Risk Management - Enterprise-Wide Risk Management Policy and Framework NSW Health

Transcription

1 Policy Directive Ministry of Health, NSW 73 Miller Street North Sydney NSW 2060 Locked Mail Bag 961 North Sydney NSW 2059 Telephone (02) Fax (02) Risk Management - Enterprise-Wide Risk Management Policy and Framework NSW Health Document Number PD2015_043 Publication date 13-Oct-2015 Functional Sub group Corporate Administration - Governance Summary This Policy Directive describes the requirements for NSW Health organisations to establish, maintain and monitor risk management practices in accord with the Australian/New Zealand Standard ISO 31000:2009, consistent with whole of Government policies. Replaces Doc. No. Risk Management - Enterprise-Wide Policy and Framework - NSW Health [PD2009_039] Author Branch Legal and Regulatory Services Branch contact Legal and Regulatory Services space space Applies to Local Health Districts, Board Governed Statutory Health Corporations, Chief Executive Governed Statutory Health Corporations, Specialty Network Governed Statutory Health Corporations, Affiliated Health Organisations, Public Health System Support Division, Dental Schools and Clinics, NSW Ambulance Service, Ministry of Health, Public Health Units, Public Hospitals, NSW Health Pathology, Cancer Institute (NSW) space Audience Boards, Chief Executives, Directors, Health Service Managers, Audit and Risk Committees Distributed to Public Health System, NSW Ambulance Service, Ministry of Health Review date 13-Oct-2020 Policy Manual Not applicable File No. H15/24603 Status Active Director-General space This Policy Directive may be varied, withdrawn or replaced at any time. Compliance with this directive is mandatory for NSW Health and is a condition of subsidy for public health organisations.

2 PURPOSE ENTERPRISE-WIDE RISK MANAGEMENT POLICY STATEMENT Risks and being risk aware are an integral part of organisational operations and must be identified and managed at the appropriate level for an organisation to be effective. Opportunities and threats should be addressed through a risk management process in order to maintain and improve performance and achieve identified objectives. NSW Health is committed to developing a risk management culture, where risk is seen as integral to the achievement of our aims at all levels of the organisation. This Policy Directive outlines the minimum mandatory requirements for NSW Health staff in complying with risk management standards, consistent with Principle 1 and Core Requirement 1.1 and 1.2 of the NSW Treasury Policy TPP MANDATORY REQUIREMENTS Each Health organisation is required to implement a risk management approach in line with this Policy Directive and the attached Enterprise-Wide Risk Management Framework. In order to achieve this, health organisations must: Embed risk management into corporate governance, planning, financial, insurable, clinical, workforce management structures, operational service delivery, project management and support functions such as procurement and asset management Include risk management as a part of the strategic, operational and annual business planning activities of the organisation, its facilities and/or networks Have an up-to-date Risk Register in place Have a Risk Management Plan that identifies how the organisation will manage, record, monitor and address risk, and includes processes to escalate and report on risk to the Chief Executive, Audit and Risk Committee and Board, as appropriate Have in place processes to monitor and review the risk and governance system Consider nominating a senior executive (other than the Chief Audit Executive) to be responsible for designing the agency s risk management framework and coordinating, maintaining and embedding the framework in an agency. IMPLEMENTATION Ministry of Health will: Champion a culture of risk awareness and monitoring systemic risk across NSW Health Update and monitor compliance with this Policy Directive Identify systemic risk issues in consultation with health organisations, central agencies and accountability bodies Review quarterly risk register reports received from health organisations and provide regular feedback on system-wide trends PD2015_043 Issue date: October-2015 Page 1 of 3

3 Provide feedback to health organisations, based on quarterly reports received POLICY STATEMENT Monitor compliance with NSW Health annual Audit and Risk Attestation Statements Maintain the Ministry of Health Risk Register and formal reporting requirements. Chief Executives will: Champion risk management culture within their organisation that includes a focus on continuous improvement and identifying opportunities as well as risks Ensure the Risk Management Plan is implemented and the Risk Register is current Ensure appropriate resources are allocated to managing and monitoring risk and to implementing risk mitigation strategies identified through risk planning activities Allocate accountability for managing individual risks at an appropriately senior level to ensure risk mitigation strategies are implemented Communicate risk management requirements to management and staff Take appropriate action on risks reported or escalated Provide the Audit and Risk Committee and Board with regular reports on risks and management actions being taken to mitigate these risks Determine the level of management that will be delegated authority to accept risks Provide quarterly reports to the Ministry of Health on the organisation s top 10 risks inclusive of all extreme risks Approve the annual Audit and Risk Management Attestation Statement. Senior Managers have key responsibilities to: Promote risk management within their areas of responsibility, including communication of requirements to relevant staff Be accountable for risks and mitigating controls within their area of responsibility and take appropriate action on risks reported or escalated Report on changes and updates to the organisation Risk Register, including updates on risk management strategies, current risk ratings and emerging risks. Risk Owners have key responsibilities to: Manage the risk, including designing, implementing and monitoring actions to address (or risk treatments for) a particular risk Assess the effectiveness of existing controls and design improvements as required Escalate the risk for effective management as appropriate to the level of the risk. Organisation Board will: Ensure an effective risk management framework (including risk appetite and risk tolerance) is established and embedded into the clinical and corporate governance processes of the organisation Provide strategic oversight and monitoring of organisation s risk management activities and performance PD2015_043 Issue date: October-2015 Page 2 of 3

