Risk Management Policy · 2018-11-19
Risk Management Policy v7
Policy No: RM01
Version: 7.0
Name of Policy: Risk Management Policy
Effective From: 24/11/2017
Date ratified: 08/11/2017
Ratified by: Risk and Safety Council
Review date: 01/11/2019
Sponsor: Director of Nursing, Midwifery and Quality
Expiry date: 07/11/2020
Withdrawn date:
Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no
assurance that this is the most up to date version
This policy supersedes all previous issues
Version Control

| Version | Release | Author/Reviewer | Ratified by/authorised by | Date | Changes |
|---|---|---|---|---|---|
| 4.0 | | A O’Brien | | March 2009 | |
| 4.1 | 29/09/2009 | S. Winn/S A Gair | Director of Estates & Risk Management | Sept 2009 | OP27 format. Updated to include new staff appointment and review of the prioritised Board risk register |
| 4.2 | 01/01/2011 | S A Gair | Director of Estates & Risk Management | Jan 2011 | Amended to include risk grading matrix as agreed by PQRS |
| 5.0 | 01/04/2012 | A O’Brien/S. Winn | Director of Nursing, Midwifery and Quality | March 2012 | Revised to reflect changes in risk reporting structures and merge with the local risk management procedure |
| 5.1 | 14/03/2013 | S A Gair | Director of Nursing, Midwifery and Quality | | Revised – Risk Awareness Training for Senior Management & Risk Management Structure, Risk matrix and Governance Structure |
| 6.0 | 24/07/2014 | G Appleby / S Winn | Director of Nursing, Midwifery and Quality | June 2014 | Revised and updated to reflect changes to departments and risk reporting |
| 7.0 | 24/11/2017 | K Marley, Corporate Risk Manager / K Jones, Head of Corporate Risk | Director of Nursing, Midwifery and Quality | 08/11/2017 | Revised and updated: Job titles, Committee titles, & structures. Reflect national changes e.g. NHS I, NHS Resolution etc. Updated policy to align with strategy. Changed risk review cycle. |
Risk Management Policy
Contents
1 Introduction
2 Policy Scope
3 Aim of Policy
4 Duties of Key Committees and Individuals – Roles and Responsibilities
5 Definition of Terms
6 Risk Management Approach
  6.1 Overview
  6.2 Identifying, Defining and Describing Risk
    Local Risk Assessments
  6.3 Risk Assessment - Risk Analysis
  6.4 Risk Assessment - Risk Evaluation
  6.5 Risk Assessment - Treatment of Risk
  6.6 Monitoring and Review
    Risk review
    Authority for Managing Risk/ Risk Escalation
    Risk Registers
  6.7 Communicate, Consult, Learn and Adapt
  6.8 The Board Assurance Framework
7 Training
8 Equality and Diversity
9 Monitoring Compliance with this Policy
10 Consultation and Review of this policy
11 Implementation of this policy
12 References
13 Associated Documentation
14 Intranet Information
1 Introduction
The management of risks is a key factor in achieving the provision of the highest quality
care, requiring the identification, management and minimising of activities or events which
could result in unnecessary risks to service users, staff and visitors/members of the public.
Risk management is the identification, assessment, and prioritisation of risks followed by
coordinated, effective and economic application of resources to minimise, monitor, and
control the probability and/or impact of unfortunate events or to maximise the realisation
of opportunities.
The National Health Service carries a number of risks which if not properly
managed/controlled have the potential to cause harm to patients, staff and visitors and
may contribute to an adverse effect on the Trust’s assets and/or reputation.
It is accepted that given the nature of the service provided by the NHS, some risks may
never be totally eliminated. It is however essential that NHS Trusts have in place good risk
management systems and practices which eliminate risk wherever possible and reduce the
impact of those risks that cannot be eliminated to an “acceptable level”.
This policy sets out the commitment of Gateshead Health NHS Foundation Trust to
managing risks (both clinical and non-clinical). The document must be read in conjunction
with the Health and Safety Policy.
The Risk Management Policy is an integral part of the Trust’s approach to continuous
quality improvement and is intended to support and assist the organisation in delivering
the Trust’s Strategic Objectives.
2 Policy Scope
This Policy relates to all members of staff, trainees, contractors, volunteers, visitors, and
members of the public working and visiting Gateshead Health NHS Foundation Trust.
3 Aim of Policy
The overall aims of the Risk Management Policy are to support the Risk Management
Strategy to have an organisation which:
• Is fully “risk aware” where risk management is embraced within the organisation’s
culture and is integrated into the working practices of all grades and disciplines of
staff;
• Encourages the open reporting of errors, within a fair blame culture and ensures
that lessons are learned from those errors and that measures to prevent recurrence
are promptly applied;
• Engages in the continual development of risk management systems to facilitate
identifying which risks represent opportunities and which represent potential
pitfalls; and
• Accepts that risk management is everyone’s responsibility.
This in turn will ensure the achievement of the organisation’s overall aim which is working
together to provide the best health services and care for local people.
4 Duties of Key Committees and Individuals – Roles and Responsibilities
Board of Directors: The Board has a collective responsibility for reviewing the
effectiveness of internal controls and for managing the Trust’s affairs efficiently and
effectively through the implementation of these controls.
Chief Executive: The Chief Executive, as Accountable Officer, has overall responsibility for
ensuring that effective risk management and integrated governance processes are in place
across the Trust and for meeting all statutory requirements and adhering to guidance
issued by NHS Improvement in respect of governance and risk management.
Executive Directors: Executive Directors with delegated responsibility for risk management
sit on the Quality Governance Committee (a committee of the Board of Directors).
Non-Executive Directors: Non-Executive Directors are responsible for overseeing systems
of governance and have a particular role in this Trust as members of the Quality
Governance Committee.
Director of Nursing, Midwifery and Quality: Accountability for risk management systems
has been delegated to the Director of Nursing, Midwifery and Quality. This includes:
• Making sure that there are effective management systems in place for the planning,
organisation, control, monitoring and review of all risks;
• Processes for the management of the Board Assurance Framework and the
committee/meeting structure for the management of risk issues.
The Medical Director: The Medical Director supports the Director of Nursing, Midwifery
and Quality with clinical risk management and the implementation and monitoring of
clinical governance activity across the Trust. Clinical risk issues will be communicated and
monitored by the designated clinical governance forum i.e. SafeCare Council.
Director of Finance and Information: The Director of Finance and Information carries
specific responsibility for financial risk management. This includes:
• Advising the Board of Directors on financial and business risk issues;
• The named Executive Director with professional responsibility for provision of an
effective Internal Audit Service;
• Providing regular, timely and accurate reporting to the Board and the regulator in
line with requirements and professional standards; and
• Enabling the Board to provide in the Trust’s annual accounts, an assurance of the
safeguarding of assets and the maintenance of proper accounting records and the
reliability of financial information.
Director of Clinical Support and Screening: The Director of Clinical Support and Screening
carries specific responsibility for non-clinical health and safety risks.
Director of Strategy and Transformation: The Director of Strategy and Transformation is
the Director with delegated responsibility for non-clinical HR risk.
Audit Committee: The Audit Committee provides independent verification on the
organisation’s systems for risk management to ensure that structures and processes for
managing key risks are in place. It performs the essential scrutiny required to ensure key
management and control systems are working effectively.
Quality Governance Committee: The Trust’s Quality Governance Committee is a Board
committee, with responsibility for clinical and non-clinical risks and patient quality issues
within the Trust, with the exception of financial risks and human resource risks. The
Committee is responsible for overseeing the on-going development, implementation and
monitoring of the Risk Management Strategy. The Committee Terms of Reference includes
full details of the Committee’s remit.
Overseeing financial risks is the responsibility of the Finance and Performance Committee,
and human resource risks are the responsibility of the Human Resources Committee.
Finance Committee: The Finance and Performance Committee is a formal committee of
the Board with delegated responsibility to monitor, review and make recommendations to
the Trust Board with regard to the detailed financial and operational performance of the
Trust. They have responsibility for management of the Financial Risk Register, and relevant
section of the Board Assurance Framework (BAF), ensuring delivery against any associated
actions and escalating key strategic risks to the Trust Board following review at the Trust’s
Risk and Safety Council.
Human Resources Committee: The Human Resources Committee is a Board Committee
with the purpose to oversee the development and implementation of the Trust’s People
Strategy which aims to maximise the contribution of staff in the delivery of the Trust’s
Strategic Plan and objectives. The Committee have oversight of all workforce risks
identified through service strategic planning, operational plans and as recorded in the
Corporate Risk Register, escalating matters of concern to the Trust Board.
Internal Audit: The internal audit function will undertake independent reviews of the
systems of internal control, using a risk based approach and report the findings to line
