
http://www.kirklees.nhs.uk/fileadmin/documents/meetings/sep07/PDFs/KPCT-07-160_Risk_Management_Strategy_Sept_07.pdf


Version No: 1 Approved Date: October 2007


RISK MANAGEMENT STRATEGY

Prepared by: Terry Service,

Responsible Area: Corporate

Date Approved:

Approval Information: Committee PCT Board October 2007

Sign

Approved By: Print Name

Version No: 1

Review Date: June 2007

Reference to Standards for Better Health Domain

Domain 6 (care environment and amenities) C20 Domain 3 (Gov) C7a C7c

Core/Development standard NA

Performance indicators

1. Availability of strategy to staff and stakeholders
2. Compliance with NHSLA Risk Management Standard level 1


CONTENTS

1 Introduction
2 Aims
3 The Board’s intent
4 Who this strategy applies to
5 What the PCT must achieve
6 Strategic risks
7 The way we work
8 Accountabilities, responsibilities and organisational framework
9 Systems and processes for managing risk
10 Systems for monitoring the effectiveness of the Strategy
11 Key performance indicators 07/08
12 Implementation, training and support
13 Equality impact assessment
14 Other relevant policies
15 PCT stakeholders
16 Communication with stakeholders
Appendix 1 Definitions
Appendix 2 Operational responsibility for risk management
Appendix 3 Organisational structure for risk management and assurance
Appendix 4 Risk Management Operational Group Terms of Reference
Appendix 5 Governance Committee Terms of Reference
Appendix 6 Audit Committee Terms of Reference
Appendix 7 Risk Grading Tool
Appendix 8 Key Performance Indicators 2007/2008


1. INTRODUCTION

All actions contain inherent risks; risk management is therefore central to the effective running of any organisation. At its simplest, risk management is good management practice. It should not be seen as an end in itself, but as part of an overall management approach. The Board will ensure that decisions made are taken with consideration to the effective management of risks.

2. AIMS

The aims of this Risk Management Strategy are to ensure that:

Risks to patients, staff and the public are managed to the lowest level possible. Throughout this document the term ‘staff’ includes both commissioner and provider services.

Risks of liability claims against the NHS are minimised

The PCT meets the standards applied via the National Health Service Litigation Authority (NHSLA) risk management programme.

Staff are trained to manage risk

The staff, reputation and finances of the PCT are protected through the process of risk identification, assessment, control and elimination.

Strategic risks are identified and incorporated within the Board Assurance Framework and the Statement of Internal Control

3. THE BOARD’S INTENT

The PCT Board is committed to leading the organisation forward to deliver a quality service and achieve excellent results, thereby ensuring that the organisation makes the very best possible use of public funds. The Board intends to use the risk management processes outlined in this Strategy as a means to help achieve these goals.

Definitions of the terms used in this Risk Management Strategy are included in Appendix 1.

The objective of the Risk Management Strategy is to create a culture that encourages staff to:

identify and control risks which may adversely affect the Trust’s operational ability;

ensure that all staff understand that risk management is an integral part of everyone’s role;


compare one risk to another using the grading system explained at Appendix 7;

where possible, eliminate or transfer risks or else reduce them to an acceptable and cost effective level;

otherwise ensure the organisation openly accepts the remaining risks.

A three year rolling implementation plan is in progress as follows:

Year 1 (2006/07) to devise and agree changes to improve the existing systems

Year 2 (2007/08) to implement appropriate changes to the systems as agreed

Year 3 (2008/09) to review progress and identify the effectiveness of the revised systems put in place

4. WHO THIS STRATEGY APPLIES TO

This strategy is intended for use by provider and commissioned staff as well as contractors engaged on PCT work. As noted in section 1, all actions contain inherent risks. Although the key strategic risks are identified and monitored by the PCT Board, operational risks are managed on a day to day basis by staff and managers throughout the Trust. In order that progress in managing all risks can be acknowledged, the PCT Risk Register provides a central record of high level reported risks to the organisation.

5. WHAT THE PCT MUST ACHIEVE

The Board is responsible for driving the PCT forward to achievement of certain organisational objectives which include the achievement of the standards set out by the NHSLA.

The Department of Health (DH) requires the Chief Executive to sign a Statement on Internal Control annually on behalf of the Board. This is a comment on how risks are identified, evaluated and controlled, together with confirmation that the effectiveness of the system of internal control has been reviewed.

To support achievement of the organisational objectives and in order to fulfil its responsibilities, the Board has developed a management system which allows decisions to be taken in a structured and equitable way. This Risk Management Strategy is a key component within that management system. Risks will be identified using a common tool with strategic risks linked to the Board Assurance Framework.


6. STRATEGIC RISKS

Strategic risks to the organisation are identified by the Board via the PCT Directors. These strategic risks are considered by the Board who agree action to be taken. These action plans are recorded in more detail on the PCT Risk Register and performance management systems and an up to date position is provided in regular reports to the Governance Committee by the Director of Corporate Services.

