risk management strategy - wolverhampton ccg...this risk management strategy, approved by the...

Wolverhampton Clinical Commissioning Group 1 Risk Management Strategy


Page 1: Risk Management Strategy - Wolverhampton CCG...This Risk Management Strategy, approved by the Governing Body and Audit and Governance Committee describes the CCG’s risk management

Wolverhampton Clinical Commissioning Group 1

Risk Management Strategy


DOCUMENT STATUS: To be Approved

DATE ISSUED: January 2018

DATE TO BE REVIEWED: January 2020

AMENDMENT HISTORY

VERSION | DATE | AMENDMENT HISTORY

1.0 | June 2012 |

2.0 | December 2013 |

3.0 | February 2016 |

3.1 | January 2018 | Revised Version to reflect new CCG Risk Management Operational Arrangements

REVIEWERS This document has been reviewed by:

NAME TITLE/RESPONSIBILITY DATE VERSION

Mike Hastings Director of Operations January 18 3.1

APPROVALS This document has been approved by:

GROUP/COMMITTEE DATE VERSION

Senior Management Team

Audit and Governance Committee

Governing Body

DISTRIBUTION This document has been distributed to:

Distributed To: Distributed by/When

Paper or Electronic

Document Location

DOCUMENT STATUS This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of the document are not controlled.

RELATED DOCUMENTS These documents will provide additional information:

REF NUMBER DOCUMENT REFERENCE NUMBER

TITLE VERSION


Contents

Risk Management Statement of Intent

Introduction

Purpose and Scope

Roles and Responsibilities

Definitions and Terms used

Outline of the Risk Management Process

Organisation Risk Management Structure and Governance Arrangements

Risk Quantification

Risk Registers

Governing Body Assurance Framework

Communication, Training, Monitoring and Review


Risk Management Statement of Intent

The overall aim of Wolverhampton Clinical Commissioning Group (CCG) is to be a first class commissioner of healthcare services putting customers and patient/service users at the centre of what they do by commissioning the Right Care, in the Right Place at the Right Time. In order to achieve this overall aim, the CCG has established the following Strategic and Operational priorities:-

1. Improving the quality and safety of the services we commission by checking, monitoring and encouraging providers to improve the quality and safety of patient services

2. Reducing health inequalities in Wolverhampton by leading improvements and innovation in Primary Care across the City and working in partnership with other organisations, including providers and the Local Authority to deliver new models of care closer to home.

3. Achieving System effectiveness delivered within our financial envelope by proactively working with partners across the Black Country in the STP, supporting closer integration between health and social care, delivering improvement in technology and infrastructure across the health economy and continuing to meet our statutory duties as an organisation.

Effectively understanding and managing the risks associated with commissioning health care is integral to the CCG achieving these aims. This risk management strategy sets out how the CCG manages its risks by implementing a comprehensive system of internal controls to enable proactive identification and management of strategic, operational, reputational and financial risks, whilst avoiding any loss of flexibility and innovation in service provision.

The management of risk is a key organisational responsibility which is a fundamental part of all management and staff duties. Every member of CCG staff must have a real sense of ownership and commitment to identifying and minimising risks.

The Governing Body endorses this Risk Management Strategy as a proactive approach to identifying and analysing risks in order to effectively manage them to either eliminate specific risks or to mitigate their effect to an acceptable level. The Audit and Governance Committee, on behalf of the Governing Body, will ensure risk management is actively reported and continuous improvement and learning associated with risk management is being actively managed & reviewed.

Chief Officer 2018


Introduction

1. Risks are defined as an uncertain set of events that, should they occur, will have a material effect or harm. The CCG recognises that Risk is inherent in all of its activities, from determining service priorities, taking decisions about future strategies, or even deciding not to take any action at all. Good risk management awareness and practice at all levels is a critical success factor for the CCG and we therefore approach management of risk in a structured, systematic and consistent manner.

2. The CCG recognises that some risk is unavoidable and therefore will put in place control measures to mitigate those risks by reducing them to an acceptable level and monitoring and reviewing the effectiveness of these measures. This Risk Management Strategy, approved by the Governing Body and Audit and Governance Committee, describes the CCG’s risk management philosophy and associated processes and assigns the relevant responsibilities.

3. The CCG’s risk management arrangements are focussed on ensuring that there is a clear understanding across the CCG of the risks associated with achieving the CCG’s strategic objectives. This is a common thread through the development of a clear Governing Body Assurance Framework, management of operational risks through CCG teams and committees and by the processes in place to escalate risks between these levels of the organisation.

Purpose and Scope

4. This strategy describes the procedures the CCG will use to minimise risk through a comprehensive system of internal control to ensure it meets the overall aim of commissioning the right care in the right place at the right time. It covers risks to patients, service users, staff, stakeholders and those working on or visiting CCG premises, as well as clinical, organisational and financial risk at strategic and operational levels.

