risk management policy · 2018-11-19 · risk management policy v7 6 director of strategy and...


Post on 10-Jul-2020


Risk Management Policy v7

Policy No: RM01

Version: 7.0

Name of Policy: Risk Management Policy

Effective From: 24/11/2017

Date ratified 08/11/2017

Ratified by Risk and Safety Council

Review date 01/11/2019

Sponsor Director of Nursing, Midwifery and Quality

Expiry date 07/11/2020

Withdrawn date

Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no assurance that this is the most up to date version

This policy supersedes all previous issues


Version Control

| Version | Release | Author/Reviewer | Ratified by/authorised by | Date | Changes |
|---|---|---|---|---|---|
| 4.0 | | A O’Brien | | March 2009 | |
| 4.1 | 29/09/2009 | S. Winn/S A Gair | Director of Estates & Risk Management | Sept 2009 | OP27 format. Updated to include new staff appointment and review of the prioritised Board risk register |
| 4.2 | 01/01/2011 | S A Gair | Director of Estates & Risk Management | Jan 2011 | Amended to include risk grading matrix as agreed by PQRS |
| 5.0 | 01/04/2012 | A O’Brien/S. Winn | Director of Nursing, Midwifery and Quality | March 2012 | Revised to reflect changes in risk reporting structures and merge with the local risk management procedure |
| 5.1 | 14/03/2013 | S A Gair | Director of Nursing, Midwifery and Quality | | Revised – Risk Awareness Training for Senior Management & Risk Management Structure, Risk matrix and Governance Structure |
| 6.0 | 24/07/2014 | G Appleby / S Winn | Director of Nursing, Midwifery and Quality | June 2014 | Revised and updated to reflect changes to departments and risk reporting |
| 7.0 | 24/11/2017 | K Marley, Corporate Risk Manager / K Jones, Head of Corporate Risk | Director of Nursing, Midwifery and Quality | 08/11/2017 | Revised and updated: Job titles, Committee titles, & structures. Reflect national changes e.g. NHS I, NHS Resolution etc. Updated policy to align with strategy. Changed risk review cycle. |


Risk Management Policy

Contents

1 Introduction
2 Policy Scope
3 Aim of Policy
4 Duties of Key Committees and Individuals – Roles and Responsibilities
5 Definition of Terms
6 Risk Management Approach
    6.1 Overview
    6.2 Identifying, Defining and Describing Risk
        Local Risk Assessments
    6.3 Risk Assessment - Risk Analysis
    6.4 Risk Assessment - Risk Evaluation
    6.5 Risk Assessment - Treatment of Risk
    6.6 Monitoring and Review
        Risk review
        Authority for Managing Risk/ Risk Escalation
        Risk Registers
    6.7 Communicate, Consult, Learn and Adapt
    6.8 The Board Assurance Framework
7 Training
8 Equality and Diversity
9 Monitoring Compliance with this Policy
10 Consultation and Review of this policy
11 Implementation of this policy
12 References
13 Associated Documentation
14 Intranet Information


Risk Management Policy

1 Introduction

The management of risks is a key factor in achieving the provision of the highest quality care, requiring the identification, management and minimising of activities or events which could result in unnecessary risks to service users, staff and visitors/members of the public.

Risk management is the identification, assessment, and prioritisation of risks followed by coordinated, effective and economic application of resources to minimise, monitor, and control the probability and/or impact of unfortunate events or to maximise the realisation of opportunities.

The National Health Service carries a number of risks which if not properly managed/controlled have the potential to cause harm to patients, staff and visitors and may contribute to an adverse effect on the Trust’s assets and/or reputation.

It is accepted that given the nature of the service provided by the NHS, some risks may never be totally eliminated. It is however essential that NHS Trusts have in place good risk management systems and practices which eliminate risk wherever possible and reduce the impact of those risks that cannot be eliminated to an “acceptable level”.

This policy sets out the commitment of Gateshead Health NHS Foundation Trust to managing risks (both clinical and non-clinical). The document must be read in conjunction with the Health and Safety Policy.

The Risk Management Policy is an integral part of the Trust’s approach to continuous quality improvement and is intended to support and assist the organisation in delivering the Trust’s Strategic Objectives.

2 Policy Scope

This Policy relates to all members of staff, trainees, contractors, volunteers, visitors, and members of the public working and visiting Gateshead Health NHS Foundation Trust.

3 Aim of Policy

The overall aims of the Risk Management Policy are to support the Risk Management Strategy to have an organisation which:

• Is fully “risk aware” where risk management is embraced within the organisation’s culture and is integrated into the working practices of all grades and disciplines of staff;
• Encourages the open reporting of errors, within a fair blame culture and ensures that lessons are learned from those errors and that measures to prevent recurrence are promptly applied;
• Engages in the continual development of risk management systems to facilitate identifying which risks represent opportunities and which represent potential pitfalls; and
• Accepts that risk management is everyone’s responsibility.


This in turn will ensure the achievement of the organisation’s overall aim which is working together to provide the best health services and care for local people.

4 Duties of Key Committees and Individuals – Roles and Responsibilities

Board of Directors: The Board has a collective responsibility for reviewing the effectiveness of internal controls and for managing the Trust’s affairs efficiently and effectively through the implementation of these controls.

Chief Executive: The Chief Executive, as Accountable Officer, has overall responsibility for ensuring that effective risk management and integrated governance processes are in place across the Trust and for meeting all statutory requirements and adhering to guidance issued by NHS Improvement in respect of governance and risk management.

Executive Directors: Executive Directors with delegated responsibility for risk management sit on the Quality Governance Committee (a committee of the Board of Directors).

Non-Executive Directors: Non-Executive Directors are responsible for overseeing systems of governance and have a particular role in this Trust as members of the Quality Governance Committee.

Director of Nursing, Midwifery and Quality: Accountability for risk management systems has been delegated to the Director of Nursing, Midwifery and Quality. This includes:

• Making sure that there are effective management systems in place for the planning, organisation, control, monitoring and review of all risks;
• Processes for the management of the Board Assurance Framework and the committee/meeting structure for the management of risk issues.

