Risk Management Strategy and Standard Operating Procedure
Document Status: Final
Equality Impact Assessment: Completed – No impact
Document Ratified/Approved By: Governance and Risk Committee / Governing Body
Date Issued: December 2013
Date to be reviewed: December 2014
Distribution: All Staff
Author: Debra Elliott, Senior Governance Manager, North of England Commissioning Support Unit
Version: 2
Reference No: TBC
Location: TBC
Section Content Page number
1. Introduction 3
2. Definitions 3
3. Approach to Risk Management Principles 4
4. Roles and Responsibility for Implementation 5
5. Approach to Risk Management and Assessment 7
6. Distribution and Implementation 9
7. Training Plan 9
8. Monitoring 9
9. Equality and Diversity 10
10. Associated Documents 10
Appendices
1. Further risk management definitions 11
2. Safeguard Incident Risk Management System Risk Register Standard Operating Procedure 13
3. Risk Management Strategy and Standard Operating Procedure Work Plan 36
1. Introduction
1.1 This strategy and the related risk register standard operating procedure (SOP) set out the approach and arrangements for risk management within the South Tees Clinical Commissioning Group (CCG).
1.2 The principles are consistent with those within NHS England's Risk Management Strategy and Risk Management Policy and Procedure issued in July 2013.
1.3 This strategy sets out the CCG approach to risk and the management of risk in fulfilment of its overall objectives. In addition, the adoption and embedding within the organisation of an effective risk management framework and processes will ensure that the reputation of the CCG is maintained and enhanced, and that its resources are used effectively to ensure business success, continuing financial strength and continuous quality improvement in its operating model.
1.4 As part of this strategy it is also acknowledged that not all risks can be eliminated. Ultimately it is for the organisation to decide which risks it is prepared to accept, based on the knowledge that an effective risk assessment has been carried out and the risk has been reduced to an acceptable level as a consequence of effective controls.
1.5 At its simplest, risk management is good management practice, and risk assessment provides an effective management technique for managing the organisation (through the identification of risks and the development of mitigating action). Through this strategy and SOP the CCG is keen to ensure that risk management is not seen as an end in itself, but rather as part of an overall management approach that supports the organisation in developing achievable management action plans.
2. Definitions
The strategy and SOP are based on the following definitions:
• Risk is the chance that something will happen that will have an impact on the achievement of the CCG objectives. It is measured in terms of likelihood (frequency or probability of the risk occurring) and consequence (impact or magnitude of the effect of the risk occurring).
• Risk Management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk.
• Risk Assessment is the process used to evaluate the risk and to determine whether precautions are adequate or more should be done. The risk is compared against predetermined acceptable levels of risk.
Further definitions of terms are set out in Appendix 1.
3. Approach to Risk Management: Principles, Aims and Objectives
3.1 This strategy sets out the CCG's approach to the way in which, in general terms, risks are managed. This will be achieved by having a thorough process of risk assessment in place. This will provide a useful tool for the systematic and effective management of risk and will inform and guide staff as to the way in which all significant risks are to be controlled.
3.2 The aims of the strategy are summarised as follows:
• to ensure that risks to the achievement of CCG’s objectives are understood and effectively managed;
• to maintain a risk management framework to assure the Governing Body that strategic and operational risks are being effectively managed;
• to ensure that risk management is a cohesive element of the internal control systems within the CCG’s corporate governance framework;
• to ensure that risk management is an integral part of the CCG culture and its operating systems;
• to ensure that the CCG meets its statutory obligations including those relating to health and safety and data protection, and
• to assure all stakeholders, staff and partner organisations that the CCG is committed to managing risk appropriately.
3.3 In order to achieve these aims the CCG is committed to ensuring that:
• risk management is embedded as an integral part of the management approach to the achievement of objectives;
• the management of risk is seen as a collective and individual responsibility, managed through the agreed committee and management structures;
• patient feedback, complaints and staff feedback are used as an integral part of the approach to risk management;
• risk management support, training and development will be provided by the Commissioning Support Unit governance team;
• a training needs analysis will be undertaken to identify staff members affected by the roll out of the strategy. Based on the findings of the analysis a risk management training programme will be put in place; and
• risk management guidance will be provided to all staff.
4. Roles and Responsibility for Implementation of the Risk Management Strategy and SOP
The following staff have specific responsibilities with regards to risk management:
4.1 The Chief Officer has overall responsibility for ensuring the effective implementation of this strategy and SOP.
4.2 The Chief Finance Officer is the nominated lead for co-ordination of governance and risk management throughout the CCG.
4.3 Officers (including commissioning support staff) will:
• be familiar with the main risks in their area of activity, leading the management of risks where required;
• ensure the processes for managing risk within services/teams are clearly understood by managers, appropriately delegated and effective; and
• ask for feedback from managers about risk assessments relevant to their portfolio and team(s); carry out further risk assessment to determine if the risk is common across the service/CCG teams; in conjunction with the wider team, determine the level of risk and the actions required to eliminate or control it; and report back to the team any progress and outcome in relation to the action agreed.
4.4 All staff – risk management is everyone's responsibility and all staff must be familiar with the main risks in their area of activity. All staff must work within the guidance of the Risk Register SOP; see Appendix 2 for full guidance.
4.5 The Commissioning Support Unit, working with and on behalf of the CCG, will:
• provide advice to ensure consistency in grading risks to identify the level of priority required in addressing risks;
• support staff throughout the risk assessment process as outlined in the SOP;
• support and monitor the implementation of CCG risk registers;
• collate and analyse data showing trends and patterns and generate appropriate reports as agreed within the CCG risk management portfolio; and
