board meeting 29th may 2014 purpose: …...risk management strategy v1 1_1985078.docx1.0 page 1 of...

of 2

BOARD MEETING 29th May 2014

Agenda Item: 12 Enclosure: H

Title: Risk Management Strategy

Purpose: Approval: X Assurance: Discussion: Briefing:

Summary: The Risk Management Strategy outlines the overarching governance

arrangements for managing risk in the Trust; including; Roles and Responsibilities Method/Process for Risk Management including how risk(s) will be identified,

assessed, recorded, reviewed and escalated. Management of the Board Assurance Framework This document replaces the current Risk Management Strategy and Risk

Management Policy.

Recommendation: The Board is asked to approve the Risk Management Strategy.

CQC Domains: Safe Effective Well Led

Strategic goals: The effective management of Risk is crucial to the delivery of each of the

Strategic Goals.

Equality and Diversity: There are no specific issues raised in this area.

Prepared by:Dan HalePatient Safety and Risk Manager

Presented by:Sarah Crosbie, Associate MedicalDirectorrepresenting Richard QuirkMedical Director

Risk Management Strategy v1 1_1985078.docx1.0Page 1 of 30

Risk Management Strategy 2014-2015

Trust Strategy

Version no.: 1, draft 1 UniqueIdentifier:

Approved by: Trust Wide ClinicalGovernance Group

Date:

Ratified by: Medical Director Date: 21/05/2014

ReviewFrequency:

Annually

Next Review: XXX 2015 This document remains valid whilst under reviewOwner Title: Medical Director Author Title: Patient Safety and Risk

ManagerSignature ofExecutiveDirector:

TARGET AUDIENCE (including temporary staff)People who need to know this documentin detail

All Directors, Deputy COOs, AMDs, Deputy CNs,Heads of Service and Managers who areresponsible for carrying out risk assessmentsincluding seconded staff from otherorganisations. All Chairs of committees, groupsor meetings with responsibility for risks.

People who need to have a broadunderstanding of this document

All Managers including seconded staff from otherorganisations.

People who need to know that thisdocument exists

All staff including seconded staff from otherorganisations.

LINKED TRUST DOCUMENTS STANDARDS(e.g. CQC regulations/outcomes, NHSLA)

Health and Safety PolicySecurity PolicyIncident Management and ReportingPolicy and Procedure (including SeriousIncidents)Fire Safety PolicyLegionellosis Risk Management Policyand ProceduresWaste Management PolicyManagement of Medical Devices PolicyManagement of Asbestos Policy

Risk within clinical context is referred tothroughout the CQC Outcomes.

CQC Outcome 16 - Assessing and monitoringthe quality of service provision.


CONTENTS

1 GOVERNANCE FOR RISK MANAGEMENT 31.1 Introduction 31.2 Legislative, Regulatory and Guidance Framework for Risk Management 4

1.2.1 Legislation 41.2.2 Care Quality Commission 41.2.3 Monitor 41.2.4 International Standard ISO31000 4

1.3 Purpose and Objectives 41.4 Risk Management Policy Statement 51.5 Definitions 61.6 Duties 7

1.6.1 Individual Duties within the Organisation 71.6.2 Committees within the Organisation 10

1.7 Document Control, Approval and Ratification 121.7.1 Author and Owner 121.7.2 Approval and Ratification 121.7.3 Review 12

1.8 Equality Analysis 131.9 Dissemination Plan 131.10 Freedom of Information 131.11 Breach 13

2 PRINCIPLES AND METHOD OF RISK MANAGEMENT 142.1 Key Principles 142.2 Risk Management Process 15

2.2.1 Risk Identification 152.2.2 Risk Analysis and Evaluation 162.2.3 Risk Treatment 202.2.4 Risk Documentation 202.2.5 Risk Ownership, Escalation and Assurance 21

2.3 Training 212.4 Monitoring Compliance and Effectiveness 23

3 PATIENT SAFETY AND RISK MANAGEMENT WORK PROGRAMME 25

APPENDIX A - GOVERNANCE STRUCTURE 26APPENDIX B - EQUALITY ANALYSIS TEMPLATE 27APPENDIX C - VERSION CONTROL 30


1 GOVERNANCE FOR RISK MANAGEMENT

1.1 Introduction

Sussex Community Trust (SCT) is committed to establishing and implementing a RiskManagement Strategy which minimises risk to its stakeholders through a comprehensivesystem of internal controls. The Risk Management Strategy provides a framework whichencompasses strategic, financial, quality, reputational, compliance and health & safetyrisks. Its aim is to ensure the safety of patients, staff and the public and to deliver quality,patient centered services that achieve excellent results, promoting the best possible use ofpublic resources, through an integrated approach to managing risks.

From a strategic perspective, SCT aims to fully understand the current and potential risksto the organisation and to ensure that risk reduction/mitigation strategies are developed toaddress risks. This in turn will provide public and board assurance that the controls inplace to reduce risks are working effectively. As such the system of internal control should;

Be embedded in the operation of the organisation and form part of its culture; Be capable of responding quickly to evolving risks; and Include procedures for reporting and escalating any significant control failings

immediately to appropriate levels of management.

SCT expects all staff to subscribe to its vision, values and strategic goals to which thisstrategy relates. This strategy is therefore integral to the work of all the Trust’s Divisionsand supports the delivery of strategic goals over the next five years. Failure to successfullyimplement an effective risk management process could severely impact on the Trust’sability to deliver safe, high quality care and reputation.

The strategy is supported by the Risk Identification, Assessment and Risk RegisterProcedure (as outlined in Section 2.0) which includes the process to identify and managelocal risks and the systemic means by which these local risks are escalated to Board levelattention through the Board Assurance Framework (BAF). This demonstrates how theTrust’s policies, systems and processes provide an effective and robust governancestructure enabling the identification of emerging issues and their control, monitoring, andescalation at appropriate levels in a timely way.

