Document Title. Version: 8 Author (name and designation) Trish Armstrong-Child, Director of Nursing

Transcription

1 Document type: Document Title Version: 8 Risk Management Strategy Author (name and designation) Trish Armstrong-Child, Director of Nursing Ratified by: Board of Directors Date ratified: 26 th June 2014 Name of responsible committee/individual: Risk Management Committee Name of Executive Lead: Trish Armstrong-Child, Director of Nursing Master Document Controller: Date uploaded to intranet: 11 th July 2014 Review date: March 2017 Annette Cox, Risk and Assurance Secretary Equality Impact Bolton NHS Foundation Trust strives to ensure equality of opportunity for all service users, local people and the workforce. As an employer and a provider of healthcare Bolton NHSFT aims to ensure that none are placed at a disadvantage as a result of its policies and procedures. This document has therefore been equality impact assessed by the Board of Directors to ensure fairness and consistency for all those covered by it regardless of their individuality. The results are shown in the Equality Impact Assessment (EIA) at appendix J. Version Control Schedule Version Type of Change Date Revisions from previous issues 8 Major March 2014 Duty of Candour added. Changes to risk escalation process New risk grading matrix Additional KPI for training added to monitoring section Risk Appetite matric added Sources of risk added 1

2 Index Executive Summary 4 1. Introduction 6 2. Purpose and Scope 7 3. Strategic Objectives 7 4. Risk Management Organisational Structure 9 5. The Risk Management Process Risk Assessment, Evaluation & Registering Risk Roles and Responsibilities Dissemination and Implementation Training Monitoring Resources Review NHS Constitution Equality Impact Assessment References 33 Appendices A. Governance Structure 34 B. Assurance Map 35 C. Risk Assessment Form 36 D. Risk Evaluation Tool 39 E. Identifying Risks 44 F. Recording Risk 46 G. Risk Escalator 47 H. Risk Appetite for NHS Organisations 48 I. Risk Categorisation Matrix 50 J. Equality Impact Assessment 53

3 RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY N 3

4 Executive Summary Risk Management Strategy Risk management is an integral part of Bolton NHS Foundation Trusts (BFT) approach to quality improvement and good governance and is a central part of the Trust s strategic and operational management. It is the process whereby the Trust identifies, assesses and analyses the risks inherent to and arising from its activities, whether clinical or non-clinical including strategic, financial, workforce or any other and puts in place robust and effective controls to mitigate those risks. The aim of risk management is to improve safety and reduce the probability of failure to meet regulatory compliance requirements or achieve strategic and operational objectives. This strategy describes the systems that the Trust will use to embed risk management throughout the organisation in order to provide assurance that risks are managed and an effective internal control system is in place. The strategy is a trust wide document, and is applicable to employees, as well as seconded and subcontracted staff at all levels of the organisation. The Trust believes that effective risk management is imperative not only to provide a safe environment and improved quality of care for service users and staff, it is also significant in the business planning process where a more competitive and successful edge and public accountability in delivering health services is required. The risk management process involves the identification, evaluation and treatment of risk as part of a continuous process aimed at helping the trust and individuals to reduce the incidence and impact of the risks they face. Risk management is therefore a fundamental part of both the operational and strategic thinking of every part of service delivery within the organisation. The Trust is committed to working in partnership with staff to make risk management a core organisational process and to ensure that it becomes an integral part of the Trust philosophy and activities. This will be achieved by building and sustaining an organisational culture, which encourages appropriate risk taking, effective internal control systems and accountability for organisational learning in order to continuously improve the quality of services. As part of this, the Trust undertakes to ensure that adequate provision of resources, including financial, personal training and information technology in as far as reasonably practicable is made available. This strategy is subject to annual review via the Risk Management Committee and approval at Trust Board every three years. The Trust is committed to a duty of candour by ensuring that all interactions with patients, relatives, carers, the general public, commissioners, governors, staff and regulators are honest, open, transparent and appropriate and conducted in a timely manner. These interactions be they verbal, written or electronic will be conducted in

5 line with the NPSA, Being Open alert, (NPSA/2009/PSA003 available at and other relevant regulatory standards and prevailing legislation and NHS constitution) It is essential in communications with patients that when mistakes are made and/or patients have a poor experience that this is explained in a plain language manner making a clear apology for any harm or distress caused. The Trust will monitor compliance with the principles of both the duty of candour and being open NPSA alert through analysis of claims, complaints and serious untoward incidents recorded within the SAFEGUARD Risk Management System.

6 1. Introduction Bolton NHS Foundation Trust (BFT) is an integrated care organisation providing a wide range of services including community health services. The Trust recognises that the larger and more complex the organisation, more varied the risks it may face. It is therefore crucial that this strategy is a live document which recognises, reflects and responds to the risks faced. The Trust takes a holistic approach to all risk management issues incorporating clinical, business and financial as well as the traditional safety related topics. The Risk Management Strategy provides the Trust with a basis to deliver safe, responsive and continual learning in the provision of high quality services. Bolton NHS Foundation Trust recognises that there are risks in delivering health services. In brief risk can be defined as: The possibility of incurring misfortune or loss; it can arise from SERVICE USERS/RELATIVES/CARERS in contact with our services whether in the community or in hospital, the ENVIRONMENT i.e. buildings, car parks, roads gardens in which the Trust operates, the EQUIPMENT used, the PEOPLE employed by or visiting the Trust or the CLINICAL AND MANAGEMENT SYSTEMS of the Trust In summary, risk can be defined as: What can go wrong and how likely is it to go wrong Risk management is an integral part of the Trust s internal control and is a management responsibility. As part of our continuous quality improvement programme, the identification, evaluation and control of risk will result in the development of safer systems to work and a safer environment. Staff awareness of their responsibility, whatever their role in the organisation, is a key element of risk management. Risk management is vital in contributing towards: ensuring we provide a high quality, safe service to our service users/carers and the staff who care for them; and providing a more cost effective service by eliminating or reducing unnecessary potential risks thus reducing costs The Trust Board recognises that Trust wide quality performance includes being responsive to: ensuring required standards are achieved investing and taking action on substandard performance planning and driving continuous improvement identifying sharing and ensuring delivery of best practice identifying and managing risks to quality of care This strategy has been developed having consulted and considered the nature of the Trust s business. To ensure that these areas are always reflected within

7 the strategy, this document will be reviewed by the Trust Board on an annual basis. The strategy will support the Board and help inform the Board Assurance Framework in identifying and managing all its strategic risks and will in turn support the organisation s strategic plan. From a strategic perspective, the Trust aims to fully understand the current and future risks to the organisation and to ensure that risk reduction/mitigation strategies are developed to address the risks, and provide assurance to the organisation that the controls in place to reduce those risks are working effectively. The system of internal control should: be embedded in the operation of the organisation and form part of the culture be capable of responding quickly to evolving risks include procedures for reporting and escalating any significant control failings immediately to appropriate levels of management 2. Purpose and Scope The purpose of the Risk Management Strategy is to detail the Trust s framework within which the Trust leads, directs and controls risks to its key functions in order to comply with Health and Safety legislation, Foundation Trust Terms of Authorisation and its strategic objectives. The Risk Management Strategy underpins the Trust s reputation and performance and is fully endorsed by the Trust Board. The strategy is to continue to improve the management of risk within the organisation, to assist with implementation of the key priorities within the 2014 Annual Plan. The Trust acknowledges its legal duty to safeguard staff, patients and members of the public. There are also sound moral, financial and good practice reasons for identifying and managing risks. Failure to manage risks effectively can lead to harm/loss/damage in terms of both personal injury but also in terms of loss or damage to the Trust s reputation; financial loss; potential for complaints; litigation and adverse or unwanted publicity. 3. Strategic Objectives Risk can be defined as anything that poses a threat to the achievement of the Trust s objectives, service delivery or patient safety. This may include damage to the reputation of the Trust, which could undermine public confidence. The Trust recognises that it faces a range of risks. Overall, the strategic purpose of this document can be summarised as being to manage all types of risk the Trust may face, including:

