EAST AND NORTH HERTOFRDSHIRE CCG INTERIM ......2012/06/07 · Excel to produce risk register reports. A template risk register report can be found at Appendix 2. This template is

3.2

EAST AND NORTH HERTOFRDSHIRE CCG

INTERIM GOVERNANCE ARRANGEMENTS - RISK MANAGEMENT POLICY

Decision Discussion Information

Follow up from last meeting

Report author: Helen Edmondson Report signed off by: Helen Edmondson Purpose of the paper: The paper proposes a way forward with regard to Interim Governance Arrangements. Recommendations to the Board The Board is asked to agree to adopt the Risk Management Policy. The Board is asked to agree to develop its own policy and systems for risk management ready for establishment of the CCG in April 2013.

3.2

Proposed Interim Governance Arrangements Background East and North Hertfordshire CCG is a sub-committee of NHS Hertfordshire, providing it with a range of delegated authorities. The CCG will be established as a statutory organisation in April 2013 and as such will be required to have systems and processes in place to ensure that it can discharge its statutory responsibilities, including arrangements for governance and risk management. Context NHS Hertfordshire has an established Risk Management Policy and Governance Handbook. The process and systems are based on good practice and play an important role in providing the PCT Board with assurance. The Risk Management Policy details the system of risk management and the reporting mechanisms. The Governance Handbook describes the means by which Hertfordshire PCT fulfils its corporate governance. Recommendation The Shadow CCG Board is asked to adopt the established Risk Management Policy (Appendix 1). This will be for the transition period up until establishment in April 2013. This is with the understanding that the CCG will develop its own policy and systems to be in place ready for establishment. During the transition period the reporting will be to the CCG’s Audit and Governance Committee.

\\nebula.xherts.nhs.uk\Data\PCTs\Secure\Corporate Services\Governance Policies\Risk Management Policy February 2011.doc

Page 1 of 24

RISK MANAGEMENT POLICY


Page 2 of 24

Policy Owner David Henson, Head of Corporate

Governance Policy Author Claire Goodey, Corporate

Governance Officer Directorate Primary Care Development Ratifying Committee NHS Hertfordshire’s Board Date of Approval 27th July 2011 Date of Review July 2013

Document History

Version Author Date 1.1 (first draft) Claire Goodey April 2011 1.2 (incorporating comments from the Risk and Assurance Sub Committee)

Claire Goodey May 2011

1.3 (incorporating comments from the Audit Committee and Project Management Office)

Claire Goodey July 2011 (approved by the Board on the 27th July 2011)

1.4 (amendments made to tolerance levels following Board agreement to increase tolerance for service improvement risks)

Claire Readman (nee Goodey)

February 2012


Page 3 of 24

Contents

Section No.

Section Name Page No.

Executive Summary 4

1. Introduction 5

2. Terms / Acronyms Used 5

3. Policy 6

4. Risk Management Structure 6

5. Risk Management in Commissioned services 9

6. Independent Contractors 10

7. Roles and Responsibilities 10

8. Risk Identification and Assessment 11

9. Risk Appetite 12

10. Risk Tolerance 13

11. Risk Management Procedure 13

12. Training 14

13. Monitoring 14

14. References 14

15. Related Policies and Documents 14

Appendix 1 Board Assurance Framework Template 16

Appendix 2 Risk Register Template 17

Appendix 3 Risk Scoring Matrix 18

Appendix 4 Risk Appetite and Tolerance Levels 22

Appendix 5 Equality Impact Assessment Stage 1 Screening 23

Appendix 6 Privacy Impact Assessment Stage 1 Screening 24


Page 4 of 24

Executive Summary

NHS Hertfordshire recognises that it is impossible and not always desirable to eliminate all risks and that systems of controls should not be so rigid that they stifle innovation and imaginative use of limited resources, therefore NHS Hertfordshire seeks to apply a system of risk management, not to eliminate risk entirely but to mitigate risk to an acceptable level.

