
Page 1 (source: nhshighland.scot.nhs.uk)

RISK MANAGEMENT POLICY

Clinical Governance

& Risk Management Department

Warning – Document uncontrolled when printed

Policy Reference: RM 2.0
Date of Issue: TBC
Prepared by: Risk Management Short Life Working Group
Date of Review: TBC
Lead Reviewer: Director of Finance
Version: 1.0
Authorised by: Executive Board Team
Date: TBC

Distribution
• Executive Directors
• Directors of Operations
• General Managers
• Clinical Directors
• Lead Nurses/Lead Midwives
• Lead AHPs
• Assistant General Managers
• Nurse Managers
• Head of Health & Safety
• Head of Facilities Management
• Head of eHealth
• Head of Learning and Development

Method: Intranet (x), E-mail ( ), Paper (x)


Risk Management Policy

1. Introduction

This Risk Management Policy describes the risk management arrangements at NHS Highland, and forms part of the wider framework for corporate governance and internal control.

NHS Highland recognises that healthcare provision and the activities associated with caring for patients, employing staff, providing facilities and managing finances are all, by their nature, activities that involve risk. These risks are present on a day-to-day basis throughout the organisation. They cannot be avoided but they can be managed to an acceptable level.

2. Managing uncertainty at NHS Highland

NHS Highland faces internal and external factors and influences that make it uncertain whether and when we will achieve our objectives. The effect this uncertainty has on our objectives is ‘risk’ [1].

Risk management is therefore a means of identifying, evaluating and controlling the uncertainties that could affect (either positively or negatively) the achievement of corporate objectives. It is crucial for the successful implementation of the NHS Highland Quality Approach and delivery of our corporate plans.

All activities at NHS Highland involve risk. It is important that we proactively manage risk to an acceptable level by embedding processes focussed on assessment and prevention, rather than reaction and remedy. Following a comprehensive, effective risk management approach throughout the organisation will help us achieve strategic and operational objectives, improve service delivery, increase efficiency, support and inform decision making, help provide a safe and secure environment and encourage a culture of quality improvement.

This policy applies to all employees of NHS Highland and will require active input from Directors and Managers at all levels to ensure that risk management is a fundamental part of our total approach to quality, corporate and clinical governance.

3. Risk management approach

The organisational approach to the management of risk reflects British Standard (BS ISO 31000:2009) Risk management – principles and guidelines.

When implemented and maintained in accordance with this approach, the management of risk enables an organisation to:

• increase the likelihood of achieving objectives
• encourage proactive management
• be aware of the need to identify and treat risk throughout the organisation
• improve the identification of opportunities and threats
• comply with relevant legal and regulatory requirements
• improve mandatory and voluntary reporting
• improve governance
• improve stakeholder confidence and trust
• establish a reliable basis for decision making and planning
• improve controls
• effectively allocate and use resources for risk treatment
• improve operational effectiveness and efficiency
• enhance health and safety performance, as well as environmental protection
• improve loss prevention and incident management
• minimise losses
• improve organisational learning, and
• improve organisational resilience.

[1] BS ISO 31000:2009

The approach demonstrates the relationship between the principles for managing risk, the framework in which it occurs and the risk management process, as set out in Diagram 1 below.

Diagram 1: organisational approach to the management of risk (figure; text recovered from the diagram is listed below)

Principles
a) Creates value
b) Integral part of organisational process
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework
• Mandate and commitment
• Design of framework for managing risk
• Implementing risk management
• Monitoring and review of the framework
• Continual improvement of the framework

Process


3.1 Principles

The principles provide a set of values on which NHS Highland will base its understanding of why and how risk will be managed.

3.2 Framework

The framework provides the foundation and arrangements to embed risk management throughout the organisation at all levels. The framework ensures that information about risk is taken from the risk management process and is adequately reported and used as a basis for decision making and accountability at all levels.

The NHS Highland framework is defined as follows:

3.2.1 Understanding the organisation and its context

The Board approves Quality Objectives, set within the overall context of the Highland Quality Approach. These, together with the annual Local Delivery Plan, set out our strategic and operational objectives and plans. The purpose of risk management is to identify the risks to the achievement of these objectives and plans.

