
Risk Management Strategy

Document Profile Box

Document Reference: Q.S.S.D 2003

Version: 0008

Ratified by: Trust Board

Date ratified: 27th March 2008

Name of originator/author: Alan Gallagher

Name of responsible committee/individual Governance and Risk Committee

Date issued:

Review date: April 2015

Target audience: All staff

Document owner: Alan Gallagher

Authorised signatory:


Contents

1 Introduction
2 Aims
3 Strategic Intentions and Objectives
4 Target Audience, Communication and Implementation
5 Definitions of Risk
6 What is Risk
7 What is Risk Management
8 Risk Appetite
9 Risk Appetite Statement
10 Risk Maturity
11 Risk Identification
12 Risk Management Processes
13 Acceptable Risk
Risk Management Overview Flowchart
14 Process
15 Assurance Framework Process
16 Risk Registers
17 Monitoring Effectiveness
18 Who is responsible for Risk Management
19 Review
20 Consultation, Approval and Ratification
21 Review and Revision Arrangements Including Version Control
22 Dissemination and Implementation
23 Document Control Including Archiving Arrangements
24 Associated Policies/Procedures
25 Equality and Diversity Statement

Appendices
Appendix A Risk Matrix Guide Consequence and Likelihood Scores
Appendix B Risk Appetite Matrix for NHS Organisations
Appendix C Risk Management and Organisational Controls Framework
Appendix D Version Control Sheet

North East Ambulance Service NHS Foundation Trust Risk Management Strategy

Ref: Q.S.S.D.2003 Version: 0008 Status: Draft Issue Date: April 2014 Page -2-


1 Introduction

The North East Ambulance Service NHS Foundation Trust is committed to the provision of high quality care in a setting that puts the safety of patients and staff first. However, all activities contain inherent risks. Risk Management is defined as “identifying all risks which have potentially adverse effects on the quality of care and the safety of patients, staff visitors, assessing and evaluating those risks and taking positive action to eliminate or reduce them”. The Trust therefore regards the promotion of health and safety as an integral part of Risk Management and a mutual objective for management and employees at all levels.

The Trust will meet its commitment through a system of risk management that is understood and implemented at all levels of the organisation. The Risk Management Strategy promotes the philosophy of integrated governance and requires all risk management to be systematic, robust and evident. This strategy requires that risk management processes are applied to business planning at all levels and that risk management issues should be communicated to key stakeholders where necessary. The strategy covers clinical, organisational and financial risk, and identifies the key management structures and processes defining objectives and responsibilities within the Trust.

The Trust has therefore embraced Enterprise Risk Management (ERM), which is a process, effected by an organisation’s board of directors, management and other personnel, applied in strategy setting and across the organisation, designed to identify potential events that may affect the organisation, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of organisational objectives.

Risk Management is not about risk elimination; it is about encouraging appropriate risk-taking, i.e. those risks that have been evaluated and which are understood as well as is possible with currently available information.

It is recognised that only through appropriate risk-taking will the Trust be able to provide healthcare services in line with our mission statement of ‘right care, right time, right place’. Successful organisations are by their nature successful risk takers and aware of their risk appetite. It is also recognised that inadequately managed risks within our services have the potential to prevent the Trust from achieving its strategic intentions and objectives and may directly or indirectly cause harm to those it cares for, employs or otherwise affects, as well as incurring loss relating to assets, finance, reputation, goodwill, partnership working or public confidence.

2 Aims

The aim of this Strategy is to document the holistic approach taken by the Trust to provide an environment which minimises risks to all its stakeholders. This will be achieved through a comprehensive system of internal controls and external controls, maximising the potential for flexibility, innovation and best practice in delivery of the Trust’s strategic objective of delivering high quality, caring services for the North East.

3 Strategic Intentions and Objectives

Patients are at the heart of everything that we do to support our mission of "right care, right place, right time". The Trust has a strong track record of delivering patient care, focussing resources to produce the most effective outcomes whilst at the leading edge of innovative service design, which has consistently led to the Trust being one of the highest performing ambulance trusts in the country.

The Trust’s vision is to make a difference by integrating our care and transport in the pursuit of equity and excellence. This means we will drive through improvements in service delivery and work to ensure all of our patients have a positive experience, not losing sight of our requirement to eliminate waste, inefficiency and unnecessary costs.


Strategic intentions:

- To lead in the provision of Emergency Care - We want to be the provider of choice for A&E services and lead through innovation, research and performance.
- To be a first rate employer - We want to ensure our staff are appropriately supported, with fair pay and flexible working conditions and a safe productive working environment.
- Be a key partner in Urgent Care reform - We want to help deliver the changes that our patients and our commissioners are asking for using our expertise and infrastructure.
- To have sound financial health - We want to maintain strong financial health that enables us to invest in new service developments, constantly taking the organisation forward.
- To transform our Patient Transport Service - We want to continue to be the provider of choice for patient transport services in the North East.
- To be well governed and accountable - We want to continue to ensure that the safety and quality of our services to patients remains our highest priority.

Specific Objectives 0-12 months

- To ensure compliance with Legal and Statutory requirements.
- To enhance the risk maturity of the Organisation over the next 12 months from Risk Managed to Risk Enabled.
- Continue to work in collaboration with the Training Department to ensure the delivery of risk management training.
- Integrate the risk management system to facilitate robust data capturing and reporting.
- Review security/health and safety provision at all sites across the Trust as part of a rolling programme.
- Continue to develop vehicle risk management/accident reduction processes.
- Provide a safe environment for all staff, patients and stakeholders.
- Implement the Corporate Health, Safety and Wellbeing Strategy and Plans.
- Reduce the number of clinical negligence and employers liability claims.
- Ensure all incidents are recorded, investigated, monitored and lessons learnt.
- Continue to embed partnership working with the 3 Police Forces.


4 Target Audience, Communication and Implementation

This strategy is intended for use by all directly employed staff, agency workers and external contractors.

The Risk Management Strategy will be communicated to all levels of the Trust. This will include copies of the Strategy being made available on all Trust sites and to all managers. The Strategy will be communicated to the wide audience of its stakeholders through existing communications mechanisms, including staff training/induction programmes, internal/external newsletters and publication on the Trust’s external Internet and internal Intranet sites. All internal and external stakeholders will be informed of its location. Under the Freedom of Information Act 2000, the Risk Management Strategy will be made available to any person making such a legally based request.

The Head of Risk and Claims will be responsible for co-ordinating the implementation of the strategy and policy. All management levels, including executive level, and staff will be expected to adopt the principles of the strategy, incorporating it into their day to day role and processes. Management will also be expected to support and encourage staff in adopting the principles of the strategy by promoting an open and fair culture and the identification of hazards through incident reporting.

Risk Management will also be a statutory component of all induction programmes delivered by the Trust. This will include members of staff at all levels within the Trust and will include familiarisation of the strategy. As a part of the Trust’s Appraisals process and the Personal Development Plan processes, staff will have specific levels of competency in relation to risk management appropriate to their specific role. Risk Management will form part of the mandatory training for all management grades within the Trust and will cover all aspects of this Strategy.