management and the Audit Committee.
Head of Corporate Risk: The Head of Corporate Risk supports the Chief Executive and the
Director of Nursing, Midwifery and Quality in developing a Risk Management Strategy
including all aspects of clinical and non-clinical risk management, and takes the lead in its
implementation. This includes:
• Responsibility for providing direction and guidance to Business Units and
departments in managing risk;
• Responsibility for advising the Trust Board and Committees on relevant risk
management issues and processes and implementing appropriate measures to
achieve risk reduction within the Trust;
• Attending the Quality Governance Committee, as lead for clinical risk management
and other Committees as required as lead for wider risk management;
• Coordinating the provision of risk management training as outlined within the
Trust’s Training Needs Analysis (TNA);
• Responsibility for producing quarterly reports for the Board, Quality Governance
Committee and Audit Committee covering high level risks.
• Producing the Annual Risk Management report for submission to the Board of
Directors.
• Responsibility for co-ordination and collation of the Board Assurance Framework
processes and documentation to the Board and Committees.
• Overseeing the claims management service.
Corporate Risk Manager: The Corporate Risk Manager supports the Head of Corporate Risk
in the delivery of the Risk Management Strategy, supporting operational governance and
policy compliance, risk management training, and providing support to all Trust staff with
the process of risk identification, assessment and analysis.
Legal Services Manager: The Legal Services Manager is responsible for providing an
efficient and effective claims management process in line with the requirements of NHS
Resolution and ensuring that appropriate lessons are learned and disseminated across the
Trust to improve patient safety and reduce risk.
The Patient Safety Team: The Patient Safety Team manage the Datix incident management
system, quality checking safety incidents, ensuring investigations are undertaken in a timely manner
and helping to identify learning and thematic trends. The team also support wider Datix
system management including the risk register module.
The Patient Experience Team: The Patient Experience Team proactively manages
complaints and PALS, supporting patients in the process and learning from patient
experience.
Associate Directors, Heads of Department, and Managers: The Associate Directors, Heads
of Department, and Managers are responsible for implementing risk management within
their areas and for engaging all staff in this process. They are also responsible for
making sure that members of their staff receive the necessary level of risk management
awareness/training in order to ensure that they are competent to identify, assess and
manage risk within their working environment. Furthermore they are responsible for the
development and ongoing maintenance of risks within their areas, which in turn will inform
the overall Trust-wide risk register, and for making sure that:
• There are appropriate and effective risk management processes in place and that all
staff are made aware of the risks within their work environment and of their
personal responsibilities;
• There are effective systems in place for the identification, management (control),
monitoring and review of risks (particularly in regards to Care Quality Commission
(CQC)), that risks are evaluated using the Trust’s framework for the grading of risks
and that the appropriate level of management action is initiated and completed
appropriately;
• Their staff receive the necessary information and training to enable them to work
safely and comply with appropriate Trust procedures, including incident reporting,
risk assessments, fire arrangements and all health and safety procedures;
• Non-attendance at mandatory training and other risk management training is
monitored and followed up. Non-attendees will be rebooked by OD and Training.
(See Mandatory Training Policy);
• Staff know and understand their responsibilities and duties under this Policy and
have appropriate arrangements in place to ensure that these are met; and
• Staff know and understand their responsibilities and duties under the Trust’s Health
and Safety Policy and have appropriate arrangements in place to ensure that these
are met.
All Staff: For risk management to be effective it must actively involve staff at all levels
within the organisation (i.e. ‘Board to Ward’), it must be seen as everyone’s responsibility
and not just that of any one individual or department.
Each employee has a responsibility to:
• Report incidents/accidents and near misses promptly in accordance with the Trust’s
Incident Reporting Policy. Every reported incident or near miss may be a valuable
learning opportunity;
• Provide safe standards of practice through compliance with the regulations of the
appropriate professional bodies and maintain professional and technical
competence;
• Ensure their own safety and the safety of all others who may be affected by the
Trust’s business;
• Work in accordance with all Trust policies and procedures;
• Comply with this Risk Management Policy;
• Ensure that equipment provided for the protection of safety and health is
maintained and utilised appropriately;
• Comply with emergency procedures e.g. resuscitation, evacuation and fire
precaution procedures including those pertaining to their particular Business
Unit/department locations;
• Attend induction and regular update training on risk management policies and
procedures including mandatory training; and
• Participate in risk assessments when required within their area of work and identify
any risks they feel exist.
5 Definition of Terms
A Hazard is anything that has the potential to cause injury, damage or harm.
Risk is defined as uncertainty/ possibility of loss, damage, missed opportunity, injury or
failure to achieve objectives or deliver our plans as a result of an uncertain action or event.
Risk Management is defined as ‘the systematic identification of risks within an activity,
system or process, and the implementation of actions which will minimise harm arising
from these risks’. A key aspect of risk management is learning from events, errors, or near
misses in order to reduce the risk of them recurring. Clinical risk management concentrates
on identifying and correcting risks associated with direct patient care, whilst non-clinical
risk management is associated with all other Trust activities.
Risk Identification is the process of determining what, where, when, why and how
something could happen.
Risk Assessment is the process used to evaluate a risk with regard to the impact if the risk
is realised and the likelihood of the risk being realised.
Likelihood is used to assess probability or frequency of a risk occurring. Likelihood is
expressed along a scale ranging from ‘rare’ to ‘almost certain’.
Probability is often used to express the likelihood of a specified event or outcome
occurring. This uses percentage levels to align likelihood.
Frequency is another expression of likelihood.
Impact/ Consequence refers to the outcome if a risk occurs. This can be positive or
negative.
Risk Mitigation/ Risk Treatment is the action that is/can be taken to reduce either the
likelihood or impact/consequences of a risk.
Risk Reduction refers to a reduction in the likelihood, negative consequences or both
associated with risk. This reduces the risk score.
Accepted risk refers to a risk that cannot be completely removed or eliminated but where
existing controls reduce the risk to an acceptable level.
Risk Owner is the person who is given and accepts responsibility for managing and
controlling a specific risk.
Risk Register (Datix) is a tool for recording identified risks, the results of their analysis and
evaluation, and monitoring actions and plans against them. The Risk Register is an
important component of the organisation’s risk management framework.
Risk Appetite refers to the statement of intent from the organisation about the level of risk it
is prepared to accept, tolerate, or be exposed to at any point in time.
Risk Management Strategy is the overall organisational approach to risk management as
defined by the Trust Board, which is documented and easily available throughout the
organisation.
Risk Maturity refers to the overall quality of the risk management framework.
Board Assurance Framework (BAF) refers to the processes and documentation by which
the Board are assured that key risks to organisational objectives are being managed. The
documented BAF summarises key strategic risks and supporting assurances.
6 Risk Management Approach
6.1 Overview
The Trust aims to be proactive in its approach to the management of risk and will
endeavour to identify, control and where possible eliminate the risk before
incidents of actual loss or harm have occurred. For this approach to be effective it
is recognised that there must also be:
• Ongoing risk management awareness raising;
• Involvement/participation of all staff;
• Integration of risk management into operational management;
• A live and meaningful organisation-wide Board Assurance Framework and
risk register which is populated with all types of risk e.g. financial, strategic,
clinical and non-clinical;
• Clearly communicated arrangements/designated responsibilities for risk
management;
• Training in risk assessment;
• A robust integrated incident reporting system;
• Development of risk management within a fair and just culture. The Trust’s
approach following adverse incidents will therefore focus on “what went
wrong not who went wrong”;
• Sound clinical practice which is evidence based and undertaken by
appropriately skilled and equipped staff in accordance with policies,
procedures and guidelines;
• Effective communication within and between Business Units, wards and
departments and also with patients, public and stakeholders;
• Safe systems of work and safe practices which are undertaken in accordance
with up-to-date policies, procedures and guidelines which are known and
understood by the staff concerned;
• Ongoing monitoring of actions/controls put in place to minimise the
organisation’s risk exposure;
