Risk Management Strategy Review
Deloitte recommendations and Implementation Plan

1. Purpose

1.1. This paper provides the results of the annual review of the current Risk Management Strategy. The results of the review establish a benchmark from which CHUFT can measure risk maturity, and set a target for 2014/15.

2. Background

2.1. The Trust Board reviewed and approved version 9 of the Risk Management Strategy in March 2014. The strategy sets out the requirement for a formal evaluation of the implementation of the Risk Management Strategy annually.

3. Review Methodology and Results

3.1. In order to review the Risk Management Strategy Implementation Plan fully and consistently on an annual basis, the Quality Hub has adopted a risk management maturity assessment based on a modified version of the HM Treasury Risk Management Assessment Framework. This self-assessment framework measures the extent to which good risk management policies are being practised across an organisation and is derived from the European Foundation for Quality Management (EFQM) excellence model.

3.2. It covers seven core areas, with each category having an individual assessment that is then aggregated up to provide an overall rating for the Trust.

1. Risk leadership
2. Risk strategy and policies
3. People
4. Partnerships
5. Risk management process
6. Risk handling
7. Outcomes

4. Category and Weighting

4.1. In order to determine the Trust's Overall Risk Maturity Rating, weightings have been applied to categories (weights 1-5) indicating level of importance to the Trust (5 being very important and 1 less so). Weightings applied to the Trust's core areas are:

| Category | Weighting (w) |
|---|---|
| Risk leadership | 4 |
| Risk strategy and policies | 3 |
| People | 3 |
| Partnerships | 2 |
| Risk management process | 2 |
| Risk handling | 3 |
| Outcomes | 5 |

4.2. A baseline self-assessment using this methodology was undertaken in March (year 1) prior to version 9 of the Risk Management Strategy being approved.

| Category | Weighting (w) | Assessed Level (AL) | Score (w x AL) |
|---|---|---|---|
| Risk leadership | 4 | 1 | 4 |
| Risk strategy and policies | 3 | 2 | 6 |
| People | 3 | 2 | 6 |
| Partnerships | 2 | 1 | 2 |
| Risk management process | 2 | 2 | 4 |
| Risk handling | 3 | 2 | 6 |
| Outcomes | 5 | 1 | 5 |
| Total Score | | | 33 |

5. Overall Assessment Levels / Rating

5.1 The overall Risk Maturity Matrix Score for the Trust was 33/110. This translated to an overall risk maturity rating of Level 2: "Approaches for addressing risks are being developed and action plan for implementation being devised".

| Level | Score | Descriptor |
|---|---|---|
| 1 | 1-30 | The organisation has an awareness and understanding of risk management |
| 2 | 31-60 | Approaches for addressing risks are being developed and action plan for implementation being devised |
| 3 | 61-80 | Risk management applied consistently and thoroughly across the organisation |
| 4 | 81-95 | The organisation is proactive in driving, and maintaining the embedding of risk management and integration in all areas of the organisation |
| 5 | 95-110 | The organisation sustains risk capability, organisational & business resilience and commitment to excellence in risk management, leaders regarded as exemplars |

5.2 The following section describes in detail the assessment and implementation plan for CHUFT in 2014/15. The plan is constructed in a tabular format with levels of assessment, core weighting scores and summary evidence that is informed by the February 2014 Deloitte risk report (denoted in red); additional summary evidence has been provided by the Quality Hub. The plan has been designed to improve the CHUFT risk maturity from level 2 in 2013/14 to level 3 in 2014/15.
6. Risk Maturity Detailed Assessment and Implementation Plan (inclusive of Deloitte actions)

A. Leadership

- Level 1 (Awareness & understanding): Top management are aware of need to manage uncertainty and risk and have made resources available to improve
- Level 2 (Implementation planned & in progress): Executive Directors and Non-Executives take the lead to ensure approaches for addressing risk are being developed and implemented
- Level 3 (Implementation in all key areas): Executive Directors act as role models to apply risk management consistently and thoroughly across the organisation
- Level 4 (Embedding and improving): Executive Directors are proactive in driving and maintaining the embedding and integration of risk management; in setting criteria and arrangements for risk management and in providing top down commitment to well managed risk taking to support and encourage innovation and the seizing of opportunities
- Level 5 (Excellent capability established): Executive Directors reinforce and sustain risk capability, organisational & business resilience and commitment to excellence. Leaders regarded as exemplars

