Proactive Risk Management. Risk in NHS Tayside. Risk Management Guidance Note

Transcription

1 Proactive Risk Management Risk in NHS Tayside Risk Management Guidance Note Author: Safety, Governance & Risk Department Review Group: Operational Risk Health and Safety Management Group Review Date: November 2014 Last Update: November 2013 Document No: RM/01 Issue No: UNCONTROLLED WHEN PRINTED

2 RISK MANAGEMENT Risk Management - The systematic identification, evaluation and treatment of risk. A continuous process with the aim of reducing risk to organisations and individuals alike. The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects. (Australian/New Zealand Risk Management Standard 4360:2004). (NHS Quality Improvement Scotland, 2007) Risk - The likelihood, high or low, that somebody or something will be harmed by an unwanted event or incident, multiplied by the severity of the potential harm. Risks are measured in terms of their likelihood and consequences. (NHS Quality Improvement Scotland, 2007) Heath care risk management is not a new management initiative. It is a way of considering the very important issue of risk in health care and building in a formal structure to manage and support the decision making process. Managing risk in our job is something that we all do, however large or small the organisation and whatever position we hold within it. Within NHS Tayside there are various levels of risk and the nature of these risks based mainly on their consequences for the patients, staff and services will be reviewed at different levels of the management structure. The overall aim of risk management activity is to continually improve patient care. The risk management framework within NHS Tayside has developed to enable the organisation to take the right risks. This allows the organisation to explore alternative solutions, examining in detail the ways in which we currently control some of the risks and identify where improvement is required. Implementing a risk management system is not easy. However, NHS organisations are currently required to demonstrate that risk management is an integral component of everyday activity. This requires risk management to be embedded within the culture of the organisation. The rewards for getting it right will result in a more forward thinking organisation, which will have a common purpose to anticipate problems and solve them imaginatively. The organisation will also be able to seize the opportunity to influence its future. This guidance note is designed to help all staff understand and use the risk management process to inform decision making processes throughout the organisation. TYPES OF RISK Whilst risks cover all aspects of health care activity, there are some generic risks to the organisation that must be considered. Key triggers/identifiers of particular importance for NHS Tayside may be developed from the key areas detailed in Trigger Areas for NHS Tayside (Appendix A). No one category or trigger should be analysed in isolation but all can be used as an aide memoir to identify the key areas where Tayside NHS risks lie. It is also useful to consider the key business processes as part of the exercise to identify the main risk areas. Any risk identified should be able to be tied in with an objective. All activities are carried out with a view to achieving an objective be it safe patient care, delivery of an effective service or maintaining a budget for example and the risk should be in relation to failure to meet that objective or opportunities for innovation, change or improvement related to the objective. Risk assessment and risk management are closely related but distinct concepts. Risk assessment will look at an area or a process and attempt to identify all risk areas. Risk Management is concerned with identifying, from the risks detailed in the risk assessment, key risks for inclusion in the Organisation s risk register (See the Electronic Risk Register system below) and putting in place management measures to mitigate these. 2

3 Within NHS Tayside all key risks are divided into one of three categories of either Corporate, Operational or Service Level Risk. Corporate Risks are risks which are at the highest level within the Organisation and are always owned by an Executive Director. These are reported to the Strategic Risk Management Group and Tayside NHS Board on a quarterly basis with a mid year progress report given to the most appropriate Standing Committee of Tayside NHS Board on an annual basis. They are also linked to the NHS Tayside Corporate Objectives, a copy of which is available from colleagues in the Deputy Chief Executive s Department on Extension Operational Risks are the suite of 5 or 6 risks which directly relate to the achievement of all corporate risks. These are also owned by an Executive Director but will be managed by a nominated member of staff. These must be agreed by the Strategic Risk Management Group and linked to a parent Corporate Risk. All other risks are known as service level risks and are owned by a member of staff, who has received Datix Risk Module User Training, within NHS Tayside. These service risks are then reviewed as portfolios of risk by an identified lead individual on a quarterly basis. However, all risks identified must be recorded within the Organisation s electronic risk register and a review timescale set for the content of the risk to be reconsidered. THE ELECTRONIC RISK REGISTER NHS Tayside operates a single risk register to record and monitor the Organisation s Risk profile. This is an electronic system which can be found under Business Systems on Staffnet, or via the link below, and which includes both clinical and non clinical risk. The Electronic Risk Register is intended to be dynamic risk register which records risks which have been identified, who owns and manages these risks, the level of control and any associated action plan for improvement. Each corporate risk should have under pinning operational risks recorded within the Electronic Risk Register. However, only key risks for an area need be recorded on the electronic risk register. That is to say not all risks identified in a risk assessment need be recorded, only those requiring continued monitoring and action to be taken to increase control and mitigate impact. 3

