Version 1 – Aug.10

SUPPORTING PAPER (ACTION REPORT) BOARD OF DIRECTORS’ MEETING Date of meeting:

Tuesday, 29th May 2012

Title of paper:

Risk Management Strategy

Presented by:

Head of Risk and Claims

Executive Summary:

The Board receives the Risk Management Strategy on an annual basis; the document is the base for all of the Trust’s risk management process and is a key document for assurance purposes. This version contains a number of revisions which are shown in red text for ease of reference.

Recommendations/and or actions required:

The Board is requested to review and ratify the content of the updated Strategy for 2012/2013.

Consultation and/or PPI involvement process (inc with staff): In line with NHS Constitution

Policy Review Group

Joint Consultative Committee

Governance and Risk Committee

Risks attached to this project/initiative:

Inadequate consideration of the document will impact on the quality standards and NHSLA, the lack of current strategy is a direct breach of the various standards listed.

Resources Required: None

Legal issues:

There are no specific legal issues arising from the document.

Equality Impact Screening:

Yes

CQC Essential Standards of Quality & Safety:

VALUES

Involvement and Information

Personalised care, treatment and support

Safeguarding and safety

Suitability of staffing

Quality and management

Suitability of management

Co

mm

itte

d,

Pro

fessio

nal

&

Acco

un

tab

le

Sh

ap

ing

th

e f

utu

re

Sh

ow

ing

we c

are

Wo

rkin

g t

og

eth

er

Deli

veri

ng

co

ns

iste

ntl

y

What NEAS strategic intention does this paper support:

STRATEGIC INTENTIONS

To lead in the provision of emergency care To be a key partner in urgent care reform To transform our patient transport services To be a first-rate employer To have sound financial health To be well governed and accountable

Author: Alan Gallagher

Date: 18th May 2012

Risk Management Strategy

Document Profile Box

Document Reference: Q.S.S.D 2003

Version: 0006

Ratified by: Trust Board

Date ratified: 27th March 2008

Name of originator/author: Alan Gallagher

Name of responsible committee/individual Governance and Risk Committee

Date issued:

Review date: March 2013

Target audience: All staff

Document owner: Alan Gallagher

Authorised signatory:

Contents

Section Page

1 Introduction 3

2 Aims 3

3 Strategic Intentions and Objectives 3

4 Target Audience, Communication and Implementation 4

5 Definitions of Risk 6

6 What is Risk 7

7 What is Risk Management 7

8 Risk Identification 7

9 Risk Management Processes 8

10 Acceptable Risk 8

Risk Management Overview Flowchart 9

11 Process 10

12 Assurance Framework Process 12

13 Risk Registers 15

14 Monitoring Effectiveness 18

15 Who is responsible for Risk Management 18

16 Review 21

17 Consultation, Approval and Ratification 21

18 Review and Revision Arrangements Including Version Control 21

19 Dissemination and Implementation 21

20 Document Control Including Archiving Arrangements 22

21 Associated Policies/Procedures 22

22 Equality and Diversity Statement 22

Appendices

Appendix A Risk Matrix Guide Consequence and Likelihood Scores 23

Appendix B Risk Register Example 25

Appendix C Risk Action Plan Example 27

Appendix D Risk Management and Organisational Controls Framework 29

Appendix E Version Control Sheet 31

1 Introduction

The North East Ambulance Service NHS Foundation Trust is committed to the provision of high quality care in a setting that puts the safety of patients and staff first. However all activities contain inherent risks. Risk Management is defined as “identifying all risks which have potentially adverse effects on the quality of care and the safety of patients, staff visitors, assessing and evaluating those risks and taking positive action to eliminate or reduce them”. The Trust therefore regards the promotion of health and safety as an integral part of Risk Management and a mutual objective for management and employees at all levels. The Trust will meet it’s commitment through a system of risk management that is understood and implemented at all levels of the organisation. The Risk Management Strategy promotes the philosophy of integrated governance and requires all risk management to be systematic, robust and evident. This strategy requires that risk management processes are applied to business planning at all levels and that risk management issues should be communicated to key stakeholders where necessary. The strategy covers clinical, organisational and financial risk, and identifies the key management structures and processes defining objectives and responsibilities within the Trust. The Trust has a requirement for a Board approved Risk Management Strategy and policies which are outlined in the NHS Litigation Authority Risk Management (NHSLA) document “Risk Management Standards for Ambulance Trusts”.

2 Aims

The aim of this Strategy is to document the holistic approach taken by the Trust to provide an environment which minimises risks to all its stakeholders. This will be achieved through a comprehensive system of internal controls, maximising the potential for flexibility, innovation and best practice in delivery of the Trust’s strategic objective of delivering high quality, caring services for the North East.

3 Strategic Intentions and Objectives Patients are at the heart of everything that we do to support our mission of "right care, right place, right time". The Trust has a strong track record of delivering high quality patient care, focussing resources to produce the most effective outcomes. Whilst at the leading edge of innovative service design which has consistently led to the Trust being one of the highest performing ambulance trusts in the country. The Trust’s vision is to make a difference by integrating our care and transport in the pursuit of equity and excellence. This means we will drive through improvements in service delivery and work to ensure all of our patients have a positive experience, not losing sight of our requirement to eliminate waste, inefficiency and unnecessary costs. Strategic intentions:

To lead in the provision of Emergency Care - We want to be the provider of choice for A&E services and lead through innovation, research and performance.

To be a first rate employer - We want to ensure our staff are appropriately supported, with

fair pay and flexible working conditions and a safe productive working environment.

Be a key partner in Urgent Care reform - We want to help deliver the changes that our patients and our commissioners are asking for using our expertise and infrastructure.

To have sound financial health - We want to maintain strong financial health that enables

us to invest in new service developments, constantly taking the organisation forward.

To transform our Patient Transport Service - We want to continue to be the provider of choice for patient transport services in the North East.

To be well governed and accountable - We want to continue to ensure that the safety and

quality of our services to patients remains our highest priority. Specific Objectives 0-12 months

To maintain level 1 and work towards level 2 compliance with the NHSLA Risk Management Standards for Ambulance Services.

