hertfordshire community nhs trust · quality - we strive for excellence and effectiveness at all...

Risk Management Strategy 2017-2022, V.4

Hertfordshire Community NHS Trust

Risk Management Strategy

(2017 to 2022)


Version Control:

Edition: 4

Version: 4 – Annual review

Ratified by: Hertfordshire Community NHS Trust Board TBC

Date ratified: December Strategy and Resources Committee (SRC) 2017 and January Board 2018

Name & Designation of authors:

T Westley : Assistant Director Risk & Quality Assurance

Name of responsible committee:

Hertfordshire Community NHS Trust Board

Date issued for implementation:

February 2018

Review date: 2 years from date issued or earlier at discretion of the Executive Director or Author

Target audience: All Hertfordshire Community Trust (HCT) staff

Document History

Version Date Summary of Changes Authors Distribution

V2 Sept 2017

Amended to HCT Trust Strategy Template

T Westley

HCT Chair, (Board Risk Lead). Executive Team

HGC

V2 Sept 2017

Revised SWOT T Westley

V2 Sept 2017

Revised Risk Appetite T Westley

V2 Sept 2017

KPI revised to support assurance of milestone achievement

T Westley

V2 Sept 2017

Revised Benefit realisation T Westley

V2 Oct Revised Milestones T Westley

V3 Nov 2017

Revised in relation to SMT comments Updated working with key stakeholders, where are we now, assumptions and interdependencies

T Westley

HCT Chair, (Board Risk Lead). Executive Team

HGC

V4 Jan 2018 Board request for revised structure chart

T Westley Board

RISK MANAGEMENT STRATEGY 2017 TO 2022 CONTENTS


CONTENTS

1.0 EXECUTIVE SUMMARY ................................................................................................. 4

2.0 ORGANISATIONAL VISION AND VALUES .................................................................... 6

3.0 WHERE ARE WE NOW? ................................................................................................ 7

4.0 STRATEGIC CONTEXT ................................................................................................ 11

5.0 SWOT ANALYSIS ......................................................................................................... 12

6.0 VISION FOR RISK MANAGEMENT STRATEGY – WHERE DO WE WANT TO GO? .. 14

7.0 HOW WILL WE KNOW WE HAVE DELIVERED THE VISION AND THE STRATEGY’S OBJECTIVES? ......................................................................................................................... 15

8.0 STRATEGY – HOW WILL WE DELIVER THE VISION? ............................................... 17

9.0 FINANCIAL IMPLICATIONS OF DELIVERING THE STRATEGY ................................. 18

10.0 QUALITY IMPLICATIONS OF DELIVERING THE STRATEGY ..................................... 19

11.0 WORKING WITH KEY STAKEHOLDERS ..................................................................... 20

12.0 WORKFORCE AND ORGANISATIONAL DEVELOPMENT .......................................... 21

13.0 BENEFITS REALISATION ............................................................................................ 23

14.0 RISK / ISSUES and MITIGATIONS ............................................................................... 24

15.0 ASSUMPTIONS, INTER/DEPENDENCIES, CONSTRAINTS ....................................... 26

APPENDIX A - GLOSSARY OF TERMS AND ABBREVIATIONS ............................................ 27

APPENDIX B – RISK APPETITE .............................................................................................. 28

APPENDIX C – ACHIEVEMENT OF THE STRATEGY’S OBJECTIVES .................................. 30

APPENDIX D – COMMITTEE STRUCTURE ............................................................................ 35

APPENDIX E – RISK REPORTING FRAMEWORK.................................................................. 38

RISK MANAGEMENT STRATEGY 2017 TO 2022


1.0 EXECUTIVE SUMMARY

1.1 This Risk Management Strategy sets out HCT’s vision and approach to Enterprise Risk

Management (herein known as RM) over the next five years.

1.2 High level summary of the Risk Management strategy : The Trust expects all staff to subscribe to its vision, values and strategic objectives to which this strategy relates. This strategy is therefore integral to the work of all the Trust’s Directorates/Business Units and supports the delivery of Trust strategic objectives. It sets out why effective enterprise risk management is important for HCT at this time, and describes both the current and aspirational status of risk management The Risk Management Strategy aims to support delivery of HCT strategic Objectives. A Glossary of Terms to support this document can be found in Appendix A. Hertfordshire Community NHS Trust (HCT – the Trust) is committed to ensuring all services are provided to a high quality. The Board of Directors recognise that successful risk management must be forward thinking, must be the responsibility of all, must be comprehensive and coordinated, and that proactive and continuous identification and management of risk is essential to the delivery of high value healthcare. Further the Trust recognises that risk management is integral to all elements of Trust business and should be embedded in the Trust’s philosophy, practices and business at all levels throughout the organisation enabling a sustainable organisation fit to deliver current and future business activities.

1.3 Summary of main elements The Trust acknowledges that there is progress to be made in order that risk management becomes an instinctive part of the everyday working practice of staff and not a bureaucratic process, and that staff feel fully empowered in managing risk. The key milestones in 2017 – 2022 to achieving our vision are outlined in Chapter 7 and Appendix C. Risk management will fully support the delivery of HCT’s strategic objectives. The key outcomes for patients, staff and stakeholders, which will continue to be demonstrated as a result of this strategy, are: Patients, carers and their families will be confident that they will:

receive excellent patient-centred care in an environment that promotes their safety, well-being and satisfaction as well as that of visitors and staff

receive care in an organisation which promotes a culture of creativity and innovation, in which risks are identified, understood and proactively managed.

Every member of staff will:

be involved in, and take responsibility for, the identification, management and minimisation of negative / harmful risks in their day to day work

be involved in, and take responsibility for the identification, management, and realisation of opportunistic risks within the Trust risk appetite in their day to day work

escalate risks without delay, including incidents and feedback with potential or actual serious impact

be competent to consistently describe and measure the impact and consequence of risks and the outcomes of effective risk management


make informed management decisions based on risk HCT will demonstrate increased risk maturity through:

sharing identified risks and their management in an open and transparent way

be seen to continuously learn from and review the efficiency of its risk management.

be recognised for best practice in relation to risk management Therefore the Board will be confident in their systems of internal control and be provided with assurance on the effectiveness of systems in place throughout all levels of the Trust to ensure risks are being managed and mitigated. Risk management reports will be provided to the Board and linked to reviews of the risk management strategy.