8 Risk Strategic Clinical Health and Safety Financial Information Governance Reputation Compliance Description Risks which have the ability to affect the achievement of strategic objectives of the Trust. Also includes risks such as loss of business or breach of contract, reputational risks leading to loss or jeopardising the business of the Trust and risks posed by competitors Risks which have the ability to affect patient care and may cause harm to the patient, including patient safety risks. This covers anything related to the diagnosis, treatment and outcome of each patient s care. Psychological harm or distress is also included. Risks to staffing levels to provide safe, high quality care to patients. Risks relating to recruitment as well as staff conduct, competency, registration and professional practice. This also includes potential future risks to quality through the Trust Cost Improvement Programmes Risks which do not have the ability to directly affect individual patient care or harm the patient in a clinical or treatment focused way, but has the ability to affect patients and others on site such as visitors, contractors and staff. This includes fire, security, environmental and health and safety issues. Risks which have the ability to affect the financial wellbeing of the Trust, including risk of fraud and claims against the Trust. This also includes protecting intellectual property Risks which pose the possibility of a breach of confidentiality, either personal or professional (e.g. leak of information sensitive to the Trust). Protecting and maintaining the reputation of the Trust Ensuring the Trust meets the requirements of external regulators and auditors. It is recognised that the boundaries between these categories are not always clear, and that some risks may fall into more than one category. The Trust Risk Register will hold a record of all risks. BFT is committed to ensuring the safety of patients, staff and the public through the integrated management of all aspects of governance and risk. The Trust recognises that this is best achieved through an environment of honesty and openness, where mistakes and adverse events are identified quickly and dealt with in a positive and responsive way. This commitment is made through the establishment of a formal process for controlling and managing risk, which reports directly to the Trust Board.

9 4. RISK MANAGEMENT ORGANISATIONAL STRUCTURE 4.1 Governance and Risk Management Committees A strong organisational structure, lines of reporting and accountability are key to the delivery of the Trust s risk management objectives. Appendix A outlines the organisational structure of the Trust including lines of reporting. To strengthen the Trust s ability to deliver effective risk management, the organisational structure includes a number of high level Committees with responsibility for risk as appropriate to their function. The Board, the Audit Committee, Quality Assurance Committee, Finance Committee, Risk Management Committee and the Workforce Committee all have a critical function in considering a range of policy and strategic issues covering both clinical and non-clinical activities, and provide a forum for addressing and managing areas of risk. These structures are designed to ensure that there is clear accountability and that information flows quickly to the Board and its committees. In this way the Trust can identify patterns and promote best practices throughout the organisation. The identification of roles and responsibilities provides a culture of transparency of decision-making. 4.2 Board of Directors The Board gains assurance that risks are being appropriately managed throughout the organisation through the Board Assurance Framework (BAF). The Board Assurance Framework includes risks that are associated with the strategic objectives of the organisation. The Board accepts prime responsibility for corporate governance and the development of systems and processes for internal control, including risk management, the Board Assurance Framework and compliance with Care Quality Commission (CQC) regulations. Those risks associated with an initial rating of 15 or more will be escalated to the Executive Director Meeting and will be reported to the appropriate Board Committee. 4.3 Audit Committee The Audit Committee reviews the establishment and maintenance of an effective system of risk management and internal control across the Trust, delegating the management of clinical risk to the Quality Assurance Committee. The Audit Committee provides an oversight of the activities of internal audit, external audit, the local counter fraud service and the assurance on internal control, including compliance with the law and regulations governing the Trust s activities. The Audit Committee is chaired by a Non-Executive Director and membership consists solely of Non-Executive Directors. Board Executives are invited to attend.

10 The full Terms of Reference for the Audit Committee and the key Governance /Risk Committees (updated annually) can be found on the Trusts intranet. The Audit Committee oversee the annual audit programme for the Trust. This includes verifying that the Trust has suitable and effective systems of internal controls with respect to risk management in place. An annual Head of Internal Audit Report is presented to the Audit Committee. 4.4 Quality Assurance Committee The purpose of the Quality Assurance Committee is to assist the Board obtaining assurance that high standards of care are provided and any risks to quality identified and robustly addressed at an early stage. The Committee will work with the Audit Committee to ensure that there are adequate and appropriate quality governance structures, processes and controls in place throughout the Trust to: promote safety and excellence in patient care identify, prioritise and manage risk arising from clinical care ensure efficient and effective use of resources through evidence based clinical practice The Committee is responsible for the following aspects of Risk Management: promote systems which provide assurance and improve the quality of care, safety and experience of patients, carers, staff and visitors to the Trust exercise oversight of the systems of governance and risk management and seek assurance that they are fit-for-purpose, adequately resourced and effectively deployed to concentrate on matters of concern oversee the effective management of risks as appropriate to the purpose of the committee seek assurances that the Trust complies with its own policies and all relevant external regulations and standards of governance and risk management (CQC essential standards of quality and safety) review quality governance and require action to address any noncompliance with Monitors Quality Governance Framework review of relevant external reports including CQC and ensure actions plans are devised and performance managed to address any identified deficiencies in clinical governance monitor and sign off action plans of serious untoward incidents satisfy itself and the Board that structures, processes and responsibilities for identifying and managing risks to patients, staff and the organisation are adequate ensure that standards and procedures relating to risk are embedded throughout the Trust, with mechanisms through the committee for

11 detailed scrutiny of high and significant areas, including consultation with appropriate Trust staff 4.5 Risk Management Committee The Risk Management Committee is a management committee accountable to the Board of Directors. The committee is responsible for determining the most appropriate course of action to manage risk and report this to the Executive team and where appropriate to the Board. The committee will provide reports to the Audit Committee on assurances relating to the effective operation of controls. The committee is responsible for the following aspects of Risk Management: provide leadership to ensure risk is identified and managed proactively in accordance with the Board s risk appetite champion and promote highly-effective risk management practices and ensure that the risk management process and culture are embedded throughout the organisation maximise the delivery of objectives through an effective control system keep risk under prudent control at all times and minimise over exposure to risk improve the standard of decision making on risk management To receive and review the BAF bi-monthly and agree corporate risks for addition to the BAF 4.6 Finance and Investment Committee The Finance and Investment Committee supports and advises the Board on all aspects of the Trust s Annual, Medium and Long Term Financial Plans and recommends adoption of the plans to the Board of Directors. The Committee is responsible for the following aspect of Risk Management: To oversee Financial Risk Assessment and Financial Risk Management 4.7 Workforce Committee The purpose of the Workforce Committee is to support and advise the Board on Human Resource performance, strategic plans and programmes and policy and strategic direction. The Committee is responsible for the following aspects of Risk Management: The monitoring of recruitment of staff in accordance with the CQC Essential Standards of Quality and Safety. For overall Assurance Map on the interaction between the Committees and the Groups see Appendix B

12 4.9 Internal Audit The Trust currently uses Pricewaterhouse Coopers (PwC) as its Internal Auditors that meets mandatory NHS Internal Audit Standards and provides appropriate independent assurance to the Audit Committee, Chief Executive and Board. They primarily provide an independent and objective opinion to the Trust on the degree to which risk management, control and governance processes support the achievement of the Trust s objectives. Further, the Trust s Medical Director will also set out an annual clinical audit forward programme and report results back to the Clinical Governance and Quality Committee External Audit The Trust s external auditors are KPMG. External Audit is an essential element of corporate governance, contributing to the stewardship and process of accountability for use of resources. The scope of audits is extended to cover not just financial statements but the arrangements to secure value for money. This reports into the Audit Committee Approaches to Risk Bolton NHS Foundation Trust will adopt the following approaches to risk management: Pro-active approaches to risk management (see also appendix G) Developing and maintaining the BAF and Risk Registers Ensuring a consistent approach to risk assessments/development of risk registers through implementation of this policy and the Trust Online Risk Register Devising robust systems of maintaining policies and procedures across the organisation Putting in place policies to ensure achievement of corporate objectives and mitigating risks associated with their achievement e.g. Incident and Serious incident Reporting Policy, Health and Safety Policy Ensuring an effective Safety Alert System Clinical Audit Ensuring efficient Emergency Planning and Business Continuity Planning Ensuring appropriate response to recommendations of National Institute of Clinical Excellence (NICE) guidelines Ensuring training and development of staff Reactive approaches to risk management through (see also appendix G) Near-miss and Incident reporting process