To ensure compliance with Care Quality Commission Outcomes.

Continue to work in collaboration with the Training Department to ensure the delivery of risk management training.

Integrate the risk management system to facilitate robust data capturing and reporting.

Review security/health and safety provision at all sites across the Trust as part of a rolling

programme.

Continue to develop vehicle risk management/accident reduction processes.

Provide a safe environment for all staff, patients and stakeholders.

Implement the Corporate Health and Safety Plan.

Reduce the number of clinical negligence and employers liability claims.

Ensure all incidents are recorded, investigated, monitored and lessons learnt.

4 Target Audience, Communication and Implementation This strategy is intended for use by all directly employed staff, agency workers and external contractors.

The Risk Management Strategy will be communicated to all levels of the Trust. This will include copies of the Strategy being made available on all Trust sites and to all managers. The Strategy will be communicated to the wide audience of its stakeholders through existing communications mechanisms, including staff training/induction programmes, internal/external newsletters and publication on the Trusts external Internet and internal Intranet sites. All internal and external stakeholders will be informed of its location.

Under the Freedom of Information Act 2000, the Risk Management Strategy will be made available to any person making such a legally based request. The Head of Risk and Claims will be responsible for co-ordinating the implementation of the strategy and policy. All management levels including executive level and staff will be expected to adopt the principles of the strategy, incorporating it into their day to day role and processes. Management will also be expected to support and encourage staff in adopting the principles of the strategy by promoting an open and fair culture and the identification of hazards through incident reporting

Risk Management will also be a statutory component of all induction programmes delivered by the Trust. This will include members of staff at all levels within the Trust and will include familiarisation of the strategy. As a part of the Trust’s Appraisals process and the Personal Development Plan processes, staff will have specific levels of competency in relation to risk management appropriate to their specific role. Risk Management will form part of the mandatory training for all management grades within the Trust and will cover all aspects of this Strategy. The extent of an individual’s personal contribution to the implementation of the Risk Management Strategy may include, for example:

Reporting of Seroius Incidents (SIs) Reviewing which may have scope for improvement Referring potential risk issues for review and corrective measures Participating in audit Seeking the support and/or advice of available in house expertise and/or infromation Asking to be involved Seeking/providing feedback for self or others Being aware of/finding out their own level of responsibility and contribution to risk

management By using such an approach the Trust is enabled to maximise its opportunities to develop and learn lessons because it is maximising the involvement and contribution of all concerned.

5 Definitions of Risk Appropriate definitions in relation to risk management are important. This policy will use certain phrases within this document which are defined as follows:

Hazard A hazard is anything with the potential to cause harm

Risk A risk is the likelihood that a hazard will cause a specified harm to someone or something

So Far as is Reasonably Practicable

Take action to control the health and safety risks in your workplace except where the cost (in terms of time and effort as well as money) of doing so is “grossly disproportionate” to the reduction in the risk

Risk Management The systematic identification, reduction an/or elimination of risks

It is important to note on some occasions, identified risks can not always be controlled but are accepted and formally recorded as risks by the organisation (see Residual Risks)

Risk Matrix The mechanism through which all risks are rated and scored

Board Assurance Framework The documentation that provides the Trust Board with assurance(s) that the key risks associated with not achieving the Corporate objectives are being mitigated

Risk Register The method used to record identified risks, their rating, scores, control measures and where evidence of controls can be located

High Level Risks Risks that are rated and scored at 15 or above

Risk Treatment Proposed control measures that may reduce the risk of an identified hazard

Residual Risk Level of acceptable risk following implementation of risk treatment solutions

Risk Review Matrix A 12 month overview of monthly risk management identification, assessment and analysis processes utilised by the Trust

Risk Management Calendar A 12 month overview of monthly risk management activities carried out by the Trust

Risk Management Sub Committees/Groups

Delegated committees/groups of theTrust Board responsible for ensuring that identified risks are appropriately managed within the Trust

6 What is Risk?

Risk can be defined as the chance that something will happen that will have an adverse impact on the achievement of the Trusts aims and objectives. In the NHS this can be further categorised as follows

1. Direct Patient Care Risks – this includes risks relating to: standards of care, consent to treatment, working beyond competence, communication failure and delay in treatment.

2. Indirect Patient Care Risks – this includes risks relating to: security, fire, buildings, plant &

equipment and waste. 3. Health & Safety Risks – this includes risks relating to: Health & Safety obligations, unsafe

systems of work, Control of Substances Hazardous to Health (COSHH), failure to provide information, instruction, training & supervision, failure to provide a safe place of work and risks to health.

4. Risks of an Organisational Nature – this includes risks relating to: communication, provision of

goods & services, data protection, finance & insurance, and information systems.

7 What is Risk Management?

Risk Management is concerned with ensuring that risks are recognised and their impact on the Trust is assessed in order that the appropriate resource can be channelled to minimise or eliminate any potential loss. There are five stages to risk management:

Risk Identification What could go wrong? How could risk events happen? What would be the effect?

Risk Measurement How often are risk events likely to happen?

How much are they likely to cost? How severe would their effect be?

Risk Treatment How can the Trust eliminate or avoid these events?

If they occur how can we make them less likely and less damaging?

Risk Funding Transferring risk with or without an ’excess’ (NHSLA

Risk Management Standard), or self insurance (i.e. retaining risk)

Monitoring Effectiveness Measuring the effectiveness of the controls and repeating the cycle if further action is required?

8 Risk Identification

The Trust operates two systems to facilitate the identification, analysis and treatment of risks:-

Pro-actively: - Production of risk registers and treatment action plans at department,

directorate and organisational level, with the organisational risks reported to the Board.

Reactively: - The incident reporting and investigation policy requiring all incidents to be

recorded, investigated and recommendations acted upon

9 Risk Management Processes The Trust uses the NHS Executive endorsed Australian / New Zealand Risk Management Standard – AS/NZS 4360:1999. This standard provides a generic non-prescriptive method of managing any type of risk in any organisation. The principles outlined in the standard are universal and can be applied in any healthcare risk management context whether that is financial, organisational or clinical. Figure 1 provides an overview of the risk management process documented in the standard.

