Risk Management Strategy

Transcription

1 High Value Health Care Risk Management Strategy (Reference No. GR ) Version: Version 4, September 2014 Version Superseded: Version 3, March 2012 Ratified by: Date ratified: 11 th November 2014 Designation of originator/ author (Lead Officer): Name of responsible committee/ individual: Name of executive lead: Hertfordshire Community NHS Trust Board Tracey Westley, Acting Deputy Director Quality, Risk & Assurance Hertfordshire Community Trust Board/ David Law, Chief Executive Officer Clare Hawkins, Director of Quality & Governance/Chief Nurse Date issued: 31 st January 2015 Review date: Target audience: 2 years from date issued or earlier at discretion of the Executive Lead or Author All Hertfordshire Community Trust (HCT) staff Risk Management Strategy GR , V.4 Page 1 of 19

2 Contents Introduction... 3 Purpose... 3 Scope... 4 Vision... 4 Risk Management Strategic Aim... 4 Framework... 6 Risk Hierarchy... 8 Roles and Responsibilities for Delivery of the Risk Management... 9 Delivering the Risk Strategy and Achieving the Vision Monitoring Compliance and Effectiveness Equality Impact Assessment (EIA) Reference and Bibliography Appendix 1 - Delivering the Risk Vision : Key Milestones Appendix 2 - Committee Structure Appendix 3 - Risk Register Framework Risk Management Strategy GR , V.4 Page 2 of 19

3 Introduction 1.1 Hertfordshire Community NHS Trust (HCT the Trust) is committed to ensuring all services are provided to a high quality. The Board of Directors recognise that successful risk management must be forward thinking, must be the responsibility of all, must be comprehensive and coordinated, and that proactive and continuous identification and management of risk is essential to the delivery of high value healthcare. Further we recognise that risk management is integral to all elements of Trust business and should be embedded in the Trust s philosophy, practices and business at all levels throughout the organisation. The Trust expects all staff to subscribe to its vision, values and strategic objectives to which this strategy relates. This strategy is therefore integral to the work of all the Trust s Directorates/Business Units and supports the delivery of strategic objectives. It sets out why risk management is important for HCT at this time, and describes both the current and aspirational status of risk management. Delivery of the strategy vision is set out in the expected milestones (Appendix 1) which will be monitored by the Audit Committee and annually by the Board. 1.2 This strategy for risk is supported by the: Risk Management Policy Assurance and Escalation Framework Quality Strategy 1.3 This strategy will be accessible to public and staff through the HCT Intranet or by the issue of controlled paper copies where appropriate. Purpose 2.1 The purpose of this risk management strategy is to set out the Trust s vision and overall consistent approach to identify, analyse, evaluate and control risk across the organisation in order to contribute to the Trust s overall strategic objectives. This includes the structures and processes which support effective risk management, including the high level committees (Appendix 2) with responsibilities for risk, the duties and authorities of staff, and the mechanisms to review compliance with the strategy. The Board Assurance Framework (BAF) and High Level Risk Register (HLRR), along with other management tools, will be used to ensure that the Board have a comprehensive view of the Trusts risk profile. Risk Management Strategy GR , V.4 Page 3 of 19

4 Scope 3.1 This policy applies to all staff working for, or on behalf of, the Trust (HCT), with an active lead from the Chief Executive, Executive team, Assistant Directors, General Managers, Heads of Service, Managers and Supervisors to ensure that risk management is a fundamental part of the total approach to the delivery of high quality healthcare. It is intended to cover all potential risks that the Trust may be exposed to. Vision 4.1 To become a leading light in the provision of innovative programmes of care which maintain and improve the health and wellbeing of the people of Hertfordshire and other areas served by the Trust. 4.2 HCT will demonstrate increased risk maturity, moving along the continuum of awareness, and embedding risk management at all levels throughout the Trust; using effective risk management process to enable self-managed teams and support the attainment of the strategic objectives. The risk management vision serves the following purpose for HCT: It is integral to the governance mechanism of the Trust It allows the evaluation of risk in terms of the strategic impact upon the organisations objectives It enables supported decision making for effective safe clinical care, improved patient experience and sustained effective financial management It provides a practical tool which enables effective prioritisation and decision making by identifying priorities for action and revealing operational areas for improvement Risk Management Strategic Aim 5.1 The Trust aim is to operate in a culture of creativity and innovation, in which risks are identified, understood and proactively managed, and where we continuously learn from and review the efficiency of our risk management. In order to be the best community healthcare provider HCT will have the best practice in relation to risk management which will be based on national evidence and be in context to the local risk management status for HCT. The principal strategic aim of the risk management strategy is: HCT Board, Executive Directors and all staff to have understanding and ownership of, and commitment to, the control and management of all reasonably foreseeable risks that may arise within the context of the Trust s activities, ensuring the Trust remains within its risk appetite. Risk Management Strategy GR , V.4 Page 4 of 19