The extent of an individual’s personal contribution to the implementation of the Risk Management Strategy may include, for example:

- Reporting of Serious Incidents (SIs)
- Reviewing which may have scope for improvement
- Referring potential risk issues for review and corrective measures
- Participating in audit
- Seeking the support and/or advice of available in house expertise and/or information
- Asking to be involved
- Seeking/providing feedback for self or others
- Being aware of/finding out their own level of responsibility and contribution to risk management

By using such an approach the Trust is enabled to maximise its opportunities to develop and learn lessons because it is maximising the involvement and contribution of all concerned.


5 Definitions of Risk

Appropriate definitions in relation to risk management are important. This policy will use certain phrases within this document which are defined as follows:

Hazard: A hazard is anything with the potential to cause harm

Risk: A risk is the likelihood that a hazard will cause a specified harm to someone or something

So Far as is Reasonably Practicable: Take action to control the health and safety risks in your workplace except where the cost (in terms of time and effort as well as money) of doing so is “grossly disproportionate” to the reduction in the risk

Risk Management: The systematic identification, reduction and/or elimination of risks

Risk Appetite: The amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time

Risk Management Maturity: The level of skills, knowledge and attitudes displayed by people in the organisation, combined with the level of sophistication of risk management processes and systems in managing risk within the organisation.

Risk Matrix: The mechanism through which all risks are rated and scored

Board Assurance Framework: The documentation that provides the Trust Board with assurance(s) that the key risks associated with not achieving the Corporate objectives are being mitigated

Risk Register: The method used to record identified risks, their rating, scores, control measures and where evidence of controls can be located

High Level Risks: Risks that are rated and scored at 15 or above

Risk Treatment: Proposed control measures that may reduce the risk of an identified hazard

Residual Risk: Level of acceptable risk following implementation of risk treatment solutions

Risk Management Sub Committees/Groups: Delegated committees/groups of the Trust Board responsible for ensuring that identified risks are appropriately managed within the Trust


6 What is Risk?

Risk can be defined as the chance that something will happen that will have an adverse impact on the achievement of the Trust’s aims and objectives. In the NHS this can be further categorised as follows:

1. Direct Patient Care Risks – this includes risks relating to: standards of care, consent to treatment, working beyond competence, communication failure and delay in treatment.
2. Indirect Patient Care Risks – this includes risks relating to: security, fire, buildings, plant & equipment and waste.
3. Health & Safety Risks – this includes risks relating to: Health & Safety obligations, unsafe systems of work, Control of Substances Hazardous to Health (COSHH), failure to provide information, instruction, training & supervision, failure to provide a safe place of work and risks to health.
4. Risks of an Organisational Nature – this includes risks relating to: communication, provision of goods & services, data protection, finance & insurance, and information systems.

7 What is Risk Management?

Risk Management is concerned with ensuring that risks are recognised and their impact on the Trust is assessed in order that the appropriate resource can be channelled to minimise or eliminate any potential loss. There are five stages to risk management:

Risk Identification: What could go wrong? How could risk events happen? What would be the effect?

Risk Measurement: How often are risk events likely to happen? How much are they likely to cost? How severe would their effect be?

Risk Treatment: How can the Trust eliminate or avoid these events? If they occur how can we make them less likely and less damaging?

Risk Funding: Transferring risk with or without an ‘excess’ (NHSLA Risk Management Standard), or self insurance (i.e. retaining risk)

Monitoring Effectiveness: Measuring the effectiveness of the controls and repeating the cycle if further action is required.


8 Risk Appetite

Risk appetite is the degree of risk exposure, or potential adverse impact from an event, that the Trust is willing to accept in pursuit of its objectives. It is recognised that the pursuit of one objective may hinder the achievement of another and this will impact upon the associated risk appetite. Similarly, the relative importance of one objective against another may be influenced by external factors, such as changes in national policy or expectations of stakeholders.

The Board recognises the importance of a robust and consistent approach to determining risk appetite in order to ensure:

- The organisation’s collective appetite for risk and the reasons for it are widely known to avoid erratic or inopportune risk taking, or an overly cautious approach which may stifle growth and development
- Managers in the Trust know the levels of risks that are legitimate for them to take, as well as appropriate opportunities when they arise, in order to ensure service improvements and patient outcomes are not adversely affected.

In order to value and compare the relative merits and weaknesses of different risks, the Trust Board will determine the level of risk the organisation is willing to tolerate in different areas. This will include deciding whether the Trust will Eliminate, Reduce, Transfer or Accept a risk (as reflected in section 13.1) and what the organisation’s ‘target risk’ should be. Operating within risk tolerances provides the Trust Board with greater assurance that the organisation will remain within its risk appetite and, as a result, achieve its strategic objectives. Risk appetite will thus be quantified for each organisational risk in the first instance, with the aim of all risks having a target risk informed by risk appetite by the end of the longevity of this strategy.

The Trust Board will put systems in place to manage risks to an acceptable level within its level of tolerance. The parameters of this tolerance are set within the Risk Tolerance Matrix below, as shown in Figure 2 on page 10. In setting risk appetite levels, the Trust Board will take account of risk tolerance and opportunity risk. The Executive Management team will recommend to the Board whether to tolerate certain risks from the point at which they are identified. The Executive Directors will provide ongoing assurance to the Trust Board that existing controls are sufficient to mitigate risks above the tolerance levels, particularly where the cost of treating the risk is more than the potential benefits.

In formulating the Trust’s Risk Appetite the Board has agreed to utilise a Risk Appetite Matrix (Appendix B) which assesses the Trust’s risk appetite and complements other risk management tools. This matrix was initiated and designed by Southwark Clinical Commissioner Group and the Good Governance Institute and is now widely used by other NHS Organisations.

Risk appetite is ‘the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point of time’.

Risks therefore need to be considered in terms of both opportunities and threats and are not usually confined to money; they will invariably also impact on the capability of our organisation, its performance and its reputation. NEAS commits in its formal risk appetite statement to review this statement on an annual basis. The statement provides direction and boundaries on risk that can be accepted at various levels of the organisation, how the risk and any associated reward are to be balanced and the likely response.


9 Risk Appetite Statement

The Trust endeavours to establish a positive risk culture within the organisation, where unsafe practice (clinical, managerial, etc) is not tolerated and where every member of staff feels committed and empowered to identify and correct/escalate system weaknesses. The Trust Board is committed to ensuring a robust infrastructure is in place to manage risks from operational level to board level, and that where risks crystallise, demonstrable improvements can be put in place.

North East Ambulance Service NHS Foundation Trust’s appetite is to minimise the risk to the delivery of our mission statement of ‘right care, right place, right time’ within the Trust’s accountability and compliance frameworks whilst maximising performance within value for money frameworks.

In order to deliver safe, effective services, the Trust will encourage staff to work in collaborative partnership with each other and service users and carers to minimise risk to the greatest extent possible and promote patient safety and well-being. Additionally, the Trust seeks to minimise the harm to service users and/or staff arising from their own actions and harm to others arising from the actions of service users and/or staff.