• Proactive management of complaints and claims.
Effective risk management is based on a continuous cycle that involves robust
processes of hazard/risk identification, risk assessment and quantification, critical
examination and development of control measures and action planning for all types
of risk. Monitoring mechanisms are essential to ensure that actions taken as part of
the risk mitigation process are effective. Where possible and practicable, risks will be
eliminated; otherwise risks will be reduced to the lowest reasonable level whereby
the residual risk can be classified as acceptable. The overall risk management
process is shown pictorially below; there are seven major elements in the
process.
Step 1: Establish the context: When we are considering risk we determine the facts,
understand the situation and environment, considering both external and internal
factors.
Step 2: Identify risk: Identify what, why and how things can arise as the basis for
further analysis. Risk can be identified from many sources of information. These are
grouped as reactive (e.g. incidents) or proactive (risk assessments), as well as
internal (staff consultations) or external (inspections).
Steps 3 through 5: Risk Assessment: these three steps are brought together under
the heading of risk assessment as they are undertaken collectively, revisiting steps
as required.
Step 3: Analyse risk: Determining the relative importance of individual risks is a key
element of the risk management process, enabling risk control priorities to be
identified and appropriate action to be taken in response. This is achieved by:
• Assigning a level of ‘likelihood’ of a risk event occurring using the likelihood
matrix;
• Assigning a level of ‘impact’ or ‘consequence’ to the risk event using the
consequences matrix;
Step 4: Evaluate risks: Review ‘residual’ risk level against policy requirements and
risk appetite and determine whether treatment is required. Compare estimated
levels of ‘residual’ risk. This enables risks to be ranked so as to identify management
priorities.
Step 5: Treatment of risks: Risk treatment involves identifying the range of options
for controlling or treating risk, assessing those options, preparing risk treatment
plans and implementing them.
Step 6: Constant monitoring and review: Of risks, their controls, assurances, and
actions, and of the Risk Management System.
Step 7: Communicate, consult, learn and adapt: Communicate and consult widely,
including with external stakeholders as appropriate, at each stage of the risk
management process.
The Trust aims to foster an environment that also promotes innovation and service
development, which may be balanced with limited risk taking. Therefore careful
evaluation and management of risk within a framework of assurance is an essential
component to balanced risk management which supports development without
stifling innovation but reduces the risk of adverse outcomes which may cause harm
to patients, staff, reputation or resources. The risk management process involves
the systematic identification, analysis and treatment of all types of risk.
6.2 Identifying, Defining and Describing Risk
The Trust cannot manage its risks effectively unless we know what the risks are. Risk
identification is therefore vital to the organisational success of the Trust’s risk
management process.
Risk is the possibility of loss, damage, missed opportunity, injury or failure to achieve
objectives or deliver our plans as a result of an uncertain action or event.
It is the responsibility of all staff to be alert to risks and to report them as soon as
possible through their line management arrangements so that appropriate steps
can be taken to analyse, report and manage the identified risk.
Risk identification should take place on a continual basis, but particularly where
new activities are planned, new legislation or NHS policy requirements are
identified, new strategies and plans are developed, or where incidents or near
misses have taken place.
The following table indicates some areas from which risks may be identified.
| External Scrutiny and Inspection | Occurrences | Internal Assessments |
|---|---|---|
| External audit reports | Never Events/ Serious Incidents/ Significant Events | Board Assurance Framework |
| CQC reports/ visits | Incident and near miss reporting | Performance management |
| Reports from professional bodies | Complaints | Internal audit reports |
| Health and Safety Executive | Legal claims | Clinical audit programmes |
| Environmental Health reports | Patient satisfaction measures | Risk Assessments (work place or clinical) |
| Monitor reports | Employee satisfaction measures | Networking – use of media reports and information from other Trusts |
| Coroner’s reports | Sickness and absence records | Fraud & Corruption |
| NICE Guidance/Guidelines | Staff turnover | Other self-assessment tools (including self-assessment against CQC standards) |
| Commissioner feedback | Levels of agency utilisation | Inspections |
| NHS Improvement oversight | Whistle-blowing | Equality Analysis |
| Healthwatch | Inquests | Specialisms, e.g. information governance, infection control, health and safety, manual handling |
(Note – this list is by no means exhaustive)
Proactive risk identification should be carried out throughout the Trust at all levels,
for example:
• Strategic objectives are cascaded into Business Unit and Directorate led
strategies and service plans, and risks to the achievement of these identified
and assessed.
• Multidisciplinary teams delivering clinical services carry out risk
identification and assessment of clinical activities as well as identifying and
reporting risks, act upon local risk assessments and consider any risks for the
Risk Register.
• Risk management specialists e.g. health and safety, security, fire, counter
fraud, clinical safety, carry out risk identification specific to their area of
expertise.
• Service/department teams identify and assess risks to patients, staff or
visitors within the service/department environment.
• Clinical risk assessments are carried out with individual patients/service
users using clinical risk assessment tools and care plans are developed
accordingly.
• Project management teams carry out risk assessments throughout a project,
maintain project risk logs, and assess both during and at the end of the
project any risks as to their suitability for the Risk Register.
Incident and near miss reporting, whistle blowing, complaints, claims, PALS contacts
and the outcomes of external reviews are sources of reactive risk identification.
Local Risk Assessments
Health and safety risk assessment should be documented on the appropriate Risk
Assessment Form in accordance with the Health and Safety Policy. Guidance is also
outlined in the ‘Risk Assessment Guidance’ located on the Health and Safety portal
of the Trust Intranet. Risk assessments that identify poorly controlled risks should
be considered for entry onto the risk register via the Datix risk register module.
Each Business Unit/department has an identified person responsible for managing
the process for undertaking risk assessments. Depending on the type and source of
risk, not all risks will be documented on the Trust risk assessment form. For
example, a service or business risk may be entered directly onto the risk register,
with appropriate documentation, records and action plans held within the system.
Copies of any ward/departmental risk assessments will be sent from the
ward/departmental manager to the area’s designated risk assessment lead as
identified.
All existing risk assessments must be reviewed every two years, after any relevant
accident or incident, or whenever there has been a significant change to the activity
covered by the risk assessment.
All risk assessments undertaken in accordance with the individual policies as per
patient/staff needs must be documented on the risk assessment tools provided
within those individual policies.
All staff are responsible for ensuring that individual risk assessments to promote
staff and patient safety are undertaken in accordance with relevant policies.
Defining and Describing Risk
How a risk is defined is an important factor, both to ensure a shared understanding
of the risk, and to aid the identification of controls, assurances and subsequent
treatment of the risk.
When describing risks, think of risk in terms of:
• The Cause of the risk; the current position, issues and underlying causes behind the risk.
• The Risk Event; what could go wrong?
• The Consequences (or impact); what could happen to patients, staff, the team, the service, or the Trust if the event occurs. How likely (what is the probability of this occurring)?
We can describe risks in the following ways;
‘As a result of an existing condition (the cause), something uncertain may occur (the risk), which would lead to an effect on objectives/impact (the consequences).’ or;
‘There is a risk that … (the risk event). This is caused by … (the cause) and would result in … leading to an impact upon … (the consequences).’
The Trust recognises that as new risks are constantly emerging, the identification of
risk needs to be an ongoing and proactive process, which involves all staff and
ensures that action is taken before incidents/actual loss or harm have occurred.
Risks may be clinical or non-clinical risks, including financial risks. This will include
contract or service level agreements in recognition that risk management
arrangements should be formalised as part of contractual obligations.
6.3 Risk Assessment - Risk Analysis:
Determining the relative importance of individual risks is a key element of the risk
management process, enabling risk control priorities to be identified and
appropriate action to be taken in response. This is achieved by:
• Assigning a level of ‘likelihood’ of a risk event occurring using the likelihood
matrix;
• Assigning a level of ‘impact’ or ‘consequence’ to the risk event using the
consequences matrix;
• The assessment is completed using a likelihood matrix (Table 1) and
consequence matrix (Table 2). While the likelihood matrix offers an option of
frequency or probability, the consequence matrix offers options based on the
type of consequence (impact) that will arise if the risk should occur.
Table 1 – Likelihood Table

