1

NHS Highland Board 1 December 2015

Item 5.6 NHS HIGHLAND RISK MANAGEMENT POLICY AND STRATEGIC RISK REGISTER Report by Mirian Morrison, Clinical Governance Development Manager on behalf of Nick Kenton, Director of Finance

1 Background and Summary

At the April 2015, Board meeting the NHS Highland Risk Management Policy was approved. The policy conforms to British Standard (BS ISO 31000:2009) Risk Management Principles and Guidelines. Over the last few months system and processes for risk management have been refined including the NHS Highland Strategic Risk Register.

2 NHS Highland Risk Management Policy

Following discussions at Senior Management Team and meetings with Executive Directors

some minor amendments have been made (subject to formal Board approval) to the Risk Management Policy. These include the inclusion of risk escalation arrangements, the revision of risk registers and the re-establishment of the Risk Management Steering Group. The amended policy is attached in Appendix 1.

3. NHS Strategic Risk Register 2015/16

The Board is responsible for ensuring that there is a clear and appropriate management structure for ensuring that NHS Highland has effective systems which enable risk to be identified and decisions to be taken at an appropriate level.

As part of the Board’s risk management arrangement, the Strategic Risk Register has been reviewed and updated. Discussions have taken place with each risk owner to identify the current level of risk, current control measures and action which will be taken to reduce/mitigate these risks. The strategic risk register is attached in Appendix 2.

To support the Board in discharging its responsibilities, it had delegated aspects of risk governance to the Governance Committees. Each committee has a responsibility for providing assurance to the Board in respect of the risks that fall within its specific remit. In some cases the Board itself is the assurance source.

This requires each Governance Committee to use the Strategic Risk Register to consider risks that may require further scrutiny (for example, risks evaluated as very high) and seek assurance from individual risk owners regarding the management of these risks, including the adequacy of existing control measures and progress against any actions required for improvement. This responsibility sits with Governance Committees with immediate effect.

4. Risk Management Steering Group

It has been agreed that the Risk Management Steering Group should be re-instated. The Risk Management Steering Group will meet on a quarterly basis and will be chaired by the Chief Executive.

The Board is asked to: • To approve the amendments to the NHS Highland Risk Management Policy • Approve the NHS Highland Strategic Risk Register • To note the re- establishment of a Risk Management Steering Group

2

The purpose of the group will be to provide reassurance to the NHS Board that all systems, processes and procedures relating to risk management are in place. It is recognised that risk is an inherent and integral part of all organisations and the Risk Management Steering Group will provide the lead role in advising on and managing all risks to an acceptable level.

The first meeting will be held early in the new year.

5. Contribution to Board Objectives

The contents of the Board Risk Management Policy and the risks contained within the Strategic Risk Register have a direct link to the ten NHS Highland Quality Objectives.

6. Governance Implications

• Staff Governance

The policy applies to all employee of NHS Highland and will require active input from Directors and Managers at all levels to ensure that risk management is a fundamental part of our approach to quality. The Executive Directors are responsible for ensuring that the risk is managed and actions are taken to manage the risk.

• Patient and Public Involvement

Without a comprehensive risk management policy patient and public safety could be compromised

• Clinical Governance

All clinical activities at NHS Highland involve risk. It is important that we proactively manage risk to an acceptable level by embedding processes focused on assessment and prevention, rather than reaction and remedy.

• Financial Impact

All financial decision making in NHS Highland involves risk. It is important that we proactively manage risk to an acceptable level by embedding processes focused on assessment and prevention, rather than reaction and remedy. A robust risk management policy should have a positive financial impact by ensuring that risks are mitigated.

7. Risk Assessment

This document sets arrangements for risk management and assessment within NHS Highland.

8. Planning for Fairness

An impact assessment will be undertaken shortly on the Risk Management Policy.

9. Engagement and Communication

Through the development of the policy and the review of the strategic risk register there has been engagement with Senior Management Team, Senior Leadership Team and through Board Development Sessions.