The Trust wishes to maximise opportunities for developing and growing its business by encouraging entrepreneurial activity and by being creative and pro-active in seeking new business ventures consistent with the strategic direction set out in the Integrated Business Plan, whilst respecting and abiding by its statutory obligations.

North East Ambulance Service NHS Foundation Trust is working toward a ‘mature’ risk appetite. The Trust has no appetite for fraud and zero tolerance for regulatory breaches. The Trust may take considered risks, where the long term benefits outweigh any short term losses.

Well managed risk taking will ensure that the skills, ability and knowledge are there to support innovation and maximise opportunities to further improve services. The Trust commits to review its risk appetite statement on an annual basis and/or following any significant changes or events.

10 Risk Maturity

Figure 1 below shows a Risk Maturity scale, which shows the different levels of risk maturity that the Trust can aim to achieve as risk management becomes more embedded in the organisation.

An internal self-assessment of the Risk Maturity of the Trust indicates that NEAS is currently between ‘Risk Managed’ and ‘Risk Enabled’. It is the intention of the Trust Board to embed the risk maturity of the organisation as ‘Risk Managed’ throughout 2014, and to move towards ‘Risk Enabled’ status by 2015, depending on the prevailing appetite of the Trust Board to invest any resources required for this achievement.

The Board will review its risk maturity on an annual basis, as part of the Annual Governance Statement disclosure. The Annual internal audit of risk management will include an assessment of the risk maturity of the organisation. The Governance and Risk Committee will monitor the implementation of recommendations arising from this audit.


Figure 1: Risk Maturity Scale

Risk Maturity: Key Characteristics

Risk Naive: No formal approach developed for risk management

Risk Aware: Scattered silo based approach to risk management

Risk Defined: Strategy and policies in place and communicated. Risk appetite defined

Risk Managed: Enterprise wide approach to risk management developed and communicated

Risk Enabled: Risk management and internal control fully embedded in the operations

11 Risk Identification

The Trust operates two systems to facilitate the identification, analysis and treatment of risks:

- Pro-actively: Production of risk registers and treatment action plans at department, directorate and organisational level, with the organisational risks reported to the Board.
- Reactively: The incident reporting and investigation policy requiring all incidents to be recorded, investigated and recommendations acted upon

12 Risk Management Processes

The Trust uses the NHS Executive endorsed Australian / New Zealand Risk Management Standard – AS/NZS 4360:1999. This standard provides a generic non-prescriptive method of managing any type of risk in any organisation. The principles outlined in the standard are universal and can be applied in any healthcare risk management context whether that is financial, organisational or clinical. Figure 2 provides an overview of the risk management process documented in the standard.

Using the key stages and processes identified within AS/NZS 4360 the Trust will be able to profile identified and potential risks, develop prioritised action plans for the management of risks and evaluate the effectiveness/end results of the implemented action plans using residual risk scoring.

Risk prioritisation and action planning will take account of incident reporting, complaints, litigation/claims information, audit information and issues raised by individual directorates/departments as well as national requirements and guidance.

In addition to utilisation of the information sources referred to above, in depth risk assessments will be undertaken across the Trust when:

- New activities are introduced
- Introducing change
- Developing and/or revising systems, procedures or working practice
- Introducing new equipment and/or facilities
- Planning and managing projects
- Business planning


Management and operational structures have delegated responsibility for implementing risk management systems and controlling the risks that the Trust faces. The current dedicated risk management committees and risk management groups are shown in diagrammatic form at Appendix ‘C’. The terms of reference of these committees, which are reviewed on an annual basis, can be found on Docuviewer.

13 Acceptable Risk

Defining an acceptable level of risk is very difficult, as acceptability will vary depending on each risk and the prevailing circumstances. The North East Ambulance Service NHS Foundation Trust Board has agreed the following definition of “Acceptable Risk”.

“North East Ambulance Service NHS Foundation Trust acknowledges that no system can be “Risk Free” and defines “Acceptable Risk” as that risk which remains after rigorous assessment of equipment, work processes and procedures have been undertaken and steps have been taken, including information, instruction, training and supervision, to remove all risks so far as reasonably practicable”

Decisions about risk acceptability and appropriate risk treatment may be based on any number of criteria such as operational, technical, financial, legal, social and humanitarian. Identified risks should be formally acknowledged, quantified and addressed. Action plans and risk treatment solutions should be devised detailing proposed control measures to be implemented to address risks which it has not been possible to resolve in the first instance.


[Flowchart. Process boxes:]

Establish Context
1. Identify factors which support or impair the ability to manage risk
2. Identify the healthcare and risk management goals and objectives of the Trust
3. Define the criteria against which risk will be evaluated
4. Decide the Risk Management Structure

Identify Risks
1. What can occur?
2. Why can it occur?
3. When can it occur?
4. Who can it affect?
5. Where is the level of risk?
6. How can it occur?

Analyse Risks
1. What is the likelihood of something occurring?
2. What is the consequence or likely outcome?
3. Who could be affected and how?
4. What is the level of risk?
5. What are the existing and required controls?

Evaluate and Rank Risks
1. Compare the levels of risk against the previously identified criteria
2. Determine if the risk is to be accepted or not
3. Evaluate options for controlling/reducing risks
4. Quantify costs of actions to control/reduce risks
5. Identify actions, which reduce total cost of risk and give best value for money
6. Compare costs against benefit

Treat Risks
1. Identify the options
2. Consider and evaluate the merits and practicalities of the options
3. Select the most suitable option
4. Prepare action plans
5. Implement action plans

[Other labels in the flowchart: Assess Risk; Risk is Not Accepted; Risk is Accepted; Appropriate Risk Register; Communication and Consultation; Maximise Involvement of all Stakeholders; Monitoring, Auditing and Reviewing; Maximise Involvement and use of Internal and/or External Expertise and Support]

Figure 2 – Risk Management Overview (Adapted from AS/NZS 4360:1999 – Risk Management)


14 The Process

The following steps should be used when managing a risk:

14.1 Establish the Context

- Identify factors which support or impair the ability to manage risk
- Identify the healthcare and risk management goals and objectives of the Trust
- Define the criteria against which risk will be evaluated
- Decide the Risk Management Structure

14.2 Identify the Risks

- What can occur?
- Why can it occur?
- When can it occur?
- Who can it affect?
- Where is the level of risk?
- How can it occur?

14.3 Analyse the Identified Risks – Risk Assessment

- What is the likelihood of something occurring?
- What is the consequence or likely outcome?
- Who could be affected and how?
- What is the level of risk?
- What are the existing and required controls?

The process of risk assessment is to establish the hazards facing the Trust and the “Risk” of them occurring. Because of the degree of uncertainty associated with such a process, a methodical system is used to ensure consistency, ensuring that all activities undertaken by the Trust are identified, assessed, controlled, registered, monitored and reviewed. Risks should be assessed and quantified using 2 criteria:

1. The likelihood of occurrence
2. The consequence of impact

The Trust has adopted a systematic and common approach to quantifying risk through defining qualitative measures of likelihood of occurrence and consequence of impact (defined in Appendix A).