Using the key stages and processes identified within AS/NZS:4360 the Trust will be able to profile identified and potential risks, develop prioritised action plans for the management of risks and evaluate the effectiveness/end results of the implemented action plans using residual risk scoring. Risk Prioritisation and action planning will take account of incident reporting, complaints, litigation/ claims information, audit information and issues raised by individual directorates/departments as well as national requirements and guidance. In addition to utilisation of the information sources referred to above, in depth risk assessments will be undertaken across the Trust when:

New activities are introduced Introducing change Developing and/or revising systems, procedures or working practice Introducing new equipment and/or facilities Planning and managing projects Business planning

Management and operational structures have delegated responsibility for implementing risk management systems and control the risks that the Trust faces. The current dedicated risk management committees and risk management groups are shown in diagrammatic form at Appendix ‘D’. The terms of reference of these committees, which are reviewed on an annual basis can be found on Docuviewer. 10 Acceptable Risk Defining what an acceptable level of risk is very difficult, as acceptability will vary depending on each risk and the prevailing circumstances. The North East Ambulance Service NHS Foundation Trust Board has agreed the following definition of “Acceptable Risk”. “North East Ambulance Service NHS Foundation Trust acknowledges that no system can be “Risk Free” and defines “Acceptable Risk” as that risk which remains after rigorous assessment of equipment, work processes and procedures have been undertaken and steps have been taken, including information, instruction, training and supervision, to remove all risks so far as reasonably practicable” Decisions about risk acceptability and appropriate risk treatment may be based on any number of criterions such as operational, technical, financial, legal, social and humanitarian. Identified risks should be formally acknowledged, quantified and addressed. Action plans and risk treatment solutions should be devised detailing proposed control measures to be implemented to address risks which it has not been possible to resolve in the first instance.

Asse

ss R

isk

Establish Context 1. Identify factors which support or impair the ability to manage risk 2. Identify the healthcare and risk management goals and objectives of the Trust 3. Define the criteria against which risk will be evaluated 4. Decide the Risk Management Structure

Identify Risks 1. What can occur? 2. Why can it occur? 3. When can it occur? 4. Who can it affect? 5. Where is the level of risk? 6. How can it occur?

Evaluate and Rank Risks 1. Compare the levels of risk against the previously identified criteria 2. Determine if the risk is to be accepted or not 3. Evaluate options for controlling/reducing risks 4. Quantify costs of actions to control/reduce risks 5. Identify actions, which reduce total cost of risk and give best value for money 6. Compare costs against benefit

Treat Risks 1. Identify the options 2. Consider and evaluate the merits and practicalities of the options 3. Select the most suitable option 4. Prepare action plans 5. Implement action plans

Co

mm

un

icati

on

an

d C

on

su

lta

tio

n

Ma

xim

ise I

nvolv

em

ent of all

Sta

kehold

ers

M

on

itorin

g, A

ud

iting

an

d R

evie

win

g

Ma

xim

ise In

volv

em

ent a

nd u

se o

f Inte

rnal a

nd/o

r Exte

rnal E

xpertis

e a

nd

Support

Risk is Not

Accepted

Risk is

Accepted

Ap

pro

pria

te R

isk R

eg

iste

r

Analyse Risks 1. What is the likelihood of something occurring? 2. What is the consequence or likely outcome? 3. Who could be affected and how? 4. What is the level of risk? 5. What are the existing and required controls?

Figure 1 – Risk Management Overview (Adapted from AS/NZS 4360:1999 – Risk Management)

11 The Process

The following steps should be used when managing a risk: 11.1 Establish the Context

Identify factors which support or impair the ability to manage risk Identify the healthcare and risk management goals and objectives of the Trust Define the criteria against which risk will be evaluated Decide the Risk Management Structure

11.2 Identify the Risks

What can occur? Why can it occur? When can it occur? Who can it affect? Where is the level of risk? How can it occur?

11.3 Analyse the Identified Risks – Risk Assessment

What is the likelihood of something occurring? What is the consequence or likely outcome? Who could be affected and how? What is the level of risk? What are the existing and required controls?

The process of risk assessment is to establish the hazards facing the Trust and the “Risk” of them occurring. Because of the degree of uncertainty associated with such a process, a methodical system is used to ensure consistency, ensuring that all activities undertaken by the Trust are identified, assessed, controlled, registered, monitored and reviewed. Risks should be assessed and quantified using 2 criterions:

1. The likelihood of occurrence 2. The consequence of impact

The Trust has adopted a systematic and common approach to quantifying risk through defining qualitative measures of likelihood of occurrence and consequence of impact (defined in Appendix 4) Once a risk has been identified, either through incident reporting or via the Risk Registers, it is measured in terms of likelihood (frequency or probability of the risk occurring) and severity (impact or magnitude of the effect of the risk event occurring). A 5-by-5 matrix is used by the Trust to quantify risks. This allows standardisation of risk assessment across the Trust, from the risk assessment form (HS 5) to the classification of incidents. The matrix also provides a common currency, which can be used across the Trust when communicating about aspects of risk in general A risk matrix has been produced to help calculate the score and grade the risk in terms of severity (see figure 2) Figure 2 - Qualitative Risk Assessment Matrix – Level of Risk

Likelihood C

on

se

qu

en

ces

Rare 1

Unlikely 2

Possible 3

Likely 4

Almost Certain 5

Insignificant 1 2 3 4 5

Minor 2 4 6 8 10

Moderate 3 6 9 12 15

Major 4 8 12 16 20

Catastrophic 5 10 15 20 25

Management Level

Low (Green)

1 to 3 (Unit)

Moderate (Yellow) 4 to 6 (Department)

Significant (Orange) 8 to 12 (Organisational)

High (Red) 15 to 25 (Organisational)

Definitions of Consequence and Likelihood and shown in Appendix A and B respectively. Within the matrix the Trust has agreed levels of acceptable and unacceptable risk. Those risks rated at between 1 and 6 are deemed to be controlled or trivial risks (green to yellow). Those that score between 8 and 25 are deemed to be significant to high risks The quantification and grading of the risk also helps determine the level of authority that the management of risks can be delegated to (see figure 3 below).