5. The Strategy sets out the way in which the CCG will:-

Identify risks that exist

Analyse those risks to understand the potential likelihood and severity of the consequences occurring

Eliminate risks that reasonably and practicably can be eliminated

Reduce the effect of those risks that cannot be eliminated

Put in place mechanisms to absorb the consequences of those residual risks that remain.

6. This will ensure that the CCG is able to manage all risks which may adversely affect the quality of services it commissions and the ability of the CCG to meet and actively manage its organisational responsibilities including those duties defined in law.


Roles and Responsibilities

7. The Governing Body

The Governing Body is responsible for setting the overall strategic direction of the CCG and for ensuring that it acts economically, efficiently and effectively. In order to meet these duties, the Governing Body must assure itself that the CCG has properly identified the risks it faces, and that it has processes in place to mitigate those risk(s) and the impact they have on the organisation and its stakeholders. To achieve this, the Governing Body, principally through its Governing Body Assurance Framework (GBAF) will seek to ensure that:

It understands the most significant risks facing the organisation

There are appropriate levels of risk awareness throughout the organisation

The organisation has effective plans in place to manage a crisis

It understands the importance of external confidence in the organisation and how this impacts on the CCG’s overall risk profile

It is assured that the risk management process is working in the organisation

That, through the Audit and Governance Committee, there is a clear risk management strategy that describes the risk management philosophy and responsibilities of the wider CCG

8. The Audit and Governance Committee

The Audit and Governance Committee is responsible for leading the risk management process on the Governing Body’s behalf, taking a strategic view of governance, to give directions to the other CCG committees and groups regarding management of risk and to receive assurance from these Groups where NHS Standards are being achieved/not achieved. It will keep under active review the content of the corporate risk register, addressing corporate issues, and provide assurances to the Board that directorates and departments within the CCG are managing their risks effectively. The Audit and Governance Committee fulfils this role as part of its overall responsibility for scrutiny and verification of the CCG’s corporate governance in accordance with the requirements of standing financial guidance and the requirements of the annual Statement on Internal Control.

9. Other CCG Committees

The Other Committees of the Governing Body (Commissioning Committee, Finance and Performance Committee, Primary Care Commissioning Committee and Quality and Safety Committee) are responsible for managing the risks under their areas of responsibility. They will, with the support of the CCG Managers who report to the committees, review and manage the risks under their areas of responsibility and escalate any risks to the Governing Body as they deem appropriate.

10. Accountable Officer

The Accountable Officer has overall accountability for the management of risk and the duties regarding quality of service. They will establish and maintain an effective strategy for risk management by:-

Continually promoting risk management and demonstrating personal involvement and support

Ensuring an appropriate committee structure is in place, with regular reports to the Board

Ensuring that Executive Directors are appointed with managerial responsibility for progressing risk management


11. Executive Directors

Directors are responsible for directing the implementation of the Risk Management Strategy and associated governance arrangements with staff & stakeholders pertinent to their area of responsibility by:-

Identifying and carrying out risk profiling and assessment of risk across the functions for which they are accountable

Treatment of risk(s) including identification, recording & reporting to demonstrate that all reasonable mitigating actions have been identified & put in place to effectively manage the risk

Continually demonstrating personal involvement and support for the promotion of risk management & reporting on risks associated with their area of control via the CCG’s risk management system

Ensuring that managers and heads of department accountable to them understand and pursue risk management in their areas of responsibility

Setting objectives for risk management and monitoring achievement

Ensuring that staff employed are of an appropriate professional standing and adequately trained for the tasks they are required to undertake

Ensuring the development and implementation of effective integrated governance which will promote safety, address risk and create an environment which pursues excellence

These reflect key operational and day-to-day responsibilities delegated to them. All Directors must ensure that the implementation of the policy is fully addressed within their respective areas, and that all their staff members are made aware of its overall content and implications.

12. Chief Financial Officer

The Chief Financial Officer has, in addition to their general responsibilities as an Executive Director, accountability for progressing financial risk management and for ensuring that effective risk management is in place.

13. Director of Operations

The Director of Operations is accountable for the risk management process across the organisation and will be a firm advocate of the strategy, ensuring effective corporate governance practices duly reflect the principles therein. When determining the effectiveness of corporate governance practices, risk management will be recognised as integral to the CCG so that risks are identified on a proactive and reactive basis.

14. Corporate Operations Manager

Reporting to the Director of Operations, the Corporate Operations Manager is the lead for risk management within the CCG, ensuring that the day to day co-ordination of risk management is undertaken & duly reported to all responsible forums. They will take all reasonable steps to ensure recommendations for improving & responding to risk management information are effectively communicated.

