years

Company Secretary

of 34

Criteria Evidence identified to

indicate compliance with

policy

Method of monitoring,

i.e. how/where will this be gathered?

Frequency of

monitoring

Lead responsible

for monitoring

Duties of key individuals for risk management activities

Job descriptions Risk Management reports to QSC. Other reports to sub committees

Annual WYAC; Risk and Resilience Manager.

Authority of all managers with regard to managing risk

Archived risk registers; Evidence of escalation of risks

Risk Management reports to QSC;

Annual WYAC; Risk and Resilience Manager; Deputy Director of Quality and Governance

How all risks are assessed

Risk registers Risk Management reports to QSC;


How risk assessments are conducted consistently

Risk registers; TRAM, risk activity reports

Risk Management reports to QSC;


of 34

11 REFERENCES • NPSA August 2004 Seven Steps to Patient Safety

• NPSA March 2007 Healthcare Risk Assessment Made Easy

• Turnbull Report (1999) Internal Control – guidance for directors on the combined code. Institute of chartered accountants in England and Wales

• The Mid Staffordshire NHS Foundation Trust Public Inquiry 2013

• Berwick review into Patient Safety 2013

12 ASSOCIATED DOCUMENTATION In respect of this policy, specific related Procedural Documents / Trust documents are:

• Risk Escalation and Reporting Process

• Board Assurance Framework

• Corporate Risk Register

• Integrated Business Plan

• Statement of Internal Control

• Quality Strategy

• Policy for Incident Reporting and Management

• Serious Incidents Policy

• Health and Safety Policy

• Resilience Policy

• Resilience Communication Plan

• Development and Management of Procedural Documents Policy

• Trust Training Prospectus

• Equality and Diversity Strategy and NHS Equality Delivery System

• Information Governance Policy

• Analysing, Learning From and Responding to, Inspections, Guidance and Internal/External Reports Policy

• Standing Financial Instructions

• Investigation of Incidents, Complaints and Claims Policy

• Being Open Policy

For more information on this policy, please contact:

of 34

Risk Management Department

Medical Directorate

Bradford District Care Foundation Trust

New Mill

BD18 3LD

Tel: 01274 228297

Email: [email protected]

mailto:[email protected]

of 34

13 APPENDIX 1 – RISK MANAGEMENT FRAMEWORK

of 34

14 APPENDIX 2: EQUALITY IMPACT ASSESSMENT Area Response

Policy Risk Management Policy and Procedure Manager Risk and Resilience Manager Directorate Medical Date August 2015 Review date August 2018 Purpose of Policy The Trust is required to have internal controls and processes

to manage risk. This strategy and policy provides a framework to manage risk

Associated frameworks e.g. national targets NSF’s

Who does it affect All staff Consultation process carried out Quality and Safety Committee

Specialist (Risk) Officers, Deputy Directors, Directors, Head of Service, Clinical Managers

QA Approved by Directors’ meeting

Equality protected

characteristic Impact

Positive Impact

Negative Rationale for response

Age √ The policy has been developed to meet the physical health and mental wellbeing of all generations.

Disability √ The policy has been developed to meet the physical health and mental wellbeing of all people regardless of their physical or mental impairment / disability. Policies and systems are in place to ensure reasonable adjustments are being met to meet the needs of all disabled people regardless of their gender.

Gender Reassignment

√ The policy has been developed to meet the physical health and mental wellbeing of both women and men regardless of transition from FtM or MtF transition.

Race √ The policy has been developed to meet the physical health and mental wellbeing of both women and men regardless of their race, nationality or ethnicity.

Religion or Belief

√ The policy has no intent to discriminate it has been developed to meet the physical health and mental wellbeing of all people. Due consideration must be given to meeting the spiritual, religious and philosophical beliefs of individuals

Pregnancy & Maternity

√ The Equality Impact Assessment screening has found no evidence to suggest this policy would have an adverse impact on pregnancy & maternity

of 34

Equality protected characteristic

Impact Positive

Impact Negative

Rationale for response

Sex √ The policy has been developed to meet the physical health and mental wellbeing needs of both women and men.

Sexual Orientation

√ The policy has been developed to meet the physical health and mental wellbeing needs of both men and women regardless of their sexual orientation.

Equality Analysis SIGN - OFF Have any adverse impacts been identified on any equality groups which are both highly significant and illegal?