4 THE RISK MANAGEMENT PROCESS Most if not all of the techniques used in risk management are not new but have been taken from other areas of organisational activity. However, the pace of change in recent times has brought new risks and new forms of risk. Information technology, new legislation, cost reductions, staffing issues; all create risks that threaten the organisation s ability to meet its key objectives. Risk management requires the development of a method to identify, measure and manage the risks thereby reducing the potential for unexpected loss or harm. Such a method involves the consistent use of suitable techniques throughout the organisation. A typical risk management process will involve five main stages: RECOGNISE the risks and potential risks to organisation at all levels. Some of these risks will be immediately identifiable others may be less recognisable. Once the risks have been identified, the next step is to ANALYSE (evaluate) those risks. Measurement is defined by how serious the risks are in terms of consequence and relative frequency of occurrence. The next stage is to DETERMINE THE CURRENT CONTROLS of those risks. This can include many actions such as the use of protective measures, special training, new policies and procedures. The fourth stage in the risk management process is to ensure that AN ACTION PLAN is or will be available to meet the impact of any proposed/additional actions and measures that have been identified in order to avoid the potential risks. The fifth stage is to establish a system where all risks have a REVIEW process and defined reassessment timetable. This will ensure that the risk management process is dynamic and continuous. The review process includes the addition of new risks as they develop. Once all 5 stages have been completed and recorded the document in its entirety is commonly referred to as a Risk Control Plan. While any member of staff can raise an operational risk, all line managers are responsible for the implementation of a risk identification and management in line with this guidance. STAGE 1 RECOGNISE THE RISK This stage sets out to identify the risks facing the organisation/service and to understand its unique risk position. When complete this exercise will determine the broad risk areas, in terms of risk control and resource requirements. Identify key risks Strategic leadership and direction is fundamental to the development of the organisation s risk management framework. The risk assessment will initially be a top down approach looking at the significant risks and controls at corporate level, then cascade throughout the organisation. An individual may identify risks, but the assessment of any risk is a team or group activity. An important feature of this stage is to focus on the full range of risks across the organisation s objectives as well as departmental and individual objectives. The risks should be stated explicitly, giving each risk a title and then in more depth a narrative description which provides an effective summary of the risk considering the nature and characteristics of the risk. The risks must be communicated to the organisation and other relevant stakeholders through recording in the organisations electronic risk register. 4

5 STAGE 2 ANALYSE THE RISKS Now that the risks are identified the next step is to consider the likelihood (often referred to as probability or frequency) of the risk actually happening and then identify the potential consequences (impact) this event would have on the organisation, patients and staff. Likelihood This will be based on the likelihood of the risk materialising or the event occurring, e.g. the probability/frequency of the event. Identifying the likelihood of most events occurring in health can be subjective and based upon the knowledge and expertise of those involved in the risk scoring exercise. However, evidence and statistics may be available regarding the reoccurrence of certain events and this information can help you to assess the likelihood score. The likelihood score should be selected from Table. ONLY ONE SCORE MAY BE SELECTED. Table 1 Likelihood Score Descriptor Frequency of event occurring Timescales (Guide Only) Rare Can t believe this event would 5-10 years or more happen Unlikely Not expected to happen but might 2-5 years Possible May occur occasionally Annually Likely Could occur several times Quarterly Almost certain Could occur frequently Daily / Weekly / Monthly Consequences Once the likelihood is decided the consequences of the risk on the organisation must then be determined. The establishment of accurate severity categories is fundamental to the risk management exercise. This will reflect on the organisation should an identified risk or event occur. The severity must include the consequential losses as well as the direct loss to enable an accurate and consistent appraisal of the risks. In identifying the score, consider the most realistic worst case scenario if your risk were to occur. Referring to previously completed Incident Reports or other documentary evidence should enable you to reach an informed decision. A sample severity banding is provided in Table 2. Consider the impact under each heading and select the score, from 1 to 5, which is the highest to be your consequence score. 5

