COR/POL/004/2015-001

TRUST CORPORATE POLICY
RISK MANAGEMENT POLICY

APPROVING COMMITTEE(S): Trust Board. Date approved: 07/01/2015
EFFECTIVE FROM: Date of approval
DISTRIBUTION: Trust Board, Executive Team, CAG Directors, General Managers, Heads of Nursing/Midwifery, Matrons, Risk/Governance Leads, All CAGs
RELATED DOCUMENTS:
- Risk Guidance – on Intranet alongside Policy
- Adverse Incident Policy (COR/POL/004/2012-001)
- Whistleblowing Policy (Raising Concerns in the Workplace) (COR/POL/005/2013-002)
- Corporate Induction Policy (COR/POL/025/2012-001)
- Production and Implementation of Trust Policies and Guidelines (COR/POL/001/2014-001)
- Statutory and Mandatory Training Policy (COR/POL/026/2012-001)
- Fire Safety Management Policy (COR/POL/037/2013-001)
- Claims and Inquest Policy (COR/POL/078/2013-001)
- Central Alerting System Policy (COR/POL/077/2013-001)
- External Agency Visits, Inspections and Accreditations Policy (COR/POL/043/2012-001)
- Fraud & Corruption Policy (COR/POL/064/2012-001)
- Radiation Safety Policy (COR/POL/032/2013-001)
STANDARDS: Health and Safety At Work (etc) Act 1974; CQC Essential Standards of Quality and Safety
OWNER: Chief Nurse (Director responsible for risk management)
FURTHER INFORMATION: Sharon Brooks; Keith Hampton
SUPERSEDED DOCUMENTS: Risk Management Policy 2013 Barts Health NHS Trust (COR/POL/004/2013-001)
REVIEW DUE: Three years from date of approval
KEYWORDS: Risk; Health & Safety; Risk Assessment; Risk Register
INTRANET LOCATION(S): http://bartshealthintranet/Policies-and-Guidelines/Trust-widepolicies.aspx
CONSULTATION:
Barts Health Groups: Risk Management Committee; Audit and Risk Committee; CAG Governance Groups/Corporate Heads of Department/New Hospital Project Compliance Unit
External Partner(s): Redevelopment to issue to PFI partner

APPLICATION

Included in policy:
For the groups listed below, failure to comply with this policy may result in investigation and management action which may include formal action in line with the Trust's disciplinary or capability procedures for Trust employees, and other action in relation to organisations contracted to the Trust, which may result in the termination of a contract, assignment, placement, secondment or honorary arrangement.
- All Trust staff, working in whatever capacity
- Other staff, students and contractors working within the Trust
- Trust PFI partners working within the Trust

No staff groups are exempted from this policy.

Table of Contents
1 Introduction and Aims of Policy
2 The Process
3 The Risk register
4 Duties and Responsibilities
5 Board and High Level Committee Structure for Risk Management
6 Other committees with key responsibilities for risk
7 Assurance on the Effectiveness of the Risk Management System
8 Monitoring the effectiveness of the policy
APPENDIX 1 – Risk Assessment Form/Evaluation System
APPENDIX 2: Information Available to Help Identify or Quantify Hazards & Risks
APPENDIX 3 – Duties and Responsibilities
APPENDIX 4 – Risk Management Committee Terms of Reference

1 INTRODUCTION AND AIMS OF POLICY

1.1 The main aim of the Trust’s risk management activities is to ensure the organisation minimises the risks to achieving its objectives, from the Board level objectives through to service level objectives. The Trust has in place a Quality Governance framework which will allow the Trust Board to fulfil its legal and statutory obligations and ensure the organisation consistently follows the principles of good governance applicable to NHS organisations. The framework includes systems and processes for financial control, clinical governance and risk management and will embrace the Care Quality Commission’s registration requirements. The Board will ensure that high quality care is being delivered and risks to quality are being effectively managed.

1.2 The Trust accepts its responsibility for the management of safety, environmental and financial risks, ensuring the health, safety and welfare of staff, patients, visitors, volunteer workers and all other people who attend our premises and who may be affected by our activities. This Policy is also, explicitly, the Trust’s Health and Safety Policy, as required by the Health and Safety at Work Act 1974.

1.3 Subject to the legal framework within which the Trust operates, the Trust will:
- Appoint the most appropriate people, and support them through training and supervision.
- Promote a culture where staff are open to learn from experience, are confident in reporting incidents, and are expected to raise or escalate concerns.
- Establish effective controls against risk, including appropriate policies and procedures, and compliance with statutory duties and national codes of practice.
- Provide sufficient financial resources to support the risk management strategy and the governance agenda.
1.4 This policy will be reviewed by the Trust Board on a three yearly basis and will reflect changes to the Trust’s risk management systems as they continue to mature to meet both internal and external drivers.

Definitions

1.5 The following definitions apply throughout this policy / strategy

Risk
An uncertain event, or set of events, that, should it occur, will have an effect upon the achievement of objectives.

Risk Management
The process through which risks are identified and evaluated, plans made, carried out and monitored with a view to minimising the likelihood of a risk actually occurring or, should it occur, minimising the adverse impact of the risk upon the organisation’s objectives. Throughout this policy, risk management explicitly includes but is not restricted to the management of risks in the areas of health, safety, infection control, fire, security, finance, clinical and operational activity. There are other trust policies that also address the management of specific areas of risk e.g. Fire Safety Policy.

Hazard
A hazard is something (e.g. an object, a situation, an activity) that can cause adverse effects. For example:
- Water on a staircase is a hazard, because you could slip on it, fall and hurt yourself.
- Short staffing can be a hazard as it might cause suboptimal service.
- Introducing a new procedure is a hazard because, until staff are familiar with it, they might make mistakes.

Risk Description
A risk is the likelihood that a hazard will actually cause its adverse effects, together with a measure of the impact should these adverse events occur. It is a two-part concept and you have to have both parts to make sense of it.
When describing a risk in the risk register, a standard phrase should be used to ensure consistency and accuracy and enable effective communication: “As a result of <the hazard>, there is <the likelihood> it will result in <the impact>.” For example:
- As a result of poor attendance on manual handling training (the hazard), each month (the likelihood) a staff member might receive a minor injury (the impact)
- As a result of lack of preventative maintenance of equipment (the hazard), once per year (the likelihood) the service might be interrupted for at least a week (the impact)
- As a result of local non-compliance with national standards (the hazard), it is possible (the likelihood) that we will receive a critical external report (the impact)
Standard descriptors for likelihood and impact can be found in the Barts Health scoring matrix.

Risk Scoring Matrix
Likelihood and Impact are each rated from 1 to 5. The total risk score is obtained by multiplying the two together, giving a total score of 1 to 25. The Barts Health scoring matrix contains many descriptors for different types of impact and likelihood appropriate for different risk situations. Note, the current risk score should take into account the controls already in place. Controls will tend to reduce the likelihood of the adverse event occurring or its impact should it occur and, therefore, should reduce the current risk score.

Control
A control is any measure that is in place which deliberately reduces either the likelihood of the risk materialising or the impact it will have on the relevant objective. Examples of controls might be:
- Equipment or arrangements which act as a barrier against the risk materialising (e.g. locks, access restrictions, recruitment checks, Safer Surgery Checklist).
- Policies, procedures or training which support staff in minimising the likelihood of a risk materialising or its impact should it materialise.
- Equipment or other measures which reduce the immediate impact of the risk should it occur (e.g. fire extinguishers, first aid boxes) or which promote a quicker recovery from resulting harm (e.g. insurance policies, other contingency plans).