No

Are you satisfied that the conclusions of the EqIA Screening are accurate? The Trust will publish a summary of the impact analysis carried out to meet the duty and make this available to the public on the Trust Internet site.

Yes

Completed by Manager Risk and Resilience Manager

Q A approved Directors’ Meeting Director approved Medical Director

of 34

15 APPENDIX 3 – RISK MANAGEMENT PROCEDURE 1. Risk Registers

NHS organisations are required to produce a comprehensive organisation-wide risk register that is capable of recording all types of risk. The safeguard risk module hosts the Bradford District Care Foundation Trust risk registers.

The Trust recognises that identified risks should be managed at the appropriate level and decisions on whether to act or otherwise are taken within an appropriate timescale. Therefore a structure of risk registers is managed and monitored by guardians at all levels. The risk registers are living dynamic documents which support and inform decision making.

There are currently five levels of risk register used within the Trust; local, service manager, locality/operational, directorate and corporate risk register.

2. Risk Assessment A risk can be described as; the chance of something happening that will have an impact on objectives. The types of risk faced by the Trust, fall into nine risk groups: • Impact on the safety of staff or public (Physical/Psychological harm) • Impact on the safety of service users (Physical/Psychological harm) • Quality • Service/Business Interruption/Environmental impact • Adverse Publicity/reputation • Human Resources/Organisational development/staffing/competence • Finance/Resource • Statutory Duty/Compliance • Information, Management and Technology (IM&T)

Risks can be identified on a daily basis throughout the Trust by any employee. Within the Trust, sources of risk fall into the following 14 categories:

• National Inquiry Assessment/CQC/HSE • CAS alert • Service User Experience • Objectives • Performance outcomes • Complaint • Incident • Audit • Claim • Service review • Interdependent i.e. partner/stakeholders • Benchmarking • Environmental/Political/Social issues • Transforming care programme

of 34

Risks will vary significantly in the scope, content, likelihood and impact and hence the measures for addressing them will also vary. Having identified a risk, a thorough risk assessment should be carried out following the guidance for ongoing risk assessment, described in section 3. Risks that cannot be resolved by remedial action should be raised through the line managers, as appropriate.

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. The process assists the Trust to manage, reduce or eradicate identified risks in order to protect the safety of patients, staff, visitors and the organisation as a whole. The identification of risk takes many forms and involves both a pro-active approach and one which reviews issues retrospectively. When the risks have been identified, each one will be analysed in order to assess the likelihood of it recurring, how often it is likely to occur and what the likely impact would be. When evaluating risks; consideration of the controls in place for that risk and more importantly the adequacy and effectiveness of those controls will form part of the assessment.

The assessment process provides an opportunity to scrutinise each area honestly, and make plans to work towards rectifying or minimising the risks that have been identified. These assessments form the local, service manager, locality/operational, directorate and corporate risk registers.

It is important to realise that not every risk can be controlled. Risks that cannot be managed will be escalated as appropriate through the line of management, to the executive team and ultimately to the Trust Board, which is notified of all significant risks rated at 15 or above. The Board has ultimate responsibility for ensuring the Trust manages those risks.

3. Who should undertake a risk assessment?

Risk assessment and action plans should be owned and undertaken within each local area, service manager, locality/operational and directorate level as appropriate, so that they are well focussed and relevant to that particular area. The web-based risk registers allow all risks and actions to be assigned to specific members of staff and ensures that start dates, target dates and reminder dates are set for every action.

Any individual can and should, identify hazards in their area as part of their responsibilities under the Trust Risk Management Strategy and Policy. Each risk register has at least one nominated risk guardian who is responsible for overseeing the process and maintaining the relevant risk register. Each guardian will have an understanding of risk management and in particular the principles of risk assessment.

of 34

16 RISK PROCESS 16.1 Step 1 – Identification

The first and most important step is to consider what possible hazards there are or could be, e.g. what, when and how something could happen that represents a source of potential harm or damage. It is important that risk assessment is multi-disciplinary wherever possible. It is also important to make use of information that is already being collated, e.g. serious incidents, complaints, incidents, legal claims, clinical audit, patient experience and other assessments already being carried out, for example, equality, Health & Safety, fire, security.

Risk assessment should be carried out as an integral part of day to day business, and is particularly important when there is a change in service provision or circumstances. Risks which pose a threat to the achievement of set objectives should assessed and recorded.