15. Senior Management Team

All Members of the Senior Management Team, Heads of Service are expected to be continually aware of risk management issues and will ensure the risk management system is used as an intrinsic component of their day to day work. This will include leading on the management of the

16. CCG Staff

The risk management Strategy requires the full support of all staff in the assurance and risk management processes. It is the responsibility of all Wolverhampton CCG employees to:-


Take account of and be actively aware of the potential for risks to occur

Report areas of concern including clinical, non-clinical and financial issues (including fraud) to line managers

Participate in risk assessment processes as necessary including through team discussions of risks

Participate in risk management arrangements outlined through project and programme management processes across the CCG.

Be familiar and comply with all Wolverhampton CCG policies, procedures

Be aware of Wolverhampton CCG Risk Management Strategy and Policy and their responsibilities

Attend risk management training as required by the CCG

Definitions and Terms used

17. In line with the roles and responsibilities outlined above, this strategy sets out robust systems for managing risks. The following terms are used throughout the descriptions of these strategies and processes.

Hazard: Hazards are the actual ‘physical’ situations that can cause the harm.

Risk: Risk is the chance that an event will occur and will impact upon the CCG’s objectives. It is measured in terms of likelihood (frequency or probability of the risk occurring) and severity (consequence or effect of the risk occurring).

Risk Assessment: Risk Assessment is the process used to determine risk management priorities by evaluating and comparing the level of risk against predetermined acceptable levels of risk.

Risk Management: Risk Management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk.

Control: The resources, systems, processes, culture, structure and tasks that support staff in the achievement of organisational objectives. Effective control provides a reasonable assurance that the organisation will achieve its objectives reliably, and enables it to respond to significant operational, financial and compliance risks.

Clinical Risk: Clinical risk can be defined as direct risks relating to the care of the patient and the standards of care received on the patient’s journey through the organisation. Issues that can have an impact on the standard of clinical care received include patient discharge arrangements, patient research studies, infection prevention & control, medicines management, clinical audit, ensuring that there are sufficient staffing levels and that these staff are appropriately trained.

Organisational Risk: Organisational risk can be defined as risks relating to communication, provision of goods and services, data protection, information systems, human resources, and risks that threaten the achievement of the organisation’s objectives.

Financial Risk: Financial risk can be defined as risks that will threaten the effective financial controls, including the systems to maintain proper accounting records and success of QIPP projects. It is important that the organisation is not exposed to avoidable financial risk and that financial information used within Wolverhampton CCG and for external publication is reliable.

Information Risk: Information risks can be defined as risks that affect personal identifiable information. Information risk management seeks to identify and control information risks in relation to business processes and functions and is led by the Senior Information Risk Owner (SIRO).

Strategic Risk: Defined as risks which affect the achievement of the organisation’s strategic objectives.

Operational Risk: Defined as risks which affect the achievement of local objectives.

Environmental Risk: Defined as risks associated with organisational actions which may have an impact upon the environment.

Reputational Risk: Defined as risks which affect public and stakeholder perception of the organisation.

Outline of the Risk Management Process

18. The overall philosophy of risk management in the CCG is to actively identify risk(s), analyse them and ensure that all reasonable control measures have been considered, identified and applied to mitigate the risk. This is achieved through all teams ensuring that they have undertaken risk profiling to determine the profile of risks within their portfolio.

Figure 1 – Risk Profiling (Profile of Risk)

Financial: Additional short term costs; Long term cost pressure; Failure to achieve expected savings

Strategic: Impact on strategic objectives; Risks to overall CCG/Health Economy Plans; Long term risks

Operational: Risks to day-to-day operations not being completed; Infrastructure/staffing associated risks

Compliance and Reputation: Impact on public perception; Failure to achieve statutory targets or duties; Impact on CCG assurance by NHS England

19. A risk profiling template can be found within the appendices of this policy. When completed the responsible person should ensure a suitable and sufficient assessment of risk has been undertaken in line with Health and Safety Executive Guidance (5 Steps to Risk Assessment, http://www.hse.gov.uk/pubns/indg163.pdf)

20. A risk assessment consists of five steps:-

Identify the hazards

Who might be harmed

Evaluate the risks

Record significant findings

Regularly review the risk assessment

21. Once the risk assessment has been undertaken, the risk must be recorded on the appropriate risk register. This could be the Team’s risk register, a project risk log, a Committee risk register or the Governing Body’s Corporate Risk Register. The review process should take account of any significant changes and will take place dependent on the grading of the risk as follows:-

Red Risks (Very High) < 1 month

Amber Risks (High) 1-3 months

Yellow Risks (Moderate) 3-6 months

Green Risks (Low) 6-12 months

Organisation Risk Management Structure and Governance Arrangements

22. The CCG has put in place a comprehensive structure of controls to co-ordinate and manage risk within the organisation. This consists of rigid lines of accountability through which issues of risk can be debated and the effectiveness of Wolverhampton CCG risk management arrangements assured.