Mitigating action
A mitigating action is any step which the organisation can take to reduce the likelihood or impact of a risk which has not yet been fully controlled. Often a mitigating action will involve putting a control into place.

CAG or Directorate risk
A risk, of whatever severity, that impacts primarily upon one CAG or Corporate Directorate, or for which the means of mitigating the risk lies largely with a single CAG or Corporate Directorate.

Multi Group risk
A risk, of whatever severity, that impacts upon more than one CAG or Corporate Directorate or upon the organisation as a whole i.e. a shared risk.

High level risk
A risk, regardless of where in the organisation it originates, which has been agreed by the Risk Management Committee as having a potentially severe impact on the organisation as a whole (currently risks scored 15 and above - see Risk Evaluation System/Assessment form at Appendix 1). High Level Risks will all also be CAG, Directorate or Multi Group risks. After identification of a high level risk, the Committee will wish to monitor the risk to assure itself that it is being mitigated, but, in all but exceptional circumstances, responsibility for managing the risk still remains with the CAGs or corporate directorates.

Trust Risk Register
The Trust’s Risk Register is a unified log of all the risks identified in the organisation. Each record includes:
- a summary of the risk
- details of its potential impact and the likelihood of this occurring
- location
- who is accountable for managing the risk
- mitigating actions which have been agreed or are planned,
- controls that are in place and
- progress achieved in reducing the severity of the risk.
The Trust has a single, unified risk register, hosted within the Trust’s electronic risk management database. The information from the register that is available to staff at different levels and areas of the trust will depend upon agreed access levels.

CAG / Directorate / Departmental Risk Register
These terms do not refer to separate registers but to the domains (within the unified Trust Risk Register) which are accessible to staff at different levels and in different areas of the organisation.

High Level Risk Register
This term is used to refer to the subset of risk records in the risk register which relates to high level risks, see above. This subset of records is still managed by the CAG or corporate directorate but will also receive particular involvement and attention at Board Level. CAGs/Directorates/Departments Risks are always able to add, view, and update records relating to risks which directly affect them, regardless of the severity of the risk.

Board Assurance Framework (BAF)
A document that contains the organisation’s strategic objectives and a description of the principal risks that could threaten achievement of these objectives. Each objective has the current organisational performance shown which allows effective linkages to be made against risk management and performance. Strategic risks described in the BAF will be linked to one or more risks on the trust risk register. As such, changes to the risk rating or mitigation plan of a risk on the trust risk register will be incorporated into the relevant strategic risk on the BAF. The BAF is monitored and managed at Board level.

Accountable Director (Risk Sponsor)
Depending on the level of risk this needs to be one of the following:

Risk Owner
This should be the person that will be coordinating, overseeing or undertaking work to mitigate the risk.
Tier 1
Group Director/Director of Nursing & Governance/Director of Operations
Executive Director/CAG Group Director/CAG DoNG/CAG Director of Operations/General Manager/HoN/Matron/Service Line GM/Departmental Manager/Lead Clinician.
Corporate Directorate - Deputy Director/Associate Director

Tier 2
General Manager/Head of Nursing/Clinical Director
Corporate Directorate – Band 8

Tier 3
Service Manager/Matron/Clinical Lead
Corporate Directorate Band 6/7

2 THE PROCESS

2.1 The Trust manages its risks as set out in following diagram:

[Diagram: risk management process. Steps and labels shown:]
- ESTABLISH Objectives: Internal / external context; Develop Criteria; Define the Structure
- IDENTIFY RISKS to achieving objectives: What can happen? When? Where? How? Why?
- ANALYSE AND EVALUATE RISKS: Identify existing controls; Determine Consequences; Determine Likelihood; Determine Level of Risk; Compare against criteria; Set priorities
- TREAT RISKS: Identify and assess options; Prepare & implement treatment plans; Analyse and evaluate residual risk
- Alongside all steps: Monitor and Review; Communicate and consult

2.2 This process is adapted from the internationally recognised Australian/New Zealand Risk Management Standard (4360:2004) and complies with guidance from the Department of Health and the Health and Safety Executive (Successful Health and Safety Management (HSG65)). It is a cyclical process for managing risk and can be used to demonstrate continuous self-assessment and improvement.

Establishing Objectives

2.3 Organisational objectives are agreed and updated annually. Risk is defined as an uncertain event, or set of events, that, should it occur, will have an effect upon the achievement of these objectives.
As such, identifying and treating risk should be an integral part of the annual business planning and objective setting process.

2.4 The Board Assurance Framework (BAF) contains the organisation’s strategic objectives and a description of the principal risks that could threaten achievement of these objectives. A strategic risk described in the BAF will be linked to one or more risks on the trust risk register. As such, changes to the risk rating or mitigation plan of a risk on the trust risk register will be incorporated into the relevant strategic risk on the BAF. Through this process the Board gains assurances that risk mitigation is planned and implemented.

2.5 The high risks in the trust risk register will be reviewed every month to ensure any changes or additions are then reflected in the corresponding strategic risks in the BAF.

2.6 The BAF will be used to develop the annual work programmes for the high level assurance committees reporting to the Board. Appropriate sources of assurance will be identified and commissioned. The findings of these assurance sources shall inform the BAF and will either confirm management’s view of the level of risk and the adequacy of internal control or identify the need for revision (higher or lower). An increase in risk would also lead to the BAF noting the need for additional improvements in internal control. In addition the BAF evidences the systems of internal control and is used to form part of the Annual Governance Statement issued by the Trust (Annual Report and Accounts).

Identifying risks

2.7 Managers and Leads have clear responsibilities for risk assessment and control in their areas. Specialist responsibilities (eg infection control, radiation safety, security) are built into job plans of relevant staff. General responsibilities are built into all job plans.
2.8 There are three circumstances in which risk assessments should be done:
a) An annual risk assessment (against the upcoming year’s objectives)
b) Risk assessments undertaken prior to a planned change (for example, when planning new work, installing new equipment or implementing an organisational change).
c) Ad hoc risk assessments when a new hazard is identified. These may be undertaken at any time.

2.9 When the need for a risk assessment has been established, there are three methods available for identifying risks. In practice, a combination of these methods can be used as appropriate to ensure the full range of risks are identified.
- Using a checklist of possible types of risk: The Trust’s Risk Evaluation System (Appendix 1) describes different domains of adverse outcomes (e.g. injury, low quality, loss of service, financial overspend etc). When generating a list of possible risks within a particular service or risks resulting from a known hazard, these domains should be used as a checklist to ensure a broad range of different types of risk have been considered.
- Using a checklist of possible types of hazard: A hazard is something (e.g. an object, a situation, an activity) that can cause adverse effects. One way of identifying risks is to identify the range of hazards present in a particular service. The possible risks resulting from these hazards can then be evaluated. A broad list of generic hazards can be found in the Risk Guidance document. This should be used as a checklist to ensure that a wide range of hazards is considered.
- Using information and reports generated from other activities: regular management information and other reports (such as internal and external audits) are continuously generated for each service. These may identify some of the hazards present (e.g. areas of underperformance). This, in turn, can be used to identify potential risks resulting from these hazards. The types of information that can be used in this way are shown as Appendix 2. In addition, some trust policies explicitly require that risks identified in certain types of reports are considered for inclusion in the risk register (Adverse Incident Policy, Complaints policy, CQC Inspection Policy, Internal Audit Policy).

