Risk Management Strategy and Policy

Transcription

1 SH NCP 25 Version 4 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date This document details the Trust s framework within which it directs and controls the risks to its key functions. It sets out the Trust s approach to the identification, assessment, treatment, and tolerance of risk throughout the organisation. The overall objectives of the document are to provide: A framework and clear processes for robust risk management at all levels of the organisation. A framework to deliver assurance that risks are being appropriately identified, assessed, prioritised, addressed and monitored. Detail staff roles and responsibilities to embed the concept of risk assessment and risk management into the day to day working practices of the Trust. Support and promote on-going development as a learning organisation. Risk, risk management, risk register, risk assessment, strategy, tolerance, risk appetite, assurance, assurance framework, mitigation All staff employed by Southern Health NHS Foundation Trust May 2018, or sooner if changes are made to the risk framework Approved and Ratified by: Trust Board Date of meeting: 27 Date issued: June 2017 Author: Sponsor: Jake Pursaill, Risk Manager Sara Courtney, Acting Chief Nurse 1

2 Version Control Change Record Date Author Version Page Reason for Change Fiona Richey Head of Risk and Business Continuity Fiona Richey Head of Risk and Business Continuity Fiona Richey Head of Risk and Business Continuity August 2015 August - October 2016 November 16 December 16 Louise Hartland Governance, Quality and Compliance Manager, LEaD Fiona Richey Head of Risk and Business Continuity Ryan Taylor, Interim Head of Incident Management & Patient Safety Ryan Taylor, Interim Head of Incident Management & Patient Safety Jake Pursaill, Risk Manager 1.0 Revised following organisational change/ restructure for Southern Health NHS Foundation Trust 2.0 Revised following Trust internal audit Risk Maturity Review to combine and clarify existing separate Risk Strategy and Risk Management Policy in to a single document. Review and clarification of risk appetite and risk escalation , 22 Revised to remove and reflect current year, person and time sensitive detail. 9 Revised clarification of risk appetite following Board Seminar 24 th June Revised to clarify risk escalation. Inclusion of Risk Score Guidance 20 2 Page 14 section Page 23 3 Page 5 Section 4.2 Section 4.4 P 6 Section 4.12 P 9 Sections 5.3 and Page 10 P10 Sec 7 P11 Sec 9, 10, 11 P13 Sec 11.5 and P 25 Appendix 3 Page 16 Section 15.2 Page 12 Page 17 Page 21 Cover page 3.4 Page 14 Page 23 4 Page 7 Page 22 & 23 Page 17 & 18 Revised to reflect training provision for managers Revised to reflect training provision for executive and nonexecutives. Updated Training Needs Analysis Sponsorship changed to Acting Director of Nursing and Allied Professionals Minor changes to wording for clarity throughout document Revised to reflect risk management responsibilities for all staff Revised to include the post of Divisional Governance Business Partners and their role within the framework Awarded the responsibility for maintaining the Board Assurance Framework to the Company Secretary Interim Head of Patient Safety and Quality and Risk Manager roles added. Trust level risk register replaces Corporate Risk Register Removed risk appetite and tolerance information and referenced separate Board Risk Appetite Statement Trust Executive Risk and Assurance Group included Risk terminology and guidance re-ordered for clarity. Training expectations and requirements for staff and managers updated. Amendments requested by Trust Board Changes made to reflected revised application of risk tolerance to reflect the amended risk appetite statement agreed by the Board in October Revised the risk matrix in line with the risk appetite Revised process of obtaining assurance of effectiveness removed internal control and local evaluation, replaced with NHSI, CQC, internal audit and when adverse events occur Amended positive and negative assurance Review - April 2017, at request of the Trust Board due to forthcoming changes with the BAF and high level risk management As agreed by the Chief Nurse Added review for moderate level risks. Altered review periods for low level risks Inserted impact matrix that matched the risk appetite document, but which also included an impact domain for Information Governance Removed reference to the Head of Risk Management and assigned responsibilities to the Risk Manager Adjusted scoring criteria for fatalities, and references to CIPs and CQUINs Updated committee reporting structure 2

3 Reviewers/contributors Name Position Version Reviewed & Date Dr Helen McCormack Medical Director December 2013 Non - Executive Directors Southern Health NHS Foundation Trust December 2013 Compliance Team Southern Health NHS Foundation Trust December 2013 Julie Jones Associate Director of Governance December 2013 Divisional Directors Southern Health NHS Foundation Trust December 2013 Executive team Southern Health NHS Foundation Trust September 2016 Fiona Richey Head of Risk September 2016 Jake Pursaill Risk Manager Support September 2016 Related Documents Title Board Risk Appetite Statement Board Assurance Framework Standard Operating Procedure Policy for Managing Incidents and Serious Incidents Procedure for Reporting and Managing Incidents and Serious Incidents Procedure for Reporting and Investigating Deaths Procedure for Management of Serious Incidents that Require Investigation Organisational Learning Strategy Health and Safety Policy Quality Strategy 3