23. Figure 2 below shows the various elements of this structure and how they interrelate to ensure that the Governing Body is kept fully informed and assured of the risk management processes.

Figure 2 – Organisational Monitoring and reporting Structure

[Organisation chart: Governing Body; Finance & … Committee; Audit & … Committee; Quality and Safety Committee; Primary Care Committee; CCG Senior Management; Finance & Business; Commissioning Contract & Service Redesign; Quality & Medicines; Primary Care]


24. The CCG’s risk management arrangements are set within an Integrated approach to governance. This approach recognises the interdependence and interconnectivity between clinical, financial or any other governance domain, highlighting their vital importance. For this reason each of the CCG’s Committees, which have specific roles in the governance arrangements for these areas, take a key role in managing risks for these areas. Along with the oversight role for the Audit & Governance Committee, onward reporting to the CCG Governing Body provides the integrated approach across the CCG.

25. This integrated governance approach allows the CCG to examine the risks to its strategic and operational objectives, using the same methodology no matter the nature and context of the risk. This ensures risks are managed in an identical way across different services and teams, providing a uniform method of assurance for the Governing Body via the Audit & Governance Committee.

26. This approach is set out in Figure 3 – Risk Management Framework

27. Policy

The policy is set out in this Risk Management Strategy owned by the Operations Department and is overseen by the Corporate Operations Manager. The systems & processes contained within it are actively overseen on a day to day basis via the appropriate staff in the Operations Department but it remains the responsibility of all staff across the CCG to implement the strategy.

[Figure 3 – Risk Management Framework. Labels in the figure:

Policy: Statement of Intent; Risk Management Processes; Bi-annual Review

Audit: Internal Scrutiny - Team & Organisational Level

Organising: Risk Management Responsibilities; Embed at Team Level; Risk Profiling

Reporting: Senior Management Team; Quality & Safety Committee; Audit & Governance Committee; Governing Body

Risk Recording: Risk Assessment & Recording; Mitigating Controls & Active Management; Risk Review; Escalation

Monitoring & Review: Team Risk Registers; Trend Identification & Analysis; Preparation of Reports

Systems & Processes]


28. Organising

The CCG cannot manage its risks effectively unless it knows what the risks are. All directors & heads of service are responsible for ensuring their teams are briefed on the policy and that the processes contained within it are actively implemented and embedded. Therefore, all teams will hold a risk profile and maintain a team risk register to encompass ALL risks the service faces. Risks identified at this level will be assessed against team objectives in the first instance. Key personnel from within teams may be tasked with maintaining such records in support of their team.

Where teams consider that risks they have identified need to be brought to the attention of the appropriate Committee, they will inform the Corporate Operations Manager, who will arrange for the risk to be added to the Committee Risk Register. The Committee will also assess the risk to determine whether the assessment at team level remains appropriate when assessed against broader organisational objectives. Once the Committee has considered the risk it will ensure that the risk is appropriately reviewed and, if necessary, escalated to the Governing Body for further attention and assessment if required. An outline of this process is set out in Appendices 1 and 2 to this strategy.

29. Risk Recording

All risks whether controlled or not should be recorded on the CCG’s Risk Management template. Using the five steps to risk assessment outlined above all risk handlers will adopt these principles to record risks and arrange for approval by the responsible manager. Risk assessment is a continuous process and will therefore require all assessments to be regularly reviewed. The CCG recognises that it is impossible to eliminate all risks, but that a robust risk assessment process is essential. Where risks are increasing or not progressing satisfactorily they should be escalated initially to the responsible Head of Service, followed by discussion at Team or Committee meetings as appropriate.

30. Managers and heads of service are responsible for profiling risks within their areas of responsibility. The risk profiling will cover a breadth of types of risks including employer risks, health and safety and statutory risks and Commissioning risks i.e. achievement of QIPP projects. Risks will be identified, assessed and analysed and added to the risk register. Managers are responsible for ensuring that risk assessments are carried out within their respective areas and that a rolling program of risk assessments is determined.

31. The risk identification and assessment will be undertaken by multidisciplinary teams comprised of suitably competent persons who have detailed working knowledge of the working processes, procedures and systems. In the process of carrying out risk assessments, staff will identify hazards and areas of risk in their workplace or in aspects of their work duties. The results of risk assessments should be reported and communicated to the managers responsible.

32. Monitoring & Review

All teams will maintain their own risk register in line with the CCG’s agreed risk management templates. The Corporate Operations Manager and appropriate staff within the Operations Department will support teams to ensure that the appropriate information is recorded to identify and manage risks.

33. The Corporate Operations Manager and supporting staff will routinely review all risk entries to ensure timely review, scoring, assurance & identify trends for consideration by teams and where necessary shared routinely at Senior Management Team. The Risk Management Process is defined in figure 3 below.