2.10 There are some instances that require specific consideration as to whether the risk should be included in the trust risk register. This is to ensure that the trust risk register is an accurate representation of all the risks facing the organisation:
- When the trust receives an external assessment report (for example, a CQC inspection report), the person responsible for actioning the report must, as part of that process, also identify any risks articulated or implied in the report. These risks must be formally risk assessed and placed on the trust risk register.
- As part of a Serious Incident investigation, risks may be identified. Some of these will be mitigated by the action plan, but some may be longer term and would merit inclusion in the trust risk register. The service manager of the area in which the incident took place must identify these risks and ensure they are placed on the trust risk register. A similar process should be followed for risks identified through complaint investigations and claims.
- A requirement of the Cost Improvement Programme is that the impact of each proposal is risk assessed. The principal risks identified in the accepted proposals must be placed on the trust risk register.
- Trust programmes and projects (such as New Hospitals Programme, ICT projects) will employ risk registers. The risks identified in these must be reflected on the trust risk register.

2.11 Agreed risk assessments are completed using tools provided. A range of risk assessment tools are available for particular areas. The general risk assessment tool is available on the Barts Health intranet.
Evaluating & analysing risks

2.12 The Trust uses a standard Risk Evaluation System which is internationally recognised and is adaptable to different areas of risk, supported by specific risk assessment templates (eg Clinical Risk, Health and Safety, Fire, Stress etc) (see Risk Management Intranet site for more details). All risks are evaluated and scored using standardised criteria for impact and likelihood.

2.13 The Risk Evaluation System for use in the Trust is attached at Appendix 1. This system incorporates the following key features:
- A matrix to identify the risk evaluation score that uses impact and likelihood scales;
- Impact descriptors that cover different areas of risk;
- Likelihood descriptors for frequency and probability;
- Management authority for each level of risk (high, medium and low).

2.14 The Risk Evaluation System is incorporated into the Trust Risk Assessment Form. This can be downloaded from the Trust Intranet – Home Page/Trust Wide Policies/Risk Management Policy.

Managing & Treating Risks

2.15 The Risk Evaluation System, Appendix 1, sets out the management and committee level at which risks of different severities are approved, reviewed, managed and ultimately signed off.

2.16 Each risk register item is assigned to an appropriate monitoring / review body, which is responsible for obtaining assurance of completion of the agreed action and for approving updated risk register entries.

2.17 Wherever possible, claims of mitigation of a risk should be independently or objectively evidenced (for example, evidence from an audit or external review).

2.18 This assurance is fed back up through the organisation, to provide high level assurance to the Trust Board that the organisation’s risks are properly addressed.

2.19 Information on risks which are not adequately controlled or which remain at a high level despite attempts to control, are escalated to the appropriate level of the organisation, as set out in Appendix 1.
This may be a departmental, speciality, CAG or Directorate risk group, a higher level committee, or ultimately, in the case of the most severe risks, the Trust Board.

2.20 Planning of action to reduce identified risks will typically follow widely recognised schema for risk reduction -
- Avoid the risk – eg by withdrawing equipment from use or terminating an activity.
- Reduce the likelihood of the risk materialising – eg through audit and compliance programmes, policies and procedures, preventative maintenance, training, supervision programmes etc.
- Reduce the potential impact if the risk does materialise – for example through contingency planning, minimising exposure to the risk, public relations etc
- Transfer of Risk – this involves another party bearing or sharing some part of the risk eg through the use of contracts, insurance arrangements, partnership and joint ventures.

2.21 The treatment of some risks may require capital investment. If this is the case, an estimate of the capital investment required must be recorded on the risk register (in the ‘investment cost’ field). All that is required is an estimated cost (ie there is no need at this stage to get formal quotes or undergo a formal costing process). There is the ability to record capital investment, revenue, or capital investment and revenue.

2.22 In due course, a business case for capital investment might be raised. A formal costing process would be required at this stage.

3 THE RISK REGISTER

3.1 The Trust Risk Register is a log of risks which have been identified within the organisation. New entries in the risk register are made as risks are identified and existing risks are updated as progress is made in controlling them.

3.2 The risk register is a single, integrated database, hosted on the Trust’s electronic risk management system (Datix).
Users in different areas and at different levels of responsibility in the Trust have access to different subsets of records within the Register. All CAGs and Directorates must enter and update their risks on this register making the electronic register the central repository for risk information across the organisation.

3.3 The risk register includes details of the nature of the risk, its potential impact and the likelihood of that impact, the overall risk score, the service(s) which “owns” the risk, the controls currently in place and further planned controls, the forum where progress in mitigating the risk is monitored and the progress achieved.

3.4 “Open” risks are those which have been evaluated but not yet fully controlled; these are therefore risks which may impact upon the Trust’s objectives.

3.5 Risks which have been graded 15 and above are a subset which is described as the “High Level Risk Register”. Trust executives are made aware of these risks and will require assurance that these high risks are being managed promptly and effectively. However, these risks will still be managed at the most appropriate level and in the most appropriate area of the organisation, usually at CAG or corporate directorate level.

3.6 When a risk has been fully controlled, the entry may be signed off at the appropriate level of the organisation (which will depend on the nature and severity of the risk) and the entry will then be “closed” (although, for audit purposes, a record of the closed risk will remain on the risk register).

Training in risk evaluation and use of the risk register

3.7 The need for risk management training for staff, including board members, is reviewed annually as part of the Trustwide Training Needs Analysis and delivered in line with the Statutory and Mandatory Training Policy. Additional training needs identified outside of the Training Needs Analysis will be provided on request by the Compliance Team.
Managing the Risk Register

3.8 Senior managers in all areas are responsible for monitoring and managing those risks which are “owned” within their area, and which therefore make up the CAG / Directorate / Departmental Risk Register for their area.

3.9 Where a risk’s overall score or controls in place or controls planned changes then the trust risk register must be updated as soon as possible. This ensures that, at all times, the risk register is an accurate representation of the current risks facing the trust.

3.10 The majority of risks identified will be owned and managed within a single CAG or Corporate Directorate. Occasionally, a risk might be shared across several areas and ownership of the risk might be unclear. In this case, the different areas will be expected to negotiate between themselves to determine how the risk will be owned and managed. In cases where ownership of a risk cannot be agreed, this must be escalated to the Risk Management Committee for discussion and resolution.

3.11 The overall process through which the risk register is managed is summarised in the flowchart on the next page.

Local Risk Management Arrangements

3.12 To manage risks robustly and effectively in line with the process described overleaf, each CAG/Corporate directorate will have a system for reviewing risks. This will include, but not be limited to, a Governance Board where risks from the Service Groups will be reviewed, approved and monitored. The CAG/Corporate directorate will use information from the Governance SitRep weekly/monthly report to monitor risk management performance across their Services. The report contains metrics on risks overdue for review and risks not mitigated in 9 months or more. The intention of monitoring these metrics is to drive risk management improvements.
Corporate Risk Management Arrangements

3.13 Each CAG has a monthly Performance Review with the Executives and risk management performance (using the risk metrics and specific risk escalation from the CAG) is part of this process. The CAG has the opportunity to seek direction on difficult to mitigate risks. The Corporate Directorates will review their risk management performance with their Executive lead using the risk metric reports to judge performance and encourage risk mitigation in a timely manner.