1.4 Summary of main objectives are as follows:

Become a high performance, quality and risk managed organisation through an embedded risk management culture

Build individual and organisation risk management capability through an engaged and trained workforce

Establish integrated electronic risk management systems to support business function

1.5 The vision of the Risk Management strategy is set out below:

“HCT has an embedded positive risk management culture enabling self-managed teams and attainment of strategic objectives“

1.6 The goals are: Embedded Risk Management Strategy

Exemplar governance arrangements in place articulating delivery of the Trust’s strategic objectives

Exemplar risk policies and operational procedures to support and enable decision making for effective safe clinical care, improved patient experience and sustained effective financial management

An annual training programme

Embedded consistent risk reporting

Electronic risk register deployment providing a practical tool which enables effective prioritisation and decision making by identifying priorities for action and revealing operational areas for improvement

Integrated electronic risk management reporting, supporting integrated business planning

1.7 It will be delivered through:

Repeated review of governance arrangements, including management information

annual review and agreement of risk appetite

a dedicated Risk Management plan

learning from collated risk data and sharing across the Trust

delivery of an effective training programme supporting organisation sustainability

Delivery of the strategy is set out in the expected milestones (Appendix B) which will be monitored by the Audit Committee and annually by the Board.


2.0 ORGANISATIONAL VISION AND VALUES

2.1 HCT’s vision is:

“to maintain and improve the health and wellbeing of the people of Hertfordshire and other areas of the Trust”

2.2 To achieve this vision HCT has agreed the following five clear objectives:

1. We will support the people we serve to manage their own health and wellbeing

2. We will improve clinical outcomes and enhance patient safety

3. We will support the substantial expansion of community services through the delivery of excellent core services for adults and children and the development of ambulatory services

4. We will use resources efficiently to enhance our ability to improve services

5. We will develop the organisational capacity to deliver our vision and objectives

2.3 Underpinning HCT’s strategy are Five Core Values:

Care - We put patients at the heart of everything we do.

Respect - We always respect patient privacy and confidentiality

Quality - We strive for excellence and effectiveness at all times. D

Confidence - We do what we say we will do

Improve - We will improve through continuous learning and innovation.

2.4 The Trust is committed to delivering ‘High Value Healthcare’ which we define as having four components:

Excellent clinical outcomes

An outstanding patient experience

Consistent and improving patient safety

Highly efficient and cost effective

RISK MANAGEMENT STRATEGY 2017 TO 2022 STRATEGIC CONTEXT


3.0 WHERE ARE WE NOW?

3.1 The Trust is committed to a unified approach to risk management and has integrated

safety and incident reporting systems. The Trust has developed a governance system of internal control (SIC) which ensures that the strands of governance such as financial, clinical, operational and research are brought together in a coherent way.

Key Features Effective Enterprise Risk Management

Governance

Robust Risk Management underpins all decisions and business

planning to deliver strategic objectives

Risk Appetite

Organisational approach towards risk

Each risk is assessed to determine if within the risk Trust appetite

of acceptable risk (as per risk score and type of risk)

Risk

Identification

Context and impact on Trust strategic objectives is considered

Type of risk – Clinical, Organisational/Strategic, Financial, Reputational, Health & Safety, Information, Environmental

“cause” of the risk, its predicted “effect” and impact

potential “adverse / opportunistic consequence”

Risk

Assessment

Description of the risk including type, effect and adverse

consequences

Evaluation/quantification of potential financial and non-financial

impact – as per risk matrix scores (1-5) of likelihood and

consequence

Management approval of risk assessment including efficacy of

controls and assurances, risk score against Trust risk appetite,

Efficacious

Controls and

Assurances

Sources of internal and external assurances (audits/reviews) and

controls (reports to committees/Trust Board) identifies a

developing awareness and use of controls assurance

assurances.

Risk

Mitigation(s)

Decisions and actions to address the “cause” of the risk by

improving existing controls and assurances resulting in a

reduction the consequence and/or likelihood to within an

acceptable / manageable risk appetite level.


The Trust undertakes regular revision of its risk appetite and aligns this within the Risk Management Policy and process. Appendix B outlines the risk appetite initial position and future aspirations.

The Trust is committed to an integrated governance approach to risk management which is achieved by a structure that functions to support a coordinated approach to governance and risk management. The Trust’s system of internal control is underpinned by the governance committee structure (Appendix D).

The key committees with responsibility for receiving assurances on risk management and the delivery of this strategy are the Trust Board and three of its sub-committees; Audit Committee, Healthcare Governance Committee, Strategy and Resources Committee and the Executive Team. All committees, sub–committees, groups and forums have responsibility to identify and escalate risks to the parent committee and thus to Board via the Assurance and Escalation Framework.

This is further supported by the Trust’s commitment of compliance with the registration requirements of the Care Quality Commission. It is based upon a re–iterative internal risk management process and a live risk reporting framework showing movement between service and Board (Appendix E). The Board Assurance Framework (BAF) assesses the principle risks to achieving the Trust corporate objectives. This framework enables identification of risks to achieve the organisation’s strategic objectives; to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically, identifying gaps in control and gaps in assurance which require action and monitoring.

3.2 HCT has adopted the IRM iterative approach to risk management; this ensures that risks are identified and managed by staff with the appropriate level of knowledge and responsibility for the specific risk faced. This includes the authority to identify and implement appropriate actions. This approach allows the escalation of risk through service, business unit and corporate structures when the likelihood changes or significant risk have been identified

Executive Directors have the responsibility to manage risks on the BAF and risks on the HLRR (current score 15 and above) in particular where the risk extends across a


corporate directorate and is not limited to a business unit or service within that directorate. Assistant/ Deputy Directors have the responsibility to manage risks on the HLRR (current score 15 and above) where the risk is limited to their area of responsibility within the business unit or corporate directorate and risks on their business unit/corporate directorate risk register (current score less than 15) where the risk extends across the business unit or corporate directorate and is not limited to a service. Line Managers have the responsibility to manage risks on the business unit/corporate directorate risk register where the current risk score is less than 15 and where the risk is limited to their area of responsibility.