Mirian Morrison Clinical Governance Development Manager NHS Highland 20 November 2015

Appendix 1

RISK MANAGEMENT POLICY

Clinical Governance

& Risk Management Department

Warning – Document uncontrolled when printed

Policy Reference: RM 2.0 Date of Issue: May 2015 Prepared by: Risk Management Short Life Working Group

Date of Review: May 2017

Lead Reviewer: Director of Finance Version: 2.0(a) Authorised by: The NHS Board Date: October 2015

Distribution • Executive Directors • Directors of Operations • General Managers • Clinical Directors • Lead Nurses/Lead Midwives • Lead AHPs • Assistant General Managers • Nurse Managers • Head of Health & Safety • Head of Facilities Management • Head of eHealth • Head of Learning and Development

Method Intranet x E-mail Paper x

Risk Management Policy

1. Introduction

This Risk Management Policy describes the risk management arrangements at NHS Highland, and forms part of the wider framework for corporate governance and internal control.

NHS Highland recognises that healthcare provision and the activities associated with caring for patients, employing staff, providing facilities and managing finances are all, by their nature, activities that involve risk. These risks are present on a day-to-day basis throughout the organisation. They cannot be avoided but they can be managed to an acceptable level.

2. Managing uncertainty at NHS Highland

NHS Highland faces internal and external factors and influences that make it uncertain whether and when we will achieve our objectives. The effect this uncertainty has on our objectives is ‘risk’1.

Risk management is therefore a means of identifying, evaluating and controlling the uncertainties that could affect (either positively or negatively) the achievement of corporate objectives. It is crucial for the successful implementation of the NHS Highland Quality Approach and delivery of our corporate plans.

All activities at NHS Highland involve risk. It is important that we proactively manage risk to an acceptable level by embedding processes focussed on assessment and prevention, rather than reaction and remedy. Following a comprehensive, effective risk management approach throughout the organisation will help us achieve strategic and operational objectives, improve service delivery, increase efficiency, support and inform decision making, help provide a safe and secure environment and encourage a culture of quality improvement.

This policy applies to all employees of NHS Highland and will require active input from Directors and Managers at all levels to ensure that risk management is a fundamental part of our total approach to quality, corporate and clinical governance.

3. Risk management approach

The organisational approach to the management of risk reflects British Standard (BS ISO 31000:2009) Risk management – principles and guidelines.

When implemented and maintained in accordance with this approach, the management of risk enables an organisation to:

• increase the likelihood of achieving objectives • encourage proactive management • be aware of the need to identify and treat risk throughout the organisation • improve the identification of opportunities and threats • comply with relevant legal and regulatory requirements 1 BS ISO31000:2009

• improve mandatory and voluntary reporting • improve governance • improve stakeholder confidence and trust • establish a reliable basis for decision making and planning • improve controls • effectively allocate and use resources for risk treatment • improve operational effectiveness and efficiency • enhance health and safety performance, as well as environmental protection • improve loss prevention and incident management • minimise losses • improve organisational learning, and • improve organisational resilience.

The approach demonstrates the relationship between the principles for managing risk, the framework in which it occurs and the risk management process, as set out in Diagram 1 below.

Diagram 1: organisational approach to the management of risk

a) Creates value b) Integral part of

organisational process

c) Part of decision making

d) Explicitly addresses uncertainty

e) Systematic, structured and timely

f) Based on the best available information

g) Tailored h) Takes human and

cultural factors into account

i) Transparent and inclusive

j) Dynamic, iterative and responsive to change

k) Facilitates continual improvement and enhancement of the organisation

Principles

Process

Mandate and commitment

Design of framework for managing risk

Implementing risk management

Continual improvement of the framework

Monitoring and review of the framework

Framework

3.1 Principles

The principles provide a set of values by which NHS Highland will base its understanding of why and how risk will be managed.