4 Contents Page 1 Introduction 5 2 Purpose and Scope of the Strategy and Policy 5 3 Strategy and Policy Objectives 6 4 Duties / Responsibilities 6 5 Definitions of risk 8 6 Risk Management Overview 9 7 Risk Tolerance and Appetite 10 8 Risk Management Process Overview 10 9 Risk Register Process Risk Identification Risk Assessment Managing and Mitigating the Risks Risk Review, Escalation and Assurance Communication of Risk with Third Parties Training Requirements Equality and diversity Strategy/Policy review Communication strategy Monitoring compliance Associated documents Supporting references Useful websites 18 Appendices Appendix 1 Risk Management Definitions 19 Appendix 2 Risk Scoring Guidance 21 Appendix 3 Organisational Committee Structure 24 Appendix 4 Training Needs Analysis 25 Appendix 5 Equality Impact Assessment Tool 26 4

5 1. Introduction 1.1 Southern Health NHS Foundation Trust (hereafter known as the Trust) provides community health, mental health, and learning disability services. 1.2 Our overall aim is to improve the health, wellbeing and independence of the people we serve by improving patient and service user experience, improving clinical outcomes and giving value for money. The Trust is committed delivering care in a safe environment to protect patients, visitors, staff and the organisation from harm. 1.3 The aim of this strategy and policy is to support the delivery of the organisational aims and objectives through effective management of risks across all of the Trust s functions and activities through effective risk management processes, measurement, analysis and organisational learning. 1.4 The Trust recognises that Risk Management forms an integral part of its philosophy, practices and the business planning cycle. The Trust Board must be able to assure itself the organisation is operating effectively and meeting key aims, goals and principle strategic objectives. 1.5 The Trust s approach to risk management aims to be forward looking, innovative and comprehensive; to make the effective management of risk an integral part of everyday practice. It also aims to support a culture which encourages continuous improvement and development and a focus on proactive rather than reactive risk management, and to support well thought through decision making. 2. Purpose and Scope of the Strategy and Policy 2.1 The purpose and scope of the Trusts is to detail the framework within which the Trust leads, directs and controls the risks to its key functions in order to comply with Health and Safety legislation, Foundation Trust Terms of Authorisation and its strategic objectives. The Risk Management Strategy and policy underpins the Trust s reputation and performance and is fully endorsed by the Trust Board. 2.2 The Trust acknowledges its legal and moral duty to safeguard staff, patients and members of the public. There are also sound moral, financial and good practice reasons for identifying and managing both clinical and non-clinical risks. Failure to manage risks effectively can lead to harm/loss or damage in terms of both personal injury but also in terms of loss or damage to the Trust s reputation; financial loss; potential for complaints; litigation and adverse or unwanted publicity. 2.3 This document is intended for use by all Trust employees and contractors. All staff members will be made aware of the contents on commencement of employment as part of their induction. 2.4 Significant changes to this document will also be cascaded via the Trusts staff update communication process and/or line management cascade. 2.5 The Trust uses a web-based Risk Management system, Ulysses for the recording, management, and reporting of incidents and risks at local, Divisional, Corporate and Strategic levels. 2.6 This Strategy and Policy should be read in conjunction with the Policy for Managing Incidents, the Board Assurance Framework Process and Standard Operating Procedure, 5

6 the Policy for Investigations, Analysis and Improvement, the Health and Safety Policy, Fire Policy, the Trust Quality Strategy and Trust Organisational Learning Strategy. 3. Strategy and Policy Objectives 3.1 The objectives of this are as follows: To set out the Trust s approach to risk and provide a framework and clear process for robust risk management at all levels within the organisation. To outline the framework to provide assurance that risks at all levels of the organisation are being appropriately identified, assessed, prioritised, addressed and monitored. To detail the expectations in terms of roles and responsibilities of all staff in order to embed the concepts and ideas of risk assessment, risk management and risk accountability into the day to day working practices of the organisation. To support and promote on-going development as a learning organisation. 4. Duties / Responsibilities 4.1 The management of risk is an integral part of management and clinical practice. Every individual within the Trust is therefore responsible for identifying and managing risk. The following individuals have specific risk management responsibilities, accountability and authority, as part of their existing roles. 4.2 All Employees (including contracted employees) are responsible for: The identification of both clinical and non-clinical risks that exist or emerge within the area in which they work, and the escalation of these identified risks to managers, risk leads, or senior management as appropriate. Undertaking working practices that comply with all policies, regulations, procedures and Department/ workplace/task specific safe systems of work. Ensuring they act in a manner which is safe and secure for themselves, colleagues, patients, visitors and others who may be affected by their actions, being aware they have a duty to take reasonable care for their own safety and safety of others who may be affected by their acts or omissions. Report any hazardous situations and accidents/ near-miss incidents to the relevant manager(s) as soon as possible and through the Trust incident and near miss reporting system in line with the Managing Incidents Policy. 4.3 Senior/Line Managers are responsible for: Ensuring that they and their staff fulfil their responsibility for risk management by identifying, reporting, monitoring and managing risk in line with this and other associated policies, including the policy for managing incidents. Ensuring that appropriate and effective governance processes are in place to proactively identify, assess and manage risk within their designated area and scope of responsibility. Ensure that identified risks are recorded, properly assessed, escalated, communicated and managed effectively and appropriately in line with guidance within their area of responsibility so that the consequences of a risk patient harm, financial loss, reputational damage, etc. are minimised. 6

