Risk management policy

COR/POL/004/2015-001
TRUST CORPORATE POLICY
RISK MANAGEMENT POLICY
APPROVING COMMITTEE(S): Trust Board
Date approved: 07/01/2015
EFFECTIVE FROM: Date of approval
DISTRIBUTION: Trust Board, Executive Team, CAG Directors, General Managers, Heads of Nursing/Midwifery, Matrons, Risk/Governance Leads, All CAGs
RELATED DOCUMENTS:
Risk Guidance – on Intranet alongside Policy
Adverse Incident Policy (COR/POL/004/2012-001)
Whistleblowing Policy (Raising Concerns in the Workplace) (COR/POL/005/2013-002)
Corporate Induction Policy (COR/POL/025/2012-001)
Production and Implementation of Trust Policies and Guidelines (COR/POL/001/2014-001)
Statutory and Mandatory Training Policy (COR/POL/026/2012-001)
Fire Safety Management Policy (COR/POL/037/2013-001)
Claims and Inquest Policy (COR/POL/078/2013-001)
Central Alerting System Policy (COR/POL/077/2013-001)
External Agency Visits, Inspections and Accreditations Policy (COR/POL/043/2012-001)
Fraud & Corruption Policy (COR/POL/064/2012-001)
Radiation Safety Policy (COR/POL/032/2013-001)
STANDARDS:
Health and Safety At Work (etc) Act 1974
CQC Essential Standards of Quality and Safety
OWNER: Chief Nurse (Director responsible for risk management)
FURTHER INFORMATION: Sharon Brooks; Keith Hampton
SUPERSEDED DOCUMENTS: Risk Management Policy 2013 Barts Health NHS Trust (COR/POL/004/2013-001)
REVIEW DUE: Three years from date of approval
KEYWORDS: Risk; Health & Safety; Risk Assessment; Risk Register
INTRANET LOCATION(S): http://bartshealthintranet/Policies-and-Guidelines/Trust-widepolicies.aspx
CONSULTATION:
Barts Health Groups
Risk Management Committee
Audit and Risk Committee
CAG Governance Groups/Corporate Heads of Department/New Hospital Project
Compliance Unit
External Partner(s)
Redevelopment to issue to PFI partner
APPLICATION
Included in policy:
For the groups listed below, failure to comply with this policy may result in investigation
and management action which may include formal action in line with the Trust's
disciplinary or capability procedures for Trust employees, and other action in relation to
organisations contracted to the Trust, which may result in the termination of a contract,
assignment, placement, secondment or honorary arrangement.
All Trust staff, working in whatever capacity
Other staff, students and contractors working within the Trust
Trust PFI partners working within the Trust
No staff groups are exempted from this policy.
Table of Contents
1 Introduction and Aims of Policy
2 The Process
3 The Risk register
4 Duties and Responsibilities
5 Board and High Level Committee Structure for Risk Management
6 Other committees with key responsibilities for risk
7 Assurance on the Effectiveness of the Risk Management System
8 Monitoring the effectiveness of the policy
APPENDIX 1 – Risk Assessment Form/Evaluation System
APPENDIX 2 – Information Available to Help Identify or Quantify Hazards & Risks
APPENDIX 3 – Duties and Responsibilities
APPENDIX 4 – Risk Management Committee Terms of Reference
1
INTRODUCTION AND AIMS OF POLICY
1.1
The main aim of the Trust’s risk management activities is to ensure the organisation
minimises the risks to achieving its objectives, from the Board level objectives
through to service level objectives. The Trust has in place a Quality Governance
framework which will allow the Trust Board to fulfil its legal and statutory obligations
and ensure the organisation consistently follows the principles of good governance
applicable to NHS organisations. The framework includes systems and processes for
financial control, clinical governance and risk management and will embrace the Care
Quality Commission’s registration requirements. The Board will ensure that high
quality care is being delivered and risks to quality are being effectively managed.
1.2
The Trust accepts its responsibility for the management of safety, environmental and
financial risks, ensuring the health, safety and welfare of staff, patients, visitors,
volunteer workers and all other people who attend our premises and who may be
affected by our activities. This Policy is also, explicitly, the Trust’s Health and Safety
Policy, as required by the Health and Safety at Work Act 1974.
1.3
Subject to the legal framework within which the Trust operates, the Trust will:
- Appoint the most appropriate people, and support them through training and
supervision.
- Promote a culture where staff are open to learn from experience, are confident in
reporting incidents, and are expected to raise or escalate concerns.
- Establish effective controls against risk, including appropriate policies and
procedures, and compliance with statutory duties and national codes of practice.
- Provide sufficient financial resources to support the risk management strategy
and the governance agenda.
1.4 This policy will be reviewed by the Trust Board on a three yearly basis and will reflect
changes to the Trust’s risk management systems as they continue to mature to meet
both internal and external drivers.
Definitions
1.5
The following definitions apply throughout this policy / strategy
Risk
An uncertain event, or set of events, that, should it occur, will have an
effect upon the achievement of objectives.
Risk Management
The process through which risks are identified and evaluated, plans
made, carried out and monitored with a view to minimising the likelihood
of a risk actually occurring or, should it occur, minimising the adverse
impact of the risk upon the organisation’s objectives.
Throughout this policy, risk management explicitly includes but is not
restricted to the management of risks in the areas of health, safety,
infection control, fire, security, finance, clinical and operational activity.
There are other trust policies that also address the management of
specific areas of risk e.g. Fire Safety Policy.
Hazard
A hazard is something (e.g. an object, a situation, an activity) that can
cause adverse effects. For example:
- Water on a staircase is a hazard, because you could slip on it, fall
and hurt yourself.
- Short staffing can be a hazard as it might cause suboptimal service.
- Introducing a new procedure is a hazard because, until staff are
familiar with it, they might make mistakes.
A risk is the likelihood that a hazard will actually cause its adverse
effects, together with a measure of the impact should these adverse
events occur. It is a two-part concept and you have to have both parts to
make sense of it.
Risk Description
When describing a risk in the risk register, a standard phrase should be
used to ensure consistency and accuracy and enable effective
communication:
“As a result of <the hazard>, there is <the likelihood> it will result in
<the impact>.”
For example:
- As a result of poor attendance on manual handling training (the
hazard), each month (the likelihood) a staff member might receive a
minor injury (the impact).
- As a result of lack of preventative maintenance of equipment (the
hazard), once per year (the likelihood) the service might be
interrupted for at least a week (the impact).
- As a result of local non-compliance with national standards (the
hazard), it is possible (the likelihood) that we will receive a critical
external report (the impact).
Standard descriptors for likelihood and impact can be found in the Barts
Health scoring matrix.
Risk Scoring Matrix
Likelihood and Impact are each rated from 1 to 5. The total risk score is
obtained by multiplying the two together, giving a total score of 1 to 25.
The Barts Health scoring matrix contains many descriptors for different
types of impact and likelihood appropriate for different risk situations.
Note, the current risk score should take into account the controls already
in place. Controls will tend to reduce the likelihood of the adverse event
occurring or its impact should it occur and, therefore, should reduce the
current risk score.
Control
A control is any measure that is in place which deliberately reduces
either the likelihood of the risk materialising or the impact it will have on
the relevant objective. Examples of controls might be:
- Equipment or arrangements which act as a barrier against the risk
materialising (e.g. locks, access restrictions, recruitment checks, Safer
Surgery Checklist).
- Policies, procedures or training which support staff in minimising the
likelihood of a risk materialising or its impact should it materialise.
- Equipment or other measures which reduce the immediate impact of the
risk should it occur (e.g. fire extinguishers, first aid boxes) or which
promote a quicker recovery from resulting harm (e.g. insurance policies,
other contingency plans).
Mitigating action
A mitigating action is any step which the organisation can take to reduce
the likelihood or impact of a risk which has not yet been fully controlled.
Often a mitigating action will involve putting a control into place.
CAG or Directorate risk
A risk, of whatever severity, that impacts primarily upon one CAG or
Corporate Directorate, or for which the means of mitigating the risk lies
largely with a single CAG or Corporate Directorate.
Multi Group risk
A risk, of whatever severity, that impacts upon more than one CAG or
Corporate Directorate or upon the organisation as a whole i.e. a shared
risk.
High level risk
