Risk Management Strategy - Supplement 1: Procedure for Production of Risk Registers

Transcription

1 This is an official Northern Trust policy and should not be edited in any way Risk Management Strategy - Supplement 1: Procedure for Production of Risk Registers Reference Number: NHSCT/12/557 Target audience: All Trust staff Sources of advice in relation to this document: Alex Lynch, Corporate Risk Manager Dr Peter Flanagan, Director of Medical & Governance Replaces (if appropriate): NHSCT Risk Management Strategy (incl Risk Management System for Production of Risk Registers (NHSCT/09/126) Type of Document: Trust Wide Approved by: Policy Committee Date Approved: 20 June 2012 Date Issued by Policy Unit: 28 June 2012 NHSCT Mission Statement To provide for all the quality of services we would expect for our families and ourselves Version 1_0

2 Risk Management Strategy Supplement 1: Procedure for production of Risk Registers (March 2012) 1

3 1.0 Risk Management System 1.1 The Trust s risk management system is based on the Australian/ New Zealand Risk Management Standard (AS/NZC 4360:2004) as described below: Establish context Consider actual and potential risks to Trust objectives in context of: * patient & client safety * failing performance * service quality falling below recognised standards * financial loss * service/business interruption * Identify adverse hazards publicity & and risks damage to Trust s reputation * environmental hazards Managers & staff at all levels must proactively identify potential hazards in their work environment which might harm patients, clients or staff. Risks and hazards when identified from sources such as incidents, complaints & claims, will be assessed and managed as described below. The Governance Department will facilitate collation & provision of such intelligence, including from external reviews & enquiries, to directors, managers & to relevant committees within the Governance Accountability Framework. COMMUNICATE AND CONSULT Analyse, assess & evaluate the risk Having identified a risk firstly consider what controls are in place, eg policies, training or physical measures. If those controls are considered adequate then no further action is required other than to ensure maintenance of those controls. If controls are not considered adequate then the risk must be assessed & evaluated using the risk rating system attached as Appendix 1 & a risk rating assigned. Treat risks Where risk control is required the most common options are: * Avoiding the risk, ie deciding where practicable not to proceed with the activity likely to generate risk by, for example, withdrawing equipment from use or terminating an activity. MONITOR AND REVIEW * Reducing likelihood of risk materialising, ie through contract negotiation, audit & compliance programmes; policies & procedures,training, supervision, & preventative programmes. * Reducing potential impact if risk materialises, ie by contingency planning, minimising exposure to the risk, public relations or relocation of activity. * Transferring the risk, ie by involving another party to bear or share some part of the risk through contracts & other organisational structures such as partnerships or joint ventures. 2

4 2.0 Structure of the Trust Risk Register 2.1 The Trust Risk Register records risks at two different levels; corporate and operational. Governance Committee on behalf of Trust Board oversees the corporate risks associated with the Trust s activities, with the strategic management of those risks being undertaken by Governance Management Board (with additional input and guidance from relevant specialist committees as required). Each Director is responsible for the tactical management of those strategic risks as well as managing operational risks within their own directorate. 2.2 The system by which risks are identified and approved for inclusion in risk register(s) is displayed at Appendix Definitions 3.1 Corporate risks A risk which, regardless of grading, is beyond the ability of any one Directorate to control because, for example: the risk applies to more than one directorate; or the risk requires escalation to another HSC body due to its significance or the need for commissioner involvement; or the risk is beyond the capacity of one directorate to address, eg additional corporate funding is required or requires action by more than one directorate; or has been rated as Extreme, A corporate risk would: normally be identified by Directors or other Trust Board member, or by any committee within the Trust s Governance Accountability Framework; have a named Director as the Risk Owner (ie the person with overall responsibility for the risk); have a named Manager (or appropriately delegated manager / advisor) as the Risk Manager; require the Risk Owner's, ie the named Director, support and direction in the development of risk control measures such as new corporate policies / guidelines; be overseen by the Governance Management Board in monitoring its management, eg reviewing the adequacy of risk assessments or identifying where risk registers have not been updated or have become static; and by Governance Committee to be assured that the necessary controls and assurances are being maintained so as to minimise or eliminate the likelihood of occurrence A new corporate risk will be considered by the Governance Management Board in relation to determining the benefit of its allocation to a lead committee to oversee its management on a more detailed basis and 3