The risk description will be the consequence of the hazard/s occurring. This should then be considered along with the risk group and source of the risk.

This information should be logged on the appropriate risk register.

Attachment 1 provides a list of questions and risk issues that provide example guidance of what could be considered.

16.2 Step 2 – Assessment

Having identified hazards and evaluated the risks, it is important to consider and document the controls that are currently in place, which prevent the hazard from occurring or help limit the damage they could cause. Controls improve resilience.

Controls can fall into three main types:

• Prevent– these controls prevent a hazard or problem from occurring. Examples would include policies, procedures, guidelines, techniques, pro-active engagement with service users, carers and partner agencies, processes, training, use of equipment, checklists, computer systems, protective clothing, fire training etc;

• Detect – these controls provide an early warning of control failure. Examples would include audit, inspections monitoring, investigation, incident reporting, smoke detectors, complaints, surveys, tests etc;

• Contingency – these controls provide effective reaction in response to a significant control failure or overwhelming event and are designed to mitigate harm and improve resilience. Examples would include evacuation plans, escalations procedures, continuity plans, backup generators, locum/agency cover, insurance, sprinklers etc.

Examples of controls • Physical controls e.g. protective equipment, lifting and handling equipment,

warning signs,

Task design; e.g. needing 2 people to check drugs prior to administration, computer passwords to restrict access.

• Procedural Controls – Trust policies and procedures

of 34

• Professional controls –Compliance with professional and national guidelines and standards; e.g. CQC Registration, HSE regulations, Clinical Guidelines.

Gaps in controls should be addressed by an action that will reduce, mitigate or eradicate the identified gap.

Controls are ineffective without the necessary information, instruction and training. Therefore, the adequacy of training, equipment, staffing, resources and assurance must also be considered.

The purpose of risk assessment is to determine the level of and exposure to risk and provide input to decisions on where actions to reduce or exploit risk are necessary or likely to be worthwhile. The risk assessment stage will involve the analysis and rating of individual risks to identify the consequences/impact, likelihood/probability. Consequence/Impact can be measured in terms of the actual or potential severity of physical injury and/or damage, impact on services, or impact for the Trust.

To help prioritise the level of risk, it is important to consider the context of the risk, such as: this likely to have an effect upon service user care, staff well-being, financial implications, legal obligations, adverse publicity, the potential for impact on service provision and the possibility of claims or complaints against the Trust.

The likelihood or probability of the hazard occurring should be rated in terms of how often the hazard will occur if the existing controls fail, or if we cannot put in effective safeguards. This rating multiplied by the consequence rating will give an overall risk rate which can be expressed numerically, or in classifications of negligible (green 1-3), minor (yellow 4-7), moderate (orange 8-14), or major/catastrophic (red15-25) risk this level of risk is classed as significant.

Further guidance is provided in Trust Risk Assessment Matrix (Attachment 2)

Identified risks as a result of the assessment process which require action or mitigation must be recorded and entered onto and escalated to the relevant risk register as appropriate. Where staff may require additional guidance with the initial assessment of a risk, a risk assessment template can be used (see attachment 3). Where risks are recorded on a risk assessment template, these will be retained by the relevant guardian.

16.3 Step 3 – Management

After identifying a risk, any controls and the risk rate, it is then necessary to develop a risk actions plan to manage and reduce the risk and this should be detailed in the actions section provided on the web-based risk register.

The purpose of risk action plans are to:

• Prevent loss, harm or injury occurring • Protect patients, staff, services and the organisation from loss, harm or injury • Limit the extent of any loss, harm or injury that might occur • Maximise recovery and disseminate learning from any loss, harm or injury that

occurs.

Risk actions plans should focus on two general principles:

of 34

1. Reducing the frequency of the loss, harm or injury e.g. reducing the likelihood of the risk.

2. Limiting the extent of the loss, harm or injury, when it does occur e.g. reducing the consequence of the risk.

Any control gaps identified should also be covered by the identified actions. When actions are created and assigned, the system ensures that the dates for completion and the responsible member of staff are included. Actions should be monitored. Progress can be updated against ongoing actions by the risk guardian. An automated reminder system ensures that nominated responsible staff receive alerts on their actions when they are initially assigned and as they are due.