What does this mean for people who use our services? HCT will put patients first. The patient will feel HCT undertakes a risk managed approach to provide innovative programmes of care which are aimed at maintaining and improving the health and well-being of people for whom HCT are commissioned to provide services, therefore delivering risk managed high value healthcare. This supports HCT’s belief to deliver the right care at the right time to the right person. It ensures staff are trained to assess and manage healthcare for those people who use our services

3.3 A revised Risk Management Strategy was signed by the Board in November 2014 and

supports the Risk Management Framework. This has undergone a further revision in March 2015 to a Trust template and has enabled a review of the current strengths, weaknesses, opportunities and threats to be considered. In addition the strategy milestones have been articulated into the objectives found in Appendix C.

3.4 To date the Risk Management Implementation Plan has identified an improved

understanding of RM at Executive, GM and middle management (service lead) level. However turnover and organisational change determines improvement in consistency of application.

3.5 An approved Board Assurance Framework which is aligned to the Trust corporate

objectives and records the strategic risks, which are detailed in the electronic risk register.

3.6 The Risk Management policy in place since 2015 has been refreshed in line with the

revised strategy. The policy describes HCT’s approach to risk management, including process, roles and responsibilities. The Chief Executive has overall responsibility for the Trust risk management processes.

3.7 Capability development of the RM Team has been initiated in line with milestones to

enabling business continuity and resilience. 3.8 The RM Framework includes an Escalation Framework underpinning operational

application and RM decision-making. This has supported the intention for “I AM Responsible” for RM to be operationalized and is being monitored by the Executive Team.

3.9 Deployment of the electronic Risk Register has been undertaken and is being supported

with a frontline Risk Management programme: “Delivering Safer Care” and preliminary use of risk surgeries to support operational understanding. This will support consistency


in application of the risk management process throughout all decision-making, clinical and non-clinical. The Risk Register also supports both business planning process and integrated business working and performance management of the strategic objectives.

3.10 Risk management principles are embedded in HCT’s approach to project risk

management of change whilst being sufficiently balanced to allow for the development of innovative practice and are monitored and reviewed through the PMO and QIA process which has been revised in Q2 of 2017/18.


4.0 STRATEGIC CONTEXT

4.1 The national, local and regional drivers which influence the Risk Management Strategy include: National Drivers

Operating Framework

Commissioning Intentions

National reports, Francis Report, Savile Report

Regulatory requirements i.e. CQC, GDPR, H&S Regulations Regional and Local Drivers

Demographic growth projections – Office for National Statistics (ONS)

Non-demographic growth projections

HCT planned Service Developments

All HCT strategies

HCT Delivery Plan

4.2 The main elements impacting upon HCT’s Risk Management Strategy are outlined in the national drivers above and the local drivers below: Local Drivers

Commissioning intentions - changing to block contracts, impact of Health & Social Care partner commissioning, changes in HBLIT contractual arrangements, STP and ACO/ ACS developments all need consideration as part of the implementation plan.

CQUIN delivery

Quality Priority delivery

RISK MANAGEMENT STRATEGY 2217 TO 2022 SWOT


5.0 SWOT ANALYSIS

5.1 HCT has revised its SWOT analysis in Q3 of 2017/18. Key elements are outlined below.

Table 6 SWOT

Strengths to Build On Weaknesses to Address

Board open to discussion & review

Quality Impact Assessment process linked to all PID, service developments and CIP decisions

Open culture

Learning and Development

Risk architecture (including Key Milestones, Developed risk escalation framework to and from board/service, risk policy, agreed risk appetite)

Live risk registers

Business Unit Performance Reviews encompass risk

Risk appetite evaluation (annual)

Good CQC registration

Infancy of Horizon scanning impacting upon across all strategies

Business Information Support developing in house

Risk Culture in infancy – inconsistent application

Limited learning from trends and near misses

Limited specialist risk skill set available

Risk aggregation requires development

QIR (Quality Impact Reviews) of PID and CIP decisions limited

Opportunities to Maximise Threats to Mitigate

Positive partner arrangements within Herts

Developing partner arrangement’s across STP programme

ACO/ ACS Development

Government Policy

Political Interest

Market bids, supporting income generation and reputation for High Value Health Care

Well managed risk optimises opportunities

External RM delivery

Government Policy

Commissioners unwilling to adopt innovation/ enhanced practice

Loss of Market bids

Political Interest

External RM delivery

Changes in commissioning intentions

Notice to tender services

5.2 Building on Strengths The Trust risk management framework encompasses:

A risk management strategy from providing the overall strategic aims to enable the Trust to achieve its overall vision

A risk management policy which describes HCT’s approach to risk management, including process, roles and responsibilities. The Chief Executive has overall responsibility for the Trust risk management processes

A ‘live’ risk register held on an electronic management system, which includes current historical risk assessments and record of current risk status and is linked to analysis of complaints and incident reporting


An approved Board Assurance Framework which is aligned to the Trust

corporate objectives and records the strategic risks, which are detailed in

the electronic risk register

Risk management principles which are embedded in HCT’s approach to

project risk management of change whilst being sufficiently balanced to

allow for the development of innovative practice

Risk management principles which are embedded within t h e business

planning process requiring c o r p o r a t e directorates and business units

to identify and record risks linked to the integrated HCT strategies and

annual planning process.

5.3 Addressing Weaknesses

Developing specialist risk skill is being addressed through internal and external development programmes leading to a mixture of external RM qualification achievement and experiential outcomes within the RM Team. Whist bringing initial additional financial impact upon the service, it provides capability to the organisation and long-term support for consistency in approach including consistency of support to frontline staff. The organisational risk culture continues to develop, there remains and improved yet inconsistent application of RM tools. The in-house educational support and development of RM through achievement of external qualification will further develop the in-house RM education programme and reduce the inconsistency. The impact of horizon scanning across all strategies and scoping of new technology to support this work is to be further has been considered for further potential financial implications. Project Initiation Documents and Quality Impact Assessments are reviewed in year and will continue to be monitored to ensure due governance applied. Risk appetite is refreshed annually in light of business opportunities and threats. This is reviewed and signed off at Board. Further development of risk aggregation tools will support the risk appetite review. Further integration between risk management and Trust Business Information Platform will be undertaken to ensure exemplar governance arrangements are supported by robust Business Information.