A risk, regardless of where in the organisation it originates, which has
been agreed by the Risk Management Committee as having a
potentially severe impact on the organisation as a whole (currently risks
scored 15 and above - see Risk Evaluation System/Assessment form at
Appendix 1).
High Level Risks will all also be CAG, Directorate or Multi Group risks.
After identification of a high level risk, the Committee will wish to monitor
the risk to assure itself that it is being mitigated, but, in all but
exceptional circumstances, responsibility for managing the risk still
remains with the CAGs or corporate directorates.
Trust Risk Register
The Trust’s Risk Register is a unified log of all the risks identified in the
organisation. Each record includes:
- a summary of the risk
- details of its potential impact and the likelihood of this occurring
- location
- who is accountable for managing the risk
- mitigating actions which have been agreed or are planned
- controls that are in place
- progress achieved in reducing the severity of the risk.
The Trust has a single, unified risk register, hosted within the Trust’s
electronic risk management database. The information from the register
that is available to staff at different levels and areas of the trust will
depend upon agreed access levels.
CAG / Directorate / Departmental Risk Register
These terms do not refer to separate registers but to the domains (within
the unified Trust Risk Register) which are accessible to staff at different
levels and in different areas of the organisation.
High Level Risk Register
This term is used to refer to the subset of risk records in the risk register
which relates to high level risks, see above. This subset of records is still
managed by the CAG or corporate directorate but will also receive
particular involvement and attention at Board Level.
CAGs/Directorates/Departments are always able to add, view,
and update records relating to risks which directly affect them,
regardless of the severity of the risk.
Board Assurance Framework (BAF)
A document that contains the organisation’s strategic objectives and a
description of the principal risks that could threaten achievement of
these objectives. Each objective has the current organisational
performance shown, which allows effective linkages to be made against
risk management and performance.
Strategic risks described in the BAF will be linked to one or more risks
on the trust risk register. As such, changes to the risk rating or mitigation
plan of a risk on the trust risk register will be incorporated into the
relevant strategic risk on the BAF.
The BAF is monitored and managed at Board level.
Accountable Director (Risk Sponsor)
Depending on the level of risk this needs to be one of the following:
Risk Owner
This should be the person that will be coordinating, overseeing or
undertaking work to mitigate the risk.
Tier 1
Group Director/Director of Nursing & Governance/Director of Operations
Executive Director/CAG Group Director/CAG DoNG/CAG Director of
Operations/General Manager/HoN/Matron/Service Line GM/
Departmental Manager/ Lead Clinician.
Corporate Directorate - Deputy Director/Associate Director
Tier 2
General Manager/Head of Nursing/Clinical Director
Corporate Directorate – Band 8
Tier 3
Service Manager/Matron/Clinical Lead
Corporate Directorate Band 6/7
2
THE PROCESS
2.1
The Trust manages its risks as set out in the following diagram:
[Diagram: risk management process]
ESTABLISH Objectives: Internal / external context; Develop Criteria; Define the Structure
IDENTIFY RISKS to achieving objectives: What can happen? When? Where? How? Why?
ANALYSE AND EVALUATE RISKS: Identify existing controls; Determine Consequences; Determine Likelihood; Determine Level of Risk; Compare against criteria. Set priorities
TREAT RISKS: Identify and assess options; Prepare & implement treatment plans; Analyse and evaluate residual risk
Alongside every stage: Monitor and Review; Communicate and consult
2.2
This process is adapted from the internationally recognised Australian/New Zealand
Risk Management Standard (4360:2004) and complies with guidance from the
Department of Health and the Health and Safety Executive (Successful Health and
Safety Management (HSG65)). It is a cyclical process for managing risk and can be
used to demonstrate continuous self-assessment and improvement.
Establishing Objectives
2.3
Organisational objectives are agreed and updated annually. Risk is defined as an
uncertain event, or set of events, that, should it occur, will have an effect upon the
achievement of these objectives. As such, identifying and treating risk should be an
integral part of the annual business planning and objective setting process.
2.4
The Board Assurance Framework (BAF) contains the organisation’s strategic
objectives and a description of the principal risks that could threaten achievement of
these objectives. A strategic risk described in the BAF will be linked to one or more
risks on the trust risk register. As such, changes to the risk rating or mitigation plan of
a risk on the trust risk register will be incorporated into the relevant strategic risk on
the BAF. Through this process the Board gains assurances that risk mitigation is
planned and implemented.
2.5
The high risks in the trust risk register will be reviewed every month to ensure any
changes or additions are then reflected in the corresponding strategic risks in the
BAF.
2.6
The BAF will be used to develop the annual work programmes for the high level
assurance committees reporting to the Board. Appropriate sources of assurance will
be identified and commissioned. The findings of these assurance sources shall
inform the BAF and will either confirm management’s view of the level of risk and the
adequacy of internal control or identify the need for revision (higher or lower). An
increase in risk would also lead to the BAF noting the need for additional
improvements in internal control. In addition the BAF evidences the systems of
internal control and is used to form part of the Annual Governance Statement issued
by the Trust (Annual Report and Accounts).
Identifying risks
2.7
Managers and Leads have clear responsibilities for risk assessment and control in
their areas. Specialist responsibilities (eg infection control, radiation safety, security)
are built into job plans of relevant staff. General responsibilities are built into all job
plans.
2.8
There are three circumstances in which risk assessments should be done:
a) An annual risk assessment (against the upcoming year’s objectives)
b) Risk assessments undertaken prior to a planned change (for example, when
planning new work, installing new equipment or implementing an organisational
change).
c) Ad hoc risk assessments when a new hazard is identified. These may be
undertaken at any time.
2.9
When the need for a risk assessment has been established, there are three methods
available for identifying risks. In practice, a combination of these methods can be
used as appropriate to ensure the full range of risks is identified:
- Using a checklist of possible types of risk: The Trust’s Risk Evaluation System
(Appendix 1) describes different domains of adverse outcomes (e.g. injury, low
quality, loss of service, financial overspend etc). When generating a list of
possible risks within a particular service or risks resulting from a known hazard,
these domains should be used as a checklist to ensure a broad range of different
types of risk have been considered.
- Using a checklist of possible types of hazard: A hazard is something (e.g. an
object, a situation, an activity) that can cause adverse effects. One way of
identifying risks is to identify the range of hazards present in a particular service.
The possible risks resulting from these hazards can then be evaluated. A broad
list of generic hazards can be found in the Risk Guidance document. This should
be used as a checklist to ensure that a wide range of hazards is considered.
- Using information and reports generated from other activities: regular
management information and other reports (such as internal and external audits)
are continuously generated for each service. These may identify some of the
hazards present (e.g. areas of underperformance). This, in turn, can be used to
identify potential risks resulting from these hazards. The types of information that
can be used in this way are shown in Appendix 2. In addition, some trust policies
explicitly require that risks identified in certain types of reports are considered for
inclusion in the risk register (Adverse Incident Policy, Complaints policy, CQC
Inspection Policy, Internal Audit Policy).
2.10
There are some instances that require specific consideration as to whether the risk
should be included in the trust risk register. This is to ensure that the trust risk
register is an accurate representation of all the risks facing the organisation:
- When the trust receives an external assessment report (for example, a CQC
inspection report), the person responsible for actioning the report must, as part of
that process, also identify any risks articulated or implied in the report. These
risks must be formally risk assessed and placed on the trust risk register.
- As part of a Serious Incident investigation, risks may be identified. Some of these