Risks may be identified by any member of staff. Risks should be reported to the relevant work stream lead (see pages 6-9 for a list of work stream leads). The work stream lead will add the risk to the relevant work stream risk register on Datix. Work stream leads are responsible for the maintenance of their risk registers.

Each time the committee that owns the risk register meets to discuss the work stream they will be provided with a copy of the work stream risk register. The committee must ensure that all known risks to the work stream are recorded on the risk register. In addition they must approve the description and the scoring of the risk and monitor the implementation of the action plan.

Where risks are breaching NHS Hertfordshire’s risk tolerance levels these should be reported to the Risk and Assurance Sub Committee and recommended for escalation to the Board who will then make a decision on the action to be taken.


Page 5 of 24

1. Introduction

1.1 NHS Hertfordshire is committed to being an organisation within which diversity, equality and human rights are valued. We will not discriminate either directly or indirectly and will not tolerate harassment or victimisation in relation to gender, marital status (including civil partnership), gender reassignment, disability, race, age, sexual orientation, religion or belief, trade union membership, status as a fixed-term or part-time worker, socio - economic status and pregnancy or maternity.

1.2 NHS Hertfordshire works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.

1.3 NHS Hertfordshire, via the Information Governance Toolkit, provides the means by which the NHS can assess our compliance with current legislation, Government and National guidance.

1.4 Information Governance covers: Data Protection & IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance

1.5 NHS Hertfordshire is committed to a strategy which minimises risks to all its stakeholders through a comprehensive system of internal controls, whilst maximising potential for flexibility, innovation and best practice in delivery of its corporate objectives.

2. Terms / Acronyms Used

NHS = National Health Service

IT = Information Technology

QIPP = Quality, Innovation, Productivity and Prevention

PMO = Project Management Office

PCT = Primary Care Trust


Page 6 of 24

3. Policy

3.1 Risk is the effect of uncertainty on the organisation’s objectives. The goal of risk management is to make uncertainty visible and the organisation resilient to its effects.

3.2 NHS Hertfordshire recognises that it is impossible and not always desirable to eliminate all risks and that systems of controls should not be so rigid that they stifle innovation and imaginative use of limited resources, therefore NHS Hertfordshire seeks to apply a system of risk management, not to eliminate risk entirely but to mitigate risk to an acceptable level.

4. Risk Management Structure

4.1 NHS Hertfordshire uses a Board Assurance Framework to articulate the key strategic risks to the organisation’s objectives, the controls and assurances in place, their effectiveness, the severity of the remaining risk and the actions plans in place to further mitigate the risks. The Board Assurance Framework Template can be found at Appendix 1.

4.2 NHS Hertfordshire uses work stream risk registers to articulate the operational risks to the organisation’s objectives. Each work stream has its own risk register and each risk register is owned by the relevant work stream lead and assigned to a committee for monitoring purposes. See table 1 below for details of NHS Hertfordshire’s major work streams, its sub work streams, the corresponding risk register owners and the committees responsible.

4.3 Table 1: Risk Management Structure:

Major Work Stream

Sub Work Stream Risk Register Owner

Committee Responsible

Ambulance Assistant Director Finance - Acute Services (currently Jane Rice)

PMO

Community Services Assistant Director Community Commissioning (currently Jean Cobb)

PMO

DQHH Assistant Programme Director DQHH (currently Andrew Geddes)

PMO

Current Delivery: QIPP

Estates Assistant Director Estates and

PMO


Page 7 of 24

Major Work Stream



Facilities (currently Justin Spencer)

Financial Management

Assistant Director Financial Strategy and Monitoring (currently Noreen Coles)

PMO

Intermediate Care Programme Director DQHH (currently Jacqui Bunce)

PMO

Local Prescribing Assistant Director/Head of Pharmacy & Medicines Management (currently Heather Gray)

PMO

Long Term Conditions

Assistant Director Strategic Planning (currently Phil Crossley)

PMO

Mental Health and Learning Disability

Assistant Director Partnership Commissioning (currently Jane Hainstock)