• support the development and reporting of the Governing Body Assurance Framework and Annual Governance Statement working closely with the Chair, lay members and other Governing Body members to ensure strategic risk is accurately reflected and managed.
4.6 The CCG has developed clear lines of accountability with defined responsibilities and objectives, the risk management reporting committees are outlined below:
• The Governance and Risk Management Committee is responsible for reviewing and providing verification on the systems in place across the CCG for governance and risk management including internal control.
• The Quality, Performance and Finance Committee is responsible for ensuring that risks to the delivery of the principles of patient safety, quality, safeguarding, performance and finance are identified, addressed and reported to the Governing Body as appropriate.
• The Audit Committee is responsible for ensuring that organisational risk management systems and processes are in place.
• The Remuneration Committee advises the Governing Body regarding appropriate remuneration and terms of service for the Accountable Officer and other senior employees.
• The Governing Body monitors high level, principal risks relating to the achievement of the strategic objectives through the Governing Body Assurance Framework.
Governance infrastructure enabling effective risk management: (diagram not reproduced; the only recoverable label reads "Supporting working groups as required")
4.7 The Governance and Risk Management Committee is chaired by the Chief Finance Officer and has overall responsibility for overseeing the implementation of this strategy and SOP. The committee will also:
• review all risks on the risk register and monitor progression of stated action on a bi-monthly basis;
• review trend analysis for all risks;
• ensure the established processes to manage risk by each team are in place and provide support for action where necessary;
• ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective; and
• escalate issues to the Governing Body as appropriate, in particular the identification of new significant risks or areas of concern for risks graded high or extreme.
4.8 The members of the Executive Group will:
• maintain awareness of the main risks facing the organisation;
• take ownership where relevant of principal (strategic) risks that pose a threat to the achievement of strategic objectives and ensure appropriate action is taken to mitigate and manage risks, ensuring regular updates to the Governing Body through contributing to the Assurance Framework;
• review all Extreme and High risks on a monthly basis;
• take or delegate ownership, where relevant, of risks that pose a threat to the achievement of objectives or the business of the CCG and ensure appropriate action is taken to mitigate and manage risks, ensuring regular updates are added to the risk register; and
• ensure the processes for managing risk within the CCG are clearly understood, appropriately delegated and effective.
4.9 Significant CCG projects/work streams require project / programme leads to ensure there are arrangements in place to develop, maintain and regularly review a project risk register to ensure effective management of risk. Red risks (graded as extreme or high) should be escalated to the CCG risk register if they are likely to impact on the CCG strategic objectives.
4.10 Assurance Framework
The CCG will produce and maintain a Governing Body Assurance Framework (AF). The AF forms part of the overall governance arrangements of the CCG and is a key component of the organisation’s internal control arrangements. The AF forms a significant part of the assurance given by the Accountable Officer in the Annual Governance Statement. It will be prepared at the start of each financial year when the CCG’s strategic objectives are known. It should be prepared with the involvement of senior leaders, reviewed by the committee with oversight for it (e.g. the Governance and Risk Committee) on a regular basis and the Audit Committee. It will also be approved and reviewed by the Governing Body at least six monthly.
5. Approach to Risk Management and Assessment
5.1 Definition of Risk
Risk is defined in section 2 above; further definitions are set out in Appendix 1.
5.2 Types of risks to be managed
Examples of the types of risk that the CCG might encounter and need to mitigate against include:
• Corporate risks – operating within powers, fulfilling statutory responsibilities and ensuring accountability;
• reputational risks – associated with quality of services, communication with customers, staff and stakeholders;
• financial risks – associated with achievement of planned surpluses, reduction in costs and revenue growth;
• environmental risks including health and safety – ensuring the well-being of staff and visitors whilst using CCG premises;
• strategic risk – a significant risk that will impact organisation-wide and not just upon a function or team; and
• operational risk – a key risk which impacts on a team's operational achievement.
5.3 Assessment of Risk
5.3.1 Whenever risks have been identified it is important to assess and record the risk so that appropriate controls are put in place to eliminate the risk or mitigate its effect. To do this a CCG risk register has been developed with an aligned risk register SOP. The SOP has been developed based on current national guidance; see Appendix 2, Safeguard Incident Risk Management System (SIRMS) South Tees CCG Risk Register SOP.
5.3.2 Use of the CCG risk register SOP by all staff will ensure that risk assessments are undertaken in a consistent manner using agreed definitions and evaluation criteria. Additionally, this will allow comparisons to be made between different risk types and decisions to be made on the resources needed to mitigate each risk.
5.3.3 Risks are assessed in terms of the likelihood of occurrence and the consequences of impact. In order to arrive at an overall risk rating of the residual risk, the risk is rated to take account of the effectiveness of the controls, i.e. whether they are considered to be satisfactory, have some weaknesses or to be weak. This then provides the overall residual risk rating. Once the residual risk rating is determined an action plan identifying further mitigating action is put in place.
5.3.4 For each risk that is not adequately controlled, an action plan to reduce or eliminate the risk is required. The implementation of the action plan and residual risk assessment must be kept under review, to assess whether planned actions have reduced or eliminated the risk as expected.
5.3.5 Any risk that is identified through the risk assessment process and which the CCG is required legally to report will be reported accordingly to the appropriate statutory body, e.g. the Health and Safety Executive or the Information Commissioner.
5.4 Risk Appetite
South Tees CCG endeavours to reduce risks to the lowest possible level that is reasonably practicable. All risks can be avoided, transferred or retained. Where risks cannot reasonably be avoided, every effort will be made to mitigate the remaining risk.
5.5 Risk Tolerance