34. In situations where significant risks have been identified and where local control measures are considered to be potentially inadequate, they will need to be brought to the attention of the appropriate Committee, if local resolution has not been satisfactorily achieved.

35. Managers should treat risks locally if the risk has scores in low (green) or moderate (yellow) categories. This will include reviewing and analysing formal assessment reports, establishing risk treatment plans and ensuring the appropriate information is recorded onto the Risk Register. Risks identified as High (amber) or Very High (red) will be brought to the immediate attention of the Responsible Officer(s) for their approval/authorisation.

36. Reporting

A range of groups will receive reports within the CCG. At strategic level, the responsible committees and Senior Management Team will receive regular reports for consideration and approval. Where appropriate, groups will also receive reports associated with risks outlined for projects and programmes in line with agreed project or programme management approaches. These reports will be overseen by the Audit and Governance Committee and then used to help to develop quarterly reports on the GBAF for the Governing Body.

37. Confidential Risks

There will be occasions when information is deemed confidential and when risks should not be evident in public facing reports. All risk owners will have the opportunity to confirm if a risk entry is confidential.

38. Audit

There are two core methods that will be used to scrutinise the risk management system, these are:-

Self-Assessment: The Corporate Operations Manager will lead on internal scrutiny that will determine levels of compliance across the organisation.

Internal Audit: In line with their risk based work plan, the CCG’s Internal audit service will assess the CCG’s assurance framework to ensure that it covers all of its key business areas and provides a proper balance of all principal objectives and the risks that threaten their achievement.

The Governing Body will be informed, via the Audit Committee and the GBAF, how well the CCG’s internal control arrangements (including governance and risk management) help it to achieve its objectives.

Where weaknesses are identified in the control environment or any systems and procedures, a timetable for remedial action with the relevant managers will be agreed. Risk management process based on ISO 3100 should be actively applied by all teams and staff within the CCG as follows:-


Risk Quantification

39. The CCG will use a matrix system to determine the level of risk based on both the likelihood of the risk occurring and the potential consequences of the risk occurring. The matrix is scored from 1 to 5 as follows:-

40. Further detail on how risks will be assessed against this matrix can be found in the Guide from the National Patient Safety Agency set out at Appendix 3 to this strategy. From the matrix, a score will be assigned to each risk to determine the grading of each risk as follows:-

Score     Grading
1-3       Low
4-6       Moderate
8-12      High
15-25     Very High

41. Risk Appetite

In line with its responsibilities under the Health & Safety at Work Act 1974 the CCG will balance possible risk reduction activities with the cost and difficulty of implementation to determine what level of risk is “acceptable”. Wolverhampton CCG will regard those risks that have been reduced until they are as low as is reasonably practicable as being “acceptable risks”. In effect this means that steps have been taken to reduce the severity of the risk and likelihood of it occurring, and that the resources required for further reduction significantly exceed the potential financial, operational and reputational impact.


42. As a general principle Wolverhampton CCG will seek to eliminate and control all risks which have the potential to:

harm its staff, service users, visitors and other stakeholders;

have a high potential for incidents to occur;

result in loss of public confidence in Wolverhampton CCG and/or its partner agencies;

have severe financial consequences which would prevent Wolverhampton CCG from carrying out its functions on behalf of its residents.

43. The CCG recognises that it is impossible, and not always desirable, to eliminate all risks and that systems of controls should not be so rigid that they stifle innovation and imaginative use of limited resources. All risks that are identified as red that cannot be reduced to an acceptable level will have a supporting contingency plan in place that has been agreed with the responsible director and shared with the appropriate Committee.

44. As a general principle Wolverhampton CCG has determined the following levels of risk:

Acceptable Risks: Risks in the low (green) category will be considered to be an “Acceptable risk”. Existing controls should be monitored and adjusted. No further action or additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Review at 6-12 month intervals.

Unacceptable Risks: Risks in the moderate (yellow) and high (amber) categories will be considered to be “Unacceptable risks.” Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and weighed against the impact of an event. There is also a need to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures. Such risks may be temporarily “acceptable” if new controls are in the process of being implemented. Review at 1-3 month intervals.

Significant Unacceptable Risks: Risks in the very high (red) category will be considered to be “Significant risks”. Immediate action must be taken to manage the risk. Control measures should be put into place, which will have the effect of reducing the impact of an event or the likelihood of an event occurring. A number of control measures may be required. Significant resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken. Review at no longer than 1 month intervals.

45. Risks that are assessed as ‘Unacceptable’ or ‘Significant Unacceptable’ will be given a target score and an action plan developed to enable that target score to be reached. This will include setting a clear timeframe by which the target score is expected to be reached. Once a risk has reached the target score it will either be closed or, in the case of risks escalated to Committee or Governing Body risk registers, de-escalated as appropriate to either Committee or Team level for further monitoring and review. Where risks fail to meet the agreed timeframe for reaching their target scores, the risk assessment process will include consideration of the impact of any slippage on the overall level of risk.


