CHS 19/168

Risk Management FrameworkOpportunities for Improvement

Contents

Introduction...........................................................................................................................................3

Purpose.................................................................................................................................................3

Definitions.............................................................................................................................................5

Principles...............................................................................................................................................7

Accountabilities and Authorities............................................................................................................9

Risk Governance.............................................................................................................................9

Roles and Responsibilities............................................................................................................11

Risk Management declaration to ACTIA.......................................................................................11

Cross Directorate and Territory level risks...................................................................................11

Risk strategy........................................................................................................................................13Risk appetite and tolerance..........................................................................................................13

Risk Management Process...................................................................................................................13

Monitoring Processes..........................................................................................................................15

Reporting on Risk Management activity......................................................................................15

Performance of risk treatment action plans.................................................................................16

Performance of risk controls........................................................................................................16

Performance of risk management framework, policy and procedure..........................................16

Internal audit...............................................................................................................................17

External audit...............................................................................................................................17

Risk Management Tools......................................................................................................................18Canberra Health Services Risk Assessment Template..................................................................18

Canberra Health Services Risk Register........................................................................................18

Risk Management Framework: Opportunities for Improvement Version 1– September 2019, CHS 19/168, Review Date 1/10/2019, QSII

Incident Identification and Management – Riskman....................................................................18

Relationship with other processes.......................................................................................................19

References/Supporting documents.....................................................................................................20

Appendix.............................................................................................................................................21

Consequence table.......................................................................................................................21

Likelihood table............................................................................................................................22

Risk Matrix...................................................................................................................................22

Priority and Authority for Action table.........................................................................................22

Risk Management Framework: Opportunities for Improvement Version 1– September 2019, CHS 19/168, Review Date 1/10/2019, QSII

Risk Management Framework

IntroductionThe vision for Canberra Health Services (CHS) is ‘Creating exceptional health care together’. In order to achieve our vision, we need to provide a safe, high-quality health service to our community as well as create and maintain a safe environment for staff and visitors.

Risk is present in our daily activities. Many factors can influence and potentially impact on our ability to deliver health services and meet our organisations strategic objectives. The effect of this uncertainty is risk. Similarly, daily, factors affecting the quality of patient care and safety of patients, staff and visitors within CHS facilities may be compromised. This is also risk. Risk is managed by all staff every day.

Risk management is regarded by CHS as an essential process to maintain an appropriate balance between realising opportunities for better ways of doing things and addressing uncertainty of not achieving what we intend to. Risk Management processes assist us to make the best decision possible in a timely manner to reduce the likelihood and consequence of unintended harm to patients, staff and visitors. Risk Management assists in enabling us to do our jobs to the best of our ability each day to meet the organisations strategic objectives.

CHS is committed to:

creating leaders and the supporting culture in which effective risk management is seen as integral to success and high performance

supporting all staff to make risk management part of all decision-making processes

integrating risk management principles into daily work practices and

maximising awareness of how to contribute to the management of risk.

PurposeThe purpose of the Risk Management Framework is to describe the CHS approach to risk management to ensure that risk is managed effectively and efficiently and understood by all. The framework describes how the process for managing risk is integrated into the overall CHS governance; strategy and planning; management; reporting processes; policies, values and culture.

Page | 3

The framework supports a multidisciplinary approach and relies on a top down, bottom up partnership to support both continuous and proactive identification and response to risks. This enhances CHS’ ability to meet its strategic directions and operational objectives and to provide the Health Services Executive Committee, and management of CHS with information that supports improved decision making and planning.

The CHS approach to risk management is articulated in several key documents which are supported by training resources, these documents are:

Risk Management Framework – defines principles, governance structure, accountabilities and culture

Risk Management Policy – defines roles and responsibilities

Risk Management Procedure – describes the risk management process for staff

Risk Management Toolkit (in development) – resources to support training for managers and staff.

The purpose of the Risk Management Framework is to:

enhance clinical and corporate outcomes by implementing a common approach to managing clinical and non-clinical risks including recognising opportunities

provide a consistent risk management approach to ensure that risks are effectively identified, considered and responded to in a timely way

ensure that all risks are managed so that CHS maximises its ability to meet its objectives and operational targets

encourage proactive rather than reactive risk management

provide assistance to and improve the quality of decision making throughout the organisation

assist in safeguarding CHS’ assets, people, finance, property and reputation

meet legal and statutory requirements and obligations

ensure staff understand and confidently engage with risk in their roles.