13 Serious Incident Reporting Complaints and Patient Advice and Liaison Service (PALS) contacts Claims Management Implementing recommendations from National Enquiries, internal/external reviews/recommendations etc Implementing legislative changes to those resulting from changes in national policy Using information in public domain published by the regulatory bodies 4.12 Risk Taking, Appetite, Tolerance and Opportunities (see appendix H) Risk Taking The Bolton NHS Foundation Trust acknowledges that in delivering health improvements and in embracing positive advantages it may involve taking risks. We cannot create a risk free environment, but rather one in which risk is considered as an integral part of everything we do and is appropriately identified and controlled. Risk Appetite Bolton NHS Foundation Trust will need to establish the risk appetite of the organisation. Risk appetite is the amount of risk that any organisation is prepared to accept, or tolerate, or be exposed to at any point in time and every risk needs to be assessed for the acceptable level of risk appetite (see appendix H) Risk Tolerance Risk tolerance is the acceptable level of variation relative to achievement of an individual objective. It is the amount of risk to which a programme or an activity is prepared to be exposed to or that its resources allow it to be exposed to, before actions become necessary. The Trust has set its tolerance threshold for acceptable risk at medium. This threshold is set in expectation of what risks are likely to be actually realised and the resources needed to realistically control them. Below this level all risks are monitored and evaluated on an on-going basis to confirm or reassess that rating. All risks at and above this threshold (at any level of the organisation) are actively managed and mitigating actions taken to bring the risks back to within tolerance. Risks and Opportunities Risk is not always negative or representing loss, hazard, harm and adverse consequences. The Trust acknowledges that as part of risk assessment process, the possibility of upside risk or opportunity must be explored i.e. uncertainties that could have a beneficial effect on achieving objectives.

14 5. THE RISK MANAGEMENT PROCESS 5.1 Accepted risks Bolton NHS Foundation Trust is committed to minimising all risks to as low as reasonably practicable. However, it is not realistic to aim to eliminate or reduce all risks. In many instances it is necessary to make judgements as to whether the benefits to be gained by taking a specific risk outweigh the risk itself. There is always a balance to be struck between risk and benefit. Accepted risks are formally reviewed at least quarterly by the appropriate locality to ensure the controls are still sufficient to keep the risk at the accepted level. If the risk has remained at the appropriate level for a 12 month period these risks can be closed off. Risk management is having in place a corporate and systematic process for reporting and evaluating the impact of risk in a cost effective way and having staff with the appropriate skills to identify and assess the potential for risk to arise. The Risk Management Process provides a framework by which organisational risks are identified, reviewed and monitored. This is achieved through the following stages: Risks are: Identified from a diverse range of sources, including front line staff Recorded on the Risk Register Subject to robust and effective reporting and review arrangements Escalated to the Board Assurance Framework (where and when appropriate) Subject to effective monitoring Aims of the Trust Risk Management Framework: To safeguard and enhance the quality of healthcare provided To protect the services, reputation and finances of the Trust To promote risk management as an explicit part of the function of individual staff members and the organisation so that staff may operate according to clear policies, standards and protocols, which are monitored and reviewed through the process of audit, including clinical audit To identify, assess, reduce and manage risk to people who use the service, staff who provide the service and others, for example visitors, contractors and the general public To reduce the incidence of actual harm from suicide, deliberate selfharm, violence, self-neglect, abuse, exploitation, accidents to staff and other non-clinical incidents

15 To ensure risks and the achievement of the Trusts annual objectives set by the Trust Board are identified and managed, and to promote an awareness of a risk management culture within the Trust To identify any future risks to the Trust through review of national enquiries and learning and recommendations for health organisations To ensure Cost Improvement Programmes are fully assessed for the impact they may have on the quality of services delivered, as well as for the financial impact and delivery To monitor the market position of the Trust and its strengths and weaknesses in relation to its competitors To provide assurance to the Board that risk controls are effective 5.2 The Trust Risk Register The Trust Risk Register is a log of all risks (operational and strategic) that threaten BFT s success in achieving its objectives. It is a dynamic living document which is populated through the organisation risk assessment and evaluation process. The risk registers (divisional and corporate) enables risks to be quantified and ranked and provides a structure for collating information about risks. Safeguard is Bolton Foundation Trust s Risk Management system and is used to manage and report risk from a variety of sources by all services throughout the Trust. Each Team/Service undertakes risk assessments which feed into the Divisional level Risk Register. These registers will include identified risks related to both strategic and local objectives e.g. those related to key performance targets, as well as departmental risks of high rating. Action required to mitigate risks should be identified within the directorate and documented within the risk registers. The Divisional risk registers are collated to form the single Trust Risk Register. Risks are treated and filtered upwards through different levels of management to the Board. These risks will be combined with the strategic risks thus allowing for a bottom up/ top down approach to identifying the Trust s principle risks and informing the Board Assurance Framework. (See appendix G). This empowers risk management decision making to occur as near as practicable to the risk source. In addition, significant risks and those that cannot be treated can be passed upwards to the appropriate level. 5.3 Escalation of Risk Strategic Risk Register (Appendix G) The Trust operates an escalation process depending on the level of risk identified, this determines whether risks can be managed at Directorate/Divisional (operational) level i.e. negligible, minor or moderate risks or need to be escalated to Trust level and managed via the Corporate Risk Register.

16 The highest ranking risks assessed at 15 and above from the Divisional level and any risk impacting across the Trust will be used to populate and inform the Trust s Corporate Risk Register. The Corporate Risk Register risks rated at 15 or above is monitored and reviewed at the Risk Management Committee meeting monthly. This proactive approach to risk management is holistic and intends to identify all risks to the operation, including clinical, organisational, health and safety, business, marketing and financial. The Trust Board carries out a risk analysis as part of the development of the Trust s Annual Plan. A risk action plan will be developed to contain details of each action required to treat the identified principle risks, and will be set out in the Board Assurance Framework. A rolling programme of review is in place to ensure that the risks are appropriately captured, accurately recorded and scored, mitigated by appropriate actions, reviewed at directorate level and escalated to the Board when necessary via its committees. The Divisions review all relevant corporate and local risks at all levels on their risk registers at the Divisional Governance Boards on a monthly basis to monitor progress of the implementation of action plans. They have authority to adjust the risk level as actions are put in place to close gaps, and/or accept risk if necessary. This is carried out monthly and presented to the Risk Management Committee. 5.4 The Board Assurance Framework The Board Assurance Framework (BAF) is a statutory requirement and is a management tool that provides the Trust Board with evidence that effective controls and assurance are in place to manage the key risks associated with achieving its principle strategic objectives. It provides the Trust with a simple but comprehensive method of describing the organisation s objectives, identifying the key risks to their achievement and the gaps in assurances on which the Board relies. It is maintained by the Trust Secretary and reviewed at the Risk Management Committee. The BAF is reviewed in its entirety by the Audit Committee three times a year. The key risks and actions to mitigate the risks, target date for achievement of actions and a summary statement, drive and shape the Trust Board agenda. The BAF will be reported to, and reviewed by the Trust Board twice a year. There is a clear relationship between the BAF and the Trust s Risk Register. For example if a report is received by the Trust that heightens the risk of achieving a particular strategic objective then it should be featured within the BAF and also identified as a significant risk within the Risk Register. Similarly