The PCT Risk Register also records information in relation to other risks confronting the organisation. When these are significant (assessed as ’high’ when measured against the grading tool at Appendix 7), they will also be reported to the Governance Committee for the approval of ongoing action on a quarterly basis.

7. THE WAY WE WORK

All members of staff have an important role to play in identifying, assessing and managing risk. To support staff in this role the PCT provides a fair, consistent environment which encourages a culture of openness and willingness to admit mistakes. All staff are encouraged to report any situation where things have, or could have, gone wrong. Balanced in this approach is the need for the PCT to provide information, counselling and support, and training for staff in response to any such situation.

At the heart of this strategy is the desire to learn from events and situations in order to continuously improve management processes. Where necessary, changes will be made to the Trust’s systems to enable this to happen.

The PCT recognises that most incidents occur as a result of the accumulation of a number of factors and events all conspiring together. Staff should be encouraged to report incidents without fear of disciplinary action in a culture of learning so that quality infuses into all aspects of the Trust’s work.

Fear of disciplinary action may deter staff from reporting an incident. The view of the PCT is that disciplinary action will normally not form part of the response to an incident, except in cases where:

In the view of the Trust, and/or any professional registration body, the actions causing the incident/arising from the incident were far removed from acceptable practice.

Where there is failure to report an incident in which the member of staff was either involved or about which they were aware.

illegally - against the law; or


Should disciplinary action be appropriate, this will be made clear as soon as the possibility emerges. The investigation would then be modified to take account of personnel policies with advice from the Director of Human Resources as appropriate.

8. ACCOUNTABILITIES, RESPONSIBILITIES AND ORGANISATIONAL FRAMEWORK

Accountabilities and Responsibilities

The Chief Executive has overall accountability and responsibility for risk management within the Trust. The Chief Executive has delegated responsibility for implementation of risk management as outlined in Appendix 2.

Organisational structure

An organisational structure, to help manage this delegated responsibility for implementing risk management systems within the Trust, is illustrated and explained in Appendix 3. The Terms of Reference for the Committees which contribute to the assurance process are included as Appendix 4 – Risk Management Operational Group, Appendix 5 – Governance Committee and Appendix 6 – Audit Committee. This organisational structure is reviewed annually alongside this Strategy.

Assurance framework

This organisational structure is supported by the Board Assurance Framework. Through this Framework the PCT Board gains assurance from others that risks are being appropriately managed throughout the organisation. The Framework is built around the organisation’s Risk Register. The process for creating and maintaining the PCT Risk Register is described in the Policy for the Management of the PCT Risk Register.

9. SYSTEMS AND PROCESSES FOR MANAGING RISK

The PCT operates major systems to facilitate the management of risk throughout the organisation. These are each described in detail in the following policy documents:

Incident Reporting and Investigation Policy

Policy for the Management of the Risk Register

Both systems use the same risk grading process to assess risks in terms of frequency and severity of outcome. This is described fully in Appendix 7. The systems are supported by a Serious Untoward Incident Policy which includes detailed methodology and guidance in conducting investigations.


10. SYSTEMS FOR MONITORING THE EFFECTIVENESS OF THE STRATEGY

The Risk Management Operational Group is responsible for collating all available information related to risk and for producing a report to the Governance Committee. In order to effectively separate the role of Commissioner and Provider the agenda for this committee will be structured on a Commissioner and Provider basis. This report will be completed in the first quarter following the end of the financial year and will be measured against key performance indicators in order to develop future strategies.

11. KEY PERFORMANCE INDICATORS

The KPIs for risk management in 2007/2008 are listed in Appendix 8. The Risk Management Operational Group will monitor achievement against these indicators on an ongoing basis.

12. IMPLEMENTATION, TRAINING AND SUPPORT

The effective implementation of this Risk Management Strategy will facilitate the delivery of a quality service and, alongside staff training and support, will provide an improved awareness of the measures needed to prevent, control and contain risk.

The PCT will:

ensure all staff and stakeholders have access to a copy of this Risk Management Strategy;

produce a register of risk across the PCT which will be subject to regular review by the Governance Committee;

communicate to staff any action to be taken in respect of risk issues;

develop policies, procedures and guidelines based on the results of assessments and all identified risks to assist in the implementation of this Strategy;

ensure that training programmes raise and sustain awareness throughout the PCT of the importance of identifying and managing risk;

ensure that staff have the knowledge, skills, support and access to expert advice necessary to implement the policies, procedures and guidelines associated with this Strategy; and

monitor and review the performance of the PCT in relation to the management of risk and the continuing suitability and effectiveness of the systems and processes in place to manage risk.


13. EQUALITY IMPACT ASSESSMENT

As part of its development, this policy and its impact on equality have been reviewed in consultation with trade union and other employee representatives in line with the Trust’s Equality Scheme and Equal Opportunities Policy and no detriment was identified. The purpose of the assessment is to minimise and if possible remove any disproportionate impact on employees on the grounds of race, sex, disability, age, sexual orientation or religious belief.

14. OTHER RELEVANT POLICIES

All documents in the NHSLA Policies and Procedures Register are relevant, in particular:

Health & Safety Policy

Incident Reporting and Investigation Policy

Policy for the Management of the PCT Risk Register

Complaints and Claims Policy

Whistleblowing Policy

Disciplinary Policy, Procedure and Rules

15. PCT STAKEHOLDERS

Key stakeholders include:

Staff (directly employed and agency)

Service users (via Trust website)

Contractors

Department of Health

Strategic Health Authorities

Member NHS organisations

Private sector providers of NHS care where commissioned by the PCT

Professional Executive Committee

Public (via PCT website)

16. COMMUNICATION WITH STAKEHOLDERS

Systems of communication with stakeholders that contribute to minimising risk are in place. These systems include the PCT website (www.kirklees-pct.nhs.uk), regular meetings, a patient satisfaction survey, publications, and the Public Board Meetings.


Communication with staff is particularly important and is mainly effected via line management at team meetings. Any urgent or particularly important messages are communicated by email. This Risk Management Strategy is available to all staff via the PCT intranet and to other stakeholders on the PCT website. The introduction of new or significantly revised risk management policies is supported by appropriate staff training.


APPENDIX 1 DEFINITIONS

(Adapted from the Australian/New Zealand standard AS/NZS 4360:1999.)

Risk is the chance that something will happen that will have an impact on achievement of the PCT’s aims and objectives. It is measured in terms of likelihood (frequency or probability of the risk occurring) and severity (impact or magnitude of the effect of the risk occurring). See Appendix 7.

Risk Management is “the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects”.

The risk management process is “the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk”. It is described in the following diagram:

Risk Management Overview from AS/NZS 4360:1999

[Diagram: Establish Context; Identify Risks; Analyse Risks; Evaluate and Rank Risks; Treat Risks; Assess Risks; Communication and Consultation; Monitor and Review]

Significant Risks are those which, when measured according to the risk grading tool at Appendix 7, are assessed to be ’High’. The Governance Committee will monitor and performance manage significant risks via regular reports and the risk register.


APPENDIX 2

OPERATIONAL RESPONSIBILITY FOR RISK MANAGEMENT

Chief Executive

The Chief Executive is personally involved in the management of complaints and claims against the Trust. Operationally, the Chief Executive has delegated responsibility for risk management as outlined below.

Director of Corporate Services

The Director of Corporate Services is the Director designated as the accountable and responsible officer for implementing the system of internal control, including this Risk Management Strategy. This responsibility extends to co-ordinating resources based reviews of the PCT by internal audit and external agencies and action taken as a result.

The Assistant Director of Risk, Safety and Security

The Assistant Director of Risk, Safety and Security is responsible for advising on and co-ordinating risk management activities within the Trust. In particular, the Assistant Director of Risk, Safety and Security is responsible for co-ordinating all other (i.e. non financial) risk based reviews of the PCT by external agencies and action taken as a result. The Assistant Director of Risk, Safety and Security is also responsible for ensuring that appropriate reports are created from the Risk Register, events and risk management training databases and that these are presented to the Risk Management Operational Group. The Assistant Director of Risk, Safety and Security is supported by the Health and Safety Manager and other key staff within the Risk Management Team.

Health & Safety Manager

The PCT will appoint suitable competent person/s to ensure compliance with all relevant legal obligations under Health & Safety legislation. Where necessary such competent person/s will be sourced from external service providers.

Managers

All managers within the PCT are accountable for the day-to-day management of risks of all types within their area of responsibility. They are charged with ensuring that risk assessments are undertaken throughout their area of responsibility on a pro-active basis and that preventive action is carried out where necessary. They are also responsible for seeking advice about implementation of risk reduction plans from the Risk Management Team.

Line Managers

Line managers are responsible for setting objectives, relevant to Board objectives, for their own staff, and monitoring staff achievement against them.

Health & Safety Representatives

Health & Safety Representatives have responsibility for supporting Managers and Line Managers (who are responsible for the day-to-day management of the health and safety programme in accordance with legislative requirements) in respect of health and safety matters within their area/floor.


All Staff

Management of risks is a fundamental duty of all staff whatever their grade, role or status. All staff must follow all the PCT policies and procedures which explain how this duty is to be undertaken. In particular, all staff must ensure that identified risks and incidents are dealt with swiftly and effectively, reported to their immediate line manager and, if appropriate, the PCT Health & Safety lead, in order that further action may be taken where necessary. All such issues must also be reported to the Risk Management Team under the Incident Reporting and Investigation Policy. All staff are accountable for achievement against agreed personal objectives which contribute to organisational objectives.

Contractors

Specific risks identified by the PCT will be shared with any other relevant Directorates and contractors working in partnership with the Trust. Likewise, the PCT expects that any relevant risks identified by stakeholders and contractors will be shared with the Trust.

Provider Board

It is accepted that as the development of the Commissioner/Provider role progresses through the NHS and the PCT some roles and responsibilities will need to reflect these changes. Any changes will be reported and agreed through the PCT Governance Committee before they are implemented.


APPENDIX 3

ORGANISATIONAL STRUCTURE FOR RISK MANAGEMENT AND ASSURANCE

Board

The Board is accountable and responsible for ensuring that the PCT has an effective programme for managing all types of risk which is achieved via the Assurance Framework. The Board is chaired by a non-executive director and meets monthly. In order to verify that risks are being managed appropriately and that the organisation can deliver its objectives, the Board receives and considers reports from the Audit Committee and minutes from the Governance Committee. In particular, the Governance Committee considers risk reduction plans and monitors progress on action plans on all significant risks on at least a quarterly basis.

Governance Committee

Operational implications of strategic decisions for all areas of the organisation are discussed, and action is agreed at the meetings of the Governance Committee. Much of the discussion involves weighing up risks and benefits of certain courses of action. The outcomes of these discussions, including identification of actions, are captured in the minutes of the meetings.

Risk Management Operational Group

The Risk Management Operational Group monitors all areas of non financial risk management so that it can assure the Governance Committee and ultimately the Board that risks are being managed according to organisational policies and procedures. The Group is responsible for reporting risks from the PCT Risk Register to the Governance Committee. It is also responsible for monitoring the implementation of certain allocated treatment plans and reporting progress to the Governance Committee. The Risk Management Operational Group ensures that Key Performance Indicators (KPIs) are set and monitored in relation to risk. The Assistant Director of Risk, Safety and Security chairs the Committee. It meets at least four times every year and reports directly to the Governance Committee on a quarterly basis. The Terms of Reference for the Risk Management Operational Group are attached at Appendix 4.

[Organisational structure diagram, labels: Audit Committee; Risk Management Operational Group; Governance Committee; Board; Assurance; Management; Senior Management Team]

Audit Committee

The Audit Committee is chaired by a non-executive director. It meets at least 4 times a year and reports directly to the Board. It ensures that an effective system of internal control for all risks is maintained. The Committee may review the results of audit work completed on the Trust’s risk management system and performance. The Committee will also agree an annual audit plan with reference to the PCT Risk Register. The Terms of Reference for the Audit Committee are attached at Appendix 6.


APPENDIX 4

Risk Management Operational Group Terms of Reference

1. Purpose of the Committee

The Risk Management Operational Group will oversee the PCT’s programme of organisational risk management, in accordance with current Department of Health requirements. The programme will be approved and monitored by the Governance Committee.

The Risk Management Operational Group is responsible for ensuring effective systems are in place to manage risks, which may lead to harm, loss or damage to reputation. It prioritises work on organisational risk and co-ordinates work on the organisational elements in the Standards for Better Health and the Risk Register.

In order to assist in the development and management of the Commissioner/Provider Role the Risk Management Operational Group agenda will be separated to reflect the different roles and responsibilities.

The remit includes the review and the management of risk from a number of activities including:

1. Risks in commissioning services from other organisations and potential failures in those organisations.

2. Risks where working in partnership with Social Services, Voluntary Agencies and Independent providers of care

3. Risks where the PCT is directly managing systems in relation to General Medical Services (GMS) e.g. security and IT.

4. Risks in Provider or managed community services.

5. Risks in the work of relevant independent contractors – GPs, opticians, pharmacists, and dentists.

There is a distinction between the PCT's responsibility for employed staff where the PCT has direct liability, and its responsibility towards commissioned care, where GPs and other primary care providers have direct liability as independent contractors – e.g. employment law and health and safety. The Risk Management Operational Group defines its approach to risk management in primary care as follows:

1. To actively engage with general practice, Provider Services and primary care independent contractors to support good practice in risk management i.e. offer support, help to develop.

2. To ensure that where PCT staff are working in primary care premises, the same processes of identifying and addressing possible risks to them apply as would in PCT directly provided areas.

3. To ensure that the PCT's risk management work covers the other new areas inherent in being a PCT, e.g. risks from holding contracts for the delivery of health services from other providers.

2. Objectives

1. To ensure systems are in place to identify, quantify, prioritise and plan action on risks which may lead to harm, loss or damage to reputation. This will include establishing formal links with other relevant committees.

2. To prioritise work on risks within its remit, and compile and update a risk register.

3. To oversee and co-ordinate work on the organisational elements in the Standards for Better Health.

4. To ensure that means are developed to record and analyse incidents, claims and near misses to enable trends to be identified and preventative measures targeted. To link with other groups in order to obtain that trend information.

5. To develop and subsequently review a risk strategy and policy for approval by the PCT Board.

6. To ensure that risk management training and awareness programmes, and an approach to the systematic involvement of staff in risk identification and management are developed and implemented.

7. To promote and support risk management work amongst all the areas of primary care, including incident reporting and dissemination of lessons learned.

8. To ensure the development of the ability to quantify the cost of risk.

9. To be up-to-date on developments in the field of Risk Management in the public sector.

10. To develop and maintain appropriate links at local and regional level.

11. To take an annual report to the Governance Committee.

12. To define key indicators to enable the PCT to measure the successful implementation of the Risk Management Strategy.

13. To manage Key performance programmes including NHSLA Risk Management Standards.

3. Membership of the Risk Management Operational Group

The Risk Management Operational Group membership must include key staff who can advise on the complexity of risks being managed and therefore must include a wide remit of staff.

Members

1. PCT Risk Management Lead.
2. Clinical Governance Lead.
3. Provider Services representatives (Provider Section of meeting).
4. Commissioning representative
5. Senior Infection Control Nurse
6. Pharmaceutical Advisor
7. Health and Safety Advisor
8. Representative from Training and Education Group
9. Specialist by invite

4. In Attendance (co-opted staff)

Other officers may be co-opted at the Group’s discretion or lead officers, or other bodies, be invited to attend for specific items under consideration by the Group.

5. Quorate

The Group is quorate when five members are present.

6. Frequency of Meetings

The Group will meet quarterly. The Chair will convene additional meetings if required for emergency items.

7. Support for the Committee

The Group will be supported through normal administration programmes within the PCT

8. Reporting arrangements

The Risk Management Operational Group will provide minutes to the Governance meeting and circulation to all related committees with a remit for risk management.

9. Level of Financial Authority/Decision making.

The Risk Management Operational Group is an advisory Committee and therefore has no financial authority.

The committee has authority to take action to resolve any immediate patient safety risk and can seek relevant authority when required for any risk issues that are not immediate.

10. Accountability and reporting

The Board has overall responsibility for the management of risk, and for monitoring the work of the Committees with responsibility for risk management, i.e.:

1. The Governance Committee for verifying the overall system for risk management.

2. Clinical Governance Operational Group for managing organisational risk related to systems and processes.

3. The Risk Management Operational Group for organisational and operational risk.

4. The Infection Control Committee for managing any risks related to infection control.

Links to the related Committees dealing with other dimensions of risk are essential, and will be achieved by common membership of Committees.

11. Reporting arrangements for sub groups

A number of committees, working groups, managers and PCT Advisors will be responsible for reporting risk areas or concerns to the Risk Management Operational Group and these are detailed in the Risk Management Strategy.

12. Conduct of Business

The Risk Management Operational Group will conduct business in line with all PCT policies.

13. Review Date

The Risk Management Operational Group TOR will be reviewed bi annually within the context of the Risk Management Strategy.


APPENDIX 5

KIRKLEES PCT.

Governance Committee Terms of Reference.

1. BACKGROUND

The prime governance tasks for a PCT are the effective management of risk, ensuring the provision of quality services, and the effective stewardship of public funds in providing those services. ‘Risk’ should be considered holistically to include:

Financial
Business
Operational
Clinical
Litigation

In addition, the PCT is required to ensure probity when commissioning services from its provider arm.

2. PURPOSE OF THE GOVERNANCE COMMITTEE.

The Trust Board has delegated authority to the Governance Committee to ensure on its behalf that appropriate systems and processes are in place to achieve and maintain the highest standards of governance and public accountability across the whole spectrum of the PCT’s work. The Board Assurance framework will be used as a tool for monitoring progress. The Governance Group will assure Trust Board that the level of acceptable risk (as determined by Trust Board) is managed as far as reasonably practicable. This will be achieved by working to deliver the following key objectives:

3. OBJECTIVES

To design a robust system for management of the Board Assurance Framework and review that this is working effectively.

To review, challenge and prioritise issues that are important regarding the management of risk within the PCT’s internal and external environments.

Monitor compliance against the Standards for Better Health, NHSLA Risk Management Standards and Information Governance Toolkit standards and report any exceptions to the Trust Board

To own the PCT’s Risk Management and Clinical Governance strategies and ensure that their contents meet national standards and are complimentary.

To give direction in the development of polices procedures and audit across all of the PCT’s activities and to ratify those policies that Trust Board has delegated authority to the committee to do so.


To work with senior management to ensure that these strategies and policies are embedded in the daily work of the PCT.

To set key performance indicators for the management of risk and improvement of quality and monitor progress against these indicators.

To ensure that the Practice Based Commissioning practices and consortia have implemented robust corporate and clinical governance arrangements that meet national targets.

To approve clinical governance aspects of business cases submitted to the PCT from practices within practice based commissioning arrangements.

To ensure that service providers in contract with the PCT, including the primary care provider arm, have effective systems of corporate and clinical governance that meet national targets.

To ensure that agents commissioning on behalf of the PCT have in place effective corporate and clinical governance arrangements.

To receive and consider the following reports:

incident trends, health and safety, security on a quarterly basis
significant incidents ad hoc and annually
the risk register on a quarterly basis
activity, manpower and finance
legal claims, insurance matters ad hoc and annually
complaints and PALs contacts on a quarterly basis
clinical and corporate governance reports regarding commissioned and provided services on a quarterly basis
research governance & information governance on a quarterly basis

To receive and consider the minutes of the sub-committees listed in Section 10.

To respond appropriately to matters referred to the committee by the Board and Professional Executive Committee.

4. ORGANISATION OF THE AGENDA & REPORTS

In order to ensure transparency of probity and management of risk by the separate Provider and Commissioner arms of the PCT, the meeting will be divided into two distinct parts. The agenda will be drawn up in such a way that matters pertinent to the Commissioning arm are considered at the start of the meeting and matters pertinent to the Provider arm will be considered at the end of the meeting. This will enable members of the committee to attend only for the relevant part of the meeting.


5. MEMBERSHIP

Commissioning Agenda:

Chief Executive (Chair)
NED
PEC Risk Management lead
PEC Clinical Governance lead
Director of Corporate Affairs
Director of Finance
Medical Director
Internal Auditor
Head of Risk Management
Head of Clinical Governance

Provider Agenda:

As for commissioning agenda plus Director of Provider Services

In attendance as appropriate:

Director of Commissioning Strategic Development
Director of Patient Care & Professions
Director of Performance & Information
Director of Public Health
Complaints manager
H&S Risk Manager
HR Senior Manager
Head of PDT
Pharmacy lead
External advisors
Head of Estates

The minutes and agenda will be circulated for information to the non-core members, who will be requested to attend according to the subject matter of the agenda.

6. QUORUM

The separate halves of the meeting will be quorate on the attendance of one third of the membership which must include the Chair (or their deputy).

NB: If a member is unable to attend a meeting, their deputy should attend on their behalf.

7. FREQUENCY OF MEETINGS

Meetings of the Governance Committee will normally be on a six weekly cycle; there will be a minimum of 7 meetings per year. The Chief Executive may request additional meetings to address specific items.

8. SUPPORT TO THE COMMITTEE

The committee will be supported by the Trust Board Secretary.

9. REPORTING

1. This committee is a sub-committee of the Trust Board and hence directly accountable to the Trust Board. The minutes of each meeting to be presented to the Trust Board for receipt and discussion as appropriate.

2. The minutes and a bullet pointed highlight report to be presented to the Audit Committee.


3. Annual Risk Management and Clinical Governance reports will be presented to the Trust Board. This report will be compliant with the criteria contained within the NHSLA Risk Management standards and other external audits as required.

4. Relevant articles will be produced for PCT newsletter and the Team Brief. These will also be posted on the internet / intranet.

10. SUB-COMMITTEES

Operational Risk Management group
Infection Control Committee
Clinical Audit group
Operational Clinical Governance Group
Supporting Primary Care Practitioners Advisory Group
Information Governance
Accreditation panel for new services

11. CONDUCT OF BUSINESS

Agendas and papers will be circulated to committee members at least 7 calendar days before the meeting.

Minutes of the meeting will be circulated no later than 14 calendar days after the meeting.

This Committee will observe the requirements of the Freedom of Information Act 2000, which allows a general right of access to recorded information held by the PCT, including minutes of meetings, subject to specified exemptions.

This committee will operate in accordance with the PCT’s guidance for Chairs and Minute Takers.

All members must declare any conflict of interest they may have regarding an agenda item at the start of the meeting.

12. REVIEW DATE

These Terms of Reference will be reviewed on an annual basis.

Approved by Trust Board 25th October 2006

Review Date October 2007


APPENDIX 6

AUDIT COMMITTEE TERMS OF REFERENCE

Constitution

The Board hereby resolves to establish a Committee of the Board to be known as the Audit Committee (The Committee). The Committee is a non-executive Committee of the Board and has no executive powers, other than those specifically delegated in these Terms of Reference.

Membership

The Committee shall be appointed by the Board from amongst the Non-Executive Directors of the PCT and shall consist of not less than three members. A quorum shall be two members. The Board will appoint one of the members Chair of the Committee. The Chairman of the PCT shall not be a member of the Committee.

Attendance

The Director of Finance and appropriate Internal and External Audit representatives shall normally attend meetings. However at least once a year the Committee should meet privately with the External and Internal Auditors. The Chief Executive and other executive Directors should be invited to attend, but particularly when the Committee is discussing areas of risk or operation that are the responsibility of that Director. The Chief Executive should be invited to attend, at least annually, to discuss with the Audit Committee the process for assurance that supports the Statement on Internal Control. The Trust Secretary, or whoever covers these duties, shall be Secretary to the Committee and shall attend to take minutes of the meeting and provide appropriate support to the Chairman and Committee members.

Frequency

Meetings shall be held not less than three times a year. The Director of Finance, the External Auditor or Head of Internal Audit may request a meeting if they consider that one is necessary.

Authority

The Committee is authorised by the Board to investigate any activity within its terms of reference. It is authorised to seek any information it requires from any employee and all employees are directed to co-operate with any request made by the Committee.

The Committee is authorised by the Board to obtain outside legal or other independent professional advice and to secure the attendance of outsiders with relevant experience and expertise if it considers this necessary.


Duties

The duties of the Committee can be categorised as follows:

Governance, Risk Management and Internal Control

The Committee shall review the establishment and maintenance of an effective system of integrated governance, risk management and Internal control, across the whole of the organisation’s activities (both clinical and non-clinical) that supports the achievement of the organisation’s objectives. In particular, the Committee will review the adequacy of:

All risk and control related disclosure statements (in particular the statement on Internal control and declaration of compliance with the Standards for Better Health), together with any accompanying Head of Internal Audit statement, External Audit opinion or other appropriate independent assurances, prior to endorsement by the Board

The underlying assurance processes that indicate the degree of the achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure statements

The policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements

The policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the Counter Fraud and Security Management Service

In carrying out this work the Committee will primarily utilise the work of Internal Audit, External Audit and other assurance functions, but will not be limited to these Audit functions. It will also seek reports and assurances from Directors and Managers as appropriate, concentrating on the overarching systems of integrated governance, risk management and Internal control, together with indicators of their effectiveness. This will be evidenced through the Committee’s use of an effective Assurance Framework to guide its work and that of the Audit and assurance functions that report to it.

Internal Audit

The Committee shall ensure that there is an effective Internal Audit function established by management that meets mandatory NHS Internal Audit Standards and provides appropriate independent assurance to the Audit Committee, Chief Executive and Board. This will be achieved by:

Consideration of the provision of the Internal Audit Service, the cost of the Audit and any questions of resignation and dismissal


Review and approval of the Internal Audit strategy, operational plan and more detailed programme of work, ensuring that this is consistent with the Audit needs of the organisation as identified in the Assurance Framework

Consideration of the major findings of Internal Audit work (and management’s response), and ensure co-ordination between the Internal and External Auditors to optimise Audit resources

Ensuring that the Internal Audit function is adequately resourced and has appropriate standing within the organisation

Annual review of the effectiveness of Internal Audit

External Audit

The Committee shall review the work and findings of the External Auditor appointed by the Audit Commission and consider the implications and management’s responses to their work. This will be achieved by:

Consideration of the appointment and performance of the External Auditor, as far as the Audit Commission’s rules permit.

Discussion and agreement with the External Auditor, before the Audit commences, of the nature and scope of the Audit as set out in the Annual Plan, and ensure co-ordination, as appropriate, with other External Auditors in the local health economy.

Discussion with the External Auditors of their local evaluation of Audit risks and assessment of the PCT and associated impact on the Audit fee.

Review all External Audit reports, including agreement of the annual Audit letter before submission to the Board and any work carried outside the annual Audit plan, together with the appropriateness of management responses.

Other Assurance Functions

The Audit Committee shall review the findings of other significant assurance functions, both Internal and External to the organisation, and consider the implications for the governance of the organisation. These will include, but will not be limited to, any reviews by Department of Health Arms Length Bodies or Regulators/Inspectors (e.g. Healthcare Commission, NHS Litigation Authority, etc), professional bodies with responsibility for the performance of staff or functions (e.g. Royal Colleges, accreditation bodies, etc). In addition, the Committee will review the work of other Committees within the organisation, whose work can provide relevant assurance to the Audit Committee’s own scope of work. This will particularly include the Clinical Governance Committee and any Risk Management Committees that are established. In reviewing the work of the Clinical Governance Committee, and issues around clinical risk management, the Audit Committee will wish to satisfy themselves on the assurance that can be gained from the clinical Audit function.

Management

The Committee shall request and review reports and positive assurances from Directors and Managers on the overall arrangements for governance, risk management and Internal control. They may also request specific reports from individual functions within the organisation (e.g. clinical Audit), as they may be appropriate to the overall arrangements.

Financial Reporting

The Audit Committee shall review the Annual Report and Financial Statements before submission to the Board, focusing particularly on:

The wording in the Statement on Internal control and other disclosures relevant to the Terms of Reference of the Committee.

Changes in, and compliance with, accounting policies and practices

Unadjusted misstatements in the financial statements

Major judgemental areas

Significant adjustments resulting from the Audit.

The Committee should also ensure that the systems for financial reporting to the Board, including those of budgetary control, are subject to review as to completeness and accuracy of the information provided to the Board.

Reporting

The minutes of Audit Committee meetings shall be formally recorded by the Trust Secretary and submitted to the Board. The Chair of Committee shall draw to the attention of the Board any issues that require disclosure to the full Board, or require executive action. The Committee will report to the Board annually on its work in support of the Statement on Internal control, specifically commenting on the fitness for purpose of the Assurance Framework, the completeness and embedment of risk management in the organisation, the integration of governance arrangements and the appropriateness of the self-assessment against the Standards for Better Health.


Other Matters

The Committee shall be supported administratively by the Trust Secretary, whose duties in this respect will include:

Agreement of agenda with Chairman and attendees and collation of papers

Taking minutes and keeping a record of matters arising and issues to be carried forward

Advising the Committee on pertinent areas


APPENDIX 7

RISK GRADING TOOL

The same grading tool is used by the PCT for all risk processes (risk assessment, Risk Register, and incident reporting assessment). Risks are measured according to the following formula:

Likelihood x Severity = Risk

Likelihood

Risks are first judged on the likelihood of the risk being realised. For example, how likely is it that the PCT will be found in breach of a duty of care in a particular legal case? The following categories are available for grading:

| Likelihood rating | Descriptor |
|---|---|
| 5 | Certain: this type of event will happen frequently |
| 4 | Highly Likely: this type of event will happen, but is not a persistent concern |
| 3 | Likely: this type of event may well happen (e.g. 50/50 chance) |
| 2 | Unlikely: unlikely that this type of event will happen |
| 1 | Rare: cannot predict that an event of this type will occur in the foreseeable future |

Severity

Situations are then judged to evaluate, if the risk were to be realised, what the outcome is most likely to be. The following categories are available for grading:

| Descriptor | Impact (actual or potential) |
|---|---|
| Catastrophic | death or significant permanent disability; organisation unable to function; very high financial implications (>£1million); e.g. large scale fraudulent claims management, international adverse publicity, bomb threat, anything untoward that involves >50 people |
| Severe | serious injury (emotional, psychological or physical), ill health, damage, or loss of function possibly with prolonged disability; serious disruption to the organisation; high financial implications (>£500K); e.g. large section of roof falling in, national adverse publicity, computer network failure >3 working days, prolonged time off work (>15 days), theft of claim file |
| Moderate | some injury (emotional, psychological or physical), ill health, damage, or loss of function likely to resolve within one year; disruption to organisation could be managed; moderate financial implications (>£50K); e.g. RIDDOR reportable injury, local adverse publicity, missing claim file |
| Low | mild injury (will probably resolve in less than 1 month); the impact would threaten the efficiency of some aspects of the organisation; some financial implications; e.g. absence from work <3 days, incorrectly filed documents |
| No Harm | no injury or identifiable damage; no disruption to service or the organisation; financial implications are negligible; e.g. tripping, file falling & hitting someone, spills of non hazardous liquids |

Risk

Based on the above judgements, a risk assessment can be made of the potential future risk to stakeholders and the organisation as follows:

Most likely Impact/Consequences (columns) against Likelihood of occurrence/recurrence (rows):

| Likelihood of occurrence/recurrence | None (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost certain (5) | 5 | 10 | 15 | 20 | 25 |
| Likely (4) | 4 | 8 | 12 | 16 | 20 |
| Possible (3) | 3 | 6 | 9 | 12 | 15 |
| Unlikely (2) | 2 | 4 | 6 | 8 | 10 |
| Rare (1) | 1 | 2 | 3 | 4 | 5 |

Classification of Incident: Very Low, Low, Moderate, High

Risk Treatment

Risks to the PCT can be:

Accepted: very low and low risks can be accepted as requiring no further action. On reviewing this type of risk it may, however, be decided that some cost effective action would reduce the risk still further. Action on this risk is a lower priority.

Transferred: the PCT is a member of the Liabilities to Third Parties and Property Expenses risk pooling schemes run by the NHSLA. This membership transfers some financial risk to these risk pooling schemes.

Managed: in many cases action can be taken to change the way activities are carried out in order to reduce the risk identified. The PCT is committed to using a systematic/holistic approach to risk management.


Avoided: in some cases risk cannot be accepted, transferred or managed. Then the Board may decide a particular risk should be avoided altogether. This may involve ceasing the activity giving rise to the risk.

Where risk treatment plans require significant additional funding, or changes to the working pattern of the Trust, these decisions will be made by the Governance Committee or in the case of strategic risks, by the Board. Decisions with less significant implications will be taken by the Director of Corporate Services.

Further Action Required Based on the Risk Grading

Very Low and Low risks

Most risks will be graded into these less serious categories and can normally be managed through local action by line managers. Staff should be encouraged to fill in an Incident Report Form to record any unforeseen events in order that a trend analysis can be carried out.

| Risk | Further Action | By Whom |
|---|---|---|
| Very Low | Acceptable Risk. Inform all appropriate stakeholders; Take action to reduce risk where necessary and within authority; Maintain paper records | All staff |
| Low | Acceptable Risk. As above plus: Discuss whether any further action should be taken to reduce future risk; Report to Risk Management as per Incident Reporting Policy | Team Leaders |

Moderate risks

Of the rest, most risks will fall to be addressed by a senior manager within the PCT supported, if required, by a member of the Risk Management Team. For this type of risk an option appraisal needs to be carried out to identify the most appropriate way of dealing with the risk. This will be reported to the Risk Management Operational Group.

| Risk | Further Action | By Whom |
|---|---|---|
| Moderate | Unacceptable Risk. As above plus: Report to the Risk Management Operational Group identifying treatment options; regular reports to Governance Committee monitoring progress on treatment action plans | Senior Managers |


High risks

These risks are also known as significant risks to the Trust. A systems approach will be used to identify root causes of the risk and thereby help choose an appropriate risk treatment plan. In addition to the strategic risks, all other high risks will be recorded in the Risk Register and reported quarterly to the Governance Committee which will approve treatment plans and monitor progress.

| Risk | Further Action | By Whom |
|---|---|---|
| High | Significant Risk. As above plus: Report to Board identifying treatment options; Quarterly report to the Board monitoring progress on treatment action plans | Risk Management Operational Group |


APPENDIX 8

KEY PERFORMANCE INDICATORS 2007/2008

| Target | Key Performance Indicator |
|---|---|
| Ensure that Risk management Strategy is agreed and available for all staff and service users | Board minutes; Website |
| Demonstrate compliance with Level 1 of the NHSLA Risk Management Standards | Level 1 achieved by 31 December 2007 |