Risk Management Strategy

Transcription

1 Risk Management Strategy

2 Created by: Role Name Title Author / Editor Kevin McMahon Head of Risk Management & Resilience Lead Executive Margo McGurk Director of Finance & Performance Approved by: Forum Date Operational Risk Management Group (ORMG) 22/08/2017 Executive Management Team Risks &Opportunities Group 23/08/2017 Audit & Risk Committee 21/09/2017

3 CONTENTS 1. EXECUTIVE SUMMARY INTRODUCTION NHS 24 STRATEGIC OBJECTIVES ORGANISATIONAL APPROACH NHS 24 VALUES NHS 24 RISK APPETITE STATEMENT RISK DEFINITIONS ASSURANCE GOVERNANCE & ACCOUNTABILITY DELEGATED AUTHORITY PROCEDURES REVIEW & REPORTING TRAINING, LEARNING & DEVELOPMENT STAKEHOLDER ENGAGEMENT

4 1. Executive Summary NHS 24 Risk Management strategy formalises the responsibilities and supports the organisations Enterprise Risk Management (ERM) framework that sets out how risks are identified and managed effectively. The management of risk underpins NHS 24 Strategic Objectives. The organisation fully supports that risk management contributes to enable safe, effective, quality patient care. Risk management is also key in supporting the strategic and business planning processes to ensure efficient use of resource and value for money in delivering health care services to the population of Scotland. NHS 24 is clear that risk management is the responsibility of all staff and managers within the organisation. To support this the Board have articulated their risk appetite that will drive the amount and type of risk NHS 24 is willing to accept. Broadly this is considered in types of risk - business, staff, clinical and reputational. NHS 24 will maintain a low risk appetite to clinical risk and patient safety. The Board understands that it is impossible to deliver services and achieve positive change without taking risks. As a result, The Board recognise that the type and amount of risk the organisation is willing to accept is clearly aligned to the benefits and opportunities for NHS 24 and NHS Scotland. Risk management is requires both a top down, bottom up approach to support operational activities and strategic decision making. NHS 24 is clear that risk management is not a standalone requirement and will be integrated into daily management, planning and performance and organisational change. NHS 24 are committed to working in partnership to manage risk and maintain the NHS 24 values and embed a risk aware culture and create a safe working environment. The strategy is subject to a review every 2 years. 2. Introduction The NHS 24 purpose is defined as: "Helping to deliver a healthier Scotland by connecting people to health and care advice, information and support 24/7" The purpose of this strategy is to support the aim of NHS 24 by supporting the strategic objectives of the organisation. Risk management strategy provides the direction in which the organisation drives risk management forward to be embedded within the culture and values of the organisation. Risk is defined as the "effect of uncertainty on objectives", whether positive opportunity or negative threat, or a deviation from what is expected. Risk has to be assessed and managed in respect of the combination of likelihood of something happening, and the impact arising. Risk is inextricably linked to objectives of the organisation. Risks are considered in relation to achieving the strategic objectives of the organisation. 4

5 Risk management is an essential component to the strategic management of NHS 24. It is the process whereby the organisation methodically addresses the risks to the corporate activities. Risk management is a continuous process that supports the development and implementation of the NHS 24 strategy. Integrating a risk aware culture will support the development of strategic risk management into tactical and operational objectives. This Strategy and the ERM Framework applies to all services provided by NHS 24 to all systems and processes that support these services, and to all NHS 24 employees. Contractors and 3 rd party suppliers will be made aware of the risk management process within the organisation. 3. NHS 24 Strategic Objectives NHS 24 has established six strategic objectives. Risk management will support each strategic objective to achieve the organisations overarching strategic plan. NHS 24 Strategic Objectives: Fig.1 Risk management being used as a mechanism that drives change to ensure leadership and accountability of horizon scanning when considering opportunities and risks to improve services. Risk management supports a culture of openness and honesty to enable safe services and learning from internal and external incidents to promote a quality improvement culture. NHS 24 will also increase staff awareness of risk management, the responsibilities and values required to deliver an effective framework. The risk appetite statement will be reviewed annually by the Board to embed clear communication throughout the organisation. 5