17 if a major risk featured in the Risk Register has the potential to impact on the achievement of strategic objectives then, as such this should be recorded in the BAF. Clear plans of action must be put in place to reduce extreme risks and will be overseen by the Audit Committee and Trust Board. 6. RISK ASSESSMENT, EVALUATION AND REGISTERING RISKS 6.1 Risk Assessment All risks that are proactively identified will be assessed using the Trust risk grading matrix (appendix J). The risk assessment process may identify single or multiple risks that require the creation of a risk record(s) and entry onto the Trust Local or Corporate risk register. For risks identified reactively e.g. from incident, complaint, claim etc. a risk record can be created directly onto the Trust risk register or can follow the risk assessment route. The first stage is to identify the risks the Trust carries. This will be achieved by considering the Trust strategic objectives and the areas ability to achieve these. Other considerations are listed in Appendix F. It should be noted that the list is not exhaustive. It is unlikely that one particular method of identification will be sufficient to address all the hazards faced by the Trust, therefore a combination of methods will be required to ensure that there are no gaps in hazard identification. Risk assessments will be carried out by staff in line with Trusts How to do a Risk Assessment, Appendix D to ensure Trust wide consistency. Risk assessments and associated reports will be discussed with the appropriate managers/clinicians to agree actions to mitigate or reduce potential risks. Systems for risk assessment will provide a structured method to: Identify hazards Establish which hazards are most dangerous and to whom Assess adequacy of existing precautions and controls Assess how likely is it to occur and what the impact would generally be if it occurs Multiply the likelihood score by the impact score using the matrix to define the level of risk severity Assign responsibility to an appropriate senior manager or clinician Devise plans to meet any shortcomings Establish how changes can be introduced 6.2 Risk Evaluation Risks are evaluated to establish the level of risk as part of the Risk Assessment process above, using one tool enabling a systematic approach to

18 risk evaluation See Appendix J. The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks. Bolton NHS Foundation Trust will utilise three risk ratings; current, target and residual Current risk rating reflects the controls that are currently in place to mitigate the risk; Target risk rating is realistically the level of risk that would be acceptable once all actions have been implemented; this is the level of risk that is reasonably expected once all controls are in place and active. Residual risk rating is the risk that is left once all actions have been implemented this be may differ from the target risk rating that is expected. The residual risk will be the acceptable level of risk determined by the Trust. 6.3 Registering Risks - Risk Record A risk is formally registered through the creation of a risk record. The risk record is an electronic record of the risk and associated actions required to mitigate the risk, maintained via the Trust risk register. Each risk will have a risk handler assigned. The risk handler will advise whether a risk will form part of the Trust local or corporate risk register e.g. a risk which does not impact on strategic objectives of the Trust would be registered and managed at a local level and assigned to an appropriate manager (risk lead). Ideally the appropriate manager is the Risk Manager for corporate risks and operational leads for local level risks. Corporate risks will also be assigned an executive lead. 6.4 Risk Register The Trust records risks on Risk Registers, this provides a tool to help the ongoing management and review of identified risks and through a process of risk grading allows managers to prioritise risk reduction activities. The Trust operates two types of risk registers, both following the same format, local registers and a corporate register defined by the risk locality. The corporate risk register feeds into the BAF which includes the key risks to corporate objectives Corporate risk register: refers to those risks that would affect the delivery of the Trust principle/strategic objectives; or impacts across the Trust i.e. not divisional specific Local risk register: refers to a level lower than the corporate risk register department/ward/divisional/directorate or specialist group level risks that are important to these areas but are not likely to impact at Trust strategic level. Areas from ward/department level upwards are able to access risks relevant to their area making the on-going management of risks simpler. Risks will be defined as local risks or corporate risks (risk locality). It will be possible to have a high local risk that is not on the corporate risk register if the filtering

19 mechanism agrees to this. The filtering mechanism will be Risk Handlers in the first instance and then Divisional Governance Boards for clinical areas or Executive Directors/Directors in the case of non-clinical risk. Verification or rejection on the CRR, and assignment to the Executive lead is through the Risk Management Committee. Once actions have been taken to manage risks and local management has been proved effective a risk may be closed Risk Treatment For each risk identified within Bolton NHS Foundation Trust that is added to the risk register, a risk treatment plan will also be identified and attached to each risk. These plans will include detail on the following: A description of the risk Current control measures Current risk rating Target risk rating Identified actions to mitigate the risk Who has responsibility for implementing the risk treatment plan Committee with responsibility for monitoring progress with the risk treatment plan Expected date of implementation Review dates Residual risk rating The organisation will be expected to evidence that such plans have been produced as a result of the risk management process. Risk Treatment Plan should be included within the SAFEGUARD Risk Register for each identified risk 6.5 Risk Management Framework The Trust operates an escalation/de-escalation process depending on the level and locality of the risk identified, this determines whether risks can be managed at local level, or needs to be escalated to corporate level and managed via the Corporate Register. 6.6 Escalation/De-escalation Escalation: Medium-High Level Risk that cannot be reduced locally or poses a significant risk to the organisation and its objectives are escalated to the corporate risk register for on-going monitoring by the Risk Management Committee (medium-high) and the Trust Board (high) De-escalation: Corporate risks reduced to a low level following mitigation of the residual risk will be de-escalated for local management but will remain on the corporate risk register. High-level corporate risks which have been reduced to a medium residual risk will be de-escalated by the Trust Board to the Risk Management Committee.

20 6.6.3 De-activation: Risks will be de-activated from the risk register when the risk is fully controlled and no longer poses any threat to the Trust or when the risk is transferred. 7. ROLES AND RESPONSIBILITIES OF KEY INDIVIDUALS All staff are responsible for managing risk. They have a key role in identifying, reporting and escalating risks and incidents promptly, thereby allowing risks to be managed and added to the risk register if appropriate. In addition, staff have a responsibility for taking steps to avoid injuries and risks to patients, staff and visitors. The duties and roles of key individuals responsible for advising and coordinating risk management activities can be summarised as follows: 7.1 The Board of Directors The Board of Directors is required to have the capability within is structure to carry out its roles and functions in relation to risk as defined in Monitor s Risk Assessment Framework. The Accountable Officer, the Chief Executive has a specific responsibility for internal control, and the Board has a collective responsibility to ensure that the direction, once set, is being followed. 7.2 Chief Executive The Chief Executive has overall responsibility and accountability for risk with the Trust. The Chief Executive is responsible for the Trust Risk Register. The Chief Executive will sign an annual Statement of Internal Control, outlining the Trust s governance and assurance systems, and a Statement of Accounting Officer Responsibilities which are submitted to Monitor, and published in the Trust s Annual Report. The Chief Executive provides leadership and strategic direction to risk management processes. This responsibility includes consideration of the Trust s Risk Register and resource allocation relating to the significant risks of the Trust. 7.3 Chair of the Audit Committee There is a named non-executive director who has responsibility for risk management and chairs the Audit Committee. 7.4 Director of Nursing The Director of Nursing has the responsibility for the production of key documents such as the Trust s Quality Account and for developing processes

21 to improve the Quality of services provided by the Trust. The Director of Nursing also holds responsibility for the Trust on non-compliance with the CQC essential standards and is the Director for Infection Prevention and Control (DIPC). 7.5 Director of Finance The Director of Finance is responsible for the management of financial risks and ensuring that any significant risks are brought to the attention of the Board. The Director of Finance ensures that the Trust carries out its business providing healthcare within sound Financial Governance arrangements that are controlled and monitored through robust audit and accounting mechanisms that are open to public scrutiny on an annual basis. 7.6 Director of Workforce and Organisational Development The Director of Workforce and OD is responsible for the management of risk in relation to staff, including recruitment processes and staff side negotiations, and for ensuring appropriate processes are in place to manage any workforce associated risks. 7.7 Medical Director The Medical Director has responsibility and authority for risk management relating to their professional fields. Acts as Caldicott Guardian. 7.8 Chief Operating Officer The Chief Operating Officer is responsible for the operation of clinical services, IT and Estates and has responsibility and authority for risks arising from these services. The Chief Operating Officer is the Senior Information Risk Owner (SIRO). 7.9 Trust Secretary Leads on the management of strategic risk within the organisation and is responsible for: ensuring compliance with the Constitution regular reviews of the Trust Risk Register ensuring appropriate training is given to Board members on risk management accessing and providing legal advice where appropriate maintaining the Trust Policy Database, to ensure version control, and Records Management