5 5.2 HCT is committed to achieving excellence in the delivery of patient centred care in an environment that promotes the safety, wellbeing and experience of our patients, staff and visitors, whilst safeguarding the continuity of services, assets and reputation of the Trust; that is High Value Healthcare. 5.3 The management of risk is the responsibility of all staff. All staff will be involved in the identification, management and mitigation of risks in their day to day work. The ownership of risk will be evident at all levels of the organisation. Risk management will be all about approach and less about checklists, and moving forward a culture of enabled risk management. All staff will take responsibility to identify (I), analyse (A) and manage (M) risk (I AM responsible) and patient safety will continue to be at the heart of everything we do. 5.4 The Trust acknowledges that there is progress to be made in order that risk management becomes an instinctive part of the everyday working practice of staff and not a bureaucratic process, and that staff feel fully empowered in managing risk. The key milestones in to achieving our vision are outlined in Appendix 1. Risk management will fully support the delivery of HCT s strategic objectives. The key outcomes for patients, staff and stakeholders, which will be demonstrated by 2017 as a result of this strategy, are: Patients, carers and their families will be confident that they will receive excellent patient-centred care in an environment that promotes their safety, well-being and satisfaction as well as that of visitors and staff receive care in an organisation which promotes a culture of creativity and innovation, in which risks are identified, understood and proactively managed. Every member of staff will be involved in, and take responsibility for, the identification, management and minimisation of negative / harmful risks in their day to day work be involved in, and take responsibility for the identification, management, and realisation of opportunistic risks within the Trust risk appetite in their day to day work escalate risks without delay, including incidents and feedback with potential or actual serious impact be competent to consistently describe and measure the impact and consequence of risks and the outcomes of effective risk management make informed management decisions based on risk HCT will demonstrate increased risk maturity through sharing identified risks and their management in an open and transparent way Risk Management Strategy GR , V.4 Page 5 of 19

6 be seen to continuously learn from and review the efficiency of its risk management. be recognised for best practice in relation to risk management Thus the Board will be confident in their systems on internal control and be provided with assurance on the effectiveness of systems in place throughout all levels of the Trust to ensure risks are being managed and mitigated. Risk management reports will be provided to the Board and linked to review of the risk management strategy. Framework 6.1 The Trust is committed to a unified approach to risk management and has integrated safety and incident reporting systems. The Trust has developed a governance system of internal control (SIC) which ensures that the strands of governance such as financial, clinical, operational and research are brought together in a coherent way. Key Features Governance Risk Appetite Risk Identification Risk Assessment Efficacious Controls and Assurances Risk Mitigation(s) Effective Risk Management Robust Risk Management underpins all decisions and business planning to deliver strategic objectives Organisational approach towards risk Each risk is assessed to determine if within the risk Trust appetite of acceptable risk (as per risk score and type of risk) Context and impact on Trust strategic objectives is considered Type of risk Clinical, Organisational/Strategic, Financial, Reputational, Health & Safety, Information, Environmental cause of the risk, its predicted effect and the resultant potential adverse consequence Description of the risk including type, effect and adverse consequences Evaluation/quantification of potential financial and non-financial impact as per risk matrix scores (1-5) of likelihood and consequence Management approval of risk assessment including efficacy of controls and assurances, risk score against Trust risk appetite, Sources of internal and external assurances (audits/reviews) and controls (reports to committees/trust Board) Analysis of current level of controls or assurances Decisions and actions to address the cause of the risk by improving existing controls and assurances resulting in a reduction the consequence and/or likelihood to within an acceptable / manageable risk appetite level. Risk Management Strategy GR , V.4 Page 6 of 19

