Integrated Risk Management Framework

Transcription

1 Integrated Risk Management Framework Document Reference Information Version 1.0 Status 3 nd Draft Author/Lead Bridget Pratt Head of Governance & Complaints Date Effective TBC Date of Next Formal Review July 2014 Other relevant documents to this Strategy: 1. NWL Cluster Risk Management Strategy 2. Standing Orders & Standing Financial Instructions 3. Incident Reporting Policy 4. Serious Incident Policy 5. Quality Strategy 6. Complaints Policy 7. Claims Policy 8. Health & Safety Policy 9. Information Governance Policy 10. Whistle-blowing Policy 11. Bullying and Harassment policy Brent CCG incorporates and supports the Equality Act 2010 and the human rights of the individual as set out in the European Convention on Human Rights and the Human Rights Act 1998

2 CONTENTS 1. INTRODUCTION 3 2. AIMS, OBJECTIVES AND RATIONALE 3 3. ACCOUNTABILITIES FOR RISK MANAGEMENT 3 4. RISK MANAGEMENT FRAMEWORK 7 5. RISK MANAGEMENT PROCESS REPORTING ARRANGEMENTS OPEN AND FAIR CULTURE TRAINING AND SUPPORT CONSULTATION AND COMMUNICATION WITH STAKEHOLDERS MONITORING THE EFFECTIVENESS OF THIS STRATEGY REVIEW AND REVISION OF THE STRATEGY DISSEMINATION AND IMPLEMENTATION EQUALITY AND DIVERSITY 14 APPENDIX A CCG RISK ASSESSMENT SCORING GUIDELINES 15 APPENDIX B CCG AF AND RISK REGISTER TEMPLATE 24 APPENDIX C CCG STRUCTURE DIAGRAM FOR RISK MANAGEMENT 25 APPENDIX D CCG RISK ASSESSMENT TEMPLATE 26 APPENDIX E AF AND RISK REGISTER ARRANGEMENTS 27 APPENDIX F CCG RISK APPETITE TRIANGLE 28 Page 2 of 28

3 1. INTRODUCTION 1.1 Brent Clinical Commissioning Group (CCG) is part of the Outer North West London Federation of 4 CCGs including Brent, Harrow, Hillingdon and Ealing. Brent CCG has a responsibility to ensure that the organisation is properly governed in accordance with best practice in corporate, clinical and financial governance. Every activity that the CCG undertakes or commissions others to undertake on its behalf, brings with it some element of risk that has the potential to threaten or prevent the organisation achieving its objectives. 1.2 This Integrated Risk Management Framework enables the organisation to have a clear view of the risks affecting each area of its activity; how those risks are being managed, the likelihood of occurrence and their potential impact on the successful achievement of the CCG objectives. This document sets out the approach for the identification and management of risk within the CCG. 1.3 This framework applies to all members of the CCG, the CCG Governing Body, CCG Executive team and all managers to ensure that risk management is a fundamental part of the CCG approach to governing the organisation and all its activities. 2. AIMS, OBJECTIVES AND RATIONALE 2.1 The CCG Governing Body recognises that robust risk management and assurance is an integral part of its governance responsibilities and part of Brent CCG s culture. The Governing Body is, therefore, committed to ensuring that risk management forms an integral part of its philosophy, practices and business plans rather than viewed or practised as a separate programme, and that responsibility for implementation is accepted at all levels of the organisation. 2.2 The CCG Governing Body aims to take all reasonable steps in the management of risk with the overall objective of protecting patients, staff, and publically funded resources and assets by recognising, preparing for or avoiding events or inactions, which could have a negative impact; making the organisation more effective and meeting national objectives and the local corporate, clinical and financial governance core objectives. The purpose of this Integrated Risk Management Strategy is: To encourage a culture where risk management is viewed by the CCG and staff as an essential process of the CCG s activity To ensure structures and processes are in place to support the assessment and management of risks throughout the CCG. To assure the public, patients and their carers and representatives, staff and partner organisations that the CCG is committed to managing risk appropriately 3. ACCOUNTABILITIES FOR RISK MANAGEMENT 3.1 Brent CCG Governing Body has a duty to assure itself that the organisation has properly identified the risks it faces, and that it has processes and controls in place to mitigate those risks and the impact they have on the organisation and its stakeholders. The Governing Body discharges this duty as follows: Identifies risks to the achievement of its strategic objectives Monitors these on an ongoing basis via the Governing Body Assurance Framework and Risk Register Page 3 of 28