Page | 4

Definitions The following definitions are taken or amended from AS ISO 31000:2018: Risk Management Guidelines (referred to in this document as the RM Standard):

Risk - The effect of uncertainty on objectives

Risk management - The processes and activities to direct and control an organisation with regard to risk.

Risk management framework – The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation

Risk management process – application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk

Risk assessment – the overall process of risk identification, risk analysis and risk evaluation

Risk identification – the process of finding, recognising and describing risks

Risk control – a measure that maintains or modifies risk i.e. to reduce the likelihood and/or consequence e.g. process, policy, practice

Risk treatment – an action required to be undertaken to modify risk i.e. reduce the likelihood and/or consequence. This can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk, taking or increasing risk in order to pursue an opportunity, retaining the risk by informed choice, removing the risk source, changing the likelihood, changing the consequences, sharing the risk with another party or parties, and retaining the risk by informed decision

Residual risk – the level of risk remaining after the risk has been treated i.e. the risk that is retained after controls are considered and in place and actions have been applied

Risk assurance – a measure that provides evidence about the effectiveness of controls

Risk maturity – the risk capability that an organisation has when implementing a risk management framework, policy, procedures and process

Risk register – a location for documenting risks identified within CHS. The register outlines the context, controls and actions required to reduce the risk to an acceptable level

Page | 5

Risk culture – the culture of CHS that supports successful implementation of the Risk Management Framework including risk management principles and their role and responsibilities in managing risk

Risk attitude – the organisation’s approach to risk assessment to eventually pursue, retain, take or turn away from risk

Risk appetite – defines the amount and type of risk that CHS is willing to accept to achieve its strategic objectives

Risk tolerance – the maximum level of acceptable risk that CHS will bear after risk treatment without affecting the achievement of strategic and operational objectives

Clinical Risk Management (CRM) – an approach to improving the quality and safety of health care delivery to patients by identifying circumstances that put patients at risk of harm and taking action to prevent or control these risks. CRM is one part of the organisations broader risk management system. CRM uses a range of strategies to identify and manage risks to patients and improve the quality and safety of patient care. These include: the incident management system which encompasses clinical review and sentinel event monitoring, medico-legal coordination, consumer feedback monitoring National Standards Committees

Page | 6

Principles CHS recognises that for risk management to be truly effective, it must be an integral part of the organisation’s culture and systems. That is, every staff member has an important role to play in keeping themselves, other staff and consumers from harm. Staff members also have a key role to play in supporting the organisation to manage risk to achieve the organisational strategic and operational objectives.

It is also acknowledged that unless the Risk Management Framework is supported by staff with appropriate competencies, attitudes and behaviours, the CHS approach to risk management will not be effective.

Risk Management contributes to our ability to:

keep patients and staff safe

achieve strategic objectives

maintain legislative and regulatory compliance and

be recognised as an organisation that creates exceptional healthcare, that’s trusted by our community.

CHS is committed to integrating the principles of risk management into everyday work practices and will adopt the following principles in relation to risk management:

Principles for Risk ManagementPrinciple Description

There is a mandate and commitment from the Health Services Executive Committee (HSEC), CHS Executive and Senior management for risk management

(Principle in the RM Standard: Human and Cultural Factors)

This is demonstrated by strong leadership in risk management and the ability to articulate governance processes and support training opportunities within areas of responsibility

There is linkage between risk management and the achievement of CHS objectives

(Principle in the RM Standard: Customised)

This is demonstrated by risks being linked to strategic objectives, risk management information being used to support decision making and strategic level audits being focused on identified areas of risk.

Page | 7

Principles for Risk ManagementPrinciple Description

There are clear roles and responsibilities for risk management throughout CHS

(Principle in the RM Standard: Inclusive)

This is demonstrated by a clear governance structure for risk management. Executives are identified as strategic risk leaders and held responsible and to account for the management of risk within their realm of responsibility.