Each local area holds its own local register of identified risks. Those risks that cannot be managed at a local level require escalating to the service manager level risk registers to be reviewed by the guardians at this level and to be discussed at the relevant governance/risk meetings. Those risks that cannot be managed at a service manager level should be escalated to the locality/operational level risk register to be reviewed by the guardians at this level. Those risks that cannot be managed at a locality/operational level should be escalated to the directorate level risk register to be reviewed by the guardians at this level. An automated notification ensures that the manager responsible is notified when a risk is escalated or de-escalated but this should not replace the communication that should occur between managers before escalation occurs.

Any risks rating 15 or higher (significant risks) that are felt to have implications for the Trust, or are beyond the control of the directorate to manage should be for consideration of formal entry onto the corporate risk register. This will be AFTER the risk has been discussed within the directorate and the risk rating agreed.

The reason for any escalation of risk should be recorded on the appropriate risk register. The minutes of meetings where risks are discussed should reflect the decisions reached and the rationale for this.

The Trust Board is the final arbiter of the risk rating and may increase or decrease the agreed rating if deemed appropriate.

16.4 Step 4 – Monitoring & review

Risk assessments/review of risk registers are duties that should be carried out on a regular basis. In addition, it should be an agenda item for discussion at all levels of governance/risk management meetings to ensure risks are constantly monitored and re-evaluated throughout the year at all levels of the organisation. As risks are treated, risk ratings may be reduced or the risk eliminated altogether. It is essential to ensure that risk actions are re-visited and updated on the web-based risk register system.

All risks identified and assessed will be monitored and reviewed as required.

of 34

17 ATTACHMENT 1 – EXAMPLES OF AREAS OF CONSIDERATION THAT MAY HIGHLIGHT RISK (This is not an exhaustive list)

Questions

• Are all statutory, regulatory, clinical and contractual requirements being met? • What activities relating to service user care are provided in the local

business/service area or directorate? What patient experience feedback is there?

• Is there differentiation of experience by equality protected characteristics? • Are carers considered and supported? • Who provides the services? Are staff competent? Are they properly

supervised? Are they suited to the task? Are staffing levels adequate? • How are services which are provided on a 24 hour basis maintained to a safe

and appropriate standard at all times? • How effective are infection prevention and control measures in the area? • Do staff have the appropriate information, instruction and training to use

equipment? Is the equipment maintained in a safe and operational state? Do staff know how to report defects?

• Have the statutory Health and Safety assessments been carried out in the area e.g. Manual Handling, COSHH, DSE

• Is the Trust Waste Management Policy followed correctly e.g. sharps, infected waste

• How are the facts determined in the event of a complaint or litigation? Consider the availability, quality and scope of the clinical records.

• Are record keeping standards sufficient to provide adequate information in the event of queries concerning treatment?

• How effective is Trust-wide communication of clinical issues? Are there systems in place for learning from past experience – utilising internal information from audit, complaints, incident reporting and claims, and external data from national reports, Care Quality Commission publications and Confidential Enquiries?

• Are effective clinical procedures in place that reflect good practice and are they in line with the relevant professional standards? Are all relevant staff aware of them? Do all staff know what is expected of them?

• Are prescribing and administration of drugs reviewed on a regular basis? Are controlled drugs managed safely and legally? How are drugs stored?

• What are the key priorities in the area in the event of a disaster e.g. prolonged power cut, flood, and fire. Are business continuity plans in place? Are staff aware of them?

• Are there any risks to the delivery of objectives ? • Is there a planned or unplanned increase/reduction in activity? • Are all national targets being met? • Is there a lack of capital budget? • Is the reputation of the service threatened? • Is there potential to lose a service with subsequent loss of income? • Are there any significant changes to services planned? • Are service users being cared for as safely as possible?

of 34

Areas that may highlight risk:

Organisational arrangements

• Incident reporting • Litigation • Complaints • Serious incidents • Clinical audit • Dealing with emergencies • Business continuity • Research and development • Access to support and advice • Patient Surveys • PALS • Maintenance and use of equipment • Conveyance arrangements • Food Hygiene • Equality analysis • Fire code

National Benchmarking

• Dissemination of learning from Regional and National reporting systems)

• Recommendations from Confidential Enquiries and other national reports and enquiries e.g. Shipman Enquiry, Mid Staffs

• National Guidance e.g. NICE, NSF’s, • Coroners reports • Health and Safety Executive • Environment Agency • NHS Central Alert Systems • Media and Professional journals