4 Ensures that there is a structure in place for the effective management of risk throughout the CCG Receives assurance regarding risk management within organisations providing services Approves and reviews strategies for risk management on an annual basis Receives regular reports from the Joint Audit and Joint Remuneration Committee and the Quality, Safety & Clinical Risk Committee on significant risks, progress on mitigating actions and assurance regarding commissioned services Demonstrates leadership, active involvement and support for risk management 3.2 North West London Cluster Chief Executive (Shadow Period) During the shadow period up until 31 st March 2013, the North West London Cluster Chief Executive (CCE) has been designated as the Accountable Officer for the whole of NHS North West London. The CCG Accountable Officer discharges the Accountable Officer role at CCG level on a day to day basis and is a member of the Cluster Executive Management team and Cluster Board. Significant CCG risks are escalated in line with the North West London Cluster Risk Management Strategy. 3.3 The Accountable Officer The Accountable Officer has overall accountability for the management of CCG risks and is responsible for: Continually promoting risk management and demonstrating leadership, involvement and support Ensuring an appropriate committee structure is in place, with regular reports to the CCG Committee Ensuring that the CCG Governing Body, Executive Team, Clinical Directors and Senior Managers are appointed with managerial responsibility for risk management Ensuring appropriate Policies, Procedures and Guidelines are in place and operating throughout the CCG Ensuring Complaints, Claims and Health and Safety Management are managed appropriately 3.4 Managing Director of the North West London Commissioning Support Unit (CSU) The Managing Director of the CSU is responsible for ensuring that services commissioned by the CCG are in line with best practice and national guidance and ensuring that assurance is provided to the CCG on services commissioned The Managing Director is also responsible for ensuring risk assessments are conducted and when awarding contracts for services, ensure that risks and plans to mitigate them are assessed during the tender process. Providers must give adequate assurance that they manage significant risks appropriately. 3.5 Chief Operating Officer The Chief Operating Officer is accountable for the effective management of risk within their area of responsibility, including assurance that appropriate controls are in place and that controls are being monitored. This involves maintaining systems to: Page 4 of 28

5 Identify and assess risk Ensuring Locality Risk Holders are nominated to ensure population and management of risk registers Implement effective risk mitigations Report risk in accordance with the CCG Risk Management Strategy Ensure all managers and staff under their management control are aware of the CCG s Risk Management Strategy and of their responsibility for implementing them. 3.6 Head of Governance The Head of Governance is the management lead for risk management and has delegated responsibility for: Information Governance Local Security Management Ensuring risk management systems are in place throughout the CCG Ensuring that an organisational Risk Register and an Assurance Framework are developed and maintained and reviewed by the Executive Team Ensuring the Assurance Framework and Risk Register is regularly reviewed by the senior managers designated as risk holders, updated and reported to the Governing Body and all of its sub committees Ensuring that there is appropriate external review of the CCG s risk management systems, and that these are reported to the CCG Committee Overseeing the management of risks as determined by the CCG Governing Body Ensuring that identified risk mitigation and actions are put in place, regularly monitored and implemented Ensuring that risks are reviewed in line with the CCG reporting arrangements (section 7) Providing advice on the risk management process Working collaboratively with Internal Audit Ensuring that the Integrated Risk Management Strategy is updated on an annual basis and approved by the CCG Committee 3.7 Chief Finance Officer The Chief Finance Officer has delegated responsibility for financial risk management and will ensure: The effectiveness of the Trust s financial control systems Significant financial risks faced by the CCG are identified and managed effectively The Audit Committee and internal audit effectively perform their roles in assuring the Trust s system of internal control Robust Counter Fraud arrangements is in place 3.8 Director of Quality & Safety The Director of Quality & Safety has delegated responsibility for clinical risk management including: Page 5 of 28

6 The professional lead responsible for safeguarding adults and children, executive lead responsible for Clinical Governance including Caldicott Guardian, Health & Safety, Infection, Prevention and Control Managing and overseeing the performance management of serious incidents reported by the providers of health services commissioned by the CCG. Ensuring that processes are in place to provide assurance with regard to clinical risk management within commissioned services, this includes (but not exclusively), patient safety regarding commissioned services in line with local and national legislation and guidance Collating intelligence from the CCG Governing Body with responsibility for quality of primary care, secondary care and mental health services. 3.9 Clinical Chair of CCG Committee, Deputy Clinical Chair, Vice Chair of CCG Committee, GPs with lead responsibility for General Practice, Secondary care, Mental Health Quality, Children s and Adult Safeguarding The individuals identified above have responsibility for identifying risks in their specific areas and discussing these with the Director of Quality & Safety and ensuring that assessment and mitigation is carried out providing assurance to the CCG Governing Body via the Joint Audit and Quality, Safety & Clinical Risk Committee Clinical Leads and Managers Clinical Leads and Managers are responsible for incorporating risk management within all aspects of their work and for directing the implementation of the CCG Integrated Risk Management Strategy by: Demonstrating personal involvement and support for the promotion of risk management Ensuring that staff accountable to them understand and pursue risk management in their areas of responsibility Setting personal objectives for risk management and monitoring their achievement Ensuring risks are identified and managed and mitigating actions implemented in functions for which they are accountable and are included in the organisational risk register as appropriate Ensuring risks are escalated where they are of a strategic nature Implementing the framework in relation to Health & Safety and other employment legislation by: a) Ensuring that they have adequate knowledge and/or access to all legislation relevant to their area and as advised by appropriate specialist officers ensure that compliance to such legislation is maintained b) Ensuring that adequate resources are made available to provide safe systems of work c) Ensuring that all employees attend appropriate mandatory training, as relevant to the role, e.g. Health & Safety, Fire, Moving and Handling and risk management training d) Ensuring that all staff are aware of the system for the reporting of accidents and near misses e) Monitoring of health and safety standards Page 6 of 28