PMO

Pathology Programme Director DQHH (currently Jacqui Bunce)

PMO

Planned Care Assistant Director of Acute Commissioning (currently Elaine Askew)

PMO

Prevention Public Health Consultant (currently Hilary Angwin)

PMO

Primary Care Assistant Director Primary Care Commissioning (currently John

PMO


Page 8 of 24

Major Work Stream



Phipps) Procurement Head of System

Management Business Support (currently Trudi Southam)

PMO

Specialised Commissioning

Assistant Director of Acute Commissioning (currently Elaine Askew)

PMO

Urgent Care Assistant Director Service Redesign - Unplanned Care (currently Dee Boardman)

PMO

Counter Fraud Local Counter Fraud Specialist (currently Francesca Pillow)

Audit Committee

Emergency Planning Emergency Planning & Resilience Manager (currently Tony Ferrari)

Resilience and Business Continuity Committee

Heath and Safety Head of Facilities (currently John Hatchett)

Risk and Assurance Sub Committee

Information Governance

Information Governance Manager (currently Val Penn)

Information Governance Sub Committee

Regulatory Compliance: Legislation

Patient Safety Head of Patient Experience & Safety (currently Tracey Cooper)

Quality Assurance Committee

Staffing Director of Workforce Transformation (currently Alan Farmer)

PMO Workforce

Training Director of Workforce Transformation

PMO


Page 9 of 24

Major Work Stream



(currently Alan Farmer)

Communications Assistant Director Communications (currently Juliet Rodgers)

PMO

Governance Head of Corporate Governance (currently David Henson)

Risk and Assurance Sub Committee

ICT Head of ICT (currently Martin Wallis)

Information Governance Sub Committee

Corporate Services

Public Engagement Head of Public Engagement (currently Lynda Dent)

PMO

Future Transition

Set Up Consortia Assistant Director of PCSR Commissioning (currently Nicky Poulain) & Deputy Director Public Health (currently Louise Smith)

PMO

4.4 NHS Hertfordshire uses the risk management software, Datix, to record its operational risks. Data held on Datix can be exported to Excel to produce risk register reports. A template risk register report can be found at Appendix 2. This template is to be used to report risk to the relevant committees.

4.5 The risks on NHS Hertfordshire’s Board Assurance Framework should represent all of the PCT’s work streams. As mentioned above each work stream has its own operational risk register. If an operational risk register is highlighting a problem area this should be articulated under the relevant risk on the Board Assurance Framework as a gap in the controls. In addition, if an operational risk starts to threaten the strategic objectives of NHS Hertfordshire then it will be escalated to the Board Assurance Framework.

5. Risk Management in Commissioned services

5.1 NHS Hertfordshire will agree with all commissioned services a process for risk management through contract and Service Level Agreement


Page 10 of 24

(SLA) arrangements. Commissioned services will be expected to report via appropriate quality of service and SLA monitoring meetings on key risks. NHS Hertfordshire needs to be assured that the services it commissions are meeting national standards and those identified in NHS Hertfordshire’s strategy.

6. Independent Contractors

6.1 Independent Contractors and their staff are actively encouraged to ensure they develop risk management systems for both risk assessment and adverse event reporting and comply with all relevant Health and Safety and Information Governance Legislation.

6.2 They should record and review all adverse events that occur on their premises and take appropriate remedial action. They should also ensure that the Health and Safety Executive and other agencies as appropriate are informed of relevant incidents.

6.3 Independent Contractors should ensure that the PCT is informed of any significant incidents that potentially or actually impact on the Independent Contractor’s ability to deliver a safe, high quality service. Information regarding their Risk Management systems will be provided to the PCT within the requirements of Contract Monitoring and the Quality and Outcomes Framework and reported to the Quality Assurance Sub Committee.

6.4 Independent Contractors and their staff may utilise appropriate policies developed by the PCT.

6.5 Independent Contractors (general practitioners, dentists, pharmacists and optometrists) and their staff are individually responsible for taking action in response to risks.