7 4.4 Divisional Governance Business Partners Play a key role in supporting the systems and processes for the review and recording of all risks from team level to divisional board providing expert advice on the grading and escalation / de-escalation where appropriate. This will involve working closely with underperforming teams, providing education and encouragement of how risk reporting improves patient safety. Will provide education throughout the division on the reporting of risks and incidents through the Ulysses system. Support their division in the identification, assessment and reporting of risk. 4.5 Chairs of all Trust Meetings are responsible for: Ensuring all relevant risks are brought to the meeting on a regular basis for review to ensure they are up to date and being effectively managed. Agreeing proposed risk tolerance score or risk appetite score for each risk and ensure risks are transferred to risk registers and are correctly assessed. 4.6 Risk Manager is responsible for: The development of strategic plans, policies, procedures and statement of purpose documents with regard to risk management. Provision of training, information and support for Trust staff in relation to risk management. Will support the Divisional Governance Business Partners in developing and educating staff regarding risk management including risk registers and the Board Assurance Framework. Ensuring relevant risks are reported to external agencies such as commissioners through the oversight groups. Ensuring the Ulysses risk management system and associated processes are maintained and updated in line with Organisational requirements. Undertaking consultations with the Executives and NEDS the annual review of the Trust Risk Appetite statement. Through oversight provides a check and challenge process for all risks on the register with the risk owners through a systematic and documented process. Ensuring an appropriate Board Assurance Framework (BAF) is prepared and regularly updated, and that it receives appropriate consideration at relevant committees and groups. 4.7 Associate Director of Quality Governance has: Operational management responsibility for the implementation of all aspects of the Governance and Risk Management agenda through management of the Governance Team. 4.8 Chief Nurse for: Executive sponsorship of the Trust. Ensuring that the Annual Governance Statement adequately reflects the risk management process within the Trust. 4.9 The Executive Team In addition to their roles as senior managers; members of the executive team will act as Accountable Lead Directors for their respective areas of the business and will ensure 7

8 that within their directorates all risk management issues are coordinated, managed, monitored and reviewed including: Lead in the management of risk by devising and implementing short, medium and longterm strategies to tackle identified risk. Recommending to the Board of Directors the raising and closing of identified strategic risks, using the Board Assurance Framework Non-Executive Directors Challenge risk management and governance arrangements within the organisation and provide assurance of the robustness of these arrangements as part of their role as members of the Trust Board and its sub-committees Chief Executive has responsibility for: Maintaining a sound system of internal control and assurance that supports the achievement of the Organisation s objectives. Ensuring that full support and commitment is provided and maintained in every activity relating to risk management Planning for adequate staffing, finances and other resources, to ensure the management of those risks which may have an adverse impact on the staff, finances or Trust stakeholders. Ensuring and signing off the Trust Annual Governance Statement, which adequately reflects the risk management issues within the Trust. Operationally, the Chief Executive delegates responsibility for the implementation of the Risk Management Strategy to other individuals, as described above 4.12 The Board Executive and non-executive directors share collective responsibility for the success of the Trust, including the effective management of risk and compliance with relevant legislation. Providing the strategic direction and leadership to the Trust including: Protecting the reputation of the Trust; Providing leadership on the management of risk and ensuring the approach to risk management is consistently applied; Determining the risk appetite for the Trust; Ensuring that assurances demonstrate that risk has been identified, assessed and all reasonable steps taken to manage it effectively and appropriately; and Endorsing risk related disclosure documents. 5. Definitions of Risk 5.1 At its best risk management will radically improve the quality of services provided and provides strategic direction to the Organisation by guiding staff on the appropriate level of risk they are permitted to take and enables staff to seize important opportunities. 5.2 Risk can relate to: A threat - an event or circumstance which could cause harm or loss, or affect the ability of the organisation to achieve its objectives. An opportunity the organisation must take some risks in order to obtain a benefit, to innovate, grow and improve. 8