7 3.11 All CCG Staff f) Ensuring the identification of all employees who require Health Surveillance according to risk assessments; ensuring that where Health surveillance is required no individual carries out those specific duties until they have attended the Occupational Health Department and have been passed fit g) Ensuring that the arrangements for the first-aiders and first aid equipment required within the organisation are complied with. That the location of first aid facilities are known to employees; ensuring that proper care is taken of casualties and that employees know where to obtain appropriate assistance in the event of serious injury h) Making adequate provision to ensure that fire and other emergencies are appropriately dealt with All staff working for the CCG are responsible for: Being aware that they have a duty under legislation to take reasonable care of their own safety and the safety of others who may be affected by the CCG s business and to comply with appropriate CCG rules, regulations, instructions, policies, procedures and guidelines Taking action to protect themselves and others from risks Identifying and reporting risks to their line manager Ensuring incidents, claims and complaints are reported using the appropriate procedures and channels of communication Co-operating with others in the management of the CCG s risks Attending mandatory and statutory training as determined by the CCG or their Line Manager Being aware of emergency procedures relating to their particular locations Being aware of the CCG s Integrated Risk Management Strategy and complying with the procedures 3.12 Contractors, Agency and Locum Staff Managers must ensure that where they are employing or contracting agency and locum staff they are made aware of and adhere to, all relevant policies, procedures and guidance of the CCG, including: The incumbent CCG Incident reporting Strategy and Procedure and the Health and Safety Policy Take action to protect themselves and others from risks Bring to the attention of others the nature of risks which they are facing in order to ensure that they are taking appropriate protective action 4. RISK MANAGEMENT FRAMEWORK 4.1 The main systems to facilitate the identification and management of risk throughout the CCG are as follows: Page 7 of 28

8 Establish, populate and maintain an organisation Risk Register (see Appendix B) that profiles all objectives and associated risks relating to the business planning and delivery of services and is reported on a regular basis to the relevant committees in line with the CCG s reporting requirements Establish, populate and maintain a Governing Body Assurance Framework (AF) that identifies the strategic objectives of the CCG and the risks that could threaten their achievement, and is reported on a regular basis to the CCG Governing Body, Joint Audit and Quality, Safety & Clinical Risk Committee Ensure that the Integrated Risk Management Strategy (see Appendix C) is reviewed thoroughly every year by the CCG Governing Body and the Quality, Safety & Clinical Risk Committee Involve all staff across the CCG in the system for identifying risks Monitoring and identification of risks across the CCG is undertaken on a regular basis, and the Organisational Risk Register is updated appropriately 4.2 Roles and Responsibilities The CCG Governing Body is responsible for the performance management of the CCG s Integrated Risk Management Strategy and systems of clinical, financial and organisational control, and oversees the overall system of risk management and assurance to satisfy itself that Brent CCG is fulfilling its organisational responsibilities and public accountability. Accountable Sub Committees The Joint Audit Committee, in line with the NHS Audit Committee Handbook and Outer Federation of CCG Joint Audit Committee Terms of Reference, is to ensure the CCG has an effective process is in place with regards to risk management. The Joint Audit Committee is the Assurance Committee and monitors the quality of the Assurance Framework and refers significant issues to the Governing Body. The Joint Audit Committee is the central means by which the Governing Body ensures that effective Internal Control arrangements are in place. The Joint Audit Committee receives and considers the latest iteration of the Assurance Framework at every meeting, along with updates on significant developments The CCG Executive Committee monitors in detail individual risks to achieving individual corporate objectives including action plans with focus on amber and red risks (see section 5.5 and Appendix F) The Quality, Safety & Clinical Risk Committee will be chaired by the appointed member of the CCG Governing Body. This is a committee of the CCG and has overarching responsibility for clinical risk management, information governance and health & safety risks. The Quality, Safety & Clinical Risk Committee will ensure that there is a sound system of risk management and quality assurance in place. As part of that work it: Initiates and monitors all clinical risks Receives and reviews all quality issues of concern and ensures that any actions to mitigate them are carried out. Ensures that appropriate plans are in place for emergency situations. Page 8 of 28