7. Roles and Responsibilities

7.1 The Chief Executive is accountable for having in place an effective system of risk management and internal control.

7.2 The Board is required to have confidence in the systems of Internal Control within the organisation.

7.3 The Director of Primary Care Development is the designated Director with overall responsibility for ensuring the implementation of risk management and organisational controls and for reporting to the Board.

7.4 Members of the Executive Team are required to ensure the provision of effective and comprehensive risk management collectively as an Executive Team and individually in relation to their individual directorates.


Page 11 of 24

7.5 All staff are required to understand their responsibility for ensuring an awareness of the importance of effective risk management within their specific remit and throughout the organisation.

7.6 Risk Register Owners are responsible for updating their risk registers in real time using Datix.

7.7 Committee administrators must ensure that risk registers feature on the relevant agendas whenever the work stream is being discussed and make timely requests to the Corporate Governance Officer for copies of the relevant risk registers.

7.8 The Corporate Governance Officer must produce risk register reports for the relevant committees upon request and provide Datix training and support to Risk Register Owners as well as basic risk management training to all staff as part of their corporate induction and ongoing mandatory training.

7.9 The Committees must monitor the risks on the risk registers and participate in identifying new risks, assessing the severity of the risks (i.e. the risk score) and monitoring the implementation of action plans put in place to mitigate the risks. Committees are also responsible for identifying risks that need to be escalated to the Board for their consideration.

7.10 The Risk and Assurance Sub Committee is responsible for ensuring there is a robust risk management system in place. It carries out this function by agreeing the risk management strategy and policy, reviewing the Board Assurance Framework on a regular basis, by agreeing the annual risk management report for submission to the Board and receiving reports from internal audit following reviews of the PCT’s risk management processes and monitoring the resulting action plans.

7.11 The Audit Committee is responsible for monitoring the work of the Risk and Assurance Sub Committee and ensuring that a comprehensive programme of audits is agreed with the internal auditors each year which focuses on the key strategic risks detailed on the Board Assurance Framework.

8. Risk Identification and Assessment

8.1 Risk may be identified as part of the ongoing review of services or functions, when new services or functions are introduced or where there are changes. Risks may also be identified following incidents, complaints, claims, information from PALS or as a result of internal or external audits and reviews or trend analysis from these sources.

8.2 Once risk is identified it is measured in terms of consequences and likelihood. This has allowed the construction of a risk matrix that can be used as the basis for identifying acceptable and unacceptable risk.


Page 12 of 24

NHS Hertfordshire uses a risk scoring matrix based upon the NPSA’s to score its risks. Some revisions have been necessary to adapt the risk scoring matrix for the PCT’s purposes. Please see Appendix 3 for more detail.

8.3 For each risk identified there may be physical or financial consequences. For others the risks may be reputational or failure to comply with standards and legislations. When assessing the score for the consequences of such a risk, the clinical assessment (e.g. serious injury or death) will always take precedence over the financial assessment.

8.4 The objective of risk assessment is to clearly identify and quantify the risk, and to provide data to assist in the evaluation and management of risks. Risk Assessment involves consideration of the cause of the risk, its consequences and the likelihood that those consequences may occur. Factors which affect consequences and likelihood may be identified and used as the basis for risk mitigation plans. Risk is analysed by combining estimates of consequences and likelihood in the context of existing control measures.

Risk = Consequences x Likelihood.

9. Risk Appetite

9.1 Each risk category needs to be linked to desired outcomes in order to codify the Board’s collective view of what level of risk could and should be tolerated, and for what period, in order to achieve objectives. Risk categorisation on its own is therefore rather sterile.

9.2 Table 2: Risk Appetite Statement:

Assessment Description of potential effect High Risk Appetite 5

In relation to this area of work, the PCT is willing to accept risks that are likely to occur and would then lead to some degree of damage to its reputation, possible financial exposure, or short term disruption to one or more service area.