Procedural Documents

• Clinical • Non-clinical • Financial

Staffing

• Numbers • Skill mix • Competence & Staff Training • Access & availability of training • Induction • Supervision • Volunteers • Sickness / Absence • Improving Working Lives

High Risk Areas

• Medical • Clinical • Medicines Management • Information • Infection Prevention & Control • Safeguarding

Record Keeping

• Clinical records • Non-clinical records • Data collection • Storage and retrieval • Content • Filing

Health and Safety

• Manual handling • COSHH • Violence and aggression • Waste

Business Risks

• High levels of demand • Not meeting national targets • Lack of business objectives • Pay /non-pay overspends • Agency costs • Lack of capital budget • Commissioners not supporting business case • External relationships poor • PR / Reputational issues • Compliance with regulations, other statutory

requirements and contracts • Compliance with legislation e.g. Equality Act 2010,

Mental Health Act 2007

of 34

18 ATTACHMENT 2 – TRUST RISK ASSESSMENT MATRIX (TRAM)

Each risk can be measured by multiplying the severity/impact of harm and the likelihood of that harm occurring. This calculation will produce a risk rating which refers to the amount of risk after the identification of current control. Tables 1-3 below provide guidance on risk rating. Residual risk is the level of risk following actions to reduce risk to an acceptable level or ensuring the mechanisms of assurance are adequate to mitigate the allocated level of risk. Table 4 provides guidance on risk predictive rating of incidents which considers other elements of severity besides level of harm.

Because of the subjective nature of the rating process, it’s essential that the person validating the risk assessment has the training/experience to do so.

Risk rating is not intended to be a precise mathematical measure, but is useful when prioritising control measures for the treatment of different risks.

Significant (Major/Catastrophic) Risk (15-25)

Moderate Risk (8-12)

Minor Risk (4-6)

Low Risk (1-3)

of 34

18.1 TABLE 1 – Guidance for the rating of risks

TRAM

Risk Group Negligible Minor Moderate Major Catastrophic

Impact on the safety of staff or public (physical/ psychological harm) NB – Time off work >7 days maybe RIDDOR reportable. Check RIDDOR criteria.

Minimal injury requiring no/minimal intervention or treatment.

Minor injury or illness, requiring minor intervention.

Requiring time off work for <7 days.

Moderate injury requiring professional intervention.

Requiring time off work for >7 days.

Major injury leading to long-term incapacity/disability.

Significant period of time off work.

Incident leading to death, multiple permanent injuries or irreversible health effects.

Unable to return to work.

Impact on the safety of service users

(physical/ psychological harm)

Minimal injury requiring no/minimal intervention or treatment.

Minor injury or illness, requiring minor intervention.

First aid treatment required.

Short term impact.

Moderate injury requiring medical intervention.

An event which impacts on a small number of service users.

Major injury leading to long-term incapacity/disability.

Mismanagement of patient care with long-term effects.

Incident leading to death, multiple permanent injuries or irreversible health effects.

An event which impacts on a large number of service users.

of 34


Quality Unsatisfactory service user experience.

Peripheral element of treatment or service sub-optimal.

PALS concern raised.

Unsatisfactory patient experience.

Local complaint received.

Single failure to meet internal standards.

Minor implications for service user safety if unresolved.

Reduced performance rating if unresolved.

Treatment or service has significantly reduced effectiveness.

Formal complaint.

Repeated failure to meet internal standards.

Moderate service user safety implications if findings are not acted on.

Non-compliance with national standards with significant risk to staff/service users if unresolved.

Multiple complaints/independent review.

Low performance rating.

Critical report.

Threat of loss of contract/payment by results.

Major patient safety implications if findings are not acted on.

Totally unacceptable level or quality of treatment/service. Gross failure of service user safety if findings not acted on. Inquest/ombudsman inquiry.

Gross failure to meet national standards.

Loss of contract/payment by results.

Service/ Business Interruption/ Environmental impact

Loss/interruption of >1 hour. Minimal or no impact on the environment.

Loss/interruption of >8 hours. Minor impact on environment.

Loss/interruption of >1 day. Moderate impact on environment.

Loss/interruption of >1 week. Major impact on environment.

Permanent loss of service or facility. Catastrophic impact on environment.

of 34


Adverse publicity/ reputation

Rumours.

Potential for public concern.

