Risk Management Strategy and Standard Operating Procedure

Document Status: Draft

Equality Impact Assessment: Completed – no impact

Document Ratified/Approved By:

Date Issued: TBC

Date To be Reviewed: December 2014

Distribution: All Staff

Author: Debra Elliott, Senior Governance Manager, North of England Commissioning Support Unit

Version: Version 2

Reference No: TBC

Location: TBC

Apr 07, 2018


Contents

1. Introduction

2. Definitions

3. Approach to Risk Management: Principles, Aims and Objectives

4. Roles and Responsibility for Implementation

5. Approach to Risk Management and Assessment

6. Distribution and Implementation

7. Training Plan

8. Monitoring

9. Equality and Diversity

10. Associated Documents

Appendices

1. Further risk management definitions

2. Safeguard Incident Risk Management System Risk register Standard Operating Procedure

3. Risk management strategy and Standard Operating Procedure Work Plan

1. Introduction

1.1 This strategy and the related risk register standard operating procedure (SOP) set out the approach and arrangements for management within the South Tees Clinical Commissioning Group (CCG).

1.2 The principles are consistent with those within NHS England’s Risk Management Strategy and Risk Management Policy and Procedure issued in July 2013.

1.3 This strategy sets out the CCG approach to risk and the management of risk in fulfilment of its overall objectives. In addition, the adoption and embedding within the organisation of an effective risk management framework and processes will ensure that the reputation of the CCG is maintained and enhanced, and its resources are used effectively to ensure business success, continuing financial strength and to ensure continuous quality improvement in its operating model.

1.4 As part of this strategy it is also acknowledged that not all risks can be eliminated. Ultimately it is for the organisation to decide which risks it is prepared to accept based on the knowledge that an effective risk assessment has been carried out and the risk has been reduced to an acceptable level as a consequence of effective controls.

1.5 At its simplest, risk management is good management practice and risk assessment provides an effective management technique for managing the organisation (through the identification of risks and the development of mitigating action). Through this strategy and SOP the CCG is keen to ensure that risk management is not seen as an end in itself, but rather a part of an overall management approach that supports the organisation in developing achievable management action plans.

2. Definitions

The strategy and SOP are based on the following definitions:

Risk is the chance that something will happen that will have an impact on the achievement of the CCG objectives. It is measured in terms of likelihood (frequency or probability of the risk occurring) and consequence (impact or magnitude of the effect of the risk occurring).

Risk Management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk.

Risk Assessment is the process used to evaluate the risk and to determine whether precautions are adequate or more should be done. The risk is compared against predetermined acceptable levels of risk.

Further definitions of terms are set out in Annex 1.

3. Approach to Risk Management: Principles, Aims and Objectives

3.1 This strategy sets out the CCG’s approach to the way in which, in general terms, risks are managed. This will be achieved by having a thorough process of risk assessment in place. This will provide a useful tool for the systematic and effective management of risk and will inform and guide staff as to the way in which all significant risks are to be controlled.

3.2 The aims of the strategy are summarised as follows:

to ensure that risks to the achievement of CCG’s objectives are understood and effectively managed;

to maintain a risk management framework to assure the Governing Body that strategic and operational risks are being effectively managed;

to ensure that risk management is a cohesive element of the internal control systems within the CCG’s corporate governance framework;

to ensure that risk management is an integral part of the CCG culture and its operating systems;

to ensure that the CCG meets its statutory obligations including those relating to health and safety and data protection, and

to assure all stakeholders, staff and partner organisations that the CCG is committed to managing risk appropriately.

3.3 In order to achieve these aims the CCG is committed to ensuring that:

risk management is embedded as an integral part of the management approach to the achievement of objectives;

the management of risk is seen as a collective and individual responsibility, managed through the agreed committee and management structures;

patient feedback, complaints and staff feedback are used as an integral part of the approach to risk management;

risk management support, training and development will be provided by the Commissioning Support Unit governance team;

a training needs analysis will be undertaken to identify staff members affected by the roll out of the strategy. Based on the findings of the analysis a risk management training programme will be put in place; and

risk management guidance will be provided to all staff.

4. Roles and Responsibility for Implementation of the Risk Management Strategy and SOP

The following staff have specific responsibilities with regards to risk management:

4.1 The Chief Officer has overall responsibility for ensuring the effective implementation of this strategy and SOP.

4.2 The Chief Finance Officer is the nominated lead for co-ordination of governance and risk management throughout the CCG.

4.3 Officers (including commissioning support staff) will:

be familiar with the main risks in their area of activity, leading the management of risks where required;

ensure the processes for managing risk within services/teams are clearly understood by managers, appropriately delegated and effective; and

ask for feedback from managers about risk assessments relevant to their portfolio and team(s); carry out further risk assessment to determine if the risk is common across the service/CCG teams; in conjunction with the wider team, determine the level of risk and required actions to eliminate or control the level of risk and report back to the team any progress and outcome in relation to action agreed.

4.4 All staff – risk management is everyone’s responsibility and all staff must be familiar with the main risks in their area of activity. All staff must work within the guidance of the Risk Register SOP - see Appendix 2 for full guidance.

4.5 The Commissioning Support Unit, working with and on behalf of the CCG, will:

provide advice to ensure consistency in grading risks to identify the level of priority required in addressing risks;

support staff throughout the risk assessment process as outlined in the SOP;

support and monitor the implementation of CCG risk registers;

collate and analyse data showing trends and patterns and generate appropriate reports as agreed within the CCG risk management portfolio;

support the development and reporting of the Governing Body Assurance Framework and Annual Governance Statement working closely with the Chair, lay members and other Governing Body members to ensure strategic risk is accurately reflected and managed.

4.6 The CCG has developed clear lines of accountability with defined responsibilities and objectives. The risk management reporting committees are outlined below:

The Governance and Risk Management Committee is responsible for reviewing and providing verification on the systems in place across the CCG for governance and risk management including internal control.


The Quality, Performance and Finance Committee is responsible for ensuring that risks to the delivery of the principles of patient safety, quality, safeguarding, performance and finance are identified, addressed and reported to the Governing Body as appropriate.

The Audit Committee is responsible for ensuring that organisational risk management systems and processes are in place.

The Remuneration Committee advises the Governing Body regarding appropriate remuneration and terms of service for the Accountable Officer and other senior employees.

The Governing Body monitors high level, principal risks relating to the achievement of the strategic objectives through the Governing Body Assurance Framework.

[Figure: Governance infrastructure enabling effective risk management, with supporting working groups as required]

4.7 The Governance and Risk Management Committee is chaired by the Chief Finance Officer and has overall responsibility for overseeing the implementation of this strategy and SOP. The committee will also:

review all risks on the risk register and monitor progression of stated action on a bi-monthly basis;

review trend analysis for all risks;

ensure the established processes to manage risk by each team are in place and provide support for action where necessary;

ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective, and

escalate issues to the Governing Body as appropriate, in particular the identification of new significant risks or areas of concern of risks graded high or extreme.

4.8 The members of the Executive Group will:

maintain awareness of the main risks facing the organisation;

take ownership where relevant of principal (strategic) risks that pose a threat to the achievement of strategic objectives and ensure appropriate action is taken to mitigate and manage risks ensuring regular updates to the Governing Body through contributing to the Assurance Framework;

review all Extreme and High risks on a monthly basis;

take or delegate ownership, where relevant, of risks that pose a threat to the achievement of objectives or the business of the CCG and ensure appropriate action is taken to mitigate and manage risks ensuring regular updates are added to the risk register;

ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective.

4.9 Significant CCG projects/work streams require project / programme leads to ensure there are arrangements in place to develop, maintain and regularly review a project risk register to ensure effective management of risk. Red risks (graded as extreme or high) should be escalated to the CCG risk register if they are likely to impact on the CCG strategic objectives.

4.10 Assurance Framework

The CCG will produce and maintain a Governing Body Assurance Framework (AF). The AF forms part of the overall governance arrangements of the CCG and is a key component of the organisation’s internal control arrangements. The AF forms a significant part of the assurance given by the Accountable Officer in the Annual Governance Statement. It will be prepared at the start of each financial year when the CCG’s strategic objectives are known. It should be prepared with the involvement of senior leaders, reviewed by the committee with oversight for it (e.g. the Governance and Risk Committee) on a regular basis and the Audit Committee. It will also be approved and reviewed by the Governing Body at least six monthly.

5. Approach to Risk Management and Assessment

5.1 Definition of Risk

5.2 Types of risks to be managed

Examples of the types of risk that the CCG might encounter and need to mitigate against include:

corporate risks – operating within powers, fulfilling statutory responsibilities and ensuring accountability;

reputational risks – associated with quality of services, communication with customers, staff and stakeholders;

financial risks – associated with achievement of planned surpluses, reduction in costs and revenue growth;

environmental risks including health and safety – ensuring the well-being of staff and visitors whilst using CCG premises;

strategic risk - a significant risk that will impact organisation wide and not just upon a function or team, and

operational risk - a key risk, which impacts on a team’s operational achievement.

5.3 Assessment of Risk

5.3.1 Whenever risks have been identified it is important to assess and record the risk so that appropriate controls are put in place to eliminate the risk or mitigate its effect. To do this a CCG risk register has been developed with an aligned risk register SOP. The SOP has been developed based on current national guidance - see Appendix 1 Safeguard Incident Risk Management System (SIRMS) South Tees CCG Risk Register SOP.

5.3.2 Use of the CCG risk register SOP by all staff will ensure that risk assessments are undertaken in a consistent manner using agreed definitions and evaluation criteria. Additionally, this will allow for comparisons to be made between different risk types and for decisions to be made on the resources needed to mitigate the risk.

5.3.3 Risks are assessed in terms of the likelihood of occurrence and the consequences of impact. In order to arrive at an overall risk rating of the residual risk, the risk is rated to take account of the effectiveness of the controls, i.e. whether they are considered to be satisfactory, have some weaknesses or to be weak. This then provides the overall residual risk rating. Once the residual risk rating is determined an action plan identifying further mitigating action is put in place.

5.3.4 For each risk that is not adequately controlled, an action plan to reduce or eliminate the risk is required. The implementation of the action plan and residual risk assessment must be kept under review, to assess whether planned actions have reduced or eliminated the risk as expected.

5.3.5 Any risk that is identified through the risk assessment process and which the CCG is required legally to report will be reported accordingly to the appropriate statutory body, e.g. Health and Safety Executive or Information Commissioner.

5.4 Risk Appetite

South Tees CCG endeavours to reduce risks to the lowest possible level that is reasonably practicable. All risks can be avoided, transferred or retained. Where risks cannot reasonably be avoided, every effort will be made to mitigate the remaining risk.

5.5 Risk Tolerance

The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risks scored as 12 or above should be escalated to a senior manager and the Governance and Risk Committee for review and monitoring and reported to the Governing Body quarterly. Low, moderate & high risks will be managed and monitored at team level; any risks of concern, even if not scoring as an extreme risk, can be highlighted to the Governance and Risk Committee for escalation to the Governing Body.

6. Distribution and Implementation

6.1 This strategy and risk register SOP will be made available to all staff via CCG internal communications.

6.2 Notifications of strategy and SOP changes will be shared via internal CCG communications.

6.3 Any further guidance will be provided via the CSU governance team.

7. Training Plan

7.1 Risk management training will be provided to all executive members on an annual basis.

7.2 A training needs analysis will be undertaken by the CSU Senior Governance Manager (lead for Risk Management).

7.3 Based on the findings of that analysis, a CCG risk management training plan will be developed for staff.

8. Monitoring

8.1 The Governance and Risk Committee will review the strategy and SOP annually and the Governing Body Assurance Framework on a quarterly basis and function / team risk registers on a bi-monthly basis.

8.2 Senior leads will ensure that teams review their risk registers on a monthly basis (or within individually agreed review times).

9. Equality Impact Assessment

9.1 This document has been developed in line with NHS England’s commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage or civil partnership, gender reassignment and pregnancy and maternity) as well as to promote positive practice and value the diversity of individuals and communities.

9.2 As part of its development this document’s impact on equality has been analysed and no detriment identified.

10. Associated documentation

10.1 POL - 1015 Risk Management Strategy

10.2 POL – 1000 Risk Management: Policy and Procedure

10.3 POL – 1002 Health & Safety: Policy & Corporate Procedures

10.4 POL – 1003 Incident management: Policy & Corporate Procedures

10.5 POL – Business Continuity Policy: Policy & Corporate Procedures

Appendix 1 – Definitions

Action plan: How the identified gap is to be addressed and how the risk is to be diminished.

Assurance Framework (AF): The AF is an integral part of the system of internal control and defines the significant potential risks which may impact on delivery of the organisation priorities. It also summarises the controls and assurances that are in place, or are planned, to mitigate against them. Gaps are identified where key controls and assurances are insufficient to reduce the risk of non-delivery of objectives. This enables the governing body to develop and subsequently monitor an assurance action plan for closing the gaps.

Consequence: This is a numerical value from one to five (five = catastrophic) for the impact that a risk may have on the organisation or individual, and may be physical, financial, reputational etc.

Control: The control of risk involves taking steps to reduce the risk from occurring such as application of policies or procedures.

Directorate risk register: The directorate risk register is a summary of the risks identified through internal processes.

External assurance: External evidence that risks are being effectively managed (e.g. planned or received audit reviews).

Gaps in controls or assurances: Where an additional system or process is needed, or evidence of effective management of the risk is lacking.

Impact: A measure of the impact that the predicted harm, loss or damage would have on the people, property or objectives affected.

Issue: A relevant event that has happened was not planned and requires action. It can be any concern, query and request for change.

Likelihood: A measure of the probability that the predicted harm, loss or damage will occur. This is a numerical value from one to five (five = almost certain) for the potential of the risk to be realised.

Management assurance/actions: What are we doing to manage the risk and how this is evidenced? Sources of information used to ascertain whether controls are working or not. Examples include minutes of meetings, internal or external audit reports, survey results and reports to the Executive Group

Operational risks: A key risk that impacts on individual directorate operational achievement. Operational risks are managed locally within the directorate and are the responsibility of the appropriate Director /Senior Manager.

Risk appetite: The organisation’s unique attitude towards risk taking that, in turn, dictates the amount of risk that it considers is acceptable.

Residual risk: The risk remaining after the risk response has been applied.

Risk: An uncertain event or set of events that, should it occur, would have an effect on the delivery of objectives. It is measured in terms of consequence and likelihood.

Risk assessment: The process used to evaluate the risk and to determine whether precautions are adequate or more should be done to mitigate the risk. The risk is compared against predetermined acceptable levels of risk.

Risk management: The systematic application of management policies, procedures and practices to the task of identifying, analysing, assessing, treating and monitoring risk.

Risk owner: A named individual who is responsible for the management, monitoring and control of all aspects of a particular risk assigned to them.

Risk tolerance: The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risks scored as 12 or above should be escalated to a senior manager for review at Executive Group for review and monitoring.

Strategic risks: A significant risk that has the potential to impact across the organisation. These risks have been mapped to the business plan objectives and will be presented to the Governing Body in the AF.


Appendix 2

SIRMS

Safeguard Incident & Risk Management System

Standard Operating Procedure Risk Register

South Tees CCG Version 12 Review date: 31/03/2014

Contents

General points

Accessing the web-based risk register

How to add a new risk

Entering a risk

Select organisation’s risk register

Directorate

Date of risk

Source of risk

Description of risk

Strategic/Operational Risks

Corporate objective

Risk Co-ordinator

Risk Owner and Responsible Director

Responsible committee

Initial risk rating

Controls and assurances

Action plans

Risk updates

Review details

Residual risk rating

Closing a risk

Risk register reports

Appendix 1 Risk assessment and escalation process

Appendix 2 Describing a risk

Appendix 3 New Risk Form

General points

Users are responsible for familiarising themselves with their duties for risk management as laid out in the CCG risk management strategy.

Access rights

Access will only be set up for nominated staff. Security access levels will be set by the governance team as specified by CCG risk lead.

Assessing risks

Risks should be assessed according to the ‘Risk assessment and escalation process’ procedure (Appendix 1) using the NPSA risk matrix.

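| Likelihood \ Consequence | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| 5 Almost Certain | 5 | 10 | 15 | 20 | 25 |
| 4 Likely | 4 | 8 | 12 | 16 | 20 |
| 3 Possible | 3 | 6 | 9 | 12 | 15 |
| 2 Unlikely | 2 | 4 | 6 | 8 | 10 |
| 1 Rare | 1 | 2 | 3 | 4 | 5 |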

Printing reports

The system allows for both single risk reports, which provide all the details logged against a single risk, and also a full risk register report. The content of these reports is fixed; however, it is possible for the NECS governance team to design other reports on an ad hoc basis that can be scheduled to run and be forwarded to users automatically on a periodic basis.

Accessing the web-based risk register

To access SIRMS (Safeguard Incident and Risk Management System) go to http://srvsg/safeguard or http://10.97.194.139/safeguard. You should log into the system with the username and password you log into your computer with. If you require access to the risk register, a request should come from your nominated risk co-ordinator, to [email protected]

This document, along with other relevant risk management guidance, can be accessed via the CCG ………..TBC. And for NECS staff via NECS Intranet site under Risk and Assurance in the Governance section.

How to add a new risk

You will then be asked to decide whether the new risk is Extreme (risk score 15 to 25) or Low, Moderate, High (risk score 01 to 12).

To add a new risk click here

Once signed in, open the Risk module here.

Select Extreme or Low, Mod, High risk.

Extreme Risks are those rated 15 to 25 which have the potential to impact adversely on the organisation’s ability to deliver its corporate (strategic) objectives

Entering a risk

The orange fields are mandatory sections that must be completed.

The risk reference number will not appear until you have saved these details.

To change risk level: use drop down option before saving. If you change after saving, you will need to provide a reason for escalation/de-escalation.

The system will assign a sequential number that should be used to identify the risk.

The sequence runs across all the organisations that are using SIRMS.

A new version must be created BEFORE existing risks are updated.

Select organisation’s risk register

Select your CCG from drop down list: this will assign the risk to the correct risk register

Directorate

Select CCG lead responsible for the risk.

Select CCG Director responsible for the risk.

Date of risk

This is the date the risk was first identified.

The default date will always be the current date, to change, use drop down calendar.

Source of risk

The source of the risk identifies how you became aware of the risk, i.e. through national guidance, through a reported incident, complaint etc.


Description of risk

Strategic/Operational Risks

Identify whether the risk is strategic or operational or both.

Choose your organisation from drop down list. (Please note this field ties the organisation to its corporate objectives.)

The risk cause, event and effect allow you to describe the risk in detail. Take care to describe the consequence of a risk rather than the cause. E.g. ‘management of staff sickness’ is not a risk, but ‘failure to deliver a high quality service due to inability to manage staff sickness effectively’ would be. See Appendix 2 for further guidance.

Click on the drop down arrow and select the type of risk here.


Select South Tees CCG


Corporate Objectives

From the list of your CCG objectives, select one that the risk affects.

Risk co-ordinator

Select the risk co-ordinator for your team/CCG from drop down list

Risk owner and responsible director

Type the surname in and the relevant person will be found – please note, you have to click on the name to select them. If the name does not appear in the system please contact [email protected]


Responsible Committee

Select the committee that is responsible for monitoring risk from drop down list.

Initial Risk rating

Apply the initial risk rating. This is the score that is given to the risk before controls have been applied. Either select the score from the table, or use the drop down boxes.

See ‘How to assess risk’ in appendix 1.

Click ‘save’ after completing initial risk rating.

You will now need to save the risk before you can complete the rest of the form.

If you have not completed all of the mandatory (orange) fields, you will not be able to save.


Controls and Assurances

Please enter any control measures already in place as well as any new ones that will be implemented to manage the risk. For example in the case of a litigation risk, you could list ‘Claims Procedure’ or ‘Claims handling service provided by NECS’ as part of the existing control framework.

Then go to Action Plan

To add a control choose “New”

Complete details, selecting level of effectiveness of the control from drop down box.

To add a new action, click ‘new’


Action plans

Click on the ‘Action Details’ tab and complete

If you are updating actions, click on the ‘Progress’ tab and complete section.


Risk Updates

NB: A new version should be created with each update in order to ensure that the movement of the risk is captured.

Risks should be reviewed and updated on a regular basis and the frequency of review should be considered when assessing the risk.

Every time an update is conducted you should make a note in this section of the date the risk was reviewed and by whom. The process should involve:

Create new version (either by changing the ‘risk level’ or clicking on ‘new version’).
Provide assurances on control measures.
Review and update the action plan.
Reassess and apply the residual risk score (this is score following implementation of control measures).
Enter the actual date of review and by whom.

N.B. if you know that the ‘risk level’ is going to change (from ‘Extreme’ to ‘Low, Moderate, High’ or vice versa), change this first as this will automatically create a new version number, however if the risk level is to remain the same then please click on ‘New Version’.

1. If you change the risk level, SIRMS will automatically create a new version.

2. If risk level to remain unchanged click here to add new version.

3. Information box – click ok.


Review details

Describe what has been updated: controls and assurance; action plan; review frequency; residual risk rating. This section can also highlight suggested actions, such as discussing at a committee or recommended closure of the risk.

To add review details (i.e. date of review, reviewer and details of the fields that have been updated) – click ‘new’.

New risks – see Appendix 3 for new risk form.

When entering a new risk, select from drop down list how often it is to be reviewed.

The next review date will be displayed – this is dependent on the date entered when adding the review (update).

Complete sections to record when the risk was reviewed and by whom.

The details of the review should be a summary of what has been updated in this version i.e. assurance on controls, progress update in action plan, reduction in residual risk rating etc. You can also use this field to note if the risk is to be considered for removal.

Residual risk rating

This is the consequence and likelihood after the control measures have been applied.

If the risk rating has changed following review, apply the residual risk rating score. Either select the score from the table, or use the drop down boxes.

See ‘Risk assessment and escalation process’ in appendix 1.

Please note – changing the residual risk rating will not automatically change the risk level at the top of the screen. The risk level has to be changed manually. Remember – changing the risk level will create a new version therefore it is best practice to change the risk level at the start of your update.


Closing a risk

Scroll to the bottom of the page and select ‘Closed’ from options:

You can then select a reason for closing the risk.

Follow the steps to create a new version.

Scroll down to the Controls and Assurances section, click on existing control measures and click on the ‘Effectiveness’ drop down list, select ‘Action Plan Completed Risk Removed’.


Risk register reports

To print a report there are 2 options. Click on ‘Print’ from top ribbon then:

Single report
Register style report

Choose the type of report then click print. This will generate a PDF copy of the report. As the system is developed, more reports will become available.

Whatever is highlighted in this window will be the report that is generated.


Appendix 1

Risk assessment and escalation process

Step 1: Determine the consequence score

This is offered as guidance when completing a risk assessment, either when an incident has occurred or if the consequence of potential risks is being considered. Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. Note that the consequence will be negligible, minor, moderate, major or catastrophic.

Table 1: Consequence score

Consequence score (severity levels) and examples of descriptors, listed by domain

Domain: Impact on the safety of patients, staff or public (physical/psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work
2 Minor: Minor injury or illness, requiring minor intervention; Requiring time off work for >3 days; Increase in length of hospital stay by 1-3 days
3 Moderate: Moderate injury requiring professional intervention; Requiring time off work for 4-14 days; Increase in length of hospital stay by 4-15 days; RIDDOR/agency reportable incident; An event which impacts on a small number of patients
4 Major: Major injury leading to long-term incapacity/disability; Requiring time off work for >14 days; Increase in length of hospital stay by >15 days; Mismanagement of patient care with long-term effects
5 Catastrophic: Incident leading to death; Multiple permanent injuries or irreversible health effects; An event which impacts on a large number of patients

Domain: Quality/complaints/audit
1 Negligible: Peripheral element of treatment or service suboptimal; Informal complaint/inquiry
2 Minor: Overall treatment or service suboptimal; Formal complaint (stage 1); Local resolution; Single failure to meet internal standards; Minor implications for patient safety if unresolved; Reduced performance rating if unresolved
3 Moderate: Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2) complaint; Local resolution (with potential to go to independent review); Repeated failure to meet internal standards; Major patient safety implications if findings are not acted on
4 Major: Non-compliance with national standards with significant risk to patients if unresolved; Multiple complaints/ independent review; Low performance rating; Critical report
5 Catastrophic: Totally unacceptable level or quality of treatment/service; Gross failure of patient safety if findings not acted on; Inquest/ombudsman inquiry; Gross failure to meet national standards


Domain: Human resources/ organisational development/staffing/ competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (< 1 day)
2 Minor: Low staffing level that reduces the service quality
3 Moderate: Late delivery of key objective/ service due to lack of staff; Unsafe staffing level or competence (>1 day); Low staff morale; Poor staff attendance for mandatory/key training
4 Major: Uncertain delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>5 days); Loss of key staff; Very low staff morale; No staff attending mandatory/ key training
5 Catastrophic: Non-delivery of key objective/service due to lack of staff; On-going unsafe staffing levels or competence; Loss of several key staff; No staff attending mandatory training /key training on an on-going basis

Domain: Statutory duty/ inspections
1 Negligible: No or minimal impact or breach of guidance/ statutory duty
2 Minor: Breach of statutory legislation; Reduced performance rating if unresolved
3 Moderate: Single breach in statutory duty; Challenging external recommendations/ improvement notice
4 Major: Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report
5 Catastrophic: Multiple breaches in statutory duty; Prosecution; Complete systems change required; Zero performance rating; Severely critical report

Domain: Adverse publicity/ reputation
1 Negligible: Rumours; Potential for public concern
2 Minor: Local media coverage – short-term reduction in public confidence; Elements of public expectation not being met
3 Moderate: Local media coverage – long-term reduction in public confidence
4 Major: National media coverage with <3 days service well below reasonable public expectation
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House); Total loss of public confidence

Domain: Business objectives/ projects
1 Negligible: Insignificant cost increase/ schedule slippage
2 Minor: <5 per cent over project budget; Schedule slippage
3 Moderate: 5–10 per cent over project budget; Schedule slippage
4 Major: Non-compliance with national 10–25 per cent over project budget; Schedule slippage; Key objectives not met
5 Catastrophic: Incident leading >25 per cent over project budget; Schedule slippage; Key objectives not met

Domain: Finance including claims
1 Negligible: Small loss; Risk of claim remote
2 Minor: Loss of 0.1–0.25 per cent of budget; Claim less than £10,000
3 Moderate: Loss of 0.25–0.5 per cent of budget; Claim(s) between £10,000 and £100,000
4 Major: Uncertain delivery of key objective/Loss of 0.5–1.0 per cent of budget; Claim(s) between £100,000 and £1 million; Purchasers failing to pay on time
5 Catastrophic: Non-delivery of key objective/ Loss of >1 per cent of budget; Failure to meet specification/ slippage; Loss of contract / payment by results; Claim(s) >£1 million

Domain: Service/business interruption; Environmental impact
1 Negligible: Loss/interruption of >1 hour; Minimal or no impact on the environment
2 Minor: Loss/interruption of >8 hours; Minor impact on environment
3 Moderate: Loss/interruption of >1 day; Moderate impact on environment
4 Major: Loss/interruption of >1 week; Major impact on environment
5 Catastrophic: Permanent loss of service or facility; Catastrophic impact on environment


Step 2: Determine the likelihood

Now determine what is the likelihood of the impact occurring.

The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency. The frequency-based score will either be classed as rare, unlikely, possible, likely or almost certain.

Table 2: Likelihood score

Likelihood score, descriptor and frequency (how often might it/does it happen):

1 Rare: This will probably never happen/recur
2 Unlikely: Do not expect it to happen/recur but it is possible it may do so
3 Possible: Might happen or recur occasionally
4 Likely: Will probably happen/recur but it is not a persisting issue
5 Almost certain: Will undoubtedly happen/recur, possibly frequently

Step 3: Assigning a risk rating

Now apply the consequence and likelihood ratings to give you a risk rating for each of the risks you have identified. Calculate the risk rating by multiplying the consequence by the likelihood:

C (consequence) x L (likelihood) = R (risk score)

Table 3: Risk rating = consequence x likelihood (C x L)

Likelihood (rows) against consequence (columns: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic):

5 Almost Certain: 5, 10, 15, 20, 25
4 Likely: 4, 8, 12, 16, 20
3 Possible: 3, 6, 9, 12, 15
2 Unlikely: 2, 4, 6, 8, 10
1 Rare: 1, 2, 3, 4, 5

For grading risk, the scores obtained from the risk matrix are assigned grades as follows:

1 - 3 Low risk
4 - 6 Moderate risk
8 - 12 High risk
15 - 25 Extreme risk

Step 4: Assessing the effectiveness of the control(s)

For each of the risks (and especially extreme and high risks) identify the controls that are in place. For example, in an operational setting and where an incident may have occurred, the controls may take the form of a policy, guideline, procedure or process, etc. For risks that have been identified as preventing achievement of organisational objectives then the control is likely to be a management action plan.


Review the control(s) for each of the risks and apply the following criteria:

Satisfactory: Controls are strong and operating properly, providing a reasonable level of assurance that objectives are being delivered.

Some Weaknesses: Some control weaknesses/inefficiencies have been identified. Although these are not considered to present a serious risk exposure, improvements are required to provide reasonable assurance that objectives will be delivered.

Weak: Controls do not meet any acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.

Step 5: Determining the residual risk

Taking into account the initial risk rating and the assessment of the effectiveness of the control together, you can now assess the residual risk that needs to be managed. The consequence and likelihood ratings should be applied, as in table 3 above.

Step 6: Developing an action plan

An action plan must be developed for all risks, regardless of the risk rating in order to record progress on control measures and who is responsible for carrying them out as the system is capable of generating automatic reminders to action owners.

Step 7: Risk Management Action Guide

Where risks have been identified and scored, more likely as a consequence of an incident, then the following escalation arrangements should be used.

The table below provides a suggested action guide for the management of a risk:

Risk Rating: 25
RAG Rating: Red
Action: Halt activities IMMEDIATELY and review status
Level of Authority: Warrants Chief Officers / Chief Finance Officers attention

Risk Rating: 15-20
RAG Rating: Red
Action: Significant probability that major harm will occur if control measures are not implemented. URGENT action required. Director may consider limiting or halting activity
Level of Authority: Warrants Chief Officers / Chief Finance Officers attention

Risk Rating: 8-12
RAG Rating: Amber
Action: Unacceptable level of risk exposure which requires constant monitoring and controls at Directorate level
Level of Authority: Warrants Head of Service attention

Risk Rating: 4-6
RAG Rating: Yellow
Action: Moderate probability of moderate harm if control measures are not implemented. Action in mediate term
Level of Authority: Warrants Head of Service/Senior Lead Attention

Risk Rating: 1-3
RAG Rating: Green
Action: The majority of control measures are in place. Harm severity is small. Action may be long term
Level of Authority: Warrants manager attention


Appendix 2

Describing a risk

In SIRMS, there are three fields in which to describe your risk: the risk cause, event and effect. These are mandatory fields and whilst details will be entered separately, when printed, they will appear in one field on the risk register, called ‘description of risk’.

Example

Risk Cause: As a result of…. (This is the trigger)

Risk Event: There is a risk that…. (This is what might happen)

Risk Effect: Which will result in…. (This is the impact on the achievement of objectives)


Completed forms should be returned to: Your CCG Risk Co-ordinator

Risk Register – New Risk

Risk Ref Leave blank

Date Identified

Responsible Director Name and job title

Risk Owner Name and job title

Risk Details

Directorate/Function/Risk Type/Delivery Area

Frequency of Review

Source of Risk

Description of Risk

Risk Cause

Risk Event

Risk Effect

Risk Assessment Matrix (please circle)

Consequence score (rows) against likelihood score (columns: 1 Rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost certain):

5 Catastrophic: 5, 10, 15, 20, 25
4 Major: 4, 8, 12, 16, 20
3 Moderate: 3, 6, 9, 12, 15
2 Minor: 2, 4, 6, 8, 10
1 Negligible: 1, 2, 3, 4, 5

Initial risk rating score:

Risk for consideration to risk register? Yes / No

Controls (Current)

Columns: Control Details; Assurances on Controls (Progress/Evidence); Effectiveness of Controls; Gaps in Control

Controls & Actions Required

Columns: Action Details; Responsibility / Lead; Target Date

Form Completed By

Columns: Name; Job Title; Contact Details

Risk Management Committee Structure Appendix 1


Appendix 3 NHS South Tees CCG

Risk Management Strategy and Standard Operating Procedure (SOP) Work Plan December 2013

What: Risk Management Strategy and SOP reviewed by Governance & Risk Committee. Once agreed, strategy and SOP to be sent to the Governing Body meeting for review and approval; once approved, to be published on CCG website
How: North of England Commissioning (NECS) governance team to arrange for Strategy & SOP to be uploaded and communication to go out internally across the CCG.
Person Responsible: Lead is NECS Governance Administrator working with CCG Corporate Governance Risk Officer
By When: Within 5 working days of policy approval; Within 5 working days of policy approval (or go live of website)
Resources Required: Staff time and commitment

What: Ensure CCG and staff are aware of the new Strategy and SOP
How: Targeted email to CCG staff; Raise at Team meetings
Person Responsible: Lead is CCG Corporate Governance Risk Officer
By When: Within 5 working days of policy approval
Resources Required: Staff time and commitment

What: Risk management training needs analysis to be undertaken and risk management training developed for review at Governance and Risk Committee
How: CCG Risk management training today baseline review to be undertaken. Outcome: Baseline review to be analyzed, training plan drafted and finalized for CCG review and internal comment.
Person Responsible: Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer
By When: February 2014 G&R committee meeting
Resources Required: Staff time and commitment

What: Risk register management and review
How: All CCG risks to be subject to peer review and internal security. Outcome: all risks on the CCG risk register will be live, well defined, have an agreed risk score and review target date and be aligned to a CCG strategic objective
Person Responsible: All relevant CCG staff. Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer
By When: Twice a year – January & July
Resources Required: Staff time and commitment

What: CCG Risk management maturity assessment
How: CCG Risk Management Maturity Assessment to be developed and undertaken. Outcome: CCG Risk Management Maturity Assessment Report to be prepared and presented to G&R Committee. The report would include results of assessment, findings and future recommendations to support enhanced risk management across the CCG.
Person Responsible: All relevant CCG staff. Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer
By When: June 2014
Resources Required: Staff time and commitment

What: Governing Body (GB) Assurance Framework (AF) review and update
How: CCG AF to be reviewed in line with principal objectives & risks. Reviewing current controls and assurances
Person Responsible: All relevant CCG staff. Lead is CCG Corporate Governance Risk Officer with support from NECS Senior Governance Manager.
By When: February 2014
Resources Required: Staff time and commitment

February 2014 Staff time and commitment