RISK MANAGEMENT STRATEGY


2016 Amendments

This is a five-year strategy that is subject to annual review by the Board of Directors. The first review took place on 29 November. At this time three amendments to the strategy were approved.

The strategy as approved in 2015 included this table in section 7.2. Two 2016 revisions can be found in the same table at section 7.2.

Risk Score: 1-6
Primary Descriptor: Minor Risk
Management level: Usually managed at Clinical Service Unit (CSU) level. May be retained if any further control limits management capacity to control higher scoring risks.

Primary Descriptor: Moderate Risk
Management level: These must be reported to the Divisional Governance meeting. They are generally managed locally by the CSU with oversight by the Divisional leadership team. Again, they may be retained if any further control limits management capacity to control higher scoring risks.

Primary Descriptor: Significant Risk
Management level: These must be reported by the General Manager or Divisional Director to the monthly performance meeting led by the Chief Operating Officer. Corporate Directors will discuss significant risks in their offices with the Chief Executive in the executive team meeting.

Risk Score: 16 and above
Primary Descriptor: Significant Serious Risk
Management level: These must be reviewed by the TMC and reported to the Board of Directors via the Chief Executive Report; and quarterly when the Risk Register and BAF are reviewed by the Board.

The third and final revision addresses the annual review of the statement of risk appetite. The 2015 statement of appetite was:

The Rotherham NHS Foundation Trust operates within the Rotherham health and social care economy. As a provider of hospital and community services the Foundation Trust is regulated by Monitor and the Care Quality Commission. The Trust recognises that its long term sustainability depends upon the delivery of its strategic objectives and its relationships with its patients, the public, staff (colleagues) and strategic partners.

As such the Trust will take a cautious approach to risks that materially impact on patient safety, clinical outcomes, finance, and regulatory compliance. However the Trust has a greater appetite to pursue innovation, collaboration and challenge current working practices, taking opportunity where positive gains consistent with the five strategic objectives can be anticipated, within the current constraints of the regulatory environment.

1.0 Introduction

1.1 The principal purpose of The Rotherham NHS Foundation Trust (TRFT) is to provide healthcare services to the local community and those referred from further afield into specialist services such as Photopheresis. To ensure that the care provided at TRFT is safe, effective, responsive, caring and well-led the Board must be founded on and supported by a strong governance structure.

1.2 TRFT is committed to developing and implementing an approach to strategic risk management that will identify, analyse, evaluate and control the risks that threaten the delivery of its key strategic objectives including the achievement of statutory, regulatory or best practice requirements. The Board Assurance Framework (BAF) will be used by the Board Committees and Board to monitor and evaluate risks to the achievement of those objectives.

1.3 The risk management strategy should not be confused with the numerous operational policies and procedures that are required on a day-to-day basis such as clinical procedures, emergency preparedness procedures and business plans. These are separate documents which should be used to achieve the management of risk alongside other management tools such as performance and quality dashboards and financial reports.

1.4 In the context of the risk management strategy the Trust's overall aim is to make the effective management of risk an integral part of everyday management practice. Risk management is a fundamental part of both the operational and strategic thinking of every part of the service delivery within the Trust; this includes clinical, non-clinical, corporate, business and financial risks.

1.5 The Trust is committed to working in partnership with colleagues (staff) over the next five years to make risk management a core organisational process and ensure that it becomes an integral part of the Trust philosophy and ways of working. The risk management strategy represents a developing and improving approach to risk management which can only be achieved by building and sustaining a culture which is synonymous with the Board of Directors' statement of risk appetite [1], effective performance management and accountability for organisational learning in order to continuously improve the quality of services.

1.6 This strategy will be subject to annual review, and as part of the annual governance statement the Chairman and Chief Executive will make a public declaration of compliance.

[1] See appendix 1

2.0 Our Risk Management Vision

2.1 Our vision is to become a risk intelligent organisation such that the safety and effectiveness of our services are enhanced.

3.0 Definitions

3.1 Risk: The probability or threat of a change, injury, liability, loss or other negative occurrence, caused by internal and external vulnerabilities, and which may be neutralised through premeditated actions.

3.2 Risk management is defined as the culture, processes and structure that are directed towards the effective management of potential opportunities and adverse effects (Governance in the New NHS. HSC 1999/123).

4.0 Our Risk Management Strategic Outcomes:

4.1 To deliver a risk management framework which highlights to the Executive Team and Board of Directors any risks which prevent the Trust from complying with its provider licence (Monitor) and regulatory compliance with standards set by the Care Quality Commission.

4.2 To deliver a risk management framework which drives resource allocation and collaboration decisions consistent with organisational strategy.

4.3 To continue development of the BAF as a vehicle for monitoring and evaluating risks to the achievement of key strategic objectives, and informing the annual governance statement.