9 5.3 All risks are managed through the Trust s risk register; the risk register has four levels of management: Strategic Any risk affecting the whole organisation and its ability to achieve the Organisational Objectives. Trust Any risk which may affect more than one Division or require Corporate Management. Divisional Any risk that affects Divisional services or the service only. Risks that are within the Divisional Directors/local managers delegated budgetary limits and financial resources. Local/ Service/Team Any risk that affects service or team level only. Risks that are within the Deputy Directors/local managers delegated budgetary limits and financial resources. Further detailed risk management definitions can be found as Appendix Risk Management Overview 6.1 By its very nature healthcare is a high risk activity and effective management is often based on taking calculated risks. Risk management helps to ensure that those judgements can be made from a measured range of fully identified options and from a sound knowledge of the risk causes, effects, and consequences. 6.2 Effective risk management is best achieved in an environment of openness and transparency in which it is recognised that whilst risk can never be eliminated, it can and must be managed. 6.3 The Trust Board has delegated the responsibility for the management of risk to key committees. These Committees are responsible for ensuring individual Directors undertake a full programme of risk management activities, maintain up-to-date risk registers and take action to control these risks commensurate with their risk management responsibilities. 6.4 Each Committee has Terms of Reference which have been agreed by the Board. Terms of Reference for formal Board sub-committees are held by the Company Secretary. A full depiction of the Trust s Governance Structure and the purpose of each Key Committee can be found within the Trust s Board Assurance Framework Standard Operating Procedure. 6.5 Risk management is also monitored by external and internal agencies. Performance is monitored against national standards and is subject to self-assessment review and audit. Where performance in these assessments falls below acceptable levels, detailed action plans will be produced and work programmes put in place to improve standards. 6.6 There are a number of indicators that support the implementation of the Trusts Risk Management Strategy and Policy, for example; adverse incidents, complaints and litigation. These indicators are reported monthly via the Trust Quality Dashboard and are reported on in more detail by the Divisions and the Governance Team via Divisional Performance Review meetings, Quality & Safety Committee, and the Health and Safety Forum. 6.7 The Process for Managing Incidents is provided in the Trust Policy for Managing Incidents and Trust Procedure for Grading and Managing Incidents. The Management of Serious Incidents Requiring Investigation (SIRIs) is also included in the Incident Management Policy and Procedure and which are available to staff via the trust web site. 9

10 6.8 The Trust s approach to investigating and learning from incidents focuses on what went wrong and not on who to blame. However if staff have a concern or feel unable to report an incident via the incident reporting system, they should follow the policies: Speak Up (Whistle Blowing) Policy. 7. Risk Tolerance and Appetite 7.1 The Board recognises risk is inherent in the provision of healthcare and its services, and therefore a defined approach is necessary to identify risk context, ensuring that the Trust understands and is aware of the risks it s prepared to accept in the pursuit of the delivery of the Trust s aims and objectives. The Trust recognises it will have to in some circumstances accept a level of risk. Accepting risk is often required to achieve overall objectives. It must, however, take and accept risks in a controlled manner, thus reducing its exposure to unacceptable risk. Further information can be found in the Trust s Board Risk Appetite Statement, separate from this document. 8. Risk Management Process Overview 8.1 Systems for risk management provide a structured method to identify and manage risks: 8.2 Detailed information around the risk management process, specific guidance and risk management tools are available via the Trust website. 10

11 9. Risk Register Process 9.1 The principle tool The Trust uses for managing its identified risks is the Risk Register which can be described as a log of all the risks identified, both clinical and non-clinical, that might have an impact on the Trust s delivery of its aims and objectives. 9.2 The Trust has a single Risk Register which operates at a local/ Service Team, Divisional, Trust-wide and Strategic levels. The Risk Management and escalation process is outlined in detail in the Trust s Board Risk Appetite Statement. 9.3 The Risk Register will be reviewed at all levels in line with Trust Board Assurance Framework Standard Operating Procedure and the Board Risk Appetite Statement which further define roles, responsibilities, and reporting schedules. 10. Risk Identification 10.1 Risks will be identified from both internal and external sources. The Trust aims to be as proactive as possible, as this makes a managed response to risk possible. This avoids the need to make decisions under unnecessary pressure without adequate information or resource The Trust has a comprehensive range of risk assessment tools to identify risk and potential risks associated with its activities. Examples include; Visual Display Risk assessments, Falls Prevention Assessment, Ligature Risk Assessment, and Risk Register Assessment pro formas. 11. Risk Assessment 11.1 Southern Health NHS Foundation Trust deploys a standardised approach to risk assessment across the entire organisation to ensure consistency Risks are assessed based on the impact of the risk and the potential likelihood to occur: The impact is based on a number of factors, for example; the financial implications, the number of service users or staff potentially affected the ability of the Trust to achieve its objectives or the effect on Trust reputation. The likelihood is based on the probability of the risk emerging, and the timeframes in which the risk might occur, e.g. weekly, monthly, etc Evaluation and ranking of risks (risk scoring) The Trust uses a standard 5x5 risk scoring matrix for assessing the impact and likelihood of the risk (see table below). 5 Catastrophic 5 10 MONTHLY MONITORING BY EXECUTIVE TEAM All RED RISKS: MONTHLY MONITORING BY EXECUTIVE TEAM 4 Major MONTHLY MONITORING BY EXECUTIVE TEAM