The Medical Director: The Medical Director supports the Director of Nursing, Midwifery and Quality with clinical risk management and the implementation and monitoring of clinical governance activity across the Trust. Clinical risk issues will be communicated and monitored by the designated clinical governance forum i.e. SafeCare Council.

Director of Finance and Information: The Director of Finance and Information carries specific responsibility for financial risk management. This includes:

• Advising the Board of Directors on financial and business risk issues;
• The named Executive Director with professional responsibility for provision of an effective Internal Audit Service;
• Providing regular, timely and accurate reporting to the Board and the regulator in line with requirements and professional standards; and
• Enabling the Board to provide in the Trust’s annual accounts, an assurance of the safeguarding of assets and the maintenance of proper accounting records and the reliability of financial information.

Director of Clinical Support and Screening: The Director of Clinical Support and Screening carries specific responsibility for non-clinical health and safety risks.


Director of Strategy and Transformation: The Director of Strategy and Transformation is the Director with delegated responsibility for non-clinical HR risk.

Audit Committee: The Audit Committee provides independent verification on the organisation’s systems for risk management to ensure that structures and processes for managing key risks are in place. It performs the essential scrutiny required to ensure key management and control systems are working effectively.

Quality Governance Committee: The Trust’s Quality Governance Committee is a Board committee, with responsibility for clinical and non-clinical risks and patient quality issues within the Trust, with the exception of financial risks and human resource risks. The Committee is responsible for overseeing the on-going development, implementation and monitoring of the Risk Management Strategy. The Committee Terms of Reference includes full details of the Committee’s remit.

Overseeing financial risks is the responsibility of the Finance and Performance Committee, and human resource risks are the responsibility of the Human Resources Committee.

Finance Committee: The Finance and Performance Committee is a formal committee of the Board with delegated responsibility to monitor, review and make recommendations to the Trust Board with regard to the detailed financial and operational performance of the Trust. They have responsibility for management of the Financial Risk Register, and the relevant section of the Board Assurance Framework (BAF), ensuring delivery against any associated actions and escalating key strategic risks to the Trust Board following review at the Trust’s Risk and Safety Council.

Human Resources Committee: The Human Resources Committee is a Board Committee with the purpose to oversee the development and implementation of the Trust’s People Strategy which aims to maximise the contribution of staff in the delivery of the Trust’s Strategic Plan and objectives. The Committee have oversight of all workforce risks identified through service strategic planning, operational plans and as recorded in the Corporate Risk Register, escalating matters of concern to the Trust Board.

Internal Audit: The internal audit function will undertake independent reviews of the systems of internal control, using a risk-based approach and report the findings to line management and the Audit Committee.

Head of Corporate Risk: The Head of Corporate Risk supports the Chief Executive and the Director of Nursing, Midwifery and Quality in developing a Risk Management Strategy including all aspects of clinical and non-clinical risk management, and takes the lead in its implementation. This includes:

• Responsibility for providing direction and guidance to Business Units and departments in managing risk;
• Responsibility for advising the Trust Board and Committees on relevant risk management issues and processes and implementing appropriate measures to achieve risk reduction within the Trust;
• Attending the Quality Governance Committee, as lead for clinical risk management and other Committees as required as lead for wider risk management;


• Coordinating the provision of risk management training as outlined within the Trust’s Training Needs Analysis (TNA);
• Responsibility for producing quarterly reports for the Board, Quality Governance Committee and Audit Committee covering high level risks.
• Producing the Annual Risk Management report for submission to the Board of Directors.
• Responsibility for co-ordination and collation of the Board Assurance Framework processes and documentation to the Board and Committees.
• Overseeing the claims management service.

Corporate Risk Manager: The Corporate Risk Manager supports the Head of Corporate Risk in the delivery of the Risk Management Strategy, supporting operational governance and policy compliance, risk management training, and providing support to all Trust staff with the process of risk identification, assessment and analysis.

Legal Services Manager: The Legal Services Manager is responsible for providing an efficient and effective claims management process in line with the requirements of NHS Resolution and ensuring that appropriate lessons are learned and disseminated across the Trust to improve patient safety and reduce risk.

The Patient Safety Team: The Patient Safety Team manage the Datix incident management system, quality checking safety incidents, ensuring investigations are undertaken in a timely manner and helping to identify learning and thematic trends. The team also support wider Datix system management including the risk register module.

The Patient Experience Team: The Patient Experience Team proactively manages complaints and PALs, supporting patients in the process and learning from patient experience.

Associate Directors, Heads of Department, and Managers: The Associate Directors, Heads of Department, and Managers are responsible for implementing risk management within their areas and for engaging all staff in this process. They are also responsible for making sure that members of their staff receive the necessary level of risk management awareness/training in order to ensure that they are competent to identify, assess and manage risk within their working environment. Furthermore they are responsible for the development and ongoing maintenance of risks within their areas, which in turn will inform the overall Trust-wide risk register, and for making sure that:

• There are appropriate and effective risk management processes in place and that all staff are made aware of the risks within their work environment and of their personal responsibilities;
• There are effective systems in place for the identification, management (control), monitoring and review of risks (particularly in regard to the Care Quality Commission (CQC)), and that risks are evaluated using the Trust’s framework for the grading of risks and that the appropriate level of management action is initiated and completed appropriately;
• Their staff receive the necessary information and training to enable them to work safely and comply with appropriate Trust procedures, including incident reporting, risk assessments, fire arrangements and all health and safety procedures;


• Non-attendance at mandatory training and other risk management training is monitored and followed up. Non-attendees will be rebooked by OD and Training. (See Mandatory Training Policy);
• Staff know and understand their responsibilities and duties under this Policy and have appropriate arrangements in place to ensure that these are met; and
• Staff know and understand their responsibilities and duties under the Trust’s Health and Safety Policy and have appropriate arrangements in place to ensure that these are met.

All Staff: For risk management to be effective it must actively involve staff at all levels within the organisation (i.e. ‘Board to Ward’); it must be seen as everyone’s responsibility and not just that of any one individual or department.