6 Table 2 Consequence Score Descriptor CONSEQUENCES Objectives Cost Physical Harm Schedule Reputation Negligible (Green) Minor (Green) Moderate (Amber) Major (Red) Extreme (Red) Minimal Impact. No service disruption Minor impact on service provision. Service objectives partially achievable. Significant impact on service provision Unable to function. Inability to fulfil corporate obligations Minimal financial loss, < 50k Moderate financial loss k Significant financial loss 250-1M Major financial loss 1M-2.5M Severe financial loss> 2.5M No obvious harm/ injury First aid treatment. Nonpermanent harm up to 1 month Medical treatment required. Semi - permanent harm up to 1 year. Extensive Injury. Major permanent harm. Death Minimal Increased level of care /length of stay1-7 days Increased level of care /length of stay 8-15 days. Pressure on service provision Increased level of care /length of stay >15 days. Temporary service closure Extended service closure No interest to the press. Some public embarrassment. No damage to reputation or standing in the community. Local adverse public embarrassment leading to limited damage. National adverse publicity. Major loss of confidence in organisation. Highly Damaging International adverse publicity. Severe loss of public confidence Risk Exposure Rating The Likelihood and Consequences scores are multiplied together to give a figure that represents risk exposure rating. This rating determines whether a risk is categorised as Red, Amber, Yellow or Green. See Table 3. LIKELIHOOD Table 3 Risk Exposure Rating CONSEQUENCE Negligible Minor Moderate Major Extreme Almost Certain Medium High High Very High Very High Likely Medium Medium High High Very High Possible Low Medium Medium High High Unlikely Low Medium Medium Medium High Rare Low Low Low Medium Medium 6

7 STAGE 3 DETERMINING CURRENT CONTROLS The NHS activity is inherently risky. All staff throughout the organisation currently manage aspects of risk within their existing decision making processes to give some level of control (Control Level). The Risk Register (Appendix B) is used as a repository to list all of your risks. The interrelationship between Likelihood, Consequences and Control Levels has become the generally accepted basis of risk management and is referred to as the Risk Control Plan (Appendix C). The following steps explain how to agree your Actual Risk Control Level. This figure represents the current position reflecting the mechanisms you currently have to control the risk. The systems and processes that are in place to control risk can be categorised into five groups of control; Management, Policies and Procedures, Contingencies, Active Controls and Passive Controls. This grouping ensures that all controls are recorded consistently and accurately throughout the organisation. They are characterised as: Management Policies and Procedures Contingencies Active (Timescales) Passive (External Controls/Guidance) - identify the management systems/ structures/monitoring mechanisms to control the risk e.g. meetings; additional staff appointments made; training available - the policies and procedures in place to control the risk - emergency plans /alternative arrangements that intervene should the risk become apparent - implementation of immediate actions required with clearly identified deadlines e.g. timetables, project plans etc. - activity/information legislation, outside your direct control which may have an effect of reducing the risk e.g. other available information, national directives and best practice. The controls within each group should be explored using brief bullet point information. This will help you to determine how much control you have against each group across the following scale; No Control, Controls Under Review, Controls Planned, Controls Partially Operational, Controls Fully Operational. The meaning of each of these levels and the associated scores is described in the Risk Control Matrix (Table 4). Within each group choose the one level of control that applies collectively to the bullet points you have already identified. This must be done for each of the five control groups. When complete, the accumulative total on a scale of 0 to 100 represents the overall score for the risk. Table 4 Risk Control Matrix Level Group Management 0 None No systems at present 5 Under Review Recognise change is necessary 10 Planned Objectives set Action plan Evidence of problem areas 15 Partially Operational Measured outcomes so some improvement Not applicable over the whole dept. area/organisation 20 Fully Operational Evidence that controls are reducing risk. Audit of system can demonstrate reduction in likelihood or severity 7