5 provide advice as to the adequacy of control and remedial measures being effected. 3.2 Operational risks A risk which: has the potential for a directorate(s) and service(s) (either collectively or individually) to fail to meet their objectives; may impact upon service delivery itself or on those who work within the Service (eg staff, partner organisations, volunteers, contractors, etc.) or indeed those in receipt of the services provided (eg patients, public, relatives and visitors). falls within the remit of a single service or directorate but which may impact on the wider organisation; have a named Director as the Risk Owner (ie the person with overall responsibility for the risk) and an appropriately delegated member of staff as the Risk Manager; may require the Risk Owner's, ie the named Director s lead in the development of risk control measures such as new corporate policies or guidelines, as well as effective implementation of such risk controls already established within the Trust; is overseen by the Governance Management Board in relation to monitoring the management of the risks and managed by individual Directors and local line management; and should also be discussed through local governance arrangements where appropriate to do so Escalation/de-escalation of risk from one level of responsibility, ie from operational to corporate and vice-versa, to another will be required on occasions. 3.3 Risk Owner A Risk Owner is the named Director with overall responsibility for a particular risk - albeit the management of the risk may be delegated to another person. In particular, in their role as Risk Owner, the Director has overall responsibility for: ensuring that the risks they 'own' are managed appropriately. (Management of individual risks will normally be delegated to the appropriate management levels within each directorate or service); monitoring progress against action plans established to support the management of corporate or operational risks; ensuring that the review process is carried out in a timely manner within their areas of responsibility; and having overall ownership and responsibility for the management of the operational risk register within their directorate. (Support and guidance will be provided by the Corporate Risk Management Department as required). 4

6 3.4 Risk Manager A Risk Manager is the person who has responsibility for ensuring that: identified risks are analysed appropriately in accordance with the Trust s risk management process; the effectiveness of the controls in place is regularly evaluated; management of the risk is proportionate to the risk evaluation; Risk Treatment Action Plans are prepared, maintained and revised as necessary to support the management of the risk including where new controls require to be developed and implemented, or the effectiveness of existing controls requires careful ongoing monitoring. risks and their supporting action plans are evaluated / reviewed in a timely manner;timely; the risk is discussed through the appropriate line management arrangements and the Risk Owner (ie the appropriate Director) is informed in all cases (or potential cases) where a risk possibly requiring escalation onto the Corporate Risk Register is identified; and the Risk Owner (ie the appropriate Director) is informed on a case by case basis where the management of a particular risk is of concern and guidance requires to be sought from, or the matter requires to be referred to the Governance Management Board. 4.0 Action following completion of risk rating 4.1 Following assessment and rating of the risk (Tables 1 to 4 of Appendix 1 refers) the Risk Manager will: decide, in conjunction with colleagues as necessary, that the risk can be accepted and monitored and that no further action is required; take action within the timescales outlined in Tables 5 & 6 of Appendix 1; decide whether in addition to being included in the department/directorate risk register as an operational risk that it also needs to be brought to the attention of their Director as representing a potential corporate risk for inclusion in the Trust s Corporate Risk Register because: - it has risk rating of 25 - whilst having a risk rating or less than 25 it is beyond the capacity of one directorate to manage because, for example, additional funding is required, or the risk requires action from more than one directorate; or - the risk applies to more than one directorate; or - it requires escalation to another HSC body due to its significance or the need for commissioner involvement. 5