4.4 To continue development of a comprehensive risk register such that all risks are being identified through effective risk assessment processes, captured and regularly reviewed on the Datix system.

4.5 To have all adverse events, errors, incidents and deviations from expected performance reported on the Datix system and learning being shared throughout the Trust.

4.6 To have the effectiveness of the risk management policies and procedures being monitored [2] against an agreed set of key performance indicators.

4.7 To deliver improved understanding and management of risk by agreeing an annual improvement plan.

4.8 To develop and deliver an annual risk management training and education programme consistent with all individuals being aware of their role, responsibilities and accountabilities for risk management.

4.9 To site risk management at the heart of the organisation's culture evidenced by the extent to which the risk of management decision is consistent with the Board's annual statement of risk appetite and the speed with which colleagues are provided with feedback on their decisions.

5.0 Accountabilities, Responsibilities and Governance arrangements

5.1 All TRFT colleagues have a responsibility to manage risks; however, managers have a greater formal responsibility and accountability for managing risk which often increases with seniority.

5.2 Specifically, the contribution of managers is that they establish and lead a culture of risk management and governance and this is especially the case in regard to the Board of Directors. Managers throughout TRFT must create and control an environment which drives consistency and compliance with policies and procedures such that the Trust operates safely when conditions are normal.

5.3 In addition they must build in preparedness and flexibility to safely accommodate unusual conditions and continuously learn and improve risk management performance.

[2] By the Risk Management Committee.

5.4 Chief Executive

The Chief Executive is the accountable officer for all aspects of governance.

5.5 The Chief Nurse

The Chief Executive has delegated responsibility for risk management to the Chief Nurse. The Chief Nurse is responsible for ensuring the effective implementation of this risk management strategy and for producing quarterly reports to the Board on the incidence of risk and the steps taken to manage it.

The Chief Nurse is also responsible for managing risks related to infection prevention and control, and those related to the protection and safeguarding of children & young people and vulnerable older people including the application of Deprivation of Liberty Safeguards.

5.6 The Company Secretary / Director of Corporate Affairs

The Company Secretary / Director of Corporate Affairs is responsible for ensuring that the BAF is reviewed by the Board quarterly and supported by the Board Risk Register. The Company Secretary / Director of Corporate Affairs will ensure that the Board committees review related sections of the BAF at least quarterly.

The Company Secretary / Director of Corporate Affairs in her role as Senior Information Risk Owner (SIRO) is also responsible for the assessment and management of risk to information security.

5.7 The Finance Director

The Finance Director is responsible for establishing mechanisms for appropriate financial control thereby managing risk relating to achievement of the financial plan. This includes the management of risk relating to commissioning contracts.

5.8 The Director of HR

The Director of HR is responsible for managing workforce risks including those relating to high sickness absence, poor retention in some professional groups, recruitment and high agency usage.

5.9 The Medical Director

The Medical Director is responsible for managing risks associated with the Trust's clinical service strategy, and those related to mortality.

The Medical Director is also responsible for the management of risks relating to the security of person identifiable information in his role as the Caldicott Guardian.

The Chief Operating Officer

The Chief Operating Officer is responsible for managing risks relating to IT infrastructure, emergency preparedness, estate, catering, transport and security.

The Chief Operating Officer is also responsible for managing risks relating to performance against national performance targets such as Referral to Treatment times and the 4-hour emergency care target.

The Board of Directors

The unitary Board of Directors has a collective responsibility to ensure that the risk management processes are providing them with adequate and appropriate information and assurances relating to risks against the Trust's objectives.

If at any time performance reporting and risk management processes indicate that the Trust will not meet a current or future regulatory requirement [or target] then the Board will notify Monitor via an exception report.

The unitary Board of Directors is responsible for the annual review of this risk management strategy and the refresh of the statement of risk appetite.

5.12 Trust Management Committee (TMC)

The Chief Executive leads the TMC and as the accountable officer is ultimately responsible for ensuring that the Trust is compliant with statutory legislation and Health Sector regulations. The Chief Executive discharges accountability for performance through the TMC by consulting with the executive and senior leadership team and holding them to account for the delivery of safe, effective, responsive, caring and well-led services. The Chief Executive reports on matters relating to the TMC agenda through her monthly report to the Board of Directors.

The TMC utilises the risk register to understand the risks to achieving the accountabilities of the Chief Executive. Specifically the TMC owns all risks with a score of 16 (or more) on the risk register and has responsibility for ensuring that those risks are regularly reviewed, that risks are being mitigated and resources are being effectively allocated in line with the level of risk appetite and tolerance established by the Board. As such the TMC agenda, and that of its subgroups, will be constructed to ensure that there is clinical and managerial oversight of risks and the processes in place to minimise negative risk and enhance positive opportunity consistent with the risk appetite.

The Risk Management Committee will report to the TMC providing detail on how it is assured that risks are being effectively assessed and managed.