will be mitigated by the action plan, but some may be longer term and would
merit inclusion in the trust risk register. The service manager of the area in which
the incident took place must identify these risks and ensure they are placed on
the trust risk register. A similar process should be followed for risks identified
through complaint investigations and claims.
- A requirement of the Cost Improvement Programme is that the impact of each
proposal is risk assessed. The principal risks identified in the accepted proposals
must be placed on the trust risk register.
- Trust programmes and projects (such as New Hospitals Programme, ICT
projects) will employ risk registers. The risks identified in these must be reflected
on the trust risk register.
2.11
Agreed risk assessments are completed using tools provided. A range of risk
assessment tools are available for particular areas. The general risk assessment tool
is available on the Barts Health intranet.
Evaluating & analysing risks
2.12
The Trust uses a standard Risk Evaluation System which is internationally
recognised and is adaptable to different areas of risk, supported by specific risk
assessment templates (eg Clinical Risk, Health and Safety, Fire, Stress etc) (see
Risk Management Intranet site for more details). All risks are evaluated and scored
using standardised criteria for impact and likelihood.
2.13 The Risk Evaluation System for use in the Trust is attached at Appendix 1. This
system incorporates the following key features: A matrix to identify the risk evaluation
score that uses impact and likelihood scales; Impact descriptors that cover different
areas of risk; Likelihood descriptors for frequency and probability; Management
authority for each level of risk (high, medium and low).
2.14
The Risk Evaluation System is incorporated into the Trust Risk Assessment Form.
This can be downloaded from the Trust Intranet – Home Page/Trust Wide
Policies/Risk Management Policy.
Managing & Treating Risks
2.15
The Risk Evaluation System, Appendix 1, sets out the management and committee
level at which risks of different severities are approved, reviewed, managed and
ultimately signed off.
2.16
Each risk register item is assigned to an appropriate monitoring / review body, which
is responsible for obtaining assurance of completion of the agreed action and for
approving updated risk register entries.
2.17
Wherever possible, claims of mitigation of a risk should be independently or
objectively evidenced (for example, evidence from an audit or external review).
2.18
This assurance is fed back up through the organisation, to provide high level
assurance to the Trust Board that the organisation’s risks are properly addressed.
2.19
Information on risks which are not adequately controlled, or which remain at a high
level despite attempts to control them, is escalated to the appropriate level of the
organisation, as set out in Appendix 1. This may be a departmental, speciality, CAG
or Directorate risk group, a higher level committee, or ultimately, in the case of the
most severe risks, the Trust Board.
2.20
Planning of action to reduce identified risks will typically follow widely recognised
schema for risk reduction:
- Avoid the risk – eg by withdrawing equipment from use or terminating an activity.
- Reduce the likelihood of the risk materialising – eg through audit and
compliance programmes, policies and procedures, preventative maintenance,
training, supervision programmes etc.
- Reduce the potential impact if the risk does materialise – for example through
contingency planning, minimising exposure to the risk, public relations etc.
- Transfer of Risk – this involves another party bearing or sharing some part of the
risk eg through the use of contracts, insurance arrangements, partnership and
joint ventures.
2.21
The treatment of some risks may require capital investment. If this is the case, an
estimate of the capital investment required must be recorded on the risk register (in
the ‘investment cost’ field). All that is required is an estimated cost (ie there is no
need at this stage to get formal quotes or undergo a formal costing process). There is
the ability to record capital investment, revenue, or capital investment and revenue.
2.22 In due course, a business case for capital investment might be raised. A formal
costing process would be required at this stage.
3
THE RISK REGISTER
3.1
The Trust Risk Register is a log of risks which have been identified within the
organisation. New entries in the risk register are made as risks are identified and
existing risks are updated as progress is made in controlling them.
3.2
The risk register is a single, integrated database, hosted on the Trust’s electronic risk
management system (Datix). Users in different areas and at different levels of
responsibility in the Trust have access to different subsets of records within the
Register. All CAGs and Directorates must enter and update their risks on this
register, making the electronic register the central repository for risk information
across the organisation.
3.3
The risk register includes details of the nature of the risk, its potential impact and the
likelihood of that impact, the overall risk score, the service(s) which “owns” the risk,
the controls currently in place and further planned controls, the forum where progress
in mitigating the risk is monitored and the progress achieved.
3.4
“Open” risks are those which have been evaluated but not yet fully controlled; these
are therefore risks which may impact upon the Trust’s objectives.
3.5
Risks which have been graded 15 and above are a subset which is described as the
“High Level Risk Register”. Trust executives are made aware of these risks and will
require assurance that these high risks are being managed promptly and effectively.
However, these risks will still be managed at the most appropriate level and in the
most appropriate area of the organisation, usually at CAG or corporate directorate
level.
3.6
When a risk has been fully controlled, the entry may be signed off at the appropriate
level of the organisation (which will depend on the nature and severity of the risk) and
the entry will then be “closed” (although, for audit purposes, a record of the closed
risk will remain on the risk register).
Training in risk evaluation and use of the risk register
3.7
The need for risk management training for staff, including board members, is
reviewed annually as part of the Trustwide Training Needs Analysis and delivered in
line with the Statutory and Mandatory Training Policy. Additional training needs
identified outside of the Training Needs Analysis will be provided on request by the
Compliance Team.
Managing the Risk Register
3.8
Senior managers in all areas are responsible for monitoring and managing those
risks which are “owned” within their area, and which therefore make up the CAG /
Directorate / Departmental Risk Register for their area.
3.9
Where a risk’s overall score, the controls in place or the controls planned change, the
trust risk register must be updated as soon as possible. This ensures that, at all
times, the risk register is an accurate representation of the current risks facing the
trust.
3.10
The majority of risks identified will be owned and managed within a single CAG or
Corporate Directorate. Occasionally, a risk might be shared across several areas and
ownership of the risk might be unclear. In this case, the different areas will be
expected to negotiate between themselves to determine how the risk will be owned
and managed.
In cases where ownership of a risk cannot be agreed, this must be escalated to the
Risk Management Committee for discussion and resolution.
3.11
The overall process through which the risk register is managed is summarised in the
flowchart on the next page.
Local Risk Management Arrangements
3.12 To manage risks robustly and effectively in line with the process described overleaf,
each CAG/Corporate directorate will have a system for reviewing risks. This will
include, but not be limited to, a Governance Board where risks from the Service
Groups will be reviewed, approved and monitored.
The CAG/Corporate directorate will use information from the Governance SitRep
weekly/monthly report to monitor risk management performance across their
Services. The report contains metrics on risks overdue for review and risks not
mitigated in 9 months or more. The intention of monitoring these metrics is to drive
risk management improvements.
Corporate Risk Management Arrangements
3.13
Each CAG has a monthly Performance Review with the Executives and risk
management performance (using the risk metrics and specific risk escalation from
the CAG) is part of this process. The CAG has the opportunity to seek direction on
difficult to mitigate risks.
The Corporate Directorates will review their risk
management performance with their Executive lead using the risk metric reports to
judge performance and encourage risk mitigation in a timely manner.
Risk Management Process Chart
3.14
All of the above steps in the risk management process are summarised in the flow
chart on the following page.
RISK MANAGEMENT PROCESS CHART
KEY: High (red) risks: 15+; Medium (amber): 8 to 12; Low (green): below 8
Red risks (15-25)
- Risk identified & assessed.