| Likelihood score | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Descriptor | Rare | Unlikely | Possible | Likely | Almost certain |
| Frequency (how often might it/does it happen) | This will probably never happen/recur. Not expected to happen for years | Do not expect it to happen/recur but it is possible it may do so. Expected to occur at least annually | Might happen or recur occasionally. Expected to occur at least monthly | Will probably happen/recur but it is not a persisting issue. Expected to occur at least weekly | Will undoubtedly happen/recur, possibly frequently. Expected to occur at least daily |
| Probability | <1%. Unlikely to occur | 1-5%. Unlikely to occur | 6-20%. Reasonable chance of occurring | 21-50%. Likely to occur | >50%. More likely to occur than not |
Table 2 – Consequence Score
Consequence score (severity levels) and examples of descriptors, listed by consequence type. Scores: 1 Negligible, 2 Minor, 3 Moderate, 4 Severe, 5 Catastrophic.

Impact on the safety of patients, staff or public (physical/psychological harm)
• 1 (Negligible): Minimal injury requiring no/minimal intervention or treatment; No time off work
• 2 (Minor): Minor injury or illness, requiring minor intervention; Requiring time off work for >3 days; Increase in length of hospital stay by 1-3 days
• 3 (Moderate): Moderate injury requiring professional intervention; Requiring time off work for 4-14 days; Increase in length of hospital stay by 4-15 days; RIDDOR/agency reportable incident; An event which impacts on a small number of patients
• 4 (Severe): Major injury leading to long-term incapacity/disability; Requiring time off work for >14 days; Increase in length of hospital stay by >15 days; Mismanagement of patient care with long-term effects
• 5 (Catastrophic): Incident leading to death; Multiple permanent injuries or irreversible health effects; An event which impacts on a large number of patients