22 production of the Annual Governance Statement and the Board Assurance Framework maintenance of appropriate insurances and indemnities ensuring compliance with Freedom of Information 7.10 Head of Governance The Head of Governance reports to the Director of Nursing and is responsible for conducting/overseeing a programme of clinical risk assessments, root cause analysis and incident reporting throughout the Trust to ensure where possible an integrated risk management approach, and is the major interface between the Trust and overall quality with external bodies, i.e. Monitor, CQC and NHSLA. Risk Manager The Risk Manager reports to the Head of Governance and is responsible for the management of the Trust s SAFEGUARD risk management system and is responsible for the line management of the Risk Co-ordinators The Risk Manager will also provide mandatory training to all staff in risk management and will act as a focal point of expertise within the Risk and Assurance Department Patient Safety Lead Practitioner The Patient Safety Lead Practitioner reports to the Medical Director and Director of Nursing and is responsible for the day-to-day management of clinical audit and effectiveness, across the Trust Health and Safety Manager The Health and Safety Manager oversees the Trust Health and Safety Advisors who provide speciality advice to managers to maintain best health and safety practice. The Health and Safety Manager acts as a Trust link with the Health and Safety Executive and ensures Trust wide Health and Safety Audits are undertaken and action plans carried forward within directorates. The Health and Safety Manager will ensure RIDDOR reportable adverse incidents are reported to the HSE and identifies trends to mitigate reoccurrence Local Security Management Specialist (LSMS) The Chief Operating Officer is supported by an appropriately qualified Local Security Management Specialist who is responsible for ensuring the requirements of the Secretary of State Directorate for Security Management are completed within the Trust. The LSMS also works with the police to prosecute individuals for physical assault against staff and support staff after adverse incidents and through legal proceedings, as well as ensuring proactive

23 actions are taken to safeguard Trust premises and assets. The role is also to investigate all cases of loss to ensure robust procedures are in place and being followed Senior Information Risk Owner (SIRO) COO (7.8) Acts as the lead to foster a culture that values, protects and uses information for the success of the organisation and benefit of its customers: Advise the Chief Executive on Information Risk Aspects Ensure incidents are reported via the Incident Reporting System 7.15 Caldicott Guardian The Medical Director is the Caldicott Guardian and represents and champions confidentiality requirements and issues within the organisation to ensure that NHS and partner organisations satisfy the highest practical standards for handling patient information, and will act as the conscience of the organisation Divisional Management Team (Head of Division (HoD), Divisional Directors of Operations (DDO), Professional Lead (PL) Are responsible for compliance with this strategy and for ensuring that remedial action is taken wherever key risks are identified within their area of responsibility, including: Ensuring that appropriate and effective risk management processes are in place within their designated area(s) and scope of responsibility Ensuring Risk Assessments are undertaken and action implemented Are responsible for implementing and monitoring any identified and appropriate risk management control measures within their designated area(s) and scope of responsibility Ensuring staff undertake mandatory and statutory training Ensuring the reporting of Adverse Incidents is undertaken, together with action to prevent or minimise a reoccurrence Risks should be dealt with at a management level appropriate to the assessed rating as follows: Low risk Moderate risk High risk - individual staff/first line manager - hospital/service manager - Director/Chief Executive 7.17 Risk Handlers: Divisional Governance Leads, Risk Manager and Health and Safety Manager

24 These teams are able to advise about risks, facilitate risk assessments, assist in incorporating risks onto the relevant risk registers for their areas and verify risks for inclusion and onward management on the local risk register or reject the risk if more work/information is required All Trust Employees All employees of the Trust have a responsibility to: 7.19 Specialist Advice Ensure they work in accordance with all policies and procedures Ensure they practice within the standards of their professional bodies, any other national standards and any locally determined clinical policies and guidelines to ensure their practice is as risk free as possible Identify through their own departments self-assessment process and line management arrangements, any risks they feel exist within the service and their practice Provide incident reports and supporting documentation for any unexpected event or incident arising from clinical care or treatment provided Ensure they attend induction and receive mandatory update training on risk management policy and procedures. Advice and expertise in specific areas of risk is available from: Caldicott Guardian Research and Development Manager (Research Governance) Divisional Governance Leads Head of Governance Trust Secretary Director of Estates and Facilities Fire Officer Health and Safety Team Infection Control Lead Nurse Local Security Management Specialist Local Counter Fraud Management Specialist Senior Information Risk Owner Information Governance Risks 7.20 Learning The Trust will continue to promote an open learning culture to identify and disseminate local examples of good practice. This includes systems of information sharing, collation, monitoring, analysis and reporting of themes and trends arising from the data of complaints, incidents and patient and carer feedback to give early warning or emerging patterns of risk behaviour, in the interests of patient safety. This facilitates the detection of problems, failures

25 and trends in the management of risk; promotion and participation in audit projects within clinical risk; and ensuring information is disseminated through clinical and operational management structures. The following describes how the Trust learns from its risk management processes: Adverse incidents, complaints and claims are collated and analysed in monthly reports and discussed at the Quality Assurance Committee and disseminated to Directorate Management Teams for consideration of trends and shared learning; A focus on clinical risk at team away days with lessons to be learnt and practice changes identified through a cycle of audit for significant actions to demonstrate improvement; National reports and external enquiries are reviewed at the Quality Assurance Committee. A local action plan is drawn up and implemented via Directorate Management Groups; Adaptations to training programmes are made in response to learning from identified/managed risks Financial forecasts are adjusted in the light of identified risks In addition, identified groups receive daily incident reports

26 Risk Escalation Process 7.21 Risk Register Low Risk: Coded Green Risks assessed at this level will be managed locally and will appear on the local risk registers. These risks will still need to be reviewed to ensure controls remain robust and risk does not change Medium Risk Coded Amber Medium risks may be held at corporate and/or local level if this is deemed appropriate by either the RMC/local level. If the risk is of a corporate nature i.e. impacts across the Trust this will be included onto the corporate risk register regardless of score. If these risks cannot be managed by the Division then they will be escalated to the Risk Management Committee for consideration and debate High Risks Coded Red Risks assessed at this level need action to reduce the risk level and monitoring to ensure this is happening in a timely fashion. It may be decided by the Trust Board that in the short term, the only acceptable response may be to suspend the activity associated with the risk. High level risks will still need to be managed by local areas; however a decision on mitigation may need to be made by either the RMC or the Board. These risks will be escalated to the Risk Management Committee on a quarterly basis Review of the Corporate Risk Register Corporate risks are reviewed quarterly by the Risk Management Committee (RMC). Where the resolution of a risk needs funding beyond available budgets, a business case will be developed as part of the Trust s business planning process; this will include an assessment of risk to the achievement of the Trust objective should the business case not be agreed. Those corporate risks, which remain at a high level when all available controls have been put in place, will be reported to Quality Assurance Committee to determine that the risk will be accepted and if escalation to Board is required. 8. DISSEMINATION AND IMPLEMENTATION The Risk Management Strategy (including the Board Assurance Framework) will be available to all staff via the Trust Policy Information Management System. Staff will be alerted to the strategy by a general and Team Brief Current staff will be updated on changes to this document through Trust intranet, and risk management /governance meetings within their area.