7 Monitoring and Reporting Risk Escalation Regular monitoring through re-assessment of risk and effectiveness of the actions on improving controls and assurances and therefore reducing the overall risk score (to an acceptable risk appetite level). An integral element of robust monitoring and reporting at each stage to enable timely escalation includes current and new risks 6.2 The Trust is committed to an integrated governance approach to risk management which is achieved by a structure that functions to support a coordinated approach to governance and risk management. The Trust s system of internal control is underpinned by the governance committee structure (Appendix 2). 6.3 The key committees with responsibility for receiving assurances on risk management and the delivery of this strategy are the Trust Board and four of its sub-committees; Audit Committee, Healthcare Governance Committee, Strategy and Resources Committee and the Executive Team. All committees, sub committees, groups and forum have responsibility to identify and escalate risks to the parent committee and thus to Board via the Assurance and Escalation Framework. This is further supported by the Trust s commitment of compliance with the registration requirements of the Care Quality Commission. It is based upon a re iterative internal risk management process and a live risk register framework (Appendix 3) showing movement between service and Board. The Board Assurance Framework (BAF) assesses the principle risks to achieving the Trust corporate objectives. This framework enables identification of risks to the achievement of the organisation s strategic objectives; to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically, identifying gaps in control and gaps in assurance which require action and monitoring. 6.4 The Trust risk management framework encompasses: A risk management strategy from providing the overall strategic aims to enable the Trust to achieve its overall vision A risk management policy which describes HCT s approach to risk management, including process, roles and responsibilities. The Chief Executive has overall responsibility for the Trust risk management processes A live risk register held on an electronic management system, which includes current historical risk assessments and record of current risk status and is linked to analysis of complaints and incident reporting An approved Board Assurance Framework which is aligned to the Trust corporate objectives and records the strategic risks, which are detailed in the electronic risk register Risk management principles which are embedded in HCT s approach to project risk management of change whilst being sufficiently balanced to allow for the development innovative practice Risk Management Strategy GR , V.4 Page 7 of 19

8 Competency Decisions Risk management principles which are embedded within business planning process which require the directorates and business units to identify record risk linked to the integrated HCT strategies and annual planning process. Risk Hierarchy 7.1 HCT has adopted the IRM iterative approach to risk management; this ensures that risks are identified and managed by staff with the appropriate level of knowledge and responsibility for the specific risk faced. This includes the authority to identify and implement appropriate actions. This approach allows the escalation of risk through service, business unit and directorate structures when the likelihood changes or significant risk have been identified. Tone at the top Governance Risk leadership Dealing with bad news Accountability Transparency Informed risk decisions Reward Risk resources Risk skills IRM Executive Directors have the authority to manage risks on the BAF and risks on the HLRR (current score 15 and above) in particular where the risk extends across a directorate and is not limited to a business unit or service within that directorate. 7.3 Assistant Directors have the authority to manage risks on the HLRR (current score 15 and above) where the risk is limited to their area of responsibility within the business unit or directorate and risks on their business unit/directorate risk register (current score less than 15) where the risk extends across the business unit or directorate and is not limited to a service. 7.4 Line Managers have the authority to manage risks on the business unit/directorate risk register where the current risk score is less than 15 and where the risk is limited to their area of responsibility. What does this mean for people who use our services? Risk Management Strategy GR , V.4 Page 8 of 19

9 HCT will put patients first. The patient will feel HCT undertakes a risk managed approach to provide innovative programmes of care which are aimed at maintaining and improving the health and well-being of people for whom HCT are commissioned to provide services, therefore delivering risk managed high value healthcare. This supports HCT s belief to deliver the right care at the right time to the right person. It ensures staff are trained to assess and manage the healthcare for those people who use our services Roles and Responsibilities for Delivery of the Risk Management Strategy 8.1 The delivery of this strategy is dependent not only on the responsibility delegated to key committees and their integrated reporting structure but also through the responsibilities held within key roles within the Trust. More detail on the roles and responsibilities to service level are outlined in the Risk Management Policy. 8.2 Chief Executive of HCT The Chief Executive Officer is the Accountable Officer for the Trust and has overall accountability and responsibility for the operational implementation of this strategy, development of the Annual Governance Statement and for ensuring that Executives and Non-Executive members of the Trust Board access annual training and education for risk management in healthcare. 8.3 Director of Quality & Governance/Chief Nurse The Director of Quality & Governance/Chief Nurse has delegated overall responsibility from the Chief Executive Officer and is the Executive Lead Director for ensuring that all risk and assurance processes are devised, implemented and embedded throughout the organisation and for reporting to the Chief Executive and Executive Team any significant issues arising from the implementation of this strategy including evidence of non-compliance or lack of effectiveness arising from the monitoring process so that remedial action can be undertaken. As Chief Nurse the Director of Quality & Governance has responsibility for seeking assurances on the management of risks related to professional practice of nurses and allied health professionals in the Trust, liaising with the Trust s lead Allied Health Professional (AHP) and professional bodies as required. 8.4 Medical Director The Medical Director has responsibility with the Director of Quality & Governance/Chief Nurse for clinical risk management and clinical Risk Management Strategy GR , V.4 Page 9 of 19