3.2 Framework

The framework provides the foundation and arrangements to embed risk throughout the organisation at all levels. The framework ensures that information about risk is taken from the risk management process and is adequately reported and used as a basis for decision making and accountability at all levels.

The NHS Highland framework is defined as follows:

3.2.1 Understanding the organisation and its context

The Board approves Quality Objectives, set within the overall context of the Highland Quality Approach. These, together with the annual Local Delivery Plan set out our strategic and operational objectives and plans. The purpose of risk management is to identify the risks to the achievement of these objectives and plans.

3.2.2 Accountability and governance

Risk is everyone’s responsibility. Accountability for risk management is held at all levels of the organisation.

NHS Highland Board

The Board is responsible for ensuring that there is a clear and appropriate management structure for ensuring that NHS Highland has effective systems which enable risk to be identified and decisions to be taken at an appropriate level.

The Board is required to ensure that it conducts a review of its systems of internal control, including in particular its arrangements for risk management, at least annually.

The Board is supported in discharging this responsibility through its governance committees.

Governance Committees

The NHS Highland Board has delegated aspects of risk governance to the Governance Committees. Each committee has a responsibility for providing assurance to the Board in respect of the risks that fall within its specific remit. In some cases the Board itself is the assurance source.

This requires each Governance Committee to use the Strategic Risk Register to consider risks that may require further scrutiny (for example, risks evaluated as very high) and seek assurance from individual risk owners regarding the management of these risks, including the adequacy of existing control measures and progress against any actions required for improvement.

The Clinical Governance Committee provides assurance to the Board that all key risks in clinical care and patient safety are identified and managed effectively.

The Staff Governance Committee provides assurance to the Board that all key risks in occupational safety, health and environment are identified and managed effectively.

The Highland Health and Social Care Governance Committee provides assurance to the Board on key risks relating to planning, development and provision of health and social care services in North Highland.

Argyll & Bute CHP – Integrated Joint Board (Argyll & Bute) provides assurance to the Board on the key risks relating to planning, development and provision of health care services in Argyll and Bute.

The Audit Committee, through internal audit, external audit and other assurance sources will provide independent objective assurance to the Board on the extent to which the risk management arrangements are in place and are effective.

3.2.3 Integration into organisational processes

Risk management should not be a stand-alone function, but should be integrated into day to day management processes.

Each Directorate/ Operational Area (as listed in Appendix 3) will establish a risk register in line with this policy. Each Directorate/ Operational Area will also identify key staff who will assume responsibility for risk within their area, and ensure that roles and responsibilities are clearly understood and adhered to.

NHS Highland expects staff to identify and report risk in line with this policy, as appropriate. Line Managers are responsible for ensuring that staff are enabled to identify learning needs and supported to participate in appropriate risk management related activities.

The Strategic Risk Register will be reported to the Board annually, demonstrating the changes in the risk profile of NHS Highland.

3.2.4 External communications and reporting

The annual governance statement included within the Annual Accounts summarises the organisational approach to risk management.

3.2.5 Monitoring, review and continuous improvement

The Audit Committee is responsible for reviewing the effectiveness of the risk management approach, which will involve periodic reviews of the strategic risk register and operational risk registers.

The Audit Committee may commission internal audit to review the risk management approach to provide assurance to the Board that the risk management system in place is robust and is effective in implementing this policy.

3.3 Process

The risk management process is an integral part of how we manage risk, how we embed risk management in our culture and practices and integrate it with our business processes.

The remainder of this document describes the process for risk management at NHS Highland.

4. How do we record risk?

Maintaining accurate and up to date risk registers is critical to effective risk management. NHS Highland will maintain the following risk registers:

• Strategic risk register. This covers the most significant risks that impact on the delivery of strategic objectives.

• Operational risk registers. These cover risks that impact on delivery of the Local Delivery Plan and operational plans. Operational risk registers will be established for each operational unit and directorate, as set out in Appendix 3.