7 5.0 Risk Notifications 5.1 A Trust Risk Notification Form RN1 (Appendix 3) will be completed to record operational risks identified by directorates through the Trust s risk assessment and evaluation process and will be added to the department/directorate Risk Register. 5.2 For those risks identified and approved by a Director as representing a corporate risk a copy of that Risk Notification Form will also be forwarded without delay to the Corporate Risk Department for inclusion in the Trust Corporate Risk Register. 5.3 All risks graded as Extreme, High or Medium will require completion of a Trust Risk Treatment Action Plan Form 1 (Appendix 4) which will describe: the risk identified risk grading before preparation of a Risk Treatment Action Plan and anticipated risk rating following implementation of all, or parts of the plan control measures required to eliminate/reduce the identified risk to an acceptable level commencement, completion and review dates for the plan associated costs, if any name of Risk Manager and of Risk Owner arrangements for monitoring the plan s implementation, for ensuring that it is achieving the required risk reduction and for revising it if necessary. 5.4 All employees should be encouraged and supported by managers to identify and report risks including incidents to supplement that ongoing risk identification process internally and externally sourced from risk assessments, audit findings and external agencies. 6.0 Risk Registers 6.1 Subject to future approval it is planned that all Risk Registers will be maintained by utilising the DATIX Risk Management Module. Pending which the format included at Appendix 5 will be used for the recording of operational risks at directorate level. 7.0 Review of risks 7.1 By Risk Manager Risks will be critically reviewed and managed by the Risk Manager (Line Manager). However, it is likely that much of the mitigating actions and controls may be delegated to staff at a lower level. If a delegated person with responsibility for managing a particular operational risk has concerns around the significance of the risk and is unable to source the necessary resources to reduce the significance of the risk, they should discuss the risk with their manager. If issues cannot be resolved locally, in conjunction 6

8 with line managers and general managers, then the risk should be discussed with the relevant Director regarding further action. 7.2 By Risk Owner The Risk Owner (Director) will advise regarding any further management of the risk and may (or may not) decide to escalate the risk to the corporate level for as long as is necessary. 7.3 By Governance Management Board If wished the Director may prepare a paper regarding the risk, for review by GMB which will discuss and advise as necessary regarding the future management of the risk, including whether it should remain at operational level or be escalated to corporate level? 7.4 Ongoing Review Operational Risks Will be reviewed on an individual basis by the appropriate Risk Manager and Risk Owner in accordance with the review date determined by the rating of the risk. The Governance Management Board will also periodically review all operational risks to determine whether or not any of these risks should be escalated to corporate level. 7.5 Bi-monthly Review Corporate Risks Will be facilitated by the Trust Corporate Risk Manager for review on a bi-monthly basis by Governance Management Board to assure itself that the necessary action is being taken to, as a minimum, ensure that the necessary measures are being effected to control the risk or, preferably, reduce or eliminate the risk. And to identify which corporate risks may be de-escalated to operational status. A risk identified by members of the Governance Management Board which has not been recorded on the electronic risk register system will be notified to the appropriate Risk Owner and advice given as to what level the risk should be recorded at. If appropriate to so do GMB may propose the risk for escalation to corporate level. 7.6 Closure of risks Risks may be removed from the Trust Risk Register if the risk is deemed to have been reduced to an insignificant level or if it is deemed no longer relevant to the Trust. The closure of risks must be authorised by the relevant Risk Owner. 8.0 Equality, Human Rights and DDA This policy has been drawn up and reviewed in the light of Section 75 of the Northern Ireland Act (1998) which requires the Trust to have due regard to the need to promote equality of opportunity. It has been screened to identify any adverse impact on the 9 equality categories and no significant differential impacts were identified, therefore, an Equality Impact Assessment is not required. 7

9 9.0 Alternative formats This document can be made available on request on disc, larger font, Braille, audio-cassette and in other minority languages to meet the needs of those who are not fluent in English Sources of Advice in relation to this document The Policy Author, responsible Assistant Director or Director as detailed on the policy title page should be contacted with regard to any queries on the content of this policy. 8