10 governance, and is jointly responsible with the Director of Finance for information governance. The Medical Director is the Caldicott Guardian, and facilitates medical and dental staff compliance with all safety and risk management procedures and seeks assurances on the management of risks related to their professional practice and revalidation, liaising with professional bodies as required. 8.5 Director of Finance The Director of Finance has responsibility for ensuring that the Trust operates within financial constraints and balances competing financial demands and for coordinating the internal audit programme for the Trust. The Director of Finance is the SIRO (Senior Information Risk Owner) for the Trust with delegated responsibility for information governance risk management. 8.6 Company Secretary The Company Secretary is responsible for maintaining the BAF on behalf of the Board and the Executive Team and ensuring that it is presented to the Board and Audit Committee at the agreed intervals. 8.7 Executive Directors and Executive Team The Executive Directors are accountable to the Chief Executive for all areas of risk and assurance in respect of their areas of remit. As such, in addition to being collectively accountable as an Executive Team, they are also individually accountable to the CEO, the Audit Committee and the Board. This includes populating the BAF and ensuring within their directorates the appropriate and timely populating and reporting of risk registers. Executive Directors are responsible for directing the implementation of the risk strategy and associated policies and ensuring that risk management arrangements are embedded within their areas of responsibility. 8.8 Deputy Director of Quality, Risk & Assurance The Deputy Director of Quality and Assurance is accountable to the Director of Quality & Governance and Chief Nurse, and has delegated responsibility for the implementation of risk management and clinical assurance processes across the Trust working through the Risk & Assurance Team and with the Directors, Deputy Directors, General Managers and Service/Locality Managers in the Trust. The Deputy Director of Quality & Governance is responsible for maintaining progress against the milestones outlined in the risk management strategy, and for ensuring the HLRR is maintained on behalf of the Board and the Executive Team and analysing the CQC Quality & Risk Profile for the Trust and ensuring that they are presented to the Board and Audit Committee at the agreed intervals. Risk Management Strategy GR , V.4 Page 10 of 19

11 8.9 Non-Executive Directors The Board chair is the designated Non-Executive link for the Risk Strategy. All Non-Executive Directors have been consulted in the development of the strategy. All have responsibility to provide appropriate objective challenge and to seek assurance of effective implementation All Staff All staff have a responsibility to be familiar and comply with the Trust s risk management policies and processes, and to identify, assess and report risks, and to mitigate risks over which they have control in their daily work and to cooperate with their line managers in respect of the line manager s responsibilities. This includes using the Assurance and Escalation Framework to raise concerns. They are also responsible for undertaking training identified by their line manager and to report known breaches of compliance with the risk management policies whether by others or by themselves. Delivering the Risk Strategy and Achieving the vision 9.1 Risk assessment is an iterative process and all risks are periodically reviewed and reassessed in view of contextual changes. Reassessment is undertaken proactively at intervals proportionate to the risk magnitude and risk appetite as well as reactively in response to anticipated or known changes (Appendix 3). Risk appetite is explored for strategic and operational risks throughout the BAF, High Level Risk Register (HLRR) and Business Unit or Directorate risk registers and evidence considered for whether residual risks are acceptable or not. All strategic risks are reviewed by the Executive Team who confirms their management through the content of the BAF in preparation for presentation to the Board for their consideration. All high level risks (risk score 15-25) are reviewed by the Executive Team who confirms their management through the content of the HLRR in preparation for presentation to the Board for their consideration. All lower level risks (risk score less than 15) are reviewed by the General Manager, Deputy Director or Director (risk owner) who confirm their management through the content of the Business Unit/Directorate risk registers. 9.2 Risks which are not considered acceptable (outside the Trust risk appetite) will be managed out through strategic and operational change or transferred (e.g. by contracting out) leaving acceptable (and opportunity) risks. Such risks are managed and mitigated through the Trust s risk management processes and retained risks are recorded and reviewed through the Trust s risk registers. Risk Management Strategy GR , V.4 Page 11 of 19