• Project risk registers. These cover risks that impact on the successful delivery of specific projects.

This approach aligns to the approved Performance Management Framework which incorporates risk management.

Currently, risk registers are maintained on spreadsheets. However, the Executive Team and the Audit Committee will regularly review the effectiveness of the risk management process to determine whether further investment in automated risk management systems is necessary.

5.0 How do we assess risk?

5.1 How to identify a risk

Risk identification can take place at any time by any member of staff and is everyone’s responsibility.

Identifying risks is the first step in building the overall view of risk (risk profile) across the whole of the organisation. Risks can be identified from a number of sources, including:

• planning and performance management processes • review of significant changes in service • internal and external audit • changes to guidance / guidelines, laws or regulations • horizon scanning • incident reporting • complaints management • health and safety reviews • business cases and project plans • training needs analysis • recruitment / retention / absenteeism data.

5.1.1 Risk description

* Defining a risk should include a description of what the risk is, the possible cause and the impact on objectives. This will allow the risk to be more easily understood and more effectively managed. A useful model for helping to define a risk is:

there is a risk of 'x' because of 'y' resulting in 'z' where:

• x is the risk event • y is the cause of the risk (maybe a current issue) • z is the impact on objectives.

5.2 How to analyse a risk

5.2.1 Risk categories

** The first stage in analysing a risk is deciding what type of risk it is. We have identified five risk categories that are aligned to our Quality Objectives as shown in the table below. Categorising risks in this way will help the Board describe its risk appetite for each risk category.

Table 1: Risk categories

Risk category Quality Objectives

Strategic/ Reputational

1. Implementing our vision and strategy

2. Improving population health and reducing inequalities

10. Delivering our targets

Clinical 3. Creating a caring, person-centred experience

4. Providing safe and effective care

People 7. Engaging our people

Innovation and Transformation

5. Transforming our services

6. Designing integrated care

8. Promoting creativity, innovation and research

Finance and Sustainability

9. Ensuring value and sustainability

5.2.2 Current mitigation NHS Highland will mitigate either the likelihood or impact of risk, should it occur, by implementing a range of strategies, policies, projects and internal control processes. It is impossible to fully mitigate against all risks. Therefore, before we can consider whether further

action is required to address a particular risk, we must first assess what mitigation is already in place. The risk register template at appendix 1 requires the current mitigation for each risk to be defined. This need only be at a high level, but should provide enough information to inform the reader of the key mitigations that are currently in place. 5.2.3 Risk scoring Risks can be scored at different stages of the risk management process. For simplicity, NHS Highland will focus on Current Risk Exposure, i.e. the net or residual level of risk that the organisation currently faces, based on the extent to which we are currently controlling and managing each risk. 5.2.4 How to assess likelihood The likelihood of an event occurring should be assessed using the table below (1 to 5). When assessing likelihood you should take account of the controls that are already in place to mitigate likelihood of a risk occurring, e.g. strategies, policies, procedures. Table 2: Likelihood definitions

Score Description Chance of occurrence

1 Rare Very little evidence to assume this event would happen –

will only happen in exceptional circumstances

2 Unlikely Not expected to happen, but definite potential exists – unlikely to occur.

3 Possible May occur occasionally, has happened before on occasions – reasonable chance of occurring

4 Likely Strong possibility that this could occur – likely to occur

5 Almost certain This is expected to occur frequently / in most circumstances 5.2.5 How to assess net impact The impact on the organisation of an event happening should be assessed using the table below (1 to 5). When assessing net impact you should take account of the controls that are already in place to mitigate impact, e.g. contingency plans. Table 3: Impact descriptions Score Description