4 POLICY STATEMENT Seek information from the Chief Executive as necessary to satisfy itself that risks are being identified and mitigation strategies are in place and effective. Audit and Risk Committees, with support of the Internal Audit function, will: Operate in accordance with the Committee s Charter as approved under the Internal Audit Policy Directive (PD2010_039 or current) Monitor and review risk management attestation compliance and report to the Agency Head on risk management and control frameworks within the organisation Ensure audit plans for the organisation include appropriate consideration of risk. REVISION HISTORY Version Approved by Amendment notes PD2015_043 Deputy Secretary, Updated policy directive (October 2015) Governance, Workforce PD2009_003 (June 2009) ATTACHMENTS and Corporate Director General New policy directive 1. Risk Management Enterprise-Wide Risk Management Policy and Framework NSW Health: Procedures. PD2015_043 Issue date: October-2015 Page 3 of 3

5 Risk Management Enterprise-Wide Policy and Framework NSW Health Issue date: October 2015 PD2015_043

6 Risk Management Enterprise-Wide Policy and Framework NSW Health CONTENTS 1. BACKGROUND AND DEFINITIONS Key Definitions and Concepts The Australian Standard on Risk Management KEY CONCEPTS AND OBLIGATIONS What is risk and risk management? Why a risk management framework? How can you embed risk management within an organisation? Risk Management Tools in the Framework NSW Health Risk Categories NSW Health Risk Matrix Risk Rating Types Risk Escalation THE RISK MANAGEMENT METHODOLOGY Step 1 Communication and consultation Step 2 Establish the context Step 3 Identify Risks Step 4 Analyse Risks Step 5 Evaluate Risks Step 6 Treat Risks Step 7 Monitor and review RISK REGISTER AND REPORTING Organisation Risk Register Risk Reporting Organisation Level Reporting State-wide Reporting LIST OF RISK MANAGEMENT TOOLS (Web Links) REFERENCES PD2015_043 Issue date: October-2015 Contents page

7 1. BACKGROUND AND DEFINITIONS This document describes the structures and processes Heath organisations are required to use to manage risks. The systematic process described here applies to all services obtained or provided internally or externally, and takes into account both clinical and non-clinical (service) reporting structures. It can be applied to any risk, regardless of severity. TPP15-03 Internal Audit and Risk Management Policy for the NSW Public Sector issued by NSW Treasury ( the Treasury Policy ) establishes whole of Government standards to support effective corporate governance and risk management practices across the NSW public sector. To this end the Treasury Policy sets out Core Principles and Core Requirements, including Risk Management. This requires organisations to establish and maintain an enterprise risk management process appropriate to their operations and adopts the Australian New Zealand Standard on Risk Management, to ensure common and generally accepted risk management terminology and processes are applied across Government. The current standards are AS/NZS ISO 31000:2009 (Risk Management Principles and Guidelines). NSW Health is committed to developing a risk management culture, where risk is seen as integral to the achievement of our aims at all levels of the organisation and where all staff are alert to risks, capable of an appropriate level of risk assessment and confident to report risk or opportunities perceived to be important in relation to each Health organisation s priorities. The Framework complements other NSW Health policy directives (such as those for incident management and workplace health and safety) and other key programs or initiatives specifically designed for the identification and management of individual incidents. The Framework is structured in 6 parts: Part 1 Background and Definitions Part 2 Key Concepts and Obligations Part 3 The Risk Management Methodology Part 4 Risk Registers and Reporting Part 5 List of Risk Management Tools (web links) Part 6 References 1.1 Key Definitions and Concepts The following definitions are used in this Framework: The Australian (AS/NZS ISO 31000:2009) means the Australian/New Zealand Standard Consequence and International Standard on Risk Management. means the outcome of an event that has a positive or negative effect on objectives. PD2015_043 Issue date: October-2015 Page 1 of 29