Risk Management Process Chart

3.14 All of the above steps in the risk management process are summarised in the flow chart on the following page.

RISK MANAGEMENT PROCESS CHART

KEY
High (red) risks: 15 +
Medium (amber): 8 to 12
Low (green), below 8

Red risks (15-25)
- Risk identified & assessed.
- Approved at directorate/CAG level risk group and recorded on register.
- Ownership of risk and action plan assigned to Directorate/CAG senior team level
- Risk overseen by Executive lead & managed by CAG/Directorate (Tier 1 / 2 equivalent)
- Red risks reviewed MONTHLY by Owner. Regraded with evidence on register if rating changes

Amber risks (8-12)
- Risk identified & assessed.
- Approved at directorate/CAG level risk group and recorded on register.
- Ownership of risk and action plan assigned to service head or equivalent
- Risk overseen by nominated CAG/directorate manager (Tier 3 equivalent)
- Amber risks reviewed at least QUARTERLY by owner. Regraded with evidence on register if level of risk changes, escalated/deescalated/closed etc. if indicated

Green risks (1-6)
- Risk assessed.
- Approved at Dept/Service level risk group and recorded on register.
- Ownership of the risk and action plan devolved to Department Head or equivalent
- Risks overseen by Department Head, ward manager or equivalent
- Green risks reviewed at least ANNUALLY by Owner. Regraded with evidence on register if level of risk changes

CAG or Corporate Director
- Reviews new risks and action plan
- Reviews all red and amber risks
- Forwards new red risks to RMC
- Report to CAG Board/Directorate equivalent – red risks monthly, amber risks at least quarterly

HIGH LEVEL RISK REGISTER
(Comprises all red risks on register ie those rated 15 and above. Risks are assigned to appropriate level/area for mitigation)
- High level risks (20+) to RMC monthly
- New high risks to RMC monthly
- High level risks (15+, >9 months old and not at target) to RMC monthly
- High level risks (all) to RMC quarterly
- High Level Risks inform Board Assurance framework review quarterly
- Exception report from RMC to each meeting of Audit & Risk Committee
- Annual report from RMC to Audit & Risk Committee

RISK CLOSED

Risk Register Pathway

3.15 The chart on Page 15 shows how risk registers are used throughout the organisation, providing vital information on identified risks and the actions underway to mitigate these risks. Risk assessments typically travel in an upwards direction – Service level to CAG to corporate forums depending upon the level of risk. As risk is mitigated it will typically travel down through the organisation for monitoring of controls or closure as appropriate.
[Chart: Risk Register Pathway. Labels shown on the chart:]
- Board; Key Strategic Risks; A&RC; Exec Team; TMB; QAC; RMC; OMG; Performance Review Meetings
- Board Assurance Framework (strategic risk register + assurances); Trust Strategic Objectives & Mandatory/Statutory Requirements; Risk Assessments; Other sources of strategic information; 15+ risks from CAG/Corporate Directorate Level Risk Registers
- CAG/Corporate Directorate Level Risk Registers; CAG/Corporate Directorate Level Objectives & Mandatory/Statutory Requirements; Risk Assessments; Other sources of information about potential risks (Perf Data, External Reports, CQC compliance, SIs, Complaints, Litigation etc); Major Risks from Service Level Risk Registers
- Service Level Risk Registers; Service Level Objectives & Mandatory/Statutory Requirements; Risk Assessments; Other sources of information about potential risks (Perf Data, External Reports, CQC compliance, SIs, Complaints, Litigation etc)
- QUALITY IMPROVEMENT PROCESSES; PLANNING ACTIVITIES

4 DUTIES AND RESPONSIBILITIES

4.1 The duties and responsibilities are attached at Appendix 3.

5 BOARD AND HIGH LEVEL COMMITTEE STRUCTURE FOR RISK MANAGEMENT

Links to the approved Terms of Reference of the following committees can be found at http://www.bartshealth.nhs.uk/about-us/our-board/board-committees/

5.1 The committee structure for the organisation follows best practice recommendations as laid out in the revised NHS Audit Committee Handbook [1]. Across the organisation all committees have a role to play in managing risks associated with their sphere of activity, and all committees feed into more senior committees, up to one of the three high level committees which escalate unresolved concerns to the Trust Board.

Trust Board
Overall responsibility for risk management rests with the Trust Board.
Principal risks that could threaten the organisation’s objectives are monitored by the Board through review of the Board Assurance Framework (BAF). The Trust Board is supported by three high level committees, viz. the Executive Team, the Audit and Risk Committee and the Quality Assurance Committee. Other Committees and subcommittees escalate risks to the Trust Board via these three committees.

Executive Team
The Executive Team is the senior management committee within the Trust. Its purpose is to oversee the effective operational management of the Trust (including achievement of statutory duties, standards, targets and other obligations) and the delivery of safe, high quality, patient centred care and to support the Trust Board in setting and delivering the organisation’s strategic direction and priorities.

Audit and Risk Committee
The Audit and Risk Committee has overall responsibility for independently monitoring, reviewing and reporting to the Trust Board on all aspects of governance, risk management and internal control. It assists the Trust Board with its oversight responsibilities. It independently and objectively monitors, reviews and reports to the Trust Board on the processes of governance in place in the Trust. Where appropriate, it facilitates and supports through its independence the attainment of effective processes. At each meeting the Committee receives and reviews an exception report from the Risk Management Committee monitoring progress made against mitigating risks and identifying any areas where the Committee requires additional assurance. This Committee will also review specific risks from the BAF assigned to it for monitoring and review.

Quality Assurance Committee
The Quality Assurance Committee will receive relevant clinical risks included in the BAF at each meeting for monitoring purposes. The Committee will undertake risk review as requested by the Audit and Risk Committee to provide assurance of the system of internal control.
[1] NHS Audit Committee Handbook – 2005, DH & Healthcare Financial Management Association, Gateway Ref:5706

6 OTHER COMMITTEES WITH KEY RESPONSIBILITIES FOR RISK

Risk Management Committee
This committee is responsible for ensuring the development and implementation of effective systems and processes for risk management within the Trust and providing assurance to the Audit & Risk Committee that this is the case. The Risk Management Committee reports by exception to the Audit & Risk Committee at each meeting and provides an annual report. Its responsibilities include:
- Reviewing the organisation’s framework for risk management at Corporate and CAG level
- Reviewing the Risk Management Policy every three years or sooner if required
- BAF Heatmap is reviewed at RMC monthly, full BAF quarterly
- Reviewing risk management metrics quarterly
- Reviewing new risks scored 15 or above at each meeting
- Reviewing all risks scored 20 or above at each meeting
- Reviewing the high level risk register quarterly
- Reviewing all risks scored 15 or above, older than nine months and not at target at each meeting
- Receiving ‘deep dive’ risk reports from the CAGs/Corporate Directorates on a rolling programme
- Reviewing rare but catastrophic risks at each meeting
The Terms of reference for this committee can be found at Appendix 4.

Committees reporting to the Executive Team
All committees which report to the Executive Team fulfil a leadership, monitoring and quality role in relation to the areas of their responsibility. All of these are responsible for reviewing relevant risks recorded on the Trust Risk Register and escalating concerns via the Executive Team.

Clinical Academic Groups / Directorate Equivalents
Each CAG/Directorate has its own governance structure through which risks are reported and reviewed, all of which feed into the higher level committees by exception. CAGs and Directorate Boards and committees are also required to review the relevance of BAF risks and commission any related risk assessments.