1 Negligible

2 Minor

3 Moderate

4 Major

5 Extreme Further definitions for each of the risk descriptions are outlined in Appendix 2. The Current Risk Exposure is then calculated by multiplying together the likelihood and impact scores. The current risk score therefore represents the organisation’s current risk exposure taking into account existing controls. 5.3 How to evaluate a risk The purpose of risk evaluation is to assist in making decisions about which risks need further treatment and the priority for treatment. This involves comparing our current risk score with our risk appetite. 5.3.1 Risk appetite Risk appetite is the amount of risk that the Board is prepared to accept, tolerate or be exposed to at any point in time. The Board may have different appetites for different categories of risk. Periodically (at least annually), the Board will consider its risk appetite for each of the categories of risk set out in Table 1, above. This will reflect the levels and types of risk that the Board is prepared for management to take in delivering each of our Quality Objectives. Below are the classifications that we use to help describe the Board’s risk appetite for each risk category. Table 4: Risk appetite (classification)

Classification Definition

Hungry Eager to be innovative and to choose options offering potentially bigger rewards despite greater inherent risk.

Open Willing to consider all options and chose the one that is most likely to result in success, while also providing an acceptable level of reward.

Cautious Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward.

Minimalist Preference for ultra-safe business delivery options that have a low degree of inherent risk and only have a potential for limited reward.

Averse Avoidance of risk and uncertainty is a key organisational objective

5.4 How to treat a risk The treatment of an identified risk will be based upon what resources the organisation has at its disposal to effectively manage the risk. Some common examples of how we may treat risk are provided below: • avoid the risk by deciding not to start or continue with the activity that gives rise to the risk • remove the risk source • change the likelihood of the risk occurring • change the consequences by developing a contingency plan • share the risk with another party • retain the risk by informed decision. When a further risk treatment has been agreed, the corrective action should be recorded (refer to 7.4.1). 5.4.1 Action required

The action required section of the risk register is where the further actions to be taken/adopted to manage/treat the risk within the agreed risk appetite are recorded. The narrative within this section should include eg: • the actions to be taken • the timescale for implementation and • any resource/budget requirements.

This section should be regularly updated to provide details of progress against the planned actions. This section should clearly state which actions have been taken to arrive at the current assessment and which actions are still to be implemented. 6 Risk monitoring and review

The management of risk should be continuously reviewed to monitor whether or not the organisational risk profile is changing, to gain assurance that risk management is effective and to identify when further action is necessary to deliver assurance on the effectiveness of control.

In practice, this will involve the risk registers being discussed at Executive Team, Senior Management Team, Operational Unit Management Teams and Corporate Department meetings etc to ensure that:

• planned, corrective actions/mitigation are implemented timeously

• current level of risk is reviewed on a continuous basis

• identification of any new or emerging risks

• current risk scores are reduced and/or maintained in line with agreed appetite and tolerances.

The role of the Executive Team is crucial. As well as periodically considering the strategic risk register and its content, it will also seek regular assurances from the Senior Management Team, Operational Unit Management Teams and Corporate Department meetings that operational risk registers have been reviewed and are up to date. 6.1 Evaluating progress

The monitoring and review of risk will include an evaluation of the progress made in implementing the agreed actions to address gaps in control, or to take advantage of opportunities that have been identified (see Appendix 4). 6.2 Escalating risk Risks should be managed at the lowest competent level, so long as this is appropriate. Each risk owner, be they within a project team, directorate or operational area, is responsible for the prompt identification of risks that should be escalated to the Leadership Group or the Audit Committee/ Board for consideration. Examples of scenarios where risks should be considered for escalation include, but are not limited to:

• Risks that may have a wider strategic impact, i.e. it is beyond the scope of the area in which it was originally identified;

• Risks which can no longer be managed effectively within the resources and authority of the risk owner; or

• Risks which have a significant risk score that may breach the appetite or tolerance for the particular type of risk, as defined by the Board.

