3.2
EAST AND NORTH HERTFORDSHIRE CCG
INTERIM GOVERNANCE ARRANGEMENTS - RISK MANAGEMENT POLICY
Decision Discussion Information
Follow up from last meeting
Report author: Helen Edmondson
Report signed off by: Helen Edmondson
Purpose of the paper: The paper proposes a way forward with regard to Interim Governance Arrangements.
Recommendations to the Board: The Board is asked to agree to adopt the Risk Management Policy. The Board is asked to agree to develop its own policy and systems for risk management ready for establishment of the CCG in April 2013.
Proposed Interim Governance Arrangements

Background
East and North Hertfordshire CCG is a sub-committee of NHS Hertfordshire, providing it with a range of delegated authorities. The CCG will be established as a statutory organisation in April 2013 and as such will be required to have systems and processes in place to ensure that it can discharge its statutory responsibilities, including arrangements for governance and risk management.

Context
NHS Hertfordshire has an established Risk Management Policy and Governance Handbook. The process and systems are based on good practice and play an important role in providing the PCT Board with assurance. The Risk Management Policy details the system of risk management and the reporting mechanisms. The Governance Handbook describes the means by which Hertfordshire PCT fulfils its corporate governance.

Recommendation
The Shadow CCG Board is asked to adopt the established Risk Management Policy (Appendix 1). This will be for the transition period up until establishment in April 2013. This is with the understanding that the CCG will develop its own policy and systems to be in place ready for establishment. During the transition period the reporting will be to the CCG’s Audit and Governance Committee.
\\nebula.xherts.nhs.uk\Data\PCTs\Secure\Corporate Services\Governance Policies\Risk Management Policy February 2011.doc
Page 1 of 24
RISK MANAGEMENT POLICY
Policy Owner: David Henson, Head of Corporate Governance
Policy Author: Claire Goodey, Corporate Governance Officer
Directorate: Primary Care Development
Ratifying Committee: NHS Hertfordshire’s Board
Date of Approval: 27th July 2011
Date of Review: July 2013
Document History

Version | Author | Date
1.1 (first draft) | Claire Goodey | April 2011
1.2 (incorporating comments from the Risk and Assurance Sub Committee) | Claire Goodey | May 2011
1.3 (incorporating comments from the Audit Committee and Project Management Office) | Claire Goodey | July 2011 (approved by the Board on the 27th July 2011)
1.4 (amendments made to tolerance levels following Board agreement to increase tolerance for service improvement risks) | Claire Readman (nee Goodey) | February 2012
Contents
Section No. | Section Name | Page No.
Executive Summary 4
1. Introduction 5
2. Terms / Acronyms Used 5
3. Policy 6
4. Risk Management Structure 6
5. Risk Management in Commissioned services 9
6. Independent Contractors 10
7. Roles and Responsibilities 10
8. Risk Identification and Assessment 11
9. Risk Appetite 12
10. Risk Tolerance 13
11. Risk Management Procedure 13
12. Training 14
13. Monitoring 14
14. References 14
15. Related Policies and Documents 14
Appendix 1 Board Assurance Framework Template 16
Appendix 2 Risk Register Template 17
Appendix 3 Risk Scoring Matrix 18
Appendix 4 Risk Appetite and Tolerance Levels 22
Appendix 5 Equality Impact Assessment Stage 1 Screening 23
Appendix 6 Privacy Impact Assessment Stage 1 Screening 24
Executive Summary
NHS Hertfordshire recognises that it is impossible and not always desirable to eliminate all risks and that systems of controls should not be so rigid that they stifle innovation and imaginative use of limited resources, therefore NHS Hertfordshire seeks to apply a system of risk management, not to eliminate risk entirely but to mitigate risk to an acceptable level.
Risks may be identified by any member of staff. Risks should be reported to the relevant work stream lead (see pages 6-9 for a list of work stream leads). The work stream lead will add the risk to the relevant work stream risk register on Datix. Work stream leads are responsible for the maintenance of their risk registers.
Each time the committee that owns the risk register meets to discuss the work stream they will be provided with a copy of the work stream risk register. The committee must ensure that all known risks to the work stream are recorded on the risk register. In addition they must approve the description and the scoring of the risk and monitor the implementation of the action plan.
Where risks are breaching NHS Hertfordshire’s risk tolerance levels these should be reported to the Risk and Assurance Sub Committee and recommended for escalation to the Board who will then make a decision on the action to be taken.
1. Introduction
1.1 NHS Hertfordshire is committed to being an organisation within which diversity, equality and human rights are valued. We will not discriminate either directly or indirectly and will not tolerate harassment or victimisation in relation to gender, marital status (including civil partnership), gender reassignment, disability, race, age, sexual orientation, religion or belief, trade union membership, status as a fixed-term or part-time worker, socio-economic status and pregnancy or maternity.
1.2 NHS Hertfordshire works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.
1.3 NHS Hertfordshire, via the Information Governance Toolkit, provides the means by which the NHS can assess our compliance with current legislation, Government and National guidance.
1.4 Information Governance covers: Data Protection & IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance.
1.5 NHS Hertfordshire is committed to a strategy which minimises risks to all its stakeholders through a comprehensive system of internal controls, whilst maximising potential for flexibility, innovation and best practice in delivery of its corporate objectives.
2. Terms / Acronyms Used
NHS = National Health Service
IT = Information Technology
QIPP = Quality, Innovation, Productivity and Prevention
PMO = Project Management Office
PCT = Primary Care Trust
3. Policy
3.1 Risk is the effect of uncertainty on the organisation’s objectives. The goal of risk management is to make uncertainty visible and the organisation resilient to its effects.
3.2 NHS Hertfordshire recognises that it is impossible and not always desirable to eliminate all risks and that systems of controls should not be so rigid that they stifle innovation and imaginative use of limited resources, therefore NHS Hertfordshire seeks to apply a system of risk management, not to eliminate risk entirely but to mitigate risk to an acceptable level.
4. Risk Management Structure
4.1 NHS Hertfordshire uses a Board Assurance Framework to articulate the key strategic risks to the organisation’s objectives, the controls and assurances in place, their effectiveness, the severity of the remaining risk and the action plans in place to further mitigate the risks. The Board Assurance Framework Template can be found at Appendix 1.
4.2 NHS Hertfordshire uses work stream risk registers to articulate the operational risks to the organisation’s objectives. Each work stream has its own risk register and each risk register is owned by the relevant work stream lead and assigned to a committee for monitoring purposes. See table 1 below for details of NHS Hertfordshire’s major work streams, its sub work streams, the corresponding risk register owners and the committees responsible.
4.3 Table 1: Risk Management Structure (columns: Sub Work Stream | Risk Register Owner | Committee Responsible, grouped by Major Work Stream):

Major Work Stream: Current Delivery: QIPP
Ambulance | Assistant Director Finance - Acute Services (currently Jane Rice) | PMO
Community Services | Assistant Director Community Commissioning (currently Jean Cobb) | PMO
DQHH | Assistant Programme Director DQHH (currently Andrew Geddes) | PMO
Estates | Assistant Director Estates and Facilities (currently Justin Spencer) | PMO
Financial Management | Assistant Director Financial Strategy and Monitoring (currently Noreen Coles) | PMO
Intermediate Care | Programme Director DQHH (currently Jacqui Bunce) | PMO
Local Prescribing | Assistant Director/Head of Pharmacy & Medicines Management (currently Heather Gray) | PMO
Long Term Conditions | Assistant Director Strategic Planning (currently Phil Crossley) | PMO
Mental Health and Learning Disability | Assistant Director Partnership Commissioning (currently Jane Hainstock) | PMO
Pathology | Programme Director DQHH (currently Jacqui Bunce) | PMO
Planned Care | Assistant Director of Acute Commissioning (currently Elaine Askew) | PMO
Prevention | Public Health Consultant (currently Hilary Angwin) | PMO
Primary Care | Assistant Director Primary Care Commissioning (currently John Phipps) | PMO
Procurement | Head of System Management Business Support (currently Trudi Southam) | PMO
Specialised Commissioning | Assistant Director of Acute Commissioning (currently Elaine Askew) | PMO
Urgent Care | Assistant Director Service Redesign - Unplanned Care (currently Dee Boardman) | PMO

Major Work Stream: Regulatory Compliance: Legislation
Counter Fraud | Local Counter Fraud Specialist (currently Francesca Pillow) | Audit Committee
Emergency Planning | Emergency Planning & Resilience Manager (currently Tony Ferrari) | Resilience and Business Continuity Committee
Health and Safety | Head of Facilities (currently John Hatchett) | Risk and Assurance Sub Committee
Information Governance | Information Governance Manager (currently Val Penn) | Information Governance Sub Committee
Patient Safety | Head of Patient Experience & Safety (currently Tracey Cooper) | Quality Assurance Committee

Major Work Stream: Workforce
Staffing | Director of Workforce Transformation (currently Alan Farmer) | PMO
Training | Director of Workforce Transformation (currently Alan Farmer) | PMO

Major Work Stream: Corporate Services
Communications | Assistant Director Communications (currently Juliet Rodgers) | PMO
Governance | Head of Corporate Governance (currently David Henson) | Risk and Assurance Sub Committee
ICT | Head of ICT (currently Martin Wallis) | Information Governance Sub Committee
Public Engagement | Head of Public Engagement (currently Lynda Dent) | PMO

Major Work Stream: Future Transition
Set Up Consortia | Assistant Director of PCSR Commissioning (currently Nicky Poulain) & Deputy Director Public Health (currently Louise Smith) | PMO
4.4 NHS Hertfordshire uses the risk management software, Datix, to record its operational risks. Data held on Datix can be exported to Excel to produce risk register reports. A template risk register report can be found at Appendix 2. This template is to be used to report risk to the relevant committees.
4.5 The risks on NHS Hertfordshire’s Board Assurance Framework should represent all of the PCT’s work streams. As mentioned above each work stream has its own operational risk register. If an operational risk register is highlighting a problem area this should be articulated under the relevant risk on the Board Assurance Framework as a gap in the controls. In addition, if an operational risk starts to threaten the strategic objectives of NHS Hertfordshire then it will be escalated to the Board Assurance Framework.
5. Risk Management in Commissioned services
5.1 NHS Hertfordshire will agree with all commissioned services a process for risk management through contract and Service Level Agreement (SLA) arrangements. Commissioned services will be expected to report via appropriate quality of service and SLA monitoring meetings on key risks. NHS Hertfordshire needs to be assured that the services it commissions are meeting national standards and those identified in NHS Hertfordshire’s strategy.
6. Independent Contractors
6.1 Independent Contractors and their staff are actively encouraged to ensure they develop risk management systems for both risk assessment and adverse event reporting and comply with all relevant Health and Safety and Information Governance Legislation.
6.2 They should record and review all adverse events that occur on their premises and take appropriate remedial action. They should also ensure that the Health and Safety Executive and other agencies as appropriate are informed of relevant incidents.
6.3 Independent Contractors should ensure that the PCT is informed of any significant incidents that potentially or actually impact on the Independent Contractor’s ability to deliver a safe, high quality service. Information regarding their Risk Management systems will be provided to the PCT within the requirements of Contract Monitoring and the Quality and Outcomes Framework and reported to the Quality Assurance Sub Committee.
6.4 Independent Contractors and their staff may utilise appropriate policies developed by the PCT.
6.5 Independent Contractors (general practitioners, dentists, pharmacists and optometrists) and their staff are individually responsible for taking action in response to risks.
7. Roles and Responsibilities
7.1 The Chief Executive is accountable for having in place an effective system of risk management and internal control.
7.2 The Board is required to have confidence in the systems of Internal Control within the organisation.
7.3 The Director of Primary Care Development is the designated Director with overall responsibility for ensuring the implementation of risk management and organisational controls and for reporting to the Board.
7.4 Members of the Executive Team are required to ensure the provision of effective and comprehensive risk management collectively as an Executive Team and individually in relation to their individual directorates.
7.5 All staff are required to understand their responsibility for ensuring an awareness of the importance of effective risk management within their specific remit and throughout the organisation.
7.6 Risk Register Owners are responsible for updating their risk registers in real time using Datix.
7.7 Committee administrators must ensure that risk registers feature on the relevant agendas whenever the work stream is being discussed and make timely requests to the Corporate Governance Officer for copies of the relevant risk registers.
7.8 The Corporate Governance Officer must produce risk register reports for the relevant committees upon request and provide Datix training and support to Risk Register Owners as well as basic risk management training to all staff as part of their corporate induction and ongoing mandatory training.
7.9 The Committees must monitor the risks on the risk registers and participate in identifying new risks, assessing the severity of the risks (i.e. the risk score) and monitoring the implementation of action plans put in place to mitigate the risks. Committees are also responsible for identifying risks that need to be escalated to the Board for their consideration.
7.10 The Risk and Assurance Sub Committee is responsible for ensuring there is a robust risk management system in place. It carries out this function by agreeing the risk management strategy and policy, reviewing the Board Assurance Framework on a regular basis, by agreeing the annual risk management report for submission to the Board and receiving reports from internal audit following reviews of the PCT’s risk management processes and monitoring the resulting action plans.
7.11 The Audit Committee is responsible for monitoring the work of the Risk and Assurance Sub Committee and ensuring that a comprehensive programme of audits is agreed with the internal auditors each year which focuses on the key strategic risks detailed on the Board Assurance Framework.
8. Risk Identification and Assessment
8.1 Risk may be identified as part of the ongoing review of services or functions, when new services or functions are introduced or where there are changes. Risks may also be identified following incidents, complaints, claims, information from PALS or as a result of internal or external audits and reviews or trend analysis from these sources.
8.2 Once risk is identified it is measured in terms of consequences and likelihood. This has allowed the construction of a risk matrix that can be used as the basis for identifying acceptable and unacceptable risk. NHS Hertfordshire uses a risk scoring matrix based upon the NPSA’s to score its risks. Some revisions have been necessary to adapt the risk scoring matrix for the PCT’s purposes. Please see Appendix 3 for more detail.
8.3 For each risk identified there may be physical or financial consequences. For others the risks may be reputational or failure to comply with standards and legislation. When assessing the score for the consequences of such a risk, the clinical assessment (e.g. serious injury or death) will always take precedence over the financial assessment.
8.4 The objective of risk assessment is to clearly identify and quantify the risk, and to provide data to assist in the evaluation and management of risks. Risk Assessment involves consideration of the cause of the risk, its consequences and the likelihood that those consequences may occur. Factors which affect consequences and likelihood may be identified and used as the basis for risk mitigation plans. Risk is analysed by combining estimates of consequences and likelihood in the context of existing control measures.
Risk = Consequences x Likelihood.
9. Risk Appetite
9.1 Each risk category needs to be linked to desired outcomes in order to codify the Board’s collective view of what level of risk could and should be tolerated, and for what period, in order to achieve objectives. Risk categorisation on its own is therefore rather sterile.
9.2 Table 2: Risk Appetite Statement (columns: Assessment | Score | Description of potential effect):

High Risk Appetite | 5 | In relation to this area of work, the PCT is willing to accept risks that are likely to occur and would then lead to some degree of damage to its reputation, possible financial exposure, or short term disruption to one or more service area.

Moderate Risk Appetite | 4 | In relation to this area of work, the PCT is willing to accept risks that may occur and would then lead to some degree of damage to its reputation, or possible financial loss, exposure or short term disruption to no more than one service area.

Neutral Risk Appetite | 3 | In relation to this area of work, the PCT is willing to accept risks that might occur in certain circumstances and could lead to some degree of damage to its reputation, possible financial exposure, or minor disruption to one or more service areas.

Low Risk Appetite | 2 | In relation to this area of work, the PCT is willing to accept improbable risks that might, however, lead to some degree of damage to its reputation, financial exposure, or minor disruption to a service area, should these risks materialise or fail to be mitigated.

Zero Risk Appetite | 1 | In relation to this area of work, the PCT is not willing to accept any risks that could lead to damage to its reputation, financial loss or exposure, major breakdown in services, information systems or integrity, failings in significant aspects of regulatory and / or legislative compliance, potential risk of injury to staff, service users or public.

Examples might be:
5: A secondary to primary care service redesign programme that has clear potential to deliver better quality and more cost-effective care, but is likely to make current users or staff feel uncertain or inconvenienced by the change
3: Change over of a number of practices’ IT systems to new software
1: Not submitting correct accounts on time
9.3 NHS Hertfordshire has articulated its risk appetite in relation to the risk categories described on the risk scoring matrix. This information can be found at Appendix 4.
10. Risk Tolerance
10.1 Appendix 4 also details the tolerance levels for each of the risk categories on the risk scoring matrix. All risks breaching the tolerance levels must, once identified, be immediately brought to the attention of the Executive Team. Once the Executive Team has agreed the risk score, these risks must be reported to the Risk and Assurance Sub Committee alongside a risk mitigation plan. These risks will also be reported to the Audit Committee and the Board.
11. Risk Management Procedure
11.1 Risks may be identified by any member of staff. Risks should be reported to the relevant work stream lead. The work stream lead will add the risk to the relevant work stream risk register on Datix.
11.2 Each time the committee that owns the risk register meets to discuss the work stream they will be provided with a copy of the work stream risk register. The committee must ensure that all known risks to the work stream are recorded on the risk register. In addition they must approve the description and the scoring of the risk and monitor the implementation of the action plan.
11.3 Where risks are breaching NHS Hertfordshire’s risk tolerance levels these should be reported to the Risk and Assurance Sub Committee and recommended for escalation to the Board who will then make a decision on the action to be taken.
12. Training
12.1 An introduction to risk management is to be delivered to all staff through the corporate induction with updates delivered as part of mandatory training. This introduction to risk management should focus on risk identification and the organisation’s processes for dealing with risk.
12.2 All risk register owners are to receive additional training on the completion of a risk register, including the use of Datix.
13. Monitoring
13.1 The Risk and Assurance Sub Committee will produce an annual risk management report detailing the processes in place to manage risk throughout the preceding year. This report is submitted to the Board to provide assurance and support the Statement on Internal Control.
13.2 Internal Audit will review the organisation’s risk management processes on a frequency agreed by the Audit Committee. In addition Internal Audit will review the high risk areas detailed on the Board Assurance Framework as part of the audit plan for the year.
14. References
Organising Uncertainty; a presentation given by Paul Moore, Chief Risk Officer, University Hospital South Manchester NHS Foundation Trust, at the Datix Patient Safety Conference on the 11th November 2010
East of England Strategic Health Authority Risk Management Strategy, July 2010
East of England Strategic Health Authority Risk Management Policy, July 2010
West Hertfordshire PCT and East and North Hertfordshire PCT’s Risk Management Policy, November 2008
15. Related Policies and Documents
The Governance Manual
Audit Committee Terms of Reference
Risk and Assurance Sub Committee Terms of Reference
The Board Assurance Framework
Work stream risk registers
Datix help sheets: Recording Risks Using Datix, Updating Risks Using Datix and Creating Risk Register Reports Using Datix.
NHS Hertfordshire’s Governance policies, Health and Safety policies, Clinical Policies and Information Governance Policies
NHS Hertfordshire’s Emergency and Business Continuity Plans
Appendix 1: Board Assurance Framework Template

Columns of the template:
Work Stream
Source Document
Risk Lead
Risk Number
Risk Appetite Assessment
Current Risk Score (C | L | Tot)
Target Risk Score (C | L | Tot)
Cause of Risk
Effect of Risk
Controls
Gaps In Controls
Assurances
Gaps in Assurances
Status of Controls
Actions
Lead for the action
Deadline for the action
Comments/ Updates

The 'Status of Control' column will be colour coded:
Red: The control is ineffective
Amber: The control is having some effect however it is insufficient
Green: An effective control
Appendix 2: Risk Register Template

Title

Column groups: Inherent Risk Score | Current Risk Score | Target Risk Score

Columns of the template:
Reference No
Title
Work stream
Sub Type
Risk Owner
Date Risk Identified
Risk Description and Consequences
Inherent Risk Score: Consequence | Likelihood | Risk Score
Controls in Place
Current Risk Score: Consequence | Likelihood | Risk Score
Action or Milestone
Actions/Milestones
Action target date
Action completion Date
Updates
Target Risk Score: Consequence | Likelihood | Risk Score
Target Completion Date
Traffic Light
Appendix 3: Risk Scoring Matrix
Table 1 Consequence scores (C) Choose the most appropriate category for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column.
Consequence score (severity levels) and examples of descriptors
Categories 1 = Negligible 2 = Minor 3 = Moderate 4 = Major 5 = Catastrophic
Safety of staff and visitors
- Minimal injury requiring no/minimal intervention or treatment.
- No time off work
- Minor injury or illness, requiring minor intervention
- Requiring time off work for 1-3 days
- Moderate injury requiring professional intervention
- Requiring time off work for 4-14 days RIDDOR/agency reportable incident
- Major injury leading to long-term incapacity/disability
- Requiring time off work for >14 days
- Or Moderate injury requiring professional intervention for multiple persons
- Incident leading to death - Multiple permanent injuries
or irreversible health effects
- Or Major injury leading to long-term incapacity/ disability for multiple persons
Quality/ complaints/ patient safety / audit
- Peripheral element of treatment or service suboptimal
- PALS contact with issue resolved in less than 24 hours
- Overall treatment or service suboptimal
- PALS contact with issue resolved in 24 – 72 hours
- Single failure to meet internal standards
- Minor implications for patient safety if unresolved
- Providers failing to report patient safety incidents
- Reduced performance rating if unresolved
- Treatment or service has significantly reduced effectiveness
- Complaint made, local resolution undertaken and issue resolved with a written response.
- Repeated failure to meet internal standards ·
- A patient safety incident which indicates a more significant problem.
- Major patient safety implications if findings are not acted on
- Non-compliance with national standards with significant risk to patients if unresolved
- Complaint made, local resolution undertaken and issue resolved with a complaints meeting.
- Multiple complaints on the same issue / about the same service.
- Rate of patient safety incidents significantly higher than the regional trend
- Low performance rating - Critical report
- Totally unacceptable level or quality of treatment / service
- Complaint made to ombudsman
- A patient safety incident arising from a system wide failure / lack of learning from a previous incident
- Gross failure to meet national standards
- An inquest / ombudsman inquiry (where the PCT is the subject of the complaint) which demonstrates a systematic failure.
\\nebula.xherts.nhs.uk\Data\PCTs\Secure\Corporate Services\Governance Policies\Risk Management Policy February 2011.doc Page 19 of 24
Consequence score (severity levels) and examples of descriptors
Categories 1 = Negligible 2 = Minor 3 = Moderate 4 = Major 5 = Catastrophic
Human resources/ staffing/ competence
- Short-term low staffing level that temporarily reduces service quality (< 1 day)
- Low staffing level that reduces the service quality (>1 day)
- Late delivery of key objective/ service due to lack of staff
- Unsafe staffing level or competence (1-5 days)
- Low staff morale - Poor staff attendance for
mandatory/ key training
- Uncertain delivery of key objective/ service due to lack of staff
- Unsafe staffing level or competence (>5 days)
- Loss of key staff - Very low staff morale - No staff attending
mandatory/ key training
- Non-delivery of key objective/ service due to lack of staff
- Ongoing unsafe staffing levels or competence
- Loss of several key staff - No staff attending
mandatory training /key training on an ongoing basis
Statutory duty/ inspections
- Minimal impact or breach of guidance/ statutory duty
- A breach of a single piece of statutory legislation
- Reduced performance rating if unresolved
- A single breach of a statutory duty or multiple breaches of a single piece of statutory legislation
- Challenging external recommend-ations/ improvement notice
- Multiple breaches of a statutory duty
- Low performance rating - Improvement notices - Enforcement action - Critical report
- Multiple breaches of more than one statutory duty
- Zero performance rating - Complete systems change
required - Severely critical report - Prosecution
Adverse publicity/ reputation
- Rumours - Potential for public concern
- Local media coverage - Local media coverage - Short-term reduction in
public confidence - Elements of public
expectation not being met - MP concerned (questions
in the House)
- National media coverage - Long-term reduction in
public confidence
- National media coverage with commission-ing decisions well below reasonable public expectation.
- Total loss of public confidence
Service improvement / service development
- 1 (Negligible): Insignificant cost increase; minimal project timescale slippage
- 2 (Minor): <5 per cent over project budget; minor project timescale slippage
- 3 (Moderate): 5–10 per cent over project budget; moderate project timescale slippage
- 4 (Major): 10–25 per cent over project budget; major project timescale slippage; a key objective not met
- 5 (Catastrophic): >25 per cent over project budget; catastrophic project timescale slippage; multiple key objectives not met
Financial management
- 1 (Negligible): Overspend of <£17k
- 2 (Minor): Overspend of £17k-£170k
- 3 (Moderate): Overspend of £170k-£1.7m
- 4 (Major): Overspend of £1.7m-£8.5m
- 5 (Catastrophic): Overspend of >£8.5m
Financial losses
- 1 (Negligible): Loss / claim of <£10,000
- 2 (Minor): Loss / claim of £10,000-£100,000
- 3 (Moderate): Loss / claim of £100,000-£500,000
- 4 (Major): Loss / claim of £500,000-£1m
- 5 (Catastrophic): Loss / claim of >£1m
Consequence score (severity levels) and examples of descriptors
Categories 1 = Negligible 2 = Minor 3 = Moderate 4 = Major 5 = Catastrophic
Service/ business interruption
- 1 (Negligible): Loss/interruption of 1-8 hours unless point in business cycle raises impact
- 2 (Minor): Loss/interruption of 8-24 hours unless point in business cycle raises impact
- 3 (Moderate): Loss/interruption of 1-7 days unless point in business cycle raises impact
- 4 (Major): Loss/interruption of >1 week unless point in business cycle raises impact
- 5 (Catastrophic): Permanent loss of service or facility
Environmental impact
- 1 (Negligible): Minimal or no impact on the working environment, e.g. 2-3 hours without water / electricity
- 2 (Minor): Minor impact on the working environment, e.g. 3-6 hours without water / electricity
- 3 (Moderate): Moderate impact on the working environment, e.g. 1 day – 1 week without water / electricity
- 4 (Major): Major impact on the working environment, e.g. >1 week without water / electricity
- 5 (Catastrophic): Catastrophic impact on environment, e.g. permanent loss of building / utilities
Table 2 Likelihood score (L)
What is the likelihood of the consequence occurring?
The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.
Likelihood score, descriptor and frequency (how often might it/ does it happen):
- 1 Rare: This will probably never happen/ recur
- 2 Unlikely: Do not expect it to happen/ recur but it is possible it may do so
- 3 Possible: Might happen or recur occasionally
- 4 Likely: Will probably happen/ recur but it is not a persisting issue
- 5 Almost certain: Will undoubtedly happen/ recur, possibly frequently
Table 3 Risk scoring = consequence x likelihood (C x L)
Likelihood
Consequence 1 2 3 4 5
Rare Unlikely Possible Likely Almost certain
5 Catastrophic 5 10 15 20 25
4 Major 4 8 12 16 20
3 Moderate 3 6 9 12 15
2 Minor 2 4 6 8 10
1 Negligible 1 2 3 4 5
For grading risk, the scores obtained from the risk matrix are assigned grades as follows:
- 1 - 3 Low risk
- 4 - 6 Moderate risk
- 8 - 12 Significant risk
- 15 - 25 High risk
Instructions for use
1. Define the risk explicitly in terms of the adverse consequence(s) that might arise from the risk.
2. Use table 1 to determine the consequence score (C) for the potential adverse outcome(s) relevant to the risk being evaluated.
3. Use table 2 to determine the likelihood score (L) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project. If it is not possible to determine a numerical probability then use the probability descriptions to determine the most appropriate score.
4. Calculate the risk; score the risk by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score)
Appendix 4: Risk Appetite and Tolerance Levels
Risk category: risk appetite score / risk tolerance level*
- Safety of staff and visitors: 2 / 16
- Quality / complaints / patient safety / audit: 1 / 12
- Human resources / staffing / competence: 3 / 12
- Statutory duty / inspections: 3 / 12
- Adverse publicity / reputation: 4 / 15
- Service improvement / service development: 3 / 16
- Financial management: 3 / 12
- Financial losses: 4 / 16
- Service / business interruption: 4 / 12
- Environmental impact: 4 / 16
*Once the risk score has been calculated using the risk scoring matrix, if it scores at or above the tolerance level for that category it will be reported to the Board.
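The scoring steps in the instructions for use (C x L, then the Table 3 grade bands) and the Appendix 4 reporting rule, carried through as an added worked example. This is not part of the policy or of NHS Hertfordshire's systems; the category names, appetite scores and tolerance levels are transcribed from Appendix 4, and the function names are the editor's own. It also checks that every product a 5 x 5 matrix can produce lands in one of the grade bands, which is why the bands can leave gaps at 7, 11, 13 and 14.

```python
"""Risk scoring walk-through for the 5 x 5 consequence x likelihood matrix.

Added example, not part of the policy document. Category names, appetite
scores and tolerance levels are transcribed from Appendix 4; the grade bands
and the 'report at or above tolerance' rule are from Table 3 and the
Appendix 4 footnote. Function names are assumptions of this example.
"""
from itertools import product

# Table 3 grade bands: (low, high, grade). Products of two scores in 1..5
# never land on 7, 11, 13 or 14, so the bands can leave those gaps.
GRADE_BANDS = (
    (1, 3, "Low risk"),
    (4, 6, "Moderate risk"),
    (8, 12, "Significant risk"),
    (15, 25, "High risk"),
)

# Appendix 4: category -> (risk appetite score, risk tolerance level)
RISK_APPETITE = {
    "Safety of staff and visitors": (2, 16),
    "Quality / complaints / patient safety / audit": (1, 12),
    "Human resources / staffing / competence": (3, 12),
    "Statutory duty / inspections": (3, 12),
    "Adverse publicity / reputation": (4, 15),
    "Service improvement / service development": (3, 16),
    "Financial management": (3, 12),
    "Financial losses": (4, 16),
    "Service / business interruption": (4, 12),
    "Environmental impact": (4, 16),
}


def _check_score(name, value):
    """Consequence and likelihood scores are integers 1..5 (Tables 1 and 2)."""
    if value not in range(1, 6):
        raise ValueError(f"{name} score must be 1..5, got {value!r}")


def grade_for(score):
    """Map a C x L product onto the Table 3 grade bands."""
    for low, high, grade in GRADE_BANDS:
        if low <= score <= high:
            return grade
    raise ValueError(f"{score} is not a reachable C x L product")


def evaluate_risk(category, consequence, likelihood):
    """Steps 2-4 of the instructions plus the Appendix 4 reporting rule."""
    _check_score("consequence", consequence)
    _check_score("likelihood", likelihood)
    appetite, tolerance = RISK_APPETITE[category]
    score = consequence * likelihood
    return {
        "score": score,
        "grade": grade_for(score),
        "appetite": appetite,
        "tolerance": tolerance,
        # Footnote to Appendix 4: at or above tolerance -> reported to the Board
        "report_to_board": score >= tolerance,
    }


def reachable_scores():
    """Every distinct product the 5 x 5 matrix can produce (14 values)."""
    return sorted({c * lk for c, lk in product(range(1, 6), repeat=2)})


def board_reportable_cells(category):
    """Matrix cells (C, L) whose score reaches the category's tolerance level."""
    tolerance = RISK_APPETITE[category][1]
    return [(c, lk) for c, lk in product(range(1, 6), repeat=2) if c * lk >= tolerance]


if __name__ == "__main__":
    # Lower tolerance means more of the matrix is escalated to the Board.
    for cat, (_, tol) in RISK_APPETITE.items():
        print(f"{cat:46} tolerance {tol:>2}: "
              f"{len(board_reportable_cells(cat))} of 25 cells reportable")
    # A catastrophic-but-possible safety risk scores 15 (High risk) yet sits
    # just below the category's tolerance of 16.
    print(evaluate_risk("Safety of staff and visitors", 5, 3))
```

Running the module shows that a score of 15 in the Safety category is graded High risk but is not Board-reportable, while the same score in Adverse publicity / reputation (tolerance 15) is, which is the practical difference between the grade bands and the per-category tolerance levels.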
Appendix 5 – Equality Impact Assessment Stage 1 Screening
1. Policy EIA Completion Details
Title: Risk Management Policy
Proposed Existing
Date of Completion: July 2011
Review Date: July 2013
Names & Titles of staff involved in completing the EIA: Claire Goodey, Corporate Governance Officer
2. Details of the Policy. Who is likely to be affected by this policy?
Staff Patients Public
3. Impact on Groups
Probable impact on group?
Positive Adverse None
High, Medium or Low
Please explain your answers
Age Low
Being married or in a civil partnership
Low
Disability, inc. learning difficulties, physical disability, sensory impairment etc. Low
Having just had a baby or being pregnant
Low
Race, ethnicity, nationality, language etc. Low
Religion or belief Low
Sex (inc. being a transsexual person)
Low
Sexual Orientation Low
Other:
If a PCT strategy / policy / procedure may impact negatively on a particular group then a risk assessment can be undertaken to inform the relevant committee so that remedial action can be taken.
No impact on any of the groups above.
Please explain and provide evidence N/A
4. Which equality legislative Act applies to the policy?
Human Rights Act 1998 Equality Act 2010 Health & Safety Regulations
Mental Health Act 1983 Mental Capacity Act 2005
5. How could the identified adverse effects be minimised or eradicated?
N/A
6. How is the effect of the policy on different Impact Groups going to be monitored?
David Henson, Head of Corporate Governance, will have responsibility for overseeing this process.
Appendix 6 – Privacy Impact Assessment Stage 1 Screening
1. Policy PIA Completion Details
Title: Risk Management Policy
Proposed Existing
Date of Completion: April 2011
Review Date: April 2013
Names & Titles of staff involved in completing the PIA: Claire Goodey, Corporate Governance Officer
2. Details of the Policy. Who is likely to be affected by this policy?
Staff Patients Public
Yes No Please explain your answers
Technology: Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)
NHS Hertfordshire’s risks are recorded on a Datix database. This database also holds patient identifiable information (within the incidents, complaints, PALS and claims modules); however, the risk leads’ accounts are restricted so that they only have access to the risk module.
Identity: By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)
By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?
The risk module does not hold any patient identifiable information.
Multiple Organisations: Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)
The policy describes how agreement will be reached with commissioned services on their risk management processes and contains guidance for independent contractors.
Data: By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)
NHS Hertfordshire’s risks have been recorded on Datix for the past 2 years, so there is no change to the data handling process. Previously this data was maintained by the Corporate Governance Officer. From now on it will be maintained by the risk register owners.
If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?
The risks have been assessed (as explained above) and appropriate controls have been implemented. The policy content and its implications are understood and approved by the department.