12 3 Moderate MONTHLY MONITORING BY EXECUTIVE TEAM 15 2 Low Negligible Extremely Unlikely 2 Unlikely 3 Possible 4 Likely 5 Almost Certain Risk scores are not intended to be precise mathematical measures of risk, but are a useful tool to help in the prioritisation of control measures for the treatment of risk. The scoring system allows the levels of risk to be easily identified and therefore prioritised. Further detail on risk scoring and effective assessment is given in Appendix As part of the risk assessment process, a course of action must be agreed in line with the Trust s defined Risk appetite approach and risk tolerance levels. Courses of action to be taken are to: Treat Tolerate Transfer Terminate Take the opportunity Further guidance on action required with each option is provided within the Trust s Board Risk Appetite Statement The Trust Executive Risk Group has responsibility to review monitor on a monthly basis all risks scored at 15 and above outside the tolerance threshold of the Trust and the course of action to take. In addition the Executive Group will in also review on a monthly basis any and all risks rating of 10 with a Likelihood rating of unlikely (2) and an Impact rating of Catastrophic (5). 12. Managing and Mitigating Risks 12.1 As part of the risk assessment process discussed in 11. Risk Assessment, each identified risk will be assessed a total of three times: Inherently, as though there were no controls in place, or that all of the controls are failing; Residually, assuming the controls in place are adequately designed and operating effectively. Target, the risk score that should be achieved through implementing actions, bringing the risk in line with articulated appetite and tolerance. 12

13 12.2 Controls to manage the risk and assurance measures can then be applied to provide a proportionate response with need to revisit should the risk assessment score change over time Measures of Assurance should indicate the adequacy of the controls in place. Assurance should be identified as internal or external and the information gathered using these measures should be identified as reflecting either positively or negatively on the effectiveness of controls in place Gaps in controls should also be clearly identified with actions in place to address. Actions should be specific, measurable, achievable, realistic and timely and should have an identified action owner. The target date to achieve the action must also be recorded Recorded risk information, controls, and actions should be reviewed thoroughly by the monitoring committee to ensure these are adequate effective, and current The target risk score should be agreed in line with the risk appetite and tolerance by the monitoring committee to establish at what point the risk becomes acceptable and can simply be monitored. 13. Risk Review, Escalation and Assurance 13.1 All Risks are managed on the Risk Register. Within the Risk Register there are several levels of risk management as identified in the following table: 13

14 Risk Review 13.2 The frequency of review of risks, dependent on their risk score, risks graded as: Red will be reviewed at least monthly and; Amber risks will be reviewed at least quarterly (with the exception of risks 5x2 which will also be monthly) Yellow risk will be reviewed at least every 6 months Green risks will be reviewed at least annually. Risk review frequency may be increased based on the risk s alignment with the Trust s identified risk appetite. Risk Escalation 13.3 All parts of the Trust will, on a regular basis, review their identified risks and the controls put in place to manage those risks. All levels of risk will be monitored and escalated to the relevant level of the Risk Register dependant on: The risk score The area of affect The budgetary requirements to manage/mitigate the risk Assurance 13.4 To support increasing levels of assurance the Trust Board Assurance Framework, and Risk Control Framework will undergo continuous review and development to ensure a focused approach to the strength of assurance received by Board and Sub - Committees. The process for rating and mapping assurance received against the relevant risks will be undertaken through the use of the three key lines of defence assurance model of: Service Management; Functional oversight; Independent review. Additional information on assurance is provided in the Trust Board Assurance Framework Standard Operating Procedure The, Trust Board Assurance Framework, Risk Management Standard Operating Procedures and guidance tools will be updated to reflect developments in line with Trust risk management and assurance development and Trust Quality Programmes as well as document review schedules. 14. Communication of Risk with Third Parties 14.1 If an organisational risk is identified which is shared with or wholly relates to another organisation the risk must be shared with that organisation. Advice on the appropriate method of communicating and sharing the risk must be sought from the relevant Executive or Divisional Director. The third party must not be named in the Risk Register and the risk 14