- Approved at directorate/CAG level risk group and recorded on register.
- Ownership of risk and action plan assigned to Directorate/CAG senior team level
Risk overseen by Executive lead & managed by CAG/Directorate (Tier 1 / 2 equivalent)
Amber risks (8-12)
- Risk identified & assessed.
- Approved at directorate/CAG level risk group and recorded on register.
- Ownership of risk and action plan assigned to service head or equivalent
Green risks (1-6)
- Risk assessed.
- Approved at Dept/Service level risk group and recorded on register.
- Ownership of the risk and action plan devolved to Department Head or equivalent
Risk overseen by nominated CAG/directorate manager (Tier 3 equivalent)
Risks overseen by Department Head, ward manager or equivalent
HIGH LEVEL RISK REGISTER (Comprises all red risks on register ie those rated 15 and above. Risks are assigned to appropriate level/area for mitigation)
- High level risks (20+) to RMC monthly
- New high risks to RMC monthly
- High level risks (15+, >9 months old and not at target) to RMC monthly
- High level risks (all) to RMC quarterly
High Level Risks inform Board Assurance framework review quarterly
Annual report from RMC to Audit & Risk Committee
CAG or Corporate Director
- Reviews new risks and action plan
- Reviews all red and amber risks
- Forwards new red risks to RMC
Red risks reviewed MONTHLY by Owner. Regraded with evidence on register if rating changes
Report to CAG Board/Directorate equivalent – red risks monthly, amber risks at least quarterly
Amber risks reviewed at least QUARTERLY by owner. Regraded with evidence on register if level of risk changes, escalated/de-escalated/closed etc. if indicated
Exception report from RMC to each meeting of Audit & Risk Committee
Green risks reviewed at least ANNUALLY by Owner. Regraded with evidence on register if level of risk changes
RISK CLOSED
Risk Register Pathway
3.15
The chart on Page 15 shows how risk registers are used throughout the organisation,
providing vital information on identified risks and the actions underway to mitigate these
risks. Risk assessments typically travel in an upwards direction – Service level to CAG to
corporate forums depending upon the level of risk. As risk is mitigated it will typically
travel down through the organisation for monitoring of controls or closure as appropriate.
Page 14 of 34
[Chart: Risk Register Pathway. Levels shown, from top to bottom: Board (Key Strategic Risks; A&RC, Exec Team, TMB, QAC, RMC, OMG) with the Board Assurance Framework (strategic risk register + assurances); CAG/Corporate Directorate Level Risk Registers; Service Level Risk Registers. Flows labelled on the chart: 15+ risks from CAG/Corporate Directorate Level Risk Registers; Major Risks from Service Level Risk Registers. Inputs labelled on the chart: Risk Assessments; Performance Review Meetings; Quality Improvement Processes; Planning Activities; Trust Strategic, CAG/Corporate Directorate Level and Service Level Objectives & Mandatory/Statutory Requirements; other sources of strategic information; other sources of information about potential risks (Perf Data, External Reports, CQC compliance, SIs, Complaints, Litigation etc).]
Page 15 of 34
4
DUTIES AND RESPONSIBILITIES
4.1
The duties and responsibilities are attached at Appendix 3.
5
BOARD AND HIGH LEVEL COMMITTEE STRUCTURE FOR RISK MANAGEMENT
Links to the approved Terms of Reference of the following committees can be found
at http://www.bartshealth.nhs.uk/about-us/our-board/board-committees/
5.1
The committee structure for the organisation follows best practice recommendations
as laid out in the revised NHS Audit Committee Handbook¹. Across the organisation
all committees have a role to play in managing risks associated with their sphere of
activity, and all committees feed into more senior committees, up to one of the three
high level committees which escalate unresolved concerns to the Trust Board.
Trust Board
Overall responsibility for risk management rests with the Trust Board.
Principal risks that could threaten the organisation’s objectives are
monitored by the Board through review of the Board Assurance Framework
(BAF). The Trust Board is supported by three high level committees, viz.
the Executive Team, the Audit and Risk Committee and the Quality
Assurance Committee. Other Committees and subcommittees escalate
risks to the Trust Board via these three committees.
Executive Team
The Executive Team is the senior management committee within the Trust.
Its purpose is to oversee the effective operational management of the Trust
(including achievement of statutory duties, standards, targets and other
obligations) and the delivery of safe, high quality, patient centred care and
to support the Trust Board in setting and delivering the organisation’s
strategic direction and priorities.
Audit and Risk Committee
The Audit and Risk Committee has overall responsibility for independently
monitoring, reviewing and reporting to the Trust Board on all aspects of
governance, risk management and internal control. It assists the Trust
Board with its oversight responsibilities. It independently and objectively
monitors, reviews and reports to the Trust Board on the processes of
governance in place in the Trust. Where appropriate, it facilitates and
supports through its independence the attainment of effective processes.
At each meeting the Committee receives and reviews an exception report
from the Risk Management Committee monitoring progress made against
mitigating risks and identifying any areas where the Committee requires
additional assurance. This Committee will also review specific risks from
the BAF assigned to it for monitoring and review.
Quality Assurance Committee
The Quality Assurance Committee will receive relevant clinical risks
included in the BAF at each meeting for monitoring purposes. The
Committee will undertake risk review as requested by the Audit and Risk
Committee to provide assurance of the system of internal control.
¹ NHS Audit Committee Handbook – 2005, DH & Healthcare Financial Management Association, Gateway Ref: 5706
6
OTHER COMMITTEES WITH KEY RESPONSIBILITIES FOR RISK
Risk Management Committee
This committee is responsible for ensuring the development and
implementation of effective systems and processes for risk management
within the Trust and providing assurance to the Audit & Risk Committee
that this is the case. The Risk Management Committee reports by
exception to the Audit & Risk Committee at each meeting and provides an
annual report. Its responsibilities include:
- Reviewing the organisation’s framework for risk management at Corporate and CAG level
- Reviewing the Risk Management Policy every three years or sooner if required
- BAF Heatmap is reviewed at RMC monthly, full BAF quarterly
- Reviewing risk management metrics quarterly
- Reviewing new risks scored 15 or above at each meeting
- Reviewing all risks scored 20 or above at each meeting
- Reviewing the high level risk register quarterly
- Reviewing all risks scored 15 or above, older than nine months and not at target at each meeting
- Receiving ‘deep dive’ risk reports from the CAGs/Corporate Directorates on a rolling programme
- Reviewing rare but catastrophic risks at each meeting
The Terms of reference for this committee can be found at Appendix 4.
Committees reporting to the Executive Team
All committees which report to the Executive Team fulfil a leadership,
monitoring and quality role in relation to the areas of their responsibility. All
of these are responsible for reviewing relevant risks recorded on the Trust
Risk Register and escalating concerns via the Executive Team.
Clinical Academic Groups / Directorate Equivalents
Each CAG/Directorate has its own governance structure through which
risks are reported and reviewed, all of which feed into the higher level
committees by exception. CAGs and Directorate Boards and committees
are also required to review the relevance of BAF risks and commission any
related risk assessments.
7.
ASSURANCE ON THE EFFECTIVENESS OF THE RISK MANAGEMENT SYSTEM
7.1
As part of its strategic and annual work programmes, Internal Audit reviews the
adequacy of the Trust’s risk management system and Board Assurance Framework
and identifies areas for improvement and provides appropriate recommendations. All
other aspects of its work programme, which will review the governance, risk and
control arrangements relating to the delivery of business objectives and key systems
underpinning the delivery of these objectives and the Trust’s responsibilities, will also
form Internal Audit’s view of the adequacy of the risk management system. Each audit
report will identify areas for improvement and provide appropriate recommendations.
The annual Head of Internal Audit Opinion Statement will also summarise the position
and give an overall opinion. This document informs the production of the Trust’s
Annual Governance Statement.
8.
MONITORING THE EFFECTIVENESS OF THE POLICY
What is monitored: 1. The organisation’s risk management structure, detailing all those committees and groups which have some responsibility for risk
How and frequency: Three yearly via review of risk management policy
Recorded in: Minutes of RMC and Trust Board
Committee which monitors outcomes and recommends actions: RMC