RISK MANAGEMENT STRATEGY 2017 TO 2022 DELIVERING THE VISION


6.0 VISION FOR RISK MANAGEMENT STRATEGY – WHERE DO WE WANT TO GO?

6.1 The HCT Risk Management vision has been determined so that it:

Reflects the key drivers and strategic context outlined in Sections 3 and 4

Supports HCT deliver its Vision and Strategic Objectives

Builds on strengths and maximising opportunities from the SWOT

Addresses weaknesses and mitigating threats from the SWOT

6.2 The vision for the Risk Management strategy is to:

“Embed a positive risk management culture enabling self-managed teams and

attainment of strategic objectives Risk Management Strategy Key Objectives – over five years

6.3 The Risk Management vision will be delivered through the achievement of three key objectives:

I. Become a high performance, risk managed organisation through an embedded risk management culture

II. Build individual and organisation risk management capability through an engaged trained workforce

III. Establish integrated electronic risk management systems to support business function

Key Initiatives

6.4 HCT’s Risk Management Strategy is structured under four key Initiatives. These are:

I. Board evaluation

II. Training programme

III. Scoping horizon scanning (automated)

IV. Integrating the electronic RM system into the HCT Business Information Platform


7.0 HOW WILL WE KNOW WE HAVE DELIVERED THE VISION AND THE STRATEGY’S OBJECTIVES?

7.1 The Trust will have achieved the RM Strategy’s vision and objectives through the

achievement of a number of goals.

7.2 The next section outlines the projects / implementation plan to deliver the goals. The Goals and targets which will demonstrate HCT has achieved its Vision and objectives are outlined below. Appendix C includes a more detailed table including all SMART targets and milestones. Objective 1 - Become a high performance, risk managed organisation through an embedded risk management culture

Goal Description How Success will be

measured - KPIs When

Achieved

1 Embedded Risk Management Strategy

Risk strategy reviewed Risk strategy refreshed in line with revised SWOT

Q3 2017/8

2 Exemplar governance arrangements

Board agreement of risk appetite Risk Appetite informs annual review of KPIs Quality Impact assessment monitored and quality impact reviews completed BU plans have QIA with risks managed via Risk Register BAF signed off at the Trust Board

Annual Annual Quarterly Monthly Monthly

3 Exemplar risk policies and operational procedures

Revision of Risk Management Policy Assurance and Escalation Framework revised

In line with strategy review

4 Operational RM Escalation applied

Develop risk operational summit agreements in line with management information reports

Q4 2017

5 Trust Strategic Objectives are met

All Trust strategies demonstrate milestones achievement, with escalation or risks to achievement received in respective Board sub-committee

Annual


Objective 2 - Build individual and organisational risk management capability through an engaged trained workforce



Achieved

1 An annual training programme

Delivering Safer Care agreed with Learning & Development Service managers able to identify, analyse, mitigate and management risks effectively Consistent risk scoring and evaluation of risk management in BUPR Continued delivery of risk surgeries to support staff understanding Develop risk management capability within the Risk Team through external qualification/ experiential learning

Annually Q4 Monthly through BUPR Monthly through BUPR Q1 2016 Q4 2018 Q4 2019

2 Embedded consistent risk reporting

Supported via risk surgeries all service leads self-activate monthly risk reporting Provide additional individual coaching as part of induction process

From Q4 2017 From Q4 2017

Objective 3 - Integrated electronic risk management system



Achieved

1 Electronic risk register deployment

Review Datix capability and retain licence Revised Datix modules to support IG management

Annually January Q1 2015

2 Integrated electronic RM reporting

Internal integration with HCT Business & Information Platform Routine service reporting undertaken by GMs

Q1 2018 Q4 2019

RISK MANAGEMENT STRATEGY 2017 TO 2022 FINANCIAL IMPLICATIONS


8.0 STRATEGY – HOW WILL WE DELIVER THE VISION?

8.1 The Risk Management Strategy will be achieved through the delivery of a number of

key projects which are outlined and linked to the objectives laid out in Appendix B

8.2 Risk assessment is a repeated process and all risks are periodically reviewed and reassessed in view of contextual changes. Reassessment is undertaken proactively at intervals proportionate to the risk magnitude and risk appetite as well as reactively in response to anticipated or known changes. Risk appetite is explored for strategic and operational risks throughout the BAF, High Level Risk Register (HLRR) and Business Unit or Corporate Directorate risk registers and evidence considered before deciding if residual risks are acceptable or not.

All strategic risks are reviewed by the Executive Team who will confirm their management through the content of the BAF in preparation for presentation to the Board for their consideration.

All high level risks (risk score 15 - 25) are reviewed by the Executive Team who take responsibility and confirm management through the content of the HLRR in preparation for presentation to the Board for their consideration.

All lower level risks (risk score less than 15) are reviewed by the General Manager, Deputy Director or Director (risk owner) who confirm their management through the content of the Business Unit/Corporate Directorate risk registers.

8.3 Risks which are not considered acceptable (outside the Trust risk appetite) will be

managed through strategic and operational change or transferred out (e.g. by contracting out) leaving acceptable (and opportunity) risks. Such risks are managed and mitigated through the Trust’s risk management processes and retained risks are recorded and reviewed through the Trust’s risk registers.

8.4 In accordance with the Risk Escalation framework when monitoring the acceptable

risks, the Board, its subcommittees and the Executive Team will consider:

existing controls to determine whether the risk score is appropriate

whether identified additional controls are suitable and sufficient to mitigate the risk within appropriate timescales

whether there are links between identified risks, which point to broader corporate issues

whether identified risks represent risks to the Trust’s strategic aims and should therefore be escalated to the Board Assurance Framework (BAF)

8.5 Committee observations and required actions will be communicated to the parent

committee reporting to the Board via the Chair’s report. These will be considered by the committee under the standing agenda item of “Reflection and issues for escalation” and be focused towards assurance, escalation, integration (interdisciplinary work recommended) or the commissioning of additional actions / monitoring by a junior committee.

8.6 In summary HCT’s delivery plan and associated strategies will have specific elements within to ensure exemplar risk management is sustained throughout their implementation, with clear leaders identified as outlined in section 12.