Each employee has a responsibility to:

• Report incidents/accidents and near misses promptly in accordance with the Trust’s Incident Reporting Policy. Every reported incident or near miss may be a valuable learning opportunity;
• Provide safe standards of practice through compliance with the regulations of the appropriate professional bodies and maintain professional and technical competence;
• Ensure their own safety and the safety of all others who may be affected by the Trust’s business;
• Work in accordance with all Trust policies and procedures;
• Comply with this Risk Management Policy;
• Ensure that equipment provided for the protection of safety and health is maintained and utilised appropriately;
• Comply with emergency procedures e.g. resuscitation, evacuation and fire precaution procedures including those pertaining to their particular Business Unit/department locations;
• Attend induction and regular update training on risk management policies and procedures including mandatory training; and
• Participate in risk assessments when required within their area of work and identify any risks they feel exist.

5 Definition of Terms

A Hazard is anything that has the potential to cause injury, damage or harm.

Risk is defined as uncertainty/ possibility of loss, damage, missed opportunity, injury or failure to achieve objectives or deliver our plans as a result of an uncertain action or event.

Risk Management is defined as ‘the systematic identification of risks within an activity, system or process, and the implementation of actions which will minimise harm arising from these risks’. A key aspect of risk management is learning from events, errors, or near misses in order to reduce the risk of them recurring. Clinical risk management concentrates on identifying and correcting risks associated with direct patient care, whilst non-clinical risk management is associated with all other Trust activities.

Risk Identification is the process of determining what, where, when, why and how something could happen.


Risk Assessment is the process used to evaluate a risk with regard to the impact if the risk is realised and the likelihood of the risk being realised.

Likelihood is used to assess probability or frequency of a risk occurring. Likelihood is expressed along a scale ranging from ‘rare’ to ‘almost certain’.

Probability is often used to express the likelihood of a specified event or outcome occurring. This uses percentage levels to align likelihood.

Frequency is another expression of likelihood.

Impact/ Consequence refers to the outcome if a risk occurs. This can be positive or negative.

Risk Mitigation/ Risk Treatment is the action that is/can be taken to reduce either the likelihood or impact/consequences of a risk.

Risk Reduction refers to a reduction in the likelihood, negative consequences or both associated with risk. This reduces the risk score.

Accepted risk refers to a risk that cannot be completely removed or eliminated but where existing controls reduce the risk to an acceptable level.

Risk Owner is the person who is given and accepts responsibility for managing and controlling a specific risk.

Risk Register (Datix) is a tool for recording identified risks, the results of their analysis and evaluation, and monitoring actions and plans against them. The Risk Register is an important component of the organisation’s risk management framework.

Risk Appetite refers to the statement of intent from the organisation about the level of risk it is prepared to accept, tolerate, or be exposed to at any point in time.

Risk Management Strategy is the overall organisational approach to risk management as defined by the Trust Board, which is documented and easily available throughout the organisation.

Risk Maturity refers to the overall quality of the risk management framework.

Board Assurance Framework (BAF) refers to the processes and documentation by which the Board are assured that key risks to organisational objectives are being managed. The documented BAF summarises key strategic risks and supporting assurances.


6 Risk Management Approach

6.1 Overview

The Trust aims to be proactive in its approach to the management of risk and will endeavour to identify, control and where possible eliminate the risk before incidents of actual loss or harm have occurred. For this approach to be effective it is recognised that there must also be:

• Ongoing risk management awareness raising;
• Involvement/participation of all staff;
• Integration of risk management into operational management;
• A live and meaningful organisation-wide Board Assurance Framework and risk register which is populated with all types of risk e.g. financial, strategic, clinical and non-clinical;
• Clearly communicated arrangements/designated responsibilities for risk management;
• Training in risk assessment;
• A robust integrated incident reporting system;
• Development of risk management within a fair and just culture. The Trust’s approach following adverse incidents will therefore focus on “what went wrong not who went wrong”;
• Sound clinical practice which is evidence based and undertaken by appropriately skilled and equipped staff in accordance with policies, procedures and guidelines;
• Effective communication within and between Business Units, wards and departments and also with patients, public and stakeholders;
• Safe systems of work and safe practices which are undertaken in accordance with up-to-date policies, procedures and guidelines which are known and understood by the staff concerned;
• Ongoing monitoring of actions/controls put in place to minimise the organisation’s risk exposure;
• Proactive management of complaints and claims.

Effective risk management is based on a continuous cycle that involves robust processes of hazard/risk identification, risk assessment and quantification, critical examination and development of control measures and action planning for all types of risk. Monitoring mechanisms are essential to ensure that actions taken as part of the risk mitigation process are effective. Where possible and practicable, risks will be eliminated; otherwise risks will be reduced to the lowest reasonable level whereby the residual risk can be classified as acceptable. The overall risk management process is shown pictorially below, there being seven major elements in the process.


Step 1: Establish the context: When we are considering risk we determine the facts, understand the situation and environment, considering both external and internal factors.

Step 2: Identify risk: Identify what, why and how things can arise as the basis for further analysis. Risk can be identified from many sources of information. These are grouped as reactive (e.g. incidents) or proactive (risk assessments), as well as internal (staff consultations) or external (inspections).

Steps 3 through 5: Risk Assessment: these three steps are brought together under the heading of risk assessment as they are undertaken collectively, revisiting steps as required.

Step 3: Analyse risk: Determining the relative importance of individual risks is a key element of the risk management process, enabling risk control priorities to be identified and appropriate action to be taken in response. This is achieved by:

• Assigning a level of ‘likelihood’ of a risk event occurring using the likelihood matrix;
• Assigning a level of ‘impact’ or ‘consequence’ to the risk event using the consequences matrix;

Step 4: Evaluate risks: Review ‘residual’ risk level against policy requirements and risk appetite and determine whether treatment is required. Compare estimated levels of ‘residual’ risk. This enables risks to be ranked so as to identify management priorities.

Step 5: Treatment of risks: Risk treatment involves identifying the range of options for controlling or treating risk, assessing those options, preparing risk treatment plans and implementing them.


Step 6: Constant monitoring and review: Of risks, their controls, assurances, and actions, and of the Risk Management System.

Step 7: Communicate, consult, learn and adapt: Communicate and consult widely, including with external stakeholders as appropriate, at each stage of the risk management process.