What is monitored: 2. How the board or high level risk committee(s) review the organisation-wide risk register
How and frequency: Review of previous year's compliance with their terms of reference for risk management (Trust Board, Audit and Risk Committee, Executive Team and RMC)
Recorded in: Minutes of RMC
Committee which monitors outcomes and recommends actions: RMC

What is monitored: 3. How risk is managed locally
How and frequency: "Deep dive" re each CAG / Directorate at least annually to confirm action against 12+ risks
Recorded in: Minute of RMC
Committee which monitors outcomes and recommends actions: RMC
How and frequency: SIT rep produced weekly and monthly for discussion at CAGs governance or performance committees
Recorded in: Minutes of local committees
Committee which monitors outcomes and recommends actions: CAG / Directorate committees

What is monitored:
4. How all risks are assessed
5. How risk assessments are conducted consistently
6. Authority levels for managing different levels of risk within the organisation
7. How risks are escalated through the organisation
How and frequency: Annual audit undertaken by compliance team of a sample of risks from the register, identifying whether
- a risk assessment form is completed,
- the risk is assigned to an appropriate accountable director (sponsor) and owner
- risks not covered by item 2 above have been discussed at relevant service/CAG/directorate or specialist OR mitigated / closed / brought to residual level
Recorded in: Minutes of RMC
Committee which monitors outcomes and recommends actions: RMC
4
APPENDIX 1 – RISK ASSESSMENT FORM/EVALUATION SYSTEM
GENERAL RISK
ASSESSMENT RECORD
FORM
Guidance for completion of this risk assessment is documented for each section.
When the assessment is complete the guidance notes in blue italics can be deleted.
Clinical risks will be managed through the Service Group and Clinical Academic Group (CAG) governance arrangements. Accountability is
with the Clinical Academic Group Director.
Corporate Directorate (finance, HR etc) risks will be managed through directorate structures and accountability is with the Executive
Director.
Section 1: Administrative Details
Assessor's Name
Date of Assessment
Assessor’s Designation
Risk Owner’s Name (The person who will be coordinating, overseeing or undertaking the work to mitigate the risk):
Risk Sponsor’s Name (This needs to be one of the following: Executive Director, CAG Director, CAG Director of Nursing, CAG General Manager, Service Line General Manager, Lead Clinician)
CAG/Corporate Directorate
Service
Specialty
Site
Section 2: Activity/Task
Risk Title: Suggest a brief title for the risk. This should be no longer than a few words. On some summary reports in Datix, the ‘risk title’ may be the only description of the risk displayed. Therefore, make the risk title as descriptive as possible so that you and others (who may be from elsewhere in the Trust) can understand the general area of the risk
Description of risk:
Hazard: Describe the hazard – this is the state of affairs that has the potential to cause harm. Describe the harm that may be caused as a result of this hazard, making clear who or what could be harmed, and if possible the extent of the harm that could be caused.
Likelihood: Give any information that will assist in identifying the likelihood of the harm that you describe occurring – eg how many incidents involving this kind of harm have occurred to date?
Section 3: Current Control Measures
What measures have already been put
into place in order to reduce the risk from
the hazards identified? Detail only actual
control measures not potential measures
in this section. If there are no current
control measures then state this here.
Section 4: Risk Rating
Consequence Score:
The risk rating is identified by utilising a 5 x 5 matrix to calculate the likelihood of the harm occurring and the consequence of the harm occurring.
Choose the most appropriate domain descriptor(s) from the left hand column of the table e.g. B Injury. Then work across the row to identify the most appropriate IMPACT descriptor e.g. 3 moderate injury. You can use more than 1 domain; enter your selections in the box at the bottom of the table

DOMAINS, with the descriptor for each consequence score 1 to 5

A Objectives/Projects
1: Insignificant cost increase. Schedule slippage
2: < 5% over budget. Schedule slippage
3: 5-10% over budget. Schedule slippage.
4: Non-compliance with national target or key objectives not met. 10-25% over project budget
5: > 25% over budget. Schedule slippage. Key objectives not met

B Injury
1: Minimal injury requiring no/minimal intervention/treatment. No time off work
2: Minor injury/illness requiring minor intervention. Time off work < 7 days. Increase in LOS by 1-3 days
3: Moderate injury requiring professional intervention. Requiring 4-14 days off work. RIDDOR/Agency Reportable. An event which impacts on small numbers (3-5)
4: Major injury leading to long term incapacity/disability. Requiring > 14 days off work. Mismanagement of patient care with long term effects. An event which impacts on moderate numbers (1850)
5: Death. Multiple permanent or irreversible health effects. An event which impacts on large numbers (50+)

C Quality/Complaints/Audit
1: Peripheral element of treatment or service suboptimal. Locally resolved complaint
2: Overall treatment or service suboptimal. Formal complaint. Single failure to meet internal standards. Minor implications for patient safety if left unresolved. Reduced performance rating if unresolved
3: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on
4: Non-compliance with national standards with significant risk to patients if unresolved. Low performance rating. Critical report
5: Totally unacceptable level or quality of service. Gross failing of patient safety if findings not acted upon. Gross failure to meet national standards

D Service/Business Interruption/Environment
1: Loss / interruption of > 1 hour. No or minimal impact on environment
2: Loss / interruption of > 8 hours. Minor impact on environment
3: Loss / interruption > 1 day. Moderate impact on environment
4: Loss / interruption > 1 week. Major impact on environment
5: Permanent loss of service or facility. Catastrophic impact on environment

E Human Resources/Organisational Development/Staffing/Competence
1: Short term low staffing level temporarily reduces service quality (< 1 day)
2: Low staffing level that reduces the service quality
3: Late delivery of key objective/service due to lack of staff. Poor attendance at mandatory training. Unsafe staffing level > 1 day
4: Uncertain delivery of key objective/service due to lack of staff. Loss of key staff. No staff attending mandatory training
5: Non delivery of key objective / service due to lack of staff. Loss of several key staff. No staff attending mandatory training on an ongoing basis