The Trust has identified 3 Strategic Goals for 2014-2019 as outlined in the Trust Five YearStrategic Plan;

We will provide excellent care every time to reinforce wellbeing and independence; Working with our partners we will personalise services for the individual; and We will be a strong, sustainable business, grounded in our communities and led by

excellent staff.

As reflected in the Board Assurance Framework the three key risks to the achievement ofits strategic objectives over the next five years are;

Failure to meet CQC standard of good or outstanding when inspected; affectingpatient safety, clinical effectiveness, quality services and compromising patientcare;

Inability to recruit and retain the right people, as outlined in the People Strategy, todeliver high quality services; and


Plans and processes for 2014/15 are insufficient to achieve planned financialtargets.

The following document therefore sets the aims and objectives for risk management andthe assurance mechanisms for measuring performance and progress.

1.2 Legislative, Regulatory and Guidance Framework for Risk Management

This strategy enables the Trust to meet the required regulatory frameworks and non-statutory guidance for Risk Management;

1.2.1 Legislation

The Trust has statutory responsibilities for risk assessing and reducing risks under Health and Safety at Work Act 1973; and Management of Health and Safety at Work Regulations 1992 (amended 1999);

In addition the Trust has a number of responsibilities as outlined in the Health and SafetyPolicy.

1.2.2 Care Quality Commission

The CQC use a risk based approach to make decisions on compliance with the EssentialStandards; as such it is essential the Trust make a connection between quality and risk.

Regulation 16 - Assessing and Monitoring the Quality of Service Provision requires thathealthcare providers “have an up to date description of the systems and methods thecontinuous quality improvement system uses to identify, assess, manage, monitor andrecord risk”.

1.2.3 Monitor

It is essential as an aspirant Foundation Trust that Sussex Community NHS Trustdevelops a strategy and culture which will enable compliance with the followingFrameworks/guidance;

NHS Foundation Trust Code of Governance, Section C2. Risk Management andInternal Control; and

Compliance Framework, Section 3 Risk Assessment.

1.2.4 International Standard ISO31000

It is the policy of the Trust to align to the International Standard for Risk Management(Principles and Guidelines) ISO31000 as a good practice framework.

1.3 Purpose and Objectives

The purpose of the Risk Management Strategy is to deliver a pragmatic and effectivemultidisciplinary approach to risk management, which is underpinned by a clearaccountability structure from Board to Practitioner level. It recognises the need for robustsystems and processes to support continuous programmes of risk management enabling


staff to integrate risk management into their daily activities and support better decisionmaking through a good understanding of risks and their likely impact.

The strategy enables the identification and management of risks which may prevent theachievement of the Trust’s Strategic Goals or the delivery of safe, high quality care;therefore the key objectives of the Risk Management Strategy are to;

Develop a culture where risk management is integrated into all Trust business;

Ensure appropriate structures are in place to manage risks with clear escalationlevels and processes;

Create a system which is user friendly and allows the prompt assessment andmitigation of risk;

Clearly describe the risk appetite of the organisation;

Reduce risks to patients, carers, staff, sub-contractors, members of the public,visitors etc to an acceptable level;

Develop an ‘open culture’ which encourages staff, patients and members of thepublic to report adverse events in a just and fair environment, so that potentialtrends and lessons may be identified and support offered to those reporting.

Maximise resources available for patient services and care;

Minimise financial liability;

Prioritise risk management action plans;

Embed risk management throughout the Trust, in support of integrated governance;and

Provide a system, which integrates into the planning and performance managementframeworks to minimise duplication whilst adding value.

1.4 Risk Management Policy Statement

The management of risks is a key factor in achieving the provision of the highest qualitycare to patients. Of equal importance is the legal duty of the Trust to control any potentialrisk to staff and the general public, as well as safeguarding assets of the Trust. It is theresponsibility of all staff to be involved in the identification and reduction of risks.

All staff are responsible for the health and safety of staff, patients, visitors and others whoattend our premises and this is the main component of much health and safety legislation,as identified within the Health and Safety Policy.


1.5 Definitions

The Trust will use the following definitions in relation to the Risk Management Strategy;

BoardAssuranceFramework

The Board level log of Strategic Risks. The BAF also includes anyOperational Risks, which may affect the achievement of the Five YearStrategic Plan escalated to the Board by ELT.

Consequence A measure of the impact that the predicted harm, loss or damagewould have on the people, property or objectives affected.

DivisionalRisks

Those risks that if realised could threaten the way in which theorganisation operates at a local or departmental/directorate level,affecting the delivery of services, but unlikely to directly impact theStrategic Goals outlined in the Five Year Strategic Plan.

ExistingControls

The controls and mitigating actions already in place through standardbusiness as usual operations/practise.

Hazard Anything that has the potential to cause injury, loss, damage or harm.Issues Log A log of the Operational Issues requiring business as usual

management and monitoring.Lessons Log A log of all the lessons captured during incident investigation, to

reduce the likelihood of incidents re-occurring.Likelihood A measure of the probability that the predicted harm, loss or damage

will occurOperationalRisks

Those risks that if realised could threaten the way in which theorganisation operates across the Trust or a number ofdivisions/departments and may have an indirect impact to theachievement of the Strategic Goals outlined in the Five Year StrategicPlan.

OperationalIssue

An operational problem, not so severe/serious enough for it to beconsidered an Operational Risk and requires business as usualmanagement.

Residual Risk The risk remaining following mitigation.Risk The combined likelihood and consequence of harm, injury, damage or

loss occurring or impacting the achievement of the Trusts objectrivesor strategic goals.

Risk Appetite The organisations attitude to risk – e.g. the level of risk that theorganisation is prepared to accept before action is required to reduceit.

RiskAssessment

The process by which hazards are identified and the risk rated usingtools implanted by the Trusts for use by all employees. Assessmentscan be either general or specific, but will be undertaken by competentpersons who have received the appropriate degree of information,instruction and training.