12 9.3 In accordance with the Risk Escalation framework when monitoring the acceptable risks, the Board and committees will consider: existing controls to determine whether the risk score is appropriate whether identified additional controls are suitable and sufficient to mitigate the risk within appropriate timescales whether there are links between identified risks, which point to broader corporate issues whether identified risks represent risks to the Trust s strategic aims and should therefore be escalated to the Board Assurance Framework (BAF) 9.4 Committee observations and required actions will be communicated to the parent committee reporting to the Board via the Chair s report. These will be considered by the committee under the standing agenda item of Reflection and issues for escalation and be focused towards assurance, escalation, integration (interdisciplinary work recommended) or the commissioning of additional actions / monitoring by a junior committee. 9.5 HCT uses the principles outlined by the NPSA (2007) and the procedures detailed within the Trust s Risk Management Policy. Monitoring Compliance and Effectiveness 10.1 The Audit Committee s scrutiny of risk and governance will provide assurance of delivery against the Quality Governance framework and delivery of the Risk Management Strategy The actions required to implement this strategy are set out in the Risk Management Action Plan. Progress against the Risk Management Milestones will be reported quarterly to the Executive Team and half yearly Audit Committee and to the Board. Equality Impact Analyses (EIA) 11.1 The completed EIA form for this policy has been undertaken by the Lead Officer and is available on request References and Bibliography There are a number of other strategies/documents that are critical to successful delivery of risk management within HCT. These are: Quality Strategy 2014/17, incorporating the clinical governance strategy Information Governance Plan NHS and professional codes of conduct Monitor s Compliance Framework 2012/13 Risk Management Strategy GR , V.4 Page 12 of 19

13 The policies below support the effective delivery of enabled risk management: Risk Management Policy Assurance and Escalation Framework Incident Policy and Procedure Serious Incident Policy and Procedure Whistle Blowing Policy Legality and Claims Management Policy Education, Training and Development Policy Complaints and Concerns Policy Lessons learnt from Complaints, Litigation, Incidents & PALS Enquires Policy Being Open Policy Bibliography Building the Assurance Framework: A Practical Guide for NHS Boards (DH, 2003) Integrated Governance Handbook (DH, 2006) Risk Management Standards, NHS Litigation Authority (NHSLA) Risk Matrix for Risk Managers, (NPSA, 2008) Audit Committee Handbook (published 2011) Care Quality Commission 2010; Essential Standards of Quality and Safety Good Governance Institute: Risk Appetite for NHS Organisations 2012 Quality Governance Framework (Monitor July 2010) Monitor s Compliance Framework 2012/13. Monitor Risk Assurance Framework 2013 (Update 2014) Risk Culture (Institute Risk Management 2012) Fundamentals of Risk management Understanding, Evaluating and Implementing Effective Risk Management (Kogan 2012) Risk Management Strategy GR , V.4 Page 13 of 19

14 Appendix 1 Delivering the Risk Vision: Key Milestones Timescale Milestones April 2014 to March 2015 Governance arrangements Assurance (re efficacious) Monitor & Reporting (incl. Outcomes) Training & Development Assurance & Escalation Framework included in Induction material Risk Management Strategy (incorporating Risk Escalation and Assurance Framework) signed off by Trust Board HLRR and BAF reviewed monthly by Executive identifying critical issues and mitigating actions. (Complete) BAF updated monthly and Board approval quarterly Publication of BAF extract on Trust intranet Risk Appetite for each type of risk agreed and defined by Board annually Risk appetite informs Annual review of KPIs All service managers able to identify, analyse, mitigate and manage risks effectively, I AM responsible demonstrated Consistent risk scoring is applied Quality Impact Assessment model is revised Quality Impact review model is revised BAF signed off the Trust Board LTFM downside model re-quantified and signed off by Trust Board Business Unit Business Plans are quality impact assessed and associated risks assessed, quantified, managed and aligned on the risk register Risks from Business Planning assessed and routinely reported in BUPR Quality Impact Assessments undertaken for all service changes and reported to Executive team Senior manager risk awareness refresh guidance cascaded Refresh coaching of Business Unit managers Agree annual risk management training plan Provide Datix risk register module training to all risk owners Introduce risk surgeries in localities October 2014 April 2015 Governance arrangements Confirmed adaption to Monitor Risk Assessment Framework and Enforcement Guidance Assessment Risk Management Strategy GR , V.4 Page 14 of 19