Leadership Self Assessment Score: Level 1

Audit Commentary - Summary Evidence / Implementation Plan Requirements 2014/15

- With regard to the Risk Management Strategy ensure: suggested improvements are implemented to develop a comprehensive risk management strategy that is fit for purpose; that the draft is subject to widespread clinical and operational consultation prior to Board ratification and approval; and the document and the approach to risk escalation throughout the organisation is communicated to all staff.
- Ensure that the proposed Quality Impact Assessment process for CIP schemes is: developed in conjunction with clinical teams; includes a requirement for clinical lead sign off for each quality impact assessment; and includes reference to quality indicators to allow tracking post implementation.
- Ensure communications regarding risks to the organisation are delivered effectively through a variety of platforms to ensure full understanding by all staff groups.
- Ensure improved communications to staff regarding changes that have been made as a result of their concerns, for example using "You said, We did" campaigns.
- Review the scope for greater executive participation in operational sub-committees and for more scrutiny of papers at EMT meetings to ensure that there is appropriate Executive oversight prior to consideration of issues at the assurance committees.
- Implement suggested improvements to ensure that BAF is a useful tool and gives value to the Board.
- Version 9 of the Risk Management Strategy to be Board approved in March 2014
- New Corporate Risk Register to be developed, maintained by the Executive Team and presented at each board subcommittee meeting.
- Board Assurance Framework to be designed and populated with 2014 strategic objectives/priorities.
- Board to review content and consider assurances from its sub-committees prior to amending risk rating
- Strategy to be launched and communicated to all staff and stakeholders
- 2014/15 Governance structure to be implemented
- Annual review of risk maturity to be presented to Risk and Assurance Committee
- Language of risk to be included as a part of the organisational dictionary
- Implement suggested improvements to ensure that the CRR is a useful tool and gives value to the Board.
- Senior managers do not know how to apply risk systems to identify or keep their respective risks current
- Risk not used to support innovative service developments
- Accountability arrangements unclear
- Risk not proactively identified via horizon scanning

B. Risk Strategy and Policies

- Level 1 (Awareness & understanding): The need for a risk strategy and related policies has been identified and accepted
- Level 2 (Implementation planned & in progress): A risk management strategy & policies have been drawn up and communicated and being acted upon
- Level 3 (Implementation in all key areas): Risk strategy & policies are communicated effectively and made to work through a framework of processes
- Level 4 (Embedding and improving): Risk strategy & policies are communicated effectively and are an inherent feature of department policies and processes
- Level 5 (Excellent capability established): Risk management aspects of strategy and policy making help to drive the risk agenda and are reviewed and improved; role model status

Risk Strategy and Policies Self Assessment Score: 2

Audit Commentary - Summary Evidence / Implementation Plan Requirements 2014/15

- Develop a risk appetite statement and then align expected behaviours to manage risk within the boundaries set by the appetite statement.
- Current risk strategy (Version 8) is dated and does not reflect organisational structure or roles and responsibilities.
- Horizon scanning, treatment, risk profile, benchmarking.
- Link to risk domains or risk treatment not defined
- Risk Appetite statement to be written and communicated to all relevant staff.
- Implement Risk Management Strategy Version 9, 2014.
- Strategy not supported by plan for improvement or assessment

C. People

- Level 1 (Awareness & understanding): Key people are aware of the need to assess and manage risks and they understand risk concepts and principles
- Level 2 (Implementation planned & in progress): Suitable guidance is available and a training programme has been implemented to develop risk capability
- Level 3 (Implementation in all key areas): A core group of people have the skills & knowledge to manage risk effectively
- Level 4 (Embedding and improving): People are encouraged and supported to be innovative and are generally empowered to take well-managed risks. Most people have relevant skills & knowledge to manage risks effectively and regular training etc. is available for people to enhance their risk skills and fill any gaps
- Level 5 (Excellent capability established): All staff are empowered to be responsible for risk management and see it as an inherent part of the Divisional / Directorate business. They have a good record of innovation and well managed risk taking

People Self Assessment Score: 2

Audit Commentary - Summary Evidence

- Conduct risk management training for all current Board members, focusing on the NHS environment and Trust context. The training should focus on an effective risk management process with emphasis on risk treatment, how to make decisions about risk and using risk appetite.

Implementation Plan Requirements

- All risk training to be evaluated, linked to appraisal system and made mandatory at induction
- Levels of risk training to reflect role and responsibilities of individuals and their respective banding

Audit Commentary - Summary Evidence

- Where necessary, design and implement more comprehensive and customised risk management training to meet the requirements of individual NEDs.
- Consider the need for a wider NED skill set and capability review to identify additional development requirements for NEDs.
- Determine the most appropriate Executive Director to be responsible for non-clinical risk management, to include due consideration of the benefits of combining risk management of clinical and non-clinical risks into a single portfolio.
- Proactively encourage an increase in uptake of training for clinical staff as incident investigators to ensure a wider and more appropriate resource pool for allocation of incidents.