Figure 3 – Risk Rating Key

Key to risk rating:

Risk of 1 - 3 (Unit) Adequately Controlled Risk of 4 – 6 (Department)

Risk of 8 – 12 (Organisational) Inadequately Controlled Risk of 15 – 25 (Organisational)

Low and Moderate Risks Where the cost in terms of time and resource to reduce the risk far outweigh the potential harm caused by a particular situation, the risk would be considered as acceptable. However careful monitoring should still be undertaken to identify trends or pre-cursers to more significant events. Significant Risks These risks should be managed or reduced within a reasonable timescale through measures such as review of work practices, training or the purchase of new equipment. These are reportable to the Trust Board in the Organisations Risk Register High Risks These risks have a serious impact on the Trust and threaten achievement of its objectives. As such they are managed at Director Level and reportable to the Trust Board in the Organisations Risk Register. 11.4 Evaluation and Ranking Risks

Compare the levels of risk against the previously identified criteria

Determine if the risk is to be accepted or not Evaluate options for controlling/reducing risks Quantify costs of actions to control/reduce risks Identify actions, which reduce total cost of risk and give best value for money Compare costs against benefit

Risks are prioritised according to the severity of the risk (risk score) and the existing controls in place. The key objectives of this process are:

Develop a comprehensive, prioritised Board Assurance Framework process that includes the population, monitoring and management of the content of the Trust risk registers.

Develop appropriate associated action plans for all uncontrolled risks

Develop a profile of high level risks and populate the Trusts Corporate (Organisational)

risk register. Identify existing control measures and assess the potential for improvement, according

for financial and practical implications.

Identify suitable monitoring and reviewing arrangements for all identified risks to the Trust from Departmental to Trust Board level.

Provide suitable support from the Trusts Risk and Claims Management team.

12 Board Assurance Framework Process The Board Assurance Framework directly links the Directors objectives with the risks the Trust faces to achieving those risks. For risks identified, the same process applies as to the treatment of any risk in the risk management process. As such the Trust recognises that the content of the Trust’s Board Assurance Framework and Corporate (Organisational) risk register must be considered as an integral part of the Trusts annual business planning process. Each financial year the Trust’s strategic (showstopper) objectives are agreed by the Executive Team, these are then shared with the management team at a dedicated event to communicate these and identify potential risks against their achievement. This event provides an environment which facilitates the various areas of the Trust to have input into the creation of the Board Assurance Framework and Corporate (Organisational) Risk Register (see figure 4) The Board Assurance Framework is completed by Directors at the beginning of each year and approved by the Trust Board having received assurances from the Audit Committee and Governance and Risk Committee. The Board Assurance Framework is reviewed at least annually by the Governance and Risk Committee and Audit Committee and a close out is completed at the end of the financial year, which is approved by the Trust Board. The Trust will ensure that checks are carried out to ensure that all relevant items identified within the Trusts Board Assurance Framework and Corporate (Organisational) Risk Register have been appropriately considered and addressed within the business planning process. Senior managers of the Trust will need to take account of this need while developing their proposals for objectives and all objectives, once agreed, will be risk assessed and control measures identified. Each department and directorate will be responsible for ensuring that risks identified appear on the relevant risk registers so that the Trust can in turn ensure that all known key risks are utilised to inform current and future business planning.

12.1 Board Assurance Framework

Organisational Objectives Agreed

Directors Individual Objectives Agreed

with Chief Executive

BAF Event to Identify Risks

BAF and ORR Populated onto

Ulysses

Directors Quarterly Objective Review

with Chief Executive

Quarterly BAF/ORR/DRR update required

Meeting is arranged between the Head of Risk and Claims and

each Director

Content of BAF/ORR/DRR

agreed and updates undertaken by

appointed person on Ulysses system

Head of Risk and Claims attends

Executive Team Meeting on a

quarterly basis to present BAF and ORR updates to

seek joint approval

Content of BAF/ORR/DRR

updates undertaken by appointed person on Ulysses system

This process continues throughout the year until closure of the BAF. Once this

cycle is complete then the process will commence from the

initial stage to formulate the new strategic objectives

and directors individual objectives

Process to establish strategic objectives to

support the Trust’s mission and vision of

‘Right Care, Right Place, Right Time’

Figure 4 – Creating and Updating the Board Assurance Framework

The Trust will utilise the following components within their Assurance Framework process: (see figure 4)

Trust Board Assurance Framework Action Plans Directorate Actions Plans Assurance Framework Identification Process Corporate (Organisational) Risk Register

Figure 4 – Assurance Framework Process

The Executive Team will be responsible for managing the content of the Trusts Corporate (Organisational) Risk Register.

All risks populated on the Trusts Corporate (Organisational) Risk Register will be aligned to the appropriate organisational objective on the Trusts Board Assurance Framework. All risk on the Trusts Board Assurance Framework will be assessed in terms of the provision of appropriate assurances via the Trusts assurance identification process. Any high level risk that does not provide adequate or fully compliant positive assurances will require an action plan, developed by the appropriate Directorate to demonstrate how assurance will be gained. The Executive Team will be responsible for ensuring that those high level risks without adequate or fully compliant positive assurances, have in place an appropriate Directorate action plan. The Trust Board will be responsible for monitoring progress of the Trusts high level risks and their assurances via a Trust Board Assurance Framework. The Executive Team will be responsible for monitoring progress of the Trusts risks and their assurances, other than high risk via Directorate action plans.

13 Risk Registers The Trust has Risk Registers for each Directorate which detail risks within all areas of work. Each risk is assigned an owner, and as a living document, the risks are updated constantly. The highest

Trust Board Assurance Framework Action Plan

Directorate Action Plans

Assurance Identification Process

Assurance Framework (Key Risks Aligned to Corporate Objectives)

Corporate (Organisational) Risk Register

scoring risks feed through to a single Trust Wide Organisational Risk Register with associated Treatment/Management Plans. The Organisational Risk Registers are monitored by the Executive Team and Governance and Risk Committee on a quarterly basis.