RiskManagement

The systematic application of management policies, procedures andpractices to identifying, analysing, assessment, treating andmonitoring risk.

Risk Matrix The tool used to ‘score’ each risk and determine its place on the RiskRegister.

RiskMitigation

The systemic reduction in the extent of exposure to a risk and/or thelikelihood of its occurrence.

Risk Register A log (captured in Safeguard) of all the risks that may threaten thesuccess of the Trust in achieving its declared aims and objectives.


StrategicRisks

Those risks that if realised could threaten the way in which theorganisation exists or operates. These risks will have a directdetrimental effect on the achievement of the Strategic Goals outlinedin the Five Year Strategic Plan and are captured in the BoardAssurance Framework.

TolerableRisk

The risk that has been identified, assessed and evaluated and doesnot require any further mitigating actions because the risk has a scoreof less than 6 (low), the Trust’s ability to mitigate the risk is constrainedor taking action would be disproportionately costly.

1.6 Duties

The organisational management of risk forms part of the Trust’s overall approach togovernance, with individual and committee responsibilities as outlined below;

1.6.1 Individual Duties within the Organisation

Chief ExecutiveThe Chief Executive, as Accountable Officer has overall responsibility for risk managementand for ensuring the Trust has a Risk Management Strategy and infrastructure in place toprovide a comprehensive system of internal control and systemic and consistentmanagement of risk. S/He will delegate specific roles and responsibilities to the appointedExecutive Director/Senior Managers to ensure risk management is co-ordinated andimplemented equitably to meet the Trusts objectives.

Medical DirectorThe Medical Director has the delegated board level responsibility for ensuring that all riskand assurance processes are devised, implemented and embedded, reporting to the ChiefExecutive and Executive Team any significant issues arising from the implementation ofthis strategy including evidence of non-compliance or lack of effectiveness arising from themonitoring process so that remedial action can be taken.

Chief NurseThe Chief Nurse has the delegated board level responsibility for quality, health and safetyand patient experience in relation to risk management processes. The Chief Nurse holdsthe responsibility for the Trust risk of non-compliance with CQC essential standards, and isthe director with responsibility for decontamination and infection prevention and control.

Director of Finance, Facilities and EstatesThe Director of Finance, Facilities and Estates has the delegated board level responsibilityfor financial constraints and balances competing financial demands and for coordinatingthe audit programme within the Trust. S/He is also the Senior Information Risk Owner(SIRO) with responsibility for information governance risk management.

Chief Operating OfficerThe Chief Operating Officer is responsible for the operational delivery of the Trustsservices, and as such holds the executive level ownership for risks relating to the deliveryof operational services; including those risks being managed as a result of servicetransformation and redesign.


Director of Transformation and Commercial DevelopmentThe Director of Transformation and Commercial Development has the board levelresponsibility for implementing an effective Programme Management Office and forChange Control Processes. S/He is responsible for ensuring that risks relating todelivering service transformation and re-design are identified, mitigated and managedthrough robust business case and change control processes.

Director of Human Resources and Organisational DevelopmentThe Director of Human Resources and Organisational Development has the board levelresponsibility for implementing effective workforce planning, staff welfare, recruitment andretention and organisational development strategies. S/He is responsible for ensuring thatrisks relating to human resources and organisational development are identified, mitigatedand managed.

Executive DirectorsAll Executive Directors are accountable for the delivery of quality services in the areaswithin their remit (whether clinical or operational) and lead on the delivery of the Trust’sStrategy with responsibility for ensuring that risks are appropriately identified andcontrolled. They will ensure the quality agenda is effectively co-ordinated, resourced andimplemented across the Trust in an integrated way, ensuring actions to improve the qualityof service delivery are completed, measured and shared to identify lessons and areas forimprovement and of best practice. Executive Directors are accountable for ensuring thatthe potential effect on the quality of service delivery is risk assessed prior to approval ofany new business proposal. They will ensure that the infrastructure to enable staff todeliver high quality care within with their areas of responsibility is in place.

Deputy Chief Operating Officers, Associate Medical Directors and Deputy ChiefNursesAll Senior Managers are responsible for ensuring systems are in place to implement andmonitor programmes of quality improvement within their areas of responsibility in line withthe Trust’s priorities. With support from Heads of Service and Clinical Directors, SeniorManagers are responsible for managing the strategic development and implementation ofintegrated risk and governance within their divisions and service lines. This includesensuring:

Systems are in place to identify, assess and manage risks through implementationand review of the Divisional/Service Line Risk Register; and

Effective systems are employed for reporting, recording and investigating of alladverse events, such as serious incidents, incidents, near misses, complaints andclaims.

They will identify risks within the service line, ensuring appropriate actions are taken,documented and completed to mitigate risks, complying with reporting and governancearrangements to ensure lessons identified and best practice are shared across theorganisation. They will monitor their staff and service compliance against identifiedstandards and safe systems of work whether set nationally or locally and will facilitate andact upon regular user feedback.

Company SecretaryThe Company Secretary is responsible for overseeing the management and maintenanceof the Board Assurance Framework and ensuring the Board follows due process.


Patient Safety and Risk ManagerReporting to the Assistant Director of Governance the Patient Safety and Risk Manager isresponsible for ensuring:

The development of the Risk Management Strategy and Board AssuranceFramework. Ensuring they are effectively coordinated, implemented and monitoredacross the Trust;

Maintain the Risk Register as an active document and monitor mitigation and actionplans.

Monitor the risk and safety requirements of external agencies, including, but notlimited to:

o National Patient Safety Authorityo Medicines and Healthcare Regulation Authority;o Health and Safety Executiveo Monitor; ando Care Quality Commission.