Quality/complaints/audit
• 1 (Negligible): Peripheral element of treatment or service suboptimal; Informal complaint/inquiry; Service delivery is not materially affected
• 2 (Minor): Overall treatment or service suboptimal; Formal complaint (stage 1) / Local resolution; Single failure to meet internal standards; Minor implications for patient safety if unresolved / Reduced performance rating if unresolved; Some inconvenience/difficulty in operational performance of a particular service area
• 3 (Moderate): Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2) complaint; Local resolution (with potential to go to independent review); Repeated failure to meet internal standards; Major patient safety implications if findings are not acted on; Operational performance of a particular service area is affected to the extent that revised planning is required to overcome difficulties
• 4 (Severe): Non-compliance with national standards with significant risk to patients if unresolved; Multiple complaints/independent review; Low performance rating; Critical report; Operational performance of a particular service area is severely affected
• 5 (Catastrophic): Totally unacceptable level or quality of treatment/service; Gross failure of patient safety if findings not acted on; Inquest/ombudsman inquiry; Gross failure to meet national standards; Operational performance is compromised to the extent that the organisation is unable to meet its obligations in core activity areas
Human resources/organisational development/staffing/competence
• 1 (Negligible): Short-term low staffing level that temporarily reduces service quality (< 1 day)
• 2 (Minor): Low staffing level that reduces the service quality
• 3 (Moderate): Late delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>1 day); Low staff morale; Poor staff attendance for mandatory/key training
• 4 (Severe): Uncertain delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>5 days); Loss of key staff; Very low staff morale; No staff attending mandatory/key training
• 5 (Catastrophic): Non-delivery of key objective/service due to lack of staff; Ongoing unsafe staffing levels or competence; Loss of several key staff; No staff attending mandatory training / key training on an ongoing basis

Statutory duty/inspections
• 1 (Negligible): No or minimal impact or breach of guidance/statutory duty
• 2 (Minor): Breach of statutory legislation; Reduced performance rating if unresolved
• 3 (Moderate): Single breach in statutory duty; Challenging external recommendations/improvement notice
• 4 (Severe): Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report
• 5 (Catastrophic): Multiple breaches in statutory duty; Prosecution; Complete systems change required; Zero performance rating; Severely critical report

Adverse publicity/reputation
• 1 (Negligible): Rumours; Potential for public concern
• 2 (Minor): Local media coverage – short-term reduction in public confidence; Elements of public expectation not being met
• 3 (Moderate): Local media coverage – long-term reduction in public confidence
• 4 (Severe): National media coverage with <3 days service well below reasonable public expectation
• 5 (Catastrophic): National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House); Total loss of public confidence

Business objectives/projects
• 1 (Negligible): Insignificant cost increase/schedule slippage
• 2 (Minor): <5 per cent over project budget; Schedule slippage
• 3 (Moderate): 5–10 per cent over project budget; Schedule slippage; late delivery of key target
• 4 (Severe): Non-compliance with national; 10–25 per cent over project budget; Schedule slippage; Key objectives not met; Partial delivery of key targets
• 5 (Catastrophic): Incident leading >25 per cent over project budget; Schedule slippage; Key objectives not met; Non-delivery of key targets
Finance including claims
• 1 (Negligible): Small loss (less than 0.1% of budget); Risk of claim remote
• 2 (Minor): Loss of 0.1–0.25 per cent of budget; Claim less than £10,000
• 3 (Moderate): Loss of 0.25–0.5 per cent of budget; Claim(s) between £10,000 and £100,000
• 4 (Severe): Uncertain delivery of key objective/Loss of 0.5–1.0 per cent of budget; Claim(s) between £100,000 and £1 million; Purchasers failing to pay on time
• 5 (Catastrophic): Non-delivery of key objective/Loss of >1 per cent of budget; Failure to meet specification/slippage; Loss of contract / payment by results; Claim(s) >£1 million