Once a risk has been identified, either through incident reporting or via the Risk Registers, it is measured in terms of likelihood (frequency or probability of the risk occurring) and severity (impact or magnitude of the effect of the risk event occurring).

A 5-by-5 matrix is used by the Trust to quantify risks. This allows standardisation of risk assessment across the Trust, from the risk assessment form (HS 5) to the classification of incidents. The matrix also provides a common currency, which can be used across the Trust when communicating about aspects of risk in general.

A risk matrix has been produced to help calculate the score and grade the risk in terms of severity (see figure 3).

North East Ambulance Service NHS Foundation Trust Risk Management Strategy

Ref: Q.S.S.D.2003 Version: 0008 Status: Draft Issue Date: April 2014 Page -13-


Figure 3 - Qualitative Risk Assessment Matrix – Level of Risk

Consequences | Likelihood: Rare 1 | Unlikely 2 | Possible 3 | Likely 4 | Almost Certain 5
Insignificant | 1 | 2 | 3 | 4 | 5
Minor | 2 | 4 | 6 | 8 | 10
Moderate | 3 | 6 | 9 | 12 | 15
Major | 4 | 8 | 12 | 16 | 20
Catastrophic | 5 | 10 | 15 | 20 | 25

Management Level
• Low (Green): 1 to 3 (Unit)
• Moderate (Yellow): 4 to 6 (Department)
• Significant (Orange): 8 to 12 (Organisational)
• High (Red): 15 to 25 (Organisational)

Definitions of Consequence and Likelihood are shown in Appendix A and B respectively.

Within the matrix the Trust has agreed levels of acceptable and unacceptable risk. Those risks rated at between 1 and 6 are deemed to be controlled or trivial risks (green to yellow). Those that score between 8 and 25 are deemed to be significant to high risks.

The quantification and grading of the risk also helps determine the level of authority that the management of risks can be delegated to (see figure 4 below).

Figure 4 – Risk Rating Key

Key to risk rating:
• Risk of 1 – 3 (Unit): Adequately Controlled
• Risk of 4 – 6 (Department): Adequately Controlled
• Risk of 8 – 12 (Organisational): Inadequately Controlled
• Risk of 15 – 25 (Organisational): Inadequately Controlled

Low and Moderate Risks
Where the cost in terms of time and resource to reduce the risk far outweighs the potential harm caused by a particular situation, the risk would be considered as acceptable. However, careful monitoring should still be undertaken to identify trends or precursors to more significant events.

Significant Risks
These risks should be managed or reduced within a reasonable timescale through measures such as review of work practices, training or the purchase of new equipment. These are reportable to the Trust Board in the Organisation's Risk Register.

High Risks
These risks have a serious impact on the Trust and threaten achievement of its objectives. As such they are managed at Director Level and reportable to the Trust Board in the Organisation's Risk Register.


14.4 Evaluation and Ranking Risks
• Compare the levels of risk against the previously identified criteria
• Determine if the risk is to be accepted or not
• Evaluate options for controlling/reducing risks
• Quantify costs of actions to control/reduce risks
• Identify actions which reduce total cost of risk and give best value for money
• Compare costs against benefit

Risks are prioritised according to the severity of the risk (risk score) and the existing controls in place. The key objectives of this process are:
• Develop a comprehensive, prioritised Board Assurance Framework process that includes the population, monitoring and management of the content of the Trust risk registers.
• Develop appropriate associated action plans for all uncontrolled risks.
• Develop a profile of high level risks and populate the Trust's Corporate (Organisational) risk register.
• Identify existing control measures and assess the potential for improvement, accounting for financial and practical implications.
• Identify suitable monitoring and reviewing arrangements for all identified risks to the Trust from Departmental to Trust Board level.
• Provide suitable support from the Trust's Risk and Claims Management team.

15 Board Assurance Framework Process

The Board Assurance Framework directly links the Directors' objectives with the risks the Trust faces to achieving those risks. For risks identified, the same process applies as to the treatment of any risk in the risk management process. As such the Trust recognises that the content of the Trust’s Board Assurance Framework and Corporate (Organisational) risk register must be considered as an integral part of the Trust's annual business planning process.

Each financial year the Trust’s strategic (showstopper) objectives are agreed by the Executive Team; these are then shared with the management team at a dedicated event to communicate these and identify potential risks against their achievement. This event provides an environment which facilitates the various areas of the Trust to have input into the creation of the Board Assurance Framework and Corporate (Organisational) Risk Register (see figure 5).

The Board Assurance Framework is completed by Directors at the beginning of each year and approved by the Trust Board having received assurances from the Audit Committee and Governance and Risk Committee. The Board Assurance Framework is reviewed at least annually by the Governance and Risk Committee and Audit Committee and a close out is completed at the end of the financial year, which is approved by the Trust Board.

The Trust will ensure that checks are carried out to ensure that all relevant items identified within the Trust's Board Assurance Framework and Corporate (Organisational) Risk Register have been appropriately considered and addressed within the business planning process. Senior managers of the Trust will need to take account of this need while developing their proposals for objectives, and all objectives, once agreed, will be risk assessed and control measures identified.


Each department and directorate will be responsible for ensuring that risks identified appear on the relevant risk registers so that the Trust can in turn ensure that all known key risks are utilised to inform current and future business planning.

Figure 5 – Creating and Updating the Board Assurance Framework

Flowchart boxes:
• Organisational Objectives Agreed
• Directors Individual Objectives Agreed with Chief Executive
• BAF Event to Identify Risks
• BAF and ORR Populated onto Ulysses
• Directors Quarterly Objective Review with Chief Executive
• Quarterly BAF/ORR/DRR update required
• Meeting is arranged between the Head of Risk and Claims and each Director
• Content of BAF/ORR/DRR agreed and updates undertaken by appointed person on Ulysses system
• Head of Risk and Claims attends Executive Team Meeting on a quarterly basis to present BAF and ORR updates to seek joint approval
• Content of BAF/ORR/DRR updates undertaken by appointed person on Ulysses system
• This process continues throughout the year until closure of the BAF. Once this cycle is complete then the process will commence from the initial stage to formulate the new strategic objectives and directors individual objectives
• Process to establish strategic objectives to support the Trust’s mission and vision of ‘Right Care, Right Place, Right Time’


15.1 Board Assurance Framework

The Trust will utilise the following components within their Assurance Framework process (see figure 6):
• Trust Board Assurance Framework Action Plans
• Directorate Actions Plans
• Assurance Framework Identification Process
• Corporate (Organisational) Risk Register

Figure 6 – Assurance Framework Process
[Diagram boxes: Trust Board Assurance Framework Action Plan; Directorate Action Plans; Assurance Identification Process; Assurance Framework (Key Risks Aligned to Corporate Objectives); Corporate (Organisational) Risk Register]

The Executive Team will be responsible for managing the content of the Trust's Corporate (Organisational) Risk Register. All risks populated on the Trust's Corporate (Organisational) Risk Register will be aligned to the appropriate organisational objective on the Trust's Board Assurance Framework.