Develop and implement suitable and sufficient risk management training provisionacross the Trust, ensuring role specific training is provided; and

Responsible for the governance process relating to risks and monitoring compliancewith the policy framework and coordinating the updating of the Board AssuranceFramework and reporting to the Trust Board;

Complaints and Assurance LeadReporting to the Assistant Director of Governance the Complaints and Assurance Lead isresponsible for:

Managing and co-ordinating the formal investigation of complaints; Ensuring the Trust Complaints Procedure is adhered to; Ensuring investigations are completed by service lines in accordance with identified

standards and that required follow up action is implemented in order to preventrecurrence;

Monitoring compliance with the policy framework and coordinating reportingexternal agencies such as the Care Quality Commission, Parliamentary HealthService Ombudsman and the Trust Board;

Ensuring that any risk management issues or remedial actions identified during thecourse of a claim, or during the review process on closure is appropriately referredfor action; and

Implement the process to ensure that risks highlighted in external reviews andreports (Care Quality Commission and Coroners Enquiry) addressed by the Trust.

Information Governance LeadThe Information Governance Lead, reporting to the Assistant Director of Governance andthe Director of Finance, Facilities and Estates (as the Senior Information Risk Owner), isresponsible for;

Ensuring the Trust meets statutory obligations in relation to information governanceand freedom of information and that risks are identified and managed;

Ensuring that risks and incidents are escalated to the attention of the SeniorInformation Risk Owner (SIRO) as necessary/required;

Analysing and identifying trends in information governance from incidents,complaints and claims data; and

Providing training, information and support in information governance to staff.


Head of ProcurementThe Head of Procurement is responsible for;

Providing advice and guidance on purchasing strategies, to enable the minimisationof risk; and

Working with the Chief Nurse to maintain an effective response to MHRA guidance.

Health and Safety LeadThe Health and Safety Lead, reporting to the Patient Safety and Risk Manager andaccountable to the Chief Nurse (as delegated board level responsibility for health andsafety), is responsible for;

Acting as a specialist advisor (competent person) to the Trust on compliance withhealth and safety legislation, standards, policies and procedures;

Ensuring adequate investigation and follow up to health and safety incidents,providing reports, analysis and identifying trends;

Identifying specific health and safety risks and ensuring that they are adequatelyassessed, recorded and mitigated;

Responding to health and safety issues identified through complaints, legal claimsand medical device alerts; and

Providing a comprehensive training programme for health and safety to staff.

All StaffAll staff are accountable for the quality of the services they deliver and complying with, andparticipating in risk assessment processes as required. They will comply with identifiedstandards and safe systems of work specific to their roles, whether identified in national,professional or Trust policy, procedures and guidelines. They will report quality issues,however caused, through identified channels to ensure prompt action can be taken usingexisting reporting systems within the Trust.

All Managers and staff have responsibility for managing risks within the services withinwhich they work and for ensuring that they have attended the appropriate RiskManagement Training consummate to their role.

1.6.2 Committees within the Organisation

The Committee structure set out below is designed to ensure that risks are beingeffectively identified, assessed and mitigated.

Trust BoardThe Trust Board is responsible for establishing the principle Strategic Goals and for drivingthe organisation forward to achieve these. It is also responsible for ensuring that there areeffective systems in place to identify and manage the strategic risks associated with theachievement of these objectives through the Board Assurance Framework. The BoardAssurance Framework also includes the Operational Risks, which may affect theachievement of the Strategic Goals, escalated to the Board by ELT.

Audit CommitteeThe Audit Committee has delegated responsibility on behalf of the Board to seeksatisfactory assurance that the Trust is meeting statutory internal and externalrequirements to remain a safe and effective business through embedded and effective riskmanagement systems and processes with appropriate support from internal/external audit.


The Committee are also responsible for seeking assurance that action plans resulting fromaudit findings are satisfactorily completed.

Quality CommitteeThe Quality Committee has delegated responsibility on behalf of the Board to seeksatisfactory assurance that there are adequate controls in place to ensure SussexCommunity NHS Trusts provides high quality services and care to its patients and iscapable of meeting the CQC outcomes in relation to risk.

Finance and Investment CommitteeFinance and Investment Committee has delegated responsibility on behalf of the Board toseek satisfactory assurance that there are suitable financial controls in place, providingscrutiny of major business cases and proposed investment decisions, whilst regularlyreviewing contracts with key partners to ensure suitable and sufficient risk management.

Executive Leadership Team (ELT) CommitteeThe Executive Leadership Team is responsible for monitoring and managing the strategicrisks, providing assurance to the Trust Board that they are being monitored and managedthrough the Board Assurance Framework. The ELT is also responsible for reviewing andmonitoring the Operational Risk Register escalating any operational risks, which mayaffect the achievement of the Strategic Goalsto the Trust Board as necessary/requiredthrough the Board Assuracne Framework. This function is undertaken through the monthlyPerformance and Governance Meeting of the Executive Leadership Team, chaired by theChief Executive, or her/his deputy.

The ELT Performance and Governance committee is also responsible for receiving andassessing risks escalated by the Trust Wide Clinical Governance Group for inclusion onthe Board Assurance Framework and for de-escalating risks from the Board AssuranceFramework to the Trust Wide Clinical Governance Group and Operational Risk Register.

Trust Wide Clinical Governance GroupThe Medical Director chairs the monthly Trust Wide Clinical Governance Group, reportingto the Executive Leadership Team Performance and committee. The Group is responsiblefor ensuring the delivery of the Trust’s Clinical Governance, including risk managementprocedures and practices. The group will receive escalated risks from Divisional RiskRegisters from the Adult’s Divisional Clinical Governance Meeting, Children’s andSpecialist Services Clinical Governance Meeting and Corporate Divisions and specialistgroups Governance Reports. The group will also receive de-escalated risks from theExecutive Leadership Team Performance, Governance and Quality Meeting.Specifically in relation to risk the group will;

Review and approve the Risk Management Strategy; Regularly review the Operational Risk Register, escalating risks as required; Ensure systems are in place to support delivery and compliance with legislation,

mandatory NHS standards and relevant bodies; Monitor the delivery of action plans to ensure gaps in controls are closed and to

identify robust assurance mechanisms; Undertake critical review of services; and Encourage and foster greater awareness of risk management throughout the Trust.