Service/business interruption / Environmental impact
• 1 (Negligible): Loss/interruption of >1 hour; No impact on ability to meet internal and external reporting requirements even though a particular service area is affected; Minimal or no impact on the environment
• 2 (Minor): Loss/interruption of >8 hours; Inability to meet a specific reporting requirement; Minor impact on environment
• 3 (Moderate): Loss/interruption of >1 day; Difficulty in complying with key reporting requirements; Moderate impact on environment
• 4 (Severe): Loss/interruption of >1 week; Unable to comply with the majority of reporting requirements; Major impact on environment
• 5 (Catastrophic): Permanent loss of service or facility; Unable to access any service user or corporate information; Catastrophic impact on environment
The two numerical assessment scores are then multiplied to give a risk rating and
level of risk as shown in table 3.
Table 3 – Risk Scoring and Levels
The Trust’s risk assessment matrix is therefore as follows:

| Likelihood \ Severity of Impact/Consequence | 1 Negligible | 2 Minor | 3 Moderate | 4 Severe | 5 Catastrophic |
|---|---|---|---|---|---|
| 5 Almost certain | 5 Low | 10 Moderate | 15 High | 20 High | 25 High |
| 4 Likely | 4 Low | 8 Moderate | 12 Moderate | 16 High | 20 High |
| 3 Possible | 3 Very Low | 6 Low | 9 Moderate | 12 Moderate | 15 High |
| 2 Unlikely | 2 Very Low | 4 Low | 6 Low | 8 Moderate | 10 Moderate |
| 1 Rare | 1 Very Low | 2 Very Low | 3 Very Low | 4 Low | 5 Low |

We undertake assessment of risk at three stages:
• Inherent risk (initial or gross risk) is an assessment of the risk prior to
considering any controls in place.
• Current risk is an assessment of the risk after identification of controls,
assurances, and gaps in control or assurance, hence reflecting how these
controls reduce either the likelihood or impact of the risk.
• Target risk (residual risk) is an assessment of the anticipated risk score
following the successful implementation of identified actions to create
additional controls. This is undertaken where the residual risk score reflects
that further controls are needed, and these are identified in the form of
actions. The target risk score enables managers to fully understand the
impact of the actions to be taken, as well as whether these actions alone will
reduce (mitigate) the risk to an acceptable level.
The assessment undertaken is the same at each stage, enabling consistency
and demonstration as to how well risks are being managed by current
controls.
6.4 Risk Assessment - Risk Evaluation
The level of ‘current’ risk will indicate whether additional treatment/ mitigation is
required. The ‘current’ risk level also enables risks to be ranked so as to identify
management priorities.
All risks with a current score that results in a classification of Moderate or High will
require a supporting action plan that describes the activities and actions being
taken to mitigate the risk.
Current risks with a level of low may be required to have action plans in place to
further mitigate the risk. Very low current risks do not usually need any further
action.
Although action should always be taken to reduce risks where this involves
measures that are clearly proportionate in relation to the risk, actions should not
always be taken just because there is a level of risk. Applying this often requires the
use of common sense and judgment, rather than a formal cost-benefit analysis.
However, some risks will remain above the minimal level even after being mitigated
in this way. Such risks may be deemed acceptable provided:
• The risk is maintained at a level which is both ‘as low as reasonably
practicable’ and acceptably low in absolute terms;
• The risk and the control measures are communicated to staff / management
/service users;
• The risk, and control mechanisms, are reviewed regularly;
• It does not exceed the Trust’s risk appetite (it is accepted by the Board,
Committee or sub-group);
• It does not lead the Trust to breach its terms of authorisation.
• If a risk requires further mitigation, the scale and urgency of the risk treatment
should be determined based on the level (score) and immediacy (how soon it could
occur) of the risk.
• The level of risk the controls are managing is important in considering the type and
frequency of assurances required to be fully assured that the systems and
process continue to work effectively to mitigate the risk. The Trust will use
this information to inform the internal audit and clinical audit plans, as well
as management reviews.
6.5 Risk Assessment - Treatment of Risk
Risk treatment involves identifying the range of options for controlling or treating
risk, assessing those options, preparing risk treatment plans and implementing
them. The options available for the treatment of risks include:
• Tolerate (accept) the risk - if, after controls are put in place, the remaining
risk is deemed acceptable to the organisation, the risk can be retained. The
process for recording and updating risks provides an option to ‘accept’ the
risk, this reflects that although a level of risk remains, even if this is high, the
risk is being managed and accepted at the current risk level. This may be the
case where the risk is inherent to the service provided, and although all
controls are in place to manage and mitigate the risk as it arises, the risk of
reoccurrence, and resulting possible outcomes, remains. In such instances
assurance should be sought on a regular basis that the key controls remain
effective, incidents of occurrence reviewed, and the risk updated to reflect
assurances and gaps in assurance.
• Treat the risk:
   • Reduce the likelihood of the risk occurring – for example using:
     preventative maintenance, market assessment, relationship management,
     audit and compliance programs, supervision, policies and procedures,
     testing, investment, training of staff, technical controls and quality
     assurance.
   • Reduce the consequences of the risk occurring – for example using:
     insurance, financial reserves, contingency planning, disaster recovery &
     business continuity plans, off-site back-up, public relations, emergency
     procedures and staff training.
• Transfer the risk - this involves another party bearing or sharing some part
of the risk by the use of contracts, insurance, outsourcing, joint ventures or
partnerships.
• Terminate (avoid) the risk - decide not to proceed with the activity likely to
generate the risk, where this is practical.
Where further actions are required to avoid, eliminate or reduce the risk,
these risks should be considered for entry onto the risk register via the Datix
risk register module. Actions must be clearly defined to ensure that risk
treatment is devised and progressive risk reduction is achieved.
Action Plans
In each case where further action is required to control a risk an action plan
should be formulated. This will record the further controls required to
reduce the risk to a level which is as low as is reasonably practicable, a
named person responsible for taking the action, the estimated cost (where
appropriate) associated with the action and the date by which the action
should be completed. Action plans must be reviewed regularly to ensure
that all appropriate actions have been taken.
Action plans must include a description of ‘SMART’ actions; include interim
actions already taken as well as those planned that will reduce the risk prior
to the final action identified.
SMART = Specific, Measurable, Agreed upon, Realistic, Time-based
Responsibility relates to the individual, management team, group or
committee responsible for the action.
Cost is an estimated total cost of implementing the identified actions, where
this can be calculated.
Completion dates of actions should be realistic and achievable. Where these
take a longer period of time, the actions should be broken down so that
progress can be demonstrated.
The strategic planning and capital allocation processes are linked to the risk
assessment process. Business Units, Specialties and Departments are
required to risk assess and support all bids to demonstrate that the
allocation of funding will reduce or remove a risk on the risk register.
6.6 Monitoring and Review
Risk review
All risks on the risk register require regular review by the risk owner, as well as
wider review by peers within department, service and Business Unit/ Directorate
meetings. The former enables the risk to be kept up to date, and controls and
actions to be updated and monitored, while the latter enables wider review and
input into the risk detail, wider agreement on risk scoring levels, wider input into
actions, including wider support in unblocking issues to enable and ensure risks can
be successfully mitigated.
Risk Review Timescales

| Current Risk Level | Frequency | Who |
|---|---|---|
| 12 and above | Monthly | Risk owner |
| 12 and above | Determined locally but at least bi-monthly | Department/service meetings; Business Unit/Directorate meetings |
| 8 to 10 | At least bi-monthly | Risk owner |
| 8 to 10 | Determined locally but at least 6 monthly | Department/service meetings; Business Unit/Directorate meetings |
| Up to 6 | At least 6 monthly | Risk owner |