The Trusts risk registers will include as a minimum: Location and Management Unit Service Name and department/directorate

Risk Assessor Name of the person conducting the assessment

Risk Owner Name of the person with overall responsibility

for managing the risk Date Date of conducting assessment

Date of Review Date assessment requires review

Risk Reference A unique reference for each risk identified

Risk Description Description of the principle risk and its possible

impact upon the Trust

Adequacy of Existing Controls Tick boxes to identify existing controls, Adequate or Inadequate options

Likelihood The probability of the realisation of risk score

Consequence The degree to which the interests of the Trust

would be harmed by the realisation of risk

Risk Rating The total of the sum, consequence multiplied by the Likelihood

Trust Risk Ranking Risk Rating Key The risk rating key positioned at the bottom of

the risk registers with guidance on risk scores

Designated leads will be responsible for maintaining and reviewing the Departmental Risk Registers, ensuring any required actions are undertaken and the provision of evidence or assurances.

Corporate (Organisational) Risk Register

Directorate Risk Registers

Trust Wide Risk Register

Department Risk Registers

8+ 8+

Designated leads will be responsible for maintaining and reviewing the Directorate Risk Registers, ensuring the any required actions are undertaken and the provision of evidence or assurances. All risks scored at 8 and above will be known as ‘High Level’ risks to the Trust. All identified risks scored at 8 and above will be added to the Trusts Corporate (Organisational) Risk Register if deemed to be a risk to against the corporate objectives, risks scoring 8 and above may remain on directorate and department risk registers if appropriate. In practice further consideration is given to organisational risks by the Executive Team before input onto the Organisational Risk Register. This means that risks given an initial scoring of 8 or above are not necessarily featured within the Corporate (Organisational) Risk Register. The Executive Team will have responsibility for reviewing the Corporate (Organisational) Risk Register and making recommendations to the Governance and Risk Committee. The Governance and Risk Committee will be responsible for reviewing the Corporate (Organisational) Risk Register and making any recommendations for change or approval to the Trust Board.

The Governance and Risk Committee Report will be based on any high level risks identified that do not have positive assurances. It will be the responsibility of the nominated lead to produce an update/progress report for the inclusion in the committee report. The Head of Risk and Claims will co-ordinate this process. The Governance and Risk Committee will be expected to make recommendations on actions to be taken. The Trust Board will monitor progress against high level risks in the Trust via the Trust Board Assurance Framework. The Trusts Board Assurance Framework will be reviewed by the Trust Board, as minimum, 4 times within any calendar year. The Trust Board will receive the Trust Corporate (Organisational) Risk Register, for review, as a minimum, on an annual basis. The Head of Risk and Claims will provide support in conjunction with the Risk Officer/LSMS and Risk Management Systems Officer. The Head of Risk and Claims will be responsible for ensuring that the Departmental and Directorate and Corporate (Organisational) Risk Registers are co-ordinated, maintained and kept up to date. 13.1 Risk Treatment Eliminate - Not proceeding with activity likely to generate the risk Reduce - Reducing or controlling the likelihood and consequences of the occurrence Transfer - Arranging for another party to bear or share some part off the risk through

contracts, partnerships, joint ventures etc. Accept - Some risks may be minimal and retention acceptable 13.2 Controlling Risk Once a risk has been assessed and its impact upon the Trust determined, measures will be implemented to reduce the impact to a level that is as low as reasonably practicable, this may be influenced by some of the following:

Statutory or Regulatory requirements Nature – Strategic, Operational, Financial or Compliance Stakeholder requirements and expectations Likelihood of occurrence and safety outcome Human Resources, Financial, Operational or Technological constraints Current controls Degree of acceptance for level of risk

13.3 Risk Actions Plans Risk Action Plans will be developed for all risks rated at 8 and above. These will record existing controls, implementation arrangements for the new controls together with achievement dates and estimated residual score. It is the responsibility of the delegated officer (as defined in Figure 3 and Appendix ‘C’) to ensure production of a risk action plan. It is the responsibility of the delegated manager (as defined in Figure 3 and Appendix ‘C’) to review any Risk Action Plans produced, progress made and their effectiveness. The Risk Action Plan should clearly identify the controls that are to be recommended and the resource implications of the implantation of controls i.e. Financial, Humanitarian, Operational and Resources. There should also be clear evidence that the implementation of those controls will reduce the risk to a level that is acceptable. The Risk Action Plan can also be provided as part of a Business Case to show evidence that risks have been considered, this is of particular importance in the case of new equipment, resources, practices and procedures. 13.4 Monitor and Review of Risks Monitor risk impact Review effectiveness of action Has the risk priority changed? All risks identified and assessed will be monitored, reviewed and re-assessed on the following basis: Low Risk Score, 1-6, green - Reviewed at least Annually Moderate Risk Score, 8-12, amber - Reviewed at least Quarterly High Risk Score, 15-25, red - Reviewed at least Quarterly An organisational process and guide can be found via the Docuviewer system under (Risk Register Process and Guide QSSD 2017, this details the processes for identification, assessment and analysis of risk, including reporting. The matrix will specify the department responsible, the lead person(s) or group for managing the activities and the review process. The frequency of reviews may be subject to alteration if additional information (such as incident reports, claims or complaints) indicates there is a requirement for earlier assessment and action. This will be monitored via development of a key performance indicator, which will be reported to the Governance and Risk Committee. 14 Monitoring Effectiveness

The Trust can monitor the effectiveness of its risk management controls in a number of ways: Annual Governance Statement (AGS) – Each year the Chief Executive, on behalf of the

Trust Board, must sign a statement on the effectiveness of the systems of internal controls and detail any weaknesses identified. This is also independently verified by Internal Audit.

NHSLA Risk Management Standards for Ambulance Services – The Trust is regularly assessed against a set of standards prepared by the NHSLA. The higher the level achieved, the greater the discount afforded the Trust against its premiums.