3.2.2 Accountability and governance

Risk is everyone’s responsibility. Accountability for risk management is held at all levels of the organisation.

NHS Highland Board

The Board is responsible for ensuring that there is a clear and appropriate management structure for ensuring that NHS Highland has effective systems which enable risk to be identified and decisions to be taken at an appropriate level.

The Board is required to ensure that it conducts a review of its systems of internal control, including in particular its arrangements for risk management, at least annually.

The Board is supported in discharging this responsibility through its governance committees.

Governance Committees

The NHS Highland Board has delegated aspects of risk governance to the Governance Committees. Each committee has a responsibility for providing assurance to the Board in respect of the risks that fall within its specific remit. In some cases the Board itself is the assurance source.

This requires each Governance Committee to use the Strategic Risk Register to consider risks that may require further scrutiny (for example, risks evaluated as very high) and seek assurance from individual risk owners regarding the management of these risks, including the adequacy of existing control measures and progress against any actions required for improvement.

The Clinical Governance Committee provides assurance to the Board that all key risks in clinical care and patient safety are identified and managed effectively.


The Staff Governance Committee provides assurance to the Board that all key risks in occupational safety, health and environment are identified and managed effectively.

The Highland Health and Social Care Governance Committee provides assurance to the Board on key risks relating to planning, development and provision of health and social care services in North Highland.

The Argyll & Bute CHP Committee provides assurance to the Board on the key risks relating to planning, development and provision of health care services in Argyll and Bute.

The Audit Committee, through internal audit, external audit and other assurance sources, will provide independent objective assurance to the Board on the extent to which the risk management arrangements are in place and are effective.

3.2.3 Integration into organisational processes

Risk management should not be a stand-alone function, but should be integrated into day to day management processes.

Each Directorate/Operational Area (as listed in Appendix 3) will establish a risk register in line with this policy. Each Directorate/Operational Area will also identify key staff who will assume responsibility for risk within their area, and ensure that roles and responsibilities are clearly understood and adhered to.

NHS Highland expects staff to identify and report risk in line with this policy, as appropriate. Line Managers are responsible for ensuring that staff are enabled to identify learning needs and supported to participate in appropriate risk management related activities.

The Strategic Risk Register will be reported to the Board annually, demonstrating the changes in the risk profile of NHS Highland.

3.2.4 External communications and reporting

The annual governance statement included within the Annual Accounts summarises the organisational approach to risk management.

3.2.5 Monitoring, review and continuous improvement

The Audit Committee is responsible for reviewing the effectiveness of the risk management approach, which will involve periodic reviews of the strategic risk register and operational risk registers.

The Audit Committee may commission internal audit to review the risk management approach to provide assurance to the Board that the risk management system in place is robust and is effective in implementing this policy.

3.3 Process

The risk management process is an integral part of how we manage risk, how we embed risk management in our culture and practices and integrate it with our business processes.


The remainder of this document describes the process for risk management at NHS Highland.

4. How do we record risk?

Maintaining accurate and up to date risk registers is critical to effective risk management. NHS Highland will maintain the following risk registers:

• Strategic risk register. This covers the most significant risks that impact on the delivery of strategic objectives.

• Operational risk registers. These cover risks that impact on delivery of the Local Delivery Plan and operational plans. Operational risk registers will be established for each operational unit and directorate, as set out in Appendix 3.

• Project risk registers. These cover risks that impact on the successful delivery of specific projects.

This approach aligns to the approved Performance Management Framework which incorporates risk management.

Currently, risk registers are maintained on spreadsheets. However, the Executive Team and the Audit Committee will regularly review the effectiveness of the risk management process to determine whether further investment in automated risk management systems is necessary.

5. How do we assess risk?

5.1 How to identify a risk

Risk identification can take place at any time by any member of staff and is everyone’s responsibility.

Identifying risks is the first step in building the overall view of risk (risk profile) across the whole of the organisation. Risks can be identified from a number of sources, including:

• planning and performance management processes
• review of significant changes in service
• internal and external audit
• changes to guidance / guidelines, laws or regulations
• horizon scanning
• incident reporting
• complaints management
• health and safety reviews
• business cases and project plans
• training needs analysis
• recruitment / retention / absenteeism data.