8 Current risk is a level of risk at a point in time. Subsequent re-assessments of risk rating usually made as a part of the review of the actual effectiveness of any additional controls, is referred to as Current risk rating. Health organisation means a Local Health District, Specialty Health Network, Statutory Health Corporation, Units of the Health Administration Corporation (including the NSW Ambulance Service, HealthShare NSW, ehealth NSW, Health Infrastructure and NSW Health Pathology), the Ministry of Health and health bodies established under their own statute, including the Cancer Institute of NSW and the NSW Institute of Psychiatry. Initial risk Likelihood Projected risk Risk is the first time the level of risk is assessed. The term is synonymous with the term Inherent Risk Rating. is the chance of something happening (whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically). is the level of risk assessed on the assumption that additional controls (additional treatments or mitigation) are in place. The term is synonymous with the terms Targeted Risk and Residual Risk. is the chance of something happening that will have an impact on an organisation s objectives. May be a positive or negative impact, and is measured in terms of impact and likelihood. Risk is also defined in the Australian Standards as the effect of uncertainty on objectives. Risk Management is generally understood as coordinated activities to direct and control an organisation, with regard to risk. The Australian Standards refer to risk management as including the the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. Risk owner is the officer designated as responsible for designing, implementing and monitoring actions to address (or risk treatments for) a particular risk. Risk Management sets out the organisations strategies for implementing and Plan maintaining a robust risk management framework, including activities, resources, responsibilities and timeframes. Risk Matrix means the NSW Health Risk Matrix, set out in Table 3 of this Policy Directive. Risk Treatment means an action identified to address or mitigate a risk. PD2015_043 Issue date: October-2015 Page 2 of 29

9 Stakeholder Strategic risks is a person or an organisation that can affect or be affected by a decision or an activity and includes those who have the perception that a decision or an activity can affect them; can be internal or external. are a source of uncertainty that may arise from a Health organisation s pursuit of a strategic objective, performance indicator or health system/support outcome. For example, a strategic risk might arise from substandard execution of decisions, inadequate resource allocation, or a failure to respond well to changes in the business environment or to failure to take advantage of untapped opportunities. 1.2 The Australian Standard on Risk Management The Australian Standard has been adopted by the NSW Government to ensure consistent terminology and to guide the approach of NSW public sector agencies. The Standard is not therefore a compliance standard, but provides a generic and flexible set of principles for risk management practice that can be applied to a wide range of activities and includes: An outline of the benefits to an organisation for adopting a consistent, systematic and integrated approach to managing risks and opportunities Concepts to be adopted when designing and implementing a risk management framework A focus on integrating risk management into organisation culture, creating continual improvement and best practice. How an organisation applies the Standard will depend on its size, nature, complexity and objectives, and maturity in risk management. Common features should include: A commitment by the executive to risk management A process which outlines how risks are to be managed A process in how risks are to be monitored and reported Clear accountabilities for the management of risks A process to review and improve on the local risk management procedure/plan. The Table 1 illustrates the relationships between the risk management principles, framework and process. Paragraph references are to the Australian Standards. The Standard forms the basis of the NSW Health Framework, as set out in the following Parts. PD2015_043 Issue date: October-2015 Page 3 of 29

10 (Extract from AS/NZS ISO 31000: Risk management Principles and guidelines) Table 1. PD2015_043 Issue date: October-2015 Page 4 of 29

11 2 KEY CONCEPTS AND OBLIGATIONS 2.1 What is risk and risk management? Risk is the effect of uncertainty on objectives with a likelihood and frequency that something will occur. Risk is expressed in terms of consequence or impact (How bad will an event be if it happens?) and likelihood (How likely is it that the event will happen?) As the outcomes of operational and business activities can be uncertain, they are said to have some element of risk. In the Health context, risks can contribute to strategic failures, operational failures, failures in quality and safety systems, financial failures, major environmental or public health incidents, deficiencies or ineffective plant or equipment, or failures in regulatory compliance. Risk management involves identifying the types of risk exposure within an organisation, measuring those potential risks and proposing means to mitigate them. While it is impossible to remove all risk, it is important for organisations to understand their risks and manage and identify the level of risk they are willing to accept in the overall context of effective operation and service provision. Risk management is essential to good management practice and effective corporate governance and ensures decisions are made with sufficient information about risks and opportunities. 2.2 Why a risk management framework? Managing risks identifying, assessing and controlling them is part of everyday activity throughout the NSW public health system. By identifying risks, a Health organisation is identifying any threats or opportunities in achieving its goals and objectives, as outlined in the Service Agreement or Agency Compacts and organisation planning documents and at a public health system level in the State Plan NSW 2021 and the State Health Plan. A Risk Management Framework provides a structure for a consistent risk management approach and for embedding risk management across all operations. An effective framework involves the examination of all aspects of an organisation s functions and responsibilities in order to identify and manage opportunities and threats. This includes, for example, consideration of risk and opportunities during: Strategic, business, service and workforce planning Budget planning and monitoring Planning, development and implementation of new service delivery methods, programs, clinics or projects Planning, development, implementation and maintenance of new and existing information technology hardware and software systems PD2015_043 Issue date: October-2015 Page 5 of 29