27 9. TRAINING A programme of risk management is provided for all employees as outlined within the Trust Training Needs Analysis as described in the Trusts Statutory Mandatory Training Policy which includes a description of risk management training requirements covering: Relevant staff groups Frequency of training Attendance and follow up on non-attendance All new employees receive risk management training at the Mandatory Corporate Induction programme which includes risk awareness training as well as Health and Safety, Fire and Manual Handling. The reporting and monitoring of compliance and the processes the Trust follows when gaps in compliance are identified are managed through the process described in the Trust Statutory Mandatory Training Policy. 10. MONITORING COMPLIANCE All risks including incidents, complaints and claims that have been identified/reported will be responded to immediately. The emphasis is for investigation and action to take place at the level of assessed risk or through the incident reporting process. Specialist input should be sought if required. All managers will review their incidents on an on-going basis to identify any trends and to ensure action is taken promptly. External quality assurance processes include: Care Quality Commission (CQC Visits) NICE Quality Standards Patient Safety Alerts External Audit The Risk Management processes are also subject to external reviews by the CQC and the Health and Safety Executive (HSE)

28 Monitoring Compliance with the Risk Management Strategy Element to be monitored What needs Monitoring Risk Management Systems and Processes Corporate risk registers and exception reports from RMC Board Assurance Framework Lead Who will lead on this aspect of monitoring name the lead and job title Internal Audit Trust Board AC/RMC Trust Board Tool/ Methodology What tool will I use to monitor/chec k that everything is working Frequency How often will we need to monitor/ frequency Reporting arrangements Who or what committee will I report the results to for information and action Audit Annually Audit Committee (AC) Committee meetings Committee meetings Committee meetings Quarterly Risk Management Committee (RMC) Action Lead(s) Who will undertake the action planning for deficiencies Risk Manager/Head of Governance Trust Secretary/ Head of Governance Change in practice and lessons to be shared How will changes be implemented and lessons shared Required changes to practice will be identified and actioned within a specific time frame. A lead member of the team along with Governance Leads will be identified to take each change forward where appropriate lessons will be shared with all relevant stakeholders. Required changes to practice will be identified and actioned within a specific time frame. The Head of Governance will be identified to take each change forward where appropriate and report to RMC Quarterly Trust Board Trust Secretary Required changes to practice will be identified and actioned within a specific timeframe. The Trust Secretary will take any changes forward where appropriate

29 Element to be monitored Terms of Reference of each Board Committee checked to ensure reporting structures remain compliant Risk Management Training Lead Chair of RMC/ Chair AC Head of Governance Tool/ Methodology Committee meeting discussion Evaluation forms Frequency Reporting arrangements Action Lead(s) Annually Trust Board Trust secretary/ Head of Governance Quarterly RMC Head of Governance Change in practice and lessons to be shared Board approved Terms of Reference disseminated to committee members Risk Manager/Head of Governance will review training as a result of feedback from staff.

30 Monitoring Compliance with the risk management process Element to be monitored What needs Monitoring Risk assessments risk registers Lead Who will lead on this aspect of monitoring name the lead and job title Divisional Governance Leads Risk Manager Tool/ Methodology What tool will I use to monitor/check that everything is working according to this element of the policy Check current risk assessment form used Review, moderate and check for consistency against Trust agreed risk evaluation tool Risk Registers are being used effectively in all areas Frequency How often will we need to monitor/ frequency All risks transferred onto a local or corporate risk register monthly Monthly Reporting arrangements Who or what committee will I report the results to for information and action Relevant Divisional Governance Board by exception Overdue actions highlighted to assigned management lead; risk register reports show overdue actions in redproduced for informal meeting, Action Lead(s) Who will undertake the action planning for deficiencies Relevant clinical, corporate Divisional Governance Lead Governance Leads Change in practice and lessons to be shared How will changes be implemented and lessons shared Required changes to practice will be identified and actioned within a specific time frame. A lead member of the team will be identified to take each change forward where appropriate and lessons will be shared with all relevant stakeholders If overdue actions are reported to RMC the committee will ask searching questions as to why an action has not been progressed, the relevant Governance Lead/Executive will be tasked with ensuring this is moved forward. The Executive Director will then report this down to the relevant senior managers for action.

31 Element to be monitored Risk escalation process Lead Risks are escalated to the corporate risk register and to the RMC/Board as appropriate Tool/ Methodology Reports and minutes of meetings Frequency For each new risk escalated bi-monthly Reporting arrangements divisional governance meetings and for RMC/Board RMC Action Lead(s) Head of Governance Change in practice and lessons to be shared Feedback to divisions/regular meetings with key personnel to ensure risks are escalated appropriately.

32 11. RESOURCES Board decisions should clearly demonstrate how resources for risk management are prioritised. When resources are prioritised by Board level debate, the reasons supporting the decision will be fully recorded in the minutes of the meeting. 12. REVIEW The Trust Board will review this strategy every three years and the Risk Management Committee will review it annually. 13. NHS CONSTITUTION The Trust is committed to the principles and values of the NHS Constitution and this document takes into account these principles and values. 14. EQUALITY IMPACT ASSESSMENT The Trust is committed to promoting equality of opportunity for all its employees and the population it serves. The Trust aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. This document has been equality impact assessed Definitions Hazard Likelihood Consequence Risk Risk Assessment Risk Management Anything that has the potential to cause injury, loss, damage or harm A measure of the probability that the predicted harm, loss or damage will occur A measure of the impact that the predicted harm, loss or damage would have on the people, property or objectives affected What can go wrong and how likely is it to go wrong The process by which hazards are identified and the risk rated using tools implemented by the Trust for use by all employees. Assessments can either be general or specific, but will be undertaken by competent persons who have received appropriate degree of information, instruction and training Risk management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk. This includes the application of Health and Safety Regulations in every day working activity

33 Risk Matrix Risk Register Strategic Risk Register Control Residual risk The tool that is used to score each risk and determine its place on divisional and corporate risk registers, levels of authority are determined through the matrix and this will provide a priority list for managers to use within their respective area of control Is a log of all risks (operational and strategic) that threaten the organisations success in achieving its objectives The highest-ranking risks assessed at 12 and above from the Directorate level will be used to populate and inform the Trust s Strategic Risk Register The control of risk involves taking steps to reduce the risk from occurring such as application of policies or procedures Are those which remain after considering the controls in place to reduce the risk and the implementation of any additional controls that may have been identified as necessary 15. REFERENCES Risk Assessment Framework, Monitor, August 2013 The NHS Foundation Trust Code of Governance, Monitor, March 2010 Quality Governance Framework, Monitor, March 2010 Essential Standards of Quality and Safety, Care Quality Commission, 2010 Integrated Governance Handbook: 2006 The Audit Committee Handbook: 2006 Board Assurance Frameworks: A simple rules guide for the NHS 2009 The Health NHS Board Principles for Good Governance, National Leadership Council, 2010 Taking it on Trust, Audit Commission 2009 NHSLA Risk Management Standards, 2012/13 NHSLA Risk Management Strategy Checklist, March 2012

34 Appendix A Bolton NHS Foundation Trust Board and Committee structure and Local Risk Groups and Committees Council of Governors Board of Directors Audit Committee Internal Audit External Audit Clinical Audit Exec Directors Quality Assurance Committee Executive Board/PAF Risk Management Committee Finance and Investment Committee Clinical Governance and Quality Committee PEIP Committee Workforce Committee Informatics Committee Medicines Management Health &Safety Committee CRIG Estates Committee Infection Control Mortality Reduction Resuscitation Thrombosis Nutrition Advisory Critical Care End of Life Safeguarding Research Governance Blood transfusion PAG Equality steering group Medical Education Board E Rostering Project Board Education Governance Data quality sub group Information governance Web development group Medicines management safety group Antimicrobial committee Fire Security Moving and Handling Radiation protection HAB/SABS Medical Devices Emergency planning Updated April 2013