RISK MANAGEMENT STRATEGY 2017 TO 2022 FINANCIAL IMPLICATIONS


9.0 FINANCIAL IMPLICATIONS OF DELIVERING THE STRATEGY

9.1 The delivery of the strategy is subject the mitigation of the following financial implications.

9.2 Electronic License agreements: Significant time has been placed upon training in relation to a specific electronic risk management system. This system is web based and incurs an annual license fee, prone to fluctuation dependent upon modules used within the system

9.3 Furthermore the backup system required for historical legal data requires service support currently contracted out to a third provider. Maintenance of ICT support to manage the Electronic Risk Management system in place is reliant upon contracts with the third provider as noted above; this includes software upgrade to ensure fully functioning electronic systems. Thus the work aligned to this strategy has been integrated into the IT strategy work plan. This requires contract negotiation and associated financial penalties for non-delivery or contract amendments.

9.4 Organisational capability and sustainability requires external risk management training and qualification for identified RM staff. This incurs training costs for the whole 5 year plan which are subject to annual review and require placing in RM budget.

9.5 Scoping of future automated horizon scanning tools in year 2 and 3 will also bring additional cost not currently held within the budget or within the IT strategy implementation plan. Developments of an internal business platform may negate this potential additional cost.

9.6 Changes to the claims programme from April 2015 will also affect financial reward/payment incurred through litigation and will continue to be monitored and reviewed annually. Effective application of RM objectives will help mitigate future litigation claims.

RISK MANAGEMENT STRATEGY 2017TO 2022 QUALITY IMPLICATIONS


10.0 QUALITY IMPLICATIONS OF DELIVERING THE STRATEGY

10.1 Full delivery of the strategy embedding an exemplar risk management culture will demonstrate a reduction in litigation claims, reduction in harm to patients and staff, increasing growth in contracting and an increased ability of self-managed teams.

10.2 Quality contract arrangements will be achieved supporting the Trust strategic objectives and specifically positive patient outcomes, improved patient experience and achievement of the financial long term delivery plan.

10.3 Additional contractual awards are achieved in recognition of an embedded effective risk management culture enabling sustainability as a quality care provider.

RISK MANAGEMENT STRATEGY 2017TO 2022 WORKING WITH STAKEHOLDERS


11.0 WORKING WITH KEY STAKEHOLDERS

11.1 HCT undertook to communicate and engage with relevant stakeholders throughout

the formation of the 2014 is strategy. There has been internal involvement of staff in the revision this strategy, with a partnership approach to support safe effective service delivery helping to mitigate negative risk and maximise opportunities to support the Trust objectives.

RISK MANAGEMENT STRATEGY 2017TO 2022 WORKFORCE & ORGANISATIONAL DEVELOPMENT


12.0 WORKFORCE AND ORGANISATIONAL DEVELOPMENT

The delivery of this strategy is dependent not only on the responsibility delegated to key committees and their integrated reporting structure but also through the responsibilities held within key roles in the Trust. More detail on the roles and responsibilities to service level are outlined in the Risk Management Policy.

12.1 Chief Executive of HCT The Chief Executive Officer is the Accountable Officer for the Trust and has overall accountability and responsibility for the operational implementation of this strategy, development of the Annual Governance Statement and for ensuring that Executives and Non-Executive members of the Trust Board access annual training and education for risk management in healthcare.

12.2 Director of Quality & Governance/Chief Nurse

The Director of Quality & Governance/Chief Nurse has delegated overall responsibility from the Chief Executive Officer and is the Executive Lead Director for ensuring that all risk and assurance processes are devised, implemented and embedded throughout the organisation and reports to the Chief Executive and Executive Team any significant issues arising from the implementation of this strategy including evidence of non-compliance or lack of effectiveness arising from the monitoring process so that remedial action can be undertaken.

As Chief Nurse the Director of Quality & Governance has responsibility for seeking assurances on the management of risks related to professional practice of nurses and allied health professionals in the Trust, liaising with the Trust’s lead Allied Health Professional (AHP) and professional bodies as required.

12.3 Medical Director

The Medical Director has responsibility with the Director of Quality & Governance/Chief Nurse for clinical risk management and clinical governance, and is jointly responsible with the Director of Finance for information governance. The Medical Director is the Caldicott Guardian, and facilitates medical and dental staff compliance with all safety and risk management procedures and seeks assurances on the management of risks related to their professional practice and revalidation, liaising with professional bodies as required.

12.4 Director of Finance

The Director of Finance has responsibility for ensuring that the Trust operates within financial constraints and balances competing financial demands and coordinates the internal audit programme for the Trust. The Director of Finance is the SIRO (Senior Information Risk Owner) for the Trust with delegated responsibility for information governance risk management.

12.5 Company Secretary

The Company Secretary is responsible for maintaining the BAF on behalf of the Board and the Executive Team and ensuring that it is presented to the Board and Audit Committee at the agreed intervals.


12.6 Executive Directors and Executive Team

The Executive Directors are accountable to the Chief Executive for all areas of risk and assurance in respect of their areas of remit. As such, in addition to being collectively responsible as an Executive Team, they are also individually accountable to the CEO, the Audit Committee and the Board. This includes taking responsibility for risks populating the BAF and ensuring within their directorates the appropriate and timely populating, and reporting of effective management including escalation of risks within risk registers. Executive Directors are responsible for directing the implementation of the risk strategy and associated policies and ensuring that risk management arrangements are embedded within their areas of responsibility.

12.7 Assistant Director of Risk and Quality Assurance

The Assistant Director Risk and Quality Assurance is accountable to the Director of Quality & Governance and Chief Nurse, and has delegated responsibility for the implementation of risk management and clinical assurance processes across the Trust working through the Risk & Assurance Team and with the Directors, Deputy Directors, General Managers and Service/Locality Managers in the Trust. The Assistant Director Risk and Quality Assurance is responsible for maintaining progress against the milestones outlined in the risk management strategy, and for ensuring the HLRR is maintained on behalf of the Board and the Executive Team and analysing the CQC Quality & Risk Profile for the Trust and ensuring they are presented to the Board and Audit Committee at the agreed intervals.

12.8 Non-Executive Directors

The Board chair is the designated Non-Executive link for the Risk Strategy. All Non-Executive Directors have been consulted in the development of the strategy. All have responsibility to provide appropriate objective challenge and to seek assurance of effective implementation.