9 Liaises with the Governing Body to ensure that there are agreed Clinical Quality and Risk protocols across the CCG Receive Safeguarding children and adult reports from the CCG Safeguarding Sub Groups and Local Safeguarding Boards In addition, it supports the development and reviews annual Quality Accounts from the main contracted providers, oversees the process for distribution of service alerts for independent contractors, reviews the Clinical Risk Register and AF, receives the Integrated Quarterly Report, Quarterly Complaints reports and receives assurance and information on: Information Governance Serious Incidents and Complaints Infection, Prevention and Control Safeguarding Adults Safeguarding Children Service Alerts The QIPP and Finance Committee will ensure the CCG develops effective strategies and plans for use of its delegated financial resources in order to achieve its strategic objectives. The Committee will also ensure appropriate recovery plans are in place where performance deviates and recommend approval of strategies to the CCG Governing Body. The Sub Committee also serves to provide the CCG, with assurance that the budgets as delegated are being managed effectively and efficiently, and with due regard to the governance and financial procedures. The Committee will continuously assess financial and non-financial risks relating to the QIPP plans and ensure the CCG has in place measures and mitigation to manage risk Each Locality Group will promote risk management processes, as part of clinical governance, with all Brent CCG member practices. This ensures that practices continuously improve quality of primary care and report risks relating to primary care or to commissioned services to the CCG to ensure that risks are identified and managed Inter-relationships/Collaboration with other CCGs - As part of the transition to the new commissioning landscape, the Outer Federation of CCGs has agreed to work together as part of a Collaborative. The four CCGs which make up the Federation are committed to working together in a collaborative way where a common approach is desired The four CCGs have already identified that joint committees/working groups should be established in the following areas: Audit and Remuneration Committees Commissioning Support Services Strategic Planning and Service Transformation Provider performance and contract management Page 9 of 28

10 5. RISK MANAGEMENT PROCESS 5.1 Risk Identification - The CCG has established and maintains, via the Joint Audit and the Quality, Safety & Clinical Risk Committee, continual reporting, auditing and monitoring to ensure standards are being implemented, and therefore, risk is controlled to the lowest reasonably practicable levels. 5.2 Methods for identifying and managing levels of risk would include: Internal methods, such as; Incidents, complaints, claims and serious incident reporting and identification of trends, audits, QIPP related risks, project risks based on the achievement of project objectives, patient satisfaction surveys, risk assessments, surveys including staff surveys, whistle-blowing. Contract quality monitoring of commissioned services. External methods, such as; HM Coroner reports, media, national reports, new legislation, NPSA surveys, reports from assessments/inspections by external bodies, reviews of partnership working. 5.3 All identified risks will be recorded and managed through the CCG Risk Register and risks identified which could impact on the achievement of the CCG s strategic objectives are recorded and managed through the CCG Assurance Framework. 5.4 All Committee/groups reporting to the CCG Governing Body highlight risks for inclusion within the CCG Risk Register or AF. Risk identification is also obtained from member practices through practice visits, locality meetings, GP Reference Group meetings, patient engagement forums, practice feedback forms and practice managers meetings. 5.6 Risk Assessments are the responsibility of Locality/Service Manager who will keep a register of risk assessments and ensure they are managed in line with the CCG risk appetite (section 5.5 and Appendix F). The CCG has developed a common template (Appendix D) that may be used for the assessment of risks such as operational, organisational or health & safety risks. Areas in which risks must be assessed include: Health and safety risks; Organisational and financial risks; Commissioned service risks. 5.7 Local Incident reporting will be via the Locality/Service Manager who will be responsible for ensuring that all incidents are reported in line with the CCG incident reporting policy, an incident investigation is carried out and the appropriate measures to reduce the likelihood of re-occurrence are put in place 5.8 All incidents will be categorised to indicate severity using the risk matrix (Table 3).Details of all incidents are recorded, and trend analysis information will be submitted to the Joint Audit and Quality, Safety & Clinical Risk Committee. The Quality, Safety & Clinical Risk Committee oversees the management of clinical incidents and management of management of Health and Safety incidents. Page 10 of 28

11 5.9 Quantifying and Scoring Risk - Once a risk is identified it is important to establish the likelihood of it occurring and the potential impact if it did occur. This is measured by using a risk assessment matrix found at Table 3. The risk assessment is a systematic and common approach to quantifying all categories of risk. The matrix assigns values between 1 and 5 to both the likelihood of the risk being realised and the possible consequences of this. These are then multiplied together to give a risk rating. Appendix A contains a detailed guideline for assessing and quantifying risks Definitions of an Acceptable Risk and Risk Appetite An acceptable risk may be defined as a potential hazard that is either small enough to have an immaterial effect on the achievement of organisational objectives, or is a significant risk that has been mitigated by the establishment of effective controls to minimise the likelihood of the risk occurring, or to minimise the adverse consequences should the risk identified occur Risk appetite is a threshold the amount of risk that an organisation is prepared to accept before it takes action As part of the Brent CCG s risk management process, all risks identified are evaluated and given a risk level rating. The higher the risk level, the greater the likelihood an opportunity or threat will occur and the greater its impact The risk appetite for Brent CCG is defined as follows: Risk Level Low and Moderate/Green and yellow These represent low levels of opportunity/threat and actions shall be limited to contingency planning rather than active risk management action. Risks shall be recorded on the Locality/Service Risk Register. Risk level shall be monitored as part of the local risk register review of activities such as locality and service meetings. Risk Level High/Amber These represent medium levels of opportunity/threat which may have a short-term impact on contract objectives. Risks in this category shall have actions defined on the risk register or on an action plan for risk treatment. Risks shall be recorded Locality/Service Risk Registers and reviewed at appropriate meetings and relevant committees with responsibility for risk management. The risk level shall be monitored as part of CCG Executive Risk Register review together with the status of controls in place and risk treatment. Risk Level Extreme/Significant/Red These represent higher levels of opportunity/threat which may have a major or long term impact on benefits realisation, organisation objectives and which may also impact on Strategic objectives and outcomes positively or negatively. Risks in this category shall have individual action plans for risk treatment. Risks shall be proactively managed via the AF and reported to the CCG Executive, Audit Committee and to the Brent CCG Governing Body. The risk level shall be monitored as part of the CCG Executive bi-monthly AF review together with the status of controls in place and risk treatment. Appendix F provides a diagrammatic representation of Brent CCG s risk appetite Evaluation of Risk Page 11 of 28