15 must not be entered on to the Risk Register without the knowledge of the third party organisation. 15. Training Requirements 15.1 All staff All staff will be provided with and governance risk management training as part of the Trust induction process. Attendance will be recorded and monitored in accordance with the Organisational Induction Policy. The Governance and Risk Management e-learning and e-assessment module is mandatory for all staff. Staff members that are unable to achieve the required level of e-assessment competency will be identified through the Trust electronic training monitoring system; with face-to-face training for these staff provided regularly in response to need. Attendance will be recorded, monitored and appropriate follow up will occur in line with the Trust Organisational Policy. Please refer to the training needs analysis at Appendix Managers An e-learning module that covers all aspects of risk management is available for all staff on the LEaD website. The e-learning module is mandatory for all managers with a responsibility for managing risk. It is expected that it will be completed by all Band 6 posts and above. Specific learning on the completion of risk registers is delivered by the risk team, and bookable via the staff intranet. Specific training delivered face to face by the risk manager is available on request. Please contact the risk team for more details Trust Board Risk Management training is assessed, identified and provided for all executive and nonexecutive Directors as part of the Board Annual Development Programme. Individual Directors will receive risk training as required and or as part of Trust induction. The Board will assess the need for whole Board additional training as necessary. Individual training will be recorded as part of Induction and individual training records. Board Wide Training attendance will be monitored by the Company Secretary and recorded via the Board Development Programme. 16. Equality and diversity 16.1 The Trust aims to ensure that its healthcare and facilities are not discriminatory and, wherever possible, attend to the physical, psychological, spiritual, and social and communication needs of any patient or visitor showing no discrimination on the grounds of ethnic origin or nationality, disability, gender, gender reassignment, marital status, age, sexual orientation, race, trade union activity or political or religious beliefs The process for identifying and managing risk, and the manner in which this is undertaken, should not inadvertently discriminate against any groups in society based on their race, disability, gender, age, sexual orientation, religion and belief. Any person who has concerns regarding the equality & diversity impact of risk management activity within the Trust should refer them in the first instance to the Equality & Diversity Lead, who may require equality impact assessments to be undertaken in order to determine whether any particular groups 15

16 of patients are experiencing variations in practice. The Policy Equality Impact Assessment is provided as Appendix Strategy and Policy Review 17.1 This should be reviewed following the first year of implementation, the review cycle should be 3-yearly. However due to the changes with the BAF the Trust Board have agreed it should be reviewed in April This should be reviewed twice in the first year following the approval of this policy unless a significant change or organisational learning indicates otherwise. Following the first year of approval, the review cycle should be 3- yearly. 18. Communication Strategy 18.1 This Strategy and Policy will be circulated to all members of the Trust Board, Divisional Directors, Heads of Services, Corporate Service Leads and Locality Managers, and Service leads for disseminated and cascade to their staff. The full document will be available for download on the Trust web site so that patient and members of the public can access it. 19. Monitoring Compliance 19.1 Effective monitoring is important to identify successful delivery of this Strategy A Risk Management Annual Report will be presented to the Trust Board. It will summarise the Trust s achievements against the annual work plan for risk management, including: An assessment of the organisational risk management culture and how this is changing over time Performance against NHS high level risk management indicators and assessment of the key risks facing the organisation and how these are being managed Benchmarking activity internally and externally Use of risk management tools by departments Compliance with Induction and mandatory training standards relating to risk management 19.3 The Annual Report will make recommendations for the ongoing development and improvement of risk management and processes in order to achieve the strategic vision and objectives of this Strategy The effectiveness of the Risk Management processes and systems will be evaluated against the following: Findings and recommendations from internal and external audit reports (typically annually) External reviews, such as the NHSI or the CQC In the event of adverse incidents 19.5 Progress will also be reported as part of the Annual Governance Statement provided by the Chief Executive in the Trust Annual Report. 16

17 19.6 Internal Audit will verify compliance with the Annual Programme on a yearly basis and will assure the Trust Board that progress is in line with predicted performance, and highlight any areas for concern. These will be reported with an attached Action Plan to address the concerns The following table outlines how the Trust will monitor compliance with key elements of this Strategy: Monitoring Compliance Element to be monitored Lead Tool/Method Frequency Reporting arrangements Process for ensuring continual, systematic approach to all risk assessments is followed throughout the organisation Risk Manager Divisional Performance Review reports Monthly Divisional Performance Reviews Incident and Risk Report Monthly Trust Executive Risk & Assurance Group Annual strategy and policy review report and Internal Audit process Annually Trust Executive Risk & Assurance Group Appropriate assignment of the management responsibility / escalation for different levels of risk within the organisation is carried out Risk Manager Annual strategy and policy review report and action plan Internal audit Annually / Quarterly Annually Audit, Assurance and Risk Committee Sources of risk are comprehensive, internal and external (including, but not limited to, incident reports, risk assessment and Divisional and Corporate level registers) Risk Manager High level Risk register review description of Risk risk score summary risk treatment plan date of review residual risk rating Audit, Assurance and Risk Committee Quality and Safety Committee, Service Performance and Transformation Committee, Strategic Workforce Committee Delivery and record of attendance of risk management awareness training to board members and senior managers, in line with the training needs analysis Risk Manager Trust Board - Recorded in Board minutes / Nonattendance will be documented via Company Secretary Annually Quality Safety Committee For senior managers LEaD training report which will be monitored via Annual Strategy and Policy Review. Annually Follow up of non-attendance at training. Risk Manager Board Appraisal process Annually / Escalated via line management For managers LEaD training report which will be monitored quarterly and reported via Annual Strategy and Policy Review. Six monthly Escalated via line management All staff See Organisational Induction Policy Annually Escalated via line management 17