5.1.1 Risk description


Defining a risk should include a description of what the risk is, the possible cause and the impact on objectives. This will allow the risk to be more easily understood and more effectively managed. A useful model for helping to define a risk is:

there is a risk of ‘x’ because of ‘y’ resulting in ‘z’, where:

• x is the risk event
• y is the cause of the risk (maybe a current issue)
• z is the impact on objectives.

5.2 How to analyse a risk

5.2.1 Risk categories

The first stage in analysing a risk is deciding what type of risk it is. We have identified five risk categories that are aligned to our Quality Objectives as shown in the table below. Categorising risks in this way will help the Board describe its risk appetite for each risk category.

Table 1: Risk categories (risk category, followed by the Quality Objectives aligned to it)

Strategic/Reputational
 1. Implementing our vision and strategy
 2. Improving population health and reducing inequalities
 10. Delivering our targets

Clinical
 3. Creating a caring, person-centred experience
 4. Providing safe and effective care

People
 7. Engaging our people

Innovation and Transformation
 5. Transforming our services
 6. Designing integrated care
 8. Promoting creativity, innovation and research

Finance and Sustainability
 9. Ensuring value and sustainability

5.2.2 Current mitigation

NHS Highland will mitigate either the likelihood or impact of risk, should it occur, by implementing a range of strategies, policies, projects and internal control processes. It is impossible to fully mitigate against all risks. Therefore, before we can consider whether further action is required to address a particular risk, we must first assess what mitigation is already in place. The risk register template at Appendix 1 requires the current mitigation for each risk to be defined. This need only be at a high level, but should provide enough information to inform the reader of the key mitigations that are currently in place.

5.2.3 Risk scoring

Risks can be scored at different stages of the risk management process. For simplicity, NHS Highland will focus on Current Risk Exposure, i.e. the net or residual level of risk that the organisation currently faces, based on the extent to which we are currently controlling and managing each risk.

5.2.4 How to assess likelihood

The likelihood of an event occurring should be assessed using the table below (1 to 5). When assessing likelihood you should take account of the controls that are already in place to mitigate the likelihood of a risk occurring, e.g. strategies, policies, procedures.

Table 2: Likelihood definitions

Score – Description – Chance of occurrence

1 – Rare – Very little evidence to assume this event would happen; will only happen in exceptional circumstances

2 – Unlikely – Not expected to happen, but definite potential exists; unlikely to occur

3 – Possible – May occur occasionally, has happened before on occasions; reasonable chance of occurring

4 – Likely – Strong possibility that this could occur; likely to occur

5 – Almost certain – This is expected to occur frequently / in most circumstances

5.2.5 How to assess net impact

The impact on the organisation of an event happening should be assessed using the table below (1 to 5). When assessing net impact you should take account of the controls that are already in place to mitigate impact, e.g. contingency plans.

Table 3: Impact descriptions

Score – Description

1 – Negligible

2 – Minor

3 – Moderate

4 – Major

5 – Extreme

Further definitions for each of the risk descriptions are outlined in Appendix 2.

The Current Risk Exposure is then calculated by multiplying together the likelihood and impact scores. The current risk score therefore represents the organisation’s current risk exposure taking into account existing controls.

5.3 How to evaluate a risk

The purpose of risk evaluation is to assist in making decisions about which risks need further treatment and the priority for treatment. This involves comparing our current risk score with our risk appetite.

5.3.1 Risk appetite

Risk appetite is the amount of risk that the Board is prepared to accept, tolerate or be exposed to at any point in time. The Board may have different appetites for different categories of risk. Periodically (at least annually), the Board will consider its risk appetite for each of the categories of risk set out in Table 1, above. This will reflect the levels and types of risk that the Board is prepared for management to take in delivering each of our Quality Objectives. Below are the classifications that we use to help describe the Board’s risk appetite for each risk category.

Table 4: Risk appetite (classification)

Classification – Definition

Hungry – Eager to be innovative and to choose options offering potentially bigger rewards despite greater inherent risk.

Open – Willing to consider all options and choose the one that is most likely to result in success, while also providing an acceptable level of reward.