All risks on the Trust's Board Assurance Framework will be assessed in terms of the provision of appropriate assurances via the Trust's assurance identification process. Any high level risk that does not provide adequate or fully compliant positive assurances will require an action plan, developed by the appropriate Directorate to demonstrate how assurance will be gained.

The Executive Team will be responsible for ensuring that those high level risks without adequate or fully compliant positive assurances have in place an appropriate Directorate action plan.

The Trust Board will be responsible for monitoring progress of the Trust's high level risks and their assurances via a Trust Board Assurance Framework. The Executive Team will be responsible for monitoring progress of the Trust's risks and their assurances, other than high risk, via Directorate action plans.


16 Risk Registers

The Trust has Risk Registers for each Directorate which detail risks within all areas of work. Each risk is assigned an owner, and as a living document, the risks are updated constantly. The highest scoring risks feed through to a single Trust Wide Organisational Risk Register with associated Treatment/Management Plans. The Organisational Risk Registers are monitored by the Executive Team and Governance and Risk Committee on a quarterly basis.

The Trust's risk registers will include as a minimum:
• Location and Management Unit: Service Name and department/directorate
• Risk Assessor: Name of the person conducting the assessment
• Risk Owner: Name of the person with overall responsibility for managing the risk
• Date: Date of conducting assessment
• Date of Review: Date assessment requires review
• Risk Reference: A unique reference for each risk identified
• Risk Description: Description of the principal risk and its possible impact upon the Trust
• Adequacy of Existing Controls: Tick boxes to identify existing controls, Adequate or Inadequate options
• Likelihood: The probability of the realisation of risk score
• Consequence: The degree to which the interests of the Trust would be harmed by the realisation of risk
• Risk Rating: The total of the sum, consequence multiplied by the Likelihood
• Trust Risk Ranking
• Risk Rating Key: The risk rating key positioned at the bottom of the risk registers with guidance on risk scores

[Diagram boxes: Corporate (Organisational) Risk Register; Directorate Risk Registers; Trust Wide Risk Register; Department Risk Registers; labels: 8+, 8+]


Designated leads will be responsible for maintaining and reviewing the Departmental Risk Registers, ensuring any required actions are undertaken and the provision of evidence or assurances. Designated leads will be responsible for maintaining and reviewing the Directorate Risk Registers, ensuring that any required actions are undertaken and the provision of evidence or assurances.

All risks scored at 8 and above will be known as ‘High Level’ risks to the Trust. All identified risks scored at 8 and above will be added to the Trust's Corporate (Organisational) Risk Register if deemed to be a risk against the corporate objectives; risks scoring 8 and above may remain on directorate and department risk registers if appropriate. In practice further consideration is given to organisational risks by the Executive Team before input onto the Organisational Risk Register. This means that risks given an initial scoring of 8 or above are not necessarily featured within the Corporate (Organisational) Risk Register.

The Executive Team will have responsibility for reviewing the Corporate (Organisational) Risk Register and making recommendations to the Governance and Risk Committee. The Governance and Risk Committee will be responsible for reviewing the Corporate (Organisational) Risk Register and making any recommendations for change or approval to the Trust Board.

The Governance and Risk Committee Report will be based on any high level risks identified that do not have positive assurances. It will be the responsibility of the nominated lead to produce an update/progress report for inclusion in the committee report. The Head of Risk and Claims will co-ordinate this process. The Governance and Risk Committee will be expected to make recommendations on actions to be taken.

The Trust Board will monitor progress against high level risks in the Trust via the Trust Board Assurance Framework. The Trust's Board Assurance Framework will be reviewed by the Trust Board, as a minimum, 4 times within any calendar year. The Trust Board will receive the Trust Corporate (Organisational) Risk Register, for review, as a minimum, on an annual basis.

The Head of Risk and Claims will provide support in conjunction with the Risk Officer/LSMS and Risk Management Systems Officer. The Head of Risk and Claims will be responsible for ensuring that the Departmental and Directorate and Corporate (Organisational) Risk Registers are co-ordinated, maintained and kept up to date.

16.1 Risk Treatment
• Eliminate - Not proceeding with activity likely to generate the risk
• Reduce - Reducing or controlling the likelihood and consequences of the occurrence
• Transfer - Arranging for another party to bear or share some part of the risk through contracts, partnerships, joint ventures etc.
• Accept - Some risks may be minimal and retention acceptable


16.2 Controlling Risk

Once a risk has been assessed and its impact upon the Trust determined, measures will be implemented to reduce the impact to a level that is as low as reasonably practicable. This may be influenced by some of the following:
• Statutory or Regulatory requirements
• Nature – Strategic, Operational, Financial or Compliance
• Stakeholder requirements and expectations
• Likelihood of occurrence and safety outcome
• Human Resources, Financial, Operational or Technological constraints
• Current controls
• Degree of acceptance for level of risk

16.3 Risk Action Plans

Risk Action Plans will be developed for all risks rated at 8 and above. These will record existing controls, implementation arrangements for the new controls together with achievement dates and estimated residual score.

It is the responsibility of the delegated officer (as defined in Figure 3) to ensure production of a risk action plan. It is the responsibility of the delegated manager (as defined in Figure 3) to review any Risk Action Plans produced, progress made and their effectiveness.

The Risk Action Plan should clearly identify the controls that are to be recommended and the resource implications of the implementation of controls, i.e. Financial, Humanitarian, Operational and Resources. There should also be clear evidence that the implementation of those controls will reduce the risk to a level that is acceptable.

The Risk Action Plan can also be provided as part of a Business Case to show evidence that risks have been considered; this is of particular importance in the case of new equipment, resources, practices and procedures.

16.4 Monitor and Review of Risks
• Monitor risk impact
• Review effectiveness of action
• Has the risk priority changed?

All risks identified and assessed will be monitored, reviewed and re-assessed on the following basis:
• Low Risk Score, 1-6, green and yellow - Reviewed at least Annually
• Moderate Risk Score, 8-12, amber - Reviewed at least Quarterly
• High Risk Score, 15-25, red - Reviewed at least Monthly

An organisational process and guide can be found via the Docuviewer system under (Risk Register Process and Guide QSSD 2017); this details the processes for identification, assessment and analysis of risk, including reporting.

The matrix will specify the department responsible, the lead person(s) or group for managing the activities and the review process. The frequency of reviews may be subject to alteration if additional information (such as incident reports, claims or complaints) indicates there is a requirement for earlier assessment and action. This will be monitored via development of a key performance indicator, which will be reported to the Governance and Risk Committee.


17 Monitoring Effectiveness

The Trust can monitor the effectiveness of its risk management controls in a number of ways:
• Annual Governance Statement (AGS) – Each year the Chief Executive, on behalf of the Trust Board, must sign a statement on the effectiveness of the systems of internal controls and detail any weaknesses identified. This is also independently verified by Internal Audit.
• DOH Care Quality Commission – The Trust is regularly reviewed by a number of external assessors each with their own set of performance and control standards against which the Trust is measured.
• Performance against Key Performance Indicators

18 Who is responsible for Risk Management?

The Chief Executive and Trust Board have overall responsibility for the Trust’s risk management programme. It is the Trust Board that endorses and resources all formalised risk management plans.

The four categories of risk described previously in section 5 are grouped into two distinct areas:
• Those that could be regarded as having direct patient care risks, managed by the activity of the Quality Committee. This Committee takes responsibility for the development of controls for meeting clinical standards and implementing clinical policies; and
• Those that possess non-clinical risks and managed by the Governance and Risk Committee, the responsibility having been delegated by the Audit Committee. This Committee is responsible for the implementation of risk management.

The Governance and Risk Committee and the Quality Committee must work in a co-ordinated way to make sure that all the areas of risk are properly managed. Both committees have strategic responsibilities: they set standards, provide risk related policies that are clear and up-to-date, and check that the Trust is meeting these standards and operating accordingly. Responsibility for meeting standards and implementing these is delegated to all staff and overseen by Trust Managers. Individuals and individual departments have certain defined responsibilities as follows.

Executive Directors

The Director of Finance is the designated Executive Director with overall responsibility for ensuring the implementation of risk management and organisational controls relating to financial risk management.

The Director of Clinical Care and Patient Safety is the designated Executive Director with overall responsibility for ensuring the implementation of risk management and organisational controls for clinical and non-clinical risk.

All Directors will have involvement in ‘amber risks’, through their Directorate Risk Registers. Red risks will be brought to the attention of the relevant director through the same mechanism and be incorporated in the Organisational Risk Register presented to the Governance and Risk Committee and Trust Board.


Executive Directors are also responsible for ensuring that:
• All staff managed within their structure are clear about their responsibilities in relation to risk
• These responsibilities are made clear within job descriptions
• Appropriate policies and strategies are in place to comply with the Trust Risk Management Strategy
• Audit programmes are undertaken.

Non-Executive Directors

Non-Executive Directors are specifically responsible for:
• Ensuring the systems for governance, risk management and internal control are effective and maintained across all the organisation’s activity;
• Ensuring the strategic goals and corporate objectives of the organisation are achieved;
• Constructively challenging and contributing to the development of risk management systems;
• One of the Non-Executive Directors is appointed as the Chair of the Governance and Risk Committee which is the Committee responsible for risk management.

Council of Governors

The Council of Governors is responsible for holding the Board of Directors to account for the performance of the Trust, including ensuring the Board of Directors acts so that the Trust does not breach the terms of its authorisation. The Trust will ensure that it supports governors in this role by proactive notification to governors of the following:
• Any issues identified by the Trust which put the Trust at risk of breaching its terms of authorisation;
• Any serious incident, media interest or similar issue which may impact upon the Trust’s reputation and which is also notified to the CQC and Monitor;
• Any Corporate risk which has the potential to impact on the achievement of the Trust’s Corporate Objectives.

Trust Managers

Regardless of the severity of the risk, Trust managers are responsible for management of day-to-day risks of all types within their management structure and budget allocation. They are charged with ensuring that risk assessments are undertaken throughout their area of responsibility on a pro-active basis and that remedial action is carried out where problems are identified. All managers can employ the following with regards to risk:
• Risk Avoidance - Avoid completely a particular risk by discontinuing the operation or activity producing the risk.
• Risk Reduction - Examine the extent to which the risks can be reduced and employ risk treatment plans.

Risk Action plans can sometimes include a financial element. Managers can act independently up to their financial budgetary limit. Managers are responsible for implementing and monitoring any identified and appropriate risk management control measures within their designated area(s) and scope of responsibility.

In situations where significant risks have been identified and where local control measures are considered to be potentially inadequate, managers are responsible for bringing these risks to the attention of the Governance and Risk Committee if local resolution has not been satisfactorily achieved. Managers are also responsible for reporting difficulties in progress to the appropriate committee. All major financial investments, however, must be agreed through the Capital Monitoring Group and the Director of Finance.


Staff Responsibilities and Non-punitive (fair blame) commitment

Management of risks is a fundamental duty of all staff and should be recognised as an integral part of good practice whatever grade or designation. All staff must ensure that identified risks are reported to their immediate line manager in order that effective controls may be considered and action taken where necessary.

All employees of the Trust have a duty under legislation to take reasonable care of their own safety and the safety of others who may be affected by Trust business. It is the duty of all employees to be familiar with the Trust Risk Management Strategy and comply with Trust rules and regulations and instructions to protect the health, safety and welfare of anyone affected by the Trust’s business. The Trust cannot condone any intentional or reckless interference with or misuse of any equipment provided for their protection, health and safety.

The Trust believes that this is best achieved through an environment of honesty and openness, where mistakes and untoward incidents are identified quickly and dealt with in a positive and responsive way.

Staff may at one time or another have concerns about what is happening at work. Usually these concerns are easily resolved. However, if those concerns are about possible unlawful conduct, financial malpractice or dangers to the public or the environment it can be difficult for staff to know what to do. Staff may be worried about raising issues or may want to keep concerns to themselves, perhaps feeling it’s none of their business, that it’s only a suspicion or they would be being disloyal to colleagues, managers or the organisation.

As a result, the Trust introduced the Policy for Raising Matters of Concern (Whistle Blowing Policy) to enable staff to raise concerns about possible unlawful conduct, financial irregularities or dangers to the public or environment at an early stage and in the right way. The Trust would rather staff raise their concerns when they are just concerns rather than wait until further problems have occurred.

Head of Risk and Claims and Risk Management Team

The Head of Risk and Claims and team co-ordinate the activities of the Trust in the management of risk, monitor the risk assessments programme and complete the following responsibilities:
• Maintenance of the Organisational Risk Register
• Maintenance of the Directorate Risk Registers
• Maintenance of the Assurance Framework for the Trust
• Development & Maintenance of the Risk Management Strategy
• Policy development for Risk Management
• Development and maintenance of the Risk Management System and software
• With the Health and Safety Adviser and the respective Divisional / Department Manager, draws up risk treatment plans based upon the findings within the Risk Registers
• Reports the risks deemed to be not adequately controlled within the Organisational Risk Register to the Governance and Risk Committee

Health and Safety Adviser

The Health and Safety Advisors manage the regular reporting mechanisms concerned with maintaining a ‘safe’ internal working environment.
• Co-ordinates the risk assessments programme in compliance with Regulation 3 of the ‘Management of Health and Safety at Work Regulations 1999’.
• Maintains a central generic risk register and assessment documentation
• Distributes completed risk assessments to all relevant locations in conjunction with the NEAS Quality Department
• Monitors the effectiveness of the agreed risk treatment plans
• Periodically reviews the risk assessments

Chief Internal Auditor

The Chief Internal Auditor is responsible for verifying the accuracy of the Statement on Internal Controls.