Quality Assurance Committee (QAC)

The Quality Assurance Committee is a committee of the Board, and as with all Board Committees it is led by a Non-Executive Director. It is responsible for the provision of assurance to the Board on matters relating to quality and safety and in particular it seeks evidence that clinicians and managers have benchmarked performance, especially but not restricted to, the Quality Priorities, and triangulated soft and hard intelligence in the analysis of risk.

The QAC pays close attention to lead risk indicators such as near misses, serious incidents, complaints, claims and mortality indices which are often the first warning signs of emerging clinical risk.

5.14 Audit Committee

The Audit Committee is a committee of the Board. It is responsible for providing an independent and objective review of the adequacy of Trust systems of internal control, including audit arrangements (internal and external), financial systems, financial arrangements and assurance arrangements including governance, risk management and compliance with legislation.

The Audit Committee will approve the annual [internal] audit plan, aligning the plan to the [risk management] strategic outcomes.

Strategic Workforce Committee (SWC)

The Strategic Workforce Committee is a committee of the Board. It is responsible for the provision of assurance to the Board on all matters relating to workforce planning and people management.

The SWC pays close attention to those human factors which may correlate with the indices monitored by the QAC, e.g. the effect of sickness absence and vacancy rates on adverse patient outcomes.

Finance and Investment Committee [3] (FIC)

The Finance and Investment Committee is a committee of the Board. It is responsible for the provision of assurance to the Board on matters relating to the capital investment programme, delivery of the cost improvement programme, achievement of the financial plan and performance against income and activity contracts. These responsibilities are set in the context of Monitor enforcement action relating to strategic and financial governance.

The FIC pays close attention to those risks likely to jeopardise achieving the financial risk rating agreed with Monitor at the start of each year in the annual plan.

[3] Soon to become the Finance and Performance Committee at which point it will assume responsibility for the management of risk to the achievement of performance objectives (see 5.10 above)

5.17 Risk Management Committee

The Trust will establish a Risk Management Committee which will report to the TMC.

The Risk Management Committee will continuously and systematically identify and evaluate internal and external risks that could adversely affect the achievement of Trust objectives. The Committee will provide an annual assurance statement on its activities.

Individual Divisions and Corporate Offices

Individual divisions and corporate offices will, if required, have risk management policies and strategies that comply with this risk management strategy.

Divisional Directors, supported by General Managers, are responsible for establishing divisional governance arrangements consistent with the objectives outlined in this risk management strategy to include the identification, reporting and management of risk.

Supervisors of Midwives

Supervisors of Midwives have an important role to play in making sure that services are run effectively. As such there is an important interface between supervision and risk management.

Supervisors of Midwives are expected to actively contribute to the maternity services governance arrangements, in a supervisor and non-management capacity.

6.0 Risk Register

6.1 Each clinical service unit will carry out risk assessments which feed into the divisional [Datix] risk register.

[4] The Nursing and Midwifery Council is currently undertaking a review of the statutory role of Midwifery Supervision.

6.2 Each division will maintain a comprehensive risk register which will be formally reviewed at the monthly performance meeting. At these meetings the divisions will report on risk scoring 12 and above.

6.3 The divisional risks identified at the performance meetings which impact on the corporate objectives will be combined with the corporate risks to inform the BAF.

6.4 The Board Assurance Committees will receive their extract of the risk register quarterly along with the BAF. The extract will contain risks scoring 16 and above.

7.0 Risk Tolerance Levels

7.1 The Trust will use a five-by-five matrix to score the likelihood and impact of a risk.

Likelihood (L): Rare (1), Unlikely (2), Possible (3), Likely (4), Almost certain (5)
Impact (I): Catastrophic (5), Major (4), Moderate (3), Minor (2), Negligible (1)

Likelihood:
1 = rare - do not expect this to happen
2 = unlikely - most probably will not happen
3 = occasionally / possible - 50:50 chance of occurring
4 = likely - most probably will happen
5 = almost certain - confident that this will happen.

Impact:
1 = negligible / almost none - no obvious harm
2 = minor - no permanent harm (recovery within 1 month)
3 = moderate - semi-permanent harm (recovery takes longer than 1 month but no more than 1 year) and/or adverse publicity for the Trust.
4 = major - permanent harm not resulting in death or severe disability to a person or persons and/or start of a national investigation into the Trust and/or disruption of key Trust services which significantly hinder the Trust in meeting its responsibilities.
5 = catastrophic - death or permanent severe disability to a person or persons and/or significant loss of reputation for the Trust and/or loss of key Trust services which prevent the Trust meeting its responsibilities.

7.2 The Trust will establish the following tolerance levels consistent with the general risk appetite statement.

Risk Score: 1-6
Primary Descriptor: Minor Risk
Management level: Usually managed at Clinical Service Unit (CSU) level. May be retained if any further control limits management capacity to control higher scoring risks.