Cautious – Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward.

Minimalist – Preference for ultra-safe business delivery options that have a low degree of inherent risk and only have a potential for limited reward.

Averse – Avoidance of risk and uncertainty is a key organisational objective.


5.4 How to treat a risk

The treatment of an identified risk will be based upon what resources the organisation has at its disposal to effectively manage the risk. Some common examples of how we may treat risk are provided below:

• avoid the risk by deciding not to start or continue with the activity that gives rise to the risk
• remove the risk source
• change the likelihood of the risk occurring
• change the consequences by developing a contingency plan
• share the risk with another party
• retain the risk by informed decision.

When a further risk treatment has been agreed, the corrective action should be recorded (refer to 7.4.1).

5.4.1 Action required

The action required section of the risk register is where the further actions to be taken/adopted to manage/treat the risk within the agreed risk appetite are recorded. The narrative within this section should include, e.g.:

• the actions to be taken
• the timescale for implementation and
• any resource/budget requirements.

This section should be regularly updated to provide details of progress against the planned actions. This section should clearly state which actions have been taken to arrive at the current assessment and which actions are still to be implemented.

6. Risk monitoring and review

The management of risk should be continuously reviewed to monitor whether or not the organisational risk profile is changing, to gain assurance that risk management is effective and to identify when further action is necessary to deliver assurance on the effectiveness of control.

In practice, this will involve the risk registers being discussed at Executive Team, Senior Management Team, Operational Unit Management Team and Corporate Department meetings etc. to ensure that:

• planned corrective actions/mitigation are implemented timeously

• the current level of risk is reviewed on a continuous basis

• any new or emerging risks are identified

• current risk scores are reduced and/or maintained in line with agreed appetite and tolerances.


The role of the Executive Team is crucial. As well as periodically considering the strategic risk register and its content, it will also seek regular assurances from the Senior Management Team, Operational Unit Management Teams and Corporate Department meetings that operational risk registers have been reviewed and are up to date.

6.1 Evaluating progress

The monitoring and review of risk will include an evaluation of the progress made in implementing the agreed actions to address gaps in control, or to take advantage of opportunities that have been identified.

6.2 Escalating risk

Risks should be managed at the lowest competent level, so long as this is appropriate. Each risk owner, be they within a project team, directorate or operational area, is responsible for the prompt identification of risks that should be escalated to the Leadership Group or the Audit Committee/Board for consideration. Examples of scenarios where risks should be considered for escalation include, but are not limited to:

• risks that may have a wider strategic impact, i.e. the risk is beyond the scope of the area in which it was originally identified;

• risks which can no longer be managed effectively within the resources and authority of the risk owner; or

• risks which have a significant risk score that may breach the appetite or tolerance for the particular type of risk, as defined by the Board.

The Leadership Group will be responsible for assessing the strategic impact of the risk and determining whether it should be included in the strategic risk register, and therefore reported to the Audit Committee/Board.

6.3 Reporting progress

A report will be provided to the Audit Committee to update on overall progress in managing risk. The report will include, but not be limited to, the following:

• Updates on key/significant risks and risk exposures

• A narrative explaining any key movements and trends

• Details of any new or emerging risks for consideration

• Reporting on the progress of agreed actions on an exceptions basis

• An assessment of any risks that should be formally highlighted to the Board and/or a specific governance committee(s).

1. This policy is based on British Standards (BS ISO 31000:2009) Risk management – principles and guidelines. This has been used as a guideline on which NHS Highland has designed and implemented its risk management policy, which is specific to our organisation.

Permission to reproduce the extracts from British Standards referred to in this document has been granted by BSI Standards Limited (BSI). No other use of this material is permitted. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: Tel: +44 (0)20 8996 9001, Email: [email protected]

Appendix 1 – Risk register template

Register header fields:
• Risk Register
• Risk Register Owner
• Date of Review

Columns for each risk:
• Risk Ref & Date Added
• Risk Owner – Executive Lead or appropriate senior manager
• Risk description – There is a risk of ‘x’, because of ‘y’, resulting in ‘z’
• Risk Category
• Current Mitigation – These are the control systems and processes that are already in place to address this risk.
• Current Risk Score – Likelihood (L) x Impact (I) = Risk Rating (RR)
• Further Action Required – Also state: Action Owner and expected implementation date.
• Target risk score – Likelihood (L) x Impact (I) = Risk Rating (RR)
• Assurance – Responsible Committee
• Last review date
• Movement since last review – ↑ ↓ ↔
• Acceptable Risk

Appendix 2 - Impact definitions

Each descriptor is defined for the five impact scores: Negligible (1), Minor (2), Moderate (3), Major (4), Extreme (5).