19 Review

An annual report on Risk Management will be produced by the Risk Management Team in the first quarter following the financial year end. As the risk management process is continually evolving, this strategy will be reviewed on an annual basis and in light of the annual assessment, external assessments, changes in guidance, best practice and legislation.

20 Consultation, Approval and Ratification

20.1 Consultation Process
The Strategy has been reviewed by appropriate staff within the Risk and Claims Management Team.

20.2 Strategy Approval Process
This Strategy shall be approved by the Trust Board on an annual basis. Any amendments to the Strategy in-year will be approved at the next available Trust Board.

20.3 Ratification Process
This Strategy shall be ratified by the Trust Governance and Risk Committee.

21 Review and Revision Arrangements Including Version Control

21.1 Review and Revision Process
The Risk Management Strategy shall be reviewed at least annually by the Head of Risk and Claims. The Trust Board shall approve the Strategy thereafter. All reviews and revisions to any procedural document must be approved according to the process described in section 9 of this document.

21.2 Version Control
A Version Control sheet shall be maintained with the document. See Appendix B Version Control Sheet.

22 Dissemination and Implementation

22.1 Dissemination
Once approved, this document shall be circulated by e-mail to all managers and locations. An article will also be placed on the Pulse. The document will also be supplied to the Quality Assurance Officer to replace the previous version of the Strategy on Docuviewer.

22.2 Implementation
Implementation shall be carried out by the Head of Financial Services, the Head of Risk and Claims Manager in conjunction with Risk and Claims Management team.


23 Document Control including Archiving Arrangements 23.1 Register / Library of Procedural Documents This Strategy will be stored on the Trusts document database Docuviewer which can be accessed via the Trusts intranet. This is a secure database maintained by the Quality Assurance Officer. Documents are given a unique reference number and are only updated on the database following full ratification process.

23.2 Archiving Arrangement The Strategy shall be reviewed on an annual basis and older versions of the Strategy shall be retained by the Quality department.

Copies of previous versions of the document can be obtained on request from the Quality Assurance Officer. 24 Associated Policies/Procedures The Trust develops and maintains policies and procedures to govern the work that is undertaken and ensure that risks are minimised. All policies and procedures are given a unique number and are available for viewing on the Trusts dedicated policy system “Docuviewer”. All policies and procedures are reviewed and updated on a regular basis. Associated risk management policies and procedures can be located on “Docuviewer”. The Trust Board acknowledges its responsibility to monitor progress of this strategy and to review it on an annual basis using the results of the annual report and external assessments for reference. 25 Equality and Diversity Statement The Trust is committed to providing equality of opportunity, not only in its employment practices but also in the services for which it is responsible. As such, this document has been screened, and if necessary an Equality Impact Assessment has been carried out on this document, to identify any potential discriminatory impact. If relevant, recommendations from the assessment have been incorporated into the document and have been considered by the approving committee. The Trust also values and respects the diversity of its employees and the communities it serves. In applying this policy, the Trust will have due regard for the need to:

• Eliminate unlawful discrimination
• Promote equality of opportunity
• Provide for good relations between people of diverse groups

Signed:……………………………….. Chairman Date:………………………………..

Signed:……………………………….. Chief Executive Date:………………………………..

North East Ambulance Service NHS Foundation Trust Risk Management Strategy

Ref: Q.S.S.D.2003 Version: 0008 Status: Draft Issue Date: April 2014 Page -25-


Appendix ‘A’ - Risk Matrix - Consequence Score

| Domains | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
| --- | --- | --- | --- | --- | --- |
| Impact on the safety of patients, staff or public (physical/psychological harm) | Minimal injury requiring no/minimal intervention or treatment; No time off work | Minor injury or illness, requiring minor intervention; Requiring time off work for >3 days; Increase in length of hospital stay by 1-3 days | Moderate injury requiring professional intervention; Requiring time off work for 4-14 days; Increase in length of hospital stay by 4-15 days; RIDDOR/agency reportable incident; An event which impacts on a small number of patients | Major injury leading to long-term incapacity/disability; Requiring time off work for >14 days; Increase in length of hospital stay by >15 days; Mismanagement of patient care with long-term effects | Incident leading to death; Multiple permanent injuries or irreversible health effects; An event which impacts on a large number of patients |
| Quality/ Complaints /audit | Peripheral element of treatment or service suboptimal; Informal complaint/inquiry | Overall treatment or service suboptimal; Formal complaint (stage 1); Local resolution; Single failure to meet internal standards; Minor implications for patient safety if unresolved; Reduced performance rating if unresolved | Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2); Local resolution (with potential to go to independent review); Repeated failure to meet internal standards; Major patient safety implications if findings are not acted on | Non-compliance with national standards with significant risk to patients if unresolved; Multiple complaints/ independent review; Low performance rating; Critical report | Totally unacceptable level or quality of treatment/service; Gross failure of patient safety if findings not acted on; Inquest/ombudsman inquiry; Gross failure to meet national standards |
| Human resources/ organisational development/staffing/ competence | Short-term low staffing level that temporarily reduces service quality (< 1 day) | Low staffing level that reduces the service quality | Late delivery of key objective/ service due to lack of staff; Unsafe staffing level or competence (>1 day); Low staff morale; Poor staff attendance for mandatory/key training | Uncertain delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>5 days); Loss of key staff; Very low staff morale; No staff attending mandatory/ key training | Non-delivery of key objective/service due to lack of staff; Ongoing unsafe staffing levels or competence; Loss of several key staff; No staff attending mandatory training /key training on an ongoing basis |
| Statutory duty/ inspections | No or minimal impact or breach of guidance/ statutory duty | Breach of statutory legislation; Reduced performance rating if unresolved | Single breach in statutory duty; Challenging external recommendations/ improvement notice | Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report | Multiple breaches in statutory duty; Prosecution; Complete systems change required; Zero performance rating; Severely critical report |
| Adverse publicity/ reputation | Rumours; Potential for public concern | Local media coverage – short-term reduction in public confidence; Elements of public expectation not being met | Local media coverage – long-term reduction in public confidence | National media coverage with <3 days service well below reasonable public expectation | National media coverage with >3 days service well below reasonable public expectation; MP concerned (questions in the House); Total loss of public confidence |
| Business objectives/ projects | Insignificant cost increase/ schedule slippage | <5 per cent over project budget; Schedule slippage | 5–10 per cent over project budget; Schedule slippage | Non-compliance with national 10–25 per cent over project budget; Schedule slippage; Key objectives not met | Incident leading >25 per cent over project budget; Schedule slippage; Key objectives not met |
| Finance including claims | Small loss; Risk of claim remote | Loss of 0.1–0.25 per cent of budget; Claim less than £10,000 | Loss of 0.25–0.5 per cent of budget; Claim(s) between £10,000 and £100,000 | Uncertain delivery of key objective/Loss of 0.5–1.0 per cent of budget; Claim(s) between £100,000 and £1 million; Purchasers failing to pay on time | Non-delivery of key objective/ Loss of >1 per cent of budget; Failure to meet specification/ slippage; Loss of contract / payment by results; Claim(s) >£1 million |
| Service/ business interruption; Environmental impact | Loss/interruption of >1 hour; Minimal or no impact on the environment | Loss/interruption of >8 hours; Minor impact on environment | Loss/interruption of >1 day; Moderate impact on environment | Loss/interruption of >1 week; Major impact on environment | Permanent loss of service or facility; Catastrophic impact on environment |