8 Policies Procedures Contingencies Active (Timescales) Passive (External Controls/ Guidance) Not available No evidence that a procedure exists If something goes wrong with current controls no plans available No action taken No evidence available Recognition that current policy requires review /amendment Awareness that plans are required. Evidence of investigation Plans to be reviewed Currently have some knowledge of passives control Action plan to review policy identifiable Implementation plan for policy in operation Contingency plan under development Action plan for this risk underdevelopment with clear deadlines Plan to identify information and other systems which may have an impact on risk exposure Evidence of staff awareness of policy and associated practices within some areas of the organisation /department Evidence of the implementation of contingency plan Tested and reviewed as a result Partially achieved Emerging evidence that changes introduced elsewhere are having an unexpected effect on outcome and reducing risk. Evidence of Audit of Policy, which has reduced the likelihood or severity of the risk identified Contingency plans have been tested and proved to be operational if required In full operation Immediate action of plans Demonstrable reduction in risk from passive risk awareness activity To make easy the analysis of the Risk Control Scores, the score is converted to a Risk Control Level on a scale of 1 to 10 as shown in Table 5, where 1 is Excellent and 10 is Very Poor. Table 5 Score Risk Control Description Level Excellent Very Poor STAGE 4 ACTION PLAN FOR IMPROVEMENT Tolerance Risk Control Level Following detailed appraisal of the identified risk, the risk owner must indicate an acceptable tolerance level for the risk. This is the LOWEST level of control over the risk that is acceptable to the organisation. The Strategic Risk Management Group for Corporate Risks and Operational Units for all other risks should agree the tolerance levels. After considering the relationship between the Actual Risk Control Level and the Tolerance Risk Control Level you may now need to decide whether a Target Risk Control Level is required. The rules a) and b) below will guide your through this process. a) If, for example, the Actual Risk Control Level is 7 but the Tolerance Risk Control Level is 4 then an Action Plan is required and a Target Risk Control Level must be set 8

9 b) If, for example, the Actual Risk Control Level is 2 but the Tolerance Risk Control Level is 4, then an Action Plan is not required but you can complete one if you feel this is necessary Remember: 1 indicates an excellent level of risk control whereas 10 indicates a very poor level of risk control. Target Risk Control Level The target will represent the HIGHEST control level considered realistically and economically achievable for any risk. As part of the process to identify your target risk control level, you must bullet point the additional measures or planned improvements to current controls which can be put in place to further mitigate the risk. These can again be categorised into five groups of control; Management, Policies and Procedures, Contingencies, Active Controls and Passive Controls. This will help you to determine how much control you have against each group across the following scale; No Control, Controls Under Review, Controls Planned, Controls Partially Operational, Controls Fully Operational using the Risk Control Matrix (Table 4). Within each group choose the one level of control that applies collectively to the bullet points you have already identified. This must be done for each of the five control groups. When complete, the accumulative total on a scale of 0 to 100 represents the overall score for the risk. To make easy the analysis of the Risk Control Scores, the score is then converted to a Risk Control Level on a scale of 1 to 10, as shown in Table 5, where 1 is Excellent and 10 is Very Poor. Additional information required to complete the Risk Control Plan: The named Risk Owner the person ultimately responsible for the risk The named Risk Manager the person actually managing the risk It is good practice to ensure that the named risk owner and risk manager are two different individual officers. This helps to ensure risks continue to be managed in the event of unexpected or planned absences. The reporting arrangements for review the review timescale and the person responsible for that if different from Risk Owner. The risk control plans may also be reviewed by a group or committee Details of the person recording the information and the date Capital and Revenue Recurring and Non Recurring Costs Risk Ranking Gives you a suggested order of priority in which to deal with your risks. This is calculated by the Actual Risk Control Level multiplied by the Risk Exposure Rating (Likelihood x Consequence). This highest score should then be converted to first on the list and the lowest score to last on the list. 9