The Trust aims to foster an environment that also promotes innovation and service development, which may be balanced with limited risk taking. Therefore careful evaluation and management of risk within a framework of assurance is an essential component to balanced risk management which supports development without stifling innovation but reduces the risk of adverse outcomes which may cause harm to patients, staff, reputation or resources. The risk management process involves the systematic identification, analysis and treatment of all types of risk.

6.2 Identifying, Defining and Describing Risk

The Trust cannot manage its risks effectively unless we know what the risks are. Risk identification is therefore vital to the organisational success of the Trust’s risk management process.

Risk is the possibility of loss, damage, missed opportunity, injury or failure to achieve objectives or deliver our plans as a result of an uncertain action or event.

It is the responsibility of all staff to be alert to risks and to report them as soon as possible through their line management arrangements so that appropriate steps can be taken to analyse, report and manage the identified risk.

Risk identification should take place on a continual basis, but particularly where new activities are planned, new legislation or NHS policy requirements are identified, new strategies and plans are developed, or where incidents or near misses have taken place.

The following table indicates some areas from which risks may be identified.

| External Scrutiny and Inspection | Occurrences | Internal Assessments |
|---|---|---|
| External audit reports | Never Events/ Serious Incidents/ Significant Events | Board Assurance Framework |
| CQC reports/ visits | Incident and near miss reporting | Performance management |
| Reports from professional bodies | Complaints | Internal audit reports |
| Health and Safety Executive | Legal claims | Clinical audit programmes |
| Environmental Health reports | Patient satisfaction measures | Risk Assessments (work place or clinical) |
| Monitor reports | Employee satisfaction measures | Networking – use of media reports and information from other Trusts |
| Coroner’s reports. | Sickness and absence records | Fraud & Corruption |
| NICE Guidance/Guidelines. | Staff turnover | Other self-assessment tools (including self-assessment against CQC standards) |
| Commissioner feedback | Levels of agency utilisation | Inspections |
| NHS Improvement oversight | Whistle-blowing | Equality Analysis |
| Healthwatch | Inquests | Specialisms, e.g. information governance, infection control, health and safety, manual handling. |

(Note – this list is by no means exhaustive)

Proactive risk identification should be carried out throughout the Trust at all levels,

for example:

• Strategic objectives are cascaded into Business Unit and Directorate led

strategies and service plans, and risks to the achievement of these identified

and assessed.

• Multidisciplinary teams delivering clinical services carry out risk

identification and assessment of clinical activities as well as identifying and

reporting risks, act upon local risk assessments and consider any risks for the

Risk Register.

• Risk management specialists e.g. health and safety, security, fire, counter

fraud, clinical safety, carry out risk identification specific to their area of

expertise.

• Service/department teams identify and assess risks to patients, staff or

visitors within the service/department environment.

• Clinical risk assessments are carried out with individual patients/service

users using clinical risk assessment tools and care plans are developed

accordingly.

• Project management teams carry out risk assessments throughout a project,

maintain project risk logs, and assess both during and at the end of the

project any risks as to their suitability for the Risk Register.

Incident and near miss reporting, whistle blowing, complaints, claims, PALS contacts

and the outcomes of external reviews are sources of reactive risk identification.

Local Risk Assessments

Health and safety risk assessment should be documented on the appropriate Risk

Assessment Form in accordance with the Health and Safety Policy. Guidance is also

outlined in the ‘Risk Assessment Guidance’ located on the Health and Safety portal

of the Trust Intranet. Risk assessments that identify poorly controlled risks should

be considered for entry onto the risk register via the Datix risk register module.

Each Business Unit/department has an identified person responsible for managing

the process for undertaking risk assessments. Depending on the type and source of

risk, not all risks will be documented on the Trust risk assessment form. For

example, a service or business risk may be entered directly onto the risk register,

with appropriate documentation, records and action plans held within the system.

Copies of any ward/departmental risk assessments will be sent from the

ward/departmental manager to the area’s designated risk assessment lead as

identified.

All existing risk assessments must be reviewed every two years, after any relevant

accident or incident, or whenever there has been a significant change to the activity

covered by the risk assessment.

All risk assessments undertaken in accordance with the individual policies as per

patient/staff needs must be documented on the risk assessment tools provided

within those individual policies.

All staff are responsible for ensuring that individual risk assessments to promote

staff and patient safety are undertaken in accordance with relevant policies.

Defining and Describing Risk

How a risk is defined is an important factor, both to ensure a shared understanding

of the risk, and to aid the identification of controls, assurances and subsequent

treatment of the risk.

When describing risks, think of risk in terms of:

• The Cause of the risk; the current position, issues and underlying causes behind the risk.

• The Risk Event; what could go wrong?

• The Consequences (or impact); what could happen to patients, staff, the team, the service, or the Trust if the event occurs. How likely (what is the probability of this occurring)?

We can describe risks in the following ways:

‘As a result of 'an existing condition (the cause)', 'something uncertain' may occur (the risk), which would lead to 'effect on objectives/impact (the consequences)'.’ or;

‘There is a risk that (the risk event)… This is caused by… (the cause)… and would result in… leading to an impact upon… (the consequences)…’

The Trust recognises that as new risks are constantly emerging, the identification of

risk needs to be an ongoing and proactive process, which involves all staff and

ensures that action is taken before incidents/actual loss or harm have occurred.

Risks may be clinical or non-clinical risks, including financial risks. This will include

contract or service level agreements in recognition that risk management

arrangements should be formalised as part of contractual obligations.

6.3 Risk Assessment - Risk Analysis:

Determining the relative importance of individual risks is a key element of the risk

management process, enabling risk control priorities to be identified and

appropriate action to be taken in response. This is achieved by:

• Assigning a level of ‘likelihood’ of a risk event occurring using the likelihood

matrix;

• Assigning a level of ‘impact’ or ‘consequence’ to the risk event using the

consequences matrix;

• The assessment is completed using a likelihood matrix (Table 1) and

consequence matrix (Table 2). While the likelihood matrix offers an option of

frequency or probability, the consequence matrix offers options based on the

type of consequence (impact) that will arise if the risk should occur.