7. ASSURANCE ON THE EFFECTIVENESS OF THE RISK MANAGEMENT SYSTEM

7.1 As part of its strategic and annual work programmes, Internal Audit reviews the adequacy of the Trust’s risk management system and Board Assurance Framework and identifies areas for improvement and provides appropriate recommendations. All other aspects of its work programme, which will review the governance, risk and control arrangements relating to the delivery of business objectives and key systems underpinning the delivery of these objectives and the Trust’s responsibilities, will also form Internal Audit’s view of the adequacy of the risk management system. Each audit report will identify areas for improvement and provide appropriate recommendations. The annual Head of Internal Audit Opinion Statement will also summarise the position and give an overall opinion. This document informs the production of the Trust’s Annual Governance Statement.

8. MONITORING THE EFFECTIVENESS OF THE POLICY

For each item the table records: what is monitored; how and frequency; where it is recorded; and the committee which monitors outcomes and recommends actions.

1. The organisation’s risk management structure, detailing all those committees and groups which have some responsibility for risk
   How and frequency: Three yearly via review of risk management policy
   Recorded in: Minutes of RMC and Trust Board
   Committee which monitors outcomes and recommends actions: RMC

2. How the board or high level risk committee(s) review the organisation-wide risk register
   How and frequency: Review of previous year's compliance with their terms of reference for risk management (Trust Board, Audit and Risk Committee, Executive Team and RMC)
   Recorded in: Minutes of RMC
   Committee which monitors outcomes and recommends actions: RMC

3. How risk is managed locally
   How and frequency: "Deep dive" re each CAG / Directorate at least annually to confirm action against 12+ risks
   Recorded in: Minutes of RMC
   Committee which monitors outcomes and recommends actions: RMC
   How and frequency: SIT rep produced weekly and monthly for discussion at CAGs governance or performance committees
   Recorded in: Minutes of local committees
   Committee which monitors outcomes and recommends actions: CAG / Directorate committees

4. How all risks are assessed
5. How risk assessments are conducted consistently
6. Authority levels for managing different levels of risk within the organisation
7. How risks are escalated through the organisation
   How and frequency (items 4 to 7): Annual audit undertaken by compliance team of a sample of risks from the register, identifying whether
   - a risk assessment form is completed,
   - the risk is assigned to an appropriate accountable director (sponsor) and owner
   - risks not covered by item 2 above have been discussed at relevant service/CAG/directorate or specialist OR mitigated / closed / brought to residual level
   Recorded in: Minutes of RMC
   Committee which monitors outcomes and recommends actions: RMC

APPENDIX 1 – RISK ASSESSMENT FORM/EVALUATION SYSTEM

GENERAL RISK ASSESSMENT RECORD FORM

Guidance for completion of this risk assessment is documented for each section. When the assessment is complete the guidance notes in blue italics can be deleted. Clinical risks will be managed through the Service Group and Clinical Academic Group (CAG) governance arrangements. Accountability is with the Clinical Academic Group Director. Corporate Directorate (finance, HR etc) risks will be managed through directorate structures and accountability is with the Executive Director.
Section 1: Administrative Details

- Assessor's Name
- Date of Assessment
- Assessor’s Designation
- Risk Owner's Name (The person who will be coordinating, overseeing or undertaking the work to mitigate the risk):
- Risk Sponsor's Name (This needs to be one of the following: Executive Director, CAG Director, CAG Director of Nursing, CAG General Manager, Service Line General Manager, Lead Clinician)
- CAG/Corporate Directorate
- Service
- Specialty
- Site

Section 2: Activity/Task

Risk Title: Suggest a brief title for the risk. This should be no longer than a few words. On some summary reports in Datix, the ‘risk title’ may be the only description of the risk displayed. Therefore, make the risk title as descriptive as possible so that you and others (who may be from elsewhere in the Trust) can understand the general area of the risk.

Description of risk:

Hazard: Describe the hazard – this is the state of affairs that has the potential to cause harm. Describe the harm that may be caused as a result of this hazard, making clear who or what could be harmed, and if possible the extent of the harm that could be caused.

Likelihood: Give any information that will assist in identifying the likelihood of the harm that you describe occurring – eg how many incidents involving this kind of harm have occurred to date?

Section 3: Current Control Measures

What measures have already been put into place in order to reduce the risk from the hazards identified? Detail only actual control measures not potential measures in this section. If there are no current control measures then state this here.

Section 4: Risk Rating

Consequence Score: The risk rating is identified by utilising a 5 x 5 matrix to calculate the likelihood of the harm occurring and the consequence of the harm occurring. Choose the most appropriate domain descriptor(s) from the left hand column of the table e.g. B Injury. Then work across the row to identify the most appropriate IMPACT descriptor e.g.
3 moderate injury. You can use more than 1 domain; enter your selections in the box at the bottom of the table.

DOMAINS (consequence scores 1 to 5)

A Objectives/Projects
  1: Insignificant cost increase; Schedule slippage
  2: < 5% over budget; Schedule slippage
  3: 5-10% over budget; Schedule slippage
  4: Non-compliance with national target or key objectives not met; 10-25% over project budget
  5: > 25% over budget; Schedule slippage; Key objectives not met

B Injury
  1: Minimal injury requiring no/minimal intervention/treatment; No time off work
  2: Minor injury/illness requiring minor intervention; Time off work < 7 days; Increase in LOS by 1-3 days
  3: Moderate injury requiring professional intervention; Requiring 4-14 days off work; RIDDOR/Agency Reportable; An event which impacts on small numbers (3-5)
  4: Major injury leading to long term incapacity/disability; Requiring > 14 days off work; Mismanagement of patient care with long term effects; An event which impacts on moderate numbers (1850)
  5: Death; Multiple permanent or irreversible health effects; An event which impacts on large numbers (50+)

C Quality/Complaints/Audit
  1: Peripheral element of treatment or service suboptimal; Locally resolved complaint
  2: Overall treatment or service suboptimal; Formal complaint; Single failure to meet internal standards; Minor implications for patient safety if left unresolved; Reduced performance rating if unresolved
  3: Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2); Repeated failure to meet internal standards; Major patient safety implications if findings are not acted on
  4: Non-compliance with national standards with significant risk to patients if unresolved; Low performance rating; Critical report
  5: Totally unacceptable level or quality of service; Gross failing of patient safety if findings not acted upon; Gross failure to meet national standards

D Service/Business Interruption/Environment
  1: Loss / interruption of > 1 hour; No or minimal impact on environment
  2: Loss / interruption of > 8 hours; Minor impact on environment
  3: Loss / interruption > 1 day; Moderate impact on environment
  4: Loss / interruption > 1 week; Major impact on environment
  5: Permanent loss of service or facility; Catastrophic impact on environment

E Human Resources/Organisational Development/Staffing/Competence
  1: Short term low staffing level temporarily reduces service quality (< 1 day)
  2: Low staffing level that reduces the service quality
  3: Late delivery of key objective/service due to lack of staff; Poor attendance at mandatory training; Unsafe staffing level > 1 day
  4: Uncertain delivery of key objective/service due to lack of staff; Loss of key staff; No staff attending mandatory training
  5: Non delivery of key objective/service due to lack of staff; Loss of several key staff; No staff attending mandatory training on an ongoing basis