10 Risk Grading System Appendix 1 Instructions for use 1. Identify the risk 2. Using Table 1 identify the Impact/Consequences should the risk occur and select number from scale 3. Using Table 2 identify the Frequency/Likelihood or immediacy of the risk occurring and select number from scale 4. Impact/Consequences Score X Frequency/Likelihood Score = Risk Grading as described in Risk Grading Matrix (Low, Moderate, High or Extreme) Table 1 Impact/Consequences Descriptors and Scores Descriptors Insignificant Minor Moderate Major Catastrophic Safety (Patients, Clients, Staff & Public) Minor injury or illness requiring minor intervention. Absence from work < 3 days Minimal injury requiring no/minimal intervention or treatment. No absence from work. Moderate injury or illness requiring extended stay in hospital or care/ professional intervention or absence from work > 3 days. RIDDOR reportable and/or other external agency. Potential health and safety prosecution. Death or still birth. Major injury and/or long term/ permanent incapacity/ disability (loss of limb). Delay in diagnosis and/or commencement of patient/client care with long term affects > 3 months). Major outbreak. Premature retirement from work. RIDDOR or/ other external agency notification. Potential Corporate Manslaughter prosecution. Other health and safety prosecution. Multiple deaths, still births or permanent incapacity/ disability requiring life-long care (brain damaged adults or babies),reportable to RIDDOR and/or other external agency. Corporate Manslaughter prosecution. 9

11 Descriptors Insignificant Minor Moderate Major Catastrophic Performance (Objectives/ Targets/ Budgets) Service Quality (Complaints/ Service User Experience/ Inspection/ Audit/ Statutory Compliance/ Quality and Professional Standards/ Staffing Competence) Insignificant cost increase/schedule slippage. No noticeable reduction in scope or quality Locally resolved complaint. Unsatisfactory experience not directly related to care or treatment. Small number of recommendations which focus on minor quality or safety improvement issues. Minor noncompliances advice given. Short term low staffing levels which reduces or disrupts service provision or quality for not more than 1 1% off planned activity targets. Failure to meet PfA or other target or objective for 1 quarter. Less than 5% over budget/ schedule slippage. Justified complaint peripheral to clinical or social care. Unsatisfactory experience readily resolvable. Recommendations made which can be addressed by low level of management action. Reduced rating if not resolved. Single non-compliance with, or to follow internal standards, policy or protocols. Ongoing low staffing level reduces service provision or quality. Minor error due to ineffective or inadequate 2% - 4% off planned activity targets. Failure by meet PfA or other target or objective for 2 quarters. 10% over budget/ schedule slippage. Justified complaint involving lack of appropriate clinical or social care. Delay in diagnosis and/or commencement of care or treatment. Repeated noncompliance with, or to follow internal standards, policy or protocols. Challenging recommendations. Reduce rating following next assessment. Late delivery of key objective/service due to lack of staff. Moderate error due to ineffective or inadequate training or 5 10% off planned activity targets. Failure to meet PfA or other targets or objective for > two consecutive quarters % over budget/ schedule slippage. Secondary objectives not met. Multiple justified complaints. Serious delay in diagnosis and/or commencement of care or treatment. Major non-compliance with standards, policy or protocol. Enforcement action against Trust. Critical report and low rating of compliance. Very challenging recommendations. Failure to meet national/professional standards. Uncertain delivery of key objective/service due to lack of staff. Major error due to ineffective or inadequate training or implementation of training. >10% off planned activity targets. Failure by more than 25% to meet Regional and/or local targets or objectives. More than 25% over budget/ schedule slippage. Primary objectives not met. Totally unsatisfactory outcome of experience. Significant noncompliance. Prosecution. Zero rating. Severely critical report. Gross failure to meet national/professional standards. Non-delivery/cessation of service due to lack of staff. Loss of key staff. Catastrophic error due to ineffective or inadequate training or implementation of training. 10