The Trust Wide Clinical Governance Group is supported by a number of subject-specificsub committees, which are responsible for risks within a defined area as identified inAppendix A.


Adults Division Clinical Governance MeetingThe Deputy Chief Nurse for Adult Services chairs the monthly Adults Division ClinicalGovernance Meeting, reporting to the Trust Wide Clinical Governance Group. The chair(on behalf of the Chief Operating Officer) holds the divisional responsibility for;

Ensuring the division is compliant with risk management strategies, policies andprocesses;

Managing divisional and service risks; Escalating risks, issues or requests for assistance to the Trust Wide Clinical

Governance Group; Providing divisional reporting on risk to the Trust Wide Clinical Governance Group;

and Managing, implementing and tracking mitigating actions, plans and lessons

identified.

Children’s and Specialist Services Clinical Governance MeetingThe Deputy Chief Nurse for Children’s and Specialist Services chairs the monthlyChildren’s and Specialist Services Clinical Governance Meeting, reporting to the TrustWide Clinical Governance Group. The chair (on behalf of the Chief Operating Officer)holds the divisional responsibility for;

Ensuring the division is compliant with risk management strategies, policies andprocesses;

Managing divisional and service risks; Escalating risks, issues or requests for assistance to the Trust Wide Clinical

Governance Group; Providing divisional reporting on risk to the Trust Wide Clinical Governance Group;

and Managing, implementing and tracking mitigating actions, plans and lessons

identified.

1.7 Document Control, Approval and Ratification

1.7.1 Author and Owner

The Patient Safety and Risk Manager is the Author of this document, with ownership bythe Medical Director.

1.7.2 Approval and Ratification

This strategy will be presented to the Trust Wide Clinical Governance Group fordevelopment and approval, before subsequent approval by the Trust Board, via theExecutive Leadership Team. Approval of the strategy (at each level) must be reflectedwithin the minutes taken to ensure there is a full auditable records.

1.7.3 Review

This strategy will be reviewed annually from the date of ratification, or sooner should therebe a change to business process, which affects the arrangements outlined in thisdocument.


1.8 Equality Analysis

The Trust aims to design and implement services, policies & other procedural documentsand measures that meet the diverse needs of our service, population and workforce,ensuring that none are placed at a disadvantage over others.

Under the Equality Act 2010, policy or other procedural document authors have a statutoryduty to give “due regard” to issues of race, disability, gender (including transgender),religion or belief, age, sexual orientation and human rights when developing their policy orother procedural document. This means that policy or other procedural document authorshave to assess the potential for their document to discriminate on any of these grounds.Alternatively, the impact of the policy or other procedural document on these groups mightbe positive or the same for everyone.

The Completed Equality Analysis Template is provided in Appendix B.

1.9 Dissemination Plan

This document will be made available to all staff via the internal SCT website ‘The Pulse’.

Those named individuals/roles within the strategy will receive an electronic copy of thisdocument and any subsequent amended version via the Patient Safety and Risk Manager.Named individuals/roles have the responsibility to ensure the onward circulation within thedivision/service for which they have responsibility.

It is the policy of Sussex Community NHS Trust to make Risk Management documentspublically available via the public facing website with information redacted asnecessary/required.

1.10 Freedom of Information

The Freedom of Information Act 2000 gives the public a wide-ranging right to see all kindsof information held by the government and public authorities. Authorities will only be ableto withhold information if an exemption in the Act allows them to. As such a publicallyavailable version of this document will be made available. In line with Government andNHS Document Protection Markings some information (confidential and sensitive) may beredacted from publically available versions.

1.11 Breach

Non-compliance with strategies, policies and procedural documents can affect patientsafety, SCT’s compliance with the Care Quality Commission (CQC) regulations, NHSLitigation Authority standards, and audits or inspections carried out by internal andexternal auditors.

Compliance with Trust strategies, policies and other procedural documents is a contractualcondition of SCT employment.


2 PRINCIPLES AND METHOD OF RISK MANAGEMENT

The following section outlines the Principles and Method by which Sussex CommunityNHS Trust will implement its Risk Management Strategy.

2.1 Key Principles

Healthcare provision and the activities associated with caring for patients, employing staff,providing premises and managing finances will always involve an inherent degree of risk.

In broad terms, groups or areas that may be affected are; Patients and visitors; Staff (including contractors and volunteers); Finances; The business of the Trust; Compliance with statutory duties; and The Trust’s reputation.

The key sources of risks to those groups are: Acts or omissions by staff and contractors; Information systems and the reports they generate (information governance); Trust estates and environmental impact; Work force planning; Business Continuity i.e. the unexpected failure of systems, which may have a wide

impact on the continued delivery of services; Internal change control; and Changes to the commissioning environment.


2.2 Risk Management Process

The Trust will use the risk management process as outlined by ISO31000 in implementingits risk management strategy;

2.2.1 Risk Identification

Risks may be identified via a number of mechanisms and may be both proactive andreactive from a number of sources, including but not limited to;

Analysis of key performance indicators; Capital and service development projects; Change control processes. Claims, incidents, serious incidents and complaints; Clinical Risk Assessments; Contingency/Disaster recovery planning and exercising; Coroners reports; Environmental and workplace risk assessments; Equipment and system malfunction or failure; Equipment purchase/modification; Information Governance Toolkit; Internal and External reviews, visits, inspections, audits and accreditation; National recommendations; New legislation and guidance; Preventative maintenance issues; Risk assessment of everyday operational activities, especially when there is a

change in working practice or environment; Safety alerts (e.g. Central Alerting System and NSH protect) Staff and patient surveys; and Whistle blowing;


Each risk identified should be clearly defined using simple and unambiguous language.Ideally risks should be defined in no more than one or two sentences and should not beemotive.