12 Development and implementation of new or revised policies, procedures and guidelines Changes to service delivery, projects or agreed levels of activity Planning and implementing capital projects and programs Procurement and acquisitions processes. Applying the framework helps management to make decisions that impartially and systematically consider both opportunities and threats. The framework also helps management and staff to prepare for and deal with risks in a timely manner, and the process of reviewing risks will allow new risks to emerge. 2.3 How can you embed risk management within an organisation? To integrate risk into everyday activities, it is essential to define responsibilities and accountabilities for staff in relation to risk management. Staff must understand what risks they are accountable for, and what activities and actions must be taken to manage those risks. Risk management must also be supported at the most senior level of the organisation, to ensure it is integrated into, and not viewed as separate from, core operational activities and to ensure accountabilities and responsibilities are clearly defined. Some ways of embedding risk in organisation operations and achieving greater engagement of staff across the organisation are: Including risk management accountabilities and expectations in internal performance management systems, both informal and formal, to support a culture where by risk and opportunities are proactively managed and learnings are shared Including consideration of risk in the terms of reference of significant organisation committees (e.g. committees overseeing quality and safety, infection control, disaster management) to engage them in identifying, monitoring and reviewing risks relevant to their area of oversight Ensuring risks identified by the organisation are allocated a risk owner to oversee the management of a risk. The risk owner should be sufficiently senior to properly direct and implement risk controls and assess their effectiveness. As such, while they should be knowledgeable about the risk, they will not generally be the person who implements the actions required to address the identified risk Ensuring local processes focus on risks being managed at as low a level as reasonably practicable, but also ensure there are processes are in place for staff to identify and escalate risks as the need arises to a more senior management for consideration, review and appropriate management action and direction to be given Ensuring senior executives and senior management accept responsibility for promoting risk management within the organisation, designing the organisations risk management framework and for the day-to-day activities associated with coordinating, maintaining and embedding the framework in day to day business. PD2015_043 Issue date: October-2015 Page 6 of 29

13 All staff are expected to manage risks in their own area, and within their capacity and delegation of authority. Risks that are beyond a staff member's capacity or delegation of authority need to be escalated to a higher level of management for review. Any subsequent mitigation should be communicated to the staff member who identified the risk. Reporting or communicating risks in this way will help to prevent errors, improve care and performance and achieve business objectives. 2.4 Risk Management Tools in the Framework An effective risk management system requires the application of consistent processes for identifying and categorising risk. The Framework sets out four main tools in this regard in the following subsections NSW Health Risk Categories Categorising risks supports identification of risks across all key aspects of a health organisation s business. They also assist in reporting and allow comparison and assessment across the wider health system. To this end a set of NSW Health Risk Categories has been developed (Table 2), including relevant examples. Table 2 NSW Health risk category Clinical Care and Patient Safety Health of the Population Examples of areas to consider within category Clinical KPIs in organisation Service Agreement Access appropriate to needs and prioritised according to clinical need Care evaluation, clinical handover, clinical ethics, clinical pathways and variance analysis Clinical quality improvement and clinical practice improvement Decision making at end of life and mortality management Discharge and transfer of care and recognition and management of deteriorating patients Ongoing care and management of chronic disease Patient safety, including infection control, medication safety and response to complaints and concerns about clinicians and near miss or incident trends Protection of children and others who are unable to care for themselves while accessing health services Monitor the continuum of care and clinical performance across the State Community health Disease prevention and control Human behaviour and demographics Health protection and surveillance Clinical strategic direction, planning, monitoring and performance of population health services across the State PD2015_043 Issue date: October-2015 Page 7 of 29

14 NSW Health risk category Workforce Communication and Information Facilities and Assets Security Emergency Management Examples of areas to consider within category Continuing education, learning and professional development Human resources performance management Claims (including general insurance) Organisational culture, Recruitment selection, credentialing, retention and appointment, including internationally trained medical officers Succession planning Workplace relations, including grievances Visiting medical officers, contracts and volunteers Hardware infrastructure (switchboards, pager systems, etc.) Information and data management system Informed consent Privacy and confidentiality Knowledge management Records management Risk communication Alerts Software Staff communication Technology and technical issues Release of information Digital Information Security eg. electronic medical record Social Media Assets management, including buildings, equipment, land, plant, vehicles, supplies and utilities Catering and food hygiene Preventative, repairs and maintenance Minor & Capital works Procurement Access and controls Identification Surveillance/CCTV Personal threat Security management Security monitoring Business continuity planning, management and resilience Infectious disease outbreaks, including emerging infectious diseases, and other biological threats Drinking water, pharmaceutical, food or other contamination Natural disasters, (eg. Extreme weather event) Man-made disasters (eg widespread power failure, explosion) Chemical, radiation or hazardous material incident PD2015_043 Issue date: October-2015 Page 8 of 29