18 20. Associated Documents Board Assurance Framework Standard Operating Procedure Risk Management Standard Operating Procedure Policy and Procedure for Managing Incidents Policy for Investigations, Analysis and Improvement. Health and Safety Policy Southern Health NHS Foundation Trust Assurance Process and Infrastructure (July 2013) Organisational Learning Strategy 21. Supporting References The Institute for Risk Management guidance papers (2011): Risk Appetite and Tolerance Guidance Paper HM Treasury (2004): The Orange Book Management of Risk Principles and Concepts National Health Service Litigation Authority (2008): Risk Grading Tool National Health Service Litigation Authority (2008): Policy for the Management of the NHSLA Assurance Framework and Risk Register Audit Commission (2009): Taking it on trust National Health Report National Health Service Litigation Authority (2009): Risk Management Strategy National Health Service Litigation Authority (NHSLA) Risk Management Standards CEAC (2009) Board Assurance: A Benchmarking Review. Oxford University Hospitals NHS Trust (2013) Published by Foundation Trust Network (Foundations for Excellence): Making Risk Management a Reality Good Governance Institute (2010): What every healthcare board needs to understand about patient safety Good Governance Institute (2012): Risk Appetite for NHS Organisations A matrix to support better risk sensitivity in decision taking. Good Governance Institute (2012): GGI Board Briefing: Defining risk appetite and managing risk by Clinical Commissioning Groups and NHS Trusts Care Quality Commission essential standard of quality and safety March 2010 Health and Safety at Work etc. Act 1974 Section 2 Duties of Employers to Employees Section 3 Duties of Employers to Persons other than Employees Management of Health and Safety at Work Regulations 2003 Regulation 3 Requirement to Assess Risk 22. Useful Websites a. Good Governance Institute b. National Health Service Litigation Authority Risk Management Standards 2011/12 c. National Patient Safety Agency d. Health and Safety Executive 18

19 APPENDIX 1 Definitions Governance - the management systems, processes and behaviours by which the Trust leads, directs and controls its functions to achieve its organisational objectives, safety and quality and the way in which it relates to patients and carers, the wider community and partner organisations. Integrated Governance - the streamlined pulling together of intelligence of the competing pressures on the Trust and its staff, advisors, systems, and processes which enables the Trust to avoid the handling of issues in management silos. Board Assurance Framework (BAF) - enables the Board to: Identify and understand the key risks to achieving its strategic objectives; receive assurance that suitable controls are in place to manage these risks and where improvements are needed, action plans are in place and are being delivered; provide an assessment of the risk to achieving the objectives based on the strength of controls and assurances in place. Risk Scoring /rating - A process by which risks are graded/ scored based on the impact of their occurrence and the likelihood of their occurrence Risk Tolerance The maximum level of risk the organisation is prepared to take in line with the type of risk and the potential level of harm, recognising the Trust has a low appetite for risks that could affect patient safety Risk Appetite - The levels and types of risk the Organisation wants to take in pursuance of its objectives. This informs all planning and objective setting, as well as underpinning the threshold used when determining the tolerability of individual risks Risk Controls Processes or activities already in place to effectively manage the risk to achieve the desired outcome Gaps in Controls processes or activities not yet in place in order to effectively manage the risk Risk Assurance evidence that supports the measurement of controls in place, to ensure they are operating effectively and the desired outcome is being achieved Inadequate Assurance- Where assurance or evidence is limited and cannot provide full assurance that controls are effectively managing the risk. Gaps should be identified and listed with actions to close. Gaps in Assurance lack of measures or evidence to support the measurement of controls Internal Assurance - Assurances provided by reviewers, auditors and inspectors who are part of the organisation, such as Clinical Audit or management peer review External Assurance / Independent Assurance Assurances provided by reviewers, auditors and inspectors from outside the organisation such as External Audit, NHSLA, CQC, Commissioners Positive and Negative Assurances- Adequate / Positive assurance indicates how controls are operating to mitigate the risk to the achievement of desired outcome. 19

20 Inadequate / Negative assurance is the reverse, where evidence shows that controls are not operating effectively to mitigate the risk to the achievement of the desired outcome Residual Risks - are those which remain after considering the controls in place to reduce the risk and the implementation of any additional controls that may have been identified as necessary. Acceptance of residual risk will be made by joint consultation between department leads and the Director with responsibility for the area. 20

21 Appendix 2 Risk scoring guidance The Trust uses a standard 5x5 risk scoring matrix for assessing the impact and likelihood of the risk (see table below). 5 Catastrophic MONTHLY MONITORING BY EXECUTIVE TEAM RED RISKS: MONTHLY MONITORING BY EXECUTIVE TEAM 4 Major MONTHLY MONITORING BY EXECUTIVE TEAM Moderate MONTHLY MONITORING BY EXECUTIVE TEAM 15 2 Low Negligible Extremely Unlikely Unlikely Possible Likely Almost Certain Impact Guidance: Domain Impact on the safety of the patient, staff or public (physical/ psychological harm) Quality/ Complaints/audit Negligible Minor Moderate Major Catastrophic Minimal injury requiring no/minimal intervention or treatment No time off work Peripheral element of treatment or service suboptimal Informal complaint/inquiry Minor injury or illness, requiring minor intervention Increase in length of hospital stay by 1 3 days Overall treatment or service suboptimal Formal complaint (stage 1) Local resolution Single failure to meet internal standards Moderate injury requiring professional intervention Increase in length of hospital stay by 4 15 days RIDDOR/agency reportable incident An event which impacts on a small number of patients Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) Local resolution (with potential to go to independent review) Incident resulting serious injury or permanent disability/incapacity. Increase in length of hospital stay by >15 days Mismanagement of patient care with longterm effects Non-compliance with national standards with significant risk to patients if unresolved Multiple complaints/ independent review Low performance rating Critical report Incident resulting in fatality or multiple fatalities An event which impacts on a large number of patients Totally unacceptable level or quality of treatment/service Gross failure of patient safety if findings not acted on Inquest/ombudsman inquiry Minor implications for Repeated failure to meet internal standards Gross failure to meet national standards 21