12 Descriptors Insignificant Minor Moderate Major Catastrophic day. training or implementation of training. implementation of training. Finance (Claims & Losses) Service/ Business Interruption Litigation unlikely. Damage/loss of assets/personal property < 5,000 Loss/ interruption > 1 hour Litigation likely. Damage/loss of assets/personal property. > 5000 < 50,000 Loss/interruption > 8 hours Litigation possible. Damage/loss of assets/personal property. > 50,000 < 250,000 Loss/ Interruption > 1 day Litigation probable. Damage/ loss of assets/personal property. > 250,000 < 1M Loss/ interruption > 7 days Substantial litigation involving one or more claimants probable. Damage/loss of assets/personal property. > 1M Permanent loss of service or facility Adverse Publicity/ Reputation Rumours Local media - short-term interest. Little affect on staff morale Local media long term interest. Public confidence affected. Significant affect on staff morale Regional media - < 3 days interest. MLA concern (Questions in Assembly). Service well below reasonable public expectation. Use of services affected. National adverse media and/or local media > 3 days. Interest MP and/or MLA concern (Questions in House or Assembly) Total loss of public confidence. Public Enquiry. Environment Nuisance release On site release contained by Trust Additional Guidance For example Drug error with no apparent adverse outcome Grade 1 Pressure Ulcer Off site release contained by Trust Increased length of stay due to HCAI < 1 week. Grade 2/3 Pressure Release affecting minimal offsite area requiring external assistance, eg fire service or Radiation Protection Service Increased length of stay due to HCAI > 1 week. Grade 4 Pressure Ulcer. Retained instrument after Toxic release with detrimental effect requiring external assistance Unexpected/ unexplained death. Homicide committed by patient known to Trust 11

13 Descriptors Insignificant Minor Moderate Major Catastrophic Ulcer surgery requiring further intervention. Suspected suicide of a patient with mental health problems and known to Trust. with mental health problems. Removal of wrong body part leading to death or permanent incapacity. Risks that have been identified as having an Impact/Consequences assessed as being Major or Catastrophic will require consideration by the Director responsible for the service in which the risk has been identified with, as applicable, the Medical Director or Executive Director Social Work regarding notification to the Department of Health etc as a Serious Adverse Incident and or High risk and a decision regarding further management communicated to the Corporate Risk Manager within 2 working days of the incident s occurrence, or of its occurrence becoming known. (Trust Incident Management Policy and Procedure (including procedure for Serious Adverse Incidents refers). 12

14 Table 2 - Frequency/Likelihood Descriptors The descriptors for each frequency/likelihood (indicators in brackets, of which that considered most relevant to the service area in which to be used, are provided for guidance particularly when grading risks, incidents, claims, complaints and other untoward events) are as follows: Descriptor Rare Unlikely Possible Likely Almost Certain Frequency/Likelihood Remote possibility (1 in 100,000 chance or once every 5 years or more) Could happen but rare (1 in 10,000 chance or typically once a year) Could happen occasionally (1 in 1,000 chance or on average monthly) Could happen often (1 in 100 chance or on average once a week or more frequently) Could happen frequently (1 in 10 chance or once a day or more) Table 3 Risk Grading Matrix Likelihood X Impact = Risk Grading Impact / Consequences Likelihood /Frequency Insignificant Minor Moderate Major Catastrophic Almost certain Likely Possible Unlikely Rare Table 4 Risk Grading Bands LOW MEDIUM HIGH EXTREME 13

15 Table 5 Risk management action and responsibilities These risks are considered to have extreme consequences for the Trust and are unacceptable. They need urgent treatment to ensure that they are eliminated/mitigated and may require considereable resources to rectify. The Risk Treatment Action Plan must be prepared and be subject to close scrutiny through organisational controls. All risks assessed as a red risk must be reported to the Director responsible for the service within which the risk has been identified and to the Corporate Risk Manager within 24 hours of initial identification. These risks are considered to have high consequences for the Trust and need a robust Risk Action Treatment Plan to ensure that they are eliminated/mitigated within 3 months of initial identification. These risks must be reported to the responsible Director within 3 days of initial identification. These risks are considered to be tolerable providing appropriate controls are in place to minimise likelihood of undesirable occurrence and need to be treated within a 6 month period to ensure that they are eliminated or mitigated. These risks will require a greater input to resolve and may require allocation of some financial or other resources. These risks are considered to be broadly acceptable but still need to be controlled and be continually monitored within the service involved to ensure that they are eliminated or mitigated. These risks will require simple measures to be adopted for their elimination or reduction within 12 months. In addition to the actions noted above any risk,which, regardless of grading is considered to represent a corporate risk as defined at section 4.1. will, subject to approval of the Director responsible for the area in which identified, be notified to the Corporate Risk Manager in accordance with the process described at Appendix 1. 14