6 Risk management is integral to strategic decision making. As NHS 24 transition into the new technology and align to the national clinical strategy, risk will be a key component of the programme management. NHS 24 Operational Risk Management Objectives The NHS 24 risk management objectives are to: Develop mechanisms to ensure risk management is used as a driver for quality improvement. Risk management is a systematic embedded process that will support effective decision making by ensuring risk governance arrangements are appropriate throughout NHS 24. Risk Management is focussed to support the organisations decision making, planning and performance arrangements, by providing appropriate information to the respective management and governance structures. This will include project and programme risk management. Enhance the risk management capability through a training and development programme. Embed risk management within the culture, values and behaviours of the organisation through supporting mechanisms, awareness raising, staff training and supporting systems. Embed the risk appetite of NHS 24 and actively apply it to the organisation. It is vital to embedding risk management that it is integrated into NHS 24 business planning processes. NHS 24 has a strategic planning structure that implements and monitors the NHS 24 strategy. Risk is a key component of this process, with outputs managed in line with risk management processes. 4. Organisational Approach NHS 24 s methodology for achieving the above risk management objectives will be outlined in the NHS 24 Enterprise Risk Management Framework. The basic principles of the framework are to enable an integrated and consistent approach to risk management, outline the governance arrangements, explain how risks are identified, managed and escalated. An ERM framework is defined as: Enterprise Risk Management (ERM) is a framework implemented to embed the board s response towards risk. ERM allows the organisation to measure and respond to issues & risks as they arise NHS 24 will aim to continually improve the quality of the information within its risk registers. Specific actions such as increased ownership of risks within risk registers, improved challenge and scrutiny from risk leads. This aims to increase consistency across NHS 24 and the application of the information collated. The presentation of risk 6

7 management information will be developed and include a dashboard of key risk areas to NHS 24. The Board has overall responsibility to ensure there is a risk management process in place. The process will be implemented with the support of managers and staff. The commitment of staff to identify and manage risk is key to the ongoing success of the organisation. 5. NHS 24 Values The NHS 24 values demonstrate the organisations commitment to risk management. The values support staff in this process by embedding openness, honesty and responsibility. The organisation will not seek to apportion blame and will encourage risks to be identified and promote responsibility to empower staff to manage the risks appropriately. Risk management is the responsibility of all staff in the organisation. Teamwork is encouraged across directorates to manage risks, where various expertise is required to mitigate a risk. The values and ethics are required to ensure decision making is conducted with integrity, are compliant with regulations and are transparent. NHS 24 will embed these values by ensuring executive directors and risk leads influence risk based decision making. Fig.2 6. NHS 24 Risk Appetite Statement The Board will not accept risks that negatively impact, or are in detriment to the quality, safety and effectiveness of patient care. In specific areas, the Board has a greater appetite for risk. These areas are included in the strategic objectives and include resetting culture, creating capacity, capability and confidence in people and teams. NHS 24 is a digital organisation in the health and care environment; and will proactively respond to changes and opportunities arising from the alignment of NHS 24 with Health & Social Care Integration and the National Clinical Strategy and will accept a higher level or risk in this area. 7

8 The Board will look to optimise opportunities from different ways of working and more effective use of technology and systems to benefit the public, the wider health and social care system and support the Scottish Government 2020 vision for health care. Change decisions will be considered where innovation improves the quality, safety and effectiveness of patient care. The risks arising from innovative change will be managed through the governance forums and senior management teams. Strategic innovation in other areas will be limited to only essential developments and with decision-making held by senior management. NHS 24 recognises that our staff are absolutely critical to the effective delivery of services and the success of the organisation as a whole, we therefore recognise that the support and development of our staff must be a key priority if we are to attract and retain highly skilled staff. NHS 24 therefore has a moderate to low appetite for risks concerning staff which could adversely affect our standing as an employer or the experience of the staff working for us. There is a great degree of public scrutiny across the health sector and there is also a high level of interest in NHS 24. The Board recognisees that confidence in the service is an outcome of implementing a successful strategy. As such, the Board is prepared to take considered decisions which have the potential to bring scrutiny to NHS 24, but only where the potential benefits are aligned to strategic objectives and outweigh the risks. Actions will only be progressed where there is effective mitigation in place and the Board will proactively engage and involve stakeholders to manage any reputational consequences. There is a low tolerance for decisions not aligned to strategic priorities. NHS 24 accepts a moderate to low level of operational risk arising from its service delivery. Operational risk will be managed through effective operation of the risk management framework and the governance forums. NHS 24 has a statutory responsibility to maintain the financial balance and sustainability of the organisation and will only accept a low level of risk in delivering against this. NHS 24 is also accountable for the delivery of best value and efficiency in resource allocation and must evidence value add to the NHS Scotland. Therefore, realising benefits and efficient resource allocation are key drivers for NHS 24 in making financial decisions. The Board will accept a moderate to low appetite for risk in this area. 7. Risk Definitions A risk is defined below: A risk is an uncertain future event that could affect the organisation s ability to meet its goals and/or objectives The key aspect of the definition is the uncertainty and the link to the organisation achieving its objectives. Through enabling NHS 24 to consider the uncertainties of future events encourages the organisation to horizon scan for both risks and opportunities. 8

9 There is a wide range of risks that may affect the organisations ability to deliver its strategic objectives. NHS 24 broadly define risk by the definitions below. 9