Table 1 – Likelihood Table

| Likelihood Score | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Descriptor | Rare | Unlikely | Possible | Likely | Almost certain |
| Frequency: How often might it/does it happen | This will probably never happen/recur; Not expected to happen for years | Do not expect it to happen/recur but it is possible it may do so; Expected to occur at least annually | Might happen or recur occasionally; Expected to occur at least monthly | Will probably happen/recur but it is not a persisting issue; Expected to occur at least weekly | Will undoubtedly happen/recur, possibly frequently; Expected to occur at least daily |
| Probability | <1%; Unlikely to occur | 1-5%; Unlikely to occur | 6-20%; Reasonable chance of occurring | 21-50%; Likely to occur | >50%; More likely to occur than not |

Table 2 – Consequence Score

Consequence score (severity levels) and examples of descriptors

| Consequence Type | 1 Negligible | 2 Minor | 3 Moderate | 4 Severe | 5 Catastrophic |
|---|---|---|---|---|---|
| Impact on the safety of patients, staff or public (physical/ psychological harm) | Minimal injury requiring no/minimal intervention or treatment; No time off work | Minor injury or illness, requiring minor intervention; Requiring time off work for >3 days; Increase in length of hospital stay by 1-3 days | Moderate injury requiring professional intervention; Requiring time off work for 4-14 days; Increase in length of hospital stay by 4-15 days; RIDDOR/agency reportable incident; An event which impacts on a small number of patients | Major injury leading to long-term incapacity/disability; Requiring time off work for >14 days; Increase in length of hospital stay by >15 days; Mismanagement of patient care with long-term effects | Incident leading to death; Multiple permanent injuries or irreversible health effects; An event which impacts on a large number of patients |
| Quality/ complaints/ audit | Peripheral element of treatment or service suboptimal; Informal complaint/inquiry; Service delivery is not materially affected | Overall treatment or service suboptimal; Formal complaint (stage 1) / Local resolution; Single failure to meet internal standards; Minor implications for patient safety if unresolved / Reduced performance rating if unresolved; Some inconvenience/ difficulty in operational performance of a particular service area | Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2) complaint; Local resolution (with potential to go to independent review); Repeated failure to meet internal standards; Major patient safety implications if findings are not acted on; Operational performance of a particular service area is affected to the extent that revised planning is required to overcome difficulties | Non-compliance with national standards with significant risk to patients if unresolved; Multiple complaints/ independent review; Low performance rating; Critical report; Operational performance of a particular service area is severely affected | Totally unacceptable level or quality of treatment/service; Gross failure of patient safety if findings not acted on; Inquest/ombudsman inquiry; Gross failure to meet national standards; Operational performance is compromised to the extent that the organisation is unable to meet its obligations in core activity areas |
| Human resources/ organisational development/ staffing/ competence | Short-term low staffing level that temporarily reduces service quality (< 1 day) | Low staffing level that reduces the service quality | Late delivery of key objective/ service due to lack of staff; Unsafe staffing level or competence (>1 day); Low staff morale; Poor staff attendance for mandatory/key training | Uncertain delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>5 days); Loss of key staff; Very low staff morale; No staff attending mandatory/ key training | Non-delivery of key objective/service due to lack of staff; Ongoing unsafe staffing levels or competence; Loss of several key staff; No staff attending mandatory training / key training on an ongoing basis |
| Statutory duty/ inspections | No or minimal impact or breach of guidance/ statutory duty | Breach of statutory legislation; Reduced performance rating if unresolved | Single breach in statutory duty; Challenging external recommendations/ improvement notice | Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report | Multiple breaches in statutory duty; Prosecution; Complete systems change required; Zero performance rating; Severely critical report |
| Adverse publicity/ reputation | Rumours; Potential for public concern | Local media coverage – short-term reduction in public confidence; Elements of public expectation not being met | Local media coverage – long-term reduction in public confidence | National media coverage with <3 days service well below reasonable public expectation | National media coverage with >3 days service well below reasonable public expectation; MP concerned (questions in the House); Total loss of public confidence |
| Business objectives/ projects | Insignificant cost increase/ schedule slippage | <5 per cent over project budget; Schedule slippage | 5–10 per cent over project budget; Schedule slippage; late delivery of key target | Non-compliance with national 10–25 per cent over project budget; Schedule slippage; Key objectives not met; Partial delivery of key targets | Incident leading >25 per cent over project budget; Schedule slippage; Key objectives not met; Non-delivery of key targets |
| Finance including claims | Small loss (less than 0.1% of budget); Risk of claim remote | Loss of 0.1–0.25 per cent of budget; Claim less than £10,000 | Loss of 0.25–0.5 per cent of budget; Claim(s) between £10,000 and £100,000 | Uncertain delivery of key objective/Loss of 0.5–1.0 per cent of budget; Claim(s) between £100,000 and £1 million; Purchasers failing to pay on time | Non-delivery of key objective/ Loss of >1 per cent of budget; Failure to meet specification/ slippage; Loss of contract / payment by results; Claim(s) >£1 million |
| Service/business interruption; Environmental impact | Loss/interruption of >1 hour; No impact on ability to meet internal and external reporting requirements even though a particular service area is affected; Minimal or no impact on the environment | Loss/interruption of >8 hours; Inability to meet a specific reporting requirement; Minor impact on environment | Loss/interruption of >1 day; Difficulty in complying with key reporting requirements; Moderate impact on environment | Loss/interruption of >1 week; Unable to comply with the majority of reporting requirements; Major impact on environment | Permanent loss of service or facility; Unable to access any service user or corporate information; Catastrophic impact on environment |

The two numerical assessment scores are then multiplied to give a risk rating and

level of risk as shown in table 3.