DOH Care Quality Commission – The Trust is regularly reviewed by a number of external

assessors each with their own set of performance and control standards against which the Trust is measured.

Performance against Key Performance Indicators 15 Who is responsible for Risk Management?

The Chief Executive and Trust Board have overall responsibility for the Trust’s risk management programme. It is the Trust Board that endorses and resources all formalised risk management plans. The four categories of risk described previously in section 5 are grouped into two distinct areas,

Those that could be regarded as having direct patient care risks, managed by the activity of the Quality Committee. This Committee takes responsibility for the development of controls for meeting clinical standards and implementing clinical policies and

Those that posses non-clinical risks and managed by the Governance and Risk Committee, the responsibility having been delegated by the Audit Committee. This Committee is responsible for the implementation of risk management.

The Governance and Risk Committee and the Quality Committee must work in a co-ordinated way to make sure that all the areas of risk are properly managed. Both committees have strategic responsibilities, they set standards, provide risk related policies that are clear and up-to-date, and check that the Trust is meeting these standards and operating accordingly. Responsibility for meeting standards and implementing these are delegated to all staff and overseen by Trust Managers. Individuals and individual departments have certain defined responsibilities as follows.

Executive Directors

The Director of Finance is the designated Executive Director with overall responsibility for ensuring the implementation of risk management and organisational controls relating to financial risk management. The Director of Clinical Care and Patient Safety is the designated Executive Director with overall responsibility for ensuring the implementation of risk management and organisational controls for clinical and non-clinical risk. All Directors will have involvement in ‘amber risks’, through their Directorate Risk Registers. Red risks will be brought to the attention of the relevant director through the same mechanism and be incorporated in the Organisational Risk Register presented to the Governance and Risk Committee and Trust Board. Executive Directors are also responsible for ensuring that:

All staff managed within their structure are clear about their responsibilities in relation to risk These responsibilities are made clear within job descriptions Appropriate policies and strategies are in place to comply with the Trust Risk Management

Strategy Audit programmes are undertaken.

Non-Executive Directors

Non-Executive Directors are specifically responsible for:-

Ensuring the systems for governance, risk management and internal control are effective

and maintained across all the organisation’s activity; ensuring the strategic goals and corporate objectives of the organisation are achieved; Constructively challenging and contributing to the development of risk management

systems; One of the Non-Executive Directors is appointed as the Chair of the Governance and Risk

Committee which is the Committee responsible for risk management.

Council of Governors

The Council of Governors is responsible for holding the Board of Directors to account for the performance of the Trust, including ensuring the Board of Directors acts so that the Trust does not breach the terms of its authorisation. The Trust will ensure that it supports governors in this role by proactive notification to governors of the following:-

Any issues identified by the Trust which put the Trust at risk of breaching its terms of

authorisation; Any serious incident, media interest or similar issue which may impact upon the Trust’s

reputation and which is also notified to the CQC and Monitor; Any Corporate risk which has the potential to impact on the achievement of the Trust’s

Corporate Objectives.

Trust Managers

Regardless of the severity of the risk, Trust managers are responsible for management of day-to-day risks of all types within their management structure and budget allocation. They are charged with ensuring that risk assessments are undertaken throughout their area of responsibility on a pro-active basis and that remedial action is carried out where problems are identified. All managers can employ the following with regards to risk: Risk Avoidance - Avoid completely a particular risk by discontinuing the operation or activity

producing the risk.

Risk Reduction - Examine the extent to which the risks can be reduced and employ risk treatment plans.

Risk Action plans can sometimes include a financial element. Managers can act independently up to their financial budgetary limit. Managers are responsible for implementing and monitoring any identified and appropriate risk management control measures within their designated area(s) and scope of responsibility. In situations where significant risks have been identified and where local control measures are considered to be potentially inadequate, managers are responsible for bringing these risks to the attention of the Governance and Risk Committee if local resolution has not been satisfactorily achieved. Managers are also responsible for reporting difficulties in progress

to the appropriate committee. All major financial investments however, must be agreed through the Capital Monitoring Group and the Director of Finance.

Staff Responsibilities and Non-punitive (fair blame) commitment

Management of risks is a fundamental duty of all staff and should be recognised as an integral part of good practice whatever grade or designation. All staff must ensure that identified risks are reported to their immediate line manager in order that effective controls may be considered and action taken where necessary. All employees of the Trust have a duty under legislation to take reasonable care of their own safety and the safety of others who may be affected by Trust business. It is the duty of all employees to be familiar with the Trust Risk Management Strategy and comply with Trust rules and regulations and instructions to protect health safety and welfare of anyone affected by the Trust’s business. The

Trust cannot condone any intentional or reckless interference with or misuse of any equipment provided for their protection, health and safety. The Trust believes that this is best achieved through an environment of honesty and openness, where mistakes and untoward incidents are identified quickly and dealt with in a positive and responsive way. Staff may at one time or another have concerns about what is happening at work. Usually these concerns are easily resolved. However, if those concerns are about possible unlawful conduct, financial malpractice or dangers to the public or the environment it can be difficult for staff to know what to do. Staff may be worried about raising issues or may want to keep concerns to themselves, perhaps feeling it’s none of their business, that it’s only a suspicion or they would be being disloyal to colleagues, managers or the organisation. As a result, the Trust introduced the Policy for Raising Matters of Concern (Whistle Blowing Policy) to enable staff to raise concerns about possible unlawful conduct, financial irregularities or dangers to the public or environment at an early stage and in the right way. The Trust would rather staff raise their concerns when they are just concerns rather than wait until further problems have occurred.

Head of Risk and Claims and Risk Management Team

The Head of Risk and Claims and team co-ordinate the activities of the Trust in the management of risk, monitor the risk assessments programme and complete the following responsibilities:

Maintenance of the Organisational Risk Register Maintenance of the Directorate Risk Registers Maintenance of the Assurance Framework for the Trust Development & Maintenance of the Risk Management Strategy Policy development for Risk Management Development and maintenance of the Risk Management System and software With the Health and Safety Adviser and the respective Divisional / Department Manager,

draws up risk treatment plans based upon the findings within the Risk Registers Reports the risks deemed to be not adequately controlled within the Organisational Risk

Register to the Governance and Risk Committee

Health and Safety Adviser

The Health and Safety Advisors manage the regular reporting mechanisms concerned with maintaining a ‘safe’ internal working environment.