Risk Registers

46. Managers are responsible for managing risks identified through risk profiling exercises and continual assessment of risk to their team or programme risk register. Any risks which are escalated to the appropriate committees will be highlighted to the Corporate Operations Manager. The Senior Management Team and Audit and Governance Committee will routinely monitor committee registers and may, where appropriate, examine team risk registers.

47. Committee Risk Registers and the Governing Body’s Corporate Risk Register and GBAF will be maintained by the Corporate Operations Manager, who will be responsible for reporting to and taking actions to update these registers following discussions at meetings. The Chair of the relevant Committee and the Governing Body will lead the discussion on these risk registers when appropriate.

48. Risks will be identified by reference to both strategic and operational factors which may include incidents, complaints and contract non-compliances as well as management assessments of inherent risk. Action plans to address such risks will be clearly defined, as required by the risk management policy, and will be endorsed by the responsible Manager Director for the risk(s) contained so that the necessary actions can be approved in line with the CCG’s Risk Management System.

Governing Body Assurance Framework

49. The risk registers and risk management processes outlined in this strategy are designed to provide the Governing Body with assurance that risks are being effectively managed. In line with best practice across the NHS, the GBAF is designed to provide the Governing Body with a method for the effective and focused management of the principal risks to meeting its principal objectives. The CCG’s GBAF is structured around the organisation’s strategic aims and objectives as follows:-

Strategic Aims and Strategic Objectives

Strategic Aim 1. Improving the quality and safety of the services we commission

a. Ensure on-going safety and performance in the system: Continually check, monitor and encourage providers to improve the quality and safety of patient services ensuring that patients are always at the centre of all our commissioning decisions

Strategic Aim 2. Reducing health inequalities in Wolverhampton

a. Improve and develop primary care in Wolverhampton: Deliver our Primary Care Strategy to innovate, lead and transform the way local health care is delivered, supporting emerging clinical groupings and fostering strong local partnerships to achieve this

b. Deliver new models of care that support care closer to home and improve management of Long Term Conditions: Supporting the development of Multi-Speciality Community Provider and Primary and Acute Care Systems to deliver more integrated services in Primary Care and Community settings

Strategic Aim 3. System effectiveness delivered within our financial envelope

a. Proactively drive our contribution to the Black Country STP: Play a leading role in the development and delivery of the Black Country STP to support material improvement in health and wellbeing for both Wolverhampton residents and the wider Black Country footprint.

b. Greater integration of health and social care services across Wolverhampton: Work with partners across the City to support the development and delivery of the emerging vision for transformation; including exploring the potential for an ‘Accountable Care System.’

c. Continue to meet our Statutory Duties and responsibilities: Providing assurance that we are delivering our core purpose of commissioning high quality health and care for our patients that meet the duties of the NHS Constitution, the Mandate to the NHS and the CCG Improvement and Assessment Framework

d. Deliver improvements in the infrastructure for health and care across Wolverhampton: The CCG will work with our members and other key partners to encourage innovation in the use of technology, effective utilisation of the estate across the public sector and the development of a modern up skilled workforce across Wolverhampton.

50. The GBAF will be presented to the Governing Body on a quarterly basis highlighting the key identified risks to the achievement of the strategic objectives that are being managed by committees, a narrative assessment of the overall risk level against each aim and a description of the key controls in place. This then sets out the initial risk of the objective not being achieved and then the quarterly assessment of the impact of controls.

51. The Governing Body will be responsible for identifying gaps where further work is required to provide assurance and for determining any appropriate action to address the level of risk. The Corporate Operations Manager will support the Governing Body and responsible committees of the Governing Body in developing and monitoring action plans as a result.

52. The Governing Body will periodically review the individual strategic aims and objectives within the GBAF in more detail to ensure that the risk level of the aims and objectives being achieved are appropriately represented and where shortfalls have been identified ensure that actions to address gaps have been identified and are being progressed in a timely manner.

Communication, Training, Monitoring and Review

53. Communication and transparency for risk management arrangements are crucial to the effectiveness of the processes defined within the strategy. The strategy will be consulted on among responsible heads of service & directors (Senior Management Team) and shared with stakeholders via distribution at responsible committees, newsletter and by posting on both the Internet and Intranet.

54. The effectiveness of the implementation of Wolverhampton CCG Risk Management Strategy will be measured using the following indicators as the basis for the regular assurance to the Audit and Governance Committee which will review this strategy in line with the review date outlined above.

Indicator description: Meet suggested NHSLA Risk Management and ISO 31000 standards as defined within the strategy.
What this will tell us: The CCG does/does not have a suitably embedded risk management framework in line with ISO 31000.