Table 3 – Risk Scoring and Levels

The Trust’s risk assessment matrix is therefore as follows:

Severity of Impact/ Consequence

| Likelihood | 1 Negligible | 2 Minor | 3 Moderate | 4 Severe | 5 Catastrophic |
|---|---|---|---|---|---|
| 5 Almost certain | 5 Low | 10 Moderate | 15 High | 20 High | 25 High |
| 4 Likely | 4 Low | 8 Moderate | 12 Moderate | 16 High | 20 High |
| 3 Possible | 3 Very Low | 6 Low | 9 Moderate | 12 Moderate | 15 High |
| 2 Unlikely | 2 Very Low | 4 Low | 6 Low | 8 Moderate | 10 Moderate |
| 1 Rare | 1 Very Low | 2 Very Low | 3 Very Low | 4 Low | 5 Low |

We undertake assessment of risk at three stages:

• Inherent risk (initial or gross risk) is an assessment of the risk prior to

considering any controls in place.

• Current risk is an assessment of the risk after identification of controls,

assurances, and gaps in control or assurance, hence reflecting how these

controls reduce either the likelihood or impact of the risk.

• Target risk (residual risk) is an assessment of the anticipated risk score

following the successful implementation of identified actions to create

additional controls. This is undertaken where the residual risk score reflects

that further controls are needed, and these are identified in the form of

actions. The target risk score enables managers to fully understand the

impact of the actions to be taken, as well as whether these actions alone will

reduce (mitigate) the risk to an acceptable level.

The assessment undertaken is the same at each stage, enabling consistency

and demonstration as to how well risks are being managed by current

controls.

6.4 Risk Assessment - Risk Evaluation

The level of ‘current’ risk will indicate whether additional treatment/ mitigation is

required. The ‘current’ risk level also enables risks to be ranked so as to identify

management priorities.

All risks with a current score that results in a classification of Moderate or High will

require a supporting action plan that describes the activities and actions being

taken to mitigate the risk.

Current risks with a level of low may be required to have action plans in place to

further mitigate the risk. Very low current risks do not usually need any further

action.

Although action should always be taken to reduce risks where this involves

measures that are clearly proportionate in relation to the risk, actions should not

always be taken just because there is a level of risk. Applying this often requires the

use of common sense and judgment, rather than a formal cost-benefit analysis.

However, some risks will remain above the minimal level even after being mitigated

in this way. Such risks may be deemed acceptable provided:

• The risk is maintained at a level which is both ‘as low as reasonably

practicable’ and acceptably low in absolute terms;

• The risk and the control measures are communicated to staff / management

/service users;

• The risk, and control mechanisms, are reviewed regularly;

• It does not exceed the Trust’s risk appetite (it is accepted by the Board,

Committee or sub-group);

• It does not lead the Trust to breach its terms of authorisation.

• If a risk requires further mitigation, the scale and urgency of the risk treatment

should be determined based on the level (score) and immediacy (how soon it could

occur) of the risk.

• The level of risk the controls are managing is important in considering the type and

frequency of assurances required to be fully assured that the systems and

process continue to work effectively to mitigate the risk. The Trust will use

this information to inform the internal audit and clinical audit plans, as well

as management reviews.

6.5 Risk Assessment - Treatment of Risk

Risk treatment involves identifying the range of options for controlling or treating

risk, assessing those options, preparing risk treatment plans and implementing

them. The options available for the treatment of risks include:

• Tolerate (accept) the risk - if, after controls are put in place, the remaining

risk is deemed acceptable to the organisation, the risk can be retained. The

process for recording and updating risks provides an option to ‘accept’ the

risk, this reflects that although a level of risk remains, even if this is high, the

risk is being managed and accepted at the current risk level. This may be the

case where the risk is inherent to the service provided, and although all

controls are in place to manage and mitigate the risk as it arises, the risk of

reoccurrence, and resulting possible outcomes, remains. In such instances

assurance should be sought on a regular basis that the key controls remain

effective, incidents of occurrence reviewed, and the risk updated to reflect

assurances and gaps in assurance.

• Treat the risk-

• Reduce the likelihood of the risk occurring – for example using;

preventative maintenance, market assessment, relationship management,

audit and compliance programs, supervision, policies and procedures,

testing, investment, training of staff, technical controls and quality

assurance.

• Reduce the consequences of the risk occurring – for example using;

insurance, financial reserves, contingency planning, disaster recovery &

business continuity plans, off-site back-up, public relations, emergency

procedures and staff training.

• Transfer the risk - this involves another party bearing or sharing some part

of the risk by the use of contracts, insurance, outsourcing, joint ventures or

partnerships.

• Terminate (avoid) the risk - decide not to proceed with the activity likely to

generate the risk, where this is practical.

Where further actions are required to avoid, eliminate or reduce the risk,

these risks should be considered for entry onto the risk register via the Datix

risk register module. Actions must be clearly defined to ensure that risk

treatment is devised and progressive risk reduction is achieved.

Action Plans

In each case where further action is required to control a risk an action plan

should be formulated. This will record the further controls required to

reduce the risk to a level which is as low as is reasonably practicable, a

named person responsible for taking the action, the estimated cost (where

appropriate) associated with the action and the date by which the action

should be completed. Action plans must be reviewed regularly to ensure

that all appropriate actions have been taken.

Action plans must include a description of ‘SMART’ actions; include interim

actions already taken as well as those planned that will reduce the risk prior

to the final action identified.

SMART = Specific, Measurable, Agreed upon, Realistic, Time-based

Responsibility relates to the individual, management team, group or

committee responsible for the action.

Cost is an estimated total cost of implementing the identified actions, where

this can be calculated.

Completion dates of actions should be realistic and achievable. Where these

take a longer period of time, the actions should be broken down so that

progress can be demonstrated.

The strategic planning and capital allocation processes are linked to the risk

assessment process. Business Units, Specialties and Departments are

required to risk assess and support all bids to demonstrate that the

allocation of funding will reduce or remove a risk on the risk register.

6.6 Monitoring and Review

Risk review

All risks on the risk register require regular review by the risk owner, as well as

wider review by peers within department, service and Business Unit/ Directorate

meetings. The former enables the risk to be kept up to date, and controls and

actions to be updated and monitored, while the latter enables wider review and

input into the risk detail, wider agreement on risk scoring levels, wider input into

actions, including wider support in unblocking issues to enable and ensure risks can

be successfully mitigated.