22 Domain Negligible Minor Moderate Major Catastrophic patient safety if unresolved Reduced performance rating if unresolved Major patient safety implications Human resources/ organisational development/ staffing/ competence Short-term low staffing level that temporarily reduces service quality (< 1 day) Low staffing level that reduces the service quality Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Low staff morale Poor staff attendance for mandatory/key training Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Loss of key staff Very low staff morale No staff attending mandatory/ key training Non-delivery of key objective/service due to lack of staff Ongoing unsafe staffing levels or competence Loss of several key staff No staff attending mandatory training /key training on an ongoing basis Statutory duty/ inspections No or minimal impact or breech of guidance/ statutory duty Breech of statutory legislation Reduced performance rating if unresolved Single breech in statutory duty Challenging external recommendations/ improvement notice Enforcement action Multiple breeches in statutory duty Improvement notices Low performance rating Critical report Multiple breeches in statutory duty / Prosecution Complete systems change required Zero performance rating Severely critical report Adverse publicity/ reputation Rumours Potential for public concern Local media coverage shortterm reduction inpublic confidence Elements of publicexpectation not being met Local media coverage long-term reduction inpublic confidence National media coveragewith <3 days service wellbelow reasonable publicexpectation National media coveragewith >3 days servicewell below reasonablepublic expectation. MP concerned (questions inthe House) Total loss of public confidence Business objectives/ projects Insignificant cost increase/ schedule slippage <5 per cent over project budget Schedule slippage 5 10 per cent over project budget Schedule slippage per cent over project budget Schedule slippage Key objectives not met >25 per cent over project budget Schedule slippage Key objectives not met Finance including claims Negligible loss Loss of less than 10,000 Loss of between 10,000 and 100,000 Failure to meet CIPs or CQUINs targets of between 10,000 and Loss of between 100,000 and 1 million Purchasers fail to pay promptly Loss of major contract / payment by results Loss of more than 1 million 22

23 Domain Negligible Minor Moderate Major Catastrophic 50,000 Failure to meet CIPs or CQUINs targets of between 50,000 and 0.5 million Failure to meet CIPs or CQUINs targets of more than 0.5 million Service/business interruption Environmental impact Information Governance Loss/interruption of >1 hour Minimal or no impact on the environment Minor breach of confidentiality. Single individual affected Loss/interruption of >8 hours Minor impact on environment Breach with potential for theft, loss or communicating/shar ing inappropriate information with between people affected Theft, loss or clinical information of up to 20 people affected (unencrypted media) Loss/interruption of >1 day Moderate impact on environment Breach with potential for theft, loss or communicating/sharing inappropriate information with over people affected Loss or misuse of very sensitive / confidential information relating to 2-5 persons Loss/interruption of >1 week Major impact on environment Serious breach with potential for theft, loss or communicating/sharing completely inappropriate information with over people affected Loss or misuse of very sensitive / confidential information relating to 5-20 persons Damage to an organisation s reputation/ Local media coverage due to IG breach Permanent loss of service or facility Catastrophic impact on environment Major breach with potential for theft, loss or communicating/sharin g completely inappropriate information with over 500 people affected Loss or misuse of extremely sensitive / confidential information relating to over 20 people (e.g. sexual health information, along with names and addresses) Damage to NHS reputation/ National media coverage due to IG breach Likelihood Guidance Risk Likelihood Guidance Likelihood score Descriptor Frequency 1 Rare This will probably never happen/recur Not expected to occur for years 2 Unlikely Do not expect it to happen/recur but it is possible it may do so Expected to occur at least annually 3 Possible Might happen or recur occasionally Expected to occur at least monthly 4 Likely Will probably happen/recur, but it is not a persisting issue/circumstances Expected to occur at least weekly 5 Almost certain Will undoubtedly happen/recur, possibly frequently Expected to occur at least daily Probability Chance of occurrence < 20% 20%-40% 40%-60% 60%-80% > 80% 23

24 APPENDIX 3: Organisational Committee Structure Trust Executive Risk and Assurance Group *In addition, special purpose Committees of finite life may be established, as directed by the Board 24