15 Assurance (re efficacious) Annual review of RM Strategy signed off by Trust Board Self / external assessment to demonstrate : I AM responsible embedded in GM/DDs/Service leads daily working practices Evidence of scrutiny and challenge of risks at Board, sub committees of Board, Executive, and GM/DD/Service leads level of organisation Consistent examples of effective risk management at service and BUPR level Improved data quality re accurate (and open) reporting. To include number of incidents and near misses. Evidence of change in practice arising from learning from Serious Incidents Information routinely shared across the organisation of types of incidents and actions taken as a result Evidence shared across organisation re the management of risks associated with business unit plan developments Datix risk management system informs the Business Intelligence platform Internal review to demonstrate Risk Management is a core element of everyday work Monitor & Reporting (incl. Outcomes) Training & Development April 2015 September 2015 Assurance (re efficacious) Nov March 2017, Effective and transparent consolidation from service to HLRR and BAF is evident IBPR routinely updated, noting exception reports triangulated with HLRR and BAF Quality Impact review process developed and implemented reporting outcomes to Executive Team 80% of staff have completed risk management training aligned to the organisation TNA needs Learning and training requirements identified with targeted approach to address highest needs Develop online elearning risk management training package Annual review and develop Datix risk register module to meet needs of Trust External review to demonstrate Risk Management is a core element of everyday work Management Training & Development March 2017 I AM responsible all staff able to identify and escalate risks clinical and non-clinical. Annual risk management training plan is signed off and delivered Routine Internal / external review demonstrate Risk Management is a core element of everyday work Risk Management Strategy GR , V.4 Page 15 of 19

16 Appendix 2 Committee Structure Board as Corporate Trustee Charitable Funds Committee Council of Governors HCT Board Appointments & Remuneration Committee CoG Working Groups (eg Membership, Engagement, and Quality) Remuneration Committee Healthcare Governance Committee Foundation Trust Committee FT PMO Strategy & Resources Committee Audit Committee Business Planning Trust PMO (Projects as tasked) Executive Team SMT Business Unit Performance Reviews External / Multi- Agency Boards: HSAB HSCB Quality Strategy (Dir. Q&G) Clinical Services Strategy (Med. Dir.) Estates & Capital Investment Strategy Sub Committee (FD) Market Strategy (FD) Finance Strategy (FD) Workforce & OD Strategy Sub Committee (Dir. of HR & OD) IM&T Strategy Sub Committee (FD) Communications & Engagement Strategies (CEO) Risk Management Strategy (Dir Q&G) Clinical Effectiveness Group Patient Safety & Experience Group Joint Negotiating Committee Information Governance Group Fraud Risk Group Emergency Planning & Resilience Group Health & Safety Group Procurement Group Medicines Management Forum Clinical Effectiveness Forum Research & Development Forum Safeguarding Forum Infection Control Forum Medical Devices Forum Mortality Review Forum Serious Incident Panel (Informal and time limited Working Groups / Project Teams) Risk Management Strategy GR , V.4 Page 16 of 19