Primary Descriptor: Moderate Risk
Management level: These must be reported to the Divisional Governance meeting. They are generally managed locally by the CSU with oversight by the Divisional leadership team. Again, they may be retained if any further control limits management capacity to control higher scoring risks.

Primary Descriptor: Significant Risk
Management level: These must be reported by the General Manager or Divisional Director to the monthly performance meeting led by the Chief Operating Officer. Executive Directors will manage risks at this level within their own portfolio.

Risk Score: 16 and above
Primary Descriptor: Significant Serious Risk
Management level: These must be reviewed by the TMC monthly and by the respective Board assurance committees quarterly. They will also be presented to the Board quarterly together with the Board Assurance Framework.

8.0 Key Performance Indicators:

8.1 External regulation

Maintain registration (without legal enforcement) with the Care Quality Commission.

Achieve the Financial Risk Rating agreed with Monitor in the annual plan.

8.2 Outcomes

All major change programmes will be known to the Board. Each will be subject to risk assessment and presented with risk management plans. Update reports will include control scores.

All investment (and disinvestment) decisions will be informed by risk assessment and analysis using the five-by-five matrix.

Evidence of strategic collaboration decisions being made consistent with organisational objectives, clinical service strategy and risk assessment.

Evidence of a culture [as measured by the Staff Survey and incident reporting rates] of colleagues feeling that risk management processes are fair and just.

Achievement of upper quartile performance of reporters of incidents as measured by the NRLS when benchmarked with other Trusts of a similar size.

Reduction in patient harm rates as measured through participation in the NHS Safety Thermometer and indicative of investment in risk reduction programmes.

8.3 Process

All staff groups to report incidents and near misses on the Datix reporting system, as evidenced in six monthly Datix analysis reports to the QAC.

All serious incidents to be reported on the date that they become known as evidenced in the incident management data reviewed by the Operational Quality, Safety and Experience Group.

All departments to be able to evidence a dynamic risk register.

The Assistant Director of Patient Safety and Risk and the Chief Nurse will coordinate an annual workshop and update for the Board of Directors.

8.3.5 The Assistant Director of Patient Safety and Risk and the Chief Nurse will publish an annual programme of risk management education and training via Insite.

Appendix 1 TRFT Risk Appetite

The Board is responsible for making choices regarding the risks it is prepared to take in the pursuit of its strategic objectives and the measures it will take to mitigate those risks. Each year the Trust will review and publish its risk appetite and thereafter risks throughout the organisation should be assessed and managed in accordance with the governance arrangements and tolerance levels described in this risk management strategy.

The Trust has set its strategic objectives and these are reflected in the Board Assurance Framework (BAF). The quarterly monitoring of the BAF by Board Committees and the Board is the key mechanism for managing and assessing the strategic and operational risks during the year.

General risk appetite statement approved by the Trust Board 29 November 2016

The Rotherham NHS Foundation Trust operates within the South Yorkshire and Bassetlaw sustainability and transformation footprint; the Sheffield City region and is central to the Rotherham PLACE plan. As a provider of healthcare in the home, across the community and in hospital the Foundation Trust is regulated by NHS Improvement and the Care Quality Commission.

Delivering high quality services is at the heart of The Rotherham NHS Foundation Trust's ways of working. As such the Trust is committed to the provision of personalised, safe and effective services and the Board has a low appetite for risk that could compromise the quality and safety of services.

The Trust recognises that its long term service and financial sustainability depends upon the delivery of its strategic objectives and its relationship with its patients, the public, staff (colleagues) and strategic partners. The Trust is committed to developing partnerships with statutory, voluntary and other organisations that bring value and opportunity to the Trust's current and future services. Working collaboratively requires a degree of risk to be accepted as the Trust develops longer term strategic plans to make local services resilient and sustainable.

The Trust is supportive of innovation and recognises that it may need to tolerate a higher level of risk whilst pursuing innovation and challenging current ways of practice in order to reduce future risk. The Trust therefore has an appetite for a controlled increase in the level of risk in the short term whilst attaining longer term solutions to the resilience and sustainability of local health and care services.

The Trust is committed to recruiting, developing and retaining its colleagues and has a low appetite for risks concerning staff safety. The Trust also has a low appetite for non-delivery of quality improvement priorities.

The Trust has a low appetite for financial risk in respect of meeting statutory duties but recognises that in order to invest to avoid compromising the quality of care, or maximising opportunities consistent with longer-term service and financial plans some flexibility is required and this could worsen the financial position in the short-term, whilst giving a longer-term return on investment.

In terms of risk to organisational reputation and branding the Trust will take a cautious approach and any decisions that are likely to have significant repercussions will be subject to a thorough risk assessment and will be signed off by a member of the Executive Team.