There is integration of risk management into decision making processes

(Principle in the RM Standard: Integrated)

This is demonstrated by using risk management information (which is linked to meeting strategic objectives) to inform decision making

There is a structured approach to the robust assessment of risk which considers best available information from relevant data and stakeholders

(Principles in the RM Standard: Structured and Comprehensive, Best available information, Inclusive)

This is demonstrated by a structured and consistent approach which uses CHS approved tools and templates and considers relevant information sources such as historical data, expert stakeholder experience and opinions and direct observation.

There is responsiveness to change when internal or external factors impact on risk management and/or the management of risks

(Principle in the RM Standard: Dynamic)

This is demonstrated by making risk management part of everyday business processes, risk assessment being considered in a timely way to address uncertainty, and ongoing review of the risk management framework.

There is continual improvement to risk management and the management of risk, and conversely risk management facilitates improvements with CHS

(Principle in the RM Standard: Continual Improvement)

This is demonstrated by risk being discussed and communicated as opportunities for improvement. Risk treatment actions plans are considered as improvement initiatives and are recorded as Quality Improvement activities as appropriate.

Page | 8

Accountabilities and Authorities

Risk Governance The purpose of CHS risk governance structure is to provide direction and oversight of risk management activities within CHS and to ensure that the framework is being applied in a consistent and transparent way. All staff have a responsibility for managing risks within their scope of delegated authority and realm of responsibility.

Risk Oversight – is the responsibility of HSEC Risk Management – is the responsibility of the Chief Executive Officer (CEO) and

Executive Risk Assurance – is the responsibility of the Audit and Risk Management Committee,

with activities e.g. internal and external audit, reported to HSEC, Executive Committees and specialist committees as appropriate.

The CHS governance structure includes specialist committees such as the Clinical Review Committee and various National Standards steering committees. These committees play an important role by:

undertaking risk identification activities coordinating and managing information related to particular risks coordinating risk treatment plan activities and being an expert, consultative body for particular risks.

The committee structure within the CHS governance structure seeks to ensure that safety, quality and risk management are embedded in the organisation’s daily business. A committee’s responsibility in the risk management process will be outlined in its Terms of Reference. Examples of operational committees with a risk focus include: Work Health and Safety Committees, Clinical Review Committee and our Emergency Management committees.

Refer to Figure 1. below for the CHS Risk Management Governance Structure:

Page | 9

Figure 1: CHS Risk Management Governance Structure

Page | 10

Roles and Responsibilities CHS has developed a ‘Three lines of Defence Model’ based on the model as described in the ACT Government Risk Management Policy 2019 Implementation guide. The model describes how different parts of our organisation work collaboratively to communicate about and manage risk; and to provide assurance that the risk treatment controls and actions are effectively managing our identified risks.

Three lines of defence:

First line of defence - staff that own and manage risk Second line of defence - staff that are involved with overseeing the management of

risk Third line of defence - staff involved with providing independent assurance about

risk management.

CHS has clearly articulated roles and responsibilities for Risk Management which are described in the CHS Risk Management Policy.

Risk Management declaration to ACTIA Under the Insurance Act 2005, the ACT Insurance Authority (ACTIA) is delegated with responsibility for driving best practice risk management across ACT government.

CHS completes an annual declaration to ACTIA to provide assurance that risk management is built into annual corporate planning, operational activities, planning (including business continuity planning) and reporting processes. The declaration also provides assurance over risk management culture, the presence of risk management oversight bodies and the presence and implementation of a Risk Management Framework.

Cross Directorate and Territory level risks Identification of key dependencies will assist in identifying and managing cross Directorate risks within CHS.

Some ways CHS identifies cross Directorate risks includes:

Cross Territory and interjurisdictional meetings e.g. with Greater Southern Area Health Service and/or Southern NSW Local Health District.

Through the design and implementation of infrastructure projects. Data/performance reporting.

Sharing risks within other agencies can reduce risk to a tolerable level. Shared risks with other Directorates include:

Page | 11

Risks shared with ACT Corrective Services who manage the facilities that accommodate prisoners who require services provided by Justice Health.

Risks shared with Infrastructure, Finance and Capital Works within Commercial Services and Infrastructure Directorate who are delivering select major capital works projects.