F Finance (whole Trust budget)
1: Small loss of whole Trust budget. < £10,000
2: Loss more than 0.25% of whole Trust budget. £10K - < £50K
3: Loss more than 0.5% of whole Trust budget. £50K - < £500K
4: Loss more than 1.0% of whole Trust budget. £500K - < £1M
5: Loss of > 2% of whole trust budget. > £5M. Loss of contract/PbR

G Claim
1: Risk of claim remote
2: Claim < £100,000
3: Claim between £100K - £1M
4: Claim between £1M - £5M
5: Claim > £5M

H Inspection/Audit
1: No or minimal impact or breach of guidance/statutory duty
2: Breach of statutory duty. Reduced performance rating if unresolved
3: Single breach in statutory duty. Challenging external recommendations/improvement notice
4: Enforcement Action. Low performance rating/critical report. Multiple breaches in statutory duty. Improvement Notice
5: Multiple breaches. Prosecution. Zero performance rating. Severely critical report

I Adverse Publicity/Reputation
1: Rumours. Potential for public concern
2: Local media coverage. Short term reduction in public concern. Elements of public expectation not being met
3: Local media coverage. Long term reduction in public confidence
4: National Media coverage < than 3 days. Service well below reasonable public expectation
5: National media coverage > 3 days. MP Concern (Questions in House). Total loss of public confidence

Record Domains and Consequences as appropriate e.g. A1, B4, H3
Likelihood Score
The ‘frequency-based’ score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

Likelihood score | Descriptor | Broad descriptors | Frequency (time related)
1 | Rare | Harm at the level indicated will probably never happen/never recur | Not expected to occur for years
2 | Unlikely | Do not expect harm at the level indicated to happen/recur but it is possible it may do so | Expected to occur at least annually
3 | Possible | Harm at the level indicated might happen or recur occasionally | Expected to occur monthly
4 | Likely | Harm at the level indicated will probably happen/recur | Expected to occur at least weekly
5 | Almost Certain | Harm at the level indicated will undoubtedly happen/recur, possibly frequently | Expected to occur at least daily
Record the frequency score:
For each of the consequences identified, record a frequency/probability (eg A1 x 3, B4 x 2,
H3 x 4). Make sure that you are assessing the frequency/likelihood of harm at the level you
have indicated
Risk Score:
In each case, calculate the risk score by multiplying the consequence score by the likelihood
score.
NOTE: You may have identified several consequences (each with their own likelihood)
arising from the one hazard. Each may give rise to a different risk score above. The overall
risk score should reflect the highest of these scores (for example, if you have identified A1x3,
B4x2 & H3x4, then the overall risk score will be 12, i.e. from the highest risk H3x4).
Risk Grading:
Use the table below to calculate the risk grading (low 1-6; Medium 8-12; high 15-25) and take
note of the appropriate organisational level for managing the risk and timescale for action

                 Consequence
Likelihood    1    2    3    4    5
    1         1    2    3    4    5
    2         2    4    6    8   10
    3         3    6    9   12   15
    4         4    8   12   16   20
    5         5   10   15   20   25
Section 5: Level at which the Risk will be managed
Risk Banding | Scores | Accountable for Remedial Action | Decision to accept risk | Risk Register Level
Red | 15-25 | Tier 1 | RMC/Exec Team/Trust Board | BAF/High Level
Yellow | 8-12 | Tier 2-3 | CAG Director of Nursing & Governance | Service/CAG/Corporate
Green | 1-6 | Band 6 or above | Ward/Department Manager | Service/Department