Moderate Risk Appetite 4

In relation to this area of work, the PCT is willing to accept risks that may occur and would then lead to some degree of damage to its reputation, or possible financial loss, exposure or short term disruption to no more than one service area.

Neutral Risk Appetite 3

In relation to this area of work, the PCT is willing to accept risks might occur in certain circumstances that could lead to some degree of damage to its reputation, possible financial exposure, or minor disruption to one or more service areas.

Low Risk Appetite

In relation to this area of work, the PCT is willing to accept improbable risks that might, however, lead to some degree


Page 13 of 24

Assessment Description of potential effect 2 of damage to its reputation, financial exposure, or minor

disruption to a service area, should these risks materialise or fail to be mitigated.

Zero Risk Appetite 1

In relation to this area of work, the PCT is not willing to accept any risks that could lead to damage to its reputation, financial loss or exposure, major breakdown in services, information systems or integrity, failings in significant aspects of regulatory and / or legislative compliance, potential risk of injury to staff, service users or public.

Examples might be: 5 A secondary to primary care service redesign programme that

has clear potential to deliver better quality and more cost-effective care, but is likely to make current users or staff feel uncertain or inconvenienced by the change

3 Change over of a number of practices IT systems to new

software 1 Not submitting correct accounts on time

9.3 NHS Hertfordshire has articulated its risk appetite in relation to the risk

categories described on the risk scoring matrix. This information can be found at Appendix 4.

10. Risk Tolerance

10.1 Appendix 4 also details the tolerance levels for each of the risk categories on the risk scoring matrix. All risks breaching the tolerance levels must, once identified, be immediately brought to the attention of the Executive Team, once the Executive Team have agreed the risk score these risks must be reported to the Risk and Assurance Sub Committee alongside a risk mitigation plan. These risks will also be reported to the Audit Committee and the Board.

11. Risk Management Procedure

11.1 Risks may be identified by any member of staff. Risks should be reported to the relevant work stream lead. The work stream lead will add the risk to the relevant work stream risk register on Datix.

11.2 Each time the committee that owns the risk register meets to discuss the work stream they will be provided with a copy of the work stream risk register. The committee must ensure that all known risks to the work stream are recorded on the risk register. In addition they must approve the description and the scoring of the risk and monitor the implementation of the action plan.


Page 14 of 24

11.3 Where risks are breaching NHS Hertfordshire’s risk tolerance levels these should be reported to the Risk and Assurance Sub Committee and recommended for escalation to the Board who will then make a decision on the action to be taken.

12. Training

12.1 An introduction to risk management is to be delivered to all staff through the corporate induction with updates delivered as part of mandatory training. This introduction to risk management should focus on risk identification and the organisation’s processes for dealing with risk.

12.2 All risk register owners are to receive additional training on the completion of a risk register, including the use of Datix.

13. Monitoring

13.1 The Risk and Assurance Sub Committee will produce an annual risk management report detailing the processes in place to manage risk throughout the preceding year. This report is submitted to the Board to provide assurance and support the Statement on Internal Control.

13.2 Internal Audit will review the organisation’s risk management processes on a frequency agreed by the Audit Committee. In addition Internal Audit will review the high risk areas detailed on the Board Assurance Framework as part of the audit plan for the year.

14. References

Organising Uncertainty; a presentation given by Paul Moore, Chief Risk Officer, University Hospital South Manchester NHS Foundation Trust, at the Datix Patient Safety Conference on the 11th November 2010

East of England Strategic Health Authority Risk Management Strategy, July 2010

East of England Strategic Health Authority Risk Management Policy, July 2010

West Hertfordshire PCT and East and North Hertfordshire PCT’s Risk Management Policy, November 2008

15. Related Polices and Documents

The Governance Manual

Audit Committee Terms of Reference

Risk and Assurance Sub Committee Terms of Reference


Page 15 of 24

The Board Assurance Framework

Work stream risk registers

Datix help sheets: Recording Risks Using Datix, Updating Risks Using Datix and Creating Risk Register Reports Using Datix.