12 Risks are identified and managed by all teams across the CCG and are recorded in the CCG Organisational Risk Register. Risks are escalated by the CCG Executive Team to the AF if it is considered that they would impact on the strategic objectives of the CCG Actions identified to minimise a potential risk are recorded on the Risk Register and include a time scale for expected completion of that action. When actions are complete they form part of the controls within the system. 6. THE CCG GOVERNING BODY ASSURANCE FRAMEWORK AND RISK REGISTER 6.1 The CCG has an integrated Governing Body Assurance Framework (AR) and Risk Register (RR) template. The template can be found in Appendix B. 6.2 Governing Body Assurance Framework (BAF) is a requirement established by the Department of Health in Assurance: the Board Agenda in July The AF is a tool for the Governing Body to satisfy itself that risks are being managed and objectives are being achieved. The AF sets out: Strategic objectives Principal risks Mitigating controls Assurances on controls, including Governing Body Reports Gaps in control Gaps in assurance Action plans Lead Director 6.3 The CCG has established a clear AF so that it can confidently sign its Annual Governance Statement (Statement on Internal Control). The CCG AF will reflect significant risks (15+) impacting on the CCG s Corporate Objectives. Significant risks (15+) are those that potentially threaten the achievement of the Trust s corporate objectives. This would include risk that could impact on the performance of the CCG as well as other high profile risks such as performance indicators and risks arising from external reviews. 6.4 Risk Registers are a management tool that enables an organisation to understand its comprehensive risk profile. It is simply a repository for all risk information. It records dependencies between risks and links between risks on the AF and locality/service risk registers. 6.5 The risk registers will be used to manage lower level and operational risks below 15. Risk registers will be maintained and updated by each locality in line with section 5.5 and Appendix F and forwarded to the governance team quarterly. All significant risks should be notified to the Clinical Director and Chief Operating Officer for agreement and inclusion on the AF. All Risk Registers will be prepared in the same format (Appendix B) to facilitate collation of information across the Trust into a single CCG wide Risk Register. Page 12 of 28

13 7. REPORTING ARRANGEMENTS 7.1 The CCG Governing Body will review the AF bi-monthly. The AF will be scrutinised at the bi-monthly Joint Audit Committee. The AF and Risk Register will be presented at the CCG Executive bi-monthly with specific focus on amber and red risks. The output of the risk management system for clinical risk will be considered by the Quality, Safety & Clinical Risk Committee. Chief Operating Officers/ Clinical Directors will be required to attend the Joint Audit Committee on a timetable rotational basis to discuss the significant risks in their business areas and how these are being managed and mitigated. Appendix E details the CCG AF and Risk Register arrangements. 8. OPEN AND FAIR CULTURE 8.1 The CCG supports an open, fair and a positive learning culture. A culture of openness is central to improving patient safety and the quality of healthcare systems. Encouraging openness and honesty about how and why things have gone wrong will help improve the safety of NHS services. 8.2 However, disciplinary action may be appropriate to be considered in the following circumstances: Repeat occurrences of incidents involving the same individual Deliberate failure to report an incident Failure to co-operate fully in subsequent investigation. 8.3 All employees should be familiar with the CCG s whistle-blowing and bullying and harassment policies and procedures. These procedures support staff to raise concerns in accordance with the Public Interest Disclosure Act TRAINING AND SUPPORT 9.1 To ensure the successful implementation and maintenance of this Integrated Risk Management Strategy, Committee members and staff will have access to appropriate advice, guidance, information and training in order to carry out their respective responsibilities for risk control and risk assessment. 9.2 All staff will receive mandatory training annually in Health, Fire & Safety, including risk assessment and management, via the CCG s corporate learning and development programme. 9.3 General awareness raising for staff is also undertaken through staff briefings, induction programmes and inclusion of relevant documents on the Intranet. The Integrated Risk Management Strategy is accessible to all CCG staff via the CCG intranet. 10. CONSULTATION AND COMMUNICATION WITH STAKEHOLDERS 10.1 It is good practice to involve stakeholders, as appropriate, in all areas of the CCG s activities, and this includes informing and consulting on the management of any significant risks. Interested parties would include: Staff, Patients and the Public within the CCG s area Page 13 of 28