10 Risk Category Definitions: Business (Financial): risks which result in actual or potential operational loss or missed opportunity, impacting on the ability to manage finances. Business (Operational): Risks which affect the ability to deliver our services resulting from failed or inadequate systems, processes, resources or infrastructure. Business (Strategic): risks which directly threaten NHS 24 from meeting their key strategic objectives or capitalising on opportunities that may support the achievement of NHS Strategic Objectives Staff: risks which impact on the implementation of NHS staff governance. Clinical: risks which impact on patients and the public either directly or indirectly. Reputational and External: risks which have an impact on the reputation of NHS 24 and engagement with stakeholders. 8. Assurance Assurance is a key component of risk management. Figure 3 below outlines three levels of assurance provided within NHS 24. The organisation faces many daily risks and issues that may disrupt the organisation from achieving its objectives. Management controls, local business processes and policies control the initial issues. Risk management allows a structured process that will support the uncertainties out with the daily management controls. The second line provides oversight and challenge to internal controls used in the first line. This is supported by appropriate governance and reporting mechanisms. The Audit & Risk Committee is a key element in the process that is provided with risk management information in order to seek assurance over the risk management process. Section 9 outlines the Governance and Accountability responsibilities. A third line of assurance includes the internal and external audit process. The Audit & Risk Committee appoint independent internal auditors who will develop and deliver on an annual audit programme for the organisation. The internal audit service also provides the NHS 24 Board with independent assurance on: management processes management of corporate risks, including the effectiveness of the controls and other responses to these External audit will focus review of financial statements to ensure they are a true and fair account of past financial performance and current financial position. External audit will also focus beyond the financial aspects and ensure the organisation is discharging its regulatory obligations and internal guidelines. 10

11 Three Lines of Assurance Fig.3 Lines of Assurance 9. Governance & Accountability Within NHS 24, the following governance arrangements apply in relation to risk management. Detailed responsibilities are outlined within the NHS 24 ERM framework. A key focus for improvement of risk governance is to ensure the correct risk management information is presented to the appropriate committee for assurance. A risk management objective is to improve the quality of information that is presented to the groups and committees below. Continual improvement in this area will support decision making within the organisation. Ensuring the responsibilities are clear and assurance on the arrangements in place are effective. 11

12 NHS 24 Risk Management Governance Structure NHS 24 Board Finance of Performance Committee (Business Risk) Audit & Risk Committee (Risk Management process) Staff Governance Committee (Staff risk) Clinical Governance Committee (Clinical Risk) Executive Management Team EMT Risk & Opportunities Sub-Group Operational Risk Management Group Fig.4 NHS 24 Risk Management Governance Structure The above diagram show the governance arrangements in NHS 24 and how they are organised from the Operational Risk Management Group that will focus on the NHS 24 directorate responsibilities, through the Executive Management Team risk sub-group that manages the strategy development. The Board and the Committees are responsible for governance and overall assurance to all stakeholders. NHS 24 Board The Board has overall responsibility for approval and ensuring the organisation adheres to the NHS 24 Strategy. The Board will provide leadership of the organisation and are provided with assurance that effective controls are in place to effectively identify and manage risk. The Board will set the risk appetite for the organisation. Audit & Risk Committee The NHS 24 Board has delegated elements of the function of risk governance to the Audit & Risk Committee. This includes assessing the risk management strategy and methodology. The Audit & Risk Committee has the overall organisational responsibility for 12

13 the risk management process. As part of an improvement plan the Audit & Risk will receive regular updates on the progress against the risk management improvement plan. Clinical Governance Committee This committee is responsible for assessing and ensuring compliance with the risk management arrangements, procedures, and the risk register relating to the risks to the clinical governance standards. Principally seeking assurance that risks in relation to safe, effective, quality care are being managed effectively. Finance and Performance Committee The Finance and Performance Committee require assurance that the organisation is able to manage business risk. This includes financial risks and operational performance risk. Staff Governance Committee This committee assess and ensures compliance with the risk management arrangements and the risk register relating to Staff Governance risks. Supporting management ensure that staff are well informed, appropriately trained and providing a safe working environment. Executive Management Team (EMT) & EMT Risk & Opportunities Sub-Group As a group, the Executive Management Team has a collective responsibility to deliver effective risk management arrangements within NHS 24. This includes responsibilities for horizon scanning in relation to potential risks and the analysis of risks and development of action plans to eliminate or minimise impact. Risks and opportunities will be identified in line with the NHS 24 strategic objectives. The EMT Risks and Opportunities sub-group will manage this responsibility and escalate to EMT where appropriate. Operational Risk Management Group The Operational Risk Management Group seeks to provide assurances to the EMT that the organisation s risk management that management of risks is occurring locally through a structured process. The group is responsible for implementing the ERM Framework. 10. Delegated Authority The following describes the detail and extent of the delegated authority with regard to Risk Management within NHS 24. Chief Executive The Chief Executive has overall accountability for maintaining a sound system of internal control that supports achievement of the Board strategy. Ensuring effective arrangements in place to manage organisational risk. Director of Finance & Performance The Director of Finance & Performance is directly accountable to the Chief Executive and is the executive lead for the risk management strategy, related processes and systems. The Director of Finance & Performance is responsible for overall leadership and co- 13