15 NSW Health risk category Legal Finance Work Health & Safety Environmental Leadership and Management Community Expectations Examples of areas to consider within category Litigation Commercial and legal management Contract management Intellectual property Regulatory Compliance Fraud Medical indemnity insurance and Treasury managed fund Operational budgets and financial performance requirements under Service Agreements Public liability Administration, including accommodation, payroll and transport and travel Commercial income Procurement of goods and services, maintenance and contracts management Workplace health and safety Workers compensation and injury management Contractor non compliance Air quality, heating, noise, lighting and radiation Hazardous substances and dangerous good Waste management Cleaning services Infection control Complaints and compliments management Credentialing and delineation of clinical privileges Economic circumstances Effective Leadership Enquiries and ministerials External and internal auditing Governance structures, delegations and financial management Legislative compliance Monitoring performance Performance Management Political circumstances Professional development and Mentoring Reputation and image Resource accountability Service Agreement requirements Strategic and operational planning Succession planning Access to services Consumer engagement and empowerment, and stakeholders expectations Consumer feedback, cultural and special needs, planned and delivered in partnership with patient rights and responsibilities The right care and services including the protection of children provided in the right setting within appropriate timeframes PD2015_043 Issue date: October-2015 Page 9 of 29

16 2.4.2 NSW Health Risk Matrix The Risk Matrix (Table 3) was developed in 2009 to support classification of risks across the public health system with specific reference to the indicia relevant to health service providers. The Matrix provides a tool to apply a severity rating to each risk, by assessing the potential consequence of the risk and its likelihood of occurring. The Risk Matrix is required to be used for assessment and management of Health organisation risks, development of organisation Risk Registers, and forms the basis for reporting at the local, Chief Executive, Board (where applicable), Audit and Risk Committee and to the Ministry of Health (State-wide level). Rating the risk The Consequence and Likelihood descriptors are used to determine the possible outcome if the risk were to occur, which in turn provides the overall risk rating. The Risk Matrix should be used to determine the initial, current and projected risk ratings. In rating risks, it is important to use the matrix and follow these steps: Step 1 rank the consequence Step 2 rank the likelihood (probability/frequency) Step 3 classify the level of risk Step 1 Rank the consequence For each identified risk, determine the consequence of the event occurring (from catastrophic to minimal), using the examples contained within the NSW Health Risk Matrix, as a guide. Step 2 Rank the likelihood (probability / frequency) For each identified risk, determine the likelihood that the event will occur. Step 3 Classify the level of risk Once the consequence and likelihood of each risk has been determined, the position on the NSW Health Risk Matrix is represented alphabetically, from A to Y. The alphabetical representation highlights the risk position in relation to its consequence and likelihood, in doing this it clarifies the context of the risk position (risk rating). PD2015_043 Issue date: October-2015 Page 10 of 29