14 Local politicians and the Secretary of State for Health Statutory and Voluntary agencies Local Authority Health Scrutiny Committee Primary Care Practices Patient and Public Involvement Forum/Links Health and Wellbeing Governing Body 10.2 A wide range of communication and consultation mechanisms already exist with relevant stakeholders, both internal and external. General public awareness raising of the CCG s Integrated Risk Management Strategy will be achieved through its presentation at CCG Committee meetings, which are all open to the public, at the Annual General Meeting and in the Annual Report, posting on the CCG s Website and through the patient involvement networks (LINKS). 11. MONITORING THE EFFECTIVENESS OF THIS STRATEGY 11.1 The CCG monitors and reviews its performance in relation to the management of risk, and the continuing suitability and effectiveness of the systems and processes in place to manage risk through a programme of internal and external audit work, and through the oversight of the CCG Governing Body, CCG Executive, Quality, Safety & Clinical Risk Committee and Joint Audit Committee. 12. REVIEW AND REVISION OF THE STRATEGY 12.1 This Integrated Risk Management Strategy is a working document and will be reviewed once the CCG has received notification of statutory organisation status or if not before, 1 April 2013 and then on an annual basis. 13. DISSEMINATION AND IMPLEMENTATION 13.1 This document will be made available to all employees via the CCG intranet. 14. EQUALITY AND DIVERSITY 14.1 The CCG aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. All policies and procedures should be developed in line with the CCG s Equality and Diversity policies and need to take into account the diverse needs of the community that is served. The equality impact assessment for this Strategy will be published on the CCG website. Page 14 of 28

15 APPENDIX A CCG RISK ASSESSMENT SCORING GUIDELINES 1. Introduction 1.1 Risk management is a systematic and effective method of identifying risks and determining the most cost effective means to minimise or remove them. It is an essential part of any risk management programme and it encompasses the processes of risk analysis and risk evaluation. 1.2 The Brent CCG Governing Body ensures that the effort and resource that is spent on managing risk is proportionate to the risk itself. Brent CCG has in place efficient assessment processes covering all areas of risk. 1.3 To separate those risks that are unacceptable from those that are tolerable risks should be evaluated in a consistent manner. Risks are usually analysed by combining estimates of consequence and likelihood in the context of existing control measures. The rating of a given risk is established using a two dimensional grid or matrix with consequence as one axis and likelihood as the other. 1.4 The following properties are essential for a risk assessment matrix: simple to use provides consistent results when used by staff from a variety or roles or professions capable of assessing a broad range of risks including clinical, health and safety, financial risk or reputation 1.5 This guidance can be used on its own as a tool for introducing risk assessment or for improving consistency or scope of risk assessments already in place within the organisation and for training purposes. 1.6 Where elements of this guidance are to be used as part of an organisation wide risk assessment system the guidance is integrated with or directly referred to within the Governing Body approved risk management strategy. In particular the organisation should use this guidance only within the framework of its strategic risk appetite and risk management decision making process. 2. Guidance on Consequence Scoring 2.1 When undertaking a risk assessment the consequence or how bad the risk being assessed is must be measured. In this context consequence is defined as the outcome or potential outcome of an event. Clearly there may be more than one consequence of a single event. 2.3 Consequences can be assessed and scored using qualitative data. Whenever possible, consequences should be assessed against objective definitions across different domains to ensure consistency in the risk assessment process. Despite defining consequence as objectively as possible it is inevitable that scoring the consequences of some risk will involve a degree of subjectivity. It is important that effective, practical based training, and use of relevant examples form part of the implementation of any assessment system to maximise consistency of scoring across the organisation. Page 15 of 28

16 2.4 The information in Table 1a should be used to obtain a consequence score. First define the risk explicitly in terms of the adverse consequence that might arise from the risk being assessed (see example 1 for cause and effect methodology). Then use Table 1a to determine the consequence score of the potential adverse outcomes relevant to the risk being evaluated. The examples given in Table 1a are not exhaustive. 2.5 How to Use Consequence Table 1a: Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1-5 to determine the consequence score which is the number given at the top of the column. Consequence scoring 1 Negligible 2 Minor Moderate Major Catastrophic 2.6 Many issues need to be factored into the assessment of consequence. Some of these are: Does the organisation have a clear definition of what constitutes a minor injury What measures are in place to determine psychological impact on individuals What is defined as an adverse event and how many individuals may be affected 2.7 A single risk area may have multiple potential consequences and these may require separate assessment. It is also important to consider from whose perspective the risk is being assessed because this may affect the assessment of the risk itself, its consequences and the subsequent action taken. 2.8 By implementing these guidelines the CCG will benefit from having more detailed definitions or samples for each consequence score. Page 16 of 28