F Finance (whole Trust budget)
  1: Small loss of whole Trust budget; < £10,000
  2: Loss more than 0.25% of whole Trust budget; £10K - < £50K
  3: Loss more than 0.5% of whole Trust budget; £50K - < £500K
  4: Loss more than 1.0% of whole Trust budget; £500K - < £1M
  5: Loss of > 2% of whole Trust budget; > £5M; Loss of contract/PbR

G Claim
  1: Risk of claim remote
  2: Claim < £100,000
  3: Claim between £100K - £1M
  4: Claim between £1M - £5M
  5: Claim > £5M

H Inspection/Audit
  1: No or minimal impact or breach of guidance/statutory duty
  2: Breach of statutory duty; Reduced performance rating if unresolved
  3: Single breach in statutory duty; Challenging external recommendations/improvement notice
  4: Enforcement Action; Low performance rating/critical report; Multiple breaches in statutory duty; Improvement Notice
  5: Multiple breaches; Prosecution; Zero performance rating; Severely critical report

I Adverse Publicity/Reputation
  1: Rumours; Potential for public concern
  2: Local media coverage; Short term reduction in public concern; Elements of public expectation not being met
  3: Local media coverage; Long term reduction in public confidence
  4: National media coverage < 3 days; Service well below reasonable public expectation
  5: National media coverage > 3 days; MP Concern (Questions in House); Total loss of public confidence

Record Domains and Consequences as appropriate e.g. A1, B4, H3

Likelihood Score

The ‘frequency-based’ score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

LIKELIHOOD (score, descriptor, broad descriptor, time-related frequency)

1 Rare
  Broad descriptor: Harm at the level indicated will probably never happen/never recur
  Frequency: Not expected to occur for years
2 Unlikely
  Broad descriptor: Do not expect harm at the level indicated to happen/recur but it is possible it may do so
  Frequency: Expected to occur at least annually
3 Possible
  Broad descriptor: Harm at the level indicated might happen or recur occasionally
  Frequency: Expected to occur monthly
4 Likely
  Broad descriptor: Harm at the level indicated will probably happen/recur
  Frequency: Expected to occur at least weekly
5 Almost Certain
  Broad descriptor: Harm at the level indicated will undoubtedly happen/recur, possibly frequently
  Frequency: Expected to occur at least daily

Record the frequency score: For each of the consequences identified, record a frequency/probability (eg A1 x 3, B4 x 2, H3 x 4). Make sure that you are assessing the frequency/likelihood of harm at the level you have indicated.

Risk Score: In each case, calculate the risk score by multiplying the consequence score by the likelihood score. NOTE: You may have identified several consequences (each with their own likelihood) arising from the one hazard. Each may give rise to a different risk score above. The overall risk score should reflect the highest of these scores (for example, if you have identified A1x3, B4x2 & H3x4, then the overall risk score will be 12 (i.e.
from the highest risk H3x4)).

Risk Grading: Use the table below to calculate the risk grading (low 1-6; Medium 8-12; high 15-25) and take note of the appropriate organisational level for managing the risk and timescale for action.

                  Consequence
Likelihood     1     2     3     4     5
    1          1     2     3     4     5
    2          2     4     6     8    10
    3          3     6     9    12    15
    4          4     8    12    16    20
    5          5    10    15    20    25

Section 5: Level at which the Risk will be managed

Risk Banding | Scores | Accountable for Remedial Action | Decision to accept risk | Risk Register Level
Red | 15-25 | Tier 1 | RMC/Exec Team/Trust Board | BAF/High Level
Yellow | 8-12 | Tier 2-3 | CAG Director of Nursing & Governance | Service/CAG/Corporate
Green | 1-6 | Band 6 or above | Ward/Department Manager | Service/Department

RISK LEVEL / TIMESCALE FOR ACTION / TIMESCALE FOR REVIEW
Red (15-25) – High: Action immediately; Review within 1 month
Yellow (8-12) – Medium: Action within 1 month
Green (1-6) – Low: Action within 3 months/accept risk
Review at 3 months
Reduce risk to lowest level possible
Monitor risk controls (6 monthly/annually)
Accept residual risk
Review controls at 6 months
Risk fully mitigated - close risk OR Risk reduced to lowest level/review annually

Section 6: Proposed Risk Reduction Action Plan

Use this section to identify how the risk can be reduced. Outline all the actions required and identify a risk score in light of the introduction of that action. Ensure that you are not introducing a different (and potentially greater) risk by trying to address the current risk. Identify any costs associated with the actions. Consider if the risk can be eliminated or the work activity substituted with a less hazardous task. Will training help the situation or is it necessary to make environmental, policy or organisational changes before further education will be of use? Your risk assessment should be submitted to the CAG/Directorate Governance Team so that it can be added to the risk register and submitted to the CAG/Directorate governance group for agreement of the action plan.
A risk assessment will be needed for any improvements/schemes that will need consideration by the Investment Viability Committee/Sub Group.

Action table (rows 1 to 4), with columns:
- Action: List the proposed actions required to reduce the risk.
- Revised Risk Score: What effect will the action have on the risk score
- Has this action been agreed?
- If agreed, lead Person & Target Date

Section 7: Cost

- Is there a direct cost to mitigate this risk? Yes/No*
- What type of cost? Capital/Revenue/Capital & Revenue*
- How much? Capital: £ Revenue: £
- Is this the estimated or actual cost? Estimated/Actual*
*Delete as applicable

Section 8: Action Plan Agreement

- Risk Rating: Amber & Red risks must be escalated to a senior manager who will take responsibility for further escalation. Name of senior manager
- Service Group validation and agreement of proposed action plan (Amber & red risks will require this): Date and name of committee
- CAG/Corporate Directorate validation and agreement of proposed action plan (Amber and red risks will require this): Date and name of committee
- Further management action required by CAG or Division (rows 5 and 6): Action; Lead; Target Date

Section 9: Review

For further reviews, append additional sheets.
- Planned Review Date
- Actual Review Date:
- Reassessed Risk Score:
- Name of reviewer
- Comments: Give details of actions completed and explain why actions are overdue (if any)

Please send a copy of this risk assessment form to your Directorate/Service Line/CAG Governance Team so that it can be added, if appropriate, to the CAG/Directorate risk register.

If further help or guidance is required please contact your CAG Governance Team, the Trust Risk Manager or the Compliance Unit.

APPENDIX 2: INFORMATION AVAILABLE TO HELP IDENTIFY OR QUANTIFY HAZARDS & RISKS

[Chart: sources of information feeding "Risks on the Register", arranged by Proactive/Reactive and Internal/External. Sources named in the chart:]
- Incidents, claims and complaints
- Risk Assessments – Clinical, Fire, Health & Safety
- Serious Untoward Incidents
- Internal Inspections, Audit
- Performance Dashboard
- Clinical Due Diligence
- Board 2 Board
- Programme and Project Activities
- Patient & Staff surveys
- Annual Planning/Objectives
- Governance Audit Tool
- Issues raised by committees
- Speciality Specific Audits
- External audits / accreditations / reports (e.g. Fire Brigade, HSE, HPA)
- NICE, NSF, National Enquiry Reports
- Safety Alerts, Rapid Response Reports
- External Inspections, Audit
- Internal Consultation
- External Stakeholders
- CQC Essential Standards inspections
- NHSLA Risk Mgmt & Maternity Standards Assessments
- Internal Assurance against CQC & NHSLA standards

APPENDIX 3 – DUTIES AND RESPONSIBILITIES

Trust Board
Overall responsibility for risk management rests with the Board. The Board is responsible for reviewing the effectiveness of internal controls: clinical, financial, environmental and organisational. The Board is required to meet its statutory obligations on financial management, the quality of health care and on health and safety. In addition, it is required to produce an annual Governance Statement that it is doing its reasonable best to manage the Trust’s affairs efficiently and effectively through the implementation of internal controls to manage risk. The Board demonstrates its commitment to risk management through the Annual Business Plan and through the endorsement of the Risk Management Policy on an annual basis.