Indicator description: Implement Wolverhampton CCG strategy (i.e. Risk Management Structure, Framework & Process) as per ISO 31000.
What this will tell us: The CCG has a robust procedure in place for identification and management of risk that is included in the implementation plan.

Indicator description: Risk assessment entries are fully completed including the provision of assurance information.
What this will tell us: Risks are being recorded correctly & the information in reports is timely & accurate for the audience(s).

Indicator description: Risk Registers utilising Datix software are fully in place including a range of types of risk in each department and at corporate level.
What this will tell us: There is evidence of effective management of risk within the CCG.

Indicator description: Applicable staff attend a Team Briefing using the strategy training presentation as a form of information and instruction on Risk Management training.
What this will tell us: That heads of department and their staff have been well-informed of their role and responsibility for risk management. Specifically each area/function that is being maintained to the expected standard.

Indicator description: A Board Assurance Framework exists in line with the requirements of the strategy and is approved by the Governing Body at the beginning of each financial year, and they receive regular updates on performance & advocate action required to address gaps in assurance.
What this will tell us: The Board Assurance Framework is in place and endorsed by the Governing Body, who are clear on where the gaps in assurance are for the organisation & the actions being taken to address them.

Indicator description: Risk register reporting to responsible forums and persons.
What this will tell us: Risk register is challenged at SMT by a deep dive into specific risks to ensure risk entries are scored and accurately reflect the latest position.

55. The Strategy comprises a breadth of responsibilities for all staff and will therefore be reliant on a series of supportive measures led by the Operations Department. Staff will need to be fully aware of the requirements of this strategy if it is to be effectively implemented. It is the responsibility of all managers to ensure their staff groups receive appropriate information and instructions for training and supervision in risk management.

56. Implementation training to support this strategy for each aspect of Risk Management will be developed by the Corporate Operations Manager and will include appropriate training at the following levels:-

Governing Body

Senior Management Team

Risk Handlers

All Staff


Appendix 1 – Risk Escalation Process

Team Risks

Committee Risks

Governing Body – Corporate Risks

All risks facing Team identified

Risks assessed – primarily against team/ programme objectives

Risks reviewed regularly

Team Risk Register Maintained

Significant risks escalated to committees

Project & Programme Risks

Risks re-assessed – against corporate objectives

Risks reviewed regularly

Risk Managers may be asked to review risks at committees

Risks to be escalated to Governing Body where trajectory is not effective/ high levels of concern

Significant Corporate level risks

Overall oversight through GBAF

Direct further actions through committees/ teams

Corporate Operations Manager & Governance and risk Co-ordinator

Support and advice

Manage Registers

Support Risk Assessment

Facilitate Reviews


Appendix 2 – Risk Monitoring and Review Process

Risk Identified

Risk Assessment

Initial Risk Review at Team Meeting

Risk Managed at Team Level

Risk to be escalated to Committee/ Governing Body

Ongoing Review in line with risk level

Risk De-escalated/ closed

Risk Re-assessed against Corporate objectives

On-going Review in line with risk level

Risk Managed By Committee/Governing Body


Appendix 3 – Risk Matrix Guide

Table 1 Consequence scores

Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column.

Consequence score (severity levels) and examples of descriptors

Domain: Impact on the safety of patients, staff or public (physical/psychological harm)

1 Negligible: Minimal injury requiring no/minimal intervention or treatment; No time off work

2 Minor: Minor injury or illness, requiring minor intervention; Requiring time off work for >3 days; Increase in length of hospital stay by 1-3 days

3 Moderate: Moderate injury requiring professional intervention; Requiring time off work for 4-14 days; Increase in length of hospital stay by 4-15 days; RIDDOR/agency reportable incident; An event which impacts on a small number of patients

4 Major: Major injury leading to long-term incapacity/disability; Requiring time off work for >14 days; Increase in length of hospital stay by >15 days; Mismanagement of patient care with long-term effects

5 Catastrophic: Incident leading to death; Multiple permanent injuries or irreversible health effects; An event which impacts on a large number of patients

Domain: Quality/complaints/audit

1 Negligible: Peripheral element of treatment or service suboptimal; Informal complaint/inquiry

2 Minor: Overall treatment or service suboptimal; Formal complaint (stage 1); Local resolution; Single failure to meet internal standards; Minor implications for patient safety if unresolved; Reduced performance rating if unresolved

3 Moderate: Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2) complaint; Local resolution (with potential to go to independent review); Repeated failure to meet internal standards; Major patient safety implications if findings are not acted on

4 Major: Non-compliance with national standards with significant risk to patients if unresolved; Multiple complaints/independent review; Low performance rating; Critical report

5 Catastrophic: Totally unacceptable level or quality of treatment/service; Gross failure of patient safety if findings not acted on; Inquest/ombudsman inquiry; Gross failure to meet national standards