10 STAGE 5 REVIEW AND MONITORING Review and Monitoring All identified risks and the associated actions must be reviewed and monitored on a continuous basis. In this context the term review means that the risk owner/risk manager must: Review their portfolio of risks to assess if they are still current and relevant and if not these should be archived. Go through all of the steps within the risk management process whilst identifying a risk and update any information, entries and scores as necessary to ensure the risk remains up to date and fit for purpose. A Risk Control Plan that does not change very often would probably indicate that risk is merely being identified, but not being managed or controlled. A key element to ensure adequate follow up is a monitoring process which is able to provide reasonable assurance to the organisation that there are appropriate control procedures in place for all significant risks and that these procedures are being followed. In addition, there should be formal procedures in place for reporting weaknesses and for ensuring corrective action. It is therefore suggested that departmental risk registers are discussed as a standing agenda item at local departmental risk/health and safety/clinical governance fora. In addition, Risk Management is reviewed and reported on to the highest level within the organisation. This includes new risks and risks which have breached their review date by more than one month being reported to the Operational Risk/Health and Safety Management Group on a bi-monthly basis; Corporate Risks being reported on and scrutinised by the relevant Standing Committee of Tayside NHS Board on a biannual basis and reporting on compliance to measures contained within the Critical Systems Checklist on a quarterly basis. Details of an alternative risk management process, entitled Failure, Modes and Effects Analysis is provided in Appendix D. RISK ESCALATION The risk escalation process may be through two key methods; as a formal identification of the need for a risk control plan during the development of business proposals or by agreement and discussion from local fora or NHS Tayside Executive Team members that a risk control plan is required. For any risk where there is uncertainty, this should be raised in the first instance at the appropriate local fora and subsequently if appropriate escalated to the relevant Locality Risk Management Group. The Chair of the group will agree and identify an individual to take formal ownership of the risk or if necessary decide to escalate the issue to the Operational Risk Health and Safety Management Group. If it is felt that any existing Operational risk should be altered to Corporate status as it has implications for the whole organisation, a proposal detailing the risk and the reasons behind this must be presented to the Strategic Risk Management Group for approval and allocation. 10

11 HORIZON SCANNING The Strategic Risk Management Group (SRMG) meets on a quarterly basis and holds 1 extra ordinary meeting every year. These are used to continually review and revise the Organisation s Corporate Risk Profile inclusive of any new risks which require to be added. Individual Corporate Risk Owners (Executive Directors) are responsible for Horizon Scanning in their own area of expertise/accountability, appraising the SRMG accordingly and working with colleagues from Safety, Governance and Risk to ensure any emerging corporate or operational risks are captured within the organisation s risk register which is reported to Tayside NHS Board on a quarterly basis. ARRANGEMENTS FOR PROJECTS AND PARTNERSHIPS Before the commencement of every major organisational change or project, a full risk assessment should be carried out and fully documented. This exercise should then be repeated at regular intervals during the life of the project to determine changes to risks and identify any new and emerging risks. The link below to the Capital Approval and Business Case Guide provides advise and direction in relation to this. Link to Capital Approval and Business Case Guide ARRANGEMENTS FOR WORKING WITH PARTNER ORGANISATIONS As the organisation develops in accordance with national and local initiatives, the risks emerging from joint working between other NHS Boards, other care providers/partners and independent contractors will require joint solutions. To ensure the optimal delivery of joint outcomes, each partner should have in place an effective system which allows for the mutual routine monitoring and updating of existing and emergent risks. SUMMARY HDL(2002)11 introduced the Statement on Internal Control which was replaced by the Governance Statement during 2011/12. The most recent guidance was issued in the Dear Colleague letter dated 10 December 2012, and requires Chief Executives of NHS Boards, in their capacity as Accountable Officers, to report on the internal control and risk management processes in place covering: Corporate Governance Clinical Governance Staff Governance Financial Governance Information Assurance To further support this, in accordance with NHS Healthcare Improvement Scotland (NHS HIS), previously NHS Quality Improvement Scotland (QIS) as an integral component of the Statement of Internal control, it is a mandatory requirement that NHS Boards have systems in place to manage risk (NHS QIS, 2005). Furthermore risk management should be embedded into all organisational processes and involve everyone in the organisation. (NHS QIS, 2005). It should be noted that organisations are advised to consider all risks rather than purely health and safety risks or, indeed only financial risks (Scottish Executive, NHS MEL, Corporate Governance, 1999). The Strategic Risk Management Group, Operational Risk/Health and Safety Management Group, Locality Risk Management Groups and 11