Co-ordinates the risk assessments programme in compliance with Regulation 3 of the ‘Management of Health and Safety at Work Regulations 1999'.

Maintains a central generic risk register and assessment documentation Distributes completed risk assessments to all relevant locations in conjunction with the

NEAS Quality Department Monitors the effectiveness of the agreed risk treatment plans Periodically reviews the risk assessments

Chief Internal Auditor

The Chief Internal Auditor is responsible for verifying the accuracy of the Statement on Internal Controls. 16 Review

An annual report on Risk Management will be produced by the Risk Management Team in the first quarter following the financial year end. As the risk management process is continually evolving, this strategy will be reviewed on an annual basis and in light of the annual assessment, external assessments, changes in guidance, best practice and legislation.

17 Consultation, Approval and Ratification 17.1 Consultation Process

The Strategy has been reviewed by appropriate staff within the Risk and Claims Management Team. 17.2 Strategy Approval Process This Strategy shall be approved by the Trust Board on an annual basis. Any amendments to the Strategy in-year will be approved at the next available Trust Board. 17.3 Ratification Process This Strategy shall be ratified by the Trust Governance and Risk Committee.

18 Review and Revision Arrangements Including Version Control 18.1 Review and Revision Process The Risk Management Strategy shall be reviewed at least annually by the Head of Risk and Claims. The Trust Board shall approve the Strategy thereafter. All reviews and revisions to any procedural document must be approved according to the process described in section 9 of this document.

18.2 Version Control

A Version Control sheet shall be maintained with the document. See Appendix B Version Control Sheet.

19 Dissemination and Implementation 19.1 Dissemination

Once approved, this document shall be circulated by e-mail to all manager and locations. An article will also be placed on the Pulse The document will also be supplied to the Quality Assurance Officer to replace the previous version of the Strategy on Docuviewer.

19.2 Implementation

Implementation shall be carried out by the Head of Financial Services, the Head of Risk and Claims Manager in conjunction with Risk and Claims Management team.

20 Document Control including Archiving Arrangements 20.1 Register / Library of Procedural Documents

This Strategy will be stored on the Trusts document database Docuviewer which can be accessed via the Trusts intranet. This is a secure database maintained by the Quality Assurance Officer. Documents are given a unique reference number and are only updated on the database following full ratification process.

20.2 Archiving Arrangement

The Strategy shall be reviewed on an annual basis and older versions of the Strategy shall be retained by the Quality department.

Copies of previous versions of the document can be obtained on request from the Quality Assurance Officer. 21 Associated Policies/Procedures

The Trust develops and maintains policies and procedures to govern the work that is undertaken and ensure that risks are minimised. All policies and procedures are given a unique number and are available for viewing on the Trusts dedicated policy system “Docuviewer”. All policies and procedures are reviewed and updated on a regular basis. Associated risk management policies and procedures can be located on “Docuviewer”.

The Trust Board acknowledges its responsibility to monitor progress of this strategy and to review it on an annual basis using the results of the annual report and external assessments for reference.

22 Equality and Diversity Statement The Trust is committed to providing equality of opportunity, not only in its employment practices but also in the services for which it is responsible. As such, this document has been screened, and if necessary an Equality Impact Assessment has been carried out on this document, to identify any potential discriminatory impact. If relevant, recommendations from the assessment have been incorporated into the document and have been considered by the approving committee. The Trust also values and respects the diversity of its employees and the communities it serves. In applying this policy, the Trust will have due regard for the need to:

Eliminate unlawful discrimination

Promote equality of opportunity

Provide for good relations between people of diverse groups

Signed:……………………………….. Chairman Date:……………………………….. Signed:……………………………….. Chief Executive Date:………………………………..

Appendix ‘A’

Risk Matrix Guide

Consequence and Likelihood Scores

Appendix ‘A’ - Risk Matrix - Consequence Score

1 2 3 4 5

Domains Negligible Minor Moderate Major Catastrophic

Impact on the safety of patients, staff or public (physical/psychological harm)

Minimal injury requiring no/minimal intervention or treatment. No time off work

Minor injury or illness, requiring minor intervention Requiring time off work for >3 days Increase in length of hospital stay by 1-3 days

Moderate injury requiring professional intervention Requiring time off work for 4-14 days Increase in length of hospital stay by 4-15 days RIDDOR/agency reportable incident An event which impacts on a small number of patients

Major injury leading to long-term incapacity/disability Requiring time off work for >14 days Increase in length of hospital stay by >15 days Mismanagement of patient care with long-term effects

Incident leading to death Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients

Quality/ Complaints /audit

Peripheral element of treatment or service suboptimal Informal complaint/inquiry

Overall treatment or service suboptimal Formal complaint (stage 1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Reduced performance rating if unresolved

Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Major patient safety implications if findings are not acted on

Non-compliance with national standards with significant risk to patients if unresolved Multiple complaints/ independent review Low performance rating Critical report

Totally unacceptable level or quality of treatment/service Gross failure of patient safety if findings not acted on Inquest/ombudsman inquiry Gross failure to meet national standards

Human resources/ organisational development/staffing/ competence

Short-term low staffing level that temporarily reduces service quality (< 1 day)

Low staffing level that reduces the service quality

Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Low staff morale Poor staff attendance for mandatory/key training

Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Loss of key staff Very low staff morale No staff attending mandatory/ key training

Non-delivery of key objective/service due to lack of staff Ongoing unsafe staffing levels or competence Loss of several key staff No staff attending mandatory training /key training on an ongoing basis

Statutory duty/ inspections

No or minimal impact or breech of guidance/ statutory duty

Breech of statutory legislation Reduced performance rating if unresolved

Single breech in statutory duty Challenging external recommendations/ improvement notice