NHS Hertfordshire’s Governance policies, Health and Safety policies, Clinical Policies and Information Governance Policies

NHS Hertfordshire’s Emergency and Business Continuity Plans

\\nebula.xherts.nhs.uk\Data\PCTs\Secure\Corporate Services\Governance Policies\Risk Management Policy February 2011.doc Page 16 of 24

Appendix 1: Board Assurance Framework Template

Work Stream

Source Document

Risk Lead

Risk Number

Risk Appetite Assessment

Current

Risk Score Target

Risk Score Cause of Risk Effect

of Risk

Controls Gaps In Controls

Assurances Gaps in Assurances

Status of

Controls

C L Tot

Actions Lead for the action

Deadline for the action

Comments/ Updates

C L Tot

The 'Status of Control' column will be colour coded

Red The control is ineffective

Amber The control is having some effect however it is insufficient

Green An effective control


Appendix 2: Risk Register Template

Title

Inherent Risk Score Current Risk Score Target Risk Score

Refe

ren

ce N

o

Tit

le

Wo

rk s

tream

Su

b T

yp

e

Ris

k O

wn

er

Date

Ris

k I

den

tifi

ed

Ris

k D

escri

pti

on

an

d

Co

nseq

uen

ces

Co

nseq

uen

ce

Lik

elih

oo

d

Ris

k S

co

re

Co

ntr

ols

in

Pla

ce

Co

nseq

uen

ce

Lik

eli

ho

od

Ris

k S

co

re

Acti

on

or

Mil

e S

ton

e

Acti

on

s/M

ilesto

nes

Acti

on

targ

et

date

Acti

on

co

mp

leti

on

Date

Up

date

s

Co

nseq

uen

ce

Lik

eli

ho

od

Ris

k S

co

re

Targ

et

Co

mp

leti

on

Date

Tra

ffic

Lig

ht


Appendix 3: Risk Scoring Matrix

Table 1 Consequence scores (C) Choose the most appropriate category for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column.

Consequence score (severity levels) and examples of descriptors

Categories 1 = Negligible 2 = Minor 3 = Moderate 4 = Major 5 = Catastrophic

Safety of staff and visitors

- Minimal injury requiring no/minimal intervention or treatment.

- No time off work

- Minor injury or illness, requiring minor intervention

- Requiring time off work for 1-3 days

- Moderate injury requiring professional intervention

- Requiring time off work for 4-14 days RIDDOR/agency reportable incident

- Major injury leading to long-term incapacity/disability

- Requiring time off work for >14 days

- Or Moderate injury requiring professional intervention for multiple persons

- Incident leading to death - Multiple permanent injuries

or irreversible health effects

- Or Major injury leading to long-term incapacity/ disability for multiple persons

Quality/ complaints/ patient safety / audit

- Peripheral element of treatment or service suboptimal

- PALS contact with issue resolved in less than 24 hours

- Overall treatment or service suboptimal

- PALS contact with issue resolved in 24 – 72 hours

- Single failure to meet internal standards

- Minor implications for patient safety if unresolved

- Providers failing to report patient safety incidents

- Reduced performance rating if unresolved

- Treatment or service has significantly reduced effectiveness

- Complaint made, local resolution undertaken and issue resolved with a written response.

- Repeated failure to meet internal standards ·

- A patient safety incident which indicates a more significant problem.

- Major patient safety implications if findings are not acted on

- Non-compliance with national standards with significant risk to patients if unresolved

- Complaint made, local resolution undertaken and issue resolved with a complaints meeting.

- Multiple complaints on the same issue / about the same service.

- Rate of patient safety incidents significantly higher than the regional trend

- Low performance rating - Critical report

- Totally unacceptable level or quality of treatment / service

- Complaint made to ombudsman

- A patient safety incident arising from a system wide failure / lack of learning from a previous incident

- Gross failure to meet national standards

- An inquest / ombudsman inquiry (where the PCT is the subject of the complaint) which demonstrates a systematic failure.