Risk Review Timescales

| Current Risk Level | Frequency | Who |
|---|---|---|
| 12 and above | Monthly | Risk owner |
| 12 and above | Determined locally but at least bi-monthly | Department/ service meetings; Business Unit/ Directorate meetings |
| 8 to 10 | At least bi-monthly | Risk owner |
| 8 to 10 | Determined locally but at least 6 monthly | Department/ service meetings; Business Unit/ Directorate meetings |
| Up to 6 | At least 6 monthly | Risk owner |

Authority for Managing Risk/ Risk Escalation

Authority for Managing Risk

Whilst all staff within the Trust have some responsibility for risk management,

where a risk cannot be dealt with at a specific level there must be a mechanism in

place for escalation to the next level for a decision to be made.

The responsibility for managing an identified risk rests with the individual who has

identified it unless, and until, that risk is accepted by another.

In line with the principles of the Business Unit/ departmental management system

within Gateshead Health NHS Foundation Trust, responsibility for the

management/control and funding of a particular risk rests with the Business

Unit/department concerned.

However, where action to control a particular risk falls outside the

control/responsibility of that Business Unit/department or requires significant

financial investment, or the risk is ‘significant’ and simply cannot be dealt with at

that level, such issues will be referred to the appropriate committee e.g. Health and

Safety Committee, Risk and Safety Council, Quality Governance Committee, Finance

Committee or Senior Management Team/Board of Directors as appropriate.

In respect of risks, it will be the responsibility of individual Business

Units/departments to decide what level of risk is ‘acceptable’. In respect of Trust-

wide level risks (15 and above), it will be the responsibility of the Chief Executive, as

Accountable Officer, who has overall responsibility for ensuring the effective

management of risk, supported by the directors.

Risk Escalation and Risk Registers

Once on Datix a risk will be reflected as part of wider risk register reporting. As such

an individual service or department risk will form part of your service or

department register, but also the wider register for the Business Unit or

Directorate, as well as showing on collated Trust-wide registers depending on the

current risk score.

The Associate Directors/Directors/departmental leads, or their deputies will

present their Business Unit/ Directorate risk registers on a six monthly basis as part

of a rolling programme to the Risk and Safety Council. Financial and Human

Resources risks will also be reviewed by the Finance and Performance Committee/

Human Resources Committee.

Risks scoring 15 or above will be collated and presented as a Trust-wide Risk

Register to the Quality Governance Committee and the Trust Board on a quarterly

basis.

Risks identified as impacting directly on the achievement of the Trust’s strategic

objectives are also reflected in the Board Assurance Framework (BAF).

Risk Registers

Risk registers are used as tools to assist the Trust to understand its comprehensive

and complex risk profile and aid decision-making and resource prioritisation. Risk

registers provide information on the systematic, effective and efficient

management of risks, providing reassurance that the organisation’s objectives are

being delivered. In combination with the Board Assurance Framework, risk registers

can assist in identifying that appropriate management arrangements are in place to

address risks at all levels. The risk register process ensures that all key topics

highlighted are subject to the appropriate level of scrutiny, frequent review and a

continual process for the effective management of risk.

The Business Unit/service/department (or Directorate/department) level risk

register acts as a repository for all specific risk information relating to their

department using the comprehensive risk identification process outlined. Business

Unit/service/department specific risk registers continue to be developed for all

areas.

The Datix risk register module is a comprehensive electronic management system

that captures all relevant information including the description of the risk; risk score

including initial risk score; current risk and target risk score; actions to formulate a

summary risk treatment plan and review dates. Actions identified to manage and

reduce risks should be agreed and entered into the actions module of the Datix

System Risk Register within the corresponding risk. Actions should be timed, with a

person identified as responsible for completing the action.

Associate Directors/ Directors and ‘operational leads’ are responsible for ensuring

that Business Unit/Directorate risk registers are updated, and risk ratings are

amended to reflect ongoing risk assessment and treatment. Where appropriate,

corresponding action plans that are reviewed regularly via the same route as the

risk register should support the risk registers. Review of the risk register should

include the identification and addition of new risks to the register. This should

include the systematic consideration of internal, external, proactive and reactive

methods as described above.

| Risk Register | Reviewed at Committee/Meeting | Frequency |
|---|---|---|
| Service/department risk register (all within scope) | Service/ Departmental meeting | Determined locally but at least bi-monthly |
| Business Unit/ Directorate Risk Register (12 and above) | Business Unit/ Directorate Meeting | Determined locally but at least bi-monthly |
| Business Unit/ Directorate Risk Register (8-10) | Business Unit/ Directorate Meeting | Determined locally but at least 6 monthly |
| Business unit/Directorate risk register (12 and above) | Risk and Safety Council | Bi-Annually |
| Trust-wide Risk Register (15 and above) | Quality Governance Committee/ Trust Board | Quarterly |

6.7 Communicate, Consult, Learn and Adapt

To address risk we will communicate and consult widely, including with external

stakeholders as appropriate, at each stage of the risk management process. Risks

will emerge that have cross functional or cross Business Unit impacts or relevance

and as such should be shared and discussed in wider groups. This will be partly

facilitated through the Risk and Safety Council meetings, where a Trust-wide

representation from all areas enables wider discussion and consideration of risks

and controls in use, but will also be facilitated through a number of meetings across

the Trust, including various Committee sub groups and working groups.

To ensure learning and appropriate adaptation occurs in order to minimise

recurrence of risks across the organisation, cross Directorate and Business Unit

analysis will be undertaken. This will enable similar and cross cutting risks to be

grouped and shared, enabling learning and adaptation of controls or actions.

Risks may also emerge as a result of partnership/ joint working crossing

organisational boundaries. In such cases it is important that all organisations

involved are aware of the risk, and understand and accept responsibility for controls

and actions.

Where a risk has been identified in one area of the Trust but has the potential to

occur elsewhere, lessons learnt will be widely shared. The Trust will have in place a

range of mechanisms to support this sharing of information (If the risk identified

impacts on another Business Unit/department the risk will need to be

communicated to the other department.)