12.9 All Staff

All staff have a responsibility to be familiar and comply with the Trust’s risk management policies and processes, and to identify, assess and report risks, and to mitigate risks over which they have control in their daily work and to cooperate with their line managers in respect of the line manager’s responsibilities. This includes using the Assurance and Escalation Framework to raise concerns. They are also responsible for undertaking training identified by their line manager and to report known breaches of compliance with the risk management policies whether by others or by themselves.

RISK MANAGEMENT STRATEGY 2017 TO 2022 BENEFITS REALISATION


13.0 BENEFITS REALISATION

13.1 The key intended benefits the strategy will achieve are:

Staff feel well supported and have the resilience to adapt and deliver what is required of them.

Services are well led and staff are confident acting as leaders whatever their role.

Self- managed teams demonstrate safe, clinically effective, efficient service delivery.

The Trust delivers the milestones within all strategies

The Trust has resilience and strengthened adaptability through the embedded pro-active risk management culture.

RISK MANAGEMENT STRATEGY 2017 TO 2022 RISKS / ISSUES AND MITIGATIONS


14.0 RISK / ISSUES and MITIGATIONS

14.1 The main risks to successfully achieving the objectives of this strategy include:

Failure to engage and retain all stakeholders from service to Board in this iterative framework.

Ineffective Horizon scanning, including automated models therefore missing opportunities or threats to future HCT business and thus under minding compromising the vision to embed an exemplar risk management culture

Limited capability within the RM during external development.

Limited ability to scope and acquire additional automated electronic platforms to support the process, including formation and agreement of the annual risk appetite as future business is developed.

14.2 Responsibility for managing these risks remains with the Executive Team with major

risks escalated to the Trust Board. 14.3 These risks will be monitored within the overall Risk Management regime established

within HCT. As such high risks issues are reported to the Board on a bi-monthly basis. 14.4 Risk is scored via a 5 by 5 matrix which assesses the potential impact of a risk

occurring and its likelihood of occurring.

14.5 Whilst not exclusive, mitigating actions generally reduce the likelihood of a risk occurring.

14.6 Risks are defined using the following structure: There is a risk that:

X” Cause may lead to

“Y” Effect resulting in

“Z” Adverse Consequence

It is a model based on work by the International Risk Management (IRM) Organisation and the National Learning and Reporting System (NRLS).

There is a Risk that…

“X (Cause) may lead to Y (effect) resulting in Z (adverse consequence)”

C L Score CxL

Mitigating Actions

1

2

3


Risk scoring = Consequence (C) x Likelihood (L)

Likelihood (L) 1 2 3 4 5

Rare Unlikely Possible Likely

Almost Certain

5 Catastrophic 5 10 15 20 25

4 Major 4 8 12 16 20

3 Moderate 3 6 9 12 15

2 Minor 2 4 6 8 10

1 Negligible 1 2 3 4 5

14.7 Risk will have mitigation actions to address gaps in either controls or assurance of

efficacy of those controls. This will be monitored through the risk escalation framework at all levels of the organisation from service to Board as the strategy is fully realised.



15.0 ASSUMPTIONS, INTER/DEPENDENCIES, CONSTRAINTS

15.1 The Risk management strategy is a supporting strategy of HCT and has therefore

utilised the following inputs to shape and drive the organisational needs that the strategy needs to serve:

a. Operational Delivery Plan

b. Long Term Financial Model

c. Market Strategy

d. Health and Wellbeing Strategy

e. Workforce & Organisational Development Strategy

f. Partnership Strategy

g. Risk Management Strategy

h. Estates Strategy 15.2 Implementation of the strategy depends on having sufficient capacity within the Quality

and Governance corporate directorate to lead the range of developments set out and provide the necessary level of support to the organisation.

15.3 Progress in implementing the strategy will be monitored through the Executive team

and will be reviewed on a regular basis through the Audit Committee (Trust Board sub-committee). Regular progress updates will also be taken to the Trust Board as part of the Director of Quality and Governance report and via the Trust Annual Report.



APPENDIX A GLOSSARY OF TERMS AND ABBREVIATIONS

Abbreviations bespoke or specific to this strategy Abbr Definition

HBLIT Supports IT risk management software

NRLS National reporting and Learning System

RM Enterprise risk management – A management culture that works across and through the whole business of the organisation

Other Common / High level Abbreviations within HCT Abbr Definition Abbr Definition

ADO Assistant Director of Operations IPA Integrated Point of Access

ACO Accountable Care Organisation LTC Long Term Conditions

ACS Accountable Care System LTFM Long Term Financial Model

CCG Clinical Commissioning Groups Monitor Independent Regulator of Foundation Trusts

COPD Chronic Obstructive Pulmonary Disease MDT Multidisciplinary Team

CQC Care Quality Commission NHSI NHS Improvement

D2A Discharge to Assess NHSR NHS Resolution

DH Department of Health NHSE NHS England (National Commissioning Board)

EDS Equality Delivery System NMET Non-Medical Education & Training

EIS Early Implementation Sites OD Organisational Development

EWTD European Working Time Directive ONS Office of National Statistics

GP General Practice / General Practitioner OT Occupational Therapy

GDPR General Data Protection Regulations QIPP Quality Innovation Productivity Prevention

HCC Hertfordshire County Council RR Rapid Response

HCP Healthy Child Programme SaLT Speech and Language Therapy

HCT Hertfordshire Community NHS Trust SIP (Hertfordshire’s) System Integrated Plan

HF Home First SPOC/A Single Point of Contact / Access

HWBS Health and Well Being Strategy SWOT Strengths Weaknesses Opportunities Threats

IM&T Information Management & Technology VW Virtual Ward

RISK MANAGEMENT STRATEGY 2017 TO 2022 APPENDICES


APPENDIX B – RISK APPETITE

HCT Risk Appetite by Risk Domain aligned with matrix adopted from Good Governance Institute Domain Definition Level

2017/18 Appetite

17/18 Aspirational

Level 2020/2021

Aspirational

Appetite 2020/2021

Financial Prepared to invest for return and minimise the possibility of financial loss by managing the risks to a tolerable level. Value and benefits considered (not just cheapest price). Resources allocated in order to capitalise on opportunities. – Expansion new business within Hertfordshire

3 Open

High

5 Mature

Significant

Compliance / Regulatory

Limited tolerance for ‘placing HCT out of step with expected standards’. Want to be reasonably sure we would win any challenge.