17 NSW Health Risk Matrix Risk rating Red = Extreme (A E) Orange = High (F K) Yellow = Medium (L T) Action required Escalate to CE or Head of Health service or Secretary, MoH A detailed action plan must be implemented to reduce risk rating with at least monthly monitoring and reporting. Escalate to Senior Management A detailed action plan must be implemented to reduce risk rating. Specify Management Accountability and Responsibility Monitor trends and put in place improvement plans. NSW HEALTH RISK CATEGORIES Clinical Care & Patient Safety Health of the Population Workforce Communication & Information Facilities & Assets Security Emergency Management Legal Finance Work Health & Safety Environmental CONSEQUENCE EXAMPLES Catastrophic Major Moderate Minor Minimal Unexpected multiple patient deaths unrelated to the natural course of the illness. An increase in the prevalence of known conditions contributing to chronic diseases across the state-wide population health KPI categories currently measured by NSW Health and or an increase of more than 10% in one or more category. Unplanned cessation of a critical statewide program or service or multiple programs and services. Cessation of services due to loss, damage or unauthorised access to property, assets, records and information. State-wide system dysfunction resulting in total shutdown of service delivery or operations. Legal judgement, claim, non compliance with legislation resulting in indeterminate or prolonged suspension of service delivery. More than 5% over budget NOT recoverable within the current or following financial year. Unable to pay staff or finance critical services. Multiple deaths or life threatening injuries or illness to non-patients. Permanent effect on the environment or is unlikely to recover. Unexpected patient death or permanent loss/reduction of bodily function unrelated to the natural course of the illness. Failure to materially reduce the prevalence of known conditions contributing to chronic disease across the majority of the state-wide population health KPI categories measured by NSW Health and or an increase of more than 5% up to 10% in one or more category. Unplanned cessation of a service or program availability within a Service Area with possible flow on to other locations. Prolonged service disruption or suspension of services due to the loss, damage or unauthorised access to property, assets, records and information. Services compromised as service providers are unable to provide effective support and other areas of NSW Health are known to be affected. Legal judgement, claim, non compliance with legislation resulting in medium term suspension of service delivery. Up to 5% over budget or a material overrun NOT recoverable within the current financial year. Unable to pay creditors within MOH benchmark. Death or life threatening injury or illness causing hospitalisation of non-patients. Long term effect on the environment. The environment will only recover through external assistance / intervention (EPA) Unexpected temporary reduction of patient s bodily function unrelated to the natural course of the illness which differs from the expected outcome. Failure to materially reduce the prevalence of more than one of the known conditions contributing to chronic disease from the statewide population KPI categories measured by NSW Health and or an increase of more than 2% and up to 5% in one or more category. Unplanned restrictions to services and programs in multiple locations or a whole hospital or community service. Temporary suspension of services due to the loss, damage or unauthorised access to property, assets, records and information. Disruption of a number of services within a location with possible flow on to other locations in the area. Legal judgement, claim, non-compliance with legislation resulting in medium term but temporary suspension to services. Up to 5% over budget but recoverable within current financial year. Serious harm, injury or illness causing hospitalisation or multiple medical treatment cases for non-patients. Short term effect on the environment. Environment likely to make a full recovery through local planning and response measures. Patient s care level has increased unrelated to the natural course of the illness. Failure to reduce the prevalence of one of the known conditions contributing to chronic disease from the state-wide population health KPI categories measured by NSW Health or an increase of up to 2% in one or more category. Unplanned service delivery or program delays localised to department or community service. Localised disruption to services. Minor loss, damage or unauthorised access to property, assets, records and information. Some disruption within a location but manageable by altering operational routine. Legal judgement, claim, noncompliance with legislation resulting in short term disruption to services. Up to 1% temporarily over budget and recoverable within current financial year Minor harm, injury or illness to a nonpatient where treatment or First Aid is required. Minor effect on the environment. Environment to make a full recovery by routine procedures First Aid provided to patient unrelated to the natural course of the illness. A preventative Health program has not demonstrably met planned objectives but the prevalence of known condition is continuing to decrease in line with KPI targets. Minimal effect on service delivery. Minimal effect on services. No loss or damage to property, assets, records or information. No interruption to services. Legal judgement, claim or legislative change but no impact on service delivery. Less than 1% over budget. Temporary loss of or unplanned expenditure related to individual program or project but no net impact on budget. Harm, injury or illness not requiring immediate medical treatment. No lasting effect on the environment. Green = Low (U Y) Manage by routine procedures Monitor trends. Leadership and Management Community Expectations Failure to meet critical priority KPI s included in the service s performance agreement. Sustained adverse national publicity. Significant loss of public confidence, loss of reputation and/or media interest across NSW in services. Failure to meet a significant number of priority KPI s included in the service s performance agreement. Sustained adverse publicity at a state-wide level leading to the requirement for external intervention. Systemic and sustained loss of public support/opinion across a service. Failure to meet a number of priority KPI s included in the services performance agreement. Increasing and broadening adverse publicity at a local level, loss of consumer confidence, escalating patient/consumer complaints. Extended loss of public support/opinion for a Facility/Service. Failure to meet one or more of the KPI s (excluding priority KPI s) included in the service s performance agreement. Periodic loss of public support. Minimal impact on local operations, local management review and occasional adverse local publicity. CONSEQUENCE RATINGS Probability Frequency Catastrophic Major Moderate Minor Minimal > 95% to 100% Several times a week > 70% to 95 % Table 3 Monthly or several times a year LIKELIHOOD Almost certain A D J P S Likely B E K Q T > 30% to 70% Once every 1-2 years Possible C H M R W > 5% to 30% Once every 2 5 years Unlikely F I N U X < 5% Greater than once every 5 years Rare G L O V Y PD2015_043 Issue date: October-2015 Page 11 of 29