35 Assurance Map - Board to Ward/Floor Visibility of Risk Management Process Outline Appendix B Report Purpose Reviewed by Frequency Sourcing Risk from: Board Assurance Framework Identify, assess and manage all risks to the Trust's strategic objectives Delegate sub-committees with responsibility for managing and tracking actions Feed all risks of a corporate nature regardless of score into the Corporate Risk Register Address any risks flagged as RED Board & Board committees Board - Bi-monthly Sub Committees - In line with committee cycle Board discussion, Monitor, Quality Assurance Framework, Leadership Walkarounds Escalation from sub-committees Performance data (IPR) Compliance Reporting (CQC, NHSLA, Audit, NICE Guidelines Compliance etc) Trust wide risk assessments/clinical Audits Patient & Staff Experience Surveys Risk profile summary Receive and manage exceptions from the Corporate Risk Register (new risks, increased risks, actions outstanding, risks which remain RED) Board Quarterly Corporate Risk Register and BAF Corporate Risk Register Other BFT Risk Registers - IM&T. H&S, HR Identify, assess and manage all risks across the Trust Accept risks and associated actions where these are rated 15 or more Report and manage exceptions (new risks, increased risks, actions outstanding, risks which remain RED) Address any risks flagged as RED Risks to be identified recorded and managed by relevant area. Any risks of a corporate nature to be escalated to the corporate risk register. Any highlevel risks to be reviewed by RMC and the Board. ED's Bi-monthly Committee discussion, Serious Incident Review Group Escalation from sub-committees and Divisional Boards Performance data Compliance Reporting (CQC, NHSLA, Audit, NICE Guidelines Compliance etc) Reporting (Complaints, Litigation, Incidents & PALs) Risk Assessments Patient & Staff Experience Surveys Corporate teams, Divisional Directors and ED's Team discussion - Monthly submission of corporate risks to the RMC if rated 15 or above. Management, operational and clinical team discussion Performance data Clinical Audit Compliance Reporting (CQC, NHSLA, Audit, NICE Guidelines Compliance etc) Reporting (Complaints, Litigation, Incidents & PALs) Risk Assessments Patient & Staff Experience Surveys

36 Risk Reference No: (for risks entered onto risk register -governance Use Only) Appendix C RISK ASSESSMENT FORM This form is to be used for identification and mitigation plans for ad hoc risks which arise and do not replace any existing Health & Safety Risk Assessment tools - supplementary proformas are available from the Health & Safety Team. RISK INFORMATION Description of risk (background information / detail to give risk context): Does this risk relate to national guidance standards / legislation: YES / NO (Please delete as appropriate) If this risk relates to national guidance please outline: Does the risk meet any of the following criteria: (Please note only one option may be selected) Audit IG Internal alerts CAS Health & Safety Medical devices Confidential enquiry Annual plan CQC NICE Security External review Infection control Does this risk affect patient safety? Yes / No (Delete as appropriate) Division: Ward/dept: Assessor: Assessment date: Which staff groups were involved in the assessment? Persons / groups at risk: Frequency of exposure to the risk: Existing control measures: (i.e. what is currently in place to reduce the risks) Current Risk Rating Current Risk Rating Calculated using the risk grading matrix with existing control measures taken into consideration. Consequence Score (C) Likelihood Score (L) Risk Score (CxL) Target Risk Rating An estimate of the risk rating based on what the division feel this risk should be once the mitigations have been implemented. Consequence Score (C) Likelihood Score (L) Risk Score (CxL) Please refer to Trust s Risk Grading Matrix

37 Issue Action ACTION PLAN SUMMARY Responsible Person Name/Designation Due Date Completed Date Residual Risk Rating Consequence Score (C) Likelihood Score (L) Risk Score (CxL) This is the risk remaining after risk treatment. First you have to identify the risks, and then you need to mitigate the risks you find unacceptable (i.e. treat them). Once you treat the risks, you won t completely eliminate all the risks because it is simply not possible therefore some risks will remain at a certain level, and this is what residual risks are. Residual risk cannot be determined until actions have been completed. Once actions are implemented, remember this will strengthen your existing controls too and should reduce your current risk rating; this is why risks will need regular review. If further actions need to be recorded, please continue on a separate sheet and attach to this document Please keep a copy of the assessment in your department and forward to your Line Manager for inclusion onto the Divisional risk register if needed. The risk should be discussed at your service clinical governance meeting and a decision to escalate to the risk register should be made at that meeting. Your governance lead for the Division or Manager can decide if the risk needs to be included on your risk register.

38 How to do a risk assessment Appendix D Purpose The purpose of this document is to assist the Trust staff in conducting a risk assessment. The guidance is intended to encourage greater consistency in the way risk assessment is applied across the Trust and promote vigilance in identifying risk and the ways in which it can be reduced. Introduction The Management of Health and Safety at Work Regulations 1999, Regulation 3 place a legal duty on all employees to assess all significant risks in the work place. This includes all clinical tasks, activities, situations and risks. The Regulations also state that risk assessments should be suitable and sufficient, taking account of the work tasks, activities and situations undertaken and the environment in which these take place. The assessment should identify the hazards associated with the task, activity or situation and establish control measures to minimise the risk. This in turn, based upon the risk levels, allow you to prioritise actions. There is also a legal duty to monitor and review the risk assessments to ensure they remain suitable, (appropriate to the task, activity or situation), effective and sufficient (continue to meet the needs of the task, activity or situation). The important thing that needs to be considered is, does the hazard pose a significant risk? If so, have you implemented control measures to reduce the risk to an acceptable level? If there is a lack of or gap in control to reduce the risk, then further actions and precautions, controls may be required. It is not usually possible to eliminate all risks by the Trust has a duty to protect patients, staff and visitors as far as reasonably practicable. This means you must avoid unnecessary risk. Definitions: Hazard: Likelihood: Consequence: Risk: Anything that has the probability or may cause harm (what could go wrong) The chance of harm occurring as a result of exposure to a hazard The level of harm that may occur as a result of exposure to or contact with a hazard Risk is the chance high or low that an event/hazard will occur or may prevent the Trust from achieving its objectives What is a risk assessment? A risk assessment is simply a careful examination of the hazards associated with work tasks, activities, or situations in the Trust, that could have the potential to cause harm to patients, staff and visitors. It allows you to consider and evaluate if there are suitable (appropriate to the task, activity or work situation) and sufficient (meet the needs of the task, activity or work situation) controls in place to reduce the level of risk to the lowest possible level. In other words have you taken enough precautions (controls) or should you do more to prevent potential harm from the hazard?

39 Using a methodology of the Health and Safety Executives 5 Steps to Risk Assessment and the NPSA Guide to Healthcare Risk Assessment shown in the diagram, a risk assessment seeks to answer the following key questions: Step 1 & 2 HAZARD What could go wrong? Who might be harmed? Step 3 CONSEQUENCE How bad will it be? Step 3 LIKELIHOOD How often? Step 4 & 5 GAPS IN CONTROL & REVIEW Record your findings. What controls are in place? Is there a need for action? Implement the actions Review the risk assessment. How to carry out a risk assessment The steps below will enable you to complete the risk assessment form. A template form can be found at appendix F. Step 1 Identify the Hazards (what could go wrong) Walk around your workplace and look at what could reasonably be expected to cause harm. Ignore the trivial and concentrate on significant hazards, things that could result in serious harm or affect numerous people e.g. Medicines not stored or locked away/trailing electrical lead causing a trip hazard. Ask those involved with the task, activities or situation for their opinion. They may have noticed things, which are not immediately obvious to those not involved with the task on a regular basis Look at and provide a description of the hazards associated with a task/activity/situation, include any hazards associated with any equipment, substances or processes used in the task/activity/situation Remember to prevent harm it is important to understand not only what is likely to go wrong but also how and why it may go wrong Take in to account things that have gone wrong in the past and near miss incidents Check manufacturer instructions for equipment or data sheets for chemicals as they can also help you spot hazards and put risks in their true perspective Check if individual s health has been affected e.g. sickness absence due to skin problems caused by using a particular chemical/complaints of feeling unwell when working in a certain environment