17 TABLE 1 ASSESSMENT OF THE SEVERITY OF THE CONSEQUENCE OF AN IDENTIFIED RISK: Domains, Consequence Scores and Examples of the Score Descriptors Choose the most appropriate domain for the identified risk from the left hand side of the table Then work along the columns in same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column. Consequence score (severity levels) and examples of descriptors Domains Negligible Minor Moderate Major Catastrophic Impact on the safety of patients, staff or public (physical/psycholo gical harm) Quality/complaints/ audit Human resources/ organisational development/staffi ng/ competence Minimal injury requiring no/minimal intervention or treatment. No time off work Peripheral element of treatment or service suboptimal Informal complaint/inquiry Short-term low staffing level that temporarily reduces service quality (< 1 day) Minor injury or illness, requiring minor intervention Requiring time off work for >3 days Increase in length of hospital stay by 1-3 days Overall treatment or service suboptimal Formal complaint (stage 1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Reduced performance rating if unresolved Low staffing level that reduces the service quality Page 17 of 28 Moderate injury requiring professional intervention Requiring time off work for 4-14 days Increase in length of hospital stay by 4-15 days RIDDOR/agency reportable incident An event which impacts on a small number of patients Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) complaint Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Major patient safety implications if findings are not acted on Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Low staff morale Poor staff attendance for mandatory/key training Major injury leading to long-term incapacity/disability Requiring time off work for >14 days Increase in length of hospital stay by >15 days Mismanagement of patient care with long-term effects Non-compliance with national standards with significant risk to patients if unresolved Multiple complaints/ independent review Low performance rating Critical report Uncertain delivery of key objective/service due to lack of staff Unsafe staffing level or competence (>5 days) Loss of key staff Very low staff morale No staff attending mandatory/ key training Incident leading to death Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients Totally unacceptable level or quality of treatment/serv ice Gross failure of patient safety if findings not acted on Inquest/ombu dsman inquiry Gross failure to meet national standards Non-delivery of key objective/servi ce due to lack of staff Ongoing unsafe staffing levels or competence Loss of several key staff No staff attending mandatory training /key training on an ongoing basis

18 Consequence score (severity levels) and examples of descriptors Domains Negligible Minor Moderate Major Catastrophic Statutory duty/ inspections No or minimal impact or breech of guidance/ statutory duty Breech of statutory legislation Reduced performance rating if unresolved Single breech in statutory duty Challenging external recommendations/ improvement notice Enforcement action Multiple breeches in statutory duty Improvement notices Low performance rating Critical report Multiple breeches in statutory duty Prosecution Complete systems change required Zero performance rating Adverse publicity/ reputation Rumours Potential for public concern Local media coverage short-term reduction in public confidence Elements of public expectation not being met Local media coverage long-term reduction in public confidence National media coverage with <3 days service well below reasonable public expectation Severely critical report National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House) Business objectives/ projects Insignificant cost increase/ schedule slippage <5 per cent over project budget Schedule slippage 5 10 per cent over project budget Schedule slippage Non-compliance with national per cent over project budget Schedule slippage Key objectives not met Total loss of public confidence Incident leading >25 per cent over project budget Schedule slippage Finance including claims Small loss Risk of claim remote Loss of per cent of budget Claim less than 10,000 Loss of per cent of budget Claim(s) between 10,000 and 100,000 Uncertain delivery of key objective/loss of per cent of budget Claim(s) between 100,000 and 1 million Purchasers failing to pay on time Key objectives not met Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Service/business interruption Environmental impact Loss/interruption of >1 hour Minimal or no impact on the environment Loss/interruption of >8 hours Minor impact on environment 3. Guidelines on Likelihood Scoring Page 18 of 28 Loss/interruption of >1 day Moderate impact on environment Loss/interruption of >1 week Major impact on environment Claim(s) > 1 million Permanent loss of service or facility Catastrophic impact on environment

19 3.1 Once a specific area of risk has been assessed and its consequences score agreed, the likelihood of that consequence occurring can be identified by using Table 2 below which includes probability and frequency descriptions. As with the assessment of consequence the likelihood of a risk occurring is assigned a number from 1 to 5 the higher the number the more likely it is the consequence will occur: 1 Rare 2 Unlikely 3 Possible 4 Likely Almost certain 3.2 When assessing likelihood it is important to take into consideration the controls already in place. The likelihood score is a reflection of how likely it is that the adverse consequence described will occur. Likelihood can be scored by considering: Frequency (how many times will the adverse consequence being accessed actually be realised?) or Probability (what is the chance the adverse consequence will occur in a given reference period?) What is the likelihood of the consequence occurring? The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency. Page 19 of 28