Authority for Managing Risk/ Risk Escalation
Authority for Managing Risk
Whilst all staff within the Trust have some responsibility for risk management,
where a risk cannot be dealt with at a specific level there must be a mechanism in
place for escalation to the next level for a decision to be made.
The responsibility for managing an identified risk rests with the individual who has
identified it unless, and until, that risk is accepted by another.
In line with the principles of the Business Unit/ departmental management system
within Gateshead Health NHS Foundation Trust, responsibility for the
management/control and funding of a particular risk rests with the Business
Unit/department concerned.
However, where action to control a particular risk falls outside the
control/responsibility of that Business Unit/department or requires significant
financial investment, or the risk is ‘significant’ and simply cannot be dealt with at
that level, such issues will be referred to the appropriate committee e.g. Health and
Safety Committee, Risk and Safety Council, Quality Governance Committee, Finance
Committee or Senior Management Team/Board of Directors as appropriate.
In respect of risks, it will be the responsibility of individual Business
Units/departments to decide what level of risk is ‘acceptable’. In respect of Trust-
wide level risks (15 and above), it will be the responsibility of the Chief Executive, as
Accountable Officer, who has overall responsibility for ensuring the effective
management of risk, supported by the directors.
Risk Escalation and Risk Registers
Once on Datix a risk will be reflected as part of wider risk register reporting. As such
an individual service or department risk will form part of your service or
department register, but also the wider register for the Business Unit or
Directorate, as well as showing on collated Trust-wide registers depending on the
current risk score.
The Associate Directors/Directors/departmental leads, or their deputies will
present their Business Unit/ Directorate risk registers on a six monthly basis as part
of a rolling programme to the Risk and Safety Council. Financial and Human
Resources risks will also be reviewed by the Finance and Performance Committee/
Human Resources Committee.
Risks scoring 15 or above will be collated and presented as a Trust-wide Risk
Register to the Quality Governance Committee and the Trust Board on a quarterly
basis.
Risks identified as impacting directly on the achievement of the Trust’s strategic
objectives are also reflected in the Board Assurance Framework (BAF).
Risk Registers
Risk registers are used as tools to assist the Trust to understand its comprehensive
and complex risk profile and aid decision-making and resource prioritisation. Risk
registers provide information on the systematic, effective and efficient
management of risks, providing reassurance that the organisation’s objectives are
being delivered. In combination with the Board Assurance Framework, risk registers
can assist in identifying that appropriate management arrangements are in place to
address risks at all levels. The risk register process ensures that all key topics
highlighted are subject to the appropriate level of scrutiny, frequent review and a
continual process for the effective management of risk.
The Business Unit/service/department (or Directorate/department) level risk
register acts as a repository for all specific risk information relating to their
department using the comprehensive risk identification process outlined. Business
Unit/service/department specific risk registers continue to be developed for all
areas.
The Datix risk register module is a comprehensive electronic management system
that captures all relevant information including the description of the risk; risk score
including initial risk score; current risk and target risk score; actions to formulate a
summary risk treatment plan and review dates. Actions identified to manage and
reduce risks should be agreed and entered into the actions module of the Datix
System Risk Register within the corresponding risk. Actions should be timed, with a
person identified as responsible for completing the action.
Associate Directors/ Directors and ‘operational leads’ are responsible for ensuring
that Business Unit/Directorate risk registers are updated, and risk ratings are
amended to reflect ongoing risk assessment and treatment. Where appropriate,
corresponding action plans that are reviewed regularly via the same route as the
risk register should support the risk registers. Review of the risk register should
include the identification and addition of new risks to the register. This should
include the systematic consideration of internal, external, proactive and reactive
methods as described above.

| Risk Register | Reviewed at Committee/Meeting | Frequency |
|---|---|---|
| Service/department risk register (all within scope) | Service/Departmental meeting | Determined locally but at least bi-monthly |
| Business Unit/Directorate Risk Register (12 and above) | Business Unit/Directorate Meeting | Determined locally but at least bi-monthly |
| Business Unit/Directorate Risk Register (8-10) | Business Unit/Directorate Meeting | Determined locally but at least 6 monthly |
| Business Unit/Directorate risk register (12 and above) | Risk and Safety Council | Bi-Annually |
| Trust-wide Risk Register (15 and above) | Quality Governance Committee/Trust Board | Quarterly |