2.2.2 Risk Analysis and Evaluation

Risk analysis and evaluation involves developing a further understanding of the risk toenable an evaluation of how the risk should be treated. As such risk analysis involves theconsideration of the causes and sources of the risk, their positive and negativeconsequences and the likelihood that those consequences may occur.

Ideally, risk analysis should be an objective process and wherever possible should drawon independent evidence and valid quantitative data. However it is recognised that suchevidence and data may not be available to the assessor(s), who will be required to makea subjective judgement. When facing uncertainty, the assessor(s) should take aprecautionary approach.

In order to ensure consistency of risk quantification across the Trust a standardised set ofdescriptors and scoring matrices (based upon the Australian/New Zealand StandardAS/NZS 4360:2004) will be used for risk analysis.

Risk ScoringThe risk score will be based upon the consequence of a risk and the likelihood of it beingrealised;

Consequence x Likelihood = Risk Score

The Trust uses three risk scores during the management of risks;

Initial Risk ScoreThe score when the risk was first identified and is assessed with existing controls inplace. This score will remain unchanged for the lifetime of the risk and is used as abenchmark against which the effect of risk mitigation can be measured

Current Risk ScoreThis is the score at the time the risk was last reviewed in line with the set review dates. Itis expected that the current risk score will reduce and move toward the Target Risk Scoreas action plans and mitigating actions are developed and implemented.

Target Risk ScoreThis is the score that is expected to be reached after the action plan and mitigatingactions have been fully implemented to enable the risk to be reduced to a level which istolerable.

Scoring the ConsequenceConsequence must be scored using the Table of Consequences, with existing controls inplace. The Trust provides a number of domains for consideration, where there aremultiple domains to be considered the highest consequence should be used.


Table of Consequences

Domain:

Consequence Score and Descriptor1 2 3 4 5

Insignificant Minor Moderate Major Catastrophic

Injury or harmPhysical or

Psychological

No/ minimal injuryrequiring no /

minimalintervention or

treatment

No Time off workrequired

Minor injury orillness requiring

intervention

Requiring time offwork < 4 days

Increase in lengthof care by 1-3

Moderate injuryrequiring

intervention

Requiring time offwork of 4-14 days

Increase in lengthof care by 4-14

days

RIDDOR / agencyreportable incident

Major injury leadingto long-term

incapacity/disability

Requiring time offwork for >14 days

Incident leading tofatality

Multiple permanentinjuries or

irreversible healtheffects

Quality of PatientExperience /

Outcome

Unsatisfactorypatient experiencenot directly relatedto the delivery of

clinical care

Readily resolvableunsatisfactory

patient experiencedirectly related to

clinical care.

Mismanagement ofpatient care withshort term affects

<7 days

Mismanagement ofcare with long term

affects >7 days

Totallyunsatisfactory

patient outcome orexperience including

never events.

Statutory

Coroners verdict ofnatural causes,

accidental death oropen

No or minimalimpact of statutory

guidance

Coroners verdict ofmisadventure

Breech of statutorylegislation

Police investigation

Prosecutionresulting in fine

>£50K

Issue of statutorynotice

Coroners verdict ofneglect/system

neglect

Prosecutionresulting in a fine

>£500K

Coroners verdict ofunlawful killing

Criminal prosecutionor imprisonment of aDirector/Executive

(Inc. CorporateManslaughter)

Business / Finance& ServiceContinuity

Minor loss of non-critical service

Financial loss of<£10K

Service loss in anumber of non-critical areas <6

hours

Financial loss £10-50K

Service loss of anycritical area

Service loss ofnon- critical areas

>6 hours

Financial loss £50-500K

Extended loss ofessential service in

more than onecritical area

Financial loss of£500k to £1m

Loss of multipleessential services in

critical areas

Financial loss of>£1m

Potential forpatient complaint

or Litigation /Claim

Unlikely to causecomplaint, litigation

or claim

Complaint possible

Litigation unlikely

Claim(s) <£10k

Complaintexpected

Litigation possiblebut not certain

Claim(s) £10-100k

Multiple complaints/ Ombudsmen

inquiry

Litigation expected

Claim(s) £100-£1m

High profilecomplaint(s) withnational interest

Multiple claims orhigh value single

claim .£1m

Staffing andCompetence

Short-term lowstaffing level that

temporarily reducespatient care/service

quality <1day

Concerns aboutskill mix /

competency

On-going lowstaffing level thatreduces patient

care/service quality

Minor error(s) dueto levels of

competency(individual or team)

On-going problemswith levels of

staffing that resultin late delivery of

keyobjective/service

Moderate error(s)due to levels of


Uncertain deliveryof key objectives /service due to lack

of staff

Major error(s) dueto levels of


Non-delivery of keyobjectives / servicedue to lack/loss of

staff

Critical error(s) dueto levels of


Reputation orAdverse publicity

Rumours/loss ofmoral within the

Trust

Local media 1 daye.g. inside pages or

limited report

Local media <7days coverage e.g.

front page,headline

Regulator concern

National Media <3days coverage

Regulator action

National media >3days coverage

Local MP concern

Questions in theHouse

Full public enquiry

Public investigationby regulator

ComplianceInspection / Audit

Non-significant /temporary lapses in

compliance /targets

Minor non-compliance with

standards / targets

Minorrecommendations

from report

Significant non-compliance with

standards/targets

Challenging report

Low rating

Enforcement action

Critical report

Loss ofaccreditation /

registration

Prosecution

Severely criticalreport


Scoring the LikelihoodLikelihood must be scored using the Table of Likelihood, with existing controls in place.

Table of LikelihoodDescriptor Score Frequency ProbabilityRare 1 This will probably never happen / recur > 1 in 100,000Unlikely 2 Do not expect it to happen / recur but it may > 1 in 10,000Possible 3 Might happen / recur occasionally > 1 in 1,000Likely 4 Will probably happen / recur but it is not a

persistent issue> 1 in 100

AlmostCertain

5 Will undoubtedly happen / recur, possiblyfrequently

> 1 in 10

Risk ScoreOnce the Consequence and Likelihood have been determined, the over-all risk score canbe measured using the Risk Score Matrix:

Risk Score Matrix

Consequence:

Likelihood:

Rare (1) Unlikely (2) Possible (3) Likely (4) AlmostCertain (5)

Insignificant (1) 1 2 3 4 5

Minor (2) 2 4 6 8 10

Moderate (3) 3 6 9 12 15

Major (4) 4 8 12 16 20

Catastrophic(5) 5 10 15 20 25

Risk rating makes evaluation of the risk easier with reference to the divisional and/orTrust wide risk profile; providing a systemic framework by which to identify the level atwhich risks will be managed, prioritising remedial action and availability of resources toaddress risks.

Risk rating also allows the Trust to set its risk appetite, with the ‘Risk Rating - ActionsTable’ used to define the guidance on the documentation/registration of the risk, theurgency of action to mitigate the risk and clarifies ownership, reporting and oversight.

Risk Management Strategy v1 1_1985078.docx1.0 Page 19 of 30

Risk Rating - Action TableScore Level Action Risk Owner * Governance/Monitoring** Register Escalation Route1-6 Low Entered on to

safeguardHead of service /Manager

Divisional Governance andPerformance Meeting

Divisional RiskRegister

Trust Wide ClinicalGovernance Group

8-12 Moderate Entered on tosafeguard

Deputy ChiefOperating Officers,Associate MedicalDirectors andDeputy ChiefNurses

Trust Wide ClinicalGovernance Group

Operational RiskRegister

ExecutiveLeadership Team -Performance andGovernance

15-25 High Entered on tosafeguard

ExecutiveDirector

Executive Leadership Team- Performance andGovernance

Operational RiskRegister

Trust Board viaBoard AssuranceFramework

* The Risk Owner has the over-arching organisational responsibility for the risk; however they may delegate the management of the riskthrough the implementation of controls and production of action plans as appropriate.** The committee, group or meeting responsible for Governance and Monitoring will validate scoring and undertake the monitoring /review of action plans and any tolerated risks. They are also responsible for escalating risks as appropriate.


2.2.3 Risk Treatment

Having identified, assessed, scored and rated the risk, it is important to identify anddocument what action needs to be taken to enable the Target Risk Score to be achieved.In general there are four potential responses to address a risk once it has been identifiedand assessed;

TolerateThe risk may be considered tolerable without the need for further mitigating actions, forexample the risk is rated low or the Trusts ability to mitigate the risk is constrained or iftaking action is disproportionately costly.

In general the Trust will tolerate all risks scored 6 or less, which do not require furthermitigating actions; however they must be regularly assessed and monitored, (at leastannually) to identify any change in circumstances or scoring.

Where the decision to tolerate a risk is taken, consideration should be given to developingcontingency arrangements for managing the consequences if the risk is realised.

TreatThis is the most common response to managing risks. It allows the Trust to continue withthe activity whilst ensuring that mitigating actions are implemented to reduce the risk to atolerable level e.g. as low as reasonably practicable. In general action plans will reduce therisk over time, but are unlikely to eliminate it.

It is important to ensure that mitigating actions are proportionate to the identified risk andgive reasonable assurance that the risk will be reduced to a tolerable level. Once atolerable level of risk has been reached, it should continue to be reviewed a minimum ofannually to ensure that there has not been a change in circumstances or scoring.

It is the responsibility of the Divisional Clinical Governance Group to ensure that actionplans are suitable to reduce the risk with regular monitoring.

TransferIn some circumstances the risk may be transferred, for example through conventionalinsurance policies or by sub-contracting a third party to take the risk. This option isparticularly suited to mitigating financial risks or risks to assets.

It is important to note that risks to the Trusts reputation cannot be transferred.

TerminateIn some circumstances, the only way to reasonably prevent the risk is to terminate theactivity, which gives rise to the risk or by changing the way in which the activity isundertaken. Within the NHS this option is limited as there are many activities which haveassociated risks that are deemed necessary for the delivery of effective health careservices.

2.2.4 Risk Documentation

All risks are entered into Safeguard to ensure that there are suitable documented recordsin place, and to ensure regular monitoring and review.


Divisional Risk RegistersThe divisional risk register will identify and monitor the risks to the achievement of localbusiness/service objectives, with risks generally scored 6 or less. The Divisional RiskRegisters will be reviewed by the Divisional Governance and Performance Meeting.

Operational Risk RegisterThe operational risk register will identify and monitor the risks to the achievement of Trustwide business/service objective and higher rated divisional risks, with risks generallyscored between 8 and 12. The Operational Risk Register will be reviewed by the TrustWide Clinical Governance Group.

Board Assurance FrameworkThe Board Assurance Framework is the Board level register and will identify and monitorthe strategic risks and any operational risks which may affect the achievement of thestrategic goals. The Board Assurance Framework will be managed, monitored andreviewed by the Executive Leadership Team Performance and Governance Meeting, whoare responsible for escalating operational risks to the Trust Board asappropriate/necessary. A quarterly Board Assurance Framework update report will bepresented to the board, with the full risk register presented at least annually.

2.2.5 Risk Ownership, Escalation and Assurance

The Risk Owner identified in the ‘Risk Rating - Action Table’ holds the overarchingresponsibility for the risk, ensuring that the risk is appropriately scored, that suitable andeffective controls are implemented and action plans produced; however where suitableand appropriate the management of the risk may be delegated to a competent individualwithin their division.

The clinical governance structure enables risks to be managed at the appropriate levelwithin the Trust, ensuring there is a committee/group or meeting with responsibility forproviding assurance that risks have been suitably and effectively identified, assessed anddocumented. They are also responsible for ensuring that action plans and mitigatingactions are proportionate and are implemented effectively.

It is the responsibility of the committee/group or meeting with responsibility for governanceand monitoring to ensure that risks are escalated appropriately, including escalatingthemes where they are observed by a number of similar low level risks.

2.3 Training

Sussex Community Trusts is committed to equipping staff with the necessary skillsrequired to undertake their roles competently and confidently. In turn, staff must takeresponsibility for developing these skills and participating in the lifelong learning process.

Training in risk management, at all levels of the organisation is described in the Trust’sLifelong Learning Policy, where a Training Needs Analysis (TNA) has been developed toidentify the training requirements of each group of staff.

In line with the Lifelong Learning Policy, the Risk Management Team will deliver aprogramme of risk management training, including risk assessment and root causeanalysis.


The delivery of training will form a key indicator for the Risk Management Team AnnualPerformance Report.


2.4 Monitoring Compliance and Effectiveness

Minimum requirement to bemonitored

Process formonitoring e.g.audit

Responsibleindividual/group/committee

Frequency ofmonitoring

Lead forreviewingresults

Lead fordevelopment ofaction plan

Lead formonitoring andimplementationof action plan

Production of AnnualGovernance Statement

Publication ofAGS

Trust Board Annual Chief Executive Chief Executive Chief Executive

Risks to Strategic Goals andBusiness Objectives

Review ofBoardAssuranceFramework

Trust Board Quarterly Chief Executive ExecutiveLeadershipTeam

Chief Executive

Governance Structure - RiskManagement Strategy:- Organisational risk

management structuredetailing all committees,groups and meetings withresponsibility for risk.

- How the Board or highlevel risk committeesreview the organisationalrisk register.

- How risks are locallymanaged

- Duties of the keyindividuals for riskmanagement includingTORs for Committees.

RiskManagementReport

Trust WideClinicalGovernanceGroup

Annual MedicalDirector

MedicalDirector

MedicalDirector

Risk Management Principlesand Method:

Review of RiskManagementStrategy



MedicalDirector

MedicalDirector


Risk Management trainingand education




MedicalDirector

MedicalDirector

Risk Register Bi-Monthly RiskReport


Bi-Monthly MedicalDirector

Divisional RiskOwners

MedicalDirector

Incidents Log Bi-MonthlyIncident Report


Bi-Monthly MedicalDirector

Divisional RiskOwners

MedicalDirector

Patient Safety and RiskManagement WorkProgramme




Patient Safetyand RiskManager

Patient Safetyand RiskManager


3 PATIENT SAFETY AND RISK MANAGEMENT WORK PROGRAMME

The Patient Safety and Risk Management Work Programme is produced and owned bythe Patient Safety and Risk Manager and outlines the programme of work to be deliveredby the Risk Management Team to ensure that the Trust continues to deliver, develop andimplement its Risk Management Strategies.

The Trust Wide Clinical Governance Group, is responsible for approving the Patient Safetyand Risk Management Work Programme and for monitoring its development and delivery.

The top four priorities for delivery in 2014/15 are;

Review of the Trust’s risk and incident reporting governance structure to improvethe management, monitoring and reporting of risks and incidents, whilst increasingassurance to the Executive Leadership Team and Board;

Development and Implementation of the Board Assurance Framework;

Review of Trust’s risk management associated Training Needs Analysis with theproduction and implementation of a Risk Management Training Programme; and

Establish, develop and implement key performance indicators for the RiskManagement and Patient Safety Work Programme/Team.


APPENDIX A - GOVERNANCE STRUCTURE


APPENDIX B - EQUALITY ANALYSIS TEMPLATE

To be used to analyse the effect of your policy or service on the protected groups in equality law, resulting in either:1. removing or minimising disadvantages suffered by people due to their protected group characteristics (i.e. gender, race, age, disability,

sexual orientation; transgender status, pregnancy or maternity, religion or belief, civil partnership or marriage);2. taking steps to meet the needs of people from protected groups where these are different from the needs of other people;3. no further action required

1 Name of Policy or Service Risk Management Strategy 2014-15

2 Service andDirectorate

Clinical Governance Team, Clinical Quality Division

3 Objectives

What is the purpose of this policy orservice?

The purpose of the Risk Management Strategy is to outline the framework by whichthe Trust will implement internal controls for the Governance of Risk Management andoutline the Method and Procedure for identification, assessment, mitigation andmonitoring.

4 Analysis completed By(Author? Equality Lead? Other?)

a) Name b) Job Title

Author Daniel Hale Patient Safety and Risk Manager

5 Does the policy or service have an effect on Staff and/or the Public? (please √)Staff Yes √ NoPublic Yes √ No


Equality lawprotects people on

the followinggrounds:

Is your policyor servicerelevant tothis area ofequality or

humanrights?

If relevant, is theeffect positive or

negative

Evidence of the effect(e.g. statistics, research, surveys, results of

engagement, etc)

Is furtheraction

required?

Yes No Positiveeffect

Negativeeffect

*Yes No

Age √Disability √Gender (includingpregnancy andmaternity)

√

Transgender √Race and Ethnicity √Religion and Belief √Sexual Orientation(including civilpartnership)

√

Human Rights √

* Complete the following Equality Analysis Action Plan only for equality grounds marked: *Yes further action required.


Equality Analysis Action Plan

Equalitygroundsticked*Yesrequiringfurtheraction:

Does your policy or service: Any action takento date

Action to be taken Targetdate

ResponsiblePerson(s)

ExpectedOutcome(includingmonitoringarrangements)

Discriminate? Eliminatediscriminationor promoteequality?

Promotegood

relationsbetweengroups?

Equality Analysis: Equality and Diversity Lead sign offSigned Date

Risk Management Strategy v1 1_1985078.docx1.0

Page 30 of 30

APPENDIX C - VERSION CONTROL

VERSION HISTORYDate Version Changes / Comments20/5/14 0.1-0.3 Patient Safety and Risk Manager & Medical Director Review/rewrite21/05/14 1.0 Submitted to Trust Board

board meeting 29th may 2014 purpose: …...risk management strategy v1 1_1985078.docx1.0 page 1 of...

Documents