RISK LEVEL | TIMESCALE FOR ACTION | TIMESCALE FOR REVIEW
Red (15-25) – High | Action immediately | Review within 1 month
Yellow (8-12) – Medium | Action within 1 month
Green (1-6) – Low | Action within 3 months/accept risk
- Review at 3 months
- Reduce risk to lowest level possible
- Monitor risk controls (6 monthly/annually)
- Accept residual risk
- Review controls at 6 months
- Risk fully mitigated - close risk OR
- Risk reduced to lowest level/review annually
Section 6: Proposed Risk Reduction Action Plan
Use this section to identify how the risk can be reduced. Outline all the actions required and identify a risk score in light of the introduction
of that action. Ensure that you are not introducing a different (and potentially greater) risk by trying to address the current risk. Identify any
costs associated with the actions.
Consider if the risk can be eliminated or the work activity substituted with a less hazardous task. Will training help the situation or is it
necessary to make environmental, policy or organisational changes before further education will be of use?
Your risk assessment should be submitted to the CAG/Directorate Governance Team so that it can be added to the risk register and
submitted to the CAG/Directorate governance group for agreement of the action plan. A risk assessment will be needed for any
improvements/schemes that will need consideration by the Investment Viability Committee/Sub Group.
Action (List the proposed actions required to reduce the risk.) | Revised Risk Score (What effect will the action have on the risk score) | Has this action been agreed? | If agreed, lead Person & Target Date
1
2
3
4
Section 7: Cost
Is there a direct cost to mitigate this risk? Yes/No*
What type of cost? Capital/Revenue/Capital & Revenue*
How much? Capital: £ Revenue: £
Is this the estimated or actual cost? Estimated/Actual*
*Delete as applicable
Section 8: Action Plan Agreement
Risk Rating
Amber & Red risks must be escalated to a senior manager who will take responsibility for further escalation. | Name of senior manager
Service Group validation and agreement of proposed action plan (Amber & red risks will require this) | Date and name of committee
CAG/Corporate Directorate validation and agreement of proposed action plan (Amber and red risks will require this) | Date and name of committee
Further management action required by CAG or Division:
Action | Lead | Target Date
5
6
Section 9: Review
For further reviews, append additional sheets
Planned Review Date
Actual Review Date:
Reassessed Risk Score:
Name of reviewer
Comments:
Give details of actions completed and explain why actions are overdue (if any)
Please send a copy of this risk assessment form to your Directorate/Service Line/CAG
Governance Team so that it can be added, if appropriate, to the CAG/Directorate risk
register
If further help or guidance is required please contact your CAG Governance Team, the
Trust Risk Manager or the Compliance Unit
APPENDIX 2: INFORMATION AVAILABLE TO HELP IDENTIFY OR QUANTIFY HAZARDS & RISKS
[Diagram: sources of information arranged on two axes, Proactive/Reactive and Internal/External. Items shown:]
- Incidents, claims and complaints
- Risk Assessments – Clinical, Fire, Health & Safety
- Serious Untoward Incidents
- Internal Inspections, Audit
- Performance Dashboard
- Clinical Due Diligence
- Board 2 Board
- Programme and Project Activities
- Patient & Staff surveys
- Annual Planning/Objectives
- Governance Audit Tool
- Issues raised by committees
- Speciality Specific Audits
- Risks on the Register
- External audits / accreditations / reports (e.g. Fire Brigade, HSE, HPA)
- NICE, NSF, National Enquiry Reports
- Safety Alerts, Rapid Response Reports
- External Inspections, Audit
- Consultation External Stakeholders
- CQC Essential Standards inspections
- NHSLA Risk Mgmt & Maternity Standards Assessments
- Internal Assurance against CQC & NHSLA standards
APPENDIX 3 – DUTIES AND RESPONSIBILITIES
Trust Board
Overall responsibility for risk management rests with the Board.
The Board is responsible for reviewing the effectiveness of internal
controls: clinical, financial, environmental and organisational. The
Board is required to meet its statutory obligations on financial
management, the quality of health care and on health and safety. In
addition, it is required to produce an annual Governance Statement that
it is doing its reasonable best to manage the Trust’s affairs efficiently
and effectively through the implementation of internal controls to
manage risk.
The Board demonstrates its commitment to risk management through
the Annual Business Plan and through the endorsement of the Risk
Management Policy on an annual basis.
Chief Executive
Ensures, through leadership the effective implementation of this Policy
and monitoring of its effectiveness.
Chief Nurse
Designated as the accountable and responsible officer for:
Ensuring the efficient management of risk, implementing the system of
internal control, including the Risk Management policy.
Ensuring the efficient management of security, including the
implementation of the requirements of the Counter Fraud and Security
Management Service (CFSMS) in line with recommendations made by
the Secretary of State
Ensuring the proper management of Controlled Drugs
Bringing significant omissions/lapses in any of the above areas to the
attention of the Trust Board.
Medical Director
Executive director accountable for clinical effectiveness and responsible
for the development of appropriate mechanisms to support clinical
effectiveness activities in CAGs and clinical teams. The Medical
Director is also the appointed Director of Infection Prevention and
Control and must ensure there are appropriate arrangements in place to
prevent HCAI.
Chief Financial
Officer
The Chief Financial Officer holds overall fiscal responsibility in the Trust
and is responsible for ensuring a sound system of internal financial
control and providing adequate financial information.
He is the key contact for the auditors and is responsible for providing
assurances to the Audit and Risk Committee.
He will have ultimate responsibility for any financial implications of plans
to minimise risk and the method used to incorporate such into the
business planning process.
Director of
Delivery and
Improvement
Overall responsibility for the Hospital Director Team as well as
Performance, Emergency Planning and Business Continuity.
Director of
Strategy
The Director of Strategy will manage the annual planning process.
Integral to the process is risk assessment so that from the outset plans
are in place to manage risk if it arises and ensure successful delivery of
the annual planning objectives. The role also includes overall
responsibility for the redevelopment programme, Estates and Facilities,
fire, health and safety risk management.
Director of
Corporate Affairs
The Director of Corporate Affairs is responsible for maintaining the
Board Assurance Framework and ensuring its regular review as
required by the Risk Management Committee and Trust Board. The
Director also coordinates with the Deputy Chief Nurse to ensure that the
risks within the Board Assurance Framework are appropriately linked to
other risks identified throughout the Trust. The Director also maintains
the External Inspection scrutiny role and signifies which
forum/directorate will report to external inspection reports and the given
timeframe.
The Director will maintain a register of all external
inspections. The Director is also responsible for information governance
and ensuring any associated risks are adequately managed in line with
the requirements of this policy. The Director is responsible for preparing the Annual
Governance Statement to be signed by the Board.
Non-Executive
Directors
Non-Executive Directors are responsible for giving an independent
perspective on the adequacy of risk management arrangements.
A Non-Executive Director chairs the Audit and Risk Committee and the
Quality Assurance Committee and thereby has oversight of risk
arrangements across the organisation and escalates any concerns
arising from this to the Trust Board.
Director of
Estates &
Facilities
Part of the strategy corporate directorate the Director has responsibility
for effective implementation and maintenance of Health and Safety, to
meet the Trust's obligations under the Health and Safety at Work (etc)
Act 1974, and associated legislation, maintaining the health, safety and
welfare of the Trust's employees, patients, visitors, contractors,
volunteers and others affected by the Trust's activities.
Director of
Internal Audit
Internal Audit is responsible for reviewing and providing assurance on
the Trust's internal control, governance and risk management
arrangements with particular emphasis on key Trust objectives and
responsibilities. The annual audit programme is risk based and takes
account of other assurance providers in determining necessary
coverage.
Tier 1 CAG/Corporate Group Directors
Directors have overall responsibility for governance and risk
management in the CAG/Directorate.
Tier 1 Directors of Operations
The Directors are required to support the Service Lines in developing
innovative approaches to patients and patient pathways/systems
ensuring risks are understood and managed.
Assist the CAG/directorate senior team with the management of
operational risks directing the risk management activity of the Heads of
Service.
Tier 1 CAG Directors of Nursing and Governance/Corporate Senior Managers
Are responsible for ensuring the local and corporate arrangements for
risk management are implemented following the risk management
process set out in Section 3 of the Policy. This includes but is not limited
to:
- Establishing a regular Forum to review risk registers
- Ensuring the breadth of risk identification is sufficient (e.g. external/internal reviews, incidents, claims and complaints)
- Monitoring risk mitigation plans, with high risks having a monthly review
- Escalating risks to the Management Performance Review
- Escalating risks to the Risk Management Committee
- Undertaking deep dive reviews of their risk register
- Ensuring learning takes place from incidents, claims and complaints and that a tangible reduction in severity is achieved along with, over time, a reduction in incidence
- Preparing a risk management plan covering the above that is used at the local level to inform key personnel
The Director of Human Resources
Responsible for ensuring that a register of Safety Representatives is
maintained and available to all staff.
Tier 2: General Managers, Heads of Nursing, Clinical Directors; Senior Managers of corporate directorates (HR, Finance etc)
Have statutory obligations for the management of risk in the workplace
including assessments for all work-based activity and to foster a culture
of risk awareness throughout the Service. Risk assessment should
cover all areas of business activity – operational, financial, clinical, fire,
health and safety, emergency planning and business continuity. Risk
assessments must include capital funding requirements where
appropriate.
Managers with responsibility for external contracts will comply with
Standing Financial Instructions, to ensure contractual arrangements
reflect the risk management requirements of the Trust.
Tier 3: Service Managers, Matrons, Clinical Leads
Have responsibility for risk register activity (risk ownership, mitigation