16 Table 6 Priority Action Table To determine when a risk requires to be actioned and reviewed KEY TO PRIORITY LEVELS RISK LEVEL TIMESCALE FOR ACTION TIMESCALE FOR REVIEW Red Extreme Action urgently Review within 3 month Purple High Action within 3 month Review within 6 months Green Medium Action within 6 months Review within 12 months Yellow Low Acceptable Action within 12 months/ accept risk Review controls within 24 months 15

17 Appendix 2 Risk Registers Risk Identification, Reporting and Approval Process GMB/Trust Board reviews Corporate Risk Register GMB/Directors highlight other organisational risks for entry on Corporate Risk Register GMB decides if risk identified goes onto Corporate Risk Register Staff highlight risks Directors identify to Corporate Risk Manager risks which cannot be managed at Directorate level for GMB consideration in accordance with Trust Corporate Risk Register criteria* Teams/services/ departments identify and assess risks Any risk which cannot be managed at local level entered on Directorate Risk Register Definition of Corporate Risk refer to para Definition of Operational Risk refer to para

18 Northern Health and Social Care Trust Risk Notification Form (Revised February 2012) Appendix 3 Form RN1 (Part 1 to be completed by Directorate where operational risk only. If also a corporate risk form to be forwarded to Corporate Risk Manager (CRM) for completion of Part 2) Part 1 - Directoate Directorate: Service Area/Speciality: Risk Manager: Risk Owner: 1. Description of risk to (a) Principal Objective (please identify) or (b) other objective (please describe) 2. Risk source (how the risk was identified, eg Complaint, Assessment, SAI etc) 3. Description of existing controls and of their adequacy 4. Consequences/ Impact (Table 2) Likelihood/ Frequency (Table 3) Risk Grading (Table 4) If Corporate Risk date approved by Director If Corporate Risk date CRM informed Risk Register Entered on Departmental Directorate If Corporate Risk under which criteria (refer to Section 3.1.1) Date By Ref Risk Treatment Action Plan (Dates) Completed Implemented Reviewed If Corporate Risk copied to CRM 17

19 7. Risk Register Revisions Directorate Review Date Revised Grading Risk Register (Remove/Retain) If Corporate Risk Remove/Retain Approved by Director (Date) CRM informed (Date) Part 2 Corporate Risk Management Risk Ref # New Revised Remove Date Received Corporate Risk Register Version # (Draft) Date to GMB GMB approved Y/N Corporate Risk Register Version # Final 18

20 Northern Health and Social Care Trust Appendix 4 Form RTAP 1 Risk Treatment Action Plan Directorate: Risk Ref No: Corporate Risk (Y/N) Description of risk identified: Risk rating (when identified and assessed) Action plan (overleaf) 1 Proposed actions 2 Resource requirements/costs 3 Responsibilities 4 Timescale 5 Reporting and monitoring required Compiler......Date..Reviewer...Date.. Impact of Action Plan Revised Risk Rating following partial/complete implementation Risk Register: Date Entered Ref No: Directorate If Corporate Risk Date Sent to CRM By Date Received (by CRM) By Date Removed By 19

21 Detailed Treatment Action Plan Action Timescale * Detail specific actions required with estimated timescales where possible 20

22 Format of Risk Register Appendix 5 Item# Directorate Risk No Risk Owner Risk Manager Date Entered Initial Rating Previous Rating Current Rating Target Rating Principal Objectives Corporate Risk (Y/N) If Yes under which criteria? Risk Description Action Notes Resource requirements/costs to achieve Target Rating (Capital and/or Revenue) - : Year 1: Year 2: Year 3+: Comments (if any): 21