The Leadership Group will be responsible for assessing the strategic impact of the risk and determining whether it should be included in the strategic risk register, and therefore reported to the Audit Committee/ Board (See Appendix 4). 6.3 Reporting progress A report will be provided to the Audit Committee to update on overall progress in managing risk. The report will include, but not be limited to, the following:

• Updates on key/significant risks and risk exposures

• A narrative explaining any key movements and trends

• Details of any new or emerging risks for consideration

• Reporting on the progress of agreed actions on an exceptions basis

• An assessment of any risks that should be formally highlighted to the Board and/or a specific governance committee(s).

1. This policy is based on British Standards (BS ISO 31000:2009) risk management – principles and guidelines. This has been used as a guideline on which NHS

Highland has designed and implemented its risk management policy which is specific to our organisation.

Permission to reproduce the extracts from British Standards referred to in this document has been granted by BSI Standards Limited (BSI). No other use of this

material is permitted. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI

Customer Services for hard copies only: Tel: +44 (0)20 8996 9001, Email: cservices@bsigroup.com

Appendix 1

Appendix 1 – risk register template

Risk Register Template

Risk Register

Risk Register Owner Date of Review

Risk Ref & Date Added

Risk Owner Executive Lead or appropriate senior manager

Risk description

There is a risk of ‘x’, because of ‘y’, resulting in ‘z’

Risk Category

Current Mitigation These are the control systems and processes that are already in place to address this risk.

Current Risk Score Likelihood x Impact = Risk Rating

Further Action Required Also state: Action Owner and expected implementation date.

Target risk score Likelihood x Impact = Risk Rating

Assurance -Responsible Committee

Last review date

Movement since last review ↑ ↓ ↔

Acceptable Risk

L I RR L I RR

Appendix 2 - Impact definitions

Descriptor Negligible (1) Minor (2) Moderate (3) Major (4) Extreme (5) Reputation/ credibility

Rumours, no media coverage. Little effect on staff morale.

Local media coverage – short term. Some public embarrassment. Minor effect on staff morale/public attitudes.

Local media – long-term adverse publicity. Significant effect on staff morale and public perception of the organisation.

National media/adverse publicity, less than 3 days.Public confidence in the organisation undermined. Use of services affected.

National/international media/adverse publicity, more than 3 days. MSP/MP concern (Questions in Parliament). Court Enforcement. Public Inquiry/ FAI.

Operational (examples)

Barely noticeable reduction in scope, quality or schedule.

Minor reduction in scope, quality or schedule.

Reduction in scope or quality of project; project objectives or schedule.

Significant project over-run.

Inability to meet project objectives; reputation of the organisation seriously damaged.

Interruption in a service which does not impact on day to day business activities.

Short term disruption with minor impact on business activities.

Some disruption in service with unacceptable impact on business activities.

Sustained loss of business services which has serious impact on day-to-day activities.

Permanent loss of core business services or facilities. Disruption to facility leading to significant “knock on” effect.

Short term low staffing level temporarily reduces quality (< 1 day). Short term low staffing level (>1 day), where there is no disruption to business services.

Ongoing low staffing level reduces quality. Minor error due to ineffective training/implementation of training.

Late delivery of key objective / business activities due to lack of staff. Moderate error due to ineffective training/implementation of training. Ongoing problems with staffing levels.

Uncertain delivery of key objective/ activity due to lack of staff. Major error due to ineffective training/ implementation of training.

Non-delivery of key objective/activity due to lack of staff. Loss of key staff. Critical error due to ineffective training/ implementation of training.

Small number of recommendations which focus on minor quality improvement issues.

Recommendations made which can be addressed by low level of management action.

Challenging recommendations that can be addressed with appropriate action plan.

Enforcement action. Low rating. Critical report.

Prosecution. Zero rating. Severely critical report.

Financial/value for money (including damage / loss / fraud)

Negligible organisational/ personal financial loss.

Minor organisational/personal financial loss.

Significant organisational/personal financial loss.

Major organisational/personal financial loss.

Severe organisational/personal financial loss.