Enforcement action Multiple breeches in statutory duty Improvement notices Low performance rating Critical report

Multiple breeches in statutory duty Prosecution Complete systems change required Zero performance rating Severely critical report

Adverse publicity/ reputation

Rumours

Potential for public concern

Local media coverage – short-term reduction in public confidence Elements of public expectation not being met

Local media coverage – long-term reduction in public confidence

National media coverage with <3 days service well below reasonable public expectation

National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House) Total loss of public confidence

Business objectives/ projects

Insignificant cost increase/ schedule slippage

<5 per cent over project budget Schedule slippage

5–10 per cent over project budget Schedule slippage

Non-compliance with national 10–25 per cent over project budget Schedule slippage Key objectives not met

Incident leading >25 per cent over project budget Schedule slippage Key objectives not met

Finance including claims

Small loss Risk of claim remote

Loss of 0.1–0.25 per cent of budget Claim less than £10,000

Loss of 0.25–0.5 per cent of budget Claim(s) between £10,000 and £100,000

Uncertain delivery of key objective/Loss of 0.5–1.0 per cent of budget Claim(s) between £100,000 and £1 million Purchasers failing to pay on time

Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Claim(s) >£1 million

Service/ business interruption Environmental impact

Loss/interruption of >1 hour Minimal or no impact on the environment

Loss/interruption of >8 hours Minor impact on environment

Loss/interruption of >1 day Moderate impact on environment

Loss/interruption of >1 week Major impact on environment

Permanent loss of service or facility Catastrophic impact on environment

Risk Matrix - Likelihood score

Likelihood score

1 2 3 4 5

Descriptor Rare Unlikely Possible Likely Almost certain

Frequency How often might it/does it happen

This will probably never happen/recur

Do not expect it to happen/recur but it is possible it may do so

Might happen or recur occasionally

Will probably happen/recur but it is not a persisting issue

Will undoubtedly happen/recur,possibly frequently

Appendix ‘B’

Risk Register

Example

Appendix ‘B’ – Example Risk Register

Risk

Reference

Risk Impact Risk Rating Mitigation After Risk Rating

C L CxL C L CxL

Org

08

Unable to progress delivery of equitable A&E performance

targets across localities including

rural locations without additional

funding.

The cost of the provision of A&E locality based targets would not be

financially viable for the Trust if Commissioners were not prepared to

fund additional resources.

Inequalities in service provision would continue and we would be constantly

pressed to seek a solution.

Penalties within the National Ambulance contracts for 2010/2011 increase the financial/organisational

consequences of not meeting performance targets.

4 3 12

The achievement of locality based performance has been modelled and work is ongoing to develop costs and proposals

for Commissioners to consider.

The Trust’s first responder scheme is actively being expanded, particularly in the

rural areas.

The Trust’s Community Resuscitation Initiative to increase numbers in the community to be trained in basic life

support is being developed.

Continue to liaise with the Rural Healthcare Commission.

Explore the potential to expand the community paramedic role (integrating with

GP surgeries).

3 2 6

Org

09

Failure to implement and/or fund the new

Emergency Care System (ECS),

formally known as EPRF, without

adversely affecting A&E performance.

The ECS is a critical development for the Trust to improve clinical

effectiveness through having better information, the ability to measure

clinical performance and technically link information to our other systems

enabling us to build a more comprehensive patient care record.

There is the potential risk that the use of the ECS increases job cycle times and adversely affects performance.

4 3 12

Funding of ECS is built into the capital plan and monitored through the Capital

Monitoring Group. Formal project management arrangements will be put in

place to manage the implementation.

Lessons are being learnt from early implementer sites.

4 2 8

Appendix ‘C’

Risk Action Plan

Example

Appendix ‘C’ – Example Risk Action Plan

Risk Item.

Ref.

56

SUMMARY - Recommended response and impact:

COST (£): Not identified yet

ACTION PLAN

1. PROPOSED ACTION(S):

2. RESOURCE REQUIREMENTS:

3. RESPONSIBILITIES:

4. TIMING:

5. REPORTING AND MONITORING REQUIREMENTS:

COMPILED BY: DATE: DATE IMPLEMENTED:

Appendix ‘D’

Risk Management and Organisational Control Framework

Appendix ‘D’ - Risk Management and Organisational Control Framework

NB: All Working Groups shown below the ‘line’, form part of the Trust’s Risk Management & Organisational Controls Framework. Groups with dotted line are task & finish groups

Assurance

BOARD Audit

Committee

Quality

Committee

Business Investment and Finance Committee

Workforce & Equality

Committee Governance and

Risk Committee

Independent Assurance

Patient Experience

Clinical Effectiveness

Patient Safety

Infection Prevention & Control Gp

Medical Devices Group

ECLIPs Group

Safeguarding Group

R&D Group

Root Cause Analysis Panel

Clinical Audit Steering Group

Clinical Advisory Group

Medicines Management Group

Risk Risk

Ris

ks

an

d A

ssu

ran

ce

Commercial Services Group

Capital Monitoring Group

Workforce Development Group

Health and Wellbeing Group

Workforce Planning Group

Equality and Diversity Group R

isks

an

d A

ssu

ran

ce

Risk

Ris

ks

an

d A

ssu

ran

ce

Ris

ks

an

d A

ssu

ran

ce

New Quality Measures Clinical Indicators Development Group

Improvement Steering Group

Clinical Education Steering Group

Vehicle Risk Management Group

Strategic Health and Safety Committee

Data Quality Assurance & Records Management Group

Policy Review Group

Information Governance Working Group

Emergency Planning and Resilience Group

Environmental Management Working

Group

Risk Repository

Information Security Group

Appendix ‘F’

Version Control Sheet

Appendix ‘E’ - Version Control Sheet

Version Date Author Status Comment

0001 March 2007 Owen Chaplin Archive

0002 April 2008 Judith Hurrell Archive

0003 March 2009 Judith Hurrell Archive

0004 March 2010 Alan Gallagher Archive

0005 March 2011 Alan Gallagher Archive

0006 March 2012 Alan Gallagher Live