Chief Executive
Ensures, through leadership, the effective implementation of this Policy and monitoring of its effectiveness.

Chief Nurse
Designated as the accountable and responsible officer for:
- Ensuring the efficient management of risk, implementing the system of internal control, including the Risk Management policy.
- Ensuring the efficient management of security, including the implementation of the requirements of the Counter Fraud and Security Management Service (CFSMS) in line with recommendations made by the Secretary of State
- Ensuring the proper management of Controlled Drugs
- Bringing significant omissions/lapses in any of the above areas to the attention of the Trust Board.

Medical Director
Executive director accountable for clinical effectiveness and responsible for the development of appropriate mechanisms to support clinical effectiveness activities in CAGs and clinical teams. The Medical Director is also the appointed Director of Infection Prevention and Control and must ensure there are appropriate arrangements in place to prevent HCAI.

Chief Financial Officer
The Chief Financial Officer holds overall fiscal responsibility in the Trust and is responsible for ensuring a sound system of internal financial control and providing adequate financial information. He is the key contact for the auditors and is responsible for providing assurances to the Audit and Risk Committee. He will have ultimate responsibility for any financial implications of plans to minimise risk and the method used to incorporate such into the business planning process.

Director of Delivery and Improvement
Overall responsibility for the Hospital Director Team as well as Performance, Emergency Planning and Business Continuity.

Director of Strategy
The Director of Strategy will manage the annual planning process. Integral to the process is risk assessment so that from the outset plans are in place to manage risk if it arises and ensure successful delivery of the annual planning objectives. The role also includes overall responsibility for the redevelopment programme, Estates and Facilities, fire, health and safety risk management.
Director of Corporate Affairs
The Director of Corporate Affairs is responsible for maintaining the Board Assurance Framework and ensuring its regular review as required by the Risk Management Committee and Trust Board. The Director also coordinates with the Deputy Chief Nurse to ensure that the risks within the Board Assurance Framework are appropriately linked to other risks identified throughout the Trust. The Director also maintains the External Inspection scrutiny role and signifies which forum/directorate will report to external inspection reports and the given timeframe. The Director will maintain a register of all external inspections. The Director is also responsible for information governance and ensuring any associated risks are adequately managed in line with the requirements of this policy. The Director is responsible for preparing the Annual Governance Statement to be signed by the Board.

Non-Executive Directors
Non-Executive Directors are responsible for giving an independent perspective on the adequacy of risk management arrangements. A Non-Executive Director chairs the Audit and Risk Committee and the Quality Assurance Committee and thereby has oversight of risk arrangements across the organisation and escalates any concerns arising from this to the Trust Board.

Director of Estates & Facilities
Part of the strategy corporate directorate, the Director has responsibility for effective implementation and maintenance of Health and Safety, to meet the Trust's obligations under the Health and Safety at Work (etc) Act 1974, and associated legislation, maintaining the health, safety and welfare of the Trust's employees, patients, visitors, contractors, volunteers and others affected by the Trust's activities.

Director of Internal Audit
Internal Audit is responsible for reviewing and providing assurance on the Trust's internal control, governance and risk management arrangements with particular emphasis on key Trust objectives and responsibilities.
The annual audit programme is risk based and takes account of other assurance providers in determining necessary coverage.

Tier 1 CAG/Corporate Group Directors; Tier 1 Directors of Operations
Directors have overall responsibility for governance and risk management in the CAG/Directorate. The Directors are required to support the Service Lines in developing innovative approaches to patients and patient pathways/systems ensuring risks are understood and managed. Assist the CAG/directorate senior team with the management of operational risks directing the risk management activity of the Heads of Service.

Tier 1 CAG Directors of Nursing and Governance/Corporate Senior Managers
Are responsible for ensuring the local and corporate arrangements for risk management are implemented following the risk management process set out in Section 3 of the Policy. This includes but is not limited to:
- Establishing a regular Forum to review risk registers
- Ensuring the breadth of risk identification is sufficient (e.g. external/internal reviews, incidents, claims and complaints)
- Monitoring risk mitigation plans, with high risks having a monthly review
- Escalating risks to the Management Performance Review
- Escalating risks to the Risk Management Committee
- Undertaking deep dive reviews of their risk register
- Ensuring learning takes place from incidents, claims and complaints and that a tangible reduction in severity is achieved along with, over time, a reduction in incidence
- Preparing a risk management plan covering the above that is used at the local level to inform key personnel

The Director of Human Resources
Responsible for ensuring that a register of Safety Representatives is maintained and available to all staff.

Tier 2: General Managers, Heads of Nursing, Clinical Directors, Senior Managers of corporate directorates (HR, Finance etc)
Have statutory obligations for the management of risk in the workplace including assessments for all work-based activity and to foster a culture of risk awareness throughout the Service. Risk assessment should cover all areas of business activity – operational, financial, clinical, fire, health and safety, emergency planning and business continuity. Risk assessments must include capital funding requirements where appropriate.

Tier 3: Service Managers, Matrons, Clinical Leads
Managers with responsibility for external contracts will comply with Standing Financial Instructions, to ensure contractual arrangements reflect the risk management requirements of the Trust. Have responsibility for risk register activity (risk ownership, mitigation plans, risk updating, escalation) following the risk register process (section 3). To assist Tier 2 in particular to own risk mitigation action plans and to actively promote a culture of risk management within their services. To manage the local risk registers with support from the CAG Governance Team.

CAG Governance Managers
Within CAGs, support the Group Director, Director of Nursing and Governance to deliver the outcomes above. Identify and escalate risks emerging from other aspects of governance work (eg incidents, complaints, Central Alerting System).

Heads of Departments, Ward Sisters, Charge Nurses
- Accept personal accountability for the active implementation of risk assessment and risk management in the ward or department concerned.
- Supporting the maintenance of the local risk register in conjunction with Tier 3 managers and the CAG Governance Team.
- Ensure that documented risk management procedures and systems are in place and adhered to;
- Ensure health and safety issues are a standing item at team and departmental meetings to secure staff commitment to safety by discussion of near miss and unsafe conditions and feedback from incident investigations;
- Ensure attendance of staff at appropriate risk management and mandatory training sessions.

Safety Representatives
These are nominated by Trade Unions and Staff Associations. Representatives must provide notification of their appointment to the Director of Human Resources. Safety Representatives can:
- Monitor the arrangements for staff safety,
- Attend the Health and Safety Committee,
- Investigate potential hazards and dangerous occurrences,
- Examine the causes of accidents,
- Carry out periodic, planned inspections,
- Represent employees in consultations at the workplace with inspectors of the HSE and of any other enforcing authority.