Compliance/ regulatory

Unlikely to be challenged

Could be challenged but defended.

Could be challenged and need to be defended.

Moderate breach of legislation.

Major breach of legislation with extreme impact.

Appendix 3 – Risk Registers

Risk Registers should be in place for each of the following area:-

1. Strategic Risk Register

2. Directorate Risks Registers for :-

• Public Health • Finance (including Facilities, Procurement) • HR • Medical Directorate • Nursing, Midwifery and AHPs (including Infection Control) • Infection Control – nursing • Chief Operational Officers (including eHealth, Pharmacy and Business Support) • Director of Adult Social Care

3. Operational Units:-

• Raigmore • South and Mid • North and West • Argyll and Bute

Appendix 4 – Risk Escalation Procedures

RISK ESCALATION PROCEDURES

Level 1 – Groups including Quality & Patient Safety Groups/Corporate Heads of Service

• Identifies operational risks for operational unit • Maintains operational Risk Register • Monitors action plans and agrees level of acceptable risk • Reports unacceptable risks to the Operational Unit Management Team/Directorate Management Team

Level 2 – Operational Unit Management Teams/Directorate Management Teams

• Discharges accountability for delivery of risk plan, incident management and quality improvements • Agrees unacceptable risks • Escalates unacceptable risks to the Senior Leadership Team

Level 3 – Senior Management Team

• Reviews unacceptable operational risks across whole area • Implements action plans as necessary • Agrees unacceptable risks • Escalates unacceptable risks for inclusion onto the highland wide operational unit/strategic risk register

Audit Committee

• Through internal, external and other assurance sources will provide independent objective assurance on risk management arrangements and monitoring of strategic risks on behalf of Board.

Governance Committees

• Each Governance Committee will use the Strategic Risk Register to consider risks that may require further scrutiny and to seek assurance that these risks are being appropriately managed.

NHS Highland Board

• Will receive updates on the Strategic Risk Register every 6 months

Appendix 2

Risk Register Template

Risk Register

Strategic Risk Register 2015/16 Risk Register Owner Date of Review October 2015

Risk Ref & Date Added (Note 1)

Risk Owner Executive Lead or appropriate senior manager ( note 2)

Risk description There is a risk of ‘x’, because of ‘y’, resulting in ‘z’ ( note 3)

Risk Category (note 4)

Current Mitigation These are the control systems and processes that are already in place to address this risk ( note 5)

Current Risk Score Likelihood x Impact = Risk Rating ( note 6)

Further Action Required Also state: Action Owner and expected implementation date (note 7)

Target Risk Score Likelihood x Impact – Risk Rating (note 8)

Assurance -Responsible Committee (note 9)

Last Review

Movement since last review

↑↓↔

Acceptable Risk (note 10)

L

S

RR

L

S

RR

N1 Chief Executive

The cost of maintaining current service levels will become unsustainable because of the increased demand due to the ageing population which will result in failure to deliver key access targets and quality standards.

Strategic/ Reputational

Redesign work HQA lean work Care Strategy Ten Year Operational Plan

P M H

Resign work HQA Lean work Care Strategy Ten Year Operational Plan

P M M Board October 2015

N2 Board Medical Director

Inadequate services available because of resource constraints resulting in unintended reduction in the quality and safety of patient care

Clinical Board support for HQA SLT support for HQA Implementation of HQA with elimination of waste

P M H Board support for HQA SLT support for HQA Implementation of HQA with elimination of waste

P M M Clinical Governance Committee

October 2015

N3 Board Medical Director

Failure to recruit and retain specialist staff because of manpower shortage in remote and rural locations resulting in inability to deliver specialist services

Clinical Designing different model of care Being addressed nationally and at regional level through specific work streams, e.g. Diagnostics, Radiology, Oncology, Healthcare Scientists Ensure workforce planning function is aligned with LDP and financial planning cycles, operational unit delivery plans and overall capacity planning. Review Locum Policy and Recruitment Process and

AC M VH Designing different model of care Being addressed nationally and at regional level through specific work streams, e.g. Diagnostics, Radiology, Oncology, Healthcare Scientists Ensure workforce planning function is aligned with LDP and financial planning cycles, operational unit delivery plans and overall capacity planning.