40 Step 2 Step 3 Step 4 Step 5 Who might be harmed and how? Identify those individuals or groups of people who may be at risk of harm if exposed to the hazard Remember the most vulnerable patients are more likely to suffer harm When considering people who, potentially could be harmed don t forget to consider new workers or trainees, young workers, new and expectant mothers and people with disabilities Cleaners, visitors, contractors or maintenance workers who may not be familiar or in the work place all the time Evaluate the risks (how bad consequence and how probable (often) Likelihood) and decide on the actions required Having spotted the hazards, detail the existing control measures already in place to prevent harm occurring Are these controls adequate? Intelligence data such as incident reports many indicate that a control you have in place is not effective Are controls reducing risk or harm to its lowest level? Is there a Gap in Control and therefore a need for additional action and controls to reduce the risk? Look at the hierarchy of risk control Record your findings and proposed actions then implement them Complete the risk assessment form and action plan The actions required should be detailed in the action plan section of the risk assessment form, summarising how the controls are to be achieved. A responsible person is then allocated the responsibility of ensuring the actions are completed within a targeted date Using the Trust risk matrix, quantify the level of risk by choosing the level of consequence and likelihood of the harm occurring based on all the information you have gathered Evaluate the risks and decide whether the existing control measures are adequate or if more could be done Consider how likely it is that each hazard could cause harm. This will determine whether or not you need to do more to reduce the risk. Even after all precautions have been taken, some risk usually remains. What you have to decide is, whether the remaining level of risk is acceptable, if not then further action is required When writing the results of the risk assessment keep it simple, for example tripping over rubbish: bins provided, staff instructed, weekly housekeeping checks instigated It is important that you can show that: A thorough check was make to identify all the hazards and treat all the significant risks; The controls are reasonable and the remaining risk is acceptable The solutions are realistic, sustainable and effective NB it may be reasonable to accept some degree of preventable risk, if the benefits to be gained outweigh the risk Review your risk assessment and update if necessary Risk assessments and action planning should be reviewed and monitored regularly Risk levels that are medium or high should be placed on the risk register. So that the action plans can be monitored regularly. Decide if you have a local risk or Corporate risk Once an action on the plan has been completed and the new or additional control implemented the risks should be re-evaluated and the results recorded

41 Remember, research and new developments increase the pace of change, and those changes can alter existing and/or introduce new hazards Review your risk assessment regularly and at least on an annual basis: Regularly and at least on an annual basis When learning from incidents which may indicate a control is not working or needs to be changed When you are planning a change to a task, activity or situation When there has been a significant change to a service or way of working Risk assessment doesn t need to be overcomplicated and identifying hazards is common sense. However risk assessment should only be carried out by a competent person, that is, someone who is familiar with the task, activity or situation, the environment is which the activity takes place and who has sufficient knowledge and understanding that they can identify those hazards present. Additionally the competent person should recognise their limitations and be prepared to seek advice as necessary. Risk Evaluation Tool In order to separate those risks that are unacceptable from those that are acceptable the risks should be evaluated. Control Measures Once the risk assessment has been completed and the risk level indicates further actions and controls are necessary to ensure that the risk is reduced to as low as is reasonably practicable then consider the following: a) Can the hazard be removed altogether? b) If not, how can I control it? When controlling risk, try applying the principles below: Use ERIC PD ELIMINATE get rid of the hazard; replace it with something less hazardous REDUCE the level of risk by reducing the nature of the hazard e.g. use similar quantities, lower voltage etc ISOLATE the hazard from people, for example by putting up barriers or guarding CONTROL exposure to the hazard by controlling who has access or limiting exposure time PPE issue Personal Protective Equipment Discipline and Culture Improving risk management need not cost a lot of money, however failure to carry out suitable and sufficient risk assessments and not controlling significant risk in the workplace can cost the Trust in more ways than one.

42 If a task, activity or situation remains the same then a generic risk assessment can be produced. However, the assessment must be reviewed when the environment changes affecting the task, activity or situation and/or the process changes. Risk Assessment Action Plan The actions required should be detailed on the action plan section of the risk assessment form, summarising how the additional controls required to close the gap are to be achieved. A key individual is then allocated the responsibility of ensuring the actions are completed. A target date must be set and activity against the action monitored. Unless the risk level is specified as acceptable where only actions necessary are to monitor and review the assessment and established controls for effectiveness, all of risk levels will require further actions applied to reduce them to the lowest acceptable level. Once completed, the action is implemented and closed. Monitor and Review All risk assessments must be reviewed not less than annually and/or if: There is a significant change in equipment or process There is a change to the task activity or situation process or environment After an incident or accident There is a change to the people who are affected by the task, activity or situation There is a change in legislation There is a change to or introduction of new equipment The routine, process, system or procedure is no longer valid If you have any questions regarding the completion of the risk assessment please contact the Trust Risk Manager. Training on the risk assessment process is available from the Risk Team References: HSE Guide Five Steps to Risk Assessment IND163 (rev3), revised 06/1 NPSA Healthcare Risk Assessment Made Easy, March 2007

43 Identifying Risks Appendix E The Trust will review compliance with the Care Quality Commission requirements on an on-going basis to identify any risks Effective health and safety audits and inspections and implementation of resulting action plans Each Director will be responsible for ensuring that departmental risk assessments are carried out, producing directorate risk registers and taking action to avoid/minimise risk as appropriate Regular multi-disciplinary review of incidents, complaints and claims data Patient and staff feedback surveys Public perceptions of the NHS e.g. media reviews Root Cause Analysis following serious adverse incidents Underlying root causes of incidents, complaints and claims Concerns raised by Trade Unions Whistle blowing Coroners reports Financial forecasting and reports Board Quality walkabouts New legislation and guidance Recommendation and reports from assessment/inspections from internal and external bodies Safety alerts e.g. Central Alerting System, NHS Protect Non Clinical/Generic Risk Assessments completed by staff Incident Reports Serious Adverse Incident Reports Directorate Risk Registers (for the Corporate Risk Register) Health and Safety Audits Regular Health and Safety Checks e.g. Window checks, Fire Inspections Complaints National Guidance/Reports Patient s conditions (e.g. inherent risk of falls in people with dementia) Major incident (drill or live) Deficiencies with effective controls assurance standards Deficiencies with various elements of the CQC standards Recommendations and reports from external agencies such as NHSLA, Health and Safety Executive, Patient-led Assessments of the Care Environment (PLACE) etc Actions taken to reduce risks which could not be or were not implemented for various reasons such as resource limitations Any other sources of information that could be considered to be a threat to patient, staff visitors, environmental safety or the organisations wellbeing Estates risk profile]

44 Financial/business plans/it reports Underlying causes related to poor trends identified from key performance indicators Considerable deficiencies in/non-compliance with staff mandatory training

45 RECORDING RISK Appendix F

46 S C R U T A S S U R Audit Committee (BAF) RISK ESCALATOR BOLTON NHS FOUNDATION TRUST Appendix G BOARD OF DIRECTORS (Corporate Risk Register and BAF) quarterly Exec Directors (Corporate risk register and BAF) Risk Management Committee Divisional Board Meetings Divisional Governance Meetings Board Assurance Framework and Corporate Risk Register Submitted to the Board and Monitored through Board governance And assurance committees Any risk scoring 15 or above and/or impacting across the Trust escalated To Corporate risk register with agreement By RMC. RMC would recommend Risks to be incorporated into BAF All risks 15 or above (corporate or divisional) and any risks Regardless of score if unmanageable Escalated by the Divisions to RMC I A SERVICE CLINICAL GOVERNANCE TASK GROUPS / BUSINESS MEETINGS Service/Divisional risks reviewed at Service Governance Forums/ Divisional Board N N RISK REGISTER Risks identified populate the Risk Register Y C E Incidents Complaints Claims Assurance framework External Assessments/ CQC/Monitor Audit/Non- Compliance NICE guidance Departmental Risk Assessments Health &Safety

47 Appendix H