Implementation Plan Requirements

- Board development plan to consider risk management training
- Board risk workshop organised for March 2014
- Access to advice and support to create and maintain risk culture to be the remit of the quality hub.
- Guidance to be created and developed by the quality hub, on an integrated risk management toolkit
- Allocation/delegated overall responsibilities for Risk and Safety to be agreed and reflected in risk management strategy, version 9, 2014.
- Review the training provision and content to all grades of staff in line with the revised Risk Management Strategy.
- Determine the most appropriate Executive Director to be responsible for non-clinical risk management, to include due consideration of the benefits of combining risk management of clinical and non-clinical risks into a single portfolio.
- Risk culture not evident, risk seen as bad news and failure
- Staff not confident risks will be treated or escalated in a timely fashion
- Risks are in silos, not integrated, linked or aligned to other HR issues.

D. Partnerships

- Level 1 (Awareness & understanding): Key people are aware of areas of potential risk with partnerships and understand the need to agree approaches to manage these risks
- Level 2 (Implementation planned & in progress): Approaches for addressing risk with partners are being developed and implemented
- Level 3 (Implementation in all key areas): Risk with partners is managed consistently for key areas and across organisational boundaries
- Level 4 (Embedding and improving): Robust risk management arrangements have been established. The most suitable: partnership arrangement (PFI, arms length etc.); partners; suppliers etc. are selected in full knowledge of the risks, risk management capability & compatibility
- Level 5 (Excellent capability established): Excellent arrangements in place to identify and manage risks with all partners and to monitor and improve performance. Organisation regarded as a role model

Partnerships Self Assessment Score: 1

Audit Commentary - Summary Evidence / Implementation Plan Requirements 2014/15

- No common agreement (risk register, log, shared risk or risk information exchange) with partners.
- No clarity about partnership risk accountability/responsibility identification and treatment.
- No agreement for access to risk information
- Negotiate and agree formal process with partners for risk and risk management arrangements, subject to CEO/Board approval

E. Risk Management Processes

- Level 1 (Awareness & understanding): Some stand-alone risk processes have been identified
- Level 2 (Implementation planned & in progress): Recommended risk management processes are being developed
- Level 3 (Implementation in all key areas): Risk management processes implemented in key areas. Risk capability self-assessment tools used in some areas
- Level 4 (Embedding and improving): Risk management is an integral part of the organisation's core processes (policy, planning, delivery etc.) and data are collected to monitor and improve risk management performance
- Level 5 (Excellent capability established): Management of risk & uncertainty is an integrated part of all business processes. Best practice approaches are used and developed. Selected as a benchmark site by other organisations

Risk Management Processes Self Assessment Score: 2

Audit Commentary - Summary Evidence / Implementation Plan Requirements 2014/15

- Ensure the accountability framework includes a clear understanding of the roles and responsibilities of the triumvirate leadership teams in relation to risk management.
- Ensure the Divisional Directors and their leadership teams have access to appropriate professional development support/training in relation to risk management and more generally.
- Implementation plan to achieve level 3 for 2014/15 in place and agreed
- Risk data capture system (Datix) to be re-mapped against required data fields: Cause, Effect and Impact; Risk Domains; CQC Standards
- Consider the function and role of the Quality Hub, and the support to the divisions in conjunction with the Divisional Directors.
- Continue with the plans to introduce a robust and consistent performance management framework that enables the clinical divisions to operate on an earned autonomy basis, which is supported by the Executive Directors.
- Introduce a programme of education at the Ward, Service and Divisional level aimed at improving awareness around the recording of appropriate risks on the Risk Register.
- Ensure incidents and complaints are jointly analysed with the ability to identify local areas of concern through the process.
- Service, Divisional, and Corporate Risk Register
- Board Assurance Framework
- Integrated risk, safety Incidents and complaint reports to be generated from Datix and presented to relevant board subcommittee and stakeholders
- Validity, reliability and evidence for risk control/mitigation will be scrutinised by the relevant board sub-committee for assurance
- All board sub-committees will close with a request for any items for the risk register
- Audit and re-define use of LEAP process, focussing on SMART action planning.
- Introduce complaint and incident rates and benchmarking data to the suite of divisional management information.
- Expand the programme of internal inspections to ensure that wards are reviewed using the CQC essential standards.
- Introduce a list of minimum requirements for committee papers to comply with, including consideration of associated risks, and a clear and concise overview of the key issues focussing on providing assurance rather than operational detail. This should include a standardised cover sheet.
- Ensure incidents and complaints are jointly analysed with the ability to identify themes, trends and local areas of concern through the process.
- Reconsider the criteria for the completion of LEAPs to ensure that they are meaningful and that staff are able to track implementation and audit to ensure embedded in practice. Also endeavour to look at the changes required for themes
- The Internal Audit forward plan should be developed to incorporate a robust programme around quality governance including review of the complaints and incidents handling processes rather than individual incidents where appropriate.
- Risk not routinely identified or recorded in: Safety and Compliance; Project Management; Operational Management; Performance Management; Business Planning; Spending Review
- Risk not seen as good management practice
- Risk process does not demonstrate: Transparency; Engagement (internal or external); Consistent activities; Validity and reliability of evidence for risk control/mitigation
- Measurement of organisational risk performance/maturity not annually appraised.
- Business continuity risks not seen on risk registers
- Risk escalation process not clear or evidenced
- Risk identification/description poorly defined