6.7 Communicate, Consult, Learn and Adapt
To address risk we will communicate and consult widely, including with external
stakeholders as appropriate, at each stage of the risk management process. Risks
will emerge that have cross functional or cross Business Unit impacts or relevance
and as such should be shared and discussed in wider groups. This will be partly
facilitated through the Risk and Safety Council meetings, where a Trust-wide
representation from all areas enables wider discussion and consideration of risks
and controls in use, but will also be facilitated through a number of meetings across
the Trust, including various Committee sub groups and working groups.
To ensure learning and appropriate adaptation occurs in order to minimise
recurrence of risks across the organisation, cross Directorate and Business Unit
analysis will be undertaken. This will enable similar and cross cutting risks to be
grouped and shared, enabling learning and adaptation of controls or actions.
Risks may also emerge as a result of partnership/ joint working crossing
organisational boundaries. In such cases it is important that all organisations
involved are aware of the risk, and understand and accept responsibility for controls
and actions.
Where a risk has been identified in one area of the Trust but has the potential to
occur elsewhere, lessons learnt will be widely shared. The Trust will have in place a
range of mechanisms to support this sharing of information (If the risk identified
impacts on another Business Unit/department the risk will need to be
communicated to the other department.)
6.8 The Board Assurance Framework
All NHS Trusts are required to use a Board Assurance Framework, as this has been
proven good practice for many years in both healthcare and a range of other high-
risk organisations. It is a “live” document that changes over time, and in particular it
picks up all the controls that we have in place to manage and minimise the principal
risks we’ve identified and points towards concise and comprehensive evidence that
the controls are working. It also provides a structure to support the evidence for the
Annual Governance Statement.
The Board Assurance Framework documents the Trust’s high level risks to achieving
our strategic objectives, bringing together the assurances that effective controls are
in place and actions are being completed. The required assurances reflected in the
document also inform the Board and Committee agendas, ensuring that key
assurances are provided to the Board in a timely manner.
The risks reflected within the Board Assurance Framework also form part of the
Trust’s Risk Registers. The difference between the two in terms of their presentation
to the Board is that the Trust-wide (15+) Risk Register is there to provide the Board
with an overview of the highest risks that the Trust is managing, while the Board
Assurance Framework document is there to provide a summary of the assurances
(they have or will receive) that risks to the achievement of the objectives are being
successfully managed and mitigated.
The risk register is based on ‘bottom-up’ risk assessment, i.e. risks identified by
Departments and Business Units which are normally operational in nature.
However, the Board Assurance Framework is based on a ‘top down’ assessment,
where strategic objectives are risk assessed, followed by associated strategies and
plans.
The Board Committees support the identification and review of assurance on the
Board Assurance Framework, and the Audit Committee will also provide
overarching scrutiny regarding the risk management processes in the Trust with
particular reference to the Board Assurance Framework and the Trust-wide Risk
Register.
7 Training
In order to ensure that staff possess sufficient awareness of risk management and are
competent to identify, assess and manage risk within their working environment, risk
awareness/assessment training will be made available to all staff as part of the Risk
Management Training Programme. This is linked to the Trust Training Needs Analysis and
is reflected in the Staff Development Prospectus. There will be ongoing review of Risk
Management Training in the form of a regular training needs analysis to assist with the
development of training and to provide appropriate education to a body of competent
persons who are available to give advice and support where necessary.
Specific risk management awareness training sessions on national and local risk
management will be developed as necessary based on an ongoing review of national and
local risk management issues which will affect the roles and responsibilities of Executive,
Non-executive and Associate Directors.
Managers with responsibility for the management of staff (and ultimately Associate
Directors/Heads of Department) will be responsible for ensuring that an assessment of the
risk management training needs of their staff is undertaken and that staff have access to
and are able to attend relevant training. In respect of new staff, information on risk
management including information on incident reporting is included in the general
induction arrangements for all staff.
8 Equality and Diversity
The Trust is committed to ensuring that, as far as is reasonably practicable, the way we
provide services to the public and the way we treat staff reflects their individual needs and
does not unlawfully discriminate against individuals or groups on the grounds of any
protected characteristic (Equality Act 2010). This policy aims to uphold the right of all staff
to be treated fairly and consistently and adopts a human rights approach. This policy has
been appropriately assessed.
9 Monitoring Compliance with this Policy
Ongoing monitoring will be reflected in the reports to Risk and Safety Council, whereas an
annual overview will be provided within the Risk Management Annual Report. The
information reported will be based on compliance with the Risk Management Policy, risk
management process and use of the risk registers.

Monitoring and Audit

| Standard/process/issue | Method | By | Committee | Frequency |
|---|---|---|---|---|
| Risk review and management - cyclic Business Unit/Directorate review process | Identification and monitoring of KPIs, Risk movement and current position report | Corporate Risk Manager and local Lead(s) | Risk & Safety Council | Bi-monthly meetings – twice a year for each Business Unit/Directorate |
| Overall Trust adherence to policy and management of risk | In year monitoring and Report | Head of Risk Management / corporate Risk Manager | Risk & Safety Council | Annual |
| Independent review of compliance | Audit & subsequent report | Internal Audit | Risk & Safety Council, Quality Governance Committee, Audit Committee | Annual |

An action plan will be produced if necessary to address where improvements should be
made. Review of the action plan will be overseen by the Risk and Safety Council.
Information will be shared with other Committee and groups as appropriate.
10 Consultation and Review of this policy
This Policy will be reviewed in October 2018 or sooner should the need arise. All members
of the Risk & Safety Council have been consulted in relation to this policy.
11 Implementation of this policy
The Risk Management Policy and supporting guidance will be made available to all staff via
the Trust Intranet, as well as being made available to stakeholders and the public via the
Trust website. Risk management training will reflect the policy, and any amendments to
the Policy will be communicated as and when they occur.
12 References
Australian/New Zealand Risk Management Standard AS/NZS 4360:1999
NHS Litigation Authority, Risk Management Standards 2013-14
National Patient Safety Agency, Risk Assessment Matrix, March 2007
13 Associated Documentation
The above represents the Trust’s Risk Management Policy and does not provide detailed
information on the management of a specific area of risk or risk topic. It is recommended,
therefore, that this document be read in conjunction with the Risk Management Strategy,
and the suite of risk management, operational and clinical policies and procedures which
can be found on the Trust intranet, some of which are referenced below.
RM02 - Health & Safety Policy
RM03 - Incident Reporting and Investigation Policy
RM06 - Manual Handling Policy
RM08 - Control of Substance Hazardous to Health
RM10 – Violence at Work Policy
RM11 - Security Policy
RM21 - Complaints and Concerns Policy
RM23 - Claims Management Policy
RM30 – Procurement, management and Use of Medical Devices Policy
RM49 - Being Open and Duty of Candour Policy
RM50 – Slips, Trips and Falls Policy
RM51 – Learning from Experience Policy
RM59 – Policy on the use of Bed Rails
RM66 – Business Continuity Planning Policy
RM79 – Fire Safety Policy
OP06 – IT and Information Security Policy
OP89 – Emergency Preparedness and Response (EPRR) Policy
OP93 – Reviewing and Learning from Deaths
PP35 – Freedom to Speak Up – Raising Concerns Policy
The above is not an exhaustive list but represents key documents which outline
arrangements and processes which complement the approach outlined in this Policy.
14 Intranet Information
The Risk Management intranet pages include additional information and guidance to
support this policy. This includes two downloadable A5 booklets;
• Risk Management Guide
• Risk Assessment Guide
Intranet risk management pages can be found here.