Human resources/ staffing/ competence

- Short-term low staffing level that temporarily reduces service quality (< 1 day)

- Low staffing level that reduces the service quality (>1 day)

- Late delivery of key objective/ service due to lack of staff

- Unsafe staffing level or competence (1-5 days)

- Low staff morale - Poor staff attendance for

mandatory/ key training

- Uncertain delivery of key objective/ service due to lack of staff

- Unsafe staffing level or competence (>5 days)

- Loss of key staff - Very low staff morale - No staff attending

mandatory/ key training

- Non-delivery of key objective/ service due to lack of staff

- Ongoing unsafe staffing levels or competence

- Loss of several key staff - No staff attending

mandatory training /key training on an ongoing basis

Statutory duty/ inspections

- Minimal impact or breach of guidance/ statutory duty

- A breach of a single piece of statutory legislation

- Reduced performance rating if unresolved

- A single breach of a statutory duty or multiple breaches of a single piece of statutory legislation

- Challenging external recommend-ations/ improvement notice

- Multiple breaches of a statutory duty

- Low performance rating - Improvement notices - Enforcement action - Critical report

- Multiple breaches of more than one statutory duty

- Zero performance rating - Complete systems change

required - Severely critical report - Prosecution

Adverse publicity/ reputation

- Rumours - Potential for public concern

- Local media coverage - Local media coverage - Short-term reduction in

public confidence - Elements of public

expectation not being met - MP concerned (questions

in the House)

- National media coverage - Long-term reduction in

public confidence

- National media coverage with commission-ing decisions well below reasonable public expectation.

- Total loss of public confidence

Service improvement / service development

- Insignificant cost increase - Minimal project timescale

slippage

- <5 per cent over project budget

- Minor project timescale slippage

- 5–10 per cent over project budget

- Moderate project timescale slippage

- 10–25 per cent over project budget

- Major project timescale slippage

- A key objective not met

- >25 per cent over project budget

- Catastrophic project timescale slippage

- Multiple key objectives not met

Financial management - Overspend of > £17k - Overspend of £17k-£170k - Overspend of £170k-£1.7m - Overspend of £1.7m-£8.5m

- Overspend of > £8.5m

Financial losses - Loss / claim of <£10,000 - Loss / claim of £10,000-£100,000

- Loss / claim of £100,000-£500,000

- Loss / claim of £500,000-£1m

- Loss / claim of >£1m




Service/ business interruption

- Loss/interruption of 1-8 hours unless point in business cycle raises impact

- Loss/interruption of 8 -24 hours unless point in business cycle raises impact

- Loss/interruption of 1-7 days unless point in business cycle raises impact

- Loss/interruption of >1 week unless point in business cycle raises impact

- Permanent loss of service or facility

Environmental impact - Minimal or no impact on the working environment e.g. 2-3 hours without water / electricity

- Minor impact on the working environment e.g. 3-6 hours without water / electricity

- Moderate impact on the working environment e.g. 1 day – 1 week without water / electricity

- Major impact on the working environment e.g. > 1 week without water / electricity

- Catastrophic impact on environment e.g. permanent loss of building / utilities

Table 2 Likelihood score (L)

What is the likelihood of the consequence occurring?

The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

Likelihood score 1 2 3 4 5

Descriptor Rare Unlikely Possible Likely Almost certain

Frequency How often might it/ does it happen

This will probably never happen/ recur

Do not expect it to happen/recur but it is possible it may do so

Might happen or recur occasionally

Will probably happen/ recur but it is not a persisting issue

Will undoubtedly happen/ recur, possibly frequently


Table 3 Risk scoring = consequence x likelihood (C x L)

Likelihood

Consequence 1 2 3 4 5

Rare Unlikely Possible Likely Almost certain

5 Catastrophic 5 10 15 20 25

4 Major 4 8 12 16 20

3 Moderate 3 6 9 12 15

2 Minor 2 4 6 8 10

1 Negligible 1 2 3 4 5

For grading risk, the scores obtained from the risk matrix are assigned grades as follows

1 - 3 Low risk 4 - 6 Moderate risk 8 - 12 Significant risk 15 - 25 High risk

Instructions for use

1. Define the risk explicitly in terms of the adverse consequence(s) that might arise from the risk.

2. Use table 1 to determine the consequence score (C) for the potential adverse outcome(s) relevant to the risk being evaluated.