The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risks scored as 12 or above should be escalated to a senior manager and the Governance and Risk Committee for review and monitoring and reported to the Governing Body quarterly. Low, moderate & high risks will be managed and monitored at team level, any risks of concern even if not scoring as an extreme risk can be highlighted to the Governance and Risk Committee for escalation to the Governing Body.
6. Distribution and Implementation
6.1 This strategy and risk register SOP will be made available to all staff via CCG internal communications.
6.2 Notifications of strategy and SOP changes will be shared via internal CCG communications.
6.3 Any further guidance will be provided via the CSU governance team.
7. Training Plan
7.1 Risk management training will be provided to all executive members on an annual basis.
7.2 A training needs analysis will be undertaken by the CSU Senior Governance Manager (lead for Risk Management).
7.3 Based on the findings of that analysis, a CCG risk management training plan will be developed for staff.
8. Monitoring
8.1 The Governance and Risk Committee will review the strategy and SOP annually, the Governing Body Assurance Framework on a quarterly basis and function/team risk registers on a bi-monthly basis.
8.2 Senior leads will ensure that teams review their risk registers on a monthly basis (or within individually agreed review times).
9. Equality Impact Assessment
9.1 This document has been developed in line with NHS England's commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religion or other belief, marriage or civil partnership, gender reassignment, and pregnancy and maternity) as well as to promote positive practice and value the diversity of individuals and communities.
9.2 As part of its development this document's impact on equality has been analysed and no detriment identified.
10. Associated documentation
10.1 POL - 1015 Risk Management Strategy
10.2 POL – 1000 Risk Management: Policy and Procedure
10.3 POL – 1002 Health & Safety: Policy & Corporate Procedures
10.4 POL – 1003 Incident management: Policy & Corporate Procedures
10.5 POL – Business Continuity Policy: Policy & Corporate Procedures
Appendix 1 – Definitions
Action plan: How the identified gap is to be addressed and how the risk is to be diminished.
Assurance Framework (AF): The AF is an integral part of the system of internal control and defines the significant potential risks which may impact on delivery of the organisation's priorities. It also summarises the controls and assurances that are in place, or are planned, to mitigate against them. Gaps are identified where key controls and assurances are insufficient to reduce the risk of non-delivery of objectives. This enables the governing body to develop and subsequently monitor an assurance action plan for closing the gaps.
Consequence: A numerical value from one to five (five = catastrophic) for the impact that a risk may have on the organisation or an individual; the impact may be physical, financial, reputational etc.
Control: The control of risk involves taking steps to reduce the risk from occurring, such as application of policies or procedures.
Directorate risk register: A summary of the risks identified through internal processes.
External assurance: External evidence that risks are being effectively managed (e.g. planned or received audit reviews).
Gaps in controls or assurances: Where an additional system or process is needed, or evidence of effective management of the risk is lacking.
Impact: A measure of the impact that the predicted harm, loss or damage would have on the people, property or objectives affected.
Issue: A relevant event that has happened, was not planned and requires action. It can be any concern, query or request for change.
Likelihood: A measure of the probability that the predicted harm, loss or damage will occur. This is a numerical value from one to five (five = almost certain) for the potential of the risk to be realised.
Management assurance/actions: What we are doing to manage the risk and how this is evidenced; the sources of information used to ascertain whether controls are working or not. Examples include minutes of meetings, internal or external audit reports, survey results and reports to the Executive Group.
Operational risks: A key risk that impacts on individual directorate operational achievement. Operational risks are managed locally within the directorate and are the responsibility of the appropriate Director/Senior Manager.
Risk appetite: The organisation's unique attitude towards risk taking that, in turn, dictates the amount of risk that it considers acceptable.
Residual risk: The risk remaining after the risk response has been applied.
Risk: An uncertain event or set of events that, should it occur, would have an effect on the delivery of objectives. It is measured in terms of consequence and likelihood.
Risk assessment: The process used to evaluate the risk and to determine whether precautions are adequate or more should be done to mitigate the risk. The risk is compared against predetermined acceptable levels of risk.
Risk management: The systematic application of management policies, procedures and practices to the task of identifying, analysing, assessing, treating and monitoring risk.
Risk owner: A named individual who is responsible for the management, monitoring and control of all aspects of a particular risk assigned to them.
Risk tolerance: The threshold level of risk exposure which, when exceeded, will trigger an escalation to bring the situation to the attention of a senior manager. Any risk scored as 12 or above should be escalated to a senior manager and to the Executive Group for review and monitoring.
Strategic risks: A significant risk that has the potential to impact across the organisation. These risks have been mapped to the business plan objectives and will be presented to the Governing Body in the AF.
Appendix 2
SIRMS (Safeguard Incident & Risk Management System) Standard Operating Procedure: Risk Register
NHS South Tees CCG, Version 14, Review date: 31/03/2015
V14 D.Elliott / K.Watson
Contents
General points 3
Access rights 3
Assessing risks 3
Printing reports 3
Accessing the web-based risk register 3
How to add a risk 4
Entering a risk 5
Select organisation’s risk register 5
Date added to risk register 6
Risk Source 6
Description of risk 6
Organisational risk type 7
NECS/CCG 7
Corporate objective 8
Risk Co-ordinator 8
Risk Owner and Responsible Director 8
Responsible committee 9
Initial risk rating 9
Controls and assurances 10
Action plans 11
Risk updates 12
Review details 13
Residual risk rating 13
Closing a risk 14
Risk register reports 15
Appendix 1: Risk assessment and escalation process 16
Appendix 2: Describing a risk 22
Appendix 3: New Risk Form 23
General points Users are responsible for familiarising themselves with their duties for risk management as laid out in the CCG risk management policy.
Access rights Access will only be set up for nominated staff. Security access levels will be set by the governance team as specified by your risk lead.
Assessing risks Risks should be assessed according to the ‘Risk assessment and escalation process’ procedure (Appendix 1) using the risk matrix below.
Risk matrix (risk score = likelihood × consequence):