F. Risk Handling

- Level 1 (Awareness & understanding): No clear evidence that risk management is being effective
- Level 2 (Implementation planned & in progress): Limited evidence that risk management is being effective in at least most relevant areas
- Level 3 (Implementation in all key areas): Clear evidence that risk management is being effective in all relevant areas
- Level 4 (Embedding and improving): Clear evidence that risks are being handled very effectively in all areas
- Level 5 (Excellent capability established): Very clear evidence of excellent risk handling in all areas and that improvement is being pursued

Risk Handling Self Assessment Score: 2

Audit Commentary - Summary Evidence / Implementation Plan Requirements 2014/15

- Reassess whether the responsibilities of the Quality and Patient Safety Committee are appropriate and manageable within the time available with a view to considering the need to reassign responsibility for performance to another Board Committee.
- Review the adequacy of the administrative support to the committees to ensure that this is not adversely impacting on the ability of members to deliver on agreed actions.
- Implement 2014 governance arrangements
- Provide learning and sharing risk information to comms dept. for dissemination across the trust
- Quality hub to assist divisions in creating KPI matrix for risk management
- Amend the Board agenda so that each committee chair provides a brief written and verbal summary of the key issues arising from the most recent committee meeting, specifically which matters are being escalated for the Board's attention and which have been referred to other committees.
- Quality hub to assist divisions in creating risk registers and develop processes for onward reporting/escalation
- Consider organising the agenda so that any points for escalation are presented just prior to the relevant agenda item. For example, report from QPSC is reported immediately prior to quality agenda rather than at the end of the meeting.
- Provide regular updates to the Audit and Risk Committee on the status and use of Risk Registers at the Ward, Service and Divisional level to include a set of KPIs for the Risk Register.
- Ensure that all ward, departmental and service governance meetings are supported to meet on a monthly or bi-monthly basis and that core agenda items are discussed.
- Little evidence of risks being reduced or controlled
- Risk not being used as an enabler or decision making tool
- Risk outcomes not being utilised as a vehicle for learning and sharing across the organisation

G. Outcomes

- Level 1 (Awareness & understanding): No clear evidence of improved outcomes
- Level 2 (Implementation planned & in progress): Limited evidence of improved outcome performance consistent with improved risk management
- Level 3 (Implementation in all key areas): Clear evidence of significant improvements in outcome performance demonstrated by measures including, where relevant, stakeholders' perceptions
- Level 4 (Embedding and improving): Clear evidence of very significantly improved delivery of outcomes and showing positive and sustained improvement
- Level 5 (Excellent capability established): Excellent evidence of markedly improved delivery of outcomes which compares favourably with other organisations employing best practice

Outcomes Self Assessment Score: 1

Audit Commentary - Summary Evidence / Implementation Plan Requirements 2014/15

- No evidence of risk being used for: Better public services; Sustained improvements; Fewer negative, more positive press reports on delivery; Achievements of business/strategic objectives; Project(s) success; Improved value for money; Delivery within budget; Effective control of fraud; Increased Public confidence; Attract positive comments (staff, partners, stakeholders)
- Share risk management strategy, version 9, 2014 with stakeholders
- Implement 2014/15 risk plan
- Enter CHUFT for national ALARM award for risk management

9. Recommendations

9.1 The Committee is asked to note and discuss the content of this report.

Kevin Street
Associate Director of Governance (interim)