3. Use table 2 to determine the likelihood score (L) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project. If it is not possible to determine a numerical probability then use the probability descriptions to determine the most appropriate score.

4. Calculate the risk; score the risk by multiplying the consequence by the likelihood: C(consequence)x L(likelihood) =R(risk score)


Appendix 4: Risk Appetite and Tolerance Levels

Risk Category:

Safety of staff and visitors

Quality / complaints /

patient safety / audit

Human resources /

staffing / competence

Statutory duty / inspections

Adverse publicity / reputation

Service improvement

/ service development

Financial management

Financial losses

Service / business

interruption

Environmen-tal impact

Risk Appetite Score:

2

1

3

3

4

3

3

4

4

4

Risk Tolerance

Level*:

16

12

12

12

15

16

12

16

12

16

*Once the risk score has been calculated using the risk scoring matrix, if it scores at or above the tolerance level for that category it will be reported to the Board.


Page 23 of 24

Appendix 5 – Equality Impact Assessment Stage 1 Screening 1. Policy EIA Completion Details

Title: Risk Management Policy

Proposed Existing

Date of Completion: July 2011

Review Date: July 2013

Names & Titles of staff involved in completing the EIA: Claire Goodey, Corporate Governance Officer

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

3. Impact on Groups

Probable impact on group?

Positive Adverse None

High, Medium or Low

Please explain your answers

Age Low

Being married or in a civil partnership

Low

Disability, inc. learning

difficulties, physical disability, sensory impairment etc.

Low

Having just had a baby or being pregnant

Low

Race, ethnicity, nationality,

language etc. Low

Religion or belief Low

Sex (inc. being a transsexual person)

Low

Sexual Orientation Low

Other:

If a PCT strategy / policy / procedure may impact negatively on a particular group then a risk assessment can be undertaken to inform the relevant committee so that remedial action can be taken.

No impact on any of the groups above.

Please explain and provide evidence N/A

4. Which equality legislative Act applies to the policy?

Human Rights Act 1998 Equality Act 2010 Health & Safety Regulations

Mental Health Act 1983 Mental Capacity Act 2005

5. How could the identified adverse effects be minimised or eradicated?

N/A

6. How is the effect of the policy on different Impact Groups going to be monitored?

David Henson, Head of Corporate Governance, will have responsibility for overseeing this process.


Page 24 of 24

Appendix 6 – Privacy Impact Assessment Stage 1 Screening 1. Policy PIA Completion Details

Title: Risk Management Policy

Proposed Existing

Date of Completion: April 2011

Review Date: April 2013

Names & Titles of staff involved in completing the PIA: Claire Goodey, Corporate Governance Officer

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

Yes No Please explain your answers Technology Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)

NHS Hertfordshire’s risks are recorded on a Datix database. This database also holds patient identifiable information (within the incidents, complaints, PALS and claims modules) however the risk leads’ accounts are restricted so that they only have access to the risk module.

Identity By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)

By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?

The risk module does not hold any patient identifiable information.

Multiple Organisations Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

The policy describes how agreement will the reached with commissioned services on their risk management processes and contains guidance for independent contractors.

Data By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

NHS Hertfordshire’s risks have been recorded on Datix for the past 2 years so there is no change to the data handling process. Previously this data was maintained by the Corporate Governance Officer. From now on it will be maintained by the risk register owners.

If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?

The risks have been assessed (as explained above) and appropriate controls have been implemented. The policy content and its implications are understood and approved by the department.