BOD39 /2012
BOARD OF DIRECTORS – 14 MARCH 2012
RISK MANAGEMENT POLICY
FOR APPROVAL
This report is for publication
Summary: The Risk Management Policy has been reviewed and is attached for
approval by the Board. The policy has been considered by the Audit Committee and
the Executive Board. The key changes are to the style and layout of the policy; the
fundamental principles of the system of risk management within CNWL are not
affected.
Key changes
1. The policy has been significantly shortened and reformatted.
2. The contents have been reviewed to ensure they comply with the requirements of the NHSLA Risk Assessment standard.
3. The draft policy was reviewed during an informal NHSLA assessment in January and found to be acceptable.
The Board is recommended to approve the Risk Management Policy.
Regulatory framework
This report supports all of the Strategic Priorities and the management of risks
associated with their achievement.
RESPONSIBLE DIRECTOR – Associate Director, Corporate Governance
DATE – 07 March 2012
RISK MANAGEMENT POLICY
Introduction
The Risk Management Policy has been reviewed and is attached for approval by the
Board. The policy has been considered by the Audit Committee and the Executive
Board. The principles of the system of risk management are not affected by this
review.
Key changes
1. It has been significantly shortened and reformatted to comply with the requirements of the Trust’s Policy on the Development of Procedural Documents.
2. The contents have been reviewed to ensure they comply with the requirements of the NHSLA Risk Assessment standard. The Trust will be reviewed for level 1 in June 2012 and the policy has been developed so that it will not only match the level 1 requirements, but also those for levels 2 and 3.
3. The draft policy was reviewed during an informal NHSLA assessment in January and found to be acceptable (with some minor changes that have been incorporated).
4. A monitoring compliance and effectiveness matrix is shown at Appendix E. The Board may be interested to know that ALL Trust-wide policies are now required to have such a matrix. This is a tool that should provide assurance that the key requirements of policies are being followed by staff.
The Board is recommended to approve the policy.
Richard Vergez
Associate Director, Corporate Governance
RISK MANAGEMENT POLICY
Policy lead:
Associate Director, Corporate Governance
Ratifying Committee or Group
Board of Directors
Status of policy:
Final
Policy Reference:
TBC
Signed:
____________________________________________
Dame Ruth Runciman, Chairman, Board of Directors
Ratification date:
___________________________________________
Essential reading for the following staff groups:
1 - Board of Directors
2 - Service Directors
3 - Corporate and Clinical Governance Team members
4 - Designated risk management leads
The following staff groups should be aware that the policy exists, for
reference purposes:
Other staff identified by local managers
POLICY IMPLEMENTATION DATE: March 2012
DATE POLICY TO BE REVIEWED: March 2014
CONTENTS
1  Key Points ... 3
2  Purpose and Scope ... 3
3  Responsibilities ... 3
   3.1  Organisation for risk management ... 3
   3.2  Operational Management ... 4
4  Risk Management Policy ... 4
   4.1  Risk Management Policy
   4.2  Board Assurance Framework
   4.3  Risk Management Process
   4.4  Risk Assessment Procedure
   4.5  Risk registers
   4.6  Clinical Risks
   4.7  Local management of risk
   4.8  Acceptable risk
   4.9  Support and expertise
   4.10 Training
5  Monitoring compliance and effectiveness ... 7
6  References ... 7

APPENDICES
APPENDIX A  Responsibilities – Organisation for Risk Management ... 8
APPENDIX B  Responsibilities - Operational Management ... 10
APPENDIX C  Board Assurance Framework ... 12
APPENDIX D  Risk Management Process ... 14
APPENDIX E  Monitoring of the policy ... 18
APPENDIX F  References ... 19
APPENDIX G  Impact Assessment ... 20
1 KEY POINTS
The Trust has a system for managing risks, which is described in this policy.
Individual responsibilities for risk management are shown in Appendix B (hyperlink).
Risks are assessed using a multiplier of the impact of a risk by its likelihood of occurring, both
of which are scored on a 1-5 grading. This is known as a risk matrix (see Appendix D)
(hyperlink). The grading determines the way in which a risk is managed and reported.
Service line management teams and corporate directorates must identify risks and place them
on a local risk register. They must monitor them regularly and develop action plans with
specified leads and timescales.
Higher level risks are brought together in a Trust-wide Risk Register, which is presented to the
Executive Board quarterly and the Board of Directors every 6 months.
A Top Risk Register comprises the highest level risks and is reviewed by the Board of Directors
every month.
A Board Assurance Framework (see Appendix C) (hyperlink) describes the principal risks that
could stop the Trust from achieving its main objectives and the action being taken to address
them. This is reviewed regularly by the Board of Directors.
2 PURPOSE AND SCOPE
This document sets out the approach by Central and North West London NHS Foundation Trust
(the Trust) to identifying and managing risk as well as the governance arrangements for
ensuring that they are effective.
This document contributes to meeting the organisation’s legal and regulatory obligations. It
applies to all activities of the Trust, and all of the staff and contractors who are involved in them.
Central to this is the need to ensure the safety and welfare of service users and carers and the
staff of the Trust. Effective management of risk helps to create and sustain a safe environment
in which high quality care and treatment can be provided.
3 RESPONSIBILITIES
3.1 Organisation for risk management
Overall responsibility for risk awareness and risk management lies with the Board who will take
active measures to ensure that they are adequately assured that risks are being identified and
managed, and that they are adequately informed so that they can make appropriate decisions
to ensure that this is adequately resourced and managed effectively.
The Audit Committee shall review the establishment and maintenance of an effective system of
integrated governance, risk management and internal control, across the whole of the
organisation’s activities (both clinical and non-clinical), that supports the achievement of the
organisation’s objectives.
The Executive Board will regularly review the Top Risks and Trust-wide Risk Registers. It will
also review the Assurance Framework, prior to presentation to the Board of Directors and
determine the risks that are included in the Top Risk Register.
Further specific details on the organisation of risk management can be found at Appendix A
(hyperlink).
3.2 Operational Management
Managers are responsible for the day-to-day management of risks of all types within their remit
and budget allocation. Additional specific responsibilities may be defined in job descriptions.
They are charged with ensuring that risk assessments are undertaken throughout their area of
responsibility on a proactive basis and that remedial action is carried out where problems are
identified. They are also responsible for reporting difficulties in reducing risk to their executive
director and relevant committees or governance groups.
Individual managers should:
• ensure that risk management policies and procedures are implemented within their area of responsibility,
• foster a supportive environment to facilitate the reporting of risks and incidents,
• ensure that all staff are aware of their responsibilities,
• ensure that staff are aware of all relevant risks relating to their environment and the activities that they are involved in,
• keep staff informed of the risks faced by the organisation and what is being done to address them,
• ensure that staff complete training requirements,
• ensure that the required resources are identified and provided, including:
  1. people and skills,
  2. documented processes and procedures,
  3. information systems and databases,
  4. money and other resources for specific risk treatment activities.
A detailed description of the general and specific responsibilities of individuals within the Trust
is shown at Appendix B (hyperlink).
4 RISK MANAGEMENT POLICY
4.1 Risk Management Policy
Risk is an integral part of all activities and a certain amount of risk taking is inevitable if the
organisation is to achieve its objectives. Risk management will be embedded within the daily
operation of the organisation from strategy formulation through to business planning and
operational processes. Actively managing threats and opportunities can give the organisation a
competitive advantage.
The Trust is committed to building and sustaining an organisational culture which encourages
appropriate risk taking, effective performance management and organisational learning in order
to achieve continuous quality improvement of the services provided. The Board of Directors and
Executive Board are the leaders in risk management and will work actively to promote a culture
where risk is considered as a matter of course, and is appropriately identified and managed,
with staff positively engaged in risk management.
The Trust is committed to an integrated approach to risk management across all of its activities.
Through understanding risks decision makers will be better able to evaluate the impact of a
particular decision or action on the achievement of the organisation’s objectives.
4.2 Board assurance framework
The assurance framework will identify the principal risks against achieving the principal
objectives. It will also set out the activities in place to control or mitigate those risks and identify
the assurance (both internal and external) that such activities are effective.
The process for the operation of the Board assurance framework is outlined at Appendix C
(hyperlink).
4.3 Risk management process
The process by which risks are identified, assessed, analysed and managed is outlined in
Appendix D (hyperlink).
4.4 Risk Assessment Procedure
Risk assessment is a key risk management process which must be applied to all activities
undertaken by the Trust and embedded within relevant processes.
Further information about when and how to conduct risk assessment and who should be
involved can be found in the Risk Assessment Procedure (hyperlink). This document also
covers the treatment of risks, i.e. action and controls to minimise negative risk and enhance
positive risk.
4.5 Risk registers
The Trust’s portfolio of risk is maintained as a risk register. Identified risks will be entered onto
the risk register and regularly reviewed to ensure that the information is up to date. The Risk
Register will include the following components:
• Source of the risk (e.g. incident reports, risk assessments)
• Description of the risk
• Risk score
• Summary of the action plan required to address the risk
• Date when the risk is to be reviewed
• The residual risk rating
Information held in the risk register is used for a wide variety of purposes by groups and
individuals at all levels of the organisation. The Trust-wide Risk Register incorporates significant
risks from service lines and corporate directorate risk registers, incident reports and risk
assessments and will be presented to the Executive Board quarterly and the Board of Directors
twice annually.
4.6 Clinical risks
Clinical Risks identified in local risk registers will be reported on a quarterly basis to the Clinical
Safety Group. The Group will be responsible for considering whether clinical risks have Trust-wide
implications and identifying whether any further action is required.
4.7 Local management of risk
Service Lines and corporate departments will be responsible for identifying and treating risks in
their area in a manner which reflects the principles of this policy and strategy. They will maintain
their own risk register, which will feed into the Trust-wide Risk Register and consider their risks
on a regular basis at their local management meetings. Each risk will have an identified lead(s)
responsible for coordinating and implementing the action plan.
4.8 Acceptable risk
When risks have not been eliminated the organisation may choose to accept the risk and take
no further action to reduce it. The organisation’s risk tolerance may be different across the
range of risks.
In general it is expected that risks with potential negative impact will be reduced to a level which
is as low as reasonably practicable. Action should always be taken to reduce the risks unless it
involves measures which are clearly disproportionate in relation to the risk.
Where there is any uncertainty guidance or a decision should be sought from the committee or
governance group with responsibility for the area or type of risk in question.
4.9 Support and expertise
Staff within the Trust have a variety of knowledge and skills that can be called upon to support
risk management activities. In addition the Trust contracts external agencies to provide services
and advice in a number of areas relating to risk management.
4.10 Training
Senior management training - Board members (including non-executive directors), Service
Directors and nominated risk management leads will receive risk management training annually
to support them in their roles. A list of these managers will be held by the Associate
Director Corporate Governance. The Director of Operations and Nursing (the designated Board
member with responsibility for risk) is responsible for ensuring that an appropriate programme
is provided. Attendance at such training will be recorded on the Trust’s electronic training record
system and the Associate Director Corporate Governance will be responsible for follow-up
action relating to non-attendance.
Training of other staff - The training and development of its staff is an integral part of the
Trust’s approach to risk management. Risk management is considered as part of the
organisation’s process for training needs analysis.
All training activity will be recorded and managers and staff are responsible for ensuring that
identified training is completed within the relevant timescales. Details of staff attendance on risk
management will be recorded on the Trust’s electronic training record system. Non-attendance
will be reported to relevant managers to enable follow-up action.
5 MONITORING COMPLIANCE AND EFFECTIVENESS
In order to monitor the effectiveness of this policy the CNWL Corporate Governance Team will
undertake a periodic audit of policy compliance.
The auditable standards for this policy are:
1. Sample of risk registers to ensure compliance with the criteria in the NHSLA Risk Management Standard.
2. Monitoring of risk management training of senior managers and other staff.
3. Monitoring of the risk management process by local services to assess whether a continual, systematic approach to risk assessments is being followed.
Compliance will be reported to the Executive Board and Audit Committee where action will be
monitored to address any shortfalls in performance. Further detail can be found within the
Monitoring Compliance and Effectiveness tool found at Appendix E (hyperlink).
6 REFERENCES
The references to this policy and strategy are attached at Appendix F (hyperlink).
Appendix A
RESPONSIBILITIES
Organisation for risk management
Board of Directors
Determine strategic aims and objectives and identify risks that would prevent the achievement of
these. Develop a Board Assurance Framework. Receive reports and assurances on risk
management processes and issues from relevant subcommittees. Approve and monitor the Top
Risks and Trust Wide risk registers. Approve the Risk Management Policy.
Audit Committee*
The Committee shall review the establishment and maintenance of an effective system of integrated
governance, risk management and internal control, across the whole of the organisation’s activities
(both clinical and non-clinical), that supports the achievement of the organisation’s objectives.
In particular, the Committee will review the adequacy of:
• All risk control related disclosure statements (in particular the Statement on Internal Control), together with any accompanying Head of Internal Audit statement, external audit opinion or other appropriate independent assurances, prior to endorsement by the Board. In reviewing the Statement of Internal Control the Chief Executive should be invited to attend.
• The underlying assurance processes that indicate the degree of the achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure statements.
• The policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements.
• The policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the Counter Fraud and Security Management Service.
In carrying out this work the Committee will primarily utilise the work of Internal Audit, External Audit
and other assurance functions, but will not be limited to these audit functions. It will also seek
reports and assurances from directors and managers as appropriate, concentrating on the overarching systems of integrated governance, risk management and internal control, together with
indicators of their effectiveness. This will be evidenced through the Committee’s use of an effective
Assurance Framework to guide its work and that of the audit and assurance functions that report to
it.
Executive Board*
The Executive Board shall ensure an effective system of integrated governance, risk management
and internal control operates across the whole of the organisation’s activities (both clinical and
non-clinical). In particular, the Executive Board will:
• Ensure appropriate processes and responsibilities for identifying risks and gaps in control
• Review the Assurance Framework and monitor progress against each identified action
• Review the Risk Register and receive update reports from Executive Directors responsible for managing the identified risks
• Review all risk and control related disclosure statements, in particular the Statement on Internal Control, prior to endorsement by the Board
• Monitor relevant regulatory, legal and code of conduct requirements and ensure that Trust policies fully reflect their requirements
• Ensure adherence to Trust key policies
Business and Finance Committee*
Identify and monitor financial risks that would prevent the achievement of the Trust’s objectives.
Review risks relevant to its terms of reference.
Quality and Performance Management Committee*
The Quality and Performance Management Committee will give assurance that appropriate clinical
risk management systems are in place and the Committee shall alert the Audit Committee to any
significant unaddressed risks.
Information Governance Programme Board
Oversee compliance with regulatory standards (e.g. Information Governance Toolkit) and legal
requirements that affect the organisation in regard to the management of information risk and data
security. Identify and report concerns on the risk register and report to the Executive Board.
Service Line Senior Management Teams (or equivalent) / Corporate Directorates
To identify and monitor risks that would affect the provision of services and/or developments.
Ensure risks are placed on the local risk register and monitor them regularly. Develop action plans
with identified leads and clear timescales.
Human Resources Group
Oversee compliance with regulatory standards and legal requirements that affect the organisation in
regard to the management of the workforce and mechanisms for delivery and monitoring of learning
and development.
Identify and monitor risks that would affect the objectives of the Human Resources Strategy. Identify
and monitor risks and report concerns on the risk register to the Executive Board.
Medicines Management Group
To oversee, agree and monitor overarching strategy, policy, planning and performance relating to
regulatory requirements for medicines. Identify and monitor risks and report concerns on the risk
register to the Quality Committee.
Infection Control Group
To endorse all overarching infection control policies, procedures and guidance, provide advice and
support on the implementation and monitor the progress of the infection prevention and control
annual programme including training and compliance with specific regulatory requirements.
Clinical Safety Group*
To receive reports on clinical risks identified in local risk registers and responsible for considering
whether such risks have Trust-wide implications and identifying whether any further action is
required.
Corporate Risk / Health and Safety Group*
To oversee, agree and monitor overarching policy, planning, training and performance relating to
requirements for health and safety. Identify and monitor risks and report concerns on the risk
register to the Executive Board.
* Key committees / groups shown in the following organisational chart.
Organisational Chart: Risk Management Structure
[Chart not reproduced in text. Its boxes are: Internal Assurance; Independent Assurance; BOARD OF DIRECTORS; Audit Committee; Business and Finance Committee; Quality and Performance Committee; Reports of external monitoring bodies; EXECUTIVE BOARD; Clinical Safety Group; Internal Audit; External Audit; Corporate Risk / H&S Group.]
Appendix B
RESPONSIBILITIES
Operational Management
Chief Executive
The Chief Executive has overall responsibility for risk management throughout the Trust.
Director of Operations and Nursing
The Director of Operations and Nursing is the Executive Director with designated
responsibility for the implementation of this policy
Executive Directors, Service Line Directors and Clinical Directors
These Directors will be responsible for ensuring that:
• The Risk Management Policy is implemented within their area of responsibility and appropriate risk assessments have been carried out.
• All staff managed within their structure are aware of the Strategy and Policy and are informed of their responsibilities in relation to the action required according to the quantification of risk.
• Appropriate and effective risk management processes are in place within their designated areas and scope of responsibility.
• All staff attend appropriate training.
• Appropriate procedures are in place to comply with the Trust’s Risk Management Policy.
Associate Director, Corporate Governance*
The Associate Director, Corporate Governance is accountable to the Director of Operations
and Nursing and the Chief Executive and is a member of the Executive Board. A key
objective for this post holder is to develop, implement and review a Trust-wide risk
management system. This post is key to ensuring the Risk Management Policy is delivered
throughout the Trust.
Clinical Risk Manager *
The Clinical Risk Manager reports to the Associate Director, Quality and Service
Improvement. The Clinical Risk Manager will act as the competent person to the Trust to
advise on issues of clinical risk and will liaise, as appropriate, with the Associate Director,
Corporate Governance to provide clinical risk guidance.
Safety Manager*
The Safety Manager will report to the Associate Director, Corporate Governance. The
Safety Manager will manage the Health and Safety Managers, who will act as the
competent persons on health and safety issues in the Trust and will liaise with the
Associate Director, Corporate Governance to provide guidance on health and safety
legislation and risks within the Trust.
Designated Risk Management Leads
Nominated by Service Directors, they will be responsible for the collation and update of
local risk registers.
All managers
All managers in the Trust have a responsibility to manage risk within their area of
responsibility. They should be:
• familiar with the arrangements for risk management
• aware of the process for escalating risks with which they require assistance in managing
• receptive to risks brought to their attention by others, including staff
Employees
All employees are responsible for ensuring that any identified hazards, risks, accidents and
incidents are reported to their line manager immediately on discovery. They will:
• Co-operate with their manager in the implementation, monitoring and reviewing of this strategy
• Communicate and co-operate with others on Trust premises regarding risk management issues. If staff work off site, they must also be familiar with the risk management systems for that site
• Ensure they are familiar with the contents and requirements of appropriate policies and procedures
• Attend training sessions when requested by their managers
* Note: Within community provider services, specific posts will be identified to provide
assurance to the Trust on these functions / areas.
Appendix C
Board Assurance Framework
There is a requirement for all NHS chief executive officers to sign a Statement on Internal
Control (SIC) as part of the statutory accounts and annual report. This heightens the need
for boards to be able to demonstrate that they have been properly informed about the
totality of their risks, both clinical and non-clinical. To do this they need to be able to provide
evidence that they have systematically identified their objectives and managed the principal
risks to achieving them. The Assurance Framework fulfils this purpose.
The Assurance Framework provides a simple but comprehensive method for the effective
and focused management of the principal risks to meeting Trust objectives. It also provides
a structure for the evidence to support the Statement on Internal Control. This simplifies
Board reporting and the prioritisation of action plans which, in turn, allow for more effective
performance management.
The objectives of the Trust will be set out in the annual plan, approved by the Board of
Directors. The business plan will contain a series of strategic priorities, for each of which
there shall be a tier of principal objectives. The strategic priorities and principal objectives
will be consistent with the Standards for Better Health and the seven domains contained
therein.
The Assurance Framework will identify the principal risks against achieving the principal
objectives. It will also set out the activities in place to control or mitigate those risks and
identify the assurance (both internal and external) that such activities are effective.
The Board of Directors will be responsible for approving the Assurance Framework. The
Executive Board will be responsible, on behalf of the Board of Directors, for developing and
monitoring the Assurance Framework. This will involve evaluating and, where necessary,
escalating risks identified in the Framework to the Audit Committee or Board of Directors.
The Executive Board will also consider the Trust wide and Top Risk registers and determine
whether any of these risks should be reflected in the Assurance Framework. It will report
progress to the Board of Directors every three months.
The work on monitoring the Assurance Framework will be monitored by the Audit
Committee, who may ask relevant leads to attend meetings to explain progress.
In discharging this responsibility, the Executive Board will monitor that the following are
applied in respect of the Assurance Framework:
Principal risks: The officer with lead responsibility for each Principal Objective will,
on an ongoing basis, identify the principal risks against its achievement. These will
be judgments based on knowledge and analysis of the objective and factors, both
internal and external, that could affect its successful implementation. It is recognised
that situations may change with time and it is important that the Principal Risks are
regularly reviewed to ensure they remain accurate. Identified risks will be prioritised
in accordance with the risk rating process shown in Appendix 6 (where appropriate,
identified risks will be included in the Corporate Risk Register). The officer with lead
responsibility will be the identified risk owner, unless another person is specifically
identified, and will be responsible for taking the lead in addressing the risk.
Control/mitigation of principal risks: The officer with lead responsibility for each
Principal Objective will identify the control/mitigation required to address the principal
risk.
Assurance: The officer with lead responsibility for each Principal Objective will
identify sources of internal and external assurance that the control/mitigation of the
identified risk has been, or is being, addressed.
The officer with lead responsibility for each Principal Objective will identify the committee,
sub-committee, group or forum that will take principal responsibility for monitoring progress
of the Principal Objective. The identified forum will be provided with evidence of
control/mitigation of the Principal Risk, evidence of assurance and be responsible for
identifying gaps in either. Any identified gaps will be mapped against the Principal Risks
and an action plan developed to address them. The action plan will identify lead
responsibility, action required and target date for completion.
Appendix D
RISK MANAGEMENT PROCESS
1 Management of risk should be integrated into the philosophy of an organisation. The
process by which the activities of the Trust are identified and graded for risk is based on
a framework recognised as good practice (Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association of Australia. Strathfield NSW).
2 The full benefit of risk management will only be achieved if there is a comprehensive and
cohesive system in place, underpinned by an organisation-wide risk management
organisational structure. The process must contain guidance on acceptable risk and for
the management of situations in which control failure leads to material realisation of risk.
3 A summary of the process is set out below.
3.1 Risk Identification
The first stage of risk management is the identification of risks. The identification process
embraces both a proactive approach and one that also reviews issues retrospectively.
Many lessons can be learnt from examining why an adverse incident occurred and then
taking appropriate action to avoid recurrence, as outlined in the Chief Medical Officer’s
report “Organisation with a Memory” published in July 2000. The Trust also needs to
place emphasis on predicting where incidents could occur and taking steps to stop them
before they do so.
3.2 Risk Assessment
When the risks have been identified, each one will be analysed in order to assess what
is the likelihood of it happening; how often it is likely to occur; and what the likely impact
would be. The culmination of this process is the prioritisation of the identified risks, within
the Risk Register, in order to create a manageable programme of risk targets.
3.3 Risk Analysis
Risk analysis uses descriptive scales to describe the magnitude of potential
consequences and the likelihood that those consequences occur. A matrix is used to
assign risk priority by combining their likelihood and consequences.
Use of the matrix enables a list of prioritised risks to be developed with an indication of
the action that may be required and highlights the most significant risk issues to be
considered by the Executive Board, Audit Committee and subsequently the Board of
Directors.
Risk Assessment Matrix

                                              IMPACT
LIKELIHOOD           1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
1 - Rare                    1              2          3           4            5
2 - Unlikely                2              4          6           8           10
3 - Possible                3              6          9          12           15
4 - Likely                  4              8         12          16           20
5 - Almost Certain          5             10         15          20           25

Risk Rating (numerical score):
   1 - 3    Low risk
   4 - 6    Moderate risk
   8 - 12   Significant risk
  15 - 25   Extreme risk

Impact x Likelihood = Risk Rating
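The scoring rule above (impact times likelihood, then banding into low, moderate, significant and extreme) is simple enough to check by hand, but a register with dozens of entries is easier to prioritise and escalate consistently in code. The following is an added example written for this page, not the Trust's own tool; the register entries, the reference format (R-01 and so on) and the risk descriptions are constructed sample data. It encodes the 5 x 5 matrix, the rating bands, and the section 3.4 rule that significant and extreme risks are reported upwards, and it rejects scores such as 7 or 11 that no matrix cell can produce rather than silently rounding them into a neighbouring band.

```python
"""Scoring and prioritising a risk register with the 5 x 5 impact x likelihood
matrix from section 3.3.  Added example for this page, not the Trust's own
tool; the register entries at the bottom are constructed sample data."""
from dataclasses import dataclass

# Descriptive scales from the policy's matrix (value -> label).
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}

# Rating bands from the policy's "Risk Rating" key: (lowest score, highest score, band).
BANDS = (
    (1, 3, "Low risk"),
    (4, 6, "Moderate risk"),
    (8, 12, "Significant risk"),
    (15, 25, "Extreme risk"),
)

# Section 3.4: significant and extreme risks are unacceptable in the first
# instance and are reported to the Executive Board, Audit Committee and Board.
ESCALATE = {"Significant risk", "Extreme risk"}


def risk_score(impact: int, likelihood: int) -> int:
    """Impact x Likelihood = Risk Rating, with both inputs checked against the scales."""
    if impact not in IMPACT:
        raise ValueError(f"impact must be 1-5, got {impact!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be 1-5, got {likelihood!r}")
    return impact * likelihood


def risk_band(score: int) -> str:
    """Map a numerical score onto the policy's four bands.

    Scores such as 7, 11, 13 and 14 cannot be produced by a 5 x 5 product, so
    the bands are not contiguous; anything outside them is a data error.
    """
    for low, high, band in BANDS:
        if low <= score <= high:
            return band
    raise ValueError(f"{score} is not a cell of the 5 x 5 matrix")


def build_matrix() -> dict[int, dict[int, int]]:
    """The full matrix as {likelihood: {impact: score}}, for printing or checking."""
    return {lk: {im: risk_score(im, lk) for im in IMPACT} for lk in LIKELIHOOD}


@dataclass(frozen=True)
class Risk:
    ref: str           # register reference; the R-nn format is hypothetical
    description: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        return risk_score(self.impact, self.likelihood)

    @property
    def band(self) -> str:
        return risk_band(self.score)

    @property
    def escalate(self) -> bool:
        """True when the risk must be reported upwards under section 3.4."""
        return self.band in ESCALATE


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register highest rating first; ties broken by impact, then reference."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.ref))


def escalation_list(register: list[Risk]) -> list[str]:
    """References of the risks that must go to the Executive Board and above."""
    return [r.ref for r in prioritise(register) if r.escalate]


# Constructed sample register (not real Trust data).
SAMPLE_REGISTER = [
    Risk("R-01", "Clinical records server outage", impact=4, likelihood=2),
    Risk("R-02", "Out-of-date local risk assessments", impact=2, likelihood=3),
    Risk("R-03", "Backup restore never tested", impact=5, likelihood=3),
    Risk("R-04", "Slip hazard in main corridor", impact=1, likelihood=4),
    Risk("R-05", "New starters late on risk training", impact=2, likelihood=1),
]


def print_matrix_and_register(register: list[Risk]) -> None:
    """Print the 5 x 5 matrix and the prioritised register as plain text."""
    print("Likelihood \\ Impact   " + " ".join(f"{im:>4}" for im in IMPACT))
    for lk, row in build_matrix().items():
        print(f"{lk} - {LIKELIHOOD[lk]:<18}" + " ".join(f"{row[im]:>4}" for im in IMPACT))
    print()
    for r in prioritise(register):
        flag = " -> report to Executive Board" if r.escalate else ""
        print(f"{r.ref} {r.score:>2} {r.band:<17} {r.description}{flag}")


if __name__ == "__main__":
    print_matrix_and_register(SAMPLE_REGISTER)
```

Running the module prints the matrix followed by the sample register in priority order; with the constructed entries, R-03 (15, extreme) and R-01 (8, significant) are the two that would be reported to the Executive Board. The tie-break on impact before reference means that, of two risks with the same score, the one with the larger consequence is listed first, which matches the "highlights the most significant risk issues" intent of section 3.3.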
Detailed examples of the actual risk matrix are shown on the following page:
3.4 Risk Treatment
Risks scoring significant or extreme should be deemed unacceptable in the first
instance and options for action considered. The Executive Board, Audit Committee or
Board of Directors, as appropriate, will then identify and agree whether these risks can
be controlled to an acceptable level.
All identified risks should be included in a risk register. The incidence of significant risks
(i.e. those evaluated as significant or extreme) should be reported to the Executive
Board, Audit Committee and the Board of Directors on a regular basis.
An action plan setting out the manner in which the risk will be addressed will be
developed by the service most responsible for its treatment. Progress will be monitored
locally on all risks.
3.5 Risk Monitoring
In order to monitor the Trust’s risk profile the Trust will keep a risk register that contains
a summary of risk information. The risk register enables all risks identified within the
Trust to be categorised and recorded. This enables risks to be assessed against each
other and on a Trust-wide and Service basis to facilitate decision-making regarding
resource allocation and risk reduction.
3.6 Funding of risk management
Risk management is an integral part of the Trust's business. Central posts have been
funded to co-ordinate the process and support Directorate staff. These include the
Associate Director, Corporate Governance, the Corporate Risk Advisor, the Clinical Risk
Manager, the Health and Safety Advisors, the Fire and Safety Advisor and Infection Control
staff. In addition each Service is expected to identify lead people and consider funding of
quality improvement issues identified through risk assessment. This responsibility rests
with the service-based local management and clinical governance groups. There will be
a system of reporting via the Executive Board and Audit Committee to the Board of Directors
on issues of significant and extreme risk that have resource implications which cannot
be addressed by an individual Service.
3.7 Risk Appetite
Risk appetite is the amount or level of risk that an organisation is prepared to accept at a
particular time in relation to meeting its objectives. It will be for the Board of Directors to
establish and review the level of risk appetite, particularly in relation to higher level risks
identified in the Top Risks Register. The Board should determine whether the risk is one
that it is prepared to run with or whether further controls and mitigation should be
identified (which may require the investment of more resources) to lower the likelihood or
impact of the risk should it happen.
3.8 Risk Mitigation
Plans to mitigate risks need to be properly constructed and all parties made aware of their
content. Such plans should be regularly reviewed for their on-going validity and impact.
A mitigation plan may be an alternative course of action should a risk materialise, not
just a risk avoidance plan.
Appendix E
Monitoring Compliance and Effectiveness

Element to be monitored (what key element(s) need(s) monitoring as per local approved policy or guidance?):
1. Sample of risk registers to ensure compliance with the criteria in the NHSLA Risk Management Standard.
2. Monitoring of risk management training of senior managers and other staff.
3. Monitoring of the risk management process by local services to assess whether a continual, systematic approach to risk assessments is being followed.

Lead (who will lead on this aspect of monitoring?):
ALL - Associate Director, Corporate Governance.

Tool (what tool will be used to monitor/check/observe/assess/inspect/authenticate that everything is working according to this key element from the approved policy?):
ALL. An Excel spreadsheet will be developed to record the findings of auditing. This will also include review of NHSLA Risk Management Standard compliance.

Frequency (how often does each element need to be monitored, a report completed, and the report shared?):
1. Risk Registers will be reviewed by the Corporate Governance Team as they are submitted. A report will be submitted to the Executive Board every 6 months.
2. An annual report will be submitted to the Executive Board.
3. Policies will be reviewed by the Corporate Governance Team as they are submitted. An annual report will be submitted to the Executive Board.

Reporting arrangements (who or what committee will the completed report go to? How will each report be interrogated to identify the required actions, and how thoroughly should this be documented, e.g. in meeting minutes?):
ALL. An annual report on overall compliance will be provided to the Executive Board and Audit Committee. Any identified actions agreed at the meetings should be recorded in the notes of the meeting.

Acting on recommendations and Lead(s) (which committee, department or lead will undertake subsequent recommendations and action planning for any or all deficiencies and recommendations within reasonable timeframes?):
Required actions will be identified and completed in a specified timeframe.

Change in practice and lessons to be shared (how will system or practice changes be implemented and how will these be shared?):
Required changes to practice will be identified and actioned within a specific time frame. A lead member of the team will be identified to take each change forward where appropriate. Lessons will be shared with all the relevant stakeholders.
Appendix F
References
1 Standards Australia and Standards New Zealand, 2004. AS/NZS 4360:2004 Risk Management.
2 Standards Australia and Standards New Zealand, 2004. HB 436:2004 Risk Management Guidelines – Companion to AS/NZS 4360:2004.
3 Office of Government Commerce, 2007. Management of Risk: Guidance for Practitioners. London: The Stationery Office.
4 NHSLA Risk Management Standards for NHS Trusts providing Acute, Community, or Mental Health & Learning Disability Services.
5 Department of Health, 2006. Integrated Governance Handbook. London: Department of Health. Available at: http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4129615.pdf
6 Department of Health, 2003. Assurance: The Board Agenda. London: Department of Health. Available at: http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4110083.pdf
7 Department of Health, 2003. Building An Assurance Framework: A Practical Guide for NHS Boards. London: Department of Health. Available at: http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4093993.pdf
8 Audit Committee Handbook,
Appendix H
Equality, Human Rights and Privacy Impact Assessment Form
1. What is the name of the service / policy / procedure / project being assessed?
Risk Management Policy.
2. Briefly describe the aim of the service / policy / procedure / Trust function that is being Impact
Assessed. What needs or duties is it designed to meet? What are its intended outcomes?
To ensure a consistent approach to the management of risk across the Trust.
3. If this service / policy / procedure / Trust function has no relevance for Equalities or human rights
considerations, please give your reasoning below and sign on page 2.
Application of this policy affects the identification, treatment and management of risks. This
policy does not directly impact on individual groups. The subject matter of the risk areas
being reviewed may, and there must be an impact assessment on each of them. Details of
monitoring are included in the policy.
There is no relevance for equalities or human rights considerations.
(Where there is no relevance then the screening section can be signed and countersigned, and
there is no need for a full assessment. Where there is relevance, then a full Equality and Human
Rights Impact Assessment must be undertaken.)
Privacy Impact Assessment Screening Tool
4a. Does the project/service development involve any technologies that might have a privacy
impact, for example, Smartcards, biometrics, digital imaging, video recording or logging of electronic
traffic?
No
4b. Does the project/service development involve the use of new personal identifiers or an extension
in the use of personal identifiers?
No
4c. Does the project/service development involve the handling of a significant amount of new
personal data?
No
4d. Does the project/service development involve new or changed data management processes that
might be intrusive, insecure, more permissive in terms of access to data, or unclear?
No
If the answer to any of questions 4a – 4d is ‘yes’, you are required to contact the Information
Governance Team for advice on how to proceed in relation to the privacy issues identified.
Manager undertaking the screening assessment
Name
Richard Vergez
Designation: Associate Director, Corporate Governance
Date
January 2012
To be countersigned by the Senior Manager, i.e. Service Head, Line Manager, Director, as
appropriate
Name
Richard Vergez
Designation: Associate Director, Corporate Governance
Date
January 2012