plans, risk updating, escalation) following the risk register process
(section 3).
To assist Tier 2 in particular to own risk mitigation action plans and to
actively promote a culture of risk management within their services.
To manage the local risk registers with support from the CAG
Governance Team.
CAG Governance Managers
Within CAGs, support the Group Director, Director of Nursing and
Governance to deliver the outcomes above.
Identify and escalate risks emerging from other aspects of governance
work (eg incidents, complaints, Central Alerting System)
Heads of
Departments,
Ward Sisters,
Charge Nurses
Accept personal accountability for the active implementation of risk
assessment and risk management in the ward or department
concerned. Supporting the maintenance of the local risk register in
conjunction with Tier 3 managers and the CAG Governance Team.
Ensure that documented risk management procedures and systems are
in place and adhered to;
Ensure health and safety issues are a standing item at team and
departmental meetings to secure staff commitment to safety by
discussion of near miss and unsafe conditions and feedback from
incident investigations:
Ensure attendance of staff at appropriate risk management and
mandatory training sessions;
Safety
Representatives
These are nominated by Trade Unions and Staff Associations.
Representatives must provide notification of their appointment to the
Director of Human Resources. Safety Representatives can;
Monitor the arrangements for staff safety,
Attend the Health and Safety Committee,
Investigate potential hazards and dangerous occurrences,
Examine the causes of accidents,
Carry out periodic, planned inspections,
Represent employees in consultations at the workplace with inspectors
of the HSE and of any other enforcing authority.
All employees
Comply with the risk management and health and safety arrangements
and policies appropriate to the work task being undertaken.
Report to their line manager any deficiencies that could impact upon the
health, safety and welfare of individuals (patients, staff, contractors,
etc.).
To complete and submit an incident report form in the event of an
incident and escalate high risk/harm incidents by the quickest means
possible (see the Trust’s Adverse Incident Policy).
Where necessary, to raise concerns through specific channels (see the
Trust’s Whistle Blowing Policy (Raising Concerns in the Workplace)).
Work within the safety systems and protocols arranged by the Trust, and
in accordance with the directions of their manager, including the correct
use of personal protective equipment where this has been identified as
necessary.
To participate in mandatory and other training as directed by manager.
Be aware of their full duties and responsibilities under the HASAW Act,
the requirements of their professional body and those of their job plan to
work safely, which may be updated and revised from time to time.
Agency, Locum
and bank Staff
To undertake a local induction and to escalate concern via the staff
bank or other office arranging their placement if this is not provided.
Work within the safety systems and protocols arranged by the Trust, and
in accordance with the directions of their manager, including the correct
use of personal protective equipment where this has been identified as
necessary.
To participate in risk management activities as directed by the manager
responsible for their activity in the Trust.
To report any safety incidents or escalate any concerns to that
manager.
Contractors
Contractors are required to comply with the statutory and contractual
arrangements that specify the health, safety and risk management
activities that must be observed while working in the Trust.
This includes maintaining appropriate communication with the Trust senior
manager who is responsible for each Contract.
CORE CORPORATE ROLES/RESPONSIBILITIES
Deputy Chief Nurse Quality and Governance
Leading and directing risk management activities for the organisation
Through collaborative working with Directors and Executives ensure the
BAF reflects the risks arising from within the organisation
Leading and directing patient safety activities – care collaborative etc
Ensuring the organisation has effective governance systems
Associate Chief Nurse
Ensuring risks arising from the Care Quality Collaborative are identified,
escalated and mitigated.
Trust Risk Manager
Lead the development and implementation of the Trust’s Risk
Management Policy
Responsible for maintaining a robust risk register, through collaborative
work with the CAGs/Directorates and supporting the Board Assurance
Framework
Establishing and maintaining effective relationships within the
organisation to deliver an effective service and develop the capability of
the organisation to manage risk
Head of Compliance Unit
CQC compliance assessment and delivery and identification of risks that
threaten compliance. Ensuring mitigation plans are in place.
Head of Emergency Planning
Lead on all aspects of emergency planning
Continue to develop and refine the organisation’s Business Continuity
Plan
Exercise the organisation both locally and in conjunction with partner
agencies to ensure effective responses to a variety of emergency
situations
Head of Health and Safety
Regular monitoring of health, safety and fire compliance throughout the
organisation (risk assessments, incident investigations)
Prepare policies and guidance as required to ensure the organisation
has an effective health and safety framework
Responsible for internally produced fire, H&S guidance (intranet)
Assist with the implementation of e-learning for fire, health and safety
Liaise with Enforcement bodies and in particular report incidents as
required (HSE, Medicines and Healthcare products Regulatory Agency,
London Fire and Emergency Planning Authority, Environment Agency,
Police in conjunction with Trust Security Specialist Manager, NHSLA,
SHA, NHS Estates Forum, Local Authorities)
Head of Occupational Health Services
Provide an occupational health service to the organisation that
addresses identified occupational health requirements
Undertake health surveillance
Managing inoculation injuries
Radiation Protection Advisor
The RPA is responsible for providing advice to the Trust on radiation
safety issues and on compliance with radiation safety legislation.
APPENDIX 4 – RISK MANAGEMENT COMMITTEE TERMS OF REFERENCE
1. Authority
1.1 The Risk Management Committee is constituted as an executive committee reporting
to the Audit and Risk Committee.
2. Purpose
2.1 The Risk Management Committee is responsible for ensuring the development and
implementation of effective systems and processes for risk management within the
Trust and providing assurance to the Audit and Risk Committee that this is the case.
3. Membership and quorum
3.1 The membership of the Risk Management Committee will be as follows:
Chief Executive (Chair of the Committee)
Director of Delivery and Improvement
Medical Director
Chief Nurse
Director of Strategy
Chief Financial Officer
Director of Academic Health Sciences
Director of Human Resources
Chief Information Officer
Director of Corporate Affairs and Trust Secretary
Clinical Academic Group (CAG) Directors of Nursing and Governance
Director of Internal Audit
Deputy Chief Nurse, Quality and Governance
Non-Executive Director
Trust Risk Manager
3.2 In their absence, members should send appropriate deputies. In the case of CAGs,
the expectation is that this would be a member of the CAG leadership team.
3.3 A quorum shall be at least five members, with at least two members of the Executive
team and two CAG representatives present.
3.4 Others will be invited to attend by the Chair as required for specific items.
4. Secretariat
4.1 The Director of Corporate Affairs will ensure that there is a Secretary to the
Committee who provides appropriate support to the Chair and committee members.
This shall include agreement of the agenda with the Chair and attendees, collation of
papers, taking minutes and keeping a record of matters arising and issues to be
carried forward and advising the committee on pertinent areas.
5. Frequency of meetings
5.1 The Risk Management Committee will meet monthly.
6. Reporting and assurance
6.1 The Risk Management Committee will produce an annual report to the Audit and Risk
Committee on its activities in relation to its terms of reference. It will provide an
exception report to each meeting of the Audit and Risk Committee.
7. Review
7.1 The Risk Management Committee will review its terms of reference at least annually.
8. Responsibilities
8.1 Keep under review the Trust’s policy framework for risk management, at both
corporate and CAG levels, reviewing the Risk Management Strategy and Policy
annually for approval by the Trust Board.
8.2 Ensure that there are appropriate arrangements in place for risk management
training and assessment across the Trust.
8.3 Review risk register entries in line with the agreed work programme, assessing the
scoring criteria and consistency and agreeing at which level of the organisation they
should be managed. The focus of the Committee’s work will be on scrutinising the
actions being taken to mitigate risks (rather than validation of risk scoring, which will
primarily be the responsibility of the senior management teams responsible for CAGs
and corporate areas).
8.4 Review the Board Assurance Framework at each meeting, ensuring that it reflects the
current principal risks to the achievement of the Trust’s annual objectives (and other
strategic aims), that appropriate controls and sources of assurance are in place and
that actions are being taken to address gaps in control or assurance.
8.5 Review key risk metrics and the full high risk register (risks scoring 15 and above)
quarterly, ensuring that risks are being managed effectively at the appropriate level
of the organisation and escalated to the Board Assurance Framework where
appropriate.
8.6 Review as part of a rolling programme both the risk systems and risk registers of each
Clinical Academic Group and corporate directorate, with a focus on the effectiveness
of risk management arrangements, those risks scoring 12 or above and those risks
with high consequence but low likelihood. The Committee to decide at each meeting
which CAG and Corporate department should report at the following meeting.
8.7 Identify requirements for additional information, controls or assurances in relation to
key risks and commission the appropriate individuals or groups to provide this.
8.8 Provide risk-based input to the development of Internal Audit, External Audit and
Clinical Audit work plans, identifying specific assessment or assurance work required
during the development of these work plans or amendments to these that may be
required in-year to address gaps in control or assurance.
8.9 Provide risk-based input to the development of the annual capital programme for the
Trust, ensuring that appropriate account has been taken of significant risks on the
risk register in drawing up the capital programme and that potential capital schemes
have been robustly risk assessed and prioritised.
8.10 A work programme will be agreed with the Chair and progress against this
monitored by the Risk Management Committee.
Version history:
v1.0 Reviewed by Risk Management Committee: 6 September 2012
v2.0 Reviewed by Risk Management Committee: 9 May 2013
v3.0 Reviewed by Risk Management Committee: 10 July 2014