12 operational units within must work together to ensure that all significant risks to the organisation are identified and managed accordingly. The Risk Control Plans will inform the decision making process throughout the organisation. Each employee has the responsibility to identify the risk areas and actively manage the control of risk. By becoming involved in the process everyone has the opportunity to influence the decisions taken throughout the organisation The Safety, Governance and Risk Department may be contacted on Extension or by at for further advice or guidance on any of the issues discussed above. ACKNOWLEDGEMENTS The original document (2003) was prepared with advice and support and contribution from Mr Brian Kennedy and Mrs Eunice Muir, Management Executives CNORIS, Willis Ltd. 12

13 REFERENCES AND BIBLIOGRAPHY NHS Quality Improvement Scotland Clinical Governance and Risk Management national Standards - Clinical Governance and Risk Management: Achieving Safer, effective, patient-focused care and services. Available online (accessed March 2007) Clinical Negligence and other Risks Indemnity Scheme (CNORIS) Risk Management Standards for NHS Scotland. V4/2003. Scottish Executive: Edinburgh Department of Health, Doing Less Harm, Crown Copywright: London Failure Modes and Effects Analysis (FMEA) Tool, Institute for Healthcare Improvement, Boston, Massachusetts, USA. (accessed March 2007). Scottish Executive NHS HDL (2000) 2 Clinical Negligence and other Risks Indemnity Scheme (CNORIS). Amendment Regulations and Scheme Standards. Scottish Executive: Edinburgh Scottish Executive NHS HDL , Clinical Governance Arrangements Amendment to Mel (1998) 75 and MEL(2000)29. Scottish Executive: Edinburgh Scottish Executive NHS MEL (2000) 18, CNORIS. Scottish Executive: Edinburgh Scottish Executive NHS HDL (2002) 11 Statement of Internal Control (SIC). Scottish Executive: Edinburgh Scottish Executive NHS MEL (1999) 75, Guidance on Clinical Governance in the NHS. Scottish Executive: Edinburgh Scottish Executive NHS MEL (1999) 14, Corporate Governance in the NHS. Scottish Executive: Edinburgh Standards Australia International Limited and Standards New Zealand Risk Management. Sydney: Standards Australia International Limited and Standards New Zealand. AS/NZS 4360:2004 Standards Australia International Limited and Standards New Zealand, Guidelines for managing risk in the Healthcare sector. Sydney: Standards Australia International Limited and Standards New Zealand HB228:2001 Turnbull N Internal Control. Guidance for Directors on the Combined Code Willis Ltd CNORIS Risk Management Standards Guidance Note 2, Guidance on Risk Assessment and Risk Register. 13