All employees
- Comply with the risk management and health and safety arrangements and policies appropriate to the work task being undertaken.
- Report to their line manager any deficiencies that could impact upon the health, safety and welfare of individuals (patients, staff, contractors, etc.).
- To complete and submit an incident report form in the event of an incident and escalate high risk/harm incidents by the quickest means possible (see the Trust’s Adverse Incident Policy).
- Where necessary, to raise concerns through specific channels (see the Trust’s Whistle Blowing Policy (Raising Concerns in the Workplace)).
- Work within the safety systems and protocols arranged by the Trust, and in accordance with the directions of their manager, including the correct use of personal protective equipment where this has been identified as necessary.
- To participate in mandatory and other training as directed by manager.
- Be aware of their full duties and responsibilities under the HASAW Act, the requirements of their professional body and those of their job plan to work safely, which may be updated and revised from time to time.

Agency, Locum and Bank Staff
- To undertake a local induction and to escalate concern via the staff bank or other office arranging their placement if this is not provided.
- Work within the safety systems and protocols arranged by the Trust, and in accordance with the directions of their manager, including the correct use of personal protective equipment where this has been identified as necessary.
- To participate in risk management activities as directed by the manager responsible for their activity in the Trust.
- To report any safety incidents or escalate any concerns to that manager.

Contractors
Contractors are required to comply with the statutory and contractual arrangements that specify the health, safety and risk management activities that must be observed while working in the Trust. This includes maintaining appropriate communication with the Trust senior manager who is responsible for each Contract.

CORE CORPORATE ROLES/RESPONSIBILITIES

Deputy Chief Nurse Quality and Governance
- Leading and directing risk management activities for the organisation
- Through collaborative working with Directors and Executives ensure the BAF reflects the risks arising from within the organisation
- Leading and directing patient safety activities – care collaborative etc
- Ensuring the organisation has effective governance systems

Associate Chief Nurse
Ensuring risks arising from the Care Quality Collaborative are identified, escalated and mitigated.

Trust Risk Manager
- Lead the development and implementation of the Trust’s Risk Management Policy
- Responsible for maintaining a robust risk register, through collaborative work with the CAGs/Directorates and supporting the Board Assurance Framework
- Establishing and maintaining effective relationships within the organisation to deliver an effective service and develop the capability of the organisation to manage risk

Head of Compliance Unit
- CQC compliance assessment and delivery and identification of risks that threaten compliance.
- Ensuring mitigation plans are in place.

Head of Emergency Planning
- Lead on all aspects of emergency planning
- Continue to develop and refine the organisation’s Business Continuity Plan
- Exercise the organisation both locally and in conjunction with partner agencies to ensure effective responses to a variety of emergency situations

Head of Health and Safety
- Regular monitoring of health, safety and fire compliance throughout the organisation (risk assessments, incident investigations)
- Prepare policies and guidance as required to ensure the organisation has an effective health and safety framework
- Responsible for internally produced fire, H&S guidance (intranet)
- Assist with the implementation of e-learning for fire, health and safety
- Liaise with Enforcement bodies and in particular report incidents as required (HSE, Medicines and Healthcare products Regulatory Agency, London Fire and Emergency Planning Authority, Environment Agency, Police in conjunction with Trust Security Specialist Manager, NHSLA, SHA, NHS Estates Forum, Local Authorities)

Head of Occupational Health Services
- Provide an occupational health service to the organisation that addresses identified occupational health requirements
- Undertake health surveillance
- Managing inoculation injuries

Radiation Protection Advisor
- The RPA is responsible for providing advice to the Trust on radiation safety issues and on compliance with radiation safety legislation.

APPENDIX 4 – RISK MANAGEMENT COMMITTEE TERMS OF REFERENCE

1. Authority
1.1 The Risk Management Committee is constituted as an executive committee reporting to the Audit and Risk Committee.

2. Purpose
2.1 The Risk Management Committee is responsible for ensuring the development and implementation of effective systems and processes for risk management within the Trust and providing assurance to the Audit and Risk Committee that this is the case.

3. Membership and quorum
3.1 The membership of the Risk Management Committee will be as follows:
- Chief Executive (Chair of the Committee)
- Director of Delivery and Improvement
- Medical Director
- Chief Nurse
- Director of Strategy
- Chief Financial Officer
- Director of Academic Health Sciences
- Director of Human Resources
- Chief Information Officer
- Director of Corporate Affairs and Trust Secretary
- Clinical Academic Group (CAG) Directors of Nursing and Governance
- Director of Internal Audit
- Deputy Chief Nurse, Quality and Governance
- Non-Executive Director
- Trust Risk Manager
3.2 In their absence, members should send appropriate deputies. In the case of CAGs, the expectation is that this would be a member of the CAG leadership team.
3.3 A quorum shall be at least five members, with at least two members of the Executive team and two CAG representatives present.
3.4 Others will be invited to attend by the Chair as required for specific items.

4. Secretariat
4.1 The Director of Corporate Affairs will ensure that there is a Secretary to the Committee who provides appropriate support to the Chair and committee members. This shall include agreement of the agenda with the Chair and attendees, collation of papers, taking minutes and keeping a record of matters arising and issues to be carried forward and advising the committee on pertinent areas.

5. Frequency of meetings
5.1 The Risk Management Committee will meet monthly.

6. Reporting and assurance
6.1 The Risk Management Committee will produce an annual report to the Audit and Risk Committee on its activities in relation to its terms of reference. It will provide an exception report to each meeting of the Audit and Risk Committee.

7. Review
7.1 The Risk Management Committee will review its terms of reference at least annually.

8. Responsibilities
8.1 Keep under review the Trust’s policy framework for risk management, at both corporate and CAG levels, reviewing the Risk Management Strategy and Policy annually for approval by the Trust Board.
8.2 Ensure that there are appropriate arrangements in place for risk management training and assessment across the Trust.
8.3 Review risk register entries in line with the agreed work programme, assessing the scoring criteria and consistency and agreeing at which level of the organisation they should be managed. The focus of the Committee’s work will be on scrutinising the actions being taken to mitigate risks (rather than validation of risk scoring, which will primarily be the responsibility of the senior management teams responsible for CAGs and corporate areas).
8.4 Review the Board Assurance Framework at each meeting, ensuring that it reflects the current principal risks to the achievement of the Trust’s annual objectives (and other strategic aims), that appropriate controls and sources of assurance are in place and that actions are being taken to address gaps in control or assurance.
8.5 Review key risk metrics and the full high risk register (risks scoring 15 and above) quarterly, ensuring that risks are being managed effectively at the appropriate level of the organisation and escalated to the Board Assurance Framework where appropriate.
8.6 Review as part of a rolling programme both the risk systems and risk registers of each Clinical Academic Group and corporate directorate, with a focus on the effectiveness of risk management arrangements, those risks scoring 12 or above and those risks with high consequence but low likelihood. The Committee to decide at each meeting which CAG and Corporate department should report at the following meeting.
8.7 Identify requirements for additional information, controls or assurances in relation to key risks and commission the appropriate individuals or groups to provide this.
8.8 Provide risk-based input to the development of Internal Audit, External Audit and Clinical Audit work plans, identifying specific assessment or assurance work required during the development of these work plans or amendments to these that may be required in-year to address gaps in control or assurance.
8.9 Provide risk-based input to the development of the annual capital programme for the Trust, ensuring that appropriate account has been taken of significant risks on the risk register in drawing up the capital programme and that potential capital schemes have been robustly risk assessed and prioritised.
8.10 A work programme will be agreed with the Chair and progress against this monitored by the Risk Management Committee.

Version history:
v1.0 Reviewed by Risk Management Committee: 6 September 2012
v2.0 Reviewed by Risk Management Committee: 9 May 2013
v3.0 Reviewed by Risk Management Committee: 10 July 2014