RISK MANAGEMENT STRATEGY
Author with contact details:
Dianne Brown, Chief Nurse
Caroline Keating, Director Corporate Governance/Trust Secretary
Telephone: 0151 529 5860 or 0151 529 4766
E-mail: [email protected] [email protected]
Original Issue date: 2003
Issue Date: October 2018
Review Date: October 2019
Level: Trust wide
Location of staff applicable to: All staff across the Trust
Staff groups applicable to: To all staff groups
To be read in conjunction with / Associated Documents:
Document Control SOP
Risk Management Policy and Procedure
Incident Reporting and Management Policy
Investigations of Incidents, Claims and Complaints SOP
Management and Resolution of Complaints and Concerns Policy
Claims Handling Policy & Procedure
Speak Out Safely Policy
Health & Safety Policy
Assurance & Escalation Framework
Being Open and Duty of Candour Policy
Information Classification Label
NHS Confidential NHS Protect Unclassified
Access to Information: To access this document in another language or format please contact the policy author.
Document Change History (changes from previous issues of policy, if appropriate):
Issue Number | Page | Changes made with rationale and impact on practice | Date
12 | | Total Document Review | September 2017
13 | | Total Document Review | October 2018
Aintree University Hospital NHS Foundation Trust
Risk Management Strategy
CONTENTS
Executive Summary & Risk Management Policy Statement
1 Introduction
2 Key Principles
3 Risk Appetite
4 The Risk Management Process
5 Responsibilities
6 Monitoring & Review
7 Continual Improvement of the Strategy
8 Human Rights, Equality & Diversity
9 Accessibility Statement
Appendices
1 Levels of Risk Appetite and Scoring Matrix
2 Trust Governance Structure
3 Risk Escalation Process
4 Risk Matrix
5 Monitoring & Review Template
6 Glossary of Terms
Aintree University Hospital NHS Foundation Trust
Risk Management Strategy – October 2018 3/22
Executive Summary and Management Statement
Aintree University Hospital NHS Foundation Trust’s (“Aintree” or “the Trust”) risk management strategy
sets out the corporate framework and processes required for successful delivery of the Trust’s risk
management policy statement. It is supported by procedures, guidance and other documents to ensure
that a consistent and standardised approach to risk management is adopted across the organisation,
providing assurance that risks are managed effectively. Supporting documents include the risk
management implementation plan which is produced annually and outlines specific activities.
Figure 1: The Corporate Risk Management Framework
Aintree’s risk management policy statement explains why it is important for us to manage our risks and
the benefits of doing this. The statement is set by the Board of Directors and, to demonstrate our
commitment, it has been signed by both the Chief Executive (on behalf of the Executive), and the
Chairman (on behalf of the Board).
The Trust believes that effective risk management is imperative not only to provide a safe environment
and high quality of care for service users and staff, it is also critical in the business planning process
where a more competitive edge and greater public accountability in delivering healthcare services is
required. Risk management is the responsibility of all within the Trust.
Aintree is committed to working in partnership with staff to make risk management a core organisational
process and to ensure that it becomes an integral part of Trust philosophy and activities. The Risk
Management Strategy encourages appropriate risk taking, effective performance management and
accountability for organisational learning in order to deliver continuous improvement in the quality of
services. As part of this, the Trust undertakes to ensure that appropriate resources, including finances,
people, training and information technology, are made available, as far as is reasonably practicable.
The Risk Management Strategy applies to the management of all risks within the Trust.
As part of the Annual Governance Statement, the Trust will make a public declaration of compliance
against meeting risk management standards. The Risk Management Strategy identifies the Trust’s
objectives in relation to risk management and outlines the main processes by which these objectives are
to be achieved.
This strategy is subject to annual review and approval by the Board of Directors.
The Trust’s Risk Management Statement
Aintree University Hospital NHS Foundation Trust is committed to securing the best quality
healthcare for the population we serve. In doing so, it acknowledges that this can only be achieved
through the skill and continuing commitment of its staff.
Aintree University Hospital NHS Foundation Trust will support and help its employees in providing
services which are safe for patients and staff. This will require that all staff understand that “risk
management is everyone’s business” actively identifying risks, adverse incidents, near misses or
hazards. Aintree University NHS Hospital Trust will promote an open and supportive risk culture,
seeking patients’ views, and using the feedback as an opportunity for learning and improving the
quality of our services.
Chairman ………………………………….. Chief Executive …………………………………
Date:
1. Introduction
The Trust accepts that it carries a number of risks which have the potential to cause harm to patients,
staff and visitors and loss to its assets and reputation if not properly managed and controlled.
It is accepted that, given the nature of the service provided by the Trust, some risks cannot be totally
eliminated. However, it is essential that the Trust has in place good risk management systems and
practices which eliminate risk wherever possible and reduce the impact of those risks that cannot be
eliminated to an “acceptable level”.
Aintree takes an integrated approach to risk management across the organisation, which embraces all
risks. The Board of Directors will set Aintree’s risk appetite which will determine the strategic
governance arrangements for the Trust and create an environment and structure for risk management to
operate effectively.
Aintree is committed to understanding the causes of risk that may impact on the organisation,
addressing issues in compliance with the organisation’s risk management methodology, thereby
improving the quality, safety and effectiveness of the services provided.
The Trust will endeavour to apply a proactive risk-based approach to all aspects of its undertakings, its
activities and condition of its estate. This will be achieved using the Trust’s risk assessment
methodology as a tool to identify potential hazards and associated risks and to ensure appropriate
control measures are identified and implemented.
2. Key Principles
2.1 Purpose of the Risk Management Strategy
The purpose of the Strategy is to detail the framework which defines the Trust’s governance
arrangements, i.e. the way the Trust leads, directs and controls the risks to its key functions in
order to comply with health and safety legislation, its Provider Licence, CQC registration and the
Trust strategic objectives.
NHS Improvement has established a ‘Single Oversight Framework’ to ensure there is a clear
compliance framework so that all Trusts are able to demonstrate that they are remaining within
their agreed provider licence. It is therefore important that the Trust is aware of any risks (e.g.
associated with new business or service changes) which may impact on its ability to adhere to
this framework.
The Strategy underpins the Trust’s reputation and performance and is fully endorsed by the
Board of Directors.
2.2 Scope of the Strategy
Everyone is responsible for making sure that risks associated with the activities and assets they
are responsible for, are identified, assessed and managed, in accordance with the Trust’s risk
management system and processes. The Strategy applies to the management of all risks within
the Trust associated with the services, operations and business.
The Board of Directors has overall responsibility for the governance of risk management in
Aintree with identified committees having delegated responsibilities. The Clinical Governance
and Risk team is responsible for developing and managing the implementation of the Trust’s risk
management policy documents. Divisional managers are responsible for developing and
implementing local policy documents which align with the Trust documents.
2.3 Link between Risk Management and Corporate Governance
The Trust has adopted an integrated governance approach to the management of risk.
Integrated governance is defined as:
“the systems, processes and behaviours by which we lead, direct and control our functions in
order to achieve our organisational objectives and the safety, quality and value for money of
services as they relate to patients and carers, the wider community and partner organisations”.
Corporate Governance is the system by which an organisation is directed and controlled at its
most senior level to achieve the Trust’s objectives and meet the standards of accountability and
probity.
The Trust is required to demonstrate that it is doing “its reasonable best to manage risk”. In
practice, this means having systems and processes in place to identify, assess, evaluate and
assign responsibilities to manage risks within the Trust. This is achieved by ensuring that risk
management and corporate governance is an integrated process through which the organisation
will identify, assess, analyse and manage risks and incidents at every level of the organisation
and aggregate the results at a corporate level. The Trust, therefore:
• Integrates risk management into all decision-making processes
• Integrates all risk management functions including patient safety, safeguarding, health and
  safety, complaints and litigation
• Integrates risk management functions with service developments and clinical governance
  activity to unify frameworks and improve patient safety
• Implements a consistent approach to investigation of risks and incidents.
2.4 Trust Objectives
The Board recognises that the implementation of an effective risk strategy and risk management
process is key to the delivery of the Trust’s objectives, the development of a positive learning
environment and a risk aware culture. The tool the Trust will use to facilitate this is the Board
Assurance Framework (BAF).
The BAF contains those principal or strategic risks that without effective mitigation have the
potential to fundamentally impact on the Trust’s objectives. They are agreed annually by the
Board and kept under regular review.
The Trust Board has defined a principal risk for purposes of the BAF as:
“Those risks that if realised could fundamentally affect the way in which the Trust exists or
provides services in the next one to three years. These risks should they occur will have a
detrimental effect on the achievement of one, some or all of the Trust’s objectives. The risk
realisation will lead to material failure, loss or lost opportunity.”
The strategic risks in the BAF are monitored at the appropriate Board Committee and a summary
of these risks is monitored and reviewed on a monthly basis by the Executive Team with an
update provided by the Trust strategic risk lead (Executive Director) to ensure that risks are
appropriately managed and mitigated against. The Corporate Report of the Trust’s Risk Register
details the high level operational risks which may impact on the BAF and these are monitored by
the Executive Led Groups and escalated where appropriate to the Hospital Management Board
(HMB) and the relevant Board Committee (Appendix 2).
The Audit Committee, which has responsibility for ensuring that the Trust’s risk management
remains effective, will undertake a review of the BAF process at least annually.
The BAF directly underpins the Annual Governance Statement (AGS) and is the subject of
annual enquiry by Internal and External Audit.
3. Risk Appetite
The Trust recognises that it is impossible and not always appropriate to eliminate all risks.
Systems of control must be balanced in order that innovation and the use of limited resources are
supported when applied to healthcare. Additionally, the Trust may be willing to accept a certain
level of risk when the cost of mitigating the risk is high in comparison to the potential severity of
the risk and the likelihood of it occurring. The Board will set the risk appetite annually for the
risks identified on the BAF.
The following statement has been approved by the Board in support of its risk appetite [1].
[1] Approved by the Board of Directors – January 2017
The Trust recognises that its long term sustainability depends upon the delivery of its strategic
objectives and its relationships with its patients, staff, the local community and strategic partners.
As such, the Trust has a minimal appetite for risks that impact on quality of care i.e. to be safe,
effective and providing a positive patient experience. Related to this, the Trust has a minimal risk
appetite relating to regulatory non-compliance.
The Trust has a moderate appetite to take considered risks in terms of their impact on financial
stability in challenging working practices in pursuance of its commitment to clinical excellence,
providing that patient safety and experience is not adversely affected. Similarly, the Board has only
a moderate appetite to risks associated with the development of its people and demonstrating
effective leadership recognising that both of these elements are key to ensuring quality service and
care to patients and achieving the Trust objectives.
The Board has greatest appetite in seeking strategic transformation of healthcare across Merseyside
and the planned merger with the Royal Liverpool and Broadgreen University Hospitals NHS Trust, as
well as developing wider effective partnerships and alliances where positive gains can be anticipated
providing they are done so within the regulatory environment.
4. The Risk Management Process
The Trust’s risk management process is embedded at all levels as an integral part of Aintree’s
Risk Management Strategy and is supported by a robust training programme.
Through the organisational governance structure (Appendix 1), the Trust has systems in place to
identify risks, assess their impact and devise strategies to evaluate, manage and control them.
This system provides the Trust with an assurance that risks to which the Trust may be exposed
are managed and controlled at an appropriate level. This process is supported by the risk
escalation process (Appendix 2).
Appendix 3 contains the Risk Matrix, which details the risk grading for the likelihood and consequence
scoring. These are supported by relevant risk management policy documents which provide
detailed guidance. The policy documents are used proactively to identify foreseeable risks and
ensure that those risks are evaluated with adequate control measures implemented and the
findings communicated appropriately.
Risk assessments, depending on the risk score awarded, are recorded on the relevant risk
register and monitored and reviewed in compliance with respective Divisional governance
structures and risk management processes.
Communication and consultation are important at all stages of the risk management process. For
example, when undertaking a risk identification and assessment it is important that the right
people are involved, and when risk mitigations are identified it is important the people
implementing actions are informed.
5. Responsibilities
The Risk Management Strategy will ensure that its risk management arrangements meet the
requirements of regulatory bodies that directly assess the overall adequacy of the Trust’s risk
management arrangements including:
5.1 Statutory
• Health & Social Care Act 2008 – the Trust is legally required to register with the Care
  Quality Commission under the Health & Social Care Act 2008 and, as a legal requirement of
  the Trust’s registration, must protect patients, workers and others
• Management of Health & Safety at Work Regulations 1999 (as amended) – the Trust is
  required to undertake a suitable and sufficient assessment of the risks to the health and
  safety of all employees and persons not in its employ to which they are exposed whilst at
  work and arising out of or as a result of the Trust’s activities
• Health and Safety at Work Act 1972 (HASWA) – Section 2 places a duty on the Trust to
  ensure, so far as is reasonably practicable, the health, safety and welfare of all employees
  and anyone who may be affected by its work activities.
5.2 Mandatory
• NHS Improvement (NHSI) is the sector regulator for health services in England. It
  authorises and regulates NHS foundation trusts ensuring they are well led (governance) and
  run efficiently (financial) so they can continue delivering good quality services for patients in
  the future. NHSI has created a risk-based system of regulation which determines the
  intensity of the monitoring it undertakes. The Trust is required to demonstrate compliance
  with its Licence and the Single Oversight Framework.
• The Care Quality Commission (CQC) is the independent regulator of health and adult social
  care services in England. The Trust is required to provide reasonable assurance to the CQC
  of its compliance against their essential quality and safety standards.
• Approved Codes of Practice (ACoP) – these have a quasi-legal status that assists the Trust
  to ensure that it operates within the legal framework.
• RSM Risk Assurance Services LLP is the Trust’s independent internal auditors who
  develop and deliver an annual internal audit programme for the Trust. This includes verifying
  that the Trust has suitable and effective systems of internal control with respect to risk
  management in place and that these are effective.
• Pricewaterhouse Coopers LLP is the Trust’s independent external auditors appointed by
  the Council of Governors. The external auditors provide an unbiased and independent
  opinion on the Annual Report & Accounts which includes the Annual Governance Statement.
5.3 Organisational
5.3.1 Organisational Accountability – Governance & Risk Management Committees
The Board of Directors is ultimately accountable for ensuring that the Trust is complying with the
terms of its Provider Licence which includes its arrangements for integrated governance and
effective risk management.
The Board has identified the strategic risks that it considers are the key risks likely to impact on
the delivery of the Trust’s objectives and overall strategy. Its Board Committees have
responsibility for monitoring the effectiveness of the controls and assurances in place to manage
these risks. The Corporate Governance Framework Manual [2] references the delegated
responsibility from the Board to its Committees which is reflected in their terms of reference. The
current terms of reference for the Board Committees were approved by the Board of Directors in
April 2018. The responsibilities for the respective committees/groups are outlined in Table 1
below.
[2] Available on the trust website
Name Responsibilities
Quality Committee
Its purpose is to enable the Board to obtain assurance that high
standards of care are provided by the Trust and, in particular, that
adequate and appropriate governance structures, processes and
controls are in place throughout the Trust to identify, prioritise and
manage risk arising from clinical care.
Audit Committee
Its primary role is to provide the Board of Directors with a means of
independent and objective review of financial and corporate
governance, assurance processes and risk management across the
whole of the Trust’s activities.
Finance & Performance Committee
This Committee will review the financial prospects of the Trust and
approve the key financial assumptions used in strategic and business
planning.
Workforce Executive Led Group
Its purpose is to oversee the execution of the People and Organisational
Development Strategy and associated key delivery plans. It will provide
assurance to the Board Committees on workforce issues, taking
account of local and national agendas, and on the specific HR risks
identified within the BAF. It reports through to the Hospital Management
Board (HMB) to provide assurance to the Trust’s senior management
team on significant operational issues.
Safety & Risk Executive Led Group
Its purpose is to provide advice and assurance to the Quality Committee
on the delivery of the Risk Management Strategy and operational
management of risks within the Trust held on the Corporate Risk
Register. It is responsible for escalating to the Quality Committee those
risks and concerns requiring senior input. It reports through to the
Hospital Management Board (HMB) to provide assurance to the Trust’s
senior management team on significant operational issues.
Clinical Effectiveness Executive Led Group
Its purpose is to provide advice and assurance to the Quality Committee
on the clinical risks within the Trust held on the Corporate Risk Register.
It is responsible for escalating to the Quality Committee those risks and
concerns requiring senior input. It reports through to the Hospital
Management Board (HMB) to provide assurance to the Trust’s senior
management team on significant operational issues.
Patient Experience Executive Led Group
Its purpose is to oversee the delivery of patient experience improvement
plans, identify risks associated with areas of performance and escalate
any concerns requiring senior input to the Quality Committee. It reports
through to the Hospital Management Board (HMB) to provide assurance
to the Trust’s senior management team on significant operational
issues.
Operations & Performance Executive Led Group
Its purpose is to provide advice and assurance to the Finance &
Performance Committee on the operational delivery of hospital services
ensuring that mechanisms are in place to address, monitor and manage
operational issues within the Trust. It reports through to the Hospital
Management Board (HMB) to provide assurance to the Trust’s senior
management team on significant operational issues.
Hospital Management Board (HMB)
It provides advice to the Board on the direction and operational
management of the Trust. It takes on the role of leadership, developing
the overall strategy of the Trust and ensuring the delivery of strategic
objectives and the mitigation of strategic risk through a focus on clinical
quality, performance and delivery.
Divisional Assurance Groups
These groups are responsible for reviewing and controlling the risks
within their Divisions as part of the development of divisional and
corporate risk registers and escalating those risks to the relevant
Executive Led Group.
High risks that cannot be controlled and which emanate from the
Divisions are to be escalated to the Corporate Risk Register, treated by
the Executive Team and de-escalated and sent back to the appropriate
source.
Table 1: Committee Responsibilities
5.3.2 Organisational Accountability: Executive Leadership
The following table outlines the roles and responsibility for risk management within the
organisation:
Individual(s) Responsibilities
Lead Executive Directors
Chief Executive
The Chief Executive has overall responsibility for risk management.
As Accounting Officer [3], the Chief Executive has responsibility for
maintaining a sound system of internal control that supports the
achievement of the Trust’s policies, aims and objectives, whilst
safeguarding the public funds and departmental assets. The Chief
Executive is also responsible for ensuring that the Trust is
administered prudently and economically and that resources are
applied efficiently and effectively. This includes:
• ensuring that employees and the public are properly protected
  against exposure to risks arising out of or as a result of the Trust’s
  activities
• ensuring that the appropriate arrangements are in place to
  manage risks within the organisation. This includes ensuring an
  effective structure and system is in place to allow those who
  create risks to manage them responsibly
• signing the Annual Governance Statement in the annual report
  and accounts on behalf of the Board
• enabling individuals whether these are patients, staff, visitors etc
  to understand that, as well as having the right to remain safe
  without risk of harm, they too must act responsibly.
[3] NHS Foundation Trust Accounting Officer Memorandum
The Chief Executive has delegated responsibility for delivery within
the management structure to the Corporate Directors for their
respective areas.
Deputy Chief Executive/Integration Director
Nominated by the Chief Executive as the Executive Director
responsible for the management of risk relating to the proposed
merger transaction.
Medical Director
Nominated by the Chief Executive as the Executive Director
responsible for the management of risk relating to clinical
effectiveness, research & development and professional
responsibility for medical practice within the Trust.
The Medical Director is the nominated Caldicott Guardian and has
responsibility for the safety of patient data.
Chief Nurse
Nominated by the Chief Executive as the Executive Director
responsible for the management of risk relating to quality
improvement, patient safety and patient experience, clinical
governance including risk management, safeguarding vulnerable
adults & children as well as professional responsibility for nursing and
allied health professionals.
The Chief Nurse is the Director for Infection Prevention and Control
and is also the Executive Lead for the Risk Management Strategy.
Director of Finance & Business Services
Nominated by the Chief Executive as the Executive Director
responsible for the management of risk relating to systems of
financial control, standards of business conduct and counter fraud,
financial governance and associated risks.
The Director of Finance & Business Services is the nominated Senior
Information Risk Owner (SIRO) and is responsible for information
governance risk assessment and management processes.
Chief Operating Officer
Nominated by the Chief Executive as the Executive Director
responsible for the management of risk relating to the management of
organisational operational issues, lead for service improvement and
transformation across the Clinical Divisions as well as emergency
preparedness resilience and response.
Director of Workforce & OD
Nominated by the Chief Executive as the lead Director responsible for
the development and delivery of the Trust’s People and OD Strategy,
develop a values driven culture, maximizing education and learning
opportunities and management of risk relating to the Trust’s
workforce and associated policies.
Director of Estates & Facilities
Nominated by the Chief Executive as the lead Director responsible for
the management of risk relating to health & safety as well as the
hospital’s physical environment.
Non-Executive Director Responsibility
Non-Executive Directors
The Chairman and Non-Executive Directors exercise non-executive
responsibility for the promotion of risk management through
participation in the Trust Board and its committees. They are
responsible for scrutinising systems of governance. They have the
responsibility to ensure that the Chief Executive and Executive
Directors are held to account for their risk management
responsibilities.
Individuals with Specific Responsibilities for Risk Management
Director of Corporate Governance/Trust Secretary
Responsibility to review all corporate governance arrangements that
might affect the Trust to ensure that the Board is fully briefed on
these matters and has regard to them when taking decisions and to
advise the Board on the strategic risks identified in the BAF.
Associate Director of Quality Governance
Oversees and supports the implementation of the risk functions and
has responsibility for the implementation of the Risk Management
Strategy and aligned risk management policy documents within the
Trust as well as the implementation of the risk management
framework.
Associate Medical Directors
Responsible for the management of risk relating to the areas of their
portfolio.
Divisional Medical Directors
Ultimate responsibility for the implementation of the Risk
Management Strategy and policy within their division.
Divisional Directors of Operations
Responsibility for the operational implementation of the Risk
Management Strategy and policy within their division.
Divisional Directors of Nursing
Responsibility for the management of clinical and non-clinical risk
within their division and for advice regarding patient safety.
Clinical Risk Manager
Responsibility for ensuring systems and processes relating to clinical
risk management are embedded throughout the Trust, including
clinical incident reporting and investigations; ensuring lessons learnt
from adverse events are shared throughout the governance structure;
reviewing risk assessments to identify risks which are prevalent
across the organisation.
Risk & Legal Services Manager
Responsibility for ensuring systems and processes relating to
litigation are embedded throughout the Trust; ensuring equitable and
cost effective resolution of claims; and for the Trust’s incident
reporting procedure for all non-clinical incidents.
Health and Safety Manager
Responsibility for ensuring systems and processes relating to
non-clinical risk management are embedded throughout the Trust.
Divisional Governance Leads
Responsibility for providing advice and support to Clinical Business
Units on all issues relating to this strategy and associated policy
documents; ensure departments have an active risk register and that
risks are updated; ensure risk assessments are undertaken and
provide quality assurance checks; ensure systems and processes are
established with the Division to manage risks and incidents.
Clinical Director of Pharmacy
Responsibility for the delivery of safe medicines management and as
the Accountable Officer for Pharmacy to ensure total compliance with
legislation for controlled drugs.
All Managers/Heads of Service
Responsibility for the local implementation of this Strategy and
associated policy documents in their departments, wards and/or other
clinical and non-clinical areas.
All staff
Responsibility for compliance with the requirements of this Strategy
and associated policy documents; awareness of the risks identified
within their working environment and how their role impacts on those
risks; reporting hazards or threats to the ward or department manager
taking reasonable steps to reduce the risk if possible.
Table 2: Individual Responsibilities relating to risk management
5.4 Third Party Organisations
Specific risks identified by the Trust will be shared with any other relevant organisation working in
partnership with the Trust. Likewise, the Trust expects that any relevant risks identified by
partners will be shared with the Trust.
6. Monitoring and Review
Monitoring assesses how well risk management across Aintree is performing (performance
monitoring) and if it is delivering the objectives and benefits defined in the Risk Management
Policy documents. This monitoring covers input indicators (eg. compliance with risk management
requirements, progress with risk plans, etc) and output indicators (eg. near miss and accident
rates).
Risk management performance will be monitored and reviewed according to the process
identified in Appendix 4 to ensure that risk management in Aintree is effective and provides
support for the successful delivery of the Trust’s objectives. The monitoring and review covers:
• Regular reviews of the potential events or uncertainties (ie. what could go wrong) and how
they are being managed. On an individual basis, this includes consideration of the level of
risk, progress with risk mitigation actions and the current effectiveness of risk measures /
controls / contingencies. Concerns should be escalated to the appropriate management level
for consideration and response
• Investigations of reported near misses and incidents to understand root causes, and to
develop risk mitigation actions (specific measures / controls and contingencies) and to
improve Aintree’s risk management system framework
• Gaining assurance that (i) the measures / controls / contingencies are in place and
performing as specified, (ii) risk plans are being progressed and (iii) we are working in
accordance with our risk management system and processes. This is achieved in three
parts:
o Self-assessment – Line managers are responsible for including self-assessment
activities in their quality improvement plans and the identification of any risks arising from
these.
o Internal audit – The Audit Committee will set and review the internal audit requirements
which will focus on assessing the measures / controls / contingencies of greatest
importance in mitigating the risks to the organisation
o External audit - The Board will respond to external audit and legislative requirements
(eg. CQC audits). Typically, these audits will focus on compliance with standards and
legal requirements, assessing the measures / controls / contingencies of greatest
importance in mitigating risk, and on the effectiveness of the risk management framework.
The above will inform the Board Assurance Framework which is provided to the Board of
Directors so they can make a judgment on how effectively the strategic risks are being managed.
7. Continual Improvement of the Strategy
Based on results and a wider understanding of the context, decisions will be made on how to
improve the risk management policy, framework, processes and tools. These decisions will be
aimed at improving the management of risk and risk culture throughout the organisation.
The Risk Management Strategy will be reviewed annually.
8. Human Rights, Equality & Diversity
The Strategy has been assessed against the Trust’s Equality Impact Assessment Form which
has identified that there is no impact on any Equality Target Group.
Implications arising from the Human Rights Act have been taken into account in the formulation
of this Strategy and have, where appropriate, been fully reflected in its wording.
9. Accessibility Statement
This document can be made available in a range of alternative formats on request eg. large print,
Braille etc.
Appendix 1 – Trust Governance Structure
Appendix 2 – Risk Escalation Process
BOARD OF DIRECTORS (BAF quarterly)
Board Committees
Divisional Assurance Group
CBU/Directorate Governance/Assurance Meetings
Incidents
Complaints
Claims
External Assessments/CQC/NHSI
Ad hoc Risk Assessments
Health and Safety
RISK REGISTER
SCRUTINY
ASSURANCE
Board Assurance Framework and submitted to the Board and monitored through Board governance and assurance committees
Any risk scoring 15 or above and/or impacting across the Trust is escalated to the Corporate risk register and with agreement with relevant Exec would recommend risks to be incorporated into BAF
All risks 15 or above (corporate or divisional added to corporate risk register) and any risks that cannot be managed regardless of score to be escalated by the Divisions to Exec Led Safety and Risk Group
Service/Divisional risks reviewed at Service Governance Forums and escalated to Harm Free Care Meetings for decision to include on risk register
Risk Assessments completed at local level
Audit/Non-Compliance
NICE Guidance
Safety & Risk Executive Led Group
Risks scoring 9 and above and any risks that cannot be managed at service level escalated to Divisional Assurance Group
HMB
Appendix 3 – Risk Matrix
Risk Grading = Likelihood x Consequence (impact) (L x C)

                     Likelihood
Consequence score    1      2         3         4       5
                     Rare   Unlikely  Possible  Likely  Almost certain
5 Catastrophic       5      10        15        20      25
4 Major              4      8         12        16      20
3 Moderate           3      6         9         12      15
2 Minor              2      4         6         8       10
1 Negligible         1      2         3         4       5
Further details of the descriptors for the likelihood and consequence scoring can be found in the Risk Management Policy
Appendix 4
Monitoring and review of the effectiveness of the Trust’s risk management strategy
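Key Process / part of this policy for which compliance or effectiveness is being monitored: Compliance with the Risk Management Strategy at Divisional level, and process for managing the risk locally. Reporting arrangements into the Board Committees and the Board. Committee effectiveness
Monitoring method (ie. audit, report, on-going committee review, survey etc): Review of effectiveness of Committees and Groups with responsibility for risk management (including reporting arrangements to the Board and Board Committees)
Job title and department of person responsible for leading the monitoring: Associate Director of Quality Governance; Director Corporate Governance/Trust Secretary; Corporate Governance Team
Frequency of the monitoring activity: At least annually
Monitoring Committee responsible for receiving the monitoring report/audit outcomes etc: Board Committees
Committee responsible for ensuring that improvement/action plans are completed: Quality Committee

Key Process / part of this policy for which compliance or effectiveness is being monitored: Compliance with the process for Risk Registers
Monitoring method (ie. audit, report, on-going committee review, survey etc): Review of Divisional and Corporate Risk Registers
Job title and department of person responsible for leading the monitoring: Associate Director of Quality Governance
Frequency of the monitoring activity: Quarterly
Monitoring Committee responsible for receiving the monitoring report/audit outcomes etc: Safety & Risk Executive Led Group
Committee responsible for ensuring that improvement/action plans are completed: Quality Committee

Key Process / part of this policy for which compliance or effectiveness is being monitored: Ensuring that strategic risks are assessed, reviewed and aligned with the strategic objectives via the Board Assurance Framework
Monitoring method (ie. audit, report, on-going committee review, survey etc): Review of the Board Assurance Framework, content and process.
Job title and department of person responsible for leading the monitoring: Director Corporate Governance/Trust Secretary
Frequency of the monitoring activity: Quarterly
Monitoring Committee responsible for receiving the monitoring report/audit outcomes etc: Executive Team
Committee responsible for ensuring that improvement/action plans are completed: Board of Directors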
Appendix 5 – Glossary of Terms
Term Definition
Adverse Event Any event or circumstances leading to unintended harm and/or suffering which
results in admission to hospital, prolonged hospital stay, significant disability at
discharge or death
Board Assurance Framework (BAF) The BAF is a tool by which the Board corporately assures itself about the
successful delivery of the Trust’s strategic objectives. The BAF is designed to
focus the Board on controlling principal risks threatening the delivery of those
objectives. The BAF aligns principal risks, key controls and assurances on the
operation of controls
Consequence The outcome of an event being a loss, injury, disadvantage or gain in respect of
the physical, emotional, financial, social or credibility status of the individual or
organisation
Controls Assurance A process designed to provide evidence that the NHS in total (and its constituent
parts) is doing its reasonable best to manage, direct and control itself so as to
protect itself, its employees, patients and stakeholders’ safety and interests
against risks of all kinds
Cost Activities, both direct and indirect, which result in a negative outcome or impact for
an individual or the organisation. Cost includes money, time, labour, disruption,
goodwill, political and intangible losses
Current risk The risk of the risk still being realised, despite the actions required being adopted.
This is represented by the risk being rescored post action and can be
supplemented by a narrative
Event Incident or situation occurring in a particular place during a particular interval of
time
Hazard A source of potential harm, or a situation with the potential to cause loss
Incident Any unplanned event or circumstance resulting in, or having a potential for injury,
ill health, complaint, damages or loss
Incident Reporting & Investigation A formal, structured process and approach to enable the occurrence of incidents
to be reported, recorded and the root cause of reported incidents identified, in
order to manage risk exposure and identify required corrective actions.
Likelihood A qualitative measure/description of probability or frequency
Monitor To check, supervise, observe critically or record the progress of an activity, action
or system on a regular basis in order to identify change
Probability The likelihood of a specific event or outcome occurring. This is measured by the
ratio of specific events or outcomes to the total number of possible events or
outcomes. Probability is expressed along a scale ranging from impossible to
certain
Risk The chance of something happening that will have an impact upon objectives. It
is measured in terms of consequences and likelihood
Risk Acceptance An informed decision to accept the identified consequences and likelihood of a
particular risk
Risk Analysis A systematic use of available information to determine how often specified events
may occur and the magnitude of their consequences
Risk Appetite Risk appetite is the amount of risk that an organisation is prepared to accept,
tolerate, or be exposed to at any point in time.
Risk Assessment The overall process of risk analysis and evaluation
Risk Avoidance An informed decision not to become involved in a risk situation
Risk Control That part of risk management which involves the development and
implementation of policies, standards, procedures and/or physical changes to
eliminate or minimise adverse events or risks
Risk Evaluation The process used to determine risk management priorities by comparing the level
of risk against pre-determined standards, target risk levels or other criteria
Risk Identification The process of determining what can happen, why and how
Risk Management The culture, processes and structures that are directed towards the effective
management of potential opportunities and/or adverse effects
Risk Management Process Systematic application of management policies, procedures and practices to the
tasks of establishing the context of risk and then identifying, analysing, evaluating,
treating, monitoring and communicating risk
Risk Reduction The application of appropriate techniques and management principles, to reduce
either the likelihood of an occurrence, or its consequences or both
Risk Transfer Shifting the responsibility or burden for loss to another party through legislation,
contract, insurance or other means. Risk transfer can also refer to shifting a
physical risk or part thereof elsewhere
Risk Treatment Selection and implementation of appropriate options and action plans for dealing
with risk
Serious Incident A serious incident requiring investigation is defined as an incident that occurred in
relation to NHS funded services and care resulting in unexpected or avoidable
death, serious harm, permanent harm (National Patient Safety Agency (NPSA),
2008)
Stakeholders Those people and organisations who may affect, be affected by or perceive
themselves to be affected by a decision, action or activity
System Failure A non-conformance with, malfunction of, or deviation from a defined management
system. A system failure may also be defined as inadequate performance,
non-participation in or non-application of a defined management system or process.