Domain: Human resources/organisational development/staffing/competence

1 Negligible: Short-term low staffing level that temporarily reduces service quality (< 1 day)

2 Minor: Low staffing level that reduces the service quality

3 Moderate: Late delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>1 day); Low staff morale; Poor staff attendance for mandatory/key training

4 Major: Uncertain delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>5 days); Loss of key staff; Very low staff morale; No staff attending mandatory/key training

5 Catastrophic: Non-delivery of key objective/service due to lack of staff; Ongoing unsafe staffing levels or competence; Loss of several key staff; No staff attending mandatory training/key training on an ongoing basis

Domain: Statutory duty/inspections

1 Negligible: No or minimal impact or breach of guidance/statutory duty

2 Minor: Breach of statutory legislation; Reduced performance rating if unresolved

3 Moderate: Single breach in statutory duty; Challenging external recommendations/improvement notice

4 Major: Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report

5 Catastrophic: Multiple breaches in statutory duty; Prosecution; Complete systems change required; Zero performance rating; Severely critical report

Domain: Adverse publicity/reputation

1 Negligible: Rumours; Potential for public concern

2 Minor: Local media coverage – short-term reduction in public confidence; Elements of public expectation not being met

3 Moderate: Local media coverage – long-term reduction in public confidence

4 Major: National media coverage with <3 days service well below reasonable public expectation

5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation; MP concerned (questions in the House); Total loss of public confidence

Domain: Business objectives/projects

1 Negligible: Insignificant cost increase/schedule slippage

2 Minor: <5 per cent over project budget; Schedule slippage

3 Moderate: 5–10 per cent over project budget; Schedule slippage

4 Major: Non-compliance with national 10–25 per cent over project budget; Schedule slippage; Key objectives not met

5 Catastrophic: Incident leading >25 per cent over project budget; Schedule slippage; Key objectives not met

Domain: Finance including claims

1 Negligible: Small loss; Risk of claim remote

2 Minor: Loss of 0.1–0.25 per cent of budget; Claim less than £10,000

3 Moderate: Loss of 0.25–0.5 per cent of budget; Claim(s) between £10,000 and £100,000

4 Major: Uncertain delivery of key objective/Loss of 0.5–1.0 per cent of budget; Claim(s) between £100,000 and £1 million; Purchasers failing to pay on time

5 Catastrophic: Non-delivery of key objective/Loss of >1 per cent of budget; Failure to meet specification/slippage; Loss of contract/payment by results; Claim(s) >£1 million

Domain: Service/business interruption; Environmental impact

1 Negligible: Loss/interruption of >1 hour; Minimal or no impact on the environment

2 Minor: Loss/interruption of >8 hours; Minor impact on environment

3 Moderate: Loss/interruption of >1 day; Moderate impact on environment

4 Major: Loss/interruption of >1 week; Major impact on environment

5 Catastrophic: Permanent loss of service or facility; Catastrophic impact on environment


Table 2 Likelihood score (L)

What is the likelihood of the consequence occurring?

The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

Likelihood score, descriptor and frequency (how often might it/does it happen):

1 Rare: This will probably never happen/recur

2 Unlikely: Do not expect it to happen/recur but it is possible it may do so

3 Possible: Might happen or recur occasionally

4 Likely: Will probably happen/recur but it is not a persisting issue

5 Almost certain: Will undoubtedly happen/recur, possibly frequently

Note: the above table can be tailored to meet the needs of the individual organisation.

Some organisations may want to use probability for scoring likelihood, especially for specific areas of risk which are time limited. For a detailed discussion about frequency and probability see the guidance notes.

Table 3 Risk scoring = consequence x likelihood (C x L)

                    Likelihood score
Consequence score   1 Rare    2 Unlikely  3 Possible  4 Likely  5 Almost certain
5 Catastrophic      5         10          15          20        25
4 Major             4         8           12          16        20
3 Moderate          3         6           9           12        15
2 Minor             2         4           6           8         10
1 Negligible        1         2           3           4         5

Note: the above table can be adapted to meet the needs of the individual trust.

For grading risk, the scores obtained from the risk matrix are assigned grades as follows

1 - 3     Low risk
4 - 6     Moderate risk
8 - 12    High risk
15 - 25   Extreme risk

Instructions for use

1 Define the risk(s) explicitly in terms of the adverse consequence(s) that might arise from the risk.

2 Use table 1 (page 13) to determine the consequence score(s) (C) for the potential adverse outcome(s) relevant to the risk being evaluated.

3 Use table 2 (above) to determine the likelihood score(s) (L) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project or a patient care episode. If it is not possible to determine a numerical probability then use the probability descriptions to determine the most appropriate score.


4 Calculate the risk score by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score)

5 Identify the level at which the risk will be managed in the organisation, assign priorities for remedial action, and determine whether risks are to be accepted on the basis of the colour bandings and risk ratings, and the organisation’s risk management system. Include the risk in the organisation risk register at the appropriate level.