Local media coverage. Short-term reduction in public confidence. Elements of public expectation not being met.

Local media coverage. Long-term reduction in public confidence.

National media coverage. <3 days service well below reasonable public expectation.

National media coverage. >3 days service well below reasonable public expectation. MP concerned (questions in the House) Total loss of public confidence.

Human resources/ organisational development/staffing/ competence

Short-term low staffing level that temporarily reduces service quality (< 1 day)

Low staffing level that reduces the service quality

Late delivery of key objective/ service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale.

Poor staff attendance for mandatory/key training.

Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/ key training.

Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training /key training on an ongoing basis.

of 34


Finance/Resource

No obvious/small loss.

Remote risk of claim.

Loss of 0.1-0.25 per cent of budget.

Loss of less then £100k.

Failure to meet financial target 1st quarter.

Claim less than £10k.

Loss of 0.25-0.5 per cent of budget.

Loss of £100k to £750k.

Failure to meet financial target 2nd quarter.

Claim(s) between £10k - £100k.

Uncertain delivery of key objective/Loss of 0.5-1 percent of budget.

Loss of over £750k.

Extended failure to meet financial target 3rd quarter.

Claim(s) between £100k and £1m

Non-delivery of key objective/Loss of >1 per cent of budget. Loss of over £1m. Failure to meet specification/ slippage. Loss of contract/ payment by results.

Claim(s) >£1 million

Statutory duty / Compliance

No or minimal impact or breech of guidance of guidance/statutory duty.

Minor recommendations.

Minor non-compliance with standards.

Breech of statutory legislation.

Recommendations given.

Non-compliance with standards.

Single breech in statutory duty.

Challenging recommendations.

Non-compliance with core standards.

Reduced Rating.

Enforcement Action.

Multiple breeches in statutory duty.

Major non-compliance with core standards.

Low rating, critical report.

Multiple breaches in statutory duty.

Complete systems change required.

Zero performance rating.

Severely critical report.

Prosecution.

of 34


Information, Management and Technology (IM&T)

Loss/interruption of >1 hour.

Cosmetic problems only not affecting delivery of care or objectives

Loss/interruption of >8 hours.

Access and usability/connectivity is affecting a minimal number of people 1-10. Has the potential to affect patient care

Loss/interruption of >1 day.

Access and usability/connectivity is affecting 11-100 people. Will have an impact on patient care

Loss/interruption of >1 week.

Major usability/connectivity issue: important to fix should be given a high priority. Will affect patient care eg phone/RiO/Systm1 systems down

Permanent loss of service or facility.

Imperative to fix asap affecting all IT and/or telecoms system

of 34

18.2 Table 2 – Likelihood / Probability rating

Descriptor 1 2 3 4 5

Rare Unlikely Possible Likely Almost Certain

Frequency Not expected to occur for years Expected to occur at least annually

Expected to occur at least monthly

Expected to occur at least weekly Expected to occur at least daily

Probability < 5% 6-20% 21-50% 50-80% >81%

Will only occur in exceptional circumstances

Unlikely to occur Reasonable chance of occurring Likely to occur More likely to occur than not

18.3 Table 3 – Risk rating

Consequence

Catastrophic (5) 5 10 15 20 25

Major (4) 4 8 12 16 20

Moderate (3) 3 6 9 12 15

Minor (2) 2 4 6 8 10

Negligible (1) 1 2 3 4 5

Rare (1) Unlikely (2) Possible (3) Likely (4) Almost Certain (5)

Likelihood / Probability

of 34

19 ATTACHMENT 3 – RISK ASSESSMENT TEMPLATE It is recommended that this is e-mailed to the appropriate manager/risk guardian so a copy is kept for the record.

Which Directorate does the risk fall within?

Which Locality (if applicable) eg Service does the risk fall within?

Which Local area/Department (if applicable) does the risk fall within

Suggested level at which the risk should be managed? Eg Corporate, Directorate, Locality/operational, Service manager or Local level?

Risk assessment template initiated by:

1. Description of the associated hazards and a description of the risk

2. Identify Existing Controls & Assurances

3. Suggested actions to reduce risk

4. Identify the level of risk - Consider the severity and likelihood

(Circle the relevant risk rating in the below risk matrix)

5. Outcome of assessment

Meeting that the risk was discussed:

The level of risk register to add and/or escalate to:

Reasons for not logging on a risk register if applicable: