Risk Management Framework 2018-2021 Version 10 (May 2018)


Contents

1. Introduction

2. Purpose

3. Roles and Responsibilities

3.1 – Board of Directors

3.2 – Audit Committee

3.3 – Finance, Performance & Informatics/Quality Committee/Mental Health Legislation Committee

3.4 – Care Group Team Management Meetings

3.5 – Directorate/Care Group Team Management

3.6 – Executive Management Team

3.7 – Chief Executive

3.8 – Non-Executive Directors

3.9 – Director of Corporate Assurance/Board Secretary

3.10 – Risk and Assurance Officer

3.11 – Risk Leads

3.12 – Project Manager

3.13 – Managers

3.14 – Staff

4. Training

5. Levels of Risk

6. Risk Management Process Overview

Appendices

A Definitions

B Management of Risk Process

C Board Assurance Framework

D Monitoring and Reporting Arrangements


1. Introduction

Rotherham, Doncaster and South Humber NHS Foundation Trust (RDASH) acknowledges that the services it provides carry risks. The identification and recognition of these risks, together with proactive management and mitigation, is essential for the efficient and effective delivery of safe and high quality care for patients and staff. The Trust is committed to working with staff to make risk management a core organisational process that is an integral part of the Trust’s activities. The benefits of managing risk include:

Supports the safe delivery of care to our patients

Supports the achievement of Trust objectives

Avoids or mitigates the impact of failure

Supports the cost efficiency and value for money

Compliance with legal and regulatory frameworks

Management of external impacts and changes

Exploits opportunities encouraging innovation.

The Risk Management Framework is supported by the Trust’s suite of policies as listed on the RDaSH website. There is a strong link to a range of policies including:

Clinical Risk Assessment and Management

Incident Reporting Policy

Serious Incident Management Policy

The Handling of Formal Complaints Policy

Suite of Health & Safety policies

Claims Management policy

Standing Financial Instructions

In addition to the above procedural documents, the leaflet ‘Identifying and Managing Operational Risk’ should also be read in conjunction with this framework.

2. Purpose

The purpose of the framework is to define the management of risks within the Trust to all staff and to set out the respective responsibilities for strategic and operational risk management from ‘Board to ward’.

3. Roles and Responsibilities

3.1 Board of Directors

The Board of Directors has responsibility for ensuring that a framework of systems and processes for effective risk management are in place and that they are functioning appropriately. It is responsible for assuring itself that the Trust identifies and effectively manages any risks that could affect the achievement of the Strategic Goals.

3.2 Audit Committee

The Audit Committee has responsibility to ensure that risk management systems are in place and are embedded throughout the Trust. It will provide assurance to the Board of Directors on the adequacy, efficiency and effectiveness of the Trust’s Corporate Governance, Risk Management and Internal Control.

3.3 Quality Committee / Finance, Performance and Informatics Committee / Mental Health Legislative Committee

The Committees of the Board of Directors are responsible for providing assurance in relation to the relevant risks of the Board Assurance Framework and receiving, managing and monitoring relevant risks within the scope of their Terms of Reference.

3.4 Care Group Management Team Meetings

Care Group Management Team Meetings are responsible for identifying, receiving, managing, monitoring and reviewing relevant risks within the scope of their Terms of Reference.

3.5 Directorate/Care Group Management Teams

The Directorate/Care Group Management Teams are responsible for identifying, receiving, managing, monitoring and reviewing relevant risks within the scope of their Directorate/Care Group.

3.6 Executive Management Team

The Executive Management Team is responsible for the implementation of risk management and its assurance mechanisms, bringing together the corporate, financial, workforce, clinical, information, research and governance risk agendas.

3.7 Chief Executive

The Chief Executive is the Accountable Officer for effective risk management and the system of internal control within the organisation. The Chief Executive is also responsible for meeting all statutory requirements including health and safety and ensuring risk management systems are established, implemented and maintained in accordance with organisational arrangements.

3.8 Non-Executive Directors

The Non-Executive Directors are responsible for providing independent/objective scrutiny of the risk management structure and processes.

3.9 Director of Corporate Assurance/Board Secretary

The Director of Corporate Assurance/Board Secretary is responsible for ensuring that all risk and assurance processes are devised, implemented and embedded throughout the Trust and for reporting to the Chief Executive and the Executive Management Team of any significant issues arising from the implementation of the Framework including non-compliance or lack of effectiveness arising from the monitoring processes.


3.10 Risk and Assurance Officer

The Risk and Assurance Officer is responsible for the development, maintenance and monitoring of risk management processes particularly:

extreme operational risks

Board Assurance Framework

electronic risk management system (Risk module within Safeguard)

support to the risk leads with regards to the management of risk

3.11 Risk Leads

Risk leads are responsible for the management of identified risks within the scope of their responsibility, ensuring that risks are reviewed monthly and maintained in a timely manner.

3.12 Project Manager

The Project Manager is responsible for the identification of all risks to the project, ensuring that they are recorded, regularly reviewed (at least monthly) and maintained in a timely manner.

3.13 Managers

Managers are responsible for the identification of risks and for implementing and monitoring any identified risk management control or assurance measures within their designated area and scope of responsibility. Managers should also ensure that all staff are aware of risks within their workplace and provide adequate information, instruction and training to enable them to work safely. Managers should seek advice on risk management issues, as required, and liaise with relevant specialist advisors where necessary.

3.14 Staff

All staff are responsible for having a sense of ownership and commitment to:

identifying and minimising risk;

reporting and responding to risk;

participating in training sessions;

carrying out any agreed control measures and duties as instructed.

4. Training

In addition to the mandatory training delivered and co-ordinated by learning and development, a programme of risk training is provided for all employees, as outlined below:


| Level of Training | Staff Group | Frequency | Timeframe of training | Delivery method | Delivery by whom |
| --- | --- | --- | --- | --- | --- |
| General Risk Awareness | All staff | 3 Yearly | N/A | Leaflet | Issued by Risk and Assurance Officer – also available on intranet |
| Management of risks ‘Risk Module’ Safeguard System | Senior Management; Identified Risk Leads | Once | 1 hour | Face to Face supplemented with Easy Step Guide | Risk and Assurance Officer |

5. Levels of Risk

Within the Trust there are 2 levels of risk:

Strategic Risk

Operational Risk

The hierarchy of the two levels of risk is shown below:

[Figure: Strategic Risks; Operational Risks]

Strategic Risks - Each year a Board Assurance Framework is developed/ refreshed in order to identify and record the key strategic risks for the Trust that may impact on the achievement of its Strategic Goals. Further detail regarding the Board Assurance framework is outlined in appendix C.

[Figure 1: Board Assurance Framework, with the following risk registers]

Operations Risk Register (Executive Lead – Chief Operating Officer)

Corporate Assurance Directorate Risk Register

Health Informatics Directorate Risk Register

Finance Directorate Risk Register

Medical & Pharmacy Directorate Risk Register

Nursing & Quality Directorate Risk Register

Workforce & OD Directorate Risk Register

Children’s Care Group Risk Register

North Lincolnshire Care Group Risk Register

Doncaster Care Group Risk Register

Rotherham Care Group Risk Register


Operational Risk – these are the identified risks that have the potential to impact on the delivery of business, projects or programme objectives. Operational risks are recorded within the 11 risk registers held by the Trust (see Figure 1). Further detail regarding the systems and processes for managing operational risks is outlined in appendix B.

In addition to the formal risk registers detailed above, the Trust also uses project risk logs, which are an essential tool in any project management methodology. These logs are predominantly used within the Programme Management Office; however, the facility is available throughout the Trust.

6. Risk Management Process Overview

The risk management process is the means by which the Trust will effectively manage risks.

The Trust cannot manage its risk effectively unless it knows what the risks are. Risk identification is therefore vital to the success of the Trust’s risk management process and ultimately the safe delivery of care. Assessment and scoring of risks looks at the level of risk and is based on the Trust’s risk matrix. Treatment is how the risk will be managed, and what the required actions are to achieve an acceptable level of risk. All risks are recorded on a risk register which is the formal record of the risks that the Trust has identified. Part of managing risk is to continually review and update, to capture the changes and progress of mitigation.

[Figure: risk management process stages: Risk Identification; Assessment & Scoring; Treatment & Recording; Monitoring & Review]


Appendix A


DEFINITIONS

Action Plan: Sets out the activities that will address the identified gap and reduce, eliminate or minimise the risk

Assurance: Evidence that control measures are working effectively to manage risk

Control: Process/plan/measure in place to assist in the prevention of risk occurring

Impact: Result of a particular threat or opportunity should it actually occur

Likelihood: Measure of probability that the threat will happen including a consideration of frequency with which it may arise

Operational risk: A risk that has the potential to impact on the delivery of business, project or programme objectives

Risk appetite: The tolerance of risk that the organisation is prepared to accept, tolerate or be exposed to

Risk assessment: The process used to evaluate the risk and to determine whether controls are adequate or more should be done to mitigate the risk

Risk management: The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.

Risk registers: A log of risks of all kinds and levels that may threaten the achievement of objectives. It is a living document which is populated through the organisation’s risk assessment and evaluation process.

Strategic risk: A risk that has the potential to impact on the delivery of the Strategic objectives

Risk Lead: Nominated lead for managing the review and update of either an individual risk or risk register


Appendix B


MANAGEMENT OF RISK PROCESS

Risk identification should take place on a continual basis, but particularly where new activities are planned, new legislation or policy requirements have been identified, at the initiation of projects or when incidents or near misses have taken place. It is vital that all risks are assessed in an objective and consistent manner if they are to be managed effectively.

When dealing with patient risk assessment please also refer to the Clinical Risk Assessment and Management Policy.

RISK IDENTIFICATION - Member of staff or Group identifies a risk, and notifies their Line Manager. (Please refer to the Identifying and Managing Operational Risk Leaflet for guidance on how to identify risks)

LINE MANAGER - Line Manager notifies Risk Lead

RISK LEAD – Assessment of the risk:

Identify controls in place

Score the risks (with controls in place)

Identify actions that will mitigate the risk (with timescales)

Score the risk post mitigation

(Please refer to the Identifying and Managing Operational Risk Leaflet for guidance on how to assess risks)

RISK LEAD - in conjunction with the Care Group / Directorate Senior Team will make the following decisions:- REJECT / AMEND / ACCEPT

RISK LEAD - Provides feedback to originator

RISK LEAD - Risk Lead will add new risk to Care Group / Support Services Directorate Risk Register identifying a lead for each action as appropriate. (Please refer to the Easy Step Guide for viewing and editing the web based Risk Registers)

RISK LEAD - will liaise with action lead(s) to assess progress being made and update all risks under their remit at least on a monthly basis adding further controls as they are put in place and further actions if required.


All risks scored as 15 or above must be approved by the Executive Management Team in order for the rating to be agreed as Extreme:

For any risk that has been scored as 15 or above the role of the risk lead is escalated up/transferred to the appropriate Executive Director for update and review.

RISK AND ASSURANCE OFFICER - For new risks scored 15 or above, the Risk and Assurance Officer will escalate to the Executive Management Team for moderation.

EXECUTIVE MANAGEMENT TEAM - Will make the following decision:- REJECT / AMEND / ACCEPT

Risk and Assurance Officer - Provides feedback to Care Group / Support Services Executive Director

Risk will remain on Care Group/Directorate risk register

Risk and Assurance Officer - adds to Extreme Operational Risk Register

Risk and Assurance Officer - will liaise with Risk Lead to assess progress being made and update all risks under their remit at least on a monthly basis adding further controls as they are put in place and further actions if required.


Appendix C


BOARD ASSURANCE FRAMEWORK - STRATEGIC RISKS

In accordance with the Annual Reporting Manual issued by NHS Improvement, all foundation trusts are required to present in the Annual Report an annual governance statement signed by the Chief Executive and underpinned by a supporting Board Assurance Framework (BAF). This aims to provide the Board of Directors with assurance that systems are safe and subject to appropriate scrutiny and that the Board of Directors are able to demonstrate that they are informed of key strategic risks. The BAF contains all the strategic risks that have the ability to undermine the Trust’s Strategic Goals:

To provide safe, effective, compassionate care

To attract, retain, support and develop the finest workforce

To maintain financial stability

To work with partners to offer and deliver market leading services

To be an outstanding, well-led organisation

The framework is built up of the strategic risks and includes:

Current and Target Risk scores (see risk scoring methodology at appendix C)

Lead Assurance Committee

Lead Director

Key Controls intended to manage the risk

Sources of Assurance

Gaps in either control or assurance

Action plan to address the gaps

Risk Appetite

Key Controls

The key controls are the processes/plans/measures that are in place to assist in the prevention of risk occurring such as:

Operational plans

Statutory frameworks, for instance standing orders, standing financial instructions and associated scheme of delegation;

Actions in response to audits, assessments and reviews;

Workforce training and education;

Clinical governance processes;

Incident reporting and risk management processes;

Complaints and other patient and public feedback procedures;

Performance management systems;

Strategies/Policies/Procedures/Guidance;

Robust systems/programmes in place – what / how do you know?

Objectives set and agreed at appropriate level

Frameworks in place to provide delivery;

SLA/Contracts/Agreements in place.


Sources of Assurance

Source of assurance refers to the evidence that describes how well the controls are operating. Assurance can be categorised using a ‘three lines of defence’ model:

First line – operated by managers across the business

Second line – corporate oversight functions and challenge

Third line – independent assurance

This model categorises the assurance according to how independent it is likely to be:

First Line of Defence – operational management, examples include:

o Budgets;

o Risk assessments;

o Work programmes of groups / committees;

o Planning exercises when, who, relevance;

o Training needs assessments.

Second Line of Defence – Corporate oversight, examples include:

o Performance/Quality monitoring in place and at what level, how and when;

o Action monitoring reports;

o Complaints and Compliments / Incident monitoring;

o National returns;

o Training compliance monitoring;

o Routine reporting of key targets together with any necessary contingency plans.

Third Line of Defence – Independent assurance, examples include:

o External audit;

o External inspection bodies, such as the Care Quality Commission and Royal Colleges;

o Systems of accreditation;

o Mandatory reporting systems;

o Internal Audit;

o Health and Safety Executive.

Risk Appetite

Risk appetite is the amount of risk that the Trust is prepared to accept, tolerate or be exposed to. For the Board Assurance Framework, the Trust categorises the risk appetite using the Good Governance Institute’s support matrix (full details available on the Intranet under Corporate Affairs):


Avoid: Avoidance of risk and uncertainty is a Key Organisational objective.

Minimal: Preference for ultra-safe delivery options that have a low degree of inherent risk and only for limited reward potential.

Cautious: Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward.

Open: Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and VfM).

Seek: Eager to be innovative and to choose options offering potentially higher business rewards (despite greater inherent risk).

Mature: Confident in setting high levels of risk appetite because controls, forward scanning and responsiveness systems are robust.


Appendix D


MONITORING AND REPORTING ARRANGEMENTS

All risks are subject to continual review and monitoring by the relevant meeting structure and this is facilitated by the Risk and Assurance Officer who provides reports on risk management to the:

Board of Directors,

Committees,

Care Group Management Team Meetings and

Executive Management Team

On an ad-hoc basis as and when required.

Board of Directors

The Board of Directors will:

Receive an overview of the strategic risks (Board Assurance Framework) on a quarterly basis;

Receive an overview of all extreme operational risks on a monthly basis;

Receive a risk management report on an annual basis.

Audit Committee

The Audit Committee will receive at each meeting an overview of risk management which outlines the process for managing and monitoring the risk and provides assurance of achievement to date.

Quality Committee/Finance, Performance and Informatics Committee/Mental Health Legislative Committee

The Committees will (relevant to the scope of the Terms of Reference):

Review all Strategic Risks (Board Assurance Framework) on a quarterly basis

Review all the Extreme Operational Risks on a monthly basis

Receive an overview of all risks on a quarterly basis

Care Group Management Team Meetings

Care Group Management Team Meetings will (relevant to the scope of the Terms of Reference):

Moderate all new risks on a monthly basis as identified

Review all risks on a quarterly basis

Highlight to the relevant Committee/Operational Management Meeting any risks requiring escalation

Care Group Management Teams

The Care Group Management Teams will (relevant to the Care Group):

Moderate all new risks on a monthly basis as identified

Review all risks on at least a quarterly basis


Highlight to the Operational Management Meeting any risks requiring escalation

Directorates

The Directorate Management Teams will (relevant to the Directorate):

Moderate all new risks on a monthly basis as identified

Review all risks on at least a quarterly basis

Highlight to the relevant Committee any risks requiring escalation

Executive Management Team

The Executive Management Team will:

Review all risks on a rolling programme to provide a confirm and challenge function including longstanding risks and a thematic moderation of the risks

Moderate all risks scored 15 or above onto and off the Extreme Operational Risk Register

Moderate the tolerated risks scored 8 or above where the likelihood is 3 or above.

Project Risk Logs

The Project Manager will report on the project risk log as part of the project update reporting.