Document Title
Document type: Risk Management Strategy
Version: 8
Author (name and designation): Trish Armstrong-Child, Director of Nursing
Ratified by: Board of Directors
Date ratified: 26th June 2014
Name of responsible committee/individual: Risk Management Committee
Name of Executive Lead: Trish Armstrong-Child, Director of Nursing
Master Document Controller: Annette Cox, Risk and Assurance Secretary
Date uploaded to intranet: 11th July 2014
Review date: March 2017
Equality Impact
Bolton NHS Foundation Trust strives to ensure equality of opportunity for all service
users, local people and the workforce. As an employer and a provider of healthcare
Bolton NHSFT aims to ensure that none are placed at a disadvantage as a result of
its policies and procedures. This document has therefore been equality impact
assessed by the Board of Directors to ensure fairness and consistency for all those
covered by it regardless of their individuality. The results are shown in the Equality
Impact Assessment (EIA) at appendix J.
Version Control Schedule
Version: 8
Type of Change: Major
Date: March 2014
Revisions from previous issues:
• Duty of Candour added
• Changes to risk escalation process
• New risk grading matrix
• Additional KPI for training added to monitoring section
• Risk Appetite matrix added
• Sources of risk added
Index
Executive Summary
1. Introduction
2. Purpose and Scope
3. Strategic Objectives
4. Risk Management Organisational Structure
5. The Risk Management Process
6. Risk Assessment, Evaluation & Registering Risk
7. Roles and Responsibilities
8. Dissemination and Implementation
9. Training
10. Monitoring
11. Resources
12. Review
13. NHS Constitution
14. Equality Impact Assessment
15. References
Appendices
A. Governance Structure
B. Assurance Map
C. Risk Assessment Form
D. Risk Evaluation Tool
E. Identifying Risks
F. Recording Risk
G. Risk Escalator
H. Risk Appetite for NHS Organisations
I. Risk Categorisation Matrix
J. Equality Impact Assessment
Bolton NHS Foundation Trust –Risk Management Strategy –– Aug 2014
Risk Management Strategy
Executive Summary
Risk management is an integral part of Bolton NHS Foundation Trust’s (BFT)
approach to quality improvement and good governance and is a central part of the
Trust’s strategic and operational management. It is the process whereby the Trust
identifies, assesses and analyses the risks inherent to and arising from its activities,
whether clinical or non-clinical including strategic, financial, workforce or any other
and puts in place robust and effective controls to mitigate those risks.
The aim of risk management is to improve safety and reduce the probability of failure
to meet regulatory compliance requirements or achieve strategic and operational
objectives. This strategy describes the systems that the Trust will use to embed risk
management throughout the organisation in order to provide assurance that risks are
managed and an effective internal control system is in place. The strategy is a
Trust-wide document, and is applicable to employees, as well as seconded and
sub-contracted staff at all levels of the organisation.
The Trust believes that effective risk management is imperative not only to provide a
safe environment and improved quality of care for service users and staff; it is also
significant in the business planning process, where a more competitive and successful
edge and public accountability in delivering health services are required.
The risk management process involves the identification, evaluation and treatment of
risk as part of a continuous process aimed at helping the trust and individuals to
reduce the incidence and impact of the risks they face. Risk management is therefore
a fundamental part of both the operational and strategic thinking of every part of
service delivery within the organisation.
The Trust is committed to working in partnership with staff to make risk management
a core organisational process and to ensure that it becomes an integral part of the
Trust philosophy and activities. This will be achieved by building and sustaining an
organisational culture, which encourages appropriate risk taking, effective internal
control systems and accountability for organisational learning in order to continuously
improve the quality of services. As part of this, the Trust undertakes to ensure that
adequate provision of resources, including financial, personal training and information
technology in as far as reasonably practicable is made available.
This strategy is subject to annual review via the Risk Management Committee and
approval at Trust Board every three years.
The Trust is committed to a duty of candour by ensuring that all interactions with
patients, relatives, carers, the general public, commissioners, governors, staff and
regulators are honest, open, transparent and appropriate and conducted in a timely
manner. These interactions be they verbal, written or electronic will be conducted in
line with the NPSA ‘Being Open’ alert (NPSA/2009/PSA003, available at
www.nrls.npsa.nhs.uk/beingopen) and other relevant regulatory standards,
prevailing legislation and the NHS constitution.
It is essential in communications with patients that when mistakes are made and/or
patients have a poor experience that this is explained in a plain language manner
making a clear apology for any harm or distress caused.
The Trust will monitor compliance with the principles of both the duty of candour and
being open NPSA alert through analysis of claims, complaints and serious untoward
incidents recorded within the SAFEGUARD Risk Management System.
1. Introduction
Bolton NHS Foundation Trust (BFT) is an integrated care organisation
providing a wide range of services including community health services. The
Trust recognises that the larger and more complex the organisation, the more
varied the risks it may face. It is therefore crucial that this strategy is a “live”
document which recognises, reflects and responds to the risks faced. The
Trust takes a holistic approach to all risk management issues incorporating
clinical, business and financial as well as the traditional safety related topics.
The Risk Management Strategy provides the Trust with a basis to deliver safe,
responsive and continual learning in the provision of high quality services.
Bolton NHS Foundation Trust recognises that there are risks in delivering
health services. In brief risk can be defined as:
“The possibility of incurring misfortune or loss; it can arise from
SERVICE USERS/RELATIVES/CARERS in contact with our services
whether in the community or in hospital, the ENVIRONMENT i.e.
buildings, car parks, roads gardens in which the Trust operates, the
EQUIPMENT used, the PEOPLE employed by or visiting the Trust or
the CLINICAL AND MANAGEMENT SYSTEMS of the Trust”
In summary, risk can be defined as: “What can go wrong and how likely is it to
go wrong”
Risk management is an integral part of the Trust’s internal control and is a
management responsibility. As part of our continuous quality improvement
programme, the identification, evaluation and control of risk will result in the
development of safer systems to work and a safer environment. Staff
awareness of their responsibility, whatever their role in the organisation, is a
key element of risk management. Risk management is vital in contributing
towards:
• ensuring we provide a high quality, safe service to our service
  users/carers and the staff who care for them; and
• providing a more cost effective service by eliminating or reducing
  unnecessary potential risks thus reducing costs
The Trust Board recognises that Trust wide quality performance includes being
responsive to:
• ensuring required standards are achieved
• investing and taking action on substandard performance
• planning and driving continuous improvement
• identifying, sharing and ensuring delivery of best practice
• identifying and managing risks to quality of care
This strategy has been developed having consulted and considered the nature
of the Trust’s business. To ensure that these areas are always reflected within
the strategy, this document will be reviewed by the Trust Board on an annual
basis. The strategy will support the Board and help inform the Board
Assurance Framework in identifying and managing all its strategic risks and will
in turn support the organisation’s strategic plan.
From a strategic perspective, the Trust aims to fully understand the current and
future risks to the organisation and to ensure that risk reduction/mitigation
strategies are developed to address the risks, and provide assurance to the
organisation that the controls in place to reduce those risks are working
effectively. The system of internal control should:
• be embedded in the operation of the organisation and form part of the
  culture
• be capable of responding quickly to evolving risks
• include procedures for reporting and escalating any significant control
  failings immediately to appropriate levels of management
2. Purpose and Scope
The purpose of the Risk Management Strategy is to detail the Trust’s
framework within which the Trust leads, directs and controls risks to its key
functions in order to comply with Health and Safety legislation, Foundation
Trust Terms of Authorisation and its strategic objectives. The Risk
Management Strategy underpins the Trust’s reputation and performance and is
fully endorsed by the Trust Board.
The strategy is to continue to improve the management of risk within the
organisation, to assist with implementation of the key priorities within the 2014
Annual Plan.
The Trust acknowledges its legal duty to safeguard staff, patients and
members of the public. There are also sound moral, financial and good
practice reasons for identifying and managing risks. Failure to manage risks
effectively can lead to harm/loss/damage in terms of personal injury and
also in terms of loss or damage to the Trust’s reputation; financial loss;
potential for complaints; litigation and adverse or unwanted publicity.
3. Strategic Objectives
Risk can be defined as anything that poses a threat to the achievement of the
Trust’s objectives, service delivery or patient safety. This may include damage
to the reputation of the Trust, which could undermine public confidence.
The Trust recognises that it faces a range of risks. Overall, the strategic
purpose of this document can be summarised as being to manage all types of
risk the Trust may face, including:
Risk: Description

Strategic: Risks which have the ability to affect the achievement of
strategic objectives of the Trust. Also includes risks such as loss
of business or breach of contract, reputational risks leading to
loss or jeopardising the business of the Trust and risks posed by
competitors.

Clinical: Risks which have the ability to affect patient care and may cause
harm to the patient, including patient safety risks. This covers
anything related to the diagnosis, treatment and outcome of
each patient’s care. Psychological harm or distress is also
included. Risks to staffing levels to provide safe, high quality
care to patients. Risks relating to recruitment as well as staff
conduct, competency, registration and professional practice.
This also includes potential future risks to quality through the
Trust Cost Improvement Programmes.

Health and Safety: Risks which do not have the ability to directly affect individual
patient care or harm the patient in a clinical or treatment focused
way, but have the ability to affect patients and others on site such
as visitors, contractors and staff. This includes fire, security,
environmental and health and safety issues.

Financial: Risks which have the ability to affect the financial wellbeing of
the Trust, including risk of fraud and claims against the Trust.
This also includes protecting intellectual property.

Information Governance: Risks which pose the possibility of a breach of confidentiality,
either personal or professional (e.g. leak of information sensitive
to the Trust).

Reputation: Protecting and maintaining the reputation of the Trust.

Compliance: Ensuring the Trust meets the requirements of external regulators
and auditors.

It is recognised that the boundaries between these categories are not always
clear, and that some risks may fall into more than one category. The Trust
Risk Register will hold a record of all risks.
BFT is committed to ensuring the safety of patients, staff and the public
through the integrated management of all aspects of governance and risk. The
Trust recognises that this is best achieved through an environment of honesty
and openness, where mistakes and adverse events are identified quickly and
dealt with in a positive and responsive way. This commitment is made through
the establishment of a formal process for controlling and managing risk, which
reports directly to the Trust Board.
4. RISK MANAGEMENT ORGANISATIONAL STRUCTURE
4.1 Governance and Risk Management Committees
A strong organisational structure, lines of reporting and accountability are key
to the delivery of the Trust’s risk management objectives. Appendix A outlines
the organisational structure of the Trust including lines of reporting. To
strengthen the Trust’s ability to deliver effective risk management, the
organisational structure includes a number of high level Committees with
responsibility for risk as appropriate to their function.
The Board, the Audit Committee, Quality Assurance Committee, Finance
Committee, Risk Management Committee and the Workforce Committee all
have a critical function in considering a range of policy and strategic issues
covering both clinical and non-clinical activities, and provide a forum for
addressing and managing areas of risk. These structures are designed to
ensure that there is clear accountability and that information flows quickly to
the Board and its committees. In this way the Trust can identify patterns and
promote best practices throughout the organisation. The identification of roles
and responsibilities provides a culture of transparency of decision-making.
4.2 Board of Directors
The Board gains assurance that risks are being appropriately managed
throughout the organisation through the Board Assurance Framework (BAF).
The Board Assurance Framework includes risks that are associated with the
strategic objectives of the organisation.
The Board accepts prime
responsibility for corporate governance and the development of systems and
processes for internal control, including risk management, the Board
Assurance Framework and compliance with Care Quality Commission (CQC)
regulations.
Those risks associated with an initial rating of 15 or more will be escalated to
the Executive Director Meeting and will be reported to the appropriate Board
Committee.
4.3 Audit Committee
The Audit Committee reviews the establishment and maintenance of an
effective system of risk management and internal control across the Trust,
delegating the management of clinical risk to the Quality Assurance
Committee. The Audit Committee provides an oversight of the activities of
internal audit, external audit, the local counter fraud service and the assurance
on internal control, including compliance with the law and regulations
governing the Trust’s activities.
The Audit Committee is chaired by a Non-Executive Director and membership
consists solely of Non-Executive Directors. Board Executives are invited to
attend.
The full Terms of Reference for the Audit Committee and the key Governance/Risk
Committees (updated annually) can be found on the Trust’s intranet.
The Audit Committee oversees the annual audit programme for the Trust. This
includes verifying that the Trust has suitable and effective systems of internal
controls with respect to risk management in place. An annual Head of Internal
Audit Report is presented to the Audit Committee.
4.4 Quality Assurance Committee
The purpose of the Quality Assurance Committee is to assist the Board in
obtaining assurance that high standards of care are provided and any risks to
quality identified and robustly addressed at an early stage. The Committee will
work with the Audit Committee to ensure that there are adequate and
appropriate quality governance structures, processes and controls in place
throughout the Trust to:
• promote safety and excellence in patient care
• identify, prioritise and manage risk arising from clinical care
• ensure efficient and effective use of resources through evidence based
  clinical practice
The Committee is responsible for the following aspects of Risk Management:
• promote systems which provide assurance and improve the quality of
  care, safety and experience of patients, carers, staff and visitors to the
  Trust
• exercise oversight of the systems of governance and risk management
  and seek assurance that they are fit-for-purpose, adequately resourced
  and effectively deployed to concentrate on matters of concern
• oversee the effective management of risks as appropriate to the
  purpose of the committee
• seek assurances that the Trust complies with its own policies and all
  relevant external regulations and standards of governance and risk
  management (CQC essential standards of quality and safety)
• review quality governance and require action to address any
  non-compliance with Monitor’s Quality Governance Framework
• review relevant external reports including CQC and ensure action
  plans are devised and performance managed to address any identified
  deficiencies in clinical governance
• monitor and sign off action plans of serious untoward incidents
• satisfy itself and the Board that structures, processes and
  responsibilities for identifying and managing risks to patients, staff and
  the organisation are adequate
• ensure that standards and procedures relating to risk are embedded
  throughout the Trust, with mechanisms through the committee for
  detailed scrutiny of high and significant areas, including consultation
  with appropriate Trust staff
4.5 Risk Management Committee
The Risk Management Committee is a management committee accountable to
the Board of Directors. The committee is responsible for determining the most
appropriate course of action to manage risk and report this to the Executive
team and where appropriate to the Board. The committee will provide reports
to the Audit Committee on assurances relating to the effective operation of
controls.
The committee is responsible for the following aspects of Risk Management:
• provide leadership to ensure risk is identified and managed proactively
  in accordance with the Board’s risk appetite
• champion and promote highly-effective risk management practices and
  ensure that the risk management process and culture are embedded
  throughout the organisation
• maximise the delivery of objectives through an effective control system
• keep risk under prudent control at all times and minimise over exposure
  to risk
• improve the standard of decision making on risk management
• receive and review the BAF bi-monthly and agree corporate risks for
  addition to the BAF
4.6 Finance and Investment Committee
The Finance and Investment Committee supports and advises the Board on all
aspects of the Trust’s Annual, Medium and Long Term Financial Plans and
recommends adoption of the plans to the Board of Directors.
The Committee is responsible for the following aspect of Risk Management:
• To oversee Financial Risk Assessment and Financial Risk Management
4.7 Workforce Committee
The purpose of the Workforce Committee is to support and advise the Board
on Human Resource performance, strategic plans and programmes and policy
and strategic direction.
The Committee is responsible for the following aspects of Risk Management:
• The monitoring of recruitment of staff in accordance with the CQC Essential
  Standards of Quality and Safety.
For the overall Assurance Map on the interaction between the Committees and the
Groups, see Appendix B.
4.9 Internal Audit
The Trust currently uses PricewaterhouseCoopers (PwC) as its Internal
Auditors, which meet mandatory NHS Internal Audit Standards and provide
appropriate independent assurance to the Audit Committee, Chief Executive
and Board. They primarily provide an independent and objective opinion to the
Trust on the degree to which risk management, control and governance
processes support the achievement of the Trust’s objectives. Further, the
Trust’s Medical Director will also set out an annual clinical audit forward
programme and report results back to the Clinical Governance and Quality
Committee.
4.10 External Audit
The Trust’s external auditors are KPMG. External Audit is an essential
element of corporate governance, contributing to the stewardship and process
of accountability for use of resources. The scope of audits is extended to
cover not just financial statements but the arrangements to secure value for
money. This reports into the Audit Committee.
4.11 Approaches to Risk
Bolton NHS Foundation Trust will adopt the following approaches to risk
management:
4.11.1 Pro-active approaches to risk management (see also appendix G)
• Developing and maintaining the BAF and Risk Registers
• Ensuring a consistent approach to risk assessments/development of risk
  registers through implementation of this policy and the Trust Online Risk
  Register
• Devising robust systems of maintaining policies and procedures across
  the organisation
• Putting in place policies to ensure achievement of corporate objectives
  and mitigating risks associated with their achievement e.g. Incident and
  Serious incident Reporting Policy, Health and Safety Policy
• Ensuring an effective Safety Alert System
• Clinical Audit
• Ensuring efficient Emergency Planning and Business Continuity
  Planning
• Ensuring appropriate response to recommendations of National Institute
  of Clinical Excellence (NICE) guidelines
• Ensuring training and development of staff
4.11.2 Reactive approaches to risk management through (see also appendix G)
• Near-miss and Incident reporting process
• Serious Incident Reporting
• Complaints and Patient Advice and Liaison Service (PALS) contacts
• Claims Management
• Implementing recommendations from National Enquiries,
  internal/external reviews/recommendations etc
• Implementing legislative changes to those resulting from changes in
  national policy
• Using information in public domain published by the regulatory bodies
4.12 Risk Taking, Appetite, Tolerance and Opportunities (see appendix H)
Risk Taking
The Bolton NHS Foundation Trust acknowledges that delivering health
improvements and embracing positive advantages may involve taking
risks. We cannot create a risk free environment, but rather one in which risk is
considered as an integral part of everything we do and is appropriately
identified and controlled.
Risk Appetite
Bolton NHS Foundation Trust will need to establish the risk appetite of the
organisation. Risk appetite is the amount of risk that any organisation is
prepared to accept, or tolerate, or be exposed to at any point in time and every
risk needs to be assessed for the acceptable level of risk appetite (see
appendix H)
Risk Tolerance
Risk tolerance is the acceptable level of variation relative to achievement of an
individual objective. It is the amount of risk to which a programme or an
activity is prepared to be exposed, or that its resources allow it to be exposed
to, before actions become necessary.
The Trust has set its tolerance threshold for acceptable risk at medium. This
threshold is set in expectation of what risks are likely to be actually realised
and the resources needed to realistically control them.
Below this level ‘all’ risks are monitored and evaluated on an on-going basis to
confirm or reassess that rating. All risks at and above this threshold (at any
level of the organisation) are actively managed and mitigating actions taken to
bring the risks back to within tolerance.
Risks and Opportunities
Risk is not always negative or representing loss, hazard, harm and adverse
consequences. The Trust acknowledges that as part of risk assessment
process, the possibility of ‘upside risk’ or opportunity must be explored i.e.
uncertainties that could have a beneficial effect on achieving objectives.
5. THE RISK MANAGEMENT PROCESS
5.1 Accepted risks
Bolton NHS Foundation Trust is committed to minimising all risks to as low as
reasonably practicable. However, it is not realistic to aim to eliminate or
reduce all risks. In many instances it is necessary to make judgements as to
whether the benefits to be gained by taking a specific risk outweigh the risk
itself. There is always a balance to be struck between risk and benefit.
Accepted risks are formally reviewed at least quarterly by the appropriate
locality to ensure the controls are still sufficient to keep the risk at the accepted
level. If the risk has remained at the appropriate level for a 12 month period
these risks can be closed off.
Risk management is having in place a corporate and systematic process for
reporting and evaluating the impact of risk in a cost effective way and having
staff with the appropriate skills to identify and assess the potential for risk to
arise.
The Risk Management Process provides a framework by which organisational
risks are identified, reviewed and monitored. This is achieved through the
following stages:
Risks are:
• Identified from a diverse range of sources, including front line
  staff
• Recorded on the Risk Register
• Subject to robust and effective reporting and review
  arrangements
• Escalated to the Board Assurance Framework (where and when
  appropriate)
• Subject to effective monitoring
Aims of the Trust Risk Management Framework:
• To safeguard and enhance the quality of healthcare provided
• To protect the services, reputation and finances of the Trust
• To promote risk management as an explicit part of the function of
  individual staff members and the organisation so that staff may operate
  according to clear policies, standards and protocols, which are
  monitored and reviewed through the process of audit, including clinical
  audit
• To identify, assess, reduce and manage risk to people who use the
  service, staff who provide the service and others, for example visitors,
  contractors and the general public
• To reduce the incidence of actual harm from suicide, deliberate
  self-harm, violence, self-neglect, abuse, exploitation, accidents to staff and
  other non-clinical incidents
• To ensure risks and the achievement of the Trust’s annual objectives set
  by the Trust Board are identified and managed, and to promote an
  awareness of a risk management culture within the Trust
• To identify any future risks to the Trust through review of national
  enquiries and learning and recommendations for health organisations
• To ensure Cost Improvement Programmes are fully assessed for the
  impact they may have on the quality of services delivered, as well as for
  the financial impact and delivery
• To monitor the market position of the Trust and its strengths and
  weaknesses in relation to its competitors
• To provide assurance to the Board that risk controls are effective
5.2 The Trust Risk Register
The Trust Risk Register is a log of all risks (operational and strategic) that
threaten BFT’s success in achieving its objectives. It is a dynamic living
document which is populated through the organisation risk assessment and
evaluation process. The risk registers (divisional and corporate) enable risks
to be quantified and ranked and provides a structure for collating information
about risks.
Safeguard is Bolton Foundation Trust’s Risk Management system and is used
to manage and report risk from a variety of sources by all services throughout
the Trust.
Each Team/Service undertakes risk assessments which feed into the
Divisional level Risk Register.
These registers will include identified risks related to both strategic and local
objectives e.g. those related to key performance targets, as well as
departmental risks of high rating. Action required to mitigate risks should be
identified within the directorate and documented within the risk registers.
The Divisional risk registers are collated to form the single Trust Risk Register.
Risks are treated and filtered upwards through different levels of management
to the Board. These risks will be combined with the strategic risks thus
allowing for a bottom-up/top-down approach to identifying the Trust’s principal
risks and informing the Board Assurance Framework. (See appendix G). This
empowers risk management decision making to occur as near as practicable to
the risk source. In addition, significant risks and those that cannot be treated
can be passed upwards to the appropriate level.
5.3 Escalation of Risk – Strategic Risk Register (Appendix G)
The Trust operates an escalation process depending on the level of risk
identified; this determines whether risks can be managed at
Directorate/Divisional (operational) level (i.e. negligible, minor or moderate risks)
or need to be escalated to Trust level and managed via the Corporate Risk
Register.
The highest-ranking risks, assessed at 15 and above, from the Divisional level
and any risk impacting across the Trust will be used to populate and inform the
Trust’s Corporate Risk Register.
The Corporate Risk Register (risks rated at 15 or above) is monitored and
reviewed at the Risk Management Committee meeting monthly.
This proactive approach to risk management is holistic and intends to identify
all risks to the operation, including clinical, organisational, health and safety,
business, marketing and financial.
The Trust Board carries out a risk analysis as part of the development of the
Trust’s Annual Plan. A risk action plan will be developed to contain details of
each action required to treat the identified principal risks, and will be set out in
the Board Assurance Framework.
A rolling programme of review is in place to ensure that the risks are
appropriately captured, accurately recorded and scored, mitigated by
appropriate actions, reviewed at directorate level and escalated to the Board
when necessary via its committees.
The Divisions review all relevant corporate and local risks at all levels on their
risk registers at the Divisional Governance Boards on a monthly basis to
monitor progress of the implementation of action plans. They have authority to
adjust the risk level as actions are put in place to close gaps, and/or accept risk
if necessary. This is carried out monthly and presented to the Risk
Management Committee.
5.4 The Board Assurance Framework
The Board Assurance Framework (BAF) is a statutory requirement and is a
management tool that provides the Trust Board with evidence that effective
controls and assurance are in place to manage the key risks associated with
achieving its principal strategic objectives. It provides the Trust with a simple
but comprehensive method of describing the organisation’s objectives,
identifying the key risks to their achievement and the gaps in assurances on
which the Board relies. It is maintained by the Trust Secretary and reviewed at
the Risk Management Committee.
The BAF is reviewed in its entirety by the Audit Committee three times a year.
The key risks and actions to mitigate the risks, target date for achievement of
actions and a summary statement, drive and shape the Trust Board agenda.
The BAF will be reported to, and reviewed by the Trust Board twice a year.
There is a clear relationship between the BAF and the Trust’s Risk Register.
For example if a report is received by the Trust that heightens the risk of
achieving a particular strategic objective then it should be featured within the
BAF and also identified as a significant risk within the Risk Register. Similarly
if a major risk featured in the Risk Register has the potential to impact on the
achievement of strategic objectives then this should be recorded in
the BAF. Clear plans of action must be put in place to reduce extreme risks
and will be overseen by the Audit Committee and Trust Board.
Bolton NHS Foundation Trust –Risk Management Strategy –– Aug 2014
6. RISK ASSESSMENT, EVALUATION AND REGISTERING RISKS
6.1 Risk Assessment
All risks that are proactively identified will be assessed using the Trust risk
grading matrix (appendix J). The risk assessment process may identify single
or multiple risks that require the creation of a risk record(s) and entry onto the
Trust Local or Corporate risk register.
For risks identified reactively (e.g. from an incident, complaint, claim etc.), a risk
record can be created directly on the Trust risk register or can follow the risk
assessment route.
The first stage is to identify the risks the Trust carries. This will be achieved by
considering the Trust strategic objectives and the area's ability to achieve
these. Other considerations are listed in Appendix F.
It should be noted that the list is not exhaustive. It is unlikely that one
particular method of identification will be sufficient to address all the hazards
faced by the Trust, therefore a combination of methods will be required to
ensure that there are no gaps in hazard identification.
Risk assessments will be carried out by staff in line with the Trust's “How to do a
Risk Assessment”, Appendix D, to ensure Trust-wide consistency. Risk
assessments and associated reports will be discussed with the appropriate
managers/clinicians to agree actions to mitigate or reduce potential risks.
Systems for risk assessment will provide a structured method to:
- Identify hazards
- Establish which hazards are most dangerous and to whom
- Assess adequacy of existing precautions and controls
- Assess how likely it is to occur and what the impact would generally be
  if it occurs
- Multiply the likelihood score by the impact score using the matrix to
  define the level of risk severity
- Assign responsibility to an appropriate senior manager or clinician
- Devise plans to meet any shortcomings
- Establish how changes can be introduced
6.2 Risk Evaluation
Risks are evaluated to establish the level of risk as part of the Risk
Assessment process above, using one tool enabling a systematic approach to
risk evaluation (see Appendix J). The level of risk is its magnitude. It is
estimated by considering and combining consequences and likelihoods. A level
of risk can be assigned to a single risk or to a combination of risks. Bolton
NHS Foundation Trust will utilise three risk ratings: current, target and residual.
Current risk rating reflects the controls that are currently in place to mitigate
the risk.
Target risk rating is realistically the level of risk that would be acceptable once
all actions have been implemented; this is the level of risk that is reasonably
expected once all controls are in place and active.
Residual risk rating is the risk that is left once all actions have been
implemented; this may differ from the target risk rating that is expected. The
residual risk will be the acceptable level of risk determined by the Trust.
6.3 Registering Risks - Risk Record
A risk is formally registered through the creation of a risk record. The risk
record is an electronic record of the risk and associated actions required to
mitigate the risk, maintained via the Trust risk register. Each risk will have a
risk handler assigned.
The risk handler will advise whether a risk will form part of the Trust local or
corporate risk register e.g. a risk which does not impact on strategic objectives
of the Trust would be registered and managed at a local level and assigned to
an appropriate manager (risk lead). Ideally the appropriate manager is the Risk
Manager for corporate risks and operational leads for local level risks.
Corporate risks will also be assigned an executive lead.
6.4 Risk Register
The Trust records risks on Risk Registers. This provides a tool to help the
on-going management and review of identified risks and, through a process of risk
grading, allows managers to prioritise risk reduction activities. The Trust
operates two types of risk registers, both following the same format: local
registers and a corporate register, defined by the risk locality. The corporate
risk register feeds into the BAF, which includes the key risks to corporate
objectives.
6.4.1 Corporate risk register: refers to those risks that would affect the delivery of
the Trust principal/strategic objectives, or that impact across the Trust, i.e. are not
division-specific.
6.4.2 Local risk register: refers to a level lower than the corporate risk register:
department/ward/divisional/directorate or specialist group level risks that are
important to these areas but are not likely to impact at Trust strategic level.
Areas from ward/department level upwards are able to access risks relevant to
their area, making the on-going management of risks simpler. Risks will be
defined as local risks or corporate risks (risk locality). It will be possible to
have a high local risk that is not on the corporate risk register if the filtering
mechanism agrees to this. The filtering mechanism will be Risk Handlers in
the first instance and then Divisional Governance Boards for clinical areas or
Executive Directors/Directors in the case of non-clinical risk. Verification or
rejection on the CRR, and assignment to the Executive lead, is through the Risk
Management Committee. Once actions have been taken to manage risks and
local management has been proved effective, a risk may be closed.
Risk Treatment
For each risk identified within Bolton NHS Foundation Trust that is added to the
risk register, a risk treatment plan will also be identified and attached to each
risk. These plans will include detail on the following:
- A description of the risk
- Current control measures
- Current risk rating
- Target risk rating
- Identified actions to mitigate the risk
- Who has responsibility for implementing the risk treatment plan
- Committee with responsibility for monitoring progress with the risk
  treatment plan
- Expected date of implementation
- Review dates
- Residual risk rating
The organisation will be expected to evidence that such plans have been produced as
a result of the risk management process. A Risk Treatment Plan should be included
within the SAFEGUARD Risk Register for each identified risk.
6.5 Risk Management Framework
The Trust operates an escalation/de-escalation process depending on the level
and locality of the risk identified. This determines whether risks can be
managed at local level, or need to be escalated to corporate level and
managed via the Corporate Register.
6.6 Escalation/De-escalation
6.6.1 Escalation: Medium-high level risks that cannot be reduced locally or that pose
a significant risk to the organisation and its objectives are escalated to the
corporate risk register for on-going monitoring by the Risk Management
Committee (medium-high) and the Trust Board (high).
6.6.2 De-escalation: Corporate risks reduced to a low level following mitigation of
the residual risk will be de-escalated for local management but will remain on
the corporate risk register. High-level corporate risks which have been
reduced to a medium residual risk will be de-escalated by the Trust Board to
the Risk Management Committee.
6.6.3 De-activation: Risks will be de-activated from the risk register when the risk is
fully controlled and no longer poses any threat to the Trust or when the risk is
transferred.
7. ROLES AND RESPONSIBILITIES OF KEY INDIVIDUALS
All staff are responsible for managing risk. They have a key role in identifying,
reporting and escalating risks and incidents promptly, thereby allowing risks to
be managed and added to the risk register if appropriate. In addition, staff
have a responsibility for taking steps to avoid injuries and risks to patients, staff
and visitors.
The duties and roles of key individuals responsible for advising and
coordinating risk management activities can be summarised as follows:
7.1 The Board of Directors
The Board of Directors is required to have the capability within its structure to
carry out its roles and functions in relation to risk as defined in Monitor’s Risk
Assessment Framework. The Accountable Officer, the Chief Executive, has a
specific responsibility for internal control, and the Board has a collective
responsibility to ensure that the direction, once set, is being followed.
7.2 Chief Executive
The Chief Executive has overall responsibility and accountability for risk within
the Trust. The Chief Executive is responsible for the Trust Risk Register. The
Chief Executive will sign an annual Statement of Internal Control, outlining the
Trust’s governance and assurance systems, and a Statement of Accounting
Officer’s Responsibilities, which are submitted to Monitor and published in the
Trust’s Annual Report.
The Chief Executive provides leadership and strategic direction to risk
management processes. This responsibility includes consideration of the
Trust’s Risk Register and resource allocation relating to the significant risks of
the Trust.
7.3 Chair of the Audit Committee
There is a named non-executive director who has responsibility for risk
management and chairs the Audit Committee.
7.4 Director of Nursing
The Director of Nursing has the responsibility for the production of key
documents such as the Trust’s Quality Account and for developing processes
to improve the Quality of services provided by the Trust. The Director of
Nursing also holds responsibility for the Trust on non-compliance with the CQC
essential standards and is the Director for Infection Prevention and Control
(DIPC).
7.5 Director of Finance
The Director of Finance is responsible for the management of financial risks
and ensuring that any significant risks are brought to the attention of the Board.
The Director of Finance ensures that the Trust carries out its business
providing healthcare within sound Financial Governance arrangements that are
controlled and monitored through robust audit and accounting mechanisms
that are open to public scrutiny on an annual basis.
7.6 Director of Workforce and Organisational Development
The Director of Workforce and OD is responsible for the management of risk in
relation to staff, including recruitment processes and staff side negotiations,
and for ensuring appropriate processes are in place to manage any workforce
associated risks.
7.7 Medical Director
The Medical Director has responsibility and authority for risk management
relating to their professional fields.
Acts as Caldicott Guardian.
7.8 Chief Operating Officer
The Chief Operating Officer is responsible for the operation of clinical services,
IT and Estates and has responsibility and authority for risks arising from these
services.
The Chief Operating Officer is the Senior Information Risk Owner (SIRO).
7.9 Trust Secretary
Leads on the management of strategic risk within the organisation and is
responsible for:
- ensuring compliance with the Constitution
- regular reviews of the Trust Risk Register
- ensuring appropriate training is given to Board members on risk
  management
- accessing and providing legal advice where appropriate
- maintaining the Trust Policy Database, to ensure version control, and
  Records Management
- production of the Annual Governance Statement and the Board
  Assurance Framework
- maintenance of appropriate insurances and indemnities
- ensuring compliance with Freedom of Information
7.10 Head of Governance
The Head of Governance reports to the Director of Nursing and is responsible
for conducting/overseeing a programme of clinical risk assessments, root
cause analysis and incident reporting throughout the Trust to ensure where
possible an integrated risk management approach, and is the major interface
between the Trust and overall quality with external bodies, i.e. Monitor, CQC
and NHSLA.
Risk Manager
The Risk Manager reports to the Head of Governance and is responsible for
the management of the Trust’s SAFEGUARD risk management system and
for the line management of the Risk Co-ordinators. The Risk
Manager will also provide mandatory training to all staff in risk management
and will act as a focal point of expertise within the Risk and Assurance
Department.
7.11 Patient Safety Lead Practitioner
The Patient Safety Lead Practitioner reports to the Medical Director and
Director of Nursing and is responsible for the day-to-day management of
clinical audit and effectiveness, across the Trust.
7.12 Health and Safety Manager
The Health and Safety Manager oversees the Trust Health and Safety
Advisors who provide speciality advice to managers to maintain best health
and safety practice. The Health and Safety Manager acts as a Trust link with
the Health and Safety Executive and ensures Trust wide Health and Safety
Audits are undertaken and action plans carried forward within directorates.
The Health and Safety Manager will ensure RIDDOR reportable adverse
incidents are reported to the HSE and identifies trends to mitigate
reoccurrence.
7.13 Local Security Management Specialist (LSMS)
The Chief Operating Officer is supported by an appropriately qualified Local
Security Management Specialist who is responsible for ensuring the
requirements of the Secretary of State Directorate for Security Management
are completed within the Trust. The LSMS also works with the police to
prosecute individuals for physical assault against staff and support staff after
adverse incidents and through legal proceedings, as well as ensuring proactive
actions are taken to safeguard Trust premises and assets. The role is also to
investigate all cases of loss to ensure robust procedures are in place and being
followed.
7.14 Senior Information Risk Owner (SIRO) – COO (7.8)
Acts as the lead to foster a culture that values, protects and uses information
for the success of the organisation and benefit of its customers:
- Advise the Chief Executive on Information Risk Aspects
- Ensure incidents are reported via the Incident Reporting System
7.15 Caldicott Guardian
The Medical Director is the Caldicott Guardian and represents and champions
confidentiality requirements and issues within the organisation to ensure that
NHS and partner organisations satisfy the highest practical standards for
handling patient information, and will act as the “conscience” of the
organisation.
7.16 Divisional Management Team (Head of Division (HoD), Divisional
Directors of Operations (DDO), Professional Lead (PL))
Are responsible for compliance with this strategy and for ensuring that remedial
action is taken wherever key risks are identified within their area of
responsibility, including:
- Ensuring that appropriate and effective risk management processes are
  in place within their designated area(s) and scope of responsibility
- Ensuring Risk Assessments are undertaken and action implemented
- Implementing and monitoring any identified and
  appropriate risk management control measures within their designated
  area(s) and scope of responsibility
- Ensuring staff undertake mandatory and statutory training
- Ensuring the reporting of Adverse Incidents is undertaken, together with
  action to prevent or minimise a reoccurrence
Risks should be dealt with at a management level appropriate to the assessed
rating as follows:
Low risk - individual staff/first line manager
Moderate risk - hospital/service manager
High risk - Director/Chief Executive
7.17 Risk Handlers: Divisional Governance Leads, Risk Manager and Health
and Safety Manager
These teams are able to advise about risks, facilitate risk assessments, assist
in incorporating risks onto the relevant risk registers for their areas and verify
risks for inclusion and onward management on the local risk register or reject
the risk if more work/information is required.
7.18 All Trust Employees
All employees of the Trust have a responsibility to:
- Ensure they work in accordance with all policies and procedures
- Ensure they practise within the standards of their professional bodies,
  any other national standards and any locally determined clinical policies
  and guidelines to ensure their practice is as risk free as possible
- Identify, through their own department's self-assessment process and
  line management arrangements, any risks they feel exist within the
  service and their practice
- Provide incident reports and supporting documentation for any
  unexpected event or incident arising from clinical care or treatment
  provided
- Ensure they attend induction and receive mandatory update training on
  risk management policy and procedures.
7.19 Specialist Advice
Advice and expertise in specific areas of risk is available from:
- Caldicott Guardian
- Research and Development Manager (Research Governance)
- Divisional Governance Leads
- Head of Governance
- Trust Secretary
- Director of Estates and Facilities
- Fire Officer
- Health and Safety Team
- Infection Control Lead Nurse
- Local Security Management Specialist
- Local Counter Fraud Management Specialist
- Senior Information Risk Owner – Information Governance Risks
7.20 Learning
The Trust will continue to promote an open learning culture to identify and
disseminate local examples of good practice. This includes systems of
information sharing, collation, monitoring, analysis and reporting of themes and
trends arising from the data of complaints, incidents and patient and carer
feedback to give early warning of emerging patterns of risk behaviour, in the
interests of patient safety. This facilitates the detection of problems, failures
and trends in the management of risk; promotion and participation in audit
projects within clinical risk; and ensuring information is disseminated through
clinical and operational management structures. The following describes how
the Trust learns from its risk management processes:
- Adverse incidents, complaints and claims are collated and analysed in
  monthly reports and discussed at the Quality Assurance Committee and
  disseminated to Directorate Management Teams for consideration of
  trends and shared learning;
- A focus on clinical risk at team away days with lessons to be learnt and
  practice changes identified through a cycle of audit for significant
  actions to demonstrate improvement;
- National reports and external enquiries are reviewed at the Quality
  Assurance Committee. A local action plan is drawn up and
  implemented via Directorate Management Groups;
- Adaptations to training programmes are made in response to learning
  from identified/managed risks
- Financial forecasts are adjusted in the light of identified risks
- In addition, identified groups receive daily incident reports
Risk Escalation Process
7.21 Risk Register
7.21.1 Low Risk: Coded Green
Risks assessed at this level will be managed locally and will appear on the
local risk registers. These risks will still need to be reviewed to ensure controls
remain robust and risk does not change.
7.21.2 Medium Risk – Coded Amber
Medium risks may be held at corporate and/or local level if this is deemed
appropriate by either the RMC/local level. If the risk is of a corporate nature,
i.e. impacts across the Trust, this will be included on the corporate risk
register regardless of score. If these risks cannot be managed by the Division
then they will be escalated to the Risk Management Committee for
consideration and debate.
7.21.3 High Risks – Coded Red
Risks assessed at this level need action to reduce the risk level and monitoring
to ensure this is happening in a timely fashion. It may be decided by the Trust
Board that in the short term, the only acceptable response may be to suspend
the activity associated with the risk. High level risks will still need to be
managed by local areas; however a decision on mitigation may need to be
made by either the RMC or the Board. These risks will be escalated to the
Risk Management Committee on a quarterly basis.
7.22 Review of the Corporate Risk Register
Corporate risks are reviewed quarterly by the Risk Management Committee
(RMC).
Where the resolution of a risk needs funding beyond available budgets, a
business case will be developed as part of the Trust’s business planning
process; this will include an assessment of risk to the achievement of the Trust
objective should the business case not be agreed.
Those corporate risks, which remain at a high level when all available controls
have been put in place, will be reported to Quality Assurance Committee to
determine that the risk will be accepted and if escalation to Board is required.
8. DISSEMINATION AND IMPLEMENTATION
The Risk Management Strategy (including the Board Assurance Framework)
will be available to all staff via the Trust Policy Information Management
System. Staff will be alerted to the strategy by a general email and Team Brief.
Current staff will be updated on changes to this document through the Trust
intranet, and risk management/governance meetings within their area.
9. TRAINING
A programme of risk management is provided for all employees as outlined
within the Trust Training Needs Analysis as described in the Trust's Statutory
Mandatory Training Policy, which includes a description of risk management
training requirements covering:
- Relevant staff groups
- Frequency of training
- Attendance and follow up on non-attendance
All new employees receive risk management training at the Mandatory
Corporate Induction programme which includes risk awareness training as well
as Health and Safety, Fire and Manual Handling.
The reporting and monitoring of compliance and the processes the Trust
follows when gaps in compliance are identified are managed through the
process described in the Trust Statutory Mandatory Training Policy.
10. MONITORING COMPLIANCE
All risks including incidents, complaints and claims that have been
identified/reported will be responded to immediately. The emphasis is for
investigation and action to take place at the level of assessed risk or through
the incident reporting process. Specialist input should be sought if required.
All managers will review their incidents on an on-going basis to identify any
trends and to ensure action is taken promptly.
External quality assurance processes include:
- Care Quality Commission (CQC Visits)
- NICE Quality Standards
- Patient Safety Alerts
- External Audit
The Risk Management processes are also subject to external reviews by the
CQC and the Health and Safety Executive (HSE).
Monitoring Compliance with the Risk Management Strategy
Element to be
monitored
What needs
Monitoring
Risk Management
Systems and
Processes
Lead
Who will
lead on
this aspect
of
monitoring
– name the
lead and
job title
Internal
Audit
Tool/
Methodology
Frequency
Reporting
arrangements
Action Lead(s)
Change in practice and
lessons to be shared
What tool will
I use to
monitor/check that
everything is
working
How often
will we need
to monitor/
frequency
Who or what
committee will
I report the
results to for
information
and action
Who will
undertake the
action planning
for deficiencies
How will changes be
implemented and lessons
shared
Audit
Annually
Audit Committee (AC)
Risk Manager/Head of Governance
Corporate risk
registers and
exception reports
from RMC
Trust Board
Committee
meetings
Quarterly
Risk
Management
Committee
(RMC)
Trust Secretary/
Head of
Governance
Board Assurance
Framework
AC/RMC
Committee
meetings
Committee
meetings
Quarterly
Trust Board
Trust Secretary
Trust Board
Required changes to practice
will be identified and actioned
within a specific time frame. A
lead member of the team
along with Governance Leads
will be identified to take each
change forward where
appropriate lessons will be
shared with all relevant
stakeholders.
Required changes to practice
will be identified and actioned
within a specific time frame.
The Head of Governance will
be identified to take each
change forward where
appropriate and report to RMC
Required changes to practice
will be identified and actioned
within a specific timeframe.
The Trust Secretary will take
any changes forward where
appropriate
Element to be
monitored
Terms of Reference
of each Board
Committee checked
to ensure reporting
structures remain
compliant
Risk Management
Training
Lead
Chair of
RMC/
Chair AC
Tool/
Methodology
Committee
meeting
discussion
Head of Governance
Evaluation forms
Annually
Reporting
arrangements
Trust Board
Quarterly
RMC
Frequency
Action Lead(s)
Trust secretary/
Head of
Governance
Head of
Governance
Change in practice and
lessons to be shared
Board approved Terms of
Reference disseminated to
committee members
Risk Manager/Head of
Governance will review
training as a result of feedback
from staff.
Monitoring Compliance with the risk management process
Element to be
monitored
What needs
Monitoring
Risk assessments
risk registers
Tool/
Methodology
What tool will I use to monitor/check that everything is working
according to this element of the policy
Who will lead on this aspect of monitoring – name the lead and job title
Divisional Governance Leads
Check current risk assessment form used
Review, moderate and check for consistency against Trust agreed risk
evaluation tool
Risk Manager
Risk Registers are being used effectively in all areas
Lead
Frequency
Reporting
arrangements
Action Lead(s)
Change in practice and
lessons to be shared
How often
will we need
to monitor/
frequency
Who or what
committee will
I report the
results to for
information
and action
Who will
undertake the
action planning
for deficiencies
How will changes be
implemented and lessons
shared
All risks
transferred
onto a local
or corporate
risk register
monthly
Relevant
Divisional
Governance
Board by
exception
Relevant clinical,
corporate
Divisional
Governance Lead
Required changes to practice will
be identified and actioned within
a specific time frame. A lead
member of the team will be
identified to take each change
forward where appropriate and
lessons will be shared with all
relevant stakeholders
Monthly
Overdue actions
highlighted to
assigned
management
lead; risk
register reports
show overdue
actions in red produced for
informal
meeting,
Governance
Leads
If overdue actions are reported to
RMC the committee will ask
searching questions as to why
an action has not been
progressed, the relevant
Governance Lead/Executive will
be tasked with ensuring this is
moved forward. The Executive
Director will then report this
down to the relevant senior
managers for action.
Element to be
monitored
Risk escalation
process
Lead
Risks are
escalated to
the
corporate
risk register
and to the
RMC/Board
as
appropriate
Tool/
Methodology
Frequency
Reports and
minutes of
meetings
For each new
risk escalated
bi-monthly
Reporting
arrangements
divisional
governance
meetings and
for RMC/Board
RMC
Action Lead(s)
Head of
Governance
Change in practice and
lessons to be shared
Feedback to divisions/regular
meetings with key personnel to
ensure risks are escalated
appropriately.
11. RESOURCES
Board decisions should clearly demonstrate how resources for risk
management are prioritised. When resources are prioritised by Board level
debate, the reasons supporting the decision will be fully recorded in the
minutes of the meeting.
12. REVIEW
The Trust Board will review this strategy every three years and the Risk
Management Committee will review it annually.
13. NHS CONSTITUTION
The Trust is committed to the principles and values of the NHS Constitution
and this document takes into account these principles and values.
14. EQUALITY IMPACT ASSESSMENT
The Trust is committed to promoting equality of opportunity for all its
employees and the population it serves. The Trust aims to design and
implement services, policies and measures that meet the diverse needs of our
service, population and workforce, ensuring that none are placed at a
disadvantage over others. This document has been equality impact assessed
Definitions
Hazard: Anything that has the potential to cause injury, loss, damage
or harm
Likelihood: A measure of the probability that the predicted harm, loss or
damage will occur
Consequence: A measure of the impact that the predicted harm, loss or
damage would have on the people, property or objectives
affected
Risk: “What can go wrong and how likely is it to go wrong”
Risk Assessment: The process by which hazards are identified and the risk rated
using tools implemented by the Trust for use by all
employees. Assessments can either be general or specific,
but will be undertaken by competent persons who have
received appropriate degree of information, instruction and
training
Risk Management: Risk management is the systematic application of
management policies, procedures and practices to the tasks
of identifying, analysing, assessing, treating and monitoring
risk. This includes the application of Health and Safety
Regulations in every day working activity
Risk Matrix: The tool that is used to “score” each risk and determine its
place on divisional and corporate risk registers, levels of
authority are determined through the matrix and this will
provide a priority list for managers to use within their
respective area of control
Risk Register: Is a log of all risks (operational and strategic) that threaten the
organisation's success in achieving its objectives
Strategic Risk Register: The highest-ranking risks assessed at 12 and above from the
Directorate level will be used to populate and inform the
Trust’s Strategic Risk Register
Control: The control of risk involves taking steps to reduce the risk
from occurring such as application of policies or procedures
Residual risk: Are those which remain after considering the controls in place
to reduce the risk and the implementation of any additional
controls that may have been identified as necessary
15. REFERENCES
Risk Assessment Framework, Monitor, August 2013
The NHS Foundation Trust Code of Governance, Monitor, March 2010
Quality Governance Framework, Monitor, March 2010
Essential Standards of Quality and Safety, Care Quality Commission, 2010
Integrated Governance Handbook: 2006
The Audit Committee Handbook: 2006
Board Assurance Frameworks: A simple rules guide for the NHS 2009
The Health NHS Board Principles for Good Governance, National Leadership
Council, 2010
Taking it on Trust, Audit Commission 2009
NHSLA Risk Management Standards, 2012/13
NHSLA Risk Management Strategy Checklist, March 2012
Appendix A
Bolton NHS Foundation Trust Board and Committee structure and Local Risk Groups and Committees
[Organisation chart, updated April 2013; reporting lines not reproduced. Bodies shown in the chart:]
Council of Governors; Audit Committee; Board of Directors; Internal Audit; External Audit; Clinical Audit; Exec Directors
Quality Assurance Committee; Clinical Governance and Quality Committee; Infection Control; Mortality Reduction; Resuscitation; Thrombosis; Nutrition Advisory; PEIP Committee; Equality steering group
Executive Board/PAF; Workforce Committee; Medical Education Board; E Rostering Project Board; Education Governance
Risk Management Committee; Informatics Committee; Data quality sub group; Information governance; Web development group
Medicines Management; Medicines management safety group; Antimicrobial committee; Finance and Investment Committee
Health & Safety Committee; Fire; Security; Moving and Handling; Radiation protection; Critical Care; HAB/SABS; End of Life; Medical Devices; Safeguarding; Emergency planning; Research Governance; Blood transfusion; PAG; CRIG; Estates Committee
Appendix B
Assurance Map - Board to Ward/Floor Visibility of Risk Management Process Outline
Report
Purpose
Reviewed by
Frequency
Sourcing Risk from:
Board Assurance Framework
Identify, assess and manage all risks to the Trust's strategic objectives
Board
&
Board committees
Board - Bi-monthly
Board discussion, Monitor, Quality Assurance
Framework, Leadership Walkarounds
Escalation from sub-committees
Performance data (IPR)
Compliance Reporting (CQC, NHSLA, Audit, NICE
Guidelines Compliance etc)
Trust wide risk assessments/Clinical Audits
Patient & Staff Experience Surveys
Delegate sub-committees with responsibility for managing and tracking
actions
Sub Committees - In line
with committee cycle
Feed all risks of a corporate nature regardless of score into the Corporate
Risk Register
Address any risks flagged as RED
Risk profile summary
Receive and manage exceptions from the Corporate Risk Register (new
risks, increased risks, actions outstanding, risks which remain RED)
Board
Quarterly
Corporate Risk Register and BAF
Corporate Risk Register
Identify, assess and manage all risks across the Trust
ED's
Bi-monthly
Committee discussion, Serious Incident Review
Group
Escalation from sub-committees and Divisional
Boards
Performance data
Compliance Reporting (CQC, NHSLA, Audit, NICE
Guidelines Compliance etc)
Reporting (Complaints, Litigation, Incidents & PALs)
Risk Assessments
Patient & Staff Experience Surveys
Corporate teams,
Divisional Directors and
ED's
Team discussion - Monthly
Management, operational and clinical team
discussion
Performance data
Clinical Audit
Compliance Reporting (CQC, NHSLA, Audit, NICE
Guidelines Compliance etc)
Reporting (Complaints, Litigation, Incidents & PALs)
Risk Assessments
Patient & Staff Experience Surveys
Accept risks and associated actions where these are rated 15 or more
Report and manage exceptions (new risks, increased risks, actions
outstanding, risks which remain RED)
Address any risks flagged as RED
Other BFT Risk Registers: IM&T, H&S, HR
Risks to be identified, recorded and managed by the relevant area. Any risks of
a corporate nature to be escalated to the corporate risk register. Any high-level risks to be reviewed by RMC and the Board.
submission of corporate
risks to the RMC if rated
15 or above.
Appendix C
Risk Reference No: (for risks entered onto risk register - governance Use Only)
RISK ASSESSMENT FORM
This form is to be used for identification and mitigation plans for ad hoc risks which arise and does not replace any
existing Health & Safety Risk Assessment tools - supplementary proformas are available from the Health & Safety
Team.
RISK INFORMATION
Description of risk (background information / detail to give risk context):
Does this risk relate to national guidance standards / legislation: YES / NO (Please delete as
appropriate)
If this risk relates to national guidance please outline:
Does the risk meet any of the following criteria: (Please note only one option may be selected)
Audit / IG / Internal alerts / CAS / Health & Safety / Medical devices / Annual plan / CQC / NICE / Security / External review / Infection control / Confidential enquiry
Does this risk affect patient safety? Yes / No (Delete as appropriate)
Division:
Ward/dept:
Assessor:
Assessment date:
Which staff groups were involved in the assessment?
Persons / groups at risk:
Frequency of exposure to the risk:
Existing control measures: (i.e. what is currently in place to reduce the risks)
Current Risk Rating
Current Risk Rating – Calculated using the risk grading matrix with existing control measures taken into
consideration.
Consequence Score (C)
Likelihood Score (L)
Risk Score (CxL)
Target Risk Rating
An estimate of the risk rating based on what the division feel this risk should be once the mitigations have
been implemented.
Consequence Score (C)
Likelihood Score (L)
Risk Score (CxL)
Please refer to Trust’s Risk Grading Matrix
http://intranet.rbh.nhs.uk//clientfiles/201462410343_Risk%20Matrix%20BFT%20SW%20(2).pdf
ACTION PLAN SUMMARY
Issue | Action | Responsible Person Name/Designation | Due Date | Completed Date
Residual Risk Rating
Consequence Score (C)
Likelihood Score (L)
Risk Score (CxL)
This is the risk remaining after risk treatment. First you have to identify the risks, and then you need to mitigate the risks you find
unacceptable (i.e. treat them). Once you treat the risks, you won’t completely eliminate all the risks because it is simply not possible –
therefore some risks will remain at a certain level, and this is what residual risks are. Residual risk cannot be determined until actions have
been completed. Once actions are implemented, remember this will strengthen your existing controls too and should reduce your current
risk rating; this is why risks will need regular review.
If further actions need to be recorded, please continue on a separate sheet and attach to this document
Please keep a copy of the assessment in your department and forward to your Line Manager for inclusion onto the Divisional risk register if
needed. The risk should be discussed at your service clinical governance meeting and a decision to escalate to the risk register should be
made at that meeting. Your governance lead for the Division or Manager can decide if the risk needs to be included on your risk register.
Appendix D
How to do a risk assessment
Purpose
The purpose of this document is to assist the Trust staff in conducting a risk assessment. The guidance is intended to encourage greater consistency in
the way risk assessment is applied across the Trust and promote vigilance in identifying risk and the ways in which it can be reduced.
Introduction
The Management of Health and Safety at Work Regulations 1999, Regulation 3, places a legal duty on all employees to assess all significant risks in the
work place. This includes all clinical tasks, activities, situations and risks. The Regulations also state that risk assessments should be suitable and
sufficient, taking account of the work tasks, activities and situations undertaken and the environment in which these take place.
The assessment should identify the hazards associated with the task, activity or situation and establish control measures to minimise the risk. This in turn,
based upon the risk levels, allows you to prioritise actions.
There is also a legal duty to monitor and review the risk assessments to ensure they remain suitable, (appropriate to the task, activity or situation), effective
and sufficient (continue to meet the needs of the task, activity or situation).
The important thing that needs to be considered is, does the hazard pose a significant risk? If so, have you implemented control measures to reduce
the risk to an acceptable level?
If there is a lack of or ‘gap in control’ to reduce the risk, then further actions and precautions, ‘controls’ may be required.
It is not usually possible to eliminate all risks but the Trust has a duty to protect patients, staff and visitors as far as ‘reasonably practicable’. This means
you must avoid unnecessary risk.
Definitions:
Hazard: Anything that has the probability or may cause harm (what could go wrong)
Likelihood: The chance of harm occurring as a result of exposure to a hazard
Consequence: The level of harm that may occur as a result of exposure to or contact with a hazard
Risk: Risk is the chance high or low that an event/hazard will occur or may prevent the Trust from achieving its objectives
What is a risk assessment?
A risk assessment is simply a careful examination of the hazards associated with work tasks, activities, or situations in the Trust, that could have the
potential to cause harm to patients, staff and visitors. It allows you to consider and evaluate if there are ‘suitable’ (appropriate to the task, activity or work
situation) and ‘sufficient’ (meet the needs of the task, activity or work situation) controls in place to reduce the level of risk to the lowest possible level. In
other words have you taken enough precautions (controls) or should you do more to prevent potential harm from the hazard?
Using a methodology of the Health and Safety Executive’s 5 Steps to Risk Assessment and the NPSA Guide to Healthcare Risk Assessment shown in the
diagram, a risk assessment seeks to answer the following key questions:
Step 1 & 2 – HAZARD: What could go wrong? Who might be harmed?
Step 3 – CONSEQUENCE: How bad will it be?
Step 3 – LIKELIHOOD: How often?
Step 4 & 5 – GAPS IN CONTROL & REVIEW: Record your findings. What controls are in place? Is there a need for action? Implement the actions. Review the risk assessment.
How to carry out a risk assessment
The steps below will enable you to complete the risk assessment form. A template form can be found at appendix F.
Step 1
Identify the Hazards (what could go wrong)
Walk around your workplace and look at what could reasonably be expected to cause harm. Ignore the trivial and concentrate on significant
hazards, things that could result in serious harm or affect numerous people e.g. Medicines not stored or locked away/trailing electrical lead
causing a trip hazard.
Ask those involved with the task, activities or situation for their opinion. They may have noticed things, which are not immediately obvious to
those not involved with the task on a regular basis
Look at and provide a description of the hazards associated with a task/activity/situation, include any hazards associated with any
equipment, substances or processes used in the task/activity/situation
Remember to prevent harm it is important to understand not only what is likely to go wrong but also how and why it may go wrong
Take into account things that have gone wrong in the past and near miss incidents
Check manufacturer instructions for equipment or data sheets for chemicals as they can also help you spot hazards and put risks in their true
perspective
Check if individual’s health has been affected e.g. sickness absence due to skin problems caused by using a particular chemical/complaints
of feeling unwell when working in a certain environment
Step 2
Who might be harmed and how?
Identify those individuals or groups of people who may be at risk of harm if exposed to the hazard
Remember the most vulnerable patients are more likely to suffer harm
When considering people who could potentially be harmed, don’t forget to consider new workers or trainees, young workers, new and
expectant mothers and people with disabilities
Cleaners, visitors, contractors or maintenance workers who may not be familiar with, or in, the workplace all the time
Step 3
Evaluate the risks (how bad – consequence and how probable (often) – Likelihood) and decide on the actions required
Having spotted the hazards, detail the existing control measures already in place to prevent harm occurring
Are these controls adequate?
Intelligence data such as incident reports may indicate that a control you have in place is not effective
Are controls reducing risk or harm to its lowest level?
Is there a ‘Gap in Control’ and therefore a need for additional action and controls to reduce the risk? Look at the hierarchy of risk control
Step 4
Record your findings and proposed actions then implement them
Complete the risk assessment form and action plan
The actions required should be detailed in the action plan section of the risk assessment form, summarising how the controls are to be
achieved. A responsible person is then allocated the responsibility of ensuring the actions are completed within a targeted date
Using the Trust risk matrix, quantify the level of risk by choosing the level of consequence and likelihood of the harm occurring based on all
the information you have gathered
Evaluate the risks and decide whether the existing control measures are adequate or if more could be done
Consider how likely it is that each hazard could cause harm. This will determine whether or not you need to do more to reduce the risk.
Even after all precautions have been taken, some risk usually remains. What you have to decide is whether the remaining level of risk is
acceptable, if not then further action is required
When writing the results of the risk assessment keep it simple, for example ‘tripping over rubbish: bins provided, staff instructed, weekly
housekeeping checks instigated’
It is important that you can show that:
A thorough check was made to identify all the hazards and treat all the significant risks;
The controls are reasonable and the remaining risk is acceptable
The solutions are realistic, sustainable and effective
NB it may be reasonable to accept some degree of preventable risk, if the benefits to be gained outweigh the risk
Step 5
Review your risk assessment and update if necessary
Risk assessments and action planning should be reviewed and monitored regularly
Risk levels that are medium or high should be placed on the risk register so that the action plans can be monitored regularly. Decide if you
have a ‘local risk’ or ‘Corporate risk’
Once an action on the plan has been completed and the new or additional control implemented the risks should be re-evaluated and the
results recorded
Remember, research and new developments increase the pace of change, and those changes can alter existing and/or introduce new
hazards
Review your risk assessment regularly and at least on an annual basis:
Regularly and at least on an annual basis
When learning from incidents which may indicate a control is not working or needs to be changed
When you are planning a change to a task, activity or situation
When there has been a significant change to a service or way of working
Risk assessment doesn’t need to be overcomplicated and identifying hazards is common sense. However risk assessment should only be
carried out by a competent person, that is, someone who is familiar with the task, activity or situation, the environment in which the activity
takes place and who has sufficient knowledge and understanding that they can identify those hazards present. Additionally the competent
person should recognise their limitations and be prepared to seek advice as necessary.
Risk Evaluation Tool
In order to separate those risks that are unacceptable from those that are acceptable the risks should be evaluated.
Control Measures
Once the risk assessment has been completed and the risk level indicates further actions and controls are necessary to ensure that the risk
is reduced to as low as is reasonably practicable then consider the following:
a) Can the hazard be removed altogether?
b) If not, how can I control it?
When controlling risk, try applying the principles below:
Use ERIC PD
ELIMINATE – get rid of the hazard; replace it with something less hazardous
REDUCE – the level of risk by reducing the nature of the hazard e.g. use similar quantities, lower voltage etc
ISOLATE – the hazard from people, for example by putting up barriers or guarding
CONTROL – exposure to the hazard by controlling who has access or limiting exposure time
PPE – issue Personal Protective Equipment
Discipline and Culture
Improving risk management need not cost a lot of money, however failure to carry out suitable and sufficient risk assessments and not
controlling significant risk in the workplace can cost the Trust in more ways than one.
If a task, activity or situation remains the same then a generic risk assessment can be produced. However, the assessment must be
reviewed when the environment changes affecting the task, activity or situation and/or the process changes.
Risk Assessment Action Plan
The actions required should be detailed on the action plan section of the risk assessment form, summarising how the additional controls
required to close the gap are to be achieved. A key individual is then allocated the responsibility of ensuring the actions are completed. A
target date must be set and activity against the action monitored.
Unless the risk level is specified as ‘acceptable’, where the only actions necessary are to monitor and review the assessment and established
controls for effectiveness, all risk levels will require further actions to reduce them to the lowest acceptable level. Once completed,
the action is implemented and closed.
Monitor and Review
All risk assessments must be reviewed not less than annually and/or if:
There is a significant change in equipment or process
There is a change to the task activity or situation process or environment
After an incident or accident
There is a change to the people who are affected by the task, activity or situation
There is a change in legislation
There is a change to or introduction of new equipment
The routine, process, system or procedure is no longer valid
If you have any questions regarding the completion of the risk assessment please contact the Trust Risk Manager.
Training on the risk assessment process is available from the Risk Team
References:
HSE Guide Five Steps to Risk Assessment IND163 (rev3), revised 06/1
NPSA Healthcare Risk Assessment Made Easy, March 2007
Appendix E
Identifying Risks
The Trust will review compliance with the Care Quality Commission
requirements on an on-going basis to identify any risks
Effective health and safety audits and inspections and implementation of
resulting action plans
Each Director will be responsible for ensuring that departmental risk
assessments are carried out, producing directorate risk registers and
taking action to avoid/minimise risk as appropriate
Regular multi-disciplinary review of incidents, complaints and claims
data
Patient and staff feedback surveys
Public perceptions of the NHS e.g. media reviews
Root Cause Analysis following serious adverse incidents
Underlying root causes of incidents, complaints and claims
Concerns raised by Trade Unions
Whistle blowing
Coroners reports
Financial forecasting and reports
Board Quality walkabouts
New legislation and guidance
Recommendation and reports from assessment/inspections from
internal and external bodies
Safety alerts e.g. Central Alerting System, NHS Protect
Non Clinical/Generic Risk Assessments completed by staff
Incident Reports
Serious Adverse Incident Reports
Directorate Risk Registers (for the Corporate Risk Register)
Health and Safety Audits
Regular Health and Safety Checks e.g. Window checks, Fire
Inspections
Complaints
National Guidance/Reports
Patient’s conditions (e.g. inherent risk of falls in people with dementia)
Major incident (drill or live)
Deficiencies with effective controls assurance standards
Deficiencies with various elements of the CQC standards
Recommendations and reports from external agencies such as NHSLA,
Health and Safety Executive, Patient-led Assessments of the Care
Environment (PLACE) etc
Actions taken to reduce risks which could not be or were not
implemented for various reasons such as resource limitations
Any other sources of information that could be considered to be a threat
to patient, staff, visitor or environmental safety or the organisation’s
wellbeing
Estates risk profile
Financial/business plans/IT reports
Underlying causes related to poor trends identified from key
performance indicators
Considerable deficiencies in/non-compliance with staff mandatory
training
Appendix F
RECORDING RISK
RISK ESCALATOR – BOLTON NHS FOUNDATION TRUST – Appendix G
[Escalation diagram with vertical side labels ASSURANCE and SCRUTINY; the levels and notes are listed below in the order shown.]
BOARD OF DIRECTORS (Corporate Risk Register and BAF) quarterly
Audit Committee (BAF)
Exec Directors (Corporate risk register and BAF)
Board Assurance Framework and Corporate Risk Register submitted to the Board and monitored through Board governance and assurance committees
Any risk scoring 15 or above and/or impacting across the Trust escalated to Corporate risk register with agreement by RMC. RMC would recommend risks to be incorporated into BAF
Risk Management Committee
Divisional Board Meetings
Divisional Governance Meetings
All risks 15 or above (corporate or divisional) and any risks regardless of score if unmanageable escalated by the Divisions to RMC
Service/Divisional risks reviewed at Service Governance Forums/Divisional Board
SERVICE CLINICAL GOVERNANCE TASK GROUPS / BUSINESS MEETINGS
Risks identified populate the Risk Register
RISK REGISTER
Sources feeding the Risk Register: Incidents; Complaints; Claims; Assurance framework; External Assessments/CQC/Monitor; Audit/Non-Compliance; NICE guidance; Departmental Risk Assessments; Health & Safety
Appendix H
Appendix H (cont’d)
Table 1: Risk Appetite Statements are provided below
Extreme Risk - Appetite 5
In relation to this area of work, Bolton NHS FT is willing to accept risks that are likely to occur and would then lead to some degree of
damage to its reputation, possible financial exposure, or short term disruption to one or more service areas.
High Risk - Appetite 4
In relation to this area of work, Bolton NHS FT is willing to accept risks that may occur and would then lead to some degree of damage
to its reputation, or possible financial loss, exposure or short term disruption to no more than one service area.
Moderate Risk - Appetite 3
In relation to this area of work, Bolton NHS FT is willing to accept risks that might occur in certain circumstances that could lead to some
degree of damage to its reputation, possible financial exposure, or minor disruption to one or more service areas.
Low Risk - Appetite 2
In relation to this area of work, Bolton NHS FT is willing to accept improbable risks that might, however, lead to some degree of damage
to its reputation, financial exposure, or minor disruption to a service area, should these risks materialise or fail to be mitigated.
Zero Risk – Appetite 1
In relation to this area of work, Bolton NHS FT is not willing to accept any risks that could lead to damage to its reputation, financial loss
or exposure, major breakdown in services, information systems or integrity, failings in significant aspects of regulatory and/or legislative
compliance, potential risk of injury to staff, service users or public.
13.1 Risk Categorisation Matrix (APPENDIX I)
1 Qualitative Measures of Consequences (Actual / Potential) – select the descriptors which best fit the risk you have identified
Descriptor
Insignificant
Minor
Moderate
1
2
3
Injury
(Physical/
Psychological)
Patient Experience
Environmental Impact
Staffing &
Competence
Complaints/Claims
Adverse event requiring no/minimal intervention
or treatment.
Impact prevented – any patient safety incident that
had he potential to cause harm but was
prevented, resulting in no harm
Impact not prevented – any patient safety
incident that ran to completion but no harm
occurred
Minor injury or illness – first aid treatment
needed
Health associated infection which
may/did result in semi permanent harm
Affects 1-2 people
 Any patient safety incident that required
extra observation or minor treatment W and
caused minimal harm to one or more
persons
Reduced level of patient experience which is not
due to delivery of clinical care
Unsatisfactory patient experience directly Unsatisfactory management of patient care Unsatisfactory management of
due to clinical care – readily resolvable
– local resolution (with potential to go to
patient care with long term
Increase in length of hospital stay by 1-3
independent review)
effects
days
Increased length of hospital stay by 4 – 15 days increased length of hospital stay
>15 days
Misdiagnosis
Onsite release of substance contained
On site release no detrimental effect
Offsite release with no
Minor damage to Trust property - easily
Moderate damage to Trust property –
detrimental effect / on-site
remedied <£10K
remedied by Trust staff / replacement of
release with potential for
items required £10K - £50K
detrimental effect
Major damage to Trust
property – external organisations
required to remedy - associated
On-going low staffing level - minor
Late delivery of key objective / service due to
Uncertain
delivery of key
costs >£50K
reduction in quality of patient
lack of staff
objective / service due to lack
care
50% - 75% staff attendance at mandatory /
of staff
25%-50% staff attendance at
Unresolved trend relating to competency
key training
mandatory / key training
reducing service quality
Unsafe staffing level
75% - 95% staff attendance at
Unsafe staffing level >5days
Error due to ineffective training /
mandatory / key training
Serious error due to ineffective
competency we removed
Low staff morale (1% - 25% of staff)
training and / or competency
Low staff morale (25% - 50% of staff)
Very low staff morale (50% –
75% of staff)
Failure to adhere to principles
of the duty of candour /being
open
Overall treatment / service substandard Justified complaint (Stage 2) involving lack
Multiple justified complaints
Formal justified complaint (Stage 1)
of appropriate care
Independent review
Minor implications for patient safety if
Claim(s) between £10K - £100K
Claim(s) between £100K - £1M
unresolved
Major implications for patient safety if
Non-compliance with national
Claim <£10K
unresolved
standards with significant risk to
patients if
unresolved
Onsite release of substance averted
Short term low staffing level (<1 day) –
temporary disruption to patient care
Minor competency related failure reduces
service quality <1 day
Low staff morale affecting one person
Informal / locally resolved complaint
Potential for settlement / litigation <£500
Moderate injury or illness requiring
professional intervention
No staff attending mandatory / key training
RIDDOR / Agency reportable incident (4- 14
days lost)
Adverse event which impacts on a small
number of patients
Affects 3-15 people
 Any patient safety incident that resulted in
a moderate increase in treatment X and which
caused significant but not permanent harm to
one or more persons
Major
4
Major injury / long term
incapacity / disability (e.g.
loss of limb)
>14 days off work
Affects 16 – 50 people
 Any patient safety incident that
appears to have resulted in
permanent harm Y to one or more
persons
Catastrophic
5
Fatalities
Multiple permanent
injuries or
irreversible health
effects
An event affecting >50 people
 Any patient safety incident that
directly resulted in the death Z of
one or more persons
Incident leading to death
Totally unsatisfactory level or
quality of treatment / service
Onsite /offsite release with
realised detrimental /
catastrophic effects
Loss of building / major
piece of equipment vital to
the Trusts business
continuity
Non-delivery of key objective
/ service due to lack of staff
Ongoing unsafe staffing levels
Loss of several key staff
Critical error due to lack of
staff or insufficient training
and / or competency
Less than 25% attendance at
mandatory / key training on an
on-going basis
Very low staff morale (>75%)
Multiple justified complaints
Single major claim
Inquest / ombudsman inquiry
Claims >£1M
Financial
Objectives/Projects
Business/Service
Interruption
Inspection/
Statutory Duty
Adverse
Publicity/Reputation
Fire Safety/General
Security
Information
Governance / IT
Medication
Small loss
Theft or damage of personal property <£50
Loss <£50K
Loss of 0.1 - 0.25% of budget
Theft or loss of personal property <£750
Loss of £50K - £500K
Loss of 0.25 – 0.5% of budget
Theft or loss or personal property >£750
Interruption does not impact on delivery of
patient care / ability to provide service
Insignificant cost increase / schedule slippage
<5% over project budget / schedule
slippage
5 – 10% over project budget / schedule
slippage
Loss/Interruption of >1 hour; no impact on
delivery of patient care / ability to provide
services
Short term disruption, of >8 hours, with
minor impact
Loss / interruption of >1 day
Disruption causes unacceptable impact on
patient care
Non-permanent loss of ability to provide
service
Loss / interruption of > 1 week.
Sustained loss of service which
has serious impact on delivery of
patient care resulting in major
contingency plans being invoked
Temporary service closure
Permanent loss of core service /
facility
Disruption to facility leading to
significant ‘knock-on’ effect
across local health economy
Extended service closure
Small number of recommendations which focus
on minor quality improvement issues
No or minimal impact or breach of guidance /
statutory duty
Minor non-compliance with standards
Minor recommendations which can be
implemented by low level of
management action
Breach of Statutory legislation
No audit trail to demonstrate that
objectives are being met (NICE; HSE;NSF
etc.)
Local Media – short term – minor
effect on public attitudes / staff morale
Elements of public expectation not
being met
Challenging recommendations which can be
addressed with appropriate action plans
Single breach of statutory duty
Non-compliance with core standards
<50% of objectives within standards met
Enforcement action
Multiple breaches of statutory duty
Improvement Notice
Critical Report
Low performance rating
Major non-compliance with
core standards
National media <3 days – public
confidence in organisation
undermined – use of services
affected
Multiple breaches of statutory
duty
Prosecution
Severely critical report
Zero performance rating
Complete systems change
required
No
objectives
/ standards being
National
/ International
metadverse publicity >3 days.
MP concerned (questions in the
House)
Total loss of public confidence
Minor short term (<1day) shortfall in fire safety
system.
Security incident with no adverse outcome
Temporary (<1 month) shortfall in fire
safety system / single detector etc (nonpatient area)
Security incident managed locally
Controlled drug discrepancy –
accounted for
Fire code non-compliance / lack of single
detector – patient area etc.
Security incident leading to compromised staff
/ patient safety.
Controlled drug discrepancy – not
accounted for
Significant failure of critical
component of fire safety system
(patient area)
Serious compromise of staff /
patient safety
Failure of multiple critical
components of fire safety
system (high risk patient area)
Infant / young person abduction
Breach of confidentiality – no
adverse outcome.
Unplanned loss of IT facilities < half a day
Health records / documentation incident – no
adverse outcome
Minor breach of confidentiality – readily
resolvable
Unplanned loss of IT facilities < 1 day
Health records incident / documentation
incident – readily resolvable
Moderate breach of confidentiality –
complaint initiated
Health records documentation incident –
patient care affected with short term
consequence
Serious breach of confidentiality
– more than one person
Unplanned loss of IT facilities >1
day but less than one week
Health records / documentation
incident – patient care affected
with major consequence
Serious breach of confidentiality
– large numbers
Unplanned loss of IT facilities >1
week
Health records /
documentation incident –
catastrophic consequence
Incorrect medication dispensed but not
Taken
Wrong drug or dosage administered with
no adverse effects
Wrong drug or dosage administered with
potential adverse effects
Wrong drug or dosage
administered with adverse effects
Wrong drug or dosage
administered with adverse
effects leading to death
Rumours
Potential for public concern
Local media – long term – moderate effect –
impact on public perception of Trust & staff
morale
Loss of £500K - £1M or loss of 0.5 – 1% of budget
Loss > £1M or loss >1% of budget
Purchasers failing to pay on time
Loss of contract / payment by results
10 – 25% over project budget / schedule slippage
>25% over project budget / schedule slippage
= minor treatment is defined as first aid, additional therapy, or additional medication. It does not include any extra stay in hospital or any extra time as an outpatient, or continued treatment over and above the treatment
already planned. Nor does it include a return to surgery or re-admission.
W
= moderate increase in treatment is defined as a return to surgery, an un-planned re-admission, a prolonged episode of care, extra time in
hospital or as an outpatient, cancelling of treatment, or transfer to another area such as intensive care as a result of the incident.
Y = permanent harm directly related to the incident and not the natural course of the patient's illness or underlying condition is defined as
permanent lessening of bodily functions, sensory, motor, physiologic or intellectual, including removal of the wrong limb or organ or brain damage.
= the death must relate to the incident rather than to the natural course of that patient's illness or underlying condition.
X
Using the Risk Rating Matrix determine the Severity (Extreme / High / Moderate / Low)
Risk Rating Matrix
Z
2 Consider how likely the outcomes (descriptors) are to happen
Qualitative Measures of Likelihood
Level | Descriptor | Example
1 | Rare | Difficult to believe that this will ever happen / happen again.
2 | Unlikely | Do not expect it to happen / happen again, but it may
3 | Possible | It is possible that it may occur / recur
4 | Likely | Is likely to occur / recur, but is not a persistent issue.
5 | Almost certain | Will almost certainly occur / recur, and could be a persistent issue
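Likelihood | % of risk | Consequence 1 | Consequence 2 | Consequence 3 | Consequence 4 | Consequence 5
1 | <10% | 1 | 2 | 3 | 4 | 5
2 | 10 – 40% | 2 | 4 | 6 | 8 | 10
3 | 40 – 60% | 3 | 6 | 9 | 12 | 15
4 | 60 – 90% | 4 | 8 | 12 | 16 | 20
5 | >90% | 5 | 10 | 15 | 20 | 25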
Extreme risk – immediate action required (stop the activity)
High Risk – Senior Management attention needed
Moderate Risk – management responsibility must be ascertained
Low Risk – manage by routine procedures
Appendix J
Equality Impact Assessment Tool
To be completed and attached to any procedural document when submitted to the appropriate
committee for consideration and approval.
No. | Question | Yes/No | Comments
1. | Does the document/guidance affect one group less or more favourably than another on the basis of: | |
 | Race | No |
 | Ethnic origins (including gypsies and travellers) | No |
 | Nationality | No |
 | Gender (including gender reassignment) | No |
 | Culture | No |
 | Religion or belief | No |
 | Sexual orientation | No |
 | Age | No |
 | Disability - learning disabilities, physical disability, sensory impairment and mental health problems | No |
2. | Is there any evidence that some groups are affected differently? | No |
3. | If you have identified potential discrimination, are there any valid exceptions, legal and/or justifiable? | No |
4. | Is the impact of the document/guidance likely to be negative? | No |
5. | If so, can the impact be avoided? | N/A |
6. | What alternative is there to achieving the document/guidance without the impact? | N/A |
7. | Can we reduce the impact by taking different action? | N/A |
If you have identified a potential discriminatory impact of this procedural document, please refer it to
your Divisional E&D Lead, together with any suggestions as to the action required to avoid/reduce
this impact.
For advice in respect of answering the above questions, please contact Divisional E&D Lead