Likelihood           Consequence:  1 Negligible   2 Minor   3 Moderate   4 Major   5 Catastrophic
5 Almost Certain                   5              10        15           20        25
4 Likely                           4              8         12           16        20
3 Possible                         3              6         9            12        15
2 Unlikely                         2              4         6            8         10
1 Rare                             1              2         3            4         5
Printing reports The system allows for both single risk reports which provide all the details logged against a single risk and also a full risk register report. The content of these reports is fixed, however it is possible for the NECS governance team to design other reports on an ad hoc basis that can be scheduled to run and be forwarded to users automatically on a periodic basis.
Accessing the web-based risk register To access SIRMS (Safeguard Incident and Risk Management System) go to https://sirms.necsu.nhs.uk
You should log into the system with the username and password you log into your computer with. If you require access to the risk register, a request should come from your nominated risk lead, to [email protected]
This document, along with other relevant risk management guidance, can be requested from Kate Watson 0191 217 2659 [email protected], Wendy Marley 0191 374 4157 [email protected] or Debra Elliott 0191 374 2749 [email protected]
How to add a new risk
Once signed in, open the Risk module and select the option to add a new risk. You will then be asked to decide whether the new risk is 'extreme' (risk score 15 to 25) or 'high, moderate, low' (risk score 01 to 12): select Extreme or Low, Mod, High risk.
Extreme risks are those rated 15 to 25 which have the potential to impact adversely on the organisation's ability to deliver its corporate (strategic) objectives.
Entering a risk
Select organisation's risk register
Select your organisation from the drop down list: this will assign the risk to the correct risk register. The first four fields select the register the risk will appear on. Please take care to select the options for YOUR organisation.
The orange fields are mandatory sections that must be completed. The risk reference number will not appear until you have saved these details. The system will assign a sequential number that should be used to identify the risk; the sequence runs across all the organisations that are using SIRMS.
To change the risk level, use the drop down option before saving. If you change it after saving, you will need to provide a reason for escalation/de-escalation. NB: changing the risk level will generate an automatic email notification to the risk owner and responsible director.
A new version must be created BEFORE existing risks are updated.
Date added to risk register
This is the date the risk is added to the risk register. The default date will always be the current date. If you wish to change this, use the drop down calendar. NB: if the date of entry differs from the date the risk was identified, do not worry, as the new risk form can be uploaded to the risk to form part of the audit trail.
Risk Source
The source of the risk identifies how you became aware of the risk, i.e. through national guidance, through a reported incident, a complaint etc.
Description of risk
The risk cause, event and effect allow you to describe the risk in detail. Take care to describe the consequence of a risk in addition to the cause. E.g. 'management of staff sickness' is not a risk, but 'failure to deliver a high quality service due to inability to manage staff sickness effectively' would be.
Organisational risk type
First select 'organisational risk type' to select the South Tees risk type. Then in 'risk type' click on the drop down arrow and select the appropriate South Tees risk type.
NECS/CCG
Choose your organisation from the drop down list and select NHS South Tees CCG. (Please note this field ties the organisation to its corporate objectives.)
Corporate objectives
From the list of corporate objectives, select which one the risk impacts on.
Risk co-ordinator
Select the risk co-ordinator for your CCG from the drop down list.
Risk owner and responsible director
Type the surname in and the relevant person will be found; please note, you have to click on the name to select them. If the name does not appear in the system please contact
Responsible committee
Select the committee that is responsible for monitoring the risk from the drop down list.
Initial risk rating
Apply the initial risk rating. This is the score that is given to the risk before controls have been applied. Either select the score from the table, or use the drop down boxes. See 'Risk assessment and escalation process' in Appendix 1. Click 'save' after completing the initial risk rating.
You will now need to save the risk before you can complete the rest of the form. If you have not completed all of the mandatory (orange) fields, you will not be able to save.
Controls and Assurances
Please enter any control measures already in place as well as any new ones that will be implemented to manage the risk. For example, in the case of a litigation risk you could list 'Claims Procedure' or 'Claims handling service provided by NECS' as part of the existing control framework. You will also need to enter the control measures that need to be in place so that you can record the gaps that need to be addressed in order to achieve the control.
To add a control choose 'New'. Complete the details, selecting the level of effectiveness of the control from the drop down box. Then go to Action plan.
Action plans
To add a new action, click 'new'. Click on the 'Action Details' tab and complete it. If you are updating actions, click on the 'Progress' tab and complete the section.
Risk Updates
NB: A new version should be created with each update in order to ensure that the movement of the risk is captured.
Risks should be reviewed and updated on a regular basis and the frequency of review should be considered when assessing the risk.
Every time an update is conducted you should make a note in this section of the date the risk was reviewed and by whom. The process should involve:
• Create a new version (either by changing the 'risk level' or clicking on 'new version').
• Enter assurance against each control measure.
• Review and update the progress on the action plan.
• Reassess and apply the residual risk score (this is the score following implementation of control measures).
• Enter the actual date of review and by whom.
1. If you know that the risk level is going to change (from 'Extreme' to 'Low, Moderate, High' or vice versa), change this first, as this will automatically create a new version number. You will need to provide an explanation for 'Escalation' or 'De-escalation', and enter the names of the Risk Owner and Responsible Director. This will generate a notification email of this action.
2. If the risk level is to remain unchanged, click on 'New Version' instead. You will need to click 'OK' to confirm creation of the new version.
Review details
Complete the sections to record when the risk was reviewed and by whom. To add review details (i.e. date of review, reviewer and details of the fields that have been updated), click 'new'. The details of the review should be a summary of what has been updated in this version: controls and assurance; action plan; review frequency; increase/decrease to the residual risk rating. This section can also highlight suggested actions, such as discussing at a committee or recommended closure of the risk, and you can use it to note if the risk is to be considered for removal.
When entering a new risk, select from the drop down list how often it is to be reviewed. The next review date will be displayed; this is dependent on the date entered when adding the review (update).
Residual risk rating
This is the consequence and likelihood score following implementation of control measures. If the risk rating has changed following review, apply the residual risk rating score. Either select the score from the table, or use the drop down boxes. See 'Risk assessment and escalation process' in Appendix 1.
Please note: changing the residual risk rating will not automatically change the risk level at the top of the screen. The risk level has to be changed manually. Remember, changing the risk level will create a new version, therefore it is best practice to change the risk level at the start of your update.
Closing a risk
In the Controls and Assurances section, click on each control measure and provide your assurance regarding the closure of the risk, and select 'Action Plan Completed Risk Removed' from the 'Effectiveness' drop down list. You should also provide progress on your action plan and provide a completion date and outcome.
Scroll to the bottom of the page and select 'Closed' from the current status options. You should then enter the date of closure and select the appropriate reason for closing the risk from the drop down list. In the Details box you should enter an explanation for the closure.
Risk register reports
To print a report click on the 'Print' icon; this will generate a PDF copy of the report. Whatever is highlighted in the report window will be the report that is generated. As the system becomes more developed, more reports will become available.
NB: Closed risks will be archived, but you can still access them by changing the filter at the top left to 'Closed'.
Appendix 1
Risk assessment and escalation process
Step 1: Determine the consequence score
This is offered as guidance when completing a risk assessment, either when an incident has occurred or when the consequence of a potential risk is being considered.
Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on a scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. The consequence will be negligible, minor, moderate, major or catastrophic.
Table 1: Consequence score
Consequence score (severity levels) and examples of descriptors. Scores: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic. For each domain the descriptors for each score are listed below.