Risks shared with Digital Solutions Division who provide expertise and an element of funding for information technology architecture and solutions.

Risk is shared with ACTIA as the Territory’s insurers for medico-legal and civil matters.

Page | 12

Risk strategy HSEC is accountable for reducing risk exposure by maintaining a robust risk management program compliant with the Risk Management Standard AS ISO 31000:2018: Risk Management Guidelines. The CHS Risk Management procedure requires escalation of risks with an Extreme or High-risk rating to HSEC as they are identified.

Risk appetite and toleranceRisk appetite is the amount and type of risk that an organisation is willing to accept in order to achieve our strategic objectives. Our risk appetite is described through our tolerance to risk. Canberra Health Services tolerates risk rated as Medium using the CHS Risk Matrix included in the Appendix.

Risk Management ProcessThe CHS Risk Management process is based on the risk management process outlined in AS ISO 31000:2018 Risk Management Guidelines.

Figure 2 and Table 2 below provide an overview and description of the steps in the risk management process. The CHS Risk Management procedure provides more detailed information.

Figure 2: Risk Management Process AS ISO 31000:2018 Risk Management Guidelines (Diagram taken from ACT Government Risk Management Policy 2019 Implementation Guide)

Page | 13

Page | 14

CHS Risk Management Process

Step Description

1. Communication and Consultation

Effective communication and consultation with all (internal and external) stakeholders is necessary at all stages of the risk management process. Working together and including all people impacted by and able to treat the risk will help to ensure all perspectives are considered, understood, and included in the decision making process; and treatment proposals and change management are endorsed and more likely to be supported respectively.

2. Establish the context A key aim of establishing the context is to identify the organisations objectives and consider (internal and external) factors and influences that CHS needs to consider in decision making and management.

3. Risk Identification

Risk

Ass

essm

ent

The purpose of risk identification is to generate a comprehensive list of risks that might affect the achievement of objectives. Risk identification will address what, where, when, why and how the risk will occur.

4. Risk Analysis The intent of risk analysis is to gain a detailed understanding of the risk. Risk analysis takes into consideration existing controls, and using best available information including relevant qualitative and/or quantitative data, determines the likelihood and consequences of the risk occurring. The level of risk using the CHS Risk Matrix is determined, then prioritised for escalation and treatment.

5. Risk Evaluation Risk evaluation is used to determine whether the risk is acceptable or unacceptable (i.e. CHS tolerance to the risk), make decisions about future action/s and the priority action/s which should be given.

Note: A risk may be ‘acceptable’ if the decision has been made not to treat it, regardless of risk rating.

6. Risk Treatment Risks that are determined not acceptable or intolerable require a risk treatment action plan to be implemented. A range of risk treatment options should be considered, being mindful not to create new risks, including the advantages and disadvantages, ahead of agreeing on a plan and implementing the actions. Risk treatment action plans should be integrated into existing management plans and processes within CHS where appropriate, with consultation with relevant stakeholders.

7. Monitoring and review Monitoring and review of the risk management process and outcomes is important to ensure risk maturation and continuous improvement within CHS.

8. Recording and Reporting Risk recording and reporting is crucial in communicating risk management activities and outcomes within CHS. It provides information for decision making and assists in acquiring and maintaining collaboration and engagement of staff in risk management activities.

Table 2: CHS Risk Management Process

Page | 15

Monitoring ProcessesMonitoring performance is one of the most important steps in the risk management process. It ensures the initiatives implemented for treating and controlling risks are working as planned and expected.

Reporting on Risk Management Activity The annual Review and Planning cycle describes how identified risks and respective risk treatment action plans are monitored and reviewed. The identification, monitoring and review of all risks occurs on an annual cycle. In summary:

Enterprise risks are reviewed annually and progress on risk treatment action plans and controls are monitored quarterly by HSEC and the Audit and Risk Management Committee.

Operational Risks are reviewed annually and progress on risk treatment action plans and controls are monitored at a minimum quarterly by Divisions.

All risks rated extreme or high (residual risk rating) and progress on treatment plans will be monitored by HSEC monthly.