P M H Clinical Governance Committee

October 2015

Appendix 2 monitor adherence and costs through Workforce Monitoring Meetings. Develop Regional and National medical workforce banks; Reshaping Medical Workforce national work stream addressing issues

N4 Chief Operating

Officer/ Chief

Executive

Negative Impact of Integration because of poorer services being delivered; reputational damage; higher than anticipated costs resulting in a failure to realise the benefits of integration

Innovation and Transformation

Building relationships with clients and care providers

Highland Health

and Social Care Committee / Integrated Joint Board

Comment: This risk needs to be reviewed in light of integration in North Highland and the establishment of Integrated Joint Board in Argyll and Bute

N5 Director of Finance

Infrastructure maintenance may be inadequate because of restrictions in capital funding resulting in buildings and equipment not fit for purpose

Innovation and Transformation

Clear Asset Management Strategy with trajectory for reducing backlog maintenance in property

P M H Trajectory of High and significant Risk items shows a continued downward trend, as highlighted in our PAMS. For this to continue and meet our plan the investment needs to be maintained for the next 5 years.

P M M Asset Management Group / Highland Health and Social Care Committee / Integrated Joint Board

N7 Director of HR

Sustainable workforce because of a failure to recruit and retain staff, maintain health and wellbeing resulting in high level of vacancies, poor staff experience, high turnover and absenteeism

People

HPF, HPF Sub Groups and Local Partnership Forums in place and positive working relations established Continue to support partnership with staff side

Ensure managers are competent and supported in the application of PIN policies. Adhere to Staff Governance Standard requirements. Monitor the workforce cost base and address local variances Recruitment initiatives

P M M Vacancy management HQA Lean work Current measurements are implemented and monitored

P M M Staff Governance October 2015

Appendix 2 N9 Chief

Executive Targets and outcomes not

being met because of funding constraints and recruitment difficulties

resulting in reputational damage and greater

scrutiny

Strategic/ Reputational

Waiting time initiatives Redesign HQA lean work

P M H Waiting time initiatives Redesign HQA lean work

P M M Board/Highland Health and Social Care Committee/Integrated Joint Board

October 2015

N10 Chief Executive

Public, patients and politicians may not support planned changes because of ineffective public engagement resulting in inability to deliver change plan

Strategic/ Reputational

Effective public engagement models

P M H Continuation of effective public engagement models Support of staff and clinicians for the need for service change

P M H Board October 2015

N11 Director of Adult

Social Care

Exploitation of vulnerable clients because of growing trend in society to target these groups resulting in harm to clients.

Strategic/ Reputational

Education programme in schools Transition pathway agreed by Highland Council and NHS Highland Mandatory Adult Support and Protection Training including bespoke training Training in Self Direct Support Highlighting staff and public awareness Effective communication and engagement plan to raise public awareness of vulnerable adults

AC M VH Continuation of existing action Improvement groups in Highland Council and NHS Highland Governance arrangements

P M H Board October 2015

N12 Chief Operating

Officer

PMS implementation may be inhibited because of lack of technical capacity and capability and operational unit ownership of data quality input and investment in new IT systems support clinical deliver resulting in failure to maximise the benefits of a patient management system

Innovation and Transformation

Appointment of a clinical director Revised operational governance arrangements Additional technical and analytical staff to be appointed

P M M Recruitment of new head of ehealth HQA approach Customer service training for e-health staff Revision of strategy and plan via e-health arrangements

P M M Highland Health and Social Care Committee/ Integrated Joint Board/ Improvement Committee/Board

October 2015