Domain: Impact on the safety of patients, staff or public (physical/psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work.
2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days. Increase in length of hospital stay by 1–3 days.
3 Moderate: Moderate injury requiring professional intervention. Requiring time off work for 4–14 days. Increase in length of hospital stay by 4–15 days. RIDDOR/agency reportable incident. An event which impacts on a small number of patients.
4 Major: Major injury leading to long-term incapacity/disability. Requiring time off work for >14 days. Increase in length of hospital stay by >15 days. Mismanagement of patient care with long-term effects.
5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An event which impacts on a large number of patients.

Domain: Quality/complaints/audit
1 Negligible: Peripheral element of treatment or service suboptimal. Informal complaint/inquiry.
2 Minor: Overall treatment or service suboptimal. Formal complaint (stage 1). Local resolution. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved.
3 Moderate: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2). Local resolution (with potential to go to independent review). Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple complaints/independent review. Low performance rating. Critical report.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards.

Domain: Human resources/organisational development/staffing/competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (<1 day).
2 Minor: Low staffing level that reduces the service quality.
3 Moderate: Late delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>1 day). Low staff morale. Poor staff attendance for mandatory/key training.
4 Major: Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/key training.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels or competence. Loss of several key staff. No staff attending mandatory training/key training on an ongoing basis.

Domain: Statutory duty/inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty.
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
3 Moderate: Single breach in statutory duty. Challenging external recommendations/improvement notice.
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low performance rating. Critical report.
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required. Zero performance rating. Severely critical report.

Domain: Adverse publicity/reputation
1 Negligible: Rumours. Potential for public concern.
2 Minor: Local media coverage with short-term reduction in public confidence. Elements of public expectation not being met.
3 Moderate: Local media coverage with long-term reduction in public confidence.
4 Major: National media coverage with <3 days service well below reasonable public expectation.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House). Total loss of public confidence.

Domain: Business objectives/projects
1 Negligible: Insignificant cost increase/schedule slippage.
2 Minor: <5 per cent over project budget. Schedule slippage.
3 Moderate: 5–10 per cent over project budget. Schedule slippage.
4 Major: 10–25 per cent over project budget. Schedule slippage. Key objectives not met.
5 Catastrophic: >25 per cent over project budget. Schedule slippage. Key objectives not met.

Domain: Finance including claims
1 Negligible: Small loss. Risk of claim remote.
2 Minor: Loss of 0.1–0.25 per cent of budget. Claim less than £10,000.
3 Moderate: Loss of 0.25–0.5 per cent of budget. Claim(s) between £10,000 and £100,000.
4 Major: Uncertain delivery of key objective/loss of 0.5–1.0 per cent of budget. Claim(s) between £100,000 and £1 million. Purchasers failing to pay on time.
5 Catastrophic: Non-delivery of key objective/loss of >1 per cent of budget. Failure to meet specification/slippage. Loss of contract/payment by results. Claim(s) >£1 million.

Domain: Service/business interruption; environmental impact
1 Negligible: Loss/interruption of >1 hour. Minimal or no impact on the environment.
2 Minor: Loss/interruption of >8 hours. Minor impact on environment.
3 Moderate: Loss/interruption of >1 day. Moderate impact on environment.
4 Major: Loss/interruption of >1 week. Major impact on environment.
5 Catastrophic: Permanent loss of service or facility. Catastrophic impact on environment.
Step 2: Determine the likelihood score
Now determine the likelihood of the consequence occurring.
The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency. The frequency-based score will be classed as rare, unlikely, possible, likely or almost certain.
Table 2: Likelihood score (frequency: how often might it/does it happen)
1 Rare: This will probably never happen/recur.
2 Unlikely: Do not expect it to happen/recur but it is possible it may do so.
3 Possible: Might happen or recur occasionally.
4 Likely: Will probably happen/recur but it is not a persisting issue.
5 Almost certain: Will undoubtedly happen/recur, possibly frequently.
Step 3: Assigning a risk rating
Now apply the consequence and likelihood ratings to give you a risk rating for each of the risks you have identified. Calculate the risk rating by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score)
Table 3: Risk rating = consequence x likelihood (C x L)
Rows give the consequence score; columns give the likelihood score (1 Rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost certain).
Consequence        1 Rare   2 Unlikely   3 Possible   4 Likely   5 Almost certain
5 Catastrophic     5        10           15           20         25
4 Major            4        8            12           16         20
3 Moderate         3        6            9            12         15
2 Minor            2        4            6            8          10
1 Negligible       1        2            3            4          5
For grading risk, the scores obtained from the risk matrix are assigned grades as follows:
Green: 1 – 3, Low
Yellow: 4 – 6, Moderate
Amber: 8 – 12, High
Red: 15 – 25, Extreme
Step 4: Control measures
Consider the control measures that will be put into place to mitigate the risk.
Step 5: Assessing the effectiveness of the control(s)
For each of the risks (and especially extreme and high risks) identify the controls that are in place. For example, in an operational setting and where an incident may have occurred, the controls may take the form of a policy, guideline, procedure or process, etc. For risks that have been identified as preventing achievement of organisational objectives then the control is likely to be a management action plan.
Table 4: Assessing the effectiveness of control(s)
Review the control(s) for each of the risks and apply the following criteria:
Satisfactory: Controls are strong and operating properly, providing a reasonable level of assurance that objectives are being delivered.
Some Weaknesses: Some control weaknesses/inefficiencies have been identified. Although these are not considered to present a serious risk exposure, improvements are required to provide reasonable assurance that objectives will be delivered.
Weak: Controls do not meet any acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.
Step 6: Determine risk type
The risk type should be specified. In South Tees risks can be classified as:
Confidential
Step 7: Align risk to corporate objective
The risk should be aligned to the corporate objective that it will impact on:
1. Demonstrate measurable improvement in the quality and safety of services.
2. Develop primary care strategy to maximise role of primary care.
3. Develop CCG as membership organisation with active engagement and contribution of Practices.
4. Fulfil statutory obligation of delivering financial balance, surplus and QIPP.
5. Development and implementation of IMProVE.
6. Partnership working to improve health and wellbeing of patients and communities.
7. Lead the development of effective urgent care strategy across the local economy.
Step 8: Developing an action plan
An action plan must be developed for all risks, regardless of the risk rating, in order to record progress on control measures and who is responsible for carrying them out; the system is capable of generating automatic reminders to action owners.
Step 9: Determine frequency of review
The frequency of review should also be specified, as this will need to be added to the SIRMS ‘Review Details’ section by choosing the appropriate option from the drop down list.
Risk Updates
Risks should be reviewed and updated on a regular basis. Please follow the guidance below.
Before entering your update, ensure you have created a new version. This can be done in two ways:
1. If your ‘Risk Level’ has changed as a result of review, you should change the risk level to ensure it corresponds with the residual risk rating that has been applied. This will automatically create a new version.
2. If your ‘Risk Level’ remains the same following review, you should click on ‘New Version’.
Scroll down to ‘Controls and Assurances’, click on each control measure in turn and edit to enter the assurance against each control. You will also need to alter the control effectiveness accordingly. You can also enter any new controls. NB: As long as you have created a new version you can overwrite the assurance from the previous version, as this will be archived in the previous version and will provide an audit trail of progress. This ensures that only the current position is seen on the printed risk register.
Scroll down to ‘Action Plan’, add any ‘New’ actions and update any existing actions by clicking on each action in turn and editing to provide an update on progress where possible. NB: Please ensure you provide your update in the ‘Progress’ section.
Scroll down to ‘Review Details’, click on ‘New’ and enter the actual ‘Review Date’ (you can use the calendar for this). Please also enter the name of the person the risk was ‘Reviewed By’. Then, in ‘Details of Review’, describe what has been updated, e.g. controls and assurances; action plan; changes to residual risk rating. This section can also be used to highlight where (i.e. which committee) the risk will be discussed and whether closure is recommended.
Scroll down to ‘Residual Risk Rating’ and where appropriate enter/amend the residual consequence and likelihood scores. Remember, this should correspond with the ‘Risk Level’ at the top of the form.
Residual risk rating
This is the consequence and likelihood after the control measures have been applied.
Taking into account the initial risk rating and the assessment of the effectiveness of the control together, you can now assess the residual risk that needs to be managed. The consequence and likelihood ratings should be applied, as in table 3 above.
Risk Management Action Guide
Where risks have been identified and scored, the following escalation arrangements should be used. The table below provides a suggested action guide for the management of a risk (columns: Risk Rating, RAG Rating, Action, Level of Authority).
Risk rating 25 (Red)
Action: Halt activities IMMEDIATELY and review status.
Level of authority: Warrants Managing Director attention.
Risk rating 15–20 (Red)
Action: Significant probability that major harm will occur if control measures are not implemented. URGENT action required. Director may consider limiting or halting activity.
Level of authority: Warrants Director attention.
Risk rating 8–12 (Amber)
Action: Unacceptable level of risk exposure which requires constant monitoring and controls at Directorate level.
Level of authority: Warrants Director attention.
Risk rating 4–6 (Yellow)
Action: Moderate probability of moderate harm if control measures are not implemented. Action in the medium term.
Level of authority: Warrants Head of Service/Senior Lead attention.
Risk rating 1–3 (Green)
Action: The majority of control measures are in place. Harm severity is small. Action may be long term.
Level of authority: Warrants manager attention.
Appendix 2
Describing a risk
In SIRMS, there are three fields in which to describe your risk: the risk cause, event and effect. These are mandatory fields and, whilst details will be entered separately, when printed they will appear in one field on the risk register, called ‘description of risk’.
Example
Risk Cause: As a result of… (This is the trigger)
Risk Event: There is a risk that… (This is what might happen)
Risk Effect: Which will result in… (This is the impact on the achievement of objectives)
Appendix 3
NEW RISK FORM – South Tyneside CCG
Risk Register – New Risk
Risk Ref Leave blank
Date Identified
Responsible Director Name and job title
Risk Owner Name and job title
Risk Details
Delivery Area Frequency of Review Source of Risk
Description of Risk
Risk Cause
Risk Event
Risk Effect (impact)
Risk Assessment Matrix (please circle)
Likelihood score
Consequence score
1 2 3 4 5
Rare Unlikely Possible Likely Almost certain
5 Catastrophic 5 10 15 20 25
4 Major 4 8 12 16 20
3 Moderate 3 6 9 12 15
2 Minor 2 4 6 8 10
1 Negligible 1 2 3 4 5
Initial risk rating score:
(Please include the C x L scores)
Approved to add to risk register:
Yes No
Control Measures
Control Details / Effectiveness of Controls / Gaps in Control
Actions Required
Action Details / Responsibility or Lead / Target Date
Form Completed By
Name Job Title Contact Details
Completed forms should be returned to: Your Risk Co-ordinator, for approval to add to Risk Register and entry onto SIRMS.
Appendix 3 NHS South Tees CCG
Risk Management Strategy and Standard Operating Procedure (SOP) Work Plan December 2013
Each work plan item is recorded under the headings What, How, Person Responsible, By When and Resources Required.