Canberra Health Services Risk Register

Annual Review and Planning CycleTiming Activity Description

Monthly Review of High and Extreme risks

Summary of Extreme and High risks prepared by Risk Manager for HSEC

May - July Annual Review

Progress update for Quarter 4 (to 30 June)

Annual Workshop with Executive Directors to review Enterprise risks led by Executive Director Quality, Safety, Innovation and Improvement

Annual review of Divisional/local risks led by Executive Directors

Risk management activity reporting led by Executive Directors to HSEC and Audit and Risk Management Committee (ARMC)

Review and reporting of Enterprise risks by Accountable Executive Director

August - September

Annual Planning Present Annual Risk Review outcomes to HSEC and to ARMC for endorsement of any proposed updates.

October Progress update for Quarter 1 (to 30 September)

Risk management activity reporting led by Executive Directors to HSEC and ARMC

Page | 16

Enterprise risk reporting by Accountable Executive Director

February Progress update for Quarter 2 (to 31 December)

Risk management activity reporting led by Executive Directors to HSEC and ARMC

Enterprise risk reporting by Accountable Executive Director

April Progress update for Quarter 3 (to 31 March)

Risk management activity reporting led by Executive Directors to HSEC and ARMC

Enterprise risk reporting by Accountable Executive Director

For the purpose of Divisional reporting, the following positions are required to maintain a risk register on Riskman and report on high and extreme risks and other risks of note from their work area to HSEC:

all Executive Directors reporting to the Chief Executive Officer (excluding the Chief Operating Officer and Executive Director, Medical Services)

all Executive Directors reporting to the Chief Operating Officer the following areas under the Executive Director, Medical Services: Pharmacy,

Pathology, Medical Imaging and Health Care Technology Management.

Performance of risk treatment action plans All risk treatment action plans for CHS Enterprise and Divisional high and extreme risks are monitored monthly at HSEC. There is an expectation that all Divisional risk registers will be reviewed and updated on Riskman at least quarterly at the Divisional governance committees where risk management is discussed. This will include review of risk rating and progress of risk treatment action plan implementation.

Performance of risk controls The effectiveness of risk controls are monitored and reported through mechanisms such as incident monitoring, consumer feedback monitoring, and internal and external audit activities. The Performance Reporting and Monitoring Framework describes the Key performance indicators for CHS which are measures of the effectiveness of identified risk controls. The monitoring is done through Risk Management/Quality and Safety Committees at the CHS, Divisional and Business Unit/Program level.

Page | 17

Performance of risk management framework, policy and procedureIt is important to review the effectiveness of risk controls, however also equally important to review and monitor the effectiveness of the risk management framework. The CHS risk management approach is formally reviewed through a review of the Risk Management Framework undertaken by the CHS Executives and members of the Audit and Risk Management Committee annually in May. This review will be undertaken in a workshop and will incorporate the review of the Risk Management Framework, policy and procedure. A risk maturity self-assessment where CHS Executive will assess CHS risk management maturity at the level of Foundation, Graduation or Optimisation will also occur.

While CHS is at the Foundation level of maturity, an annual review will occur until such a time the Executive determine a 3 yearly review period, aligned to the CHS Policy Management Policy and process is appropriate.

Internal auditInternal audit provides an independent and objective view and confirms whether controls designed to manage the organisations risks and achieve the CHS objectives are operating in an efficient, effective, economical and ethical manner.

External audit External audits may occur from time to time as an additional assurance mechanism to determine the effectiveness of internal controls to manage risk.

Accreditation against the Australian Commission on Safety and Quality in Health Care’s National Safety and Quality in Health Service Standards is a planned and external mechanism for providing assurance on the performance of the risk management framework, policy and procedure.

Page | 18

Risk Management Tools The CHS Risk Management Toolkit guides a standardised approach to the identification, assessment and overall management of risk. The complete document is in development and will be available on the CHS intranet. Key Risk Management tools are outlined below.

Canberra Health Services Risk Assessment ToolThe CHS risk assessment tool guides a standardised approach to the assessment of risk. The template includes the likelihood and consequence table, risk rating matrix and a risk rating-based approach to risk escalation.

Refer to the Appendix for the risk likelihood and consequence tables, risk matrix and the priority for action for risk escalation table used to complete a risk assessment.