17 Hertfordshire Community NHS Trust Board The Board has collective responsibility for overseeing all aspects of risk management throughout HCT and seeking assurances (positive or negative) that this strategy is effectively implemented, monitored and complied with. The Board is the designated committee for this strategy and is responsible for reviewing the Trust s risk management performance against achievement of its strategic objectives. This includes receiving assurances from the Chief Executive and Executive Directors and Board Committees that mitigation is in place through controls and actions, and for setting the risk management strategy and delivery plan, determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives (risk appetite) and allocating resources as required. It has delegated the functions of risk governance to key governance committees, each of which has a responsibility to provide assurance to the Board in respect of the risks that fall within their specific remit. The Board receives a copy of the Board Assurance Framework (BAF) and High Level Risk Register (HLRR) quarterly. The Trust Board and its sub-committees are committed to risk management and will: where appropriate, demonstrate personal involvement and support for risk management approve, review and monitor key strategies, policies and associated training for risk management on a regular basis ensure that there is a structure and training in place for effective risk management within the Trust manage and monitor risk identified in the BAF and HLRR that may prevent the Trust from achieving its objectives identify and manage risks raised by appropriate directors and receive assurance that mitigation is in place be involved in external assessments of risk management. Audit Committee The Audit Committee has delegated responsibility on behalf of the Board to seek satisfactory assurances that the Trust is meeting its statutory internal and external requirements to remain a safe effective business through embedded and effective risk management systems and processes with appropriate support from internal/external audit. It has primary responsibility for all aspects of financial risk and retains an overview of governance risks including clinical risks. The Audit Committee is responsible for seeking assurances that the strategic and high level risks are being controlled and managed effectively and advising the Board on the adequacy of risk management arrangements throughout the Trust. It reviews the BAF and HLRR (and de-escalated high level risks) at every meeting and receives a paper outlining links between them, and progress and issues for review. It receives a summary of the CQC Quality & Risk Profile for the Trust each quarter and undertakes a review of the (draft) Annual Governance Statement each year. Healthcare Governance Committee The Healthcare Governance Committee has overall responsibility for ensuring effective risk management for patient safety, patient experience, infection prevention Risk Management Strategy GR , V.4 Page 17 of 19

18 and control, safeguarding, clinical audit and clinical effectiveness and will bring to the attention of the Audit Committee and the Board risks that may affect patient safety and/or failure to meet the Care Quality Commission Essential Standards of Quality and Safety (CQC 2010). The Healthcare Governance Committee is responsible for considering and reviewing clinical risks and ensuring that high operational or strategic risks are reported to the Executive Committee for consideration to populate the Board Assurance Framework and through this to the Audit Committee. It receives the High Level Risk Register in line with its business cycle with a summary paper outlining progress and issues for review. Strategy and Resources Committee The Strategy and Resources Committee has overall responsibility for ensuring the Trust cooperates within financial constraints and manages risks related to investment and business development and will ensure systems are in place to this effect. The Strategy and Resources Committee is responsible for considering and reviewing finance and business risks and ensuring that high operational or strategic risks are reported to the Executive Committee for consideration to populate the Board Assurance Framework and through this to the Audit Committee. Executive Team The Executive Team has collective responsibility for ensuring that: effective systems, processes and resources are in place for the implementation of the risk management related policies and for their compliance arrangements are in place for receiving and reporting (positive or negative) assurances through to the Trust Board or any relevant committee or sub-committee of the Board as delegated, as to the effectiveness of and compliance with risk management related policies and this strategy. The Executive Team is responsible for all aspects of managing risk, including reviewing the Board Assurance Framework (BAF) and High Level Risk Register (HLRR) every month confirming their validity and considering escalation/de-escalation and linking between the BAF and HLRR ensuring steps are taken to mitigate the risks and reduce them to an acceptable level approving all risk management related policies collating the annual training needs of the Board. Other sub-committees of Healthcare Governance Committee and sub-groups of the Executive Team have delegated responsibility for overseeing all areas of risk management within their specific area/s of remit as defined in their terms of reference These committees have their remit and responsibilities related to risk embedded in their respective terms of reference. Risk Management Strategy GR , V.4 Page 18 of 19

19 APPENDIX 3 - Risk Register Framework Event or Predicted Event Risk Identified Reporting Risk evaluated using the RISK matrix Actions Line manager is informed of the risk & reviews Safeguarding IG & Security Health & Safety Risk & Assurance Manager Infection Control Line manager is informed of the risk at a service review < = 12 Is the risk score? High (15 & above) or Med, Low, Negligible (12 or less) > = 15 Line Manager informs the duty GM/DD of the risk immediately. Yes Can the risk be immediately controlled? No Senior line manager confirms the risk and records on the business unit risk register with an action plan and min. 2/12 reviews GM/DD refutes risk score and agrees mitigation management at service level When the risk is mitigated to score 12 or less GM/DD confirms the high level risk and records / escalates to the High level risk register with an action plan and informs the Risk Manager for consultation. Exec team informed of Escalation to the HLRR and alignment to the BAF 1/12 reviews by the When the action plan is completed and the risk is mitigated to an acceptable level HLRR BAF GM/DD and Risk & Assurance Manager are informed Health Care Gov. Committee 2/12 Trust Board Audit Committee 3/12 Risk Closed and Archived Risk Management Strategy GR , V.4 Page 19 of 19