6.8 The Board Assurance Framework

All NHS Trusts are required to use a Board Assurance Framework, as this has been

proven good practice for many years in both healthcare and a range of other high-

risk organisations. It is a “live” document that changes over time, and in particular it

picks up all the controls that we have in place to manage and minimise the principal

risks we’ve identified and points towards concise and comprehensive evidence that

the controls are working. It also provides a structure to support the evidence for the

Annual Governance Statement.

The Board Assurance Framework documents the Trust’s high level risks to achieving

our strategic objectives, bringing together the assurances that effective controls are

in place and actions are being completed. The required assurances reflected in the

document also inform the Board and Committee agendas, ensuring that key

assurances are provided to the Board in a timely manner.

The risks reflected within the Board Assurance Framework also form part of the

Trust’s Risk Registers. The difference between the two in terms of their presentation

to the Board is that the Trust-wide (15+) Risk Register is there to provide the Board

with an overview of the highest risks that the Trust is managing, while the Board

Assurance Framework document is there to provide a summary of the assurances

(they have or will receive) that risks to the achievement of the objectives are being

successfully managed and mitigated.

The risk register is based on ‘bottom-up’ risk assessment, i.e. risks identified by

Departments and Business Units which are normally operational in nature.

However, the Board Assurance Framework is based on a ‘top down’ assessment,

where strategic objectives are risk assessed, followed by associated strategies and

plans.

The Board Committees support the identification and review of assurance on the

Board Assurance Framework, and the Audit Committee will also provide

overarching scrutiny regarding the risk management processes in the Trust with

particular reference to the Board Assurance Framework and the Trust-wide Risk

Register.

7 Training

In order to ensure that staff possess sufficient awareness of risk management and are

competent to identify, assess and manage risk within their working environment, risk

awareness/assessment training will be made available to all staff as part of the Risk

Management Training Programme. This is linked to the Trust Training Needs Analysis and

is reflected in the Staff Development Prospectus. There will be ongoing review of Risk

Management Training in the form of a regular training needs analysis to assist with the

development of training and to provide appropriate education to a body of competent

persons who are available to give advice and support where necessary.

Specific risk management awareness training sessions on national and local risk

management will be developed as necessary based on an ongoing review of national and

local risk management issues which will affect the roles and responsibilities of Executive,

Non-executive and Associate Directors.

Managers with responsibility for the management of staff (and ultimately Associate

Directors/Heads of Department) will be responsible for ensuring that an assessment of the

risk management training needs of their staff is undertaken and that staff have access to

and are able to attend relevant training. In respect of new staff, information on risk

management including information on incident reporting is included in the general

induction arrangements for all staff.

8 Equality and Diversity

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we

provide services to the public and the way we treat staff reflects their individual needs and

does not unlawfully discriminate against individuals or groups on the grounds of any

protected characteristic (Equality Act 2010). This policy aims to uphold the right of all staff

to be treated fairly and consistently and adopts a human rights approach. This policy has

been appropriately assessed.

9 Monitoring Compliance with this Policy

Ongoing monitoring will be reflected in the reports to Risk and Safety Council, whereas an

annual overview will be provided within the Risk Management Annual Report. The

information reported will be based on compliance with the Risk Management Policy, risk

management process and use of the risk registers.

Monitoring and Audit

| Standard/ process/ issue | Method | By | Committee | Frequency |
|---|---|---|---|---|
| Risk review and management - cyclic Business Unit/ Directorate review process | Identification and monitoring of KPIs, Risk movement and current position report | Corporate Risk Manager and local Lead(s) | Risk & Safety Council | Bi-monthly meetings – twice a year for each Business Unit/ Directorate |
| Overall Trust adherence to policy and management of risk | In year monitoring and Report | Head of Risk Management / corporate Risk Manager | Risk & Safety Council | Annual |
| Independent review of compliance | Audit & subsequent report | Internal Audit | Risk & Safety Council, Quality Governance Committee, Audit Committee | Annual |

An action plan will be produced if necessary to address where improvements should be

made. Review of the action plan will be overseen by the Risk and Safety Council.

Information will be shared with other Committees and groups as appropriate.

10 Consultation and Review of this policy

This Policy will be reviewed in October 2018 or sooner should the need arise. All members

of the Risk & Safety Council have been consulted in relation to this policy.

11 Implementation of this policy

The Risk Management Policy and supporting guidance will be made available to all staff via

the Trust Intranet, as well as being made available to stakeholders and the public via the

Trust website. Risk management training will reflect the policy, and any amendments to

the Policy will be communicated as and when they occur.

12 References

Australian/New Zealand Risk Management Standard AS/NZS 4360:1999

NHS Litigation Authority, Risk Management Standards 2013-14

National Patient Safety Agency, Risk Assessment Matrix, March 2007

13 Associated Documentation

The above represents the Trust’s Risk Management Policy and does not provide detailed

information on the management of a specific area of risk or risk topic. It is recommended,

therefore, that this document be read in conjunction with the Risk Management Strategy,

and the suite of risk management, operational and clinical policies and procedures which

can be found on the Trust intranet, some of which are referenced below.

RM02 - Health & Safety Policy

RM03 - Incident Reporting and Investigation Policy

RM06 - Manual Handling Policy

RM08 - Control of Substance Hazardous to Health

RM10 – Violence at Work Policy

RM11 - Security Policy

RM21 - Complaints and Concerns Policy

RM23 - Claims Management Policy

RM30 – Procurement, management and Use of Medical Devices Policy

RM49 - Being Open and Duty of Candour Policy

RM50 – Slips, Trips and Falls Policy

RM51 – Learning from Experience Policy

RM59 – Policy on the use of Bed Rails

RM66 – Business Continuity Planning Policy

RM79 – Fire Safety Policy

OP06 – IT and Information Security Policy

OP89 – Emergency Preparedness and Response (EPRR) Policy

OP93 – Reviewing and Learning from Deaths

PP35 – Freedom to Speak Up – Raising Concerns Policy

The above is not an exhaustive list but represents key documents which outline

arrangements and processes which complement the approach outlined in this Policy.

14 Intranet Information

The Risk Management intranet pages include additional information and guidance to

support this policy. This includes two downloadable A5 booklets:

• Risk Management Guide

• Risk Assessment Guide

Intranet risk management pages can be found here.