2 Cautious

Moderate 5 Mature Significant

Innovation / Quality Outcomes

Innovation pursued – desire to ‘break the mould’ and challenge current working practices. New technologies viewed as a key enabler of operational delivery. High levels of devolved authority – management by trust rather than tight control.

4 Seek

Significant

4 Seek

Significant

Reputation

Tolerance for risk taking limited to those events where there is little chance of any significant repercussion for the organisation should there be a failure. Mitigations in place for any undue interest.

2 Cautious

Moderate

4 Seek

Significant

Key to level 0 Avoid Avoidance of risk and uncertainty is a key organisational objective Appetite: None

1 Minimal As little as reasonably possible(ALARP) - Preference for ultra-safe delivery options that have a low degree of inherent risk and only for limited reward potential

Low

2 Cautious Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward

Moderate

3 Open Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and Value for Money)

High

4 Seek Eager to be innovative and to choose options offering potentially higher business rewards (despite greater inherent risk)

Significant

5 Mature Confident in setting high levels of risk appetite because controls, forward scanning and responsiveness systems are robust

Significant



HCT Risk Appetite by Strategic Objective aligned with matrix adopted from Good Governance Institute

Objective Definition Level 2017/18

Appetite 2017/18

Aspirational level

2019/2021

Aspirational Appetite

2019/2021

We will support the people we serve to manage their own health and wellbeing

Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward. for

2

Cautious

Moderate

3 Open

High

We will improve clinical outcomes and enhance patient safety

(as little as reasonably possible) Preference for ultra-safe delivery options that have a low degree of inherent risk and only for limited reward potential

1 Minimal

Low

1 Minimal

Low

We will support the substantial expansion of community services through the delivery of excellent core services for adults and children and the development of ambulatory services

Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and Value for Money; VfM) – within Hertfordshire

3 Open

High

4 Seek

Significant

Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and Value for Money; VfM) – outside Hertfordshire

2

Cautious

Moderate

3 Open

High

We will use resources efficiently to enhance our ability to improve services

Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and VfM)

3 Open

High

5 Mature

Significant

We will develop the organisational capacity to deliver our vision and objectives

Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and VfM)

3 Open

High

5 Mature

Significant

0 Avoid Avoidance of risk and uncertainty is a key organisational objective Appetite: None

1 Minimal As little as reasonably possible(ALARP) - Preference for ultra-safe delivery options that have a low degree of inherent risk and only for limited reward potential

Low

2 Cautious Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward

Moderate

3 Open Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and Value for Money)

High

4 Seek Eager to be innovative and to choose options offering potentially higher business rewards (despite greater inherent risk)

Significant

5 Mature Confident in setting high levels of risk appetite because controls, forward scanning and responsiveness systems are robust

Significant



APPENDIX C – ACHIEVEMENT OF THE STRATEGY OBJECTIVES

Objective 1 Become a high performance, risk managed organisation through an embedded risk management culture

Goal

Link to

Trust SO

SMART Target / KPI

Measure Base line

Y4 17/18

Y5 18/19

Y6 19/20

Y7 20/21

Y8 21/22 Target

1

Embedded Risk Management Strategy

1,2,3,4

A Risk strategy reviewed

Board Agreed Nov 2014 Agreed Annually agreed

Annually agreed

Annually agreed

Annually agreed

1,2,3,4

B

Risk strategy refreshed in line with revised SWOT

Board Agreed May 2015 Annually agreed

Annually agreed

Annually agreed

Annually agreed

Annually agreed

1,2,3,4 C

Risk Strategy Implementation plan refreshed

Executive Agreed

Sept 2017 Audit

Committee Report

Audit Committee

Report

Audit Committee

Report

Audit Committee

Report

Audit Committee

Report

1,2,3,4 D

Trust strategic Milestones achieved

Board subcommittee agree

April 2017 Annually agreed

Annually agreed

Annually agreed

Annually agreed

Annually agreed

2 Exemplar governance arrangements

ALL A

Board agreement of risk appetite

Minutes at Board

Agreed Jan 2017

Jan 2017 Annually agreed

Annually agreed

Annually agreed

Annually agreed

4

B Risk Appetite informs annual review of KPIs

IPBR agreed Board

Agreed IBPR

metrics March 2014

Annually agreed

Annually agreed

Annually agreed

Annually agreed

Annually agreed

1,2,34

C Quality Impact assessment revised

Healthcare Governance minutes

Revised QIA

process 2017

Agreed revised

QIA process

Q3

Annually agreed

Annually agreed

Annually agreed

Annually agreed

1,2,3 D BU plans have BUPR and PMO in Agreed Monthly Monthly Monthly Monthly



,4 QIA with risks managed via Risk Register

PMO place reported to Exec

via BUPR

Q4

1,2,3,4 E

BAF signed off at the Trust Board

Board minutes

Monthly Monthly Monthly Monthly Monthly Monthly

3

Exemplar risk policies and operational procedures

1,2,3,4

A

Revision of Risk Management Policy

Executive Team agreed

Revised current policy

Revised Dec 2017

Annual review

Annual Review

Annual Review

Annual review

3,4

B

Assurance and Escalation Framework revised


Risk Escalation process in

place

Escalation process agreed

Nov 2017

Annual review

Annual Review

Annual Review

Annual review

3,4 C

Annual review of all policies and SOP

Healthcare Governance Agreed

Annual Plan

approved April 2017

Annual review

Annual Review

Annual Review

Annual review

3,4

D Timely Risk Summit activated


Risk Escalation process in

place reports via

BUPR

Escalation process agreed

Nov 2017

Monthly Monthly Monthly Monthly



Objective 2: Build individual and organisational risk management capability through an engaged trained workforce

Goal

Link to

Trust SO

SMART Target / KPI

Measure Base line

Y4 17/18

Y5 18/19

Y6 19/20

Y7 20/21

Y8 21/22 Target

1 An annual training programme

2,3

A

Delivering Safer Care agreed with Learning & Development

Agreed in L&D annual programme

Q4 annually

Annual Annual Annual Annual Annual

1,2,3,4

B

Service managers able to identify, analyse, mitigate and management risks effectively