Reputation/credibility
• Negligible (1): Rumours, no media coverage. Little effect on staff morale.
• Minor (2): Local media coverage – short term. Some public embarrassment. Minor effect on staff morale/public attitudes.
• Moderate (3): Local media – long-term adverse publicity. Significant effect on staff morale and public perception of the organisation.
• Major (4): National media/adverse publicity, less than 3 days. Public confidence in the organisation undermined. Use of services affected.
• Extreme (5): National/international media/adverse publicity, more than 3 days. MSP/MP concern (Questions in Parliament). Court Enforcement. Public Inquiry/FAI.

Operational (examples): projects
• Negligible (1): Barely noticeable reduction in scope, quality or schedule.
• Minor (2): Minor reduction in scope, quality or schedule.
• Moderate (3): Reduction in scope or quality of project; project objectives or schedule.
• Major (4): Significant project over-run.
• Extreme (5): Inability to meet project objectives; reputation of the organisation seriously damaged.

Operational (examples): business services
• Negligible (1): Interruption in a service which does not impact on day to day business activities.
• Minor (2): Short term disruption with minor impact on business activities.
• Moderate (3): Some disruption in service with unacceptable impact on business activities.
• Major (4): Sustained loss of business services which has serious impact on day-to-day activities.
• Extreme (5): Permanent loss of core business services or facilities. Disruption to facility leading to significant “knock on” effect.

Operational (examples): staffing and training
• Negligible (1): Short term low staffing level temporarily reduces quality (< 1 day). Short term low staffing level (>1 day), where there is no disruption to business services.
• Minor (2): Ongoing low staffing level reduces quality. Minor error due to ineffective training/implementation of training.
• Moderate (3): Late delivery of key objective / business activities due to lack of staff. Moderate error due to ineffective training/implementation of training. Ongoing problems with staffing levels.
• Major (4): Uncertain delivery of key objective/activity due to lack of staff. Major error due to ineffective training/implementation of training.
• Extreme (5): Non-delivery of key objective/activity due to lack of staff. Loss of key staff. Critical error due to ineffective training/implementation of training.

Operational (examples): recommendations and reports
• Negligible (1): Small number of recommendations which focus on minor quality improvement issues.
• Minor (2): Recommendations made which can be addressed by low level of management action.
• Moderate (3): Challenging recommendations that can be addressed with appropriate action plan.
• Major (4): Enforcement action. Low rating. Critical report.
• Extreme (5): Prosecution. Zero rating. Severely critical report.

Financial/value for money (including damage / loss / fraud)
• Negligible (1): Negligible organisational/personal financial loss.
• Minor (2): Minor organisational/personal financial loss.
• Moderate (3): Significant organisational/personal financial loss.
• Major (4): Major organisational/personal financial loss.
• Extreme (5): Severe organisational/personal financial loss.

Compliance/regulatory
• Negligible (1): Unlikely to be challenged.
• Minor (2): Could be challenged but defended.
• Moderate (3): Could be challenged and need to be defended.
• Major (4): Moderate breach of legislation.
• Extreme (5): Major breach of legislation with extreme impact.

Appendix 3 – Risk Registers

Risk Registers should be in place for each of the following areas:

1. Strategic Risk Register

2. Directorate Risk Registers for:
• Public Health
• Finance (including Facilities, Procurement)
• HR
• Medical Directorate
• Nursing, Midwifery and AHPs (including Infection Control)
• Infection Control – nursing
• Chief Operational Officers (including eHealth and Pharmacy)

3. Operational Units:
• Raigmore
• South and Mid
• North and West
• Argyll and Bute