20 Table 2 Likelihood Scores (Frequency and Probability Descriptors) Likelihood Score Descriptor Rare Unlikely Possible Likely Almost Certain Frequency How often might it/does it happen Probability Will it happen or not? Can t believe the risk will ever happen Do not expect the risk to happen but it is possible Page 20 of 28 The event may occur occasionally The event will probably occur but is not a persistent issue The event will undoubtedly occur, possibly frequently <0.1 per cent per cent 1-10 per cent per cent >50 per cent 3.3 It is possible to use more quantitative descriptions for frequency by considering how often the adverse consequence being assessed will be realised. A simple set of time framed definition for frequency is shown above in Table However frequency is not a useful way of scoring certain risks, especially those associated with the success of time limited of one off projects such as a new IT system that is being delivered as part of a three year programme or business objective. For these risks the likelihood score cannot be based on how often the consequence will materialise. Instead it must be based on the probability that it will occur at all in a given period. In other words a three year IT project cannot be expected to fail once a month and the likelihood score will need to be assessed on the probability of adverse consequences occurring within the project s time frame. 3.5 With regard to achieving a national target the risk of missing the target will be based on the time left during which the target is measured. The CCG might have assessed the probability of missing a key target as being quite high at the beginning of the year but nine months later if all the control measures have been effective there is a much reduced probability of the target not being met. 3.6 This is why specific probability scores have been developed for projects and business objectives. Likelihood scores based on probability have been developed from project risk assessment tools from across industry. The vast majority of these agree that any project which is more likely to fail than succeed (that is, the chance of failing is greater than 50 per cent) should be assigned a score of Risk Scoring and grading 4.1 Risk scoring and grading as follows: a. Define the risk(s) explicitly in terms of the adverse consequence(s) that might arise from the risk. b. Use Table 1a to determine the consequence score(s) (C) for the potential adverse outcome(s) relevant to the risk being evaluated. c. Use Table 2 to determine the likelihood score(s) (L) for those adverse outcomes. If possible, score the likelihood by assigning a predicted frequency of occurrence of the adverse outcome. If this is not possible, assign a

21 probability to the adverse outcome occurring within a given time frame, such as the lifetime of a project or a patient care episode. If a numerical probability cannot be determined, use the probability descriptions to determine the most appropriate score. d. Calculate the risk score by multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score). e. The five by five risk matrix in Table 3 shows both numerical scoring and colour bandings. XXX CCG Risk Management Strategy is used to identify the level at which the risk will be managed in the CCG, assign priorities for remedial action, and determine whether risks are to be accepted, on the basis of the colour bandings and/or risk score. Page 21 of 28

22 Table 3 Risk Matrix Likelihood of occurrence 1) Rare - Can t believe the risk will ever happen <0.1 per cent 2) Unlikely - Do not expect the risk to happen but it is possible per cent 3) Possible - The event may occur occasionally 1-10 per cent 4) Likely - The event will probably occur but is not a persistent issue per cent 5) Almost certain - The event will undoubtedly occur, possibly frequently >50 per cent Most Likely Consequence 1)None No obvious injury or harm Loss of per cent of budget Claim less than 10,000 2) Minor More than 3 days off sick due to injury Loss of per cent of budget Claim(s) between 10,000 and 100,000 3) Moderate Hospitalised or medium term injury Major financial loss ( 20K to 100K) including litigation settlement. 4) Major Significant / permanent harm Uncertain delivery of key objective/loss of per cent of budget. Claim(s) between 100,000 and 1 million Purchasers failing to pay on time ) Catastrophic Death or major disaster / loss Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Claim(s) > 1 million For grading risk, the scores obtained from the risk matrix are assigned grades as follows Red (15-25) Amber (8 12) Yellow (4 6) Green (1-3) Extreme risk High risk Moderate risk low risk Instructions for Use: Define the risk(s) explicitly in terms of the adverse consequence(s) that might arise from the risk. Integrate the likelihood score to the matrix Page 22 of 28

23 This model risk matrix has the following advantages: o Most NHS organisations are familiar with the five by five matrix o It is simple yet flexible and therefore lends itself to adaptability o It is based on simple mathematical formulae and is ideal for use in spreadsheets o Equal weighting of consequence and likelihood prevents disproportionate o effort directed at highly unlikely but high consequence risks. This should o clearly illustrate the effectiveness of risk treatment o There are four colour bandings for categorising risk o Even if the boundaries of risk categorisation change we are able to compare o scores to monitor whether risks are being evaluated in a similar manner Source: A risk matrix for risk managers NPSA January 2008 Example 1: Risk identification and management with the Cause and Effect methodology. Example risk: Concern about the CCG s adherence to the Data Protection Act Risk description Risk of breaching the DPA Causes: Lack of understanding of the Act by staff Low completion rate by staff of IG and data protection e-learning modules Line managers do not encourage staff to read and be aware of CCG policies Effects: Patient and/or staff data may be incorrectly processed and shared with 3 rd parties CCG may incur financial penalties if investigated by the Information Commissioners Office CCG may receive adverse publicity and reputational damage Level of complaints and litigation claims received may increase With the knowledge of our individual causes, we now know where to concentrate our controls and actions to mitigate or at least reduce the risk. If we can eliminate or at least reduce the likelihood of each cause occurring then we can reduce the overall likelihood (L) score. However the chance of us being able to actually reduce the consequence (C) score is low because should the risk be realised the outcome is still likely to be the same (in most cases but probably not all) so it is the likelihood we are essentially trying to reduce which in turn will of course reduce the overall risk score. Page 23 of 28