1. What: Risk Management Strategy and SOP reviewed by Governance & Risk Committee. Once agreed, strategy and SOP to be sent to the Governing Body meeting for review and approval; once approved, to be published on the CCG website.
How: North of England Commissioning Support (NECS) governance team to arrange for the Strategy & SOP to be uploaded and for communication to go out internally across the CCG.
Person Responsible: Lead is NECS Governance Administrator working with CCG Corporate Governance Risk Officer.
By When: Within 5 working days of policy approval; publication within 5 working days of policy approval (or go live of website).
Resources Required: Staff time and commitment.

2. What: Ensure CCG and staff are aware of the new Strategy and SOP.
How: Targeted email to CCG staff; raise at team meetings.
Person Responsible: Lead is CCG Corporate Governance Risk Officer.
By When: Within 5 working days of policy approval.
Resources Required: Staff time and commitment.

3. What: Risk management training needs analysis to be undertaken and risk management training developed for review at Governance and Risk Committee.
How: Baseline review of CCG risk management training to date to be undertaken. Outcome: baseline review to be analysed, training plan drafted and finalised for CCG review and internal comment.
Person Responsible: Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer.
By When: February 2014 G&R Committee meeting.
Resources Required: Staff time and commitment.

4. What: Risk register management and review.
How: All CCG risks to be subject to peer review and internal scrutiny. Outcome: all risks on the CCG risk register will be live, well defined, have an agreed risk score and review target date, and be aligned to a CCG strategic objective.
Person Responsible: All relevant CCG staff. Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer.
By When: Twice a year, January & July.
Resources Required: Staff time and commitment.

5. What: CCG risk management maturity assessment.
How: CCG Risk Management Maturity Assessment to be developed and undertaken. Outcome: CCG Risk Management Maturity Assessment Report to be prepared and presented to G&R Committee. The report would include results of the assessment, findings and future recommendations to support enhanced risk management across the CCG.
Person Responsible: All relevant CCG staff. Lead is NECS Senior Governance Manager working with CCG Corporate Governance Risk Officer.
By When: June 2014.
Resources Required: Staff time and commitment.

6. What: Governing Body (GB) Assurance Framework (AF) review and update.
How: CCG AF to be reviewed in line with principal objectives & risks, reviewing current controls and assurances.
Person Responsible: All relevant CCG staff. Lead is CCG Corporate Governance Risk Officer with support from NECS Senior Governance Manager.
By When: February 2014.
Resources Required: Staff time and commitment.