14 ordination of the risk management agenda for all categories of risk, in partnership with the Medical Director and Director of Nursing & Care in respect of clinical risk Medical Director and Director of Nursing & Care The Medical Director and Director of Nursing & Care are jointly accountable to the NHS 24 Board for leadership and co-ordination of the clinical risk agenda. Director of Human Resources The Director of Human Resources is accountable to the NHS 24 Board for leadership and co-ordination of the staff risk agenda. Executive Directors (Risk Owners) It is the responsibility of each Director for risk management within their area. The responsibilities of directors is set out in the ERM Framework. Below outlines the broad principles: Ensuring appropriate and effective risk management processes are in place within their scope of responsibility Staff are made aware of the risks to achievement of their directorate objectives Implementing and monitoring any identified and appropriate risk management control measures within their designated area Associate Director of Governance & Performance The Associate Director of Governance & Performance is responsible for ensuring appropriate systems, processes and arrangements are in place to manage risks. Head of Risk Management & Resilience The Head of Risk Management & Resilience will facilitate the development of the systems, processes and arrangements to manage risks. Risk Leads Risk Leads are the nominated individuals from either a directorate that have responsibility to ensure that systems and processes are in place to identify risks within their area of the organisation. They are responsible for ensuring that these risks are documented in the risk register and that timely mitigating action takes place to reduce or eliminate these risks. Full responsibilities of the risk lead are set out in the ERM Framework. Staff All staff and contractors within NHS 24 have a responsibility for contributing to the management of risk. Ongoing training and awareness raising will support staff to fulfil their role. 14

15 11. Procedures The following documented procedures are in place to provide a consistent understanding, approach and deployment of the risk management principles within NHS 24. Enterprise Risk Management (ERM) Framework The purpose of the ERM Framework is to provide the methodology, structure and approach that NHS 24 will follow when managing risks. EMT Risks & Opportunities sub-group Terms of Reference Defines the responsibilities of the strategic risks and opportunities within NHS 24 are managed and how this links into the rest of the organisation, the committees, and the Board. Operational Risk Management Group (ORMG) Terms of Reference Defines how the operational aspect of risk management within NHS 24 is governed and how this links into the rest of the organisation, the committees, and the Board. 12. Review & Reporting The following are the main reports regularly produced by the organisation relating to risk. Appropriate trend analysis and presentation of risk management information will be developed and monitored for improvement to best illustrate the Board risk profile. The reporting requirements vary dependent on the type of risk. Risk will be a key focus of each governance committee and will be reflected in the terms of reference of each Committee. Reporting to the Board Risks to the strategic objectives of the organisation will be reported to the Board on a quarterly basis. The risks that are of high impact/consequence will also be presented to the Board. This will include risks that are scored as a 12 and above. The information presented will be continually reviewed and enhanced where possible. Reporting to the Audit & Risk Committee The Audit & Risk Committee has oversight of all types of risk within the organisation. All risks that score 10 or more will be reported to the Audit & Risk Committee for their consideration and review and comment. Reporting to the Governance Committees Relevant risks are reported to the relevant governance committee (as outlined in figure 4.) on a quarterly basis. A risk may be referred to more than one governance committee dependent on the primary and secondary category of risk. The ERM framework outlines the reporting requirements. 15

16 Annual Report The risk management annual report will be delivered to the Audit & Risk Committee annually. 13. Training, Learning & Development The training requirements of staff are considered in the risk management training needs analysis document to provide the key skills and capabilities to NHS 24 staff. The document will be reviewed annually by the Operational Risk Management group. The purpose of the training is to drive the development and awareness of risk management. The EMT will support training and education of risk. 14. Stakeholder Engagement NHS 24 engage with a wide range of stakeholders. A number of mechanisms are in place to facilitate feedback on the services NHS 24 provide. The benefits of the feedback as they may provide early warning signals of a potential threat or opportunity to NHS 24. At an operational level, local processes will ensure that risks are captured, managed and monitored through the ERM framework. At a strategic level, strategic planning will enable stakeholder engagement to be coordinated in pursuit of the strategic objectives. Risks will be managed through the EMT risks and opportunities sub-group. 16