14 ^éééåçáñ=^= Trigger Areas for NHS Tayside Clinical/Patient Safety Clinical Governance Clinical effectiveness/clinical outcomes Clinical Audit Clinical outcomes/standards Medicines management Confidentiality Infection control including HAI Risks & benefits of treatments Informed consent Professional support Standards of record keeping Staffing establishment Continuous professional development Performance indicators Follow up of adverse events Patient & public involvement Resuscitation & first aid Complaints & claims Business Reputational risk/communication Fraud control Employment law HR standards Partnership CPD Incident reporting & rapid follow up Operational/legal risk Managing controls environment Building controls Liability contracting Planning/transport Fire safety Estates maintenance Catering/food handling Emergency/business/continuity planning Contract control Security Medical devices management Corporate governance Financial risk/budget control Insurance IM&T/security Capital expenditure Value for money Performance of risk management Triple AIM Health & Safety H&S management Occupational health Waste management Control of hazardous substances Stress management V & A to staff Manual handling Radiation protection Legionella Asbestos Biological agents Confined spaces Contractors Display Screen Equipment Electricity Ergonomics Food Safety Hygiene Lone working Manual Handling New & Expectant Mothers Noise Asphyxia / drowning Scalding Liquid nitrogen / cold temps Cytotoxic drugs Lasers Vibrating equipment Condition of floors Separation of pedestrians and vehicles Housekeeping Lighting Temperature and ventilation Pressure systems Slip /trip hazards Vehicles (use of) Work at height Young People (16 to 18 yrs) This list is not exhaustive and is intended as a guide only 14

15 EXAMPLE RISK REGISTER Appendix B Location/ Department Date 11/08/2000 Date of Review 30/09/2000 Risk Ref. DESCRIPTION OF RISK 1 Failure to comply with HDL s ( loss of public confidence) RISK EXPOSURE RISK RISK CONTROL LEVEL Likelihood Consequences EXPOSURE RISK RISK OWNER (L) (C ) RATING RANKING ACTUAL TOLERANCE TARGET (L X C) Level Level Level A Smith 2 Failure to forward plan adequately Under over/commitment of resources) Loss of IT system B White C Black 4 Inadequate Clinical Staff cover Patient risks T Green 5 Complaints Failure to learn lessons Root cause analysis 6 Inadequate co-ordination of emergency planning with other organisations Almost Certain 5 Likely4 Possible 3 Unlikely 2 Rare D Brown M Line Extreme 5 Major 4 Moderate 3 Minor 2 Negligible 1

16 APPENDIX C RISK MANAGEMENT RISK CONTROL PLAN Risk Reference Number Directorate/ Department Risk Owner Risk Manager Risk Name Likelihood Consequences Risk Description ACTUAL CONTROLS Management PROPOSED CONTROLS Management Policy & Procedure Policy & Procedure Contingency Contingency Active (timescales) Active (timescales) Passive (external controls/guidance) Passive (external controls/guidance) Total Actual Risk Control Level Resource Requirements Capital: Total Target Risk Control Level Reporting arrangements Revenue: Recorded by Review timescale Date Person responsible

17 Appendix D Failure Modes and Effects analysis (FMEA) Institute for Healthcare Improvement Boston, Massachusetts, USA Failure Modes and Effects Analysis (FMEA) is a systematic, proactive method for evaluating a process to identify where and how it might fail and to assess the relative impact of different failures, in order to identify the parts of the process that are most in need of change. FMEA includes review of the following: Steps in the process Failure modes (What could go wrong?) Failure causes (Why would the failure happen?) Failure effects (What would be the consequences of each failure?) Teams use FMEA to evaluate processes for possible failures and to prevent them by correcting the processes proactively rather than reacting to adverse events after failures have occurred. This emphasis on prevention may reduce risk of harm to both patients and staff. FMEA is particularly useful in evaluating a new process prior to implementation and in assessing the impact of a proposed change to an existing process. Failure Modes and Effects analysis (FMEA) was developed outside of healthcare and is now being used in healthcare to assess risk of failure and harm in processes and to identify the most important areas of process improvements. FMEA can be used as an additional risk management tool alongside the NHS Tayside Risk Management processes and systems described within this Guidance Note, Assessing Risk in NHS Tayside. Further information and access to the FMEA interactive Online Tool can be obtained from either of the following websites: