
INTEGRATED RISK MANAGEMENT FRAMEWORK - STRATEGY, POLICY AND PROCEDURE

Last Reviewed February 2018 Approving Body Governing Body Date of Approval February 2019 Next Review Date December 2021 Review Responsibility Head of Corporate Governance Version 3


REVISIONS/AMENDMENTS SINCE LAST VERSION

Date of Review: September 2012
Amendment Details: Framework updated for NHS Doncaster Clinical Commissioning Group (CCG). Risk scoring matrix amended to the version agreed in October 2011. Version control reset to V1.

Date of Review: February 2016
Amendment Details: Framework updated to reflect the structure of NHS Doncaster CCG.
• “Strategy” section merged with Section 1 of the Policy on “Policy Statement, Aims and Objectives” to remove duplication.
• Policy Section 2: refresh of the list of legislation.
• Refresh of job titles and reporting terminology throughout.
• Step 4 in the Procedure (p.17) refreshed to clarify the type of risk that each risk recording tool is used to record.
• Removal of references to the “shadow” Governing Body and associated structures (the policy was previously developed for the CCG in shadow form).

Date of Review: February 2018
Amendment Details:
• Chief of Corporate Services position replaced with Associate Director of HR and Corporate Services or Head of Corporate Governance (as appropriate).
• Internal Audit recommendations included following the review of risk management arrangements at the CCG.

Date of Review: February 2019
Amendment Details:
• Risk Management Strategy: Section B included (new section) (pg. 7-13).
• Current Data Protection Legislation (replacing the Data Protection Act 1998) (pg. 16).
• Reference to the Risk Matrix in Appendix A, table 3, page 33 (pg. 25).
• A score of 12 or below is considered to be an acceptable risk. Previously the threshold was 11 (pg. 26).
• The Risk Register will be regularly reviewed and updated (at least quarterly) by the Corporate Governance Manager in liaison with the Leads identified on the Register, with updates reported bi-monthly to the Executive Committee and quarterly via the Corporate Assurance Report to the Governing Body (pg. 27).
• Step 5 (Review the Risk): scoring amended to reflect the new Risk Scoring Matrix (pg. 29).
• Risk Scoring Matrix colour format amended to identify that risks scored 12 or below can be tolerated. Risks scored 15 and above are highlighted in red, cannot be tolerated and require regular review by the Audit Committee and Governing Body (pg. 36).
• Appendix B: Assurance Framework key notes and template amended to reflect the proposed risk scoring matrix and the corporate objectives (pg. 36).
• Definition of the risk assurance columns in the Assurance Framework: risks scored 13 or above require an action plan; a risk of 12 or below is tolerated. Risks to be reviewed quarterly (pg. 37).


INTEGRATED RISK MANAGEMENT FRAMEWORK - STRATEGY, POLICY & PROCEDURE

Contents (page)

Section A – Definitions 5-6
Section B – Strategy 7-13
Section C – Policy 14-22
  1. Policy Statement, Aims & Objectives 14-16
  2. Legislation & Guidance 16
  3. Scope 17
  4. Accountabilities & Responsibilities 17-20
  5. Dissemination, Training & Review 21-22
Section D – Procedure 23-32
  1. The Risk Management and Learning Process 23
     Step 1 – Identify the Risk 23-24
     Step 2 – Assess the Risk 24-25
     Step 3 – Evaluate the Risk 25-27
     Step 4 – Record the Risk 27-29
     Step 5 – Review the Risk 29-30
  2. Information Risk Management 30-31
  3. Embedding Risk Management 31
  4. Assurance Framework and Corporate Risk Register Links 32
Appendices
  Appendix A – Risk Assessment Scoring Tool 33-35
  Appendix B – Assurance Framework / Risk Register Template 36-40
  Appendix C – Generic Risk Assessment Template 41
  Appendix D – Equality Impact Assessment 42


Section A – Definitions

Risk: The chance that something will happen that will have an impact on the achievement of the organisation’s aims and objectives. It is measured in terms of consequence (the impact or magnitude of the effect of the risk occurring) and likelihood (the probability of the risk occurring).

Risk assessment: A process of identifying the hazards in a workplace so as to effectively eliminate or adequately control the risks.

Risk Management: A process that enables organisations to identify, analyse, control and monitor risks. By doing this we can protect our patients, visitors, contractors and employees.

Control: The measures which are in place to control a risk and reduce the likelihood of it occurring. Controls can be preventative, detective or directive. Effective control provides reasonable assurance that the organisation will achieve its objectives reliably, and enables it to respond to significant operational, financial and compliance risks.

Clinical Risk: Identified and managed in accordance with HSC 1999/065 ’Clinical Governance in the new NHS’. Clinical risk can be defined as direct risks relating to the care of the patient and the standards of care received on the patient’s journey. Issues that can have an impact on the standard of clinical care received include patient safety, safeguarding, consent issues, patient research studies, infection prevention & control, medicines management, clinical audit, and ensuring that there are sufficient staffing levels and that these staff are appropriately trained.

Organisational / Corporate Risk: Risks relating to the business of the organisation, such as communication, provision of goods and services, data protection, information systems and human resources, and risks that threaten the achievement of the organisation’s objectives. It also includes risks relating to the delivery of the organisation’s delivery plans and efficiency programme.

Financial Risk: Managed in accordance with the codes of Resource Accounting and Budgeting, supported by Standing Orders, Standing Financial Instructions and appropriate risk management plans. Financial risk can be defined as risks that threaten effective financial controls, including the systems to maintain proper accounting records. It is important that the organisation is not exposed to avoidable financial risk and that financial information used within NHS Doncaster CCG and for external publication is reliable.

Information Risk: Inherent in all activities; an information risk assurance process is set out as a requirement of the Information Governance Toolkit. Information risk management seeks to identify and control information risks in relation to business processes and functions, and is led by the Senior Information Risk Owner (SIRO).


Strategic Risk: Risks which affect the achievement of the organisation’s strategic objectives. Strategic risks are captured on the organisation’s Assurance Framework.

Operational Risk: Risks which affect the achievement of Directorate and more local objectives. Operational risks are captured on the organisation’s Risk Register.

Environmental Risk: Risks associated with organisational actions which may have an impact upon the environment.

Reputational Risk: Risks which affect public and stakeholder perception of the organisation.


Section B – Strategy

1. Introduction

1.1 NHS Doncaster Clinical Commissioning Group (CCG), which is the corporate body responsible for commissioning on behalf of its population, is committed to a strategy which minimises risks to all its stakeholders through a system of internal control, whilst maximising the potential for flexibility, innovation and best practice in the delivery of its strategic objectives.

1.2 The Integrated Risk Management Framework Strategy, Policy and Procedure sets out the CCG’s approach to managing risks of all kinds, including clinical, organisational, financial and information risks, at both an organisational and strategic level. It details the systems and arrangements, including the basic building blocks, for managing risk through the development and implementation of a comprehensive risk management system.

2. Aims and Objectives

2.1 The aim of this strategy is to promote risk management as an integral part of organisational business so that all risks associated with the delivery of commissioning objectives and decisions are identified and managed appropriately.

2.2 The objectives of this strategy, policy and procedure are to:
2.2.1 Promote awareness of risk and embed the approach to its management throughout the CCG;
2.2.2 Ensure that risk management is an integral part of the CCG’s culture;
2.2.3 Seek to identify, measure, control and report on any risk that would undermine the achievement of the CCG’s priorities, both strategically and operationally, through appropriate assessment criteria;
2.2.4 Where possible, eliminate or transfer risks or reduce them to an acceptable and cost-effective level, and otherwise ensure the organisation accepts the remaining risk.

3. Definitions
Definitions of the terms used in this strategy are included in Section A.

4. Scope
This strategy is applicable to all staff working for, on behalf of or commissioned to deliver services for the CCG (this includes all directly employed staff and bank, agency and contracted staff) and to all risks inherent in the business activities of the CCG.


5. Governance Structure

5.1 CCG Governing Body

5.1.1 The CCG Governing Body has overall responsibility for risk management. It is responsible for ensuring that a framework of systems and processes for effective risk management is in place and for monitoring compliance. It provides leadership, scrutiny, challenge and support for risk management. The Governing Body is responsible for assuring itself that the CCG identifies and effectively manages any risks within its activities which could affect the achievement of the strategic objectives, and for monitoring and agreeing further actions to mitigate these risks and any other significant non-strategic risks where the Governing Body feels that further control is required.

5.1.2 The Governing Body Assurance Framework (GBAF) is the tool used to identify, evaluate and monitor strategic risks to the achievement of its objectives and to record any actions taken to mitigate these risks. The Governing Body is responsible for reviewing the GBAF and for directing its Committees to review specific risks as appropriate.

5.1.3 The CCG Governing Body is responsible for receiving assurance from the Audit Committee, supported by Internal and External Audit activities, and from the other Committees of the Governing Body as appropriate, regarding the effectiveness of risk management, so that this can contribute to its annual judgement on the effectiveness of internal controls. The CCG Governing Body is ultimately and collectively responsible for effective risk management within the CCG. It discharges its functions in this respect both by setting, and monitoring compliance with, requirements for risk management within the CCG, and by directing a framework for the robust identification, measurement, mitigation and monitoring of strategic risks.

5.1.4 The Governing Body Assurance Framework is the principal means by which the Governing Body will capture and monitor the strategic risks to the delivery of its objectives.

5.1.5 The Assurance Framework is approved by the Governing Body at the start of each financial year, and the Governing Body will receive an updated report on a quarterly basis in line with the annual business cycle.

6. Risk Register

6.1 The risk register is a management tool that enables the CCG to understand its comprehensive risk profile. It is simply a repository of information detailing the totality of risks evident through the organisation’s activities (and inactivity) at both a strategic and operational level, including quality, clinical, financial and business risks.


7. Risk Appetite

7.1 The term ‘risk appetite’ refers to the level of risk an organisation is willing to take in pursuit of its strategic objectives.

7.2 NHS Doncaster CCG’s aim is to achieve an optimal response to risk, in accordance with an evaluation of the likelihood and consequences of a risk occurring. NHS Doncaster CCG recognises that some risks are prescribed to an organisation from outside, in addition to the risks the organisation identifies for itself.

7.3 If the assessment of the risk is higher than the risk appetite, further action should be taken to reduce the likelihood and/or impact of the risk occurring. If this is not possible, contingency plans should be put in place to bring the risk exposure level (residual risk) back within the expected range.

7.4 NHS Doncaster CCG recognises that some risks or hazards should never be encountered, whilst in other cases it is a matter of ensuring that the counter-measures taken to reduce the identified risks are proportionate, i.e. a conscious decision is taken regarding what is an acceptable level of risk, so that those who are responsible for managing the risk willingly consent to the possibility of predictable adverse consequences and have agreed appropriate risk mitigation plans in place to reduce the impact.

7.5 The adoption of a risk appetite statement is considered a fundamental aspect of risk management and is set out in a number of authoritative sources:

• Treasury guidance: it is essential that both private and public organisations set out the Board’s attitude to risk and that this is used to inform decision making.

• British Standard BS 31100 (Risk management – Code of practice and guidance for the implementation of BS ISO 31000) states: “the organisation should prepare a risk appetite statement which may provide direction and boundaries on the risk that can be accepted at various levels of the organisation, how the risk and any associated reward are to be balanced and the likely response”.

• The UK Corporate Governance Code sets out that: “The Board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems”.

7.6 The CCG shall prepare a risk appetite statement that shall be reviewed annually in line with the refresh of the CCG’s Board Assurance Framework.

7.7 The CCG risk appetite was established by the CCG’s Governing Body in November 2018 using the criteria in the following tables:

| Appetite | Finance | Compliance | Safety | Service Delivery |
|---|---|---|---|---|
| Adverse | Minor loss, <£1,000 | Marginal, very short term single non-compliance | Insignificant injury (no intervention) | Trivial impact / undetected by service users |
| Cautious | Small loss, £1,001 to £10,000 | Small, single short term non-compliance | Minor injury (local intervention) | Small impact / small disruption |
| Moderate | Moderate loss, £10,001 to £100,000 | Continuous single or a few short term non-compliances | Moderate injury (professional involvement) | Medium level impact / moderate disruption |
| Open | Significant loss, £100,001 to £1,000,000 | Multiple continuous non-compliances | Major injury (hospital stay) | Significant impact / serious disruption |
| Hungry | Extensive loss, >£1,000,000 | Multiple, long term, considerable non-compliances | Fatal injury | Substantial / complete service failure |

| Appetite | Approach to achieving aims / objectives | Potential reward / benefit from risk | Organisational structure |
|---|---|---|---|
| Adverse | Safe; exposure to only the very lowest levels of risk. | Very low | Little or no empowerment beyond the most senior team. Substantial control over activities. |
| Cautious | Protected; as little risk as relatively possible. | Low | Empowerment to senior and key middle managers. Strong control over some activities, more freedom for others. |
| Moderate | Balanced; exposure to middle-ground risks. | Medium | Authorisation to front-line managers. Control over some activities. Significant opportunity for others. |
| Open | Creative; raised levels of risk exposure. | High | Authorisation to all managers, supervisors and selected staff. Control over a small core of activities, significant opportunity for others. |
| Hungry | Revolutionary; substantial levels of risk. | Very high | Widespread empowerment to all managers and staff. Very few controls; individual schemes strongly encouraged and tolerated. |

Page 11: INTEGRATED RISK MANAGEMENT FRAMEWORK - STRATEGY, … · Framework will be regularly reviewed and updated (at least quarterly) by the Head of Corporate Governance in liaison with Leads

11

7.8 Overall Risk Appetite
NHS Doncaster CCG has an overall moderate to open risk appetite. The CCG will act in accordance with this risk appetite to support its delivery of the corporate objectives.


7.9 Safety Risks
The CCG has accepted a moderate appetite for risks relating to safety. This covers a number of areas, including where constitutional targets not being met puts patient safety at risk, as well as the commissioning of safe services. The impact of decisions on patients and the safe delivery of services is vitally important.

7.10 Financial Risks
The CCG has accepted an open appetite for financial risk, covering a loss of between £100,000 and £1,000,000, although this is dependent upon circumstances. A loss that could have been anticipated through horizon scanning or risk management is less tolerable than one arising from a change in system position.

7.11 Compliance Risks
A moderate appetite has been accepted for compliance risks, except where the safety of patients is impacted. The CCG takes its statutory duties and obligations seriously, and compliance will therefore be achieved insofar as the control remains within the CCG. Where a failure directly impacts patient safety, the appetite for the risk is low.

7.12 Service Delivery Risks
An open appetite has been accepted for service delivery risks, but not where this compromises patient safety. For example, a staffing issue could cause difficulties in meeting the needs of the service; this is tolerated by the CCG and does not require escalation to senior managers. However, the CCG does not tolerate this risk if patients are put at risk.

8. Staff
8.1 All members of staff have an important role to play in identifying, assessing and managing risk; guidance on the risk process is at Appendix 3. To support staff in this, the CCG provides a fair, consistent environment and encourages a culture of openness and willingness to admit mistakes.

9. ACCOUNTABILITY, RESPONSIBILITY AND ORGANISATIONAL FRAMEWORK
9.1 The Chief Officer has overall accountability for risk management. A list of operational responsibilities for risk management is included within the Policy, Section 4.

9.2 Board Assurance Framework (BAF)
9.2.1 The Assurance Framework provides a comprehensive method for the effective and focussed management of the principal risks and assurances relating to meeting and delivering the organisation’s corporate objectives.
9.2.2 The Governing Body will be presented, on a quarterly basis, with a report of all risks graded at Level 13 or above using the risk matrix.
9.2.3 When linked with the Risk Register, the Assurance Framework formalises the process of securing assurance and scrutinising risk, which is inherent in any effective risk management and accountability process.
9.2.4 The Governing Body has defined a set of strategic objectives in line with the delivery of local strategy and outcomes, national targets and statutory responsibilities. These are underpinned by a number of principal objectives and are continuously reviewed to ensure that risks with the potential to impact on delivery or achievement are identified.
9.2.5 Risk Registers
NHS Doncaster CCG has a corporate risk register which captures the corporate risks; this enables them to be analysed against the organisational objectives to ensure action is being taken to mitigate the risk. The risk registers are reviewed and updated on a regular basis by the responsible leads within their teams.
9.2.6 Information Risk Management
The Senior Information Risk Owner (SIRO) is responsible for coordinating the development and maintenance of information risk management policies, procedures and standards for the CCG.
The SIRO is responsible for the ongoing development and day-to-day management of the CCG’s Risk Management Programme for information privacy and security. CCG Information Asset Owners (IAOs) shall ensure that information risk assessments are performed at least bi-annually on all information assets for which they have been assigned ‘ownership’. Assessments are completed as part of the Information Asset Register. Further guidance on the completion of information risk assessments can be found in the IAO Role and Responsibilities guidance document.

10. Monitoring the Strategy
10.1 A risk report is presented to every meeting of the Audit Committee. This report highlights the progress against all high and medium risks, lists any new risks identified and any which have been closed.

11. Implementation
11.1 The effective implementation of this strategy, along with staff training, will provide awareness of the need to prevent, control and contain risk.

12. Equality Impact Analysis
12.1 This strategy is fundamental to how the CCG operates but is an internal, management-focused document and does not directly impact on the public. It will not have a differential impact on any equality group.
12.2 This strategy could help identify risks within the organisation which impact on equality and diversity.
12.3 The equality impact findings show the strategy does not appear to have any adverse effects on people who share Protected Characteristics. The full Equality Impact Analysis and action plan is available through the Corporate Governance Manager.


Section C – Policy

1. Policy Statement, Aims and Objectives

1.1. It is the policy of NHS Doncaster CCG (the CCG) to control risks to patients and to the organisation as far as is reasonably practicable and in accordance with current guidance, legislation and best practice. The CCG recognises and accepts its duty and legal responsibility to provide a safe and healthy working environment for all its employees, patients, visitors and all others who may be affected by the working activities of the CCG.

1.2. In every activity carried out within and on behalf of the CCG there will be inherent risks. The CCG is committed to the management of risk throughout all its activities. It aims to promote risk management principles and practices throughout the organisation so that each employee becomes an active participant.

1.3. The NHS Doncaster CCG Governing Body is committed to ensuring adequate resources are available for the implementation of risk management systems and processes and for embedding risk management into the culture of the organisation. Risk management is regarded as part of the continuous quality improvement, business planning and organisational development agendas of the organisation.

1.4. NHS Doncaster CCG has a proactive approach aiming to identify, assess, evaluate, record and review risks, so as to reduce the likelihood of them causing harm to patients or staff or loss to NHS Doncaster CCG, and to reduce the impact of such harm or losses should they occur. The Governing Body recognises that risk management is an essential element of good management practice and, to be most effective, needs to become part of NHS Doncaster CCG’s culture. The Governing Body is, therefore, committed to ensuring that risk management forms an integral part of its philosophy, practices and business planning processes.

1.5. NHS Doncaster CCG aims to take all reasonable steps in the management of risk with the overall objective of protecting patients, staff and assets. The aim of this policy is to ensure that all significant risks associated with the business of NHS Doncaster CCG are identified, assessed, evaluated, recorded, reviewed, managed appropriately and effectively, and reduced to the minimum practicable level. In order to achieve this, it is necessary to:

• Define a coordinated approach for the management of risk across all its activities.
• Satisfy all statutory and mandatory duties.
• Promote safe working practices aimed at the reduction or elimination of risk, as far as is reasonably practicable.
• Raise awareness of risk and its management through a programme of communication, education and training.


1.6. Information Risk Management aims to:

• Protect NHS Doncaster CCG from those information risks of significant negative consequence and likelihood in the pursuit of NHS Doncaster CCG’s stated strategic goals and objectives.
• Meet legal, statutory and NHS policy requirements.
• Assist in safeguarding NHS Doncaster CCG’s information assets: people, finance, property and reputation.

1.7. The following table sets out our strategic objectives for risk management in the first column and our methods for delivery in the second. Actions detailed in the “Delivery” column are reported through quarterly Corporate Assurance Reports to the Governing Body.

Objective Delivery

To ensure sound systems of risk management are in place to identify, assess, evaluate, record and review all significant risks to the organisation, our patients, staff and visitors.

We will deliver this through:

• Integrated Risk Management Framework Strategy, Policy and Procedure.

• Provision of risk management training to staff based on a regular training needs assessment.

• Collation and monitoring of risk assessments through the Risk Register and Assurance Framework of the organisation.

• Incident management recording, thematic analysis and reporting.

To ensure information risk management is integrated into the organisation’s Information Governance Framework to assist in safeguarding the organisation’s information assets, people finance, property and reputation.

We will deliver this through:

• Regular reporting and review of information risks by the Senior Information Risk Owner (SIRO).

• Development, implementation and reporting of a Caldicott Annual Work Plan; Caldicott Log collation and reporting.

• Development, implementation and reporting of an Information Security Action Plan.

• Annual completion of the Information Governance Toolkit to achieve a Level 2 across all standards.


Objective Delivery

To ensure risk management processes are in place to provide assurance to the Governing Body through the Assurance Framework, the Annual Governance Statement and regular Corporate Assurance reporting.

We will deliver this through:

• Regular review of the Assurance Framework.

• Regular reporting to Governing Body and any delegated Committees.

• Production of the Annual Governance Statement.

• Serious Incident Reporting.

• Complaints Reporting.

• Claims reporting.

• Standing Orders and Financial Policies.

• Financial reporting to Governing Body.

• Fraud Risk Assessment and Workplan.

2. LEGISLATION AND GUIDANCE 2.1. The following legislation has been taken into consideration in the development

of this policy and procedure:

• Health and Social Care Act 2006 and as amended 2012 • Health and Safety at Work Act 1974 • The Management of Health and Safety at Work Regulations 1999 • Current Data Protection Legislation

2.2. A number of other procedural documents are related to this policy and should

be read in conjunction as shown below:

• Incident Management Policy • Complaints Policy • Disciplinary Policy • Fire Safety Policy • Fraud, Bribery and Corruption Policy • Health and Safety Policy • Information Governance Strategy, Framework and associated IG

Procedures • Information Management and Technology Strategy • Security Policy • Standards of Business Conduct and Conflicts of Interest Policy

Page 17: INTEGRATED RISK MANAGEMENT FRAMEWORK - STRATEGY, … · Framework will be regularly reviewed and updated (at least quarterly) by the Head of Corporate Governance in liaison with Leads

17

• Whistleblowing Policy 3. SCOPE 3.1. This policy applies to those members of staff that are directly employed

by NHS Doncaster CCG and for whom NHS Doncaster CCG has legal responsibility. For those staff covered by a letter of authority / honorary contract or work experience this policy is also applicable whilst undertaking duties on behalf of NHS Doncaster CCG or working on NHS Doncaster CCG premises and forms part of their arrangements with NHS Doncaster CCG. As part of good employment practice, agency workers are also required to abide by NHS Doncaster CCG policies and procedures, as appropriate, to ensure their health, safety and welfare whilst undertaking work for NHS Doncaster CCG.

4. ACCOUNTABILITIES AND RESPONSIBILITIES

4.1. Overall accountability for risk within NHS Doncaster CCG lies with the Chief Officer who has overall responsibility for establishing and maintaining an effective risk management system within NHS Doncaster CCG, for meeting all statutory requirements, and adhering to guidance issued by the Department of Health in respect of Governance. The Chief Officer is the Accountable Officer responsible for ensuring a sound system of internal control is maintained that supports the achievement of the organisation’s aims and objectives. This responsibility for risk is delegated to the following individuals:

Associate Director of HR and Corporate Services (or equivalent)

Has delegated responsibility for driving the development of the risk management framework strategy, policy & procedure, for managing the development and implementation of non-clinical risk management (excluding financial risk management), complaints, patient experience and corporate governance. Is the responsible officer for implementing the system of internal control and the Assurance Framework and Risk Register of NHS Doncaster CCG.

Head of Corporate Governance (or equivalent)

The Senior Information Risk Owner (SIRO) for NHS Doncaster CCG with responsibility for information risk management. The SIRO is the focus for the management of information risk at Governing Body level. The role of SIRO requires the nominated lead to:

• Lead and foster a culture that values, protects and uses information for the public good.

• Own the overall information risk policy and risk assessment process, test its outcome, and ensure it is used.

• Advise the Accountable Officer on the information risk aspects of the Annual Governance Statement.

• Understand how the strategic business goals of NHS Doncaster CCG may be impacted by information risks.

• Act as an advocate for information risk, providing a focal point for the resolution and / or discussion of information risks.

• Ensure that information security threats are followed up and incidents managed through appropriate action plans.

• Provide up-to-date information to the Accountable Officer and Governing Body on information risks.

Chief Nurse (or equivalent)

Has delegated accountability for managing the development and implementation of clinical risk management, clinical governance and patient safety including safeguarding. This includes clinical and professional responsibility for clinical staff employed by NHS Doncaster CCG. Has delegated responsibility for safeguarding adults, safeguarding children, Infection Prevention & Control and managing and overseeing the performance management of serious incidents. The Chief Nurse is also the Caldicott Guardian. The Caldicott Guardian is advisory, is the conscience of the organisation, provides a focal point for patient confidentiality & information sharing issues and is concerned with the management of patient information.

Chief Finance Officer

Has delegated responsibility for the development and implementation of financial risk management and financial governance including those relating to efficiency programmes and the maintenance of key financial controls.

Head of IT (or equivalent)

Has delegated responsibility for the development and implementation of Information Technology risk management.

Health, Safety & Security Lead (or equivalent)

Responsibilities include:

• Ensuring that systems are maintained to manage health, safety & security risk effectively.

• Being the Nominated Competent Person for all Health, Safety & Security issues.

• Providing expert advice and training on risk, health and safety and security.

• Ensuring health and safety, fire and security incidents are investigated appropriately and trends identified.

• Liaising with the Health and Safety Executive and the Medicines Healthcare Regulatory Agency.

• Ensuring that notification to external agencies regarding serious incidents takes place (e.g. RIDDOR).

• Providing update reports on health, safety & security risk.

Corporate Governance Manager (or equivalent)

• Maintaining the Risk Register of the organisation and reporting this appropriately.

• Maintaining the Information Governance / Information Risks systems and processes of the organisation and reporting these appropriately.

Line Managers

All line managers are accountable and responsible for the management of risks in their areas of responsibility. This is key to continuous quality improvement, effective business planning and organisational development. Key responsibilities are:

• Identifying and monitoring risks associated with their working practices and their areas of responsibility.

• Ensuring that risk assessments are undertaken throughout their area of responsibility on a proactive basis.

• Implementing and monitoring appropriate risk control measures within their designated areas. Where implementation of risk control measures is beyond the authority or resources available to the manager, this should be brought to the attention of their line manager or the Corporate Governance Manager or Health, Safety and Security Lead.

• Ensuring all staff are aware of risks within their workplace and providing adequate information, instruction and training to enable them to work safely.

• Ensuring attendance of staff at appropriate risk management training sessions commensurate with their role.

• Notifying to the Corporate Governance Lead all risks identified for inclusion in the Risk Register or Assurance Framework.

• Ensuring risks are captured in minutes of Committee / Group discussions and escalated appropriately.

• Seeking advice on risk management issues, as required, and liaising with relevant specialist risk advisors where necessary.

Staff

Responsibilities of Staff (including all employees, whether full/part time, agency, bank or volunteers) are:

• General risk awareness at all times.

• Notifying line managers of any identified hazards or risks.

• Reporting incidents, hazards and near misses in line with NHS Doncaster CCG’s Incident Management Policy or equivalent.

• Acceptance of personal responsibilities for maintaining a safe environment.

• Awareness of the Integrated Risk Management Framework Strategy, Policy and Procedure and associated procedural documents.

• Attendance at all relevant risk management training or completion of online risk training.

4.2. The NHS Doncaster CCG Governing Body is accountable for the performance management of NHS Doncaster CCG’s Integrated Risk Management Framework Strategy, Policy and Procedure and systems of clinical, financial and organisational control, and oversees the overall system of risk management and assurance to satisfy itself that NHS Doncaster CCG is fulfilling its organisational responsibilities and public accountability.

The NHS Doncaster CCG Governing Body uses the risk management processes outlined in this policy as a means to help it achieve its goals and provides a clear commitment and direction for Risk Management within NHS Doncaster CCG. The Governing Body has also delegated responsibility for some aspects of risk management to two main Committees, listed below. This is in order to ensure a holistic approach to risk management, whilst recognising that there are distinct and specialist risks within NHS Doncaster CCG. Risks are also considered at other Committees of the Governing Body relevant to their areas of delegated responsibility.

• Audit Committee – responsible for reviewing the establishment and maintenance of an effective system of governance, risk management and internal control across the whole of the organisation’s activities (both clinical and non-clinical including information and financial risk) to support the achievement of the organisation’s objectives. Responsible for agreeing and monitoring the Internal Audit work plan and seeking assurance to ensure development of the Annual Governance Statement.

• Quality and Patient Safety Committee – responsible for overseeing and reporting to the Governing Body, and providing assurance to the Audit Committee and Governing Body on clinical risk management and research governance within NHS Doncaster CCG.

5. DISSEMINATION, TRAINING & REVIEW

5.1. Dissemination

5.1.1. The effective implementation of this Integrated Risk Management Framework Strategy, Policy and Procedure will facilitate the delivery of quality commissioning and, alongside staff training and support, will provide an improved awareness of the measures needed to prevent, control and contain risk.

5.1.2. NHS Doncaster CCG will:

• Ensure all staff and stakeholders have access to a copy of this Integrated Risk Management Framework Strategy, Policy and Procedure via the organisation’s website.

• Communicate to staff any relevant action to be taken in respect of risk issues.

• Develop policies, procedures and guidelines based on the results of assessments to assist in the implementation of this strategy and policy.

• Ensure that training programmes raise and sustain awareness of the importance of identifying and managing risk.

• Ensure that staff have the knowledge, skills, support and access to expert advice necessary to implement the policies, procedures and guidelines associated with this strategy, policy and procedure.

5.1.3. The Integrated Risk Management Framework Strategy, Policy and Procedure is located in the General Policy Manual. A set of hardcopy Procedural Document Manuals are held by the Governance Team for business continuity purposes and all procedural documents are available via the organisation’s website. Staff are notified by email of new or updated procedural documents.

5.2. Training

5.2.1. Staff will be offered risk management training commensurate with their duties and responsibilities.

5.2.2. Governing Body members require risk management training every two years in accordance with national guidance.

5.2.3. The Human Resources Department is responsible for booking staff onto courses. Attendance at training is also monitored by the Human Resources team, who follow up non-attendees via email and report non-attendance to line managers. Training attendance is entered onto the Electronic Staff Record system.

5.2.4. NHS Doncaster CCG has access to Competent Person advice for Health, Safety and Security, and Fire. This ensures that a link for information, advice and training where necessary on these specialist issues is available.

5.3. Review

5.3.1. As part of its development, this policy and its impact on staff, patients and the public has been reviewed in line with NHS Doncaster CCG’s Equality Duties. The purpose of the assessment (refer to Appendix D) is to identify and if possible remove any disproportionate adverse impact on employees, patients and the public on the grounds of the protected characteristics under the Equality Act.

5.3.2. The Integrated Risk Management Framework Strategy, Policy and Procedure will be reviewed every three years, and in accordance with the following on an as and when required basis:

• Legislative changes

• Good practice guidelines

• Case Law

• Significant incidents reported

• New vulnerabilities identified

• Changes to organisational infrastructure

• Changes in practice

Section C - Procedure

1. The Risk Management and Learning Process

Risk assessment is a continuous process in ensuring that NHS Doncaster CCG works within the legal and regulatory framework, identifying and assessing possible risks facing the organisation, and planning to prevent and respond to these. The process of risk management covers the following five steps to risk assessment:

STEP 1 - Look for the hazards.
STEP 2 - Decide who might be harmed and how.
STEP 3 - Evaluate the risks and decide whether the existing controls are adequate or whether more should be done.
STEP 4 - Record your findings and report these appropriately.
STEP 5 - Review your assessment and revise it if necessary.

Step 1 – Identify the Risk

Step 1 in the Five Steps to Risk Assessment is to identify the risk. We cannot manage our risks effectively unless we know what the risks are. Risk identification is therefore vital to the organisational success of the risk management process. Risks can be actual, emerging or potential.

All staff within NHS Doncaster CCG may identify risks through the course of their work and their interaction with patients, the public, partner organisations and other key stakeholders. Risk identification should take place on a continual basis, but particularly where new activities are planned, new legislation or NHS policy requirements are identified, at the initiation of projects or where incidents or near misses have taken place. Committees of the Governing Body should consider any risks emerging from discussions within the meeting.

There are various types of risk that may be identified:

• A clinical risk to patients.

• A risk of not effectively commissioning or performance managing a service.

• A risk of not achieving organisational, programme or project outcomes.

• A risk to organisational reputation.

• A risk around financial governance.

• A risk relating to information and confidentiality.

• A risk to Health and Safety.

• A risk associated with staffing.

There are a number of methods of identifying risk (this is not an exclusive list):

• Assurance Framework review

• Audits

• Business planning process

• Claims analysis and investigation

• Complaints analysis and investigation

• Equality Analysis

• Exit interviews

• External reviews and reports (e.g. Care Quality Commission, Health and Safety Executive)

• Incidents / Near misses analysis and investigation

• Internal Reports (e.g. Fire Officers Reports, Finance Reports, Performance Reports, Quality Reports)

• Media interest

• New legislation

• NHS Litigation Authority

• Risk Register review and update

• Root Cause Analysis

• Patient experience data

• Patient safety data including safeguarding

• Reviews of procedural documents

• Risk Assessments

• Serious Incidents (SIs)

• Sickness absence rates

• Staff Survey

• Training

• Staff Side and Colleague Engagement Group

• Use of statistical data

• Whistleblowing disclosures

Step 2 – Assess the Risk

Step 2 in the Five Steps to Risk Assessment is identifying the people who are at risk from each of the identified risks. The main categories of people who are affected by risks are:

• Employees

• Patients

• Visitors to the premises

• Contractors working on the premises

• “Others” which covers particularly vulnerable groups who may be more at risk than others, such as pregnant women or inexperienced staff.

• The corporate body e.g. through reputational risks.

Step 3 – Evaluate the Risk

Step 3 in the Five Steps to Risk Assessment is evaluating the risk. Employers are required to make suitable and sufficient assessments of significant risks that arise out of work activity so as to implement preventative and protective measures. All new activities / programmes / projects must have a formal risk assessment undertaken as part of the implementation of the activity / programme / project. A business case template for this purpose is provided in the Standards of Business Conduct and Conflicts of Interest Policy. Risk assessment is also required on the coversheet of formal papers to the Governing Body and Committees.

In order to score risks systematically so that they can be classified and remedial action can be prioritised, it is necessary for all risks to be quantified using a standard methodology. The full Risk Assessment scoring methodology for the organisation is shown in Appendix A and should be used for all risk assessments within the organisation. To use the tool it is necessary to identify the consequences and likelihood of occurrence of harm from the risk. From this, the level of risk can be calculated as a risk score:

Consequence / Impact x Likelihood = RISK SCORE

The consequence score is derived from the most probable consequence of a particular risk occurring, and not from the worst imaginable and extremely improbable consequence of a particular risk occurring. Once set, it is unusual for the consequence score to change over time. The likelihood score is derived from the likelihood of the risk occurring following the implementation of controls. Controls are measures which are in place to control the risk and reduce its likelihood of occurring. Controls can be:

• Preventative (controls which stop the risk occurring e.g. access controls, financial authorisation levels).

• Detective (controls which identify if the risk is threatening to occur e.g. performance monitoring reports).

• Directive (controls such as instructions or guidance which aim to reduce the likelihood of the risk occurring e.g. policies, training).

When scoring risks, an “uncontrolled risk score” is the score if there were no controls in place. This helps the organisation to prioritise risks. The “actual risk score” is the current score with the current controls in place. This allows construction of a risk matrix (Appendix A, Table 3, page 33) which can be used as the basis of identifying acceptable and unacceptable risk as shown below.

NHS Doncaster CCG regards any risk with a score of 12 or below to be an acceptable level of risk for toleration by the organisation. This does not preclude actions being taken to further mitigate risks to the lowest practicable level.

In risk management terms, “assurances” are those measures which are in place to check that the key controls for the risk are operating effectively e.g. reports, audits. Assurances can be broken down into:

• Internal assurances such as internal reports.

• External assurances such as the independent External and Internal Audit Reports.

• Positive assurances: validated proof that the assurances are working and the risk is controlled.

Gaps in control or assurance are those that, if addressed, would reduce the risk score. Once scored and gaps identified, risks can be:

• Treated (via an action plan). In many cases action can be taken to change the way in which activities are carried out in order to reduce the risk identified. All risks scored as 12 or over must be treated. See also the risk hierarchy below.

• Tolerated: Low and medium risks can be accepted as requiring no further action. On reviewing this type of risk, it may however be decided that some further cost effective action would reduce the risk score still further. Action on this level of risk is a lower priority.

• Transferred (e.g. to another organisation). NHS Doncaster CCG is a member of the Liabilities to Third Parties (LTPS), Property Expenses Scheme (PES) and Clinical Negligence Scheme for Trusts (CNST) risk pooling schemes run by the NHS Litigation Authority (NHSLA). This membership transfers some financial risk to these risk pooling schemes. Not all risks are suitable for risk transfer.

• Terminated. It may be decided that a particular risk should be avoided altogether. This may involve ceasing the activity giving rise to the risk.

Risk treatment generally follows the following sequence (called the “Hierarchy of Controls”), starting at the top and working down the hierarchy.

• Can the risk be eliminated entirely? E.g. remove and condemn a piece of equipment that keeps shorting out and poses the risk of electric shock.

• Can we make a substitution, substituting one item for another that is less harmful? E.g. substituting a detergent for a corrosive cream cleaner.

• Can we put in place physical or mechanical engineering controls such as guards, barriers and isolation?

• Can we put in place administrative controls such as supervision or training, information and induction, policies, protocols and safe systems of work to ensure that people working with risks are suitably informed and trained and know what to do if something goes wrong?

• Finally, can we use personal protective equipment (PPE) such as gloves, aprons and masks?

Where risk treatment plans require significant additional funding above that available within individual budgets or within NHS Doncaster CCG contingencies under the delegated authority of the Chief Finance Officer, or changes to the working patterns of NHS Doncaster CCG, these decisions will be made by the Governing Body.

Risk assessments are carried out for a variety of activities, however, additional risk assessments must be carried out by Line Managers or other corporate persons in accordance with the following:

• Health and Safety

• Control of Substances Hazardous to Health (COSHH)

• Display Screen Equipment

• Moving and Handling

• Work Equipment

• Personal Safety

• Fire Safety

• Pregnancy & Maternity

Line Managers are responsible for implementing and monitoring any identified appropriate risk control measures within their designated areas. Where implementation of risk control measures is beyond the authority or resources available to the line manager, this should be brought to the attention of the Health and Safety Lead or Corporate Governance Manager as appropriate. Clinical risks including patient safety and safeguarding risks must be notified to the Chief Nurse (or equivalent).

Step 4 – Record the Risk

All risk assessments must be recorded on NHS Doncaster CCG’s approved risk assessment templates as detailed below.

Assurance Framework

The Assurance Framework is used for recording strategic risks (i.e. risks affecting achievement of the CCG’s strategic objectives). The Assurance Framework is coordinated by the Head of Corporate Governance (on behalf of the Associate Director of HR and Corporate Services), to whom risks should be reported. The Assurance Framework will be regularly reviewed and updated (at least quarterly) by the Head of Corporate Governance in liaison with Leads identified on the Framework and updates reported quarterly to the Governing Body. The Framework will also be regularly reported to and reviewed by the Audit Committee. The Assurance Framework / Risk Register template is shown at Appendix B.

Risk Register

The Risk Register is used for recording operational directorate-level risks (risks which underpin strategic Assurance Framework risks). The Risk Register is coordinated by the Corporate Governance Manager, to whom risks should be reported. The Risk Register will be regularly reviewed and updated (at least quarterly) by the Corporate Governance Manager in liaison with Leads identified on the Register and updates reported bi-monthly to the Executive Committee and quarterly via the Corporate Assurance Report to the Governing Body. The Register will also be reported to and reviewed by the Audit Committee on an annual basis. The Framework / Risk Register template is shown at Appendix B.

Project Risk Logs

Project Risk Logs are used for recording project-level risks (risks associated with specific projects which may underpin operational risks on the Risk Register). Project Risk Logs are coordinated by Project Leads. Where relevant, the overarching risk from each Project should be entered onto the Risk Register by the Project Lead, liaising with the Corporate Governance Manager. The Project Lead has responsibility to maintain any Project Risk Log developed. The generic risk assessment template is shown at Appendix C.

Generic risk assessments

Generic risk assessments can be undertaken for areas where none of the other risk templates apply e.g. specific public engagement events. Risks arising out of generic risk assessments should be reported appropriately to the Head of Corporate Governance, Corporate Governance Manager, Project Lead or Health & Safety Lead dependent on the nature and severity of the risk. The generic risk assessment template is shown at Appendix C.

Specific risk assessments

There are a range of specific risk assessments which may be required. This is not an exclusive list – see individual procedural documents for further details and reporting arrangements.

• Health and Safety

• Control of Substances Hazardous to Health (COSHH)

• Display Screen Equipment

• Moving & Handling

• Work Equipment

• Personal Safety

• Fire Safety

• Pregnancy & Maternity

Step 5 – Review the Risk

All risk assessments should be reviewed on a regular basis or when activities change. The nominated lead as detailed in Step 4 is responsible for updating any changes to the risk assessment (whether on the Assurance Framework or Risk Register) and ensuring that actions are implemented. Identified risks will be reviewed on the following basis:

Score     Category     Review frequency
1-3       Low          Annually
4-6       Medium       6-monthly
8-12      High         Quarterly
15-20     Very High    Monthly
25        Extreme      Weekly

The assurance process is the process which NHS Doncaster CCG is required to undertake to ensure a sound system of internal control is maintained which supports the achievement of the organisation’s policies and objectives. The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk; it can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on an on-going process designed to:

• Identify and prioritise the risks to the achievement of the organisation’s policies, aims and objectives.

• Evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically.
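To make the Step 3 scoring rules and the Step 5 review table concrete, here is an added Python example; it is not part of the framework or any CCG tooling. It assumes 1-5 consequence and likelihood scales (Appendix A is not reproduced here), approximates each review frequency as a day count, uses constructed register entries, and applies the "12 or below is tolerable" and "12 or over must be treated" thresholds exactly as the text states them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Score bands from the Step 5 review table: (low, high, category, review frequency).
BANDS = [
    (1, 3, "Low", "Annually"),
    (4, 6, "Medium", "6-monthly"),
    (8, 12, "High", "Quarterly"),
    (15, 20, "Very High", "Monthly"),
    (25, 25, "Extreme", "Weekly"),
]

# Day counts used to compute a next-review date; these are an assumption, the
# framework only names the frequency.
REVIEW_DAYS = {"Annually": 365, "6-monthly": 182, "Quarterly": 91, "Monthly": 30, "Weekly": 7}

TOLERANCE_THRESHOLD = 12   # "a score of 12 or below" is tolerable ...
TREATMENT_THRESHOLD = 12   # ... and "12 or over must be treated", both as written.


def risk_score(consequence: int, likelihood: int) -> int:
    """Consequence / Impact x Likelihood = RISK SCORE, each on a 1-5 scale (assumed)."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return consequence * likelihood


def band(score: int) -> Tuple[str, str]:
    """Map a score to (category, review frequency). Scores such as 7 or 14 cannot be
    produced by a 5x5 matrix, so anything outside the bands is rejected, not guessed."""
    for low, high, category, frequency in BANDS:
        if low <= score <= high:
            return category, frequency
    raise ValueError(f"score {score} is not reachable on the 5x5 matrix")


@dataclass
class Risk:
    title: str
    consequence: int              # most probable consequence, not the worst imaginable
    uncontrolled_likelihood: int  # likelihood with no controls in place
    controlled_likelihood: int    # likelihood with the current controls in place
    controls: List[str] = field(default_factory=list)
    information_risk: bool = False
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        # Controls only ever reduce likelihood, and a reduction needs a named control.
        if self.controlled_likelihood > self.uncontrolled_likelihood:
            raise ValueError("controls cannot increase likelihood")
        if not self.controls and self.controlled_likelihood != self.uncontrolled_likelihood:
            raise ValueError("a reduced likelihood must be justified by at least one control")

    @property
    def uncontrolled_score(self) -> int:
        return risk_score(self.consequence, self.uncontrolled_likelihood)

    @property
    def actual_score(self) -> int:
        return risk_score(self.consequence, self.controlled_likelihood)


def assess(risk: Risk) -> dict:
    """Classify one register entry and derive its treatment and review obligations."""
    score = risk.actual_score
    category, frequency = band(score)
    result = {
        "title": risk.title,
        "uncontrolled_score": risk.uncontrolled_score,
        "actual_score": score,
        "category": category,
        "review_frequency": frequency,
        "within_tolerance": score <= TOLERANCE_THRESHOLD,
        "must_treat": score >= TREATMENT_THRESHOLD,
        # Very high and extreme information risks go to the SIRO as soon as identified.
        "escalate_to_siro": risk.information_risk and category in ("Very High", "Extreme"),
        "next_review": None,
    }
    if risk.last_reviewed is not None:
        result["next_review"] = risk.last_reviewed + timedelta(days=REVIEW_DAYS[frequency])
    return result


# Constructed sample register entries; none of these come from the framework.
SAMPLE_REGISTER = [
    Risk("Patient data on unencrypted laptop lost or stolen", consequence=4,
         uncontrolled_likelihood=4, controlled_likelihood=2,
         controls=["Full-disk encryption", "Asset register and remote wipe"],
         information_risk=True, last_reviewed=date(2018, 2, 1)),
    Risk("Shared administrator account on finance system", consequence=5,
         uncontrolled_likelihood=4, controlled_likelihood=4,
         information_risk=True, last_reviewed=date(2018, 2, 1)),
    Risk("Trip hazard from trailing cables in meeting room", consequence=2,
         uncontrolled_likelihood=3, controlled_likelihood=1,
         controls=["Cable covers", "Induction briefing"], last_reviewed=date(2018, 2, 1)),
]


def assess_register(register: List[Risk] = SAMPLE_REGISTER) -> List[dict]:
    """Assess every entry, highest actual score first, as a register report would list them."""
    return sorted((assess(r) for r in register), key=lambda a: -a["actual_score"])


if __name__ == "__main__":
    for a in assess_register():
        print(f'{a["actual_score"]:>2} {a["category"]:<9} review {a["review_frequency"]:<9}'
              f' treat={a["must_treat"]} siro={a["escalate_to_siro"]} {a["title"]}')
```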

NHS Doncaster CCG is committed to establishing and maintaining assurance processes to ensure an adequate level of assurance is provided which will enable the Accountable Officer (Chief Officer) to sign the Annual Governance Statement. NHS Doncaster CCG will ensure there is Governing Body approved Assurance Framework which:

• Covers all of NHS Doncaster CCG’s main activities.

• Identifies which objectives NHS Doncaster CCG is aiming to achieve.

• Identifies the risks to the achievement of those objectives.

• Evaluates and assesses those risks and records them appropriately.

• Identifies and examines the system of internal control in place to manage the risks.

• Identifies and examines the review and assurance mechanisms which relate to the effectiveness of the system of internal control.

• Records the actions taken by NHS Doncaster CCG to address gaps in control and assurance.

2. Information Risk Management

The principles of information security require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data from taking place. In the case of the NHS, the most sensitive of our data is patient record information. In practice, this is applied through three cornerstones - confidentiality, integrity and availability.

• Information must be secured against unauthorised access – confidentiality.

• Information must be safeguarded against unauthorised modification – integrity.

• Information must be accessible to authorised users at times when they require it – availability.

Information security risk is inherent in all administrative and business activities and everyone working for or on behalf of the organisation continuously manages information security risk. The aim of information security risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise and manage the risks involved in organisational activities. It requires a balance between the cost of managing and treating information security risks with the anticipated benefits that will be derived.

The Senior Information Risk Owner (SIRO) is responsible for coordinating the development and maintenance of information risk management policies, procedures and standards for the CCG. CCG Information Asset Owners (IAOs) ensure that information risk assessments are performed regularly on all information assets where they have been assigned ‘ownership’, following guidance from the SIRO on assessment method, format, content, and frequency. Information risk assessments should be performed on a regular basis for key information systems and critical information assets. Information Risk assessments must also be undertaken at the following times:

• At the inception of new systems, applications and facilities that may impact the assurance of NHS Doncaster CCG Information or Information Systems.

• Before enhancements, upgrades, and conversions associated with critical systems or applications.

• When NHS policy or legislation requires risk determination.

• When the NHS Doncaster CCG Management team / Governing Body requires it.

Information incident reporting will be in line with the organisation’s Incident Management Policy. All very high and extreme information risks should be reported to and discussed with the Senior Information Risk Owner (SIRO) as soon as they are identified. The Senior Information Risk Owner (SIRO) will coordinate and monitor implementation of an annual Information Security Management and Assurance Plan.

3. Embedding Risk Management

The effective implementation of this Integrated Risk Management Framework Strategy, Policy & Procedure will facilitate the delivery of quality commissioning and, alongside staff training and support, will provide an improved awareness of the measures needed to prevent, control and contain risk. NHS Doncaster CCG ensures stakeholders are involved in managing risks which impact on them by the following mechanisms:

• Communication, Engagement and Experience Strategy.

• Commissioning arrangements involving a wide range of partner NHS organisations.

• Joint commissioning arrangements with the local authority.

• Governing Body meetings held in public.

• Patient Experience data.

• Publication of the Integrated Risk Management Framework Strategy, Policy & Procedure with its key partners and the public through the NHS Doncaster CCG website.

• Meeting the public sector Equality Duties.


4. Assurance Framework and Corporate Risk Register Links

The Assurance Framework of the CCG captures and provides assurance on those (strategic) risks that are threats and opportunities to achieving the CCG’s Corporate Objectives. The Corporate Risk Register of the CCG captures and manages those (operational) risks that are threats and opportunities to delivering the objectives of each department of the CCG; the register as a whole is coordinated by the Corporate Governance Manager. Corporate Risks identified that have a direct threat or opportunity to a Corporate Objective will be escalated, at the Head of Corporate Governance’s discretion in liaison with the Associate Director of HR and Corporate Services, to the Assurance Framework for explicit assurance. Risks that are identified via the Assurance Framework review process and that are operational in nature are to be captured via the gaps in control section of the Assurance Framework and then captured in more explicit detail on the Corporate Risk Register, to be managed appropriately by the process documented above. The Assurance Framework and Corporate Risk Register are expected to work in tandem in managing the risk profile of the CCG.


Appendix A

Risk Scoring Matrix

Table 1 Consequence score (C)

Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence / impact score, which is the number given at the top of the column.

Consequence score (impact levels) and examples of descriptors: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic

Domain: Patient and staff safety
1 Insignificant: Minimal injury requiring no / minimal intervention or treatment. No time off work.
2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days.
3 Moderate: Moderate injury requiring professional intervention. Requiring time off work for 4-14 days. RIDDOR reportable incident. An event which impacts on a small number of patients.
4 Major: Major injury leading to long-term incapacity / disability. Requiring time off work for >14 days. Mismanagement of patient care with long-term effects.
5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An event which impacts on a large number of patients.

Domain: Quality
1 Insignificant: Peripheral element of treatment or service suboptimal. Informal complaint / inquiry.
2 Minor: Overall treatment or service suboptimal. Formal complaint. Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved.
3 Moderate: Treatment or service has significantly reduced effectiveness. Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple complaints / independent review. Low performance rating. Critical report.
5 Catastrophic: Unacceptable level or quality of treatment / service. Gross failure of patient safety if findings not acted on. Inquest / ombudsman inquiry. Gross failure to meet national standards.

Domain: Human Resources / Organisational Development
1 Insignificant: Short-term low staffing level that temporarily reduces service quality (< 1 day).
2 Minor: Low staffing level that reduces the service quality.
3 Moderate: Late delivery of key objective / service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale. Poor staff attendance for mandatory / key training.
4 Major: Uncertain delivery of key objective / service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory / key training.
5 Catastrophic: Non-delivery of key objective / service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training / key training on an ongoing basis.

Domain: Statutory duty / inspections
1 Insignificant: No or minimal impact or breach of guidance / statutory duty.
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
3 Moderate: Single breach in statutory duty. Challenging external recommendations / improvement notice.
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report.
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report.

Domain: Adverse publicity / Reputation
1 Insignificant: Rumours. Potential for public concern.
2 Minor: Local media coverage – short-term reduction in public confidence. Elements of public expectation not being met.
3 Moderate: Local media coverage – long-term reduction in public confidence.
4 Major: National media coverage with <3 days service well below reasonable public expectation.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House). Total loss of public confidence.

Domain: Business Objectives
1 Insignificant: Insignificant cost increase / schedule slippage.
2 Minor: <5 per cent over project budget. Schedule slippage.
3 Moderate: 5–10 per cent over project budget. Schedule slippage.
4 Major: Non-compliance with national 10–25 per cent over project budget. Schedule slippage. Key objectives not met.
5 Catastrophic: Incident leading >25 per cent over project budget. Schedule slippage. Key objectives not met.

Domain: Finance
1 Insignificant: Small loss. Risk of claim remote.
2 Minor: Loss of 0.1–0.25 per cent of budget. Claim less than £10,000.
3 Moderate: Loss of 0.25–0.5 per cent of budget. Claim(s) between £10,000 and £100,000.
4 Major: Uncertain delivery of key objective / Loss of 0.5–1.0 per cent of budget. Claim(s) between £100,000 and £1 million. Purchasers failing to pay on time.
5 Catastrophic: Non-delivery of key objective / Loss of >1 per cent of budget. Failure to meet specification / slippage. Loss of contract / payment by results. Claim(s) >£1 million.

Domain: Service / business interruption; Impact on environment
1 Insignificant: Loss / interruption of >1 hour. Minimal or no impact on the environment.
2 Minor: Loss / interruption of >8 hours. Minor impact on environment.
3 Moderate: Loss / interruption of >1 day. Moderate impact on environment.
4 Major: Loss / interruption of >1 week. Major impact on environment.
5 Catastrophic: Permanent loss of service or facility. Extreme impact on environment.


Table 2 Likelihood score (L)

What is the likelihood of the consequence occurring? The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

Likelihood score: 1 Rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost certain

Frequency (how often might it / does it happen):
1 Rare: This will probably never happen / recur.
2 Unlikely: Do not expect it to happen / recur but it is possible it may do so.
3 Possible: Might happen or recur occasionally.
4 Likely: Will probably happen / recur but it is not a persisting issue.
5 Almost certain: Will undoubtedly happen / recur, possibly frequently.

Probability (percentage likelihood of occurrence):
1 Rare: 0-5%
2 Unlikely: 6-20%
3 Possible: 21-50%
4 Likely: 51-80%
5 Almost certain: 81-100%

Table 3 Risk scoring = consequence x likelihood (C x L)

Calculate the risk score by multiplying the consequence score by the likelihood score.

Risk Matrix (rows: Likelihood of Occurrence; columns: Consequences / Impact 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic)

(1) Rare: 1 2 3 4 5
(2) Unlikely: 2 4 6 8 10
(3) Possible: 3 6 9 12 15
(4) Likely: 4 8 12 16 20
(5) Almost Certain: 5 10 15 20 25

The risk tolerance / appetite under which risks can be tolerated is a score of 12 or below where the assessment has been undertaken following the implementation of controls and assurances.

Risk score bands:
1-3 Low
4-6 Medium
8-12 High
15-20 Very High
25 Extreme

Appendix B

NHS Doncaster Clinical Commissioning Group

Assurance Framework xx.x as at [date]

Key notes:

• The Assurance Framework has been developed in accordance with guidelines provided by the Department of Health, External Audit and Internal Audit and comprises risks which affect the achievement of the NHS Doncaster Clinical Commissioning Group’s (CCG) corporate objectives, vision and values.

• Only those potential or current risks which affect the achievement of the NHS Doncaster CCG’s corporate objectives are eligible for entry to the Assurance Framework. All other risks are managed through the Risk Register, and each of the Risk Register risks is linked to an overarching Assurance Framework risk.

• Risks can be a) treated (via an action plan), b) tolerated, c) terminated or d) transferred (e.g. to another organisation).

• Leads named on the Assurance Framework review the controls, assurances, gaps in control / assurance and scores of the Assurance Framework risks on a regular basis. The Assurance Framework Risk Lead(s) for each area, in consultation with the Governance Lead, can add or remove risks from the Assurance Framework. This will be subsequently ratified by the Governing Body of the NHS Doncaster CCG.

• The organisational risk appetite under which risks can be tolerated is a score of 12 or below.

• Assurance Framework risks which are scored at or in excess of a score of 15 must be escalated to the next meeting of the NHS Doncaster CCG’s Governing Body.

• The Corporate Objectives against which the Assurance Framework is currently mapped and the risk scoring matrix are shown below.

Risk Matrix (rows: Likelihood of Occurrence; columns: Consequences / Impact 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic)

(1) Rare: 1 2 3 4 5
(2) Unlikely: 2 4 6 8 10
(3) Possible: 3 6 9 12 15
(4) Likely: 4 8 12 16 20
(5) Almost Certain: 5 10 15 20 25

Corporate Objectives (SOs)

CO 1 Ensure an effective, well led, and well governed organisation.

CO 2 Commission high quality, continually improving, cost effective healthcare which meets the needs of the Doncaster population.

CO 3 Ensure that the healthcare system in Doncaster is sustainable.

CO 4 Work collaboratively with partners to improve health and reduce inequalities in well governed and accountable partnerships.

*The risk appetite under which risks can be tolerated is a score of 12 or below.


The Assurance Framework / Risk Register columns include (Area: Definition):

Principal Risks: Those risks which affect the achievement of the Clinical Commissioning Group’s strategic objectives.

Uncontrolled risk: The risk score (consequence x likelihood) if there were no controls in place. This helps the organisation to prioritise risks.

Current Risk: The risk score (consequence x likelihood) as at the present time with the listed controls in place. See appendix for the detailed risk scoring matrix.

Key Controls: The controls which are already in place to control the risk and reduce its likelihood of occurring. Controls can be:
• Preventative (stopping the risk occurring, e.g. access controls)
• Detective (if the risk is threatening to occur, how would you know? e.g. authorisation process)
• Directive (instructions or guidance in place to reduce the chance of the risk occurring, e.g. policies)

Assurance: The assurances which are in place to check that the key controls for the risk are operating effectively, e.g. reports, audits. Assurances are broken down into internal assurances such as internal reports, and external assurances such as the independent Internal Audit Reports.

Positive Assurance: The positive assurances which have been received that confirm the risk is being effectively managed, and that key controls are in place and working, e.g. positive Internal or External Audit Reports.

Gaps in Control and Assurance: The gaps identified in control or assurance which, if addressed, would reduce the risk score.

Outcome: The risk treatment which is appropriate for the risk based on the risk description, the scoring and any gaps in either control or assurance. There are 4 categories to choose from:
• Treat – Where there are insufficient controls and/or assurances in place, risks must be treated. Any risk scored with a risk rating of 13 or above should be treated. The risk treatment should be captured in an accompanying action plan.
• Tolerate – Where the risk is deemed adequately controlled and there are sufficient assurances in place, risks can be tolerated providing that they are scored with a risk rating of 12 or below.
• Transfer – Risks can be transferred to another organisation, therefore removing the associated risk, e.g. transfer of commissioning decisions, transferring services or letting contracts with risk transfer clauses.
• Terminate – It could be that the organisation wishes to avoid a particular risk altogether. This may involve ceasing the activity giving rise to the risk.

Review Date: Risks should be reviewed at least quarterly.


NHS Doncaster Clinical Commissioning Group Assurance Framework 2019/20

V[x.x] as at [date]

NHS Doncaster CCG Governing Body Assurance Framework Summary

Template columns, with the prompt shown under each column heading:

• Ref
• Risk Description: What is the specific risk to the corporate objective?
• Risk Causes: What has to happen for the risk to occur?
• Risk Consequences: Should the risk materialise, what is the impact?
• Risk Owner: Who is the Risk Owner?
• Committee: Which Committee does the risk link to?
• Lay Member: Who is the Lay Member lead?
• Gross Risk: Likelihood, Impact, Level
• Existing Controls: What controls are in place that are operating at this level?
• Net Risk: Likelihood, Impact, Level
• Assurances on Controls: Where can we gain evidence that our controls / systems on which we are placing reliance are effective?
• Positive Assurance: What evidence shows we are reasonably managing our risks and our objectives are being delivered?
• Gaps in Assurance: Where are we failing to gain evidence that our controls / systems, on which we place reliance, are effective?
• Gaps in Controls: Where are we failing to put controls / systems in place, or where are we failing to make them effective?
• Actions for Further Control: What actions will help to further manage the risk?
• Target: Likelihood, Impact, Level
• Due Date
• Progress Against Actions: Is the plan on track?

Last updated: xx July 2018

Strategic Objective 1: Ensure an effective, well led, and well governed organisation.

NHS Doncaster Clinical Commissioning Group

Assurance Framework / Risk Register Action Plan

Template columns:

• Ref
• Principal Risk
• Lead Person / Delegated Committee
• Uncontrolled risk: C, L, CxL
• Current Risk: C, L, CxL
• Action Plan
• Progress
• Due Date

NHS Doncaster Clinical Commissioning Group Risk Register

xx.x as at [date]

NHS Doncaster CCG Governing Body Assurance Framework Summary

Template columns, with the prompt shown under each column heading:

• Ref
• Risk Description: What is the specific risk to the corporate objective?
• Risk Causes: What has to happen for the risk to occur?
• Risk Consequences: Should the risk materialise, what is the impact?
• Risk Owner: Who is the Risk Owner?
• Committee: Which Committee does the risk link to?
• Lay Member: Who is the Lay Member lead?
• Gross Risk: Likelihood, Impact, Level
• Existing Controls: What controls are in place that are operating at this level?
• Net Risk: Likelihood, Impact, Level
• Assurances on Controls: Where can we gain evidence that our controls / systems on which we are placing reliance are effective?
• Positive Assurance: What evidence shows we are reasonably managing our risks and our objectives are being delivered?
• Gaps in Assurance: Where are we failing to gain evidence that our controls / systems, on which we place reliance, are effective?
• Gaps in Controls: Where are we failing to put controls / systems in place, or where are we failing to make them effective?
• Actions for Further Control: What actions will help to further manage the risk?
• Target: Likelihood, Impact, Level
• Due Date
• Progress Against Actions: Is the plan on track?

Last updated: xx July 2018

Strategic Objective 1: Ensure an effective, well led, and well governed organisation.

Appendix C

Generic Risk Assessment Template

Area / Task / Activity:

Date of assessment:

Persons Assessing the Risks:

Next scheduled assessment:

Template columns:

• Ref
• Risk identified
• Controls in place
• Consequence / Impact
• Likelihood
• Risk Score
• Risk treatment (treat, tolerate, terminate, transfer) & details of any action plan
• Review of risk (enter date and review details)
• Post risk review score

Rows: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.


Appendix D Equality Analysis Form

Subject of equality analysis: Risk Management Strategy

Type (tick): Policy √; Strategy √; Business case; Commissioning service redesign; Contract / Procurement; Event / consultation

Owner: Name: Helen Harris; Job Title: Head of Corporate Governance

Date: 24 September 2018

Assessment Summary: To set out the CCG’s strategy in relation to risk and risk management.

Stakeholders (tick): Staff √; General public; Service users; Partners; Providers; Other

Data collection and consultation

Application of this policy helps ensure that the staff, patients, visitors, reputation and finances of the CCG are protected through the process of risk identification, assessment, control and elimination / reduction. Relevant employees and SMT Members have been involved in the development of this policy. Please note that due to the small number of staff employed by the CCG, data with returns small enough to identify individuals cannot be published. However, the data should still be analysed as part of the EIA process, and where it is possible to identify trends or issues, these should be recorded in the EIA.

Protected characteristic / Positive / Neutral / Negative / Negative: What are the risks? / Positive: What are the benefits / opportunities?

• Age: x. This policy applies to all regardless of age.

• Disability: x. This policy applies to all regardless of disability. This Strategy is not currently available in other formats. The assumption is that all staff will have the correct physical equipment on their desktops to ensure that they will be able to view this document. The CCG website does provide the facility to view documents in larger fonts.

• Gender: x. This policy applies to all regardless of gender.

• Race: x. This policy applies to all staff regardless of race / ethnicity. Analysis of employee data indicates that the percentage of white employees is reflective of the local population. However, the proportion of BME staff is lower than that of the local population it serves. All staff require competencies which include the ability to read and understand English or to request the information in another format available to them.

• Religion & Belief: x. This policy applies to all regardless of religion or belief.

• Sexual Orientation: x. This policy applies to all, regardless of sexual orientation.

• Gender reassignment: x. This policy applies to all regardless of transgender / gender reassignment.

• Pregnancy & Maternity: x. This policy applies to all regardless of pregnancy or maternity.

• Marriage & Civil Partnership: x. This policy applies to all regardless of marriage or civil partnership.

• Social Inclusion / Community Cohesion: x. This policy applies to all.

Conclusion & Recommendations including any resulting action plan

The assumption is that all staff will have the correct physical equipment on their desktops to ensure that they will be able to view this document. The CCG website does provide the facility to view documents in larger fonts. The CCG’s internal ‘portal’ and external website signpost individuals to alternative formats such as large print, braille or another language. Responsible lead: CCG Communications.

Review date: October 2020