I AM Responsible demonstrated via Datix and BUPR


4

C

Consistent risk scoring and evaluation of risk management in BUPR

Datix and BUPR reports


1,2,3,4

D

Development of risk surgeries to support staff understanding

Surgery cycle developed

Q4 Quarterly Quarterly Quarterly Quarterly Quarterly

4

E

Develop risk management capability within the

Confirmed achievement of IRM qualification

DDQ IRM certified Develop Internal

DDQ IRM Dip module 4

RM and RC IRM certified

DDQ IRM Dip module 5

DDQ IRM Dip

module 6



Risk Team through external qualification

SOP

2

Embedded consistent risk reporting

1,2,3,4

A

Supported via surgeries service leads activate monthly risk reporting

Service level Risk Registers

One operational Business

Unit

One operational

Business Unit

All operational Business

Units

All operational Business Units and Corporate



1,2,3,4

B

Provide additional individual coaching as part of induction process

Improved consistency in risk scoring and documented risk management

Risk registers

run by RM team

Risk registers run by one operational

Business Unit and Quality Directorate

(some inconsistency)

All operational Business

Units report inconsistency

at BUPR


75% consistent


90% consistent


90% consistent



Objective 3: Integrated electronic risk management system

Goal

Link to

Trust SO

SMART Target / KPI Measure Base line

Y4 17/18

Y5 18/19

Y6 19/20

Y7 20/21

Y8 21/22

Target

1 Electronic risk register deployment

4

A Review Datix capability and retain licence

Licence obtained

Licence obtained

Revised Datix

upgrade with roll out to all operational teams

Annual maintena

nce

Annual maintena

nce

Annual maintenan

ce

Annual maintena

nce

4 B

Revised Datix modules to support IG and new GDPR management

Single electronic RM system

Module baseline

Q1 Monthly Monthly Monthly Monthly Monthly

2 Integrated electronic RM reporting

4

A Internal integration with HCT Business & Information Platform

Effective quality reporting

Quality schedule

and BUPR

Agreed by Q1

Monthly Monthly Monthly Monthly

1,2,3,4

B Routine service reporting undertaken by GMs

Effective quality report (I AM Responsible demonstrated)

Agreed by Q4

Quarterly at BUPR

Quarterly at BUPR

Quarterly at BUPR

Quarterly at BUPR

Quarterly at BUPR



APPENDIX D – COMMITTEE STRUCTURE



The Board has collective responsibility for overseeing all aspects of risk management throughout HCT and seeking assurances (positive or negative) that this strategy is effectively implemented, monitored and complied with.

The Board is the designated committee for this strategy and is responsible for reviewing the Trust’s risk management performance against achievement of its strategic objectives. This includes receiving assurances from the Chief Executive and Executive Directors and Board Committees that mitigation is in place through controls and actions, and for setting the risk management strategy and delivery plan, determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives (risk appetite) and allocating resources as required. It has delegated the functions of risk governance to key governance committees, each of which has a responsibility to provide assurance to the Board in respect of the risks that fall within their specific remit. The Board receives a copy of the Board Assurance Framework (BAF) and High Level Risk Register (HLRR) quarterly.

The Trust Board and its sub-committees are committed to risk management and will:

where appropriate, demonstrate personal involvement and support for risk management

approve, review and monitor key strategies, policies and associated training for risk management on a regular basis

ensure that there is a structure and training in place for effective risk management within the Trust

manage and monitor risk identified in the BAF and HLRR that may prevent the Trust from achieving its objectives

identify and manage risks raised by appropriate directors and receive assurance that mitigation is in place

be involved in external assessments of risk management.

Audit Committee

The Audit Committee has delegated responsibility on behalf of the Board to seek satisfactory assurances that the Trust is meeting its statutory internal and external requirements to remain a safe effective business through embedded and effective risk management systems and processes with appropriate support from internal/external audit. It has primary responsibility for all aspects of financial risk and retains an overview of governance risks including clinical risks.

The Audit Committee is responsible for seeking assurances that the strategic and high level risks are being controlled and managed effectively and advising the Board on the adequacy of risk management arrangements throughout the Trust. It reviews the BAF and HLRR (and de-escalated high level risks) at every meeting and receives a paper outlining links between them, and progress and issues for review. It receives a summary of the CQC Quality & Risk Profile for the Trust each quarter and undertakes a review of the (draft) Annual Governance Statement each year.

Healthcare Governance Committee

The Healthcare Governance Committee has overall responsibility for ensuring effective risk management for patient safety, patient experience, infection prevention and control, safeguarding, clinical audit and clinical effectiveness and will bring to the attention of the Audit Committee and the Board risks that may affect patient safety



and/or failure to meet the Care Quality Commission Fundamental Standards of Quality and Safety.

The Healthcare Governance Committee is responsible for considering and reviewing clinical risks and ensuring that high operational or strategic risks are reported to the Executive Committee for consideration to populate the Board Assurance Framework and through this to the Audit Committee. It receives the High Level Risk Register in line with its business cycle with a summary paper outlining progress and issues for review.

Strategy and Resources Committee

The Strategy and Resources Committee has overall responsibility for ensuring the Trust cooperates within financial constraints and manages risks related to investment and business development and will ensure systems are in place to this effect.

The Strategy and Resources Committee is responsible for considering and reviewing finance and business risks and ensuring that high operational or strategic risks are reported to the Executive Committee for consideration to populate the Board Assurance Framework and through this to the Audit Committee.

Executive Team

The Executive Team has collective responsibility for ensuring that:

effective systems, processes and resources are in place for the implementation of the risk management related policies and for their compliance

arrangements are in place for receiving and reporting (positive or negative) assurances through to the Trust Board or any relevant committee or sub-committee of the Board as delegated, as to the effectiveness of and compliance with risk management related policies and this strategy.

The Executive Team is responsible for all aspects of managing risk, including

reviewing the Board Assurance Framework (BAF) and High Level Risk Register (HLRR) every month

confirming their validity and considering escalation/de-escalation and linking between the BAF and HLRR

ensuring steps are taken to mitigate the risks and reduce them to an acceptable level

approving all risk management related policies collating the annual training needs of the Board.

Other sub-committees of Healthcare Governance Committee and sub-groups of the Executive Team have delegated responsibility for overseeing all areas of risk management within their specific area/s of remit as defined in their terms of reference These committees have their remit and responsibilities related to risk embedded in their respective terms of reference.



APPENDIX E – RISK REPORTING FRAMEWORK