Canberra Health Services Enterprise Risk RegisterCHS uses the Risk Register on Riskman to register Enterprise and Divisional risks. The risk register is used to document contextual information about the risk, controls, actions (including action officers and action due dates) and allocate an accountable executive and responsible manager for managing the risk. Risk information is used to inform organisational planning and decision-making processes.

For more detail regarding use of the Risk Register, refer to the CHS Risk Management Toolkit.

Incident Identification, Notification and Management All identified incidents within CHS are notified through Riskman. The Riskman system is accessible by all staff within CHS. Incidents notified within the Riskman system are analysed by a range of people, areas and committee’s including management, Quality, Safety, Innovation and Improvement and specialist committees. Analysed incident data is an important source of information used to identify and analyse risk.

Page | 19

Relationship with other processes Risk Management is not a standalone process. It is most effective when integrated with existing organisational business processes. Some key business processes for risk management to be integrated into are:

Strategic/business planning – Organisational and operational business planning processes both inform and are informed by risk management processes. The planning process provides opportunity to reflect on achievements, identify and prioritise future key focus areas, strategic priorities and objectives, identify strategic risks and areas for quality and safety improvement initiatives. The process is then replicated within divisions, units and with individual staff.

Internal Audit – The internal audit program and processes assess the effectiveness of risk management controls. The internal audit program uses a risk management-based approach to prioritise the internal audit plan.

Performance management – Risk Management responsibilities are included, where relevant, in individual performance plans.

Business Continuity Management – Business Continuity Management (BCM) is a risk management process that identifies potential impact of events that can disrupt business processes. BCM plans for essential services to be maintained with minimal disruption so the delivery of critical high level and business unit functions can continue or be resumed as soon as possible.

Clinical Governance and Clinical Risk Management - Clinical Risk Management is an approach to improving the quality and safe delivery of health care by identifying circumstances that put patients at risk of harm and acting to prevent or control those risks. Clinical risk management is part of a broader organisational risk management system at CHS which uses a range of strategies to identify, mitigate and managed risk and improve the quality of clinical care. At CHS these strategies include: Clinical Review Committee, Medical credentialing committee, and the National Standards Committees. Further information is provided in the CHS Clinical Governance Framework.

Performance Reporting and Monitoring Framework – The CHS Performance Reporting and Monitoring Framework provides a clear understanding of how CHS reports, monitors and manages performance across the organisation and at all levels within the organisation. The performance reporting and monitoring framework is linked, and complementary to, our clinical governance framework, our risk management framework and the annual review and planning process. It considers the information that managers and staff at all levels of the service need to have access to, in order to perform their role. It is also a critical component

Page | 20

of good governance and identifies key indicators which are measures of risk controls effectiveness.

Page | 21

References/Supporting documents AS ISO 31000:2018. Risk Management – Guidelines

SA/SNZ HB 436:2013. Risk management guidelines – Companion to AS/NZS ISO 31000:2009.

ACT Government Risk Management Policy 2019 Implementation Guide – February 2019

ACT Government Risk Management Policy 2019

NSW Government. The Treasury. Risk Management Toolkit for NSW Public Sector Agencies. Volume 2: Templates, examples and case study. 2012.

Austin Health Risk Management Framework

Orbost Regional Health – Risk Management Framework Opportunities for Improvement. Published 25 October 2016

Page | 22

Appendix

Consequence table

Page | 23

Likelihood table

Risk Matrix

Priority and Authority for Action table

Page | 24

Page | 25

ACKNOWLEDGMENT OF COUNTRYACT Health acknowledges the Traditional Custodians of the land, the Ngunnawal people. ACT Health respects their continuing culture and connections to the land and the unique contributions they make to the life of this area. ACT Health also acknowledges and welcomes Aboriginal and Torres Strait Islander peoples who are part of the community we serve.

ACCESSIBILITYIf you have difficulty reading a standard printed document and would like an alternative format, please phone 13 22 81.

If English is not your first language and you need the Translating and Interpreting Service (TIS), please call 13 14 50.

For further accessibility information, visit: www.health.act.gov.au/accessibility

www.health.act.gov.au | Phone: 132281 | Publication No XXXXX

Page | 26