18 2.4.3 Risk Rating Types The Risk Matrix should also be used to monitor progress through allocating a risk rating to each risk. These Risk Ratings form a key element of the organisation Risk Register as follows: Initial Risk Rating This is the initial risk, in the absence of any controls or mitigation strategies. The Initial Risk Rating will assist determining the importance of existing controls and the extent to which place are relied on to control the risk. Current Risk Rating Once an Initial Risk Rating is determined, identification of any existing controls in place will establish the Current Risk Rating. The Current Risk Rating will vary from time to time, depending on the effectiveness of those controls. The Current Risk Rating should be assessed regularly, as part of internal and external reporting and to check effectiveness of control strategies or identify any further strategies which may need to be employed. Being a progressive rating of the risk, the Current Risk Rating is usually based on partial implementation of the additional controls at a point in time. It should be noted that when a new risk is identified it is possible that the initial and Current Risk Rating will be the same, until such time as controls/treatments identified begin to be implemented. Projected Risk Rating The Projected Risk Rating will reflect the Current Risk Rating after any additional mitigation strategies are put in place. The Target Risk Rating therefore reflects the expected future level of the risk if and when all treatments (including those currently in train) are successfully implemented Risk Escalation All staff are responsible for identifying risks and reporting those risks to their managers for assessment. External stakeholders can also raise awareness of risks in health services. Once a risk has been identified, managers are responsible for assessing the risk using the NSW Health Risk Matrix. If a risk is beyond the manager s control or delegation to effectively control or mitigate the risk, the manager should escalate the risk to an appropriate, more senior level of management. This process should follow the governance and reporting structure that exist within the Health organisation. There is a direct link between the severity of a risk and the management level to which it should be escalated for action. The greater the risk, the more attention is required from senior management and the executive. The NSW Health risk escalator (Table 4) shows the communication flow to the appropriate authority, consistent with the NSW Health Risk Matrix. PD2015_043 Issue date: October-2015 Page 12 of 29

19 Risk rating Red = extreme (A E) Orange = high (F K) Yellow = medium (L T) Green = low (U Y) Action required Escalate to Chief Executive or head of health service Implement a detailed action plan to reduce risk rating Escalate to senior management Implement a detailed action plan to reduce risk rating Specify management accountability and responsibility Monitor trends and plan for improvement Manage by routine procedures Monitor trends Table 4 PD2015_043 Issue date: October-2015 Page 13 of 29

20 3 THE RISK MANAGEMENT METHODOLOGY The following 7 steps provide a methodology for identifying, assessing, and (where appropriate) addressing organisation risks, and for determining matters which should be recorded in the health organisation Risk Register. The methodology is based on the Australian Standard. The main elements of the methodology, set out in detail in the following paragraphs are as follows: Step 1 Communication and consultation Step 2 Establish the context Step 3 Identify risks Step 4 Analyse risks Step 5 Evaluate risks Step 6 Treat risks Step 7 Monitor and review risks (Steps 3 5 taken together are described as risk assessment ). 3.1 Step 1 Communication and consultation Communication and consultation are continual or iterative processes undertaken to provide, share or obtain information and to engage stakeholders about the management of risk. They are vital aspects of good risk management, and should be used in each step of the risk management process. A consultative approach to the risk process will: Help establish the risk context appropriately Help ensure that the interests of stakeholders are understood and considered Help ensure that risks are adequately identified and defined Ensure a common understanding across the organisation of the risks and strategies to address them Bring different areas of expertise together for analysing risks Help ensure that different views are appropriately considered when defining risk criteria and in evaluating risks Secure endorsement and support for a treatment plan PD2015_043 Issue date: October-2015 Page 14 of 29

21 Enhance appropriate change management during the risk management process. Some actions to take include: Develop a communication strategy for Enterprise-Wide Risk Management. Ensure that the strategy highlights the relevance of risk management to planning, performance, quality and safety, so that risk management becomes part of everyday business Review planning and reporting arrangements to ensure risk and risk management is embedded in the core business and reporting processes of the organisation. If a risk is assessed as having reached its projected rating, ensure that the risk is regularly monitored and reviewed, for example, by the owner of the risk or through team meetings and risk workshops. 3.2 Step 2 Establish the context Defines the context and scope for the organisation risk assessment. To establish the context, it is necessary to consider the strategic, organisational and risk management context in which risks will be managed. This means considering both the internal and external environment. First, consider the following three contexts for the organisation: Strategic Organisational consider the relationship between the organisation and its environment including reputational risk; identify the organisation s strengths, weaknesses, opportunities and threats; consider elements that might support or impair the organisation s ability to successfully manage risks. consider the organisation and its capabilities, including goals and objectives, and the strategies in place to achieve them; align risk management with the organisation s Service Agreement or Compact and consider NSW Health strategic and corporate plans Risk management consider the goals, objectives, strategies, scope and parameters of the risk management process, including the benefits, costs and opportunities of risk management activities and the required PD2015_043 Issue date: October-2015 Page 15 of 29

22 resources. Once the context has been considered: Develop / Use criteria evaluating risk Decide structure Use criteria in the Risk Matrix to evaluate the risk having regard to: organisations objectives outlined in key strategic and the operational documents such as LHD/SHN Service Agreements/Agency Compacts and plans linked to system wide and state-wide plans (such as the State Health Plan and NSW 2021); to be used to establish context, to ensure that it does not overlook any significant risks. Questions that may assist in establishing the context include: What is the policy, program, process or activity? What are the KPIs? Who are the stakeholders? What are the major outcomes expected? What are the significant factors in the organisation that have an impact on this area (for example: operational, environmental, social, community expectations, and technological)? What were the issues identified by previous reviews? What is the best way of structuring risk identification? What risk criteria should be established? What are the cost and revenue considerations? PD2015_043 Issue date: October-2015 Page 16 of 29