Risk Matrix - Likelihood score

| Likelihood score | 1 | 2 | 3 | 4 | 5 |
| --- | --- | --- | --- | --- | --- |
| Descriptor | Rare | Unlikely | Possible | Likely | Almost certain |
| Frequency: How often might it/does it happen | This will probably never happen/recur | Do not expect it to happen/recur but it is possible it may do so | Might happen or recur occasionally | Will probably happen/recur but it is not a persisting issue | Will undoubtedly happen/recur, possibly frequently |


Appendix ‘B’ - Risk Appetite Matrix for NHS Organisations

| Risk levels | Avoid | Minimal (ALARP) (as little as reasonably possible) | Cautious | Open | Seek | Mature |
| --- | --- | --- | --- | --- | --- | --- |
| Key elements | Avoidance of risk and uncertainty is a Key Organisational objective | Preference for ultra-safe delivery options that have a low degree of inherent risk and only for limited reward potential | Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward. | Willing to consider all potential delivery options and choose while also providing an acceptable level of reward (and VfM) | Eager to be innovative and to choose options offering potentially higher business rewards (despite greater inherent risk). | Confident in setting high levels of risk appetite because controls, forward scanning and responsiveness systems are robust |
| Financial/VFM | Avoidance of financial loss is a key objective. We are only willing to accept the low cost option as VfM is the primary concern. | Only prepared to accept the possibility of very limited financial loss if essential. VfM is the primary concern. | Prepared to accept possibility of some limited financial loss. VfM still the primary concern but willing to consider other benefits or constraints. Resources generally restricted to existing commitments. | Prepared to invest for return and minimise the possibility of financial loss by managing the risks to a tolerable level. Value and benefits considered (not just cheapest price). Resources allocated in order to capitalise on opportunities | Investing for the best possible return and accept the possibility of financial loss (with controls may in place). Resources allocated without firm guarantee of return ‘investment capital’ type approach. | Consistently focussed on the best possible return for stakeholders. Resources allocated in ‘social capital’ with confidence that process is a return in itself. |
| Compliance/ regulatory | Play safe, avoid anything which could be challenged, even unsuccessfully. | Want to be very sure we would win any challenge. Similar situations elsewhere have not breached compliances. | Limited tolerance for sticking our neck out. Want to be reasonably sure we would win any challenge. | Challenge would be problematic but we are likely to win it and the gain will outweigh the adverse consequences. | Chances of losing any challenge are real and consequences would be significant. A win would be a great coup. | Consistently pushing back on regulatory burden. Front foot approach informs better regulation. |
| Innovation/ Quality/Outcomes | Defensive approach to objectives – aim to maintain or protect, rather than to create or innovate. Priority for tight management controls and oversight with limited devolved decision taking authority. General avoidance of systems/ technology developments. | Innovations always avoided unless essential or commonplace elsewhere. Decision making authority held by senior management. Only essential systems / technology developments to protect current operations. | Tendency to stick to the status quo, innovations in practice avoided unless really necessary. Decision making authority generally held by senior management. Systems/ technology developments limited to improvements to protection of current operations. | Innovation supported, with demonstration of commensurate improvements in management control. Systems / technology developments used routinely to enable operational delivery. Responsibility for non-critical decisions may be devolved. | Innovation pursued – desire to ‘break the mould’ and challenge current working practices. New technologies viewed as a key enabler of operational delivery. High levels of devolved authority – management by trust rather than tight control. | Innovation the priority – consistently ‘breaking the mould’ and challenging current working practices. Investment in new technologies as catalyst for operational delivery. Devolved authority – management by trust rather than tight control is standard practice. |
| Reputation | No tolerance for any decisions that could lead to scrutiny of, or indeed attention to, the organisation. External interest in the organisation viewed with concern. | Tolerance for risk taking limited to those events where there is no chance of any significant repercussion for the organisation. Senior management distance themselves from chance of exposure to attention. | Tolerance for risk taking limited to those events where there is little chance of any significant repercussion for the organisation should there be a failure. Mitigations in place for any undue interest. | Appetite to take decisions with potential to expose the organisation to additional scrutiny/interest. Prospective management of organisation’s reputation. | Willingness to take decisions that are likely to bring scrutiny of the organisation but where potential benefits outweigh the risks. New ideas seen as potentially enhancing reputation of organisation. | Track record and investment in communications has built confidence by public, press and politicians that organisation will take the difficult decisions for the right reasons with benefits outweighing the risks. |
| | 0 | 1 | 2 | 3 | 4 | 5 |

APPETITE: NONE, LOW, MODERATE, HIGH, SIGNIFICANT


Appendix ‘C’ - Risk Management and Organisational Control Framework

NB: All Working Groups shown below the ‘line’ form part of the Trust’s Risk Management & Organisational Controls Framework. Groups with a dotted line are task & finish groups.

[Figure: organisational chart. The labels it contains are listed below in the order they appear.]

Board and committees:
• Board
• Audit Committee
• Quality Committee
• Business Investment and Finance
• Workforce & Equality Committee
• Governance and Risk Committee

Groups:
• Vehicle Risk Management Group
• Data Quality Assurance & Records Management Group
• Policy Review Group
• Information Governance Working Group
• Emergency Planning, Resilience & Response Group
• Environmental Management Working Group
• Information Security Group
• Infection Prevention & Control
• Medical Devices Group
• ECLIPs Group
• Safeguarding Group
• R&D Group
• Root Cause Analysis Panel
• Clinical Audit Steering Group
• Clinical Advisory Group
• Medicines Management Group
• Business Investment Group
• Improvement Steering Group
• Commercial Development Group
• Organisational Development Group
• Health, Safety & Wellbeing Group
• Workforce Planning Group
• Equality and Diversity Group
• Education Governance Group
• Workforce Development Group

Other labels in the chart: Risks and Assurance; Assurance; Risk; Independent Assurance; Patient Experience; Clinical Effectiveness; Patient Safety; Risk Repository


Appendix ‘D’ - Version Control Sheet

| Version | Date | Author | Status | Comment |
| --- | --- | --- | --- | --- |
| 0001 | March 2007 | Owen Chaplin | Archive | |
| 0002 | April 2008 | Judith Hurrell | Archive | |
| 0003 | March 2009 | Judith Hurrell | Archive | |
| 0004 | March 2010 | Alan Gallagher | Archive | |
| 0005 | March 2011 | Alan Gallagher | Archive | |
| 0006 | March 2012 | Alan Gallagher | Archive | |
| 0007 | March 2013 | Alan Gallagher | Live | |
| 0008 | April 2014 | Alan Gallagher | Draft | |