23 3.3 Step 3 Identify Risks Identifying risks involves asking: What can happen? and how can it happen? To determine what can happen, it is necessary to compile a comprehensive list of events that might affect the organisation, including sources of risk and areas affected. The aim is to identify all risks, regardless of whether they are within the control of the organisation. The process needs to be systematic and structured, to ensure all potential risks have been identified and considered. The identification of risk can be by an individual or through structured group process, as described below in Table 5. Methods for identifying risks and opportunities Risk identification group Structured risk and opportunity identification process Table 5 Examples Department/Unit planning process Risk workshops Risk profiling Techniques such as strengths, weaknesses, opportunities, threats (SWOT) analysis; brainstorming; analysis of systems or scenarios Risk identification through normal organisation activities Assessment against standards Incident or complaint Team meetings Managers forums Briefings Informal ad hoc meetings Routine data collection and in-patient data sets Stakeholder feedback Clinical quality reviews and audits Internal or external audits Accreditation reviews or other external reviews Workplace Health and Safety (WHS) and injury management (IM) profile audits Observation Professional judgement (from knowledge of standards) Adverse events and incident reporting Patient complaints Health Care Complaints Commission Independent Commission Against Corruption Ombudsman Coroners PD2015_043 Issue date: October-2015 Page 17 of 29

24 Internal Investigation processes Root cause analysis conduct investigations Generic sources of risk might include commercial and legal relationships, budgetary issues, human behaviour, clinical issues, natural events, political circumstances, technological issues or management activities. The categories of risk adopted for NSW Health are set out in Table 2. Questions that may assist in identifying risks: What are we trying to achieve? What are our KPIs or performance criteria? What is going to stop us from achieving our KPIs or performance? What could help us to achieve it & how? What is in our way of getting there & why? How likely what impact? What has to be done? How much will / may it cost? When should it be done? How quickly do we need to respond to prevent/reduce the impact if it does go wrong / realise the opportunities? Who is the Risk Owner accountable for mitigation? What could go wrong and how it could go wrong? What opportunities exist and how can they be realised? What resources do we already have to enable our actions to succeed? If required, can we obtain additional resources? Who else (internal / external stakeholders) needs to know or be involved? Once a risk is identified the risk needs to be described concisely, setting out what the risk is, what it is affecting, and how it impacts on objective(s). This description is important as it is where the risk story is told. It must make a reader understand the impact the risk has on the objectives. It should stand on its own, and be able to be understood by those not necessarily familiar with the background detail. This in turn ensures a common understanding across different operational and management levels as to the nature and consequences of the particular risks. PD2015_043 Issue date: October-2015 Page 18 of 29

25 3.4 Step 4 Analyse Risks Involves understanding the risks requiring action, and then ranking those risks so that resources to treat risks can be allocated to those of greater priority. Risks are analysed by combining estimates of likelihood and consequences, using the NSW Health Risk Matrix Table 3. The aim is to understand the nature of risk, and determine the risk before treatment. Analysis can be qualitative or quantitative, or a combination of both. Questions that may assist when using the Matrix include: What are the potential adverse (threats) consequences of each risk if they occur? What is the potential likelihood (probability) or frequency of the risks happening? What current controls exist to prevent, detect or correct the consequences or likelihood of the risk? PD2015_043 Issue date: October-2015 Page 19 of 29

26 3.5 Step 5 Evaluate Risks Develop a prioritised list of risks requiring attention. When the risk has been rated, the risk level needs to be compared with the Health organisation s management s acceptable level of risk or risk tolerance. Evaluating risks involves comparing the level of risk determined at Step 4 (Risk Analysis) against predetermined criteria, to decide if a level of risk is acceptable as is (referred to as within the tolerance level ), or action is needed to mitigate the risk (ie it needs to be treated ). This requires risk tolerance, which simply means the risk owners review the risk information in their area of responsibility to ensure the information, assessment and actions are reasonable and whether the risk is within the tolerance level. A range of issues arise in determining at what point to classify a risk as acceptable. Appetite for taking on a particular risk will vary from one manager or clinician to another: a risk that is acceptable to one person may be unacceptable to someone else. There is also likely to be different perspectives of risk at different levels of management from unit to department to executive level. Some key issues to consider in risk evaluation are: A decision must be taken on whether to accept or reject the risk, and if the latter to identify controls (see Step 6) Failure to make this decision means the risk has been accepted by default. A risk owner may decide to accept the risk with the current treatments / controls, and this is acceptable if it is within their delegation of authority. Organisations should neverthless have processes in place for review and oversight of risk evaluation to ensure consistency across the organisation and consideration and acceptance of tolerance levels/evaluations at Chief Executive / Board level. PD2015_043 Issue date: October-2015 Page 20 of 29