AGENDA ITEM NO: Meeting Title/Date: Governing Body - 21 July LNCCG Risk Management Strategy and Policy

Transcription

1 AGENDA ITEM NO: Meeting Title/Date: Governing Body - 21 July 2015 Report Title: Paper Prepared By: Executive Sponsor: Committees where Paper Previously Presented: Background Paper(s): LNCCG Risk Management Strategy and Policy Margaret Williams Date of Paper: June 2015 Kevin Parkinson Responsible Manager: Margaret Williams Quality Improvement Committee Summary of Report: Recommendation(s): Identified Risks: The CCG Governing Body is asked to adopt the revised policy Please Select Y/N N Impact Assessment: (Including Health, Equality, Diversity and Human Rights) Strategic Objective(s) Supported by this Paper: To Improve the health of our population and reduce inequalities in health N Please Select (X) To reduce premature deaths from a range of long term conditions To develop care closer to home To commission safe, sustainable and high quality Hospital Health Care To commission safe, sustainable and high quality Mental Health Care To improve capacity and capability of primary care services to respond to the changing health needs of our population Please Contact: Kevin Parkinson Chief Finance Officer/Director of Governance

2 NHS LANCASHIRE NORTH CCG RISK MANAGEMENT STRATEGY AND POLICY Date of Approval: Approved by: CCG Governing Body Review Date by: July 2016 Document Number: Issue Date: Status: DRAFT Version Number: 0.6.

3 C O N T E N TS 1.0 Introduction 2.0 Aims 3.0 Strategic Intent 4.0 Scope of the Strategy 5.0 Culture of the Organisation 6.0 Assurance Framework 7.0 Risk Management 7.1 Risk Definition 7.2 Risk Management Process 7.3 Risk Evaluation 7.4 Recording Risk 8.0 Claims and Complaints 9.0 Implementation 10.0 Risk Categories 11.0 Structures for Risk Management 11.1 Structure 12.0 Responsibility for Risk Management 12.1 All Managers 12.2 Responsibilities of All Staff, Including Agency & Locum 12.3 Risk Management Key Performance Indicators 12.4 Monitoring Arrangements for Risk Management 13.0 Risk Management Objectives 14.0 Information Governance 15.0 Equality Impact Assessment NHS Lancashire North CCG - Risk Management Strategy and Policy V June

4 Appendices Appendix 1 - Glossary of Terms Appendix 2 - Committee Structure Appendix 3 - Risk Matrix Appendix 4 - Screen Shot of Datix Risk Assessment Form Version Control Version Date Author Status Comment 1 10/12/12 Kevin Parkinson Working Draft Ratified by CCG Governing Body as part of authorisation process 2 30/04/12 Margaret Williams 3 21/05/13 Margaret Williams Amended Draft Draft CCG Quality Improvement Committee to agree amendments to recommend to Governing Body To be ratified by CCG Governing Body Elizabeth Hill - Reviewer Draft Revised Draft for review by Quality Improvement Committee 5 03/06/15 Margaret Williams Lead Nurse Draft Update post QIC meeting on the 3 rd June /06/15 Kevin Parkinson Draft Minor drafting changes NHS Lancashire North CCG - Risk Management Strategy and Policy V June

5 RISK MANAGEMENT STRATEGY AND POLICY 1.0 Introduction NHS Lancashire North CCG must be aware of all significant risks and must allocate resources appropriately to manage risk and ensure that the CCG meets its objectives. The risk management process supports the CCG s determination to commission services people need in a way that complies with its legal duties, makes best use of financial resources, and is of good standards of quality and safety. To ensure this process is carried out effectively formal structures are required which enable the CCG to identify, assess, control and mitigate risks. The CCG will ensure that decisions made by and on behalf of the organisation are taken with consideration to the effective management of risks. 2.0 Aims The aim of the strategy is to ensure that risks to employees, reputation, finances, patients (through commissioned services) and to the business continuity of the CCG are protected through the process of risk identification, assessment, control and where possible elimination. 3.0 Strategic Intent The CCG recognises that Risk Management is an integral part of effective management practices and, to be most effective, must be embedded within the culture of the CCG. The CCG is committed to a strategy that reduces risk to an acceptable level to all its stakeholders through this comprehensive Risk Management Strategy and Policy, which allows for flexibility, innovation and best practice and the delivery of its strategic objectives. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

6 3.1 Effective Risk Management Supports better project management Supports effective change management Minimise waste; fraud and supports effective use of resources Supports policy formulation Assists business continuity Facilitates successful commissioning of services to patients, wider community and other external organisations Encourages compliance with relevant laws and external enforcing agencies Supports the achievement of aims, objectives and targets Supports propriety and regularity of expenditure Supports better decision making 4.0 Scope This document applies to all employees of the CCG. Managers at all levels are expected to take an active lead to ensure that risk management and systems of internal control are of the highest standard and integral to the operation of the organisation. 5.0 Culture of the Organisation To meet its demanding targets the organisation is required to take measured risks, it is only by being innovative that it will meet the challenges faced by the CCG. As a principle the CCG will seek to eliminate, reduce and control risks but recognises that it is impossible and not always desirable to eliminate all risks. Therefore, the CCG may explicitly decide, on a case by case basis, to agree a level of acceptable risk for a particular project or operation. Occasionally, despite our best efforts, things can go wrong and it is important that risk management is about promoting a just, fair and positive culture which fosters learning and improvements as a result of risk identification or occurrence of untoward incidents. All efforts will be made to avoid cover ups of untoward incidents, mistakes or near misses and the overall approach within the CCG shall be one of help and support to each other, rather than recriminations and blame. The CCG is committed to this fair approach, and the requirements of the Duty of Candour (Nov 2014) to ensure that the CCG is open and transparent when certain incidents occur in relation to the care and treatment provided to people who use health services By adopting this stance, the CCG aims to promote an accountability culture which is just and fair to the staff and enables the CCG to learn from events and situations in order to continuously improve management processes and where necessary change policy/procedure to enable this to happen. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

7 6.0 Assurance Framework/Corporate Risk Register The organisation structure is supported by the CCG Risk Register (a log of strategic Assurance Framework risks and CCG Corporate Internal risks). Through review of the Risk Register the CCG gains assurance from others that risks to the achievement of the organisation s objectives are being appropriately managed throughout the organisation. The Risk Register is a dynamic live document which is updated to reflect changes in risk and controls exercised. In this respect the Assurance Framework and Corporate Risk Register is updated and reviewed by the Senior Managers and Quality Improvement Committee. This is to provide assure to the Governing Body that all risks in relation to the achievement of the CCG Strategic Objectives have been identified and are being monitored and managed. 7.0 Risk Management 7.1 Risk Definition The CCG defines risk as; "Anything that could cause harm to stakeholders to whom we owe a duty of care, or threatens the achievements of our strategic objectives. This includes damage to reputation and public confidence, risk that threatens achievement of CCG objectives, prevent ability to discharge our duty of care". A glossary of terms used as part of Risk Management is detailed in Appendix Risk Management Process The CCG operates two major systems to facilitate the management of risk throughout the organisation: Proactive r i s k m a n a g e m e n t, v i a t h e r i s k a s s e s s m e n t p r o c e s s (Health and Safety Policy: Guidance on Carrying Out Risk Assessments and Populating Risk Registers) Risk Assessment Form Reactive risk management, via incident reporting, investigation, the learning of lessons and the consequent changing of practice. (Health and Safety Policy: Untoward Incident Reporting and Investigation, Serious and Untoward Incident Policy) Both systems use the same risk grading matrix Appendix 3 in order to assess risks consistently across the organisation in terms of Likelihood and Consequence 7.3 Risk Evaluation The Risk Management Process being implemented by the CCG is based on the Australian Standard Risk Management AS/NZS 4360:1999 This methodology allows the systematic and quantifiable assessment, NHS Lancashire North CCG - Risk Management Strategy and Policy V June

8 COMMUNICATION & CONSULTATION MONITOR & REVIEW recording and treatment of risks. The process can be applied to any level in the CCG and to any procedure, project or decision. Adequate records must be maintained at each stage of the process, capable of being verified by independent audit. ESTABLISH CONTEXT IDENTIFY RISKS ASSESS RISKS ANALYSE RISKS EVALUATE & RANK RISKS TREAT RISKS RISK REGISTER The main elements of the above process are defined below: Establish context Establish the strategic, organisational and risk management context in which the rest of the process will take place. Criteria against which risk will be evaluated are established and the structure of the analysis defined. Identify risks Identify what, why and how things can arise as the basis for further analysis. Analyse risks Determine the existing controls and analyse risks in terms of consequence and likelihood in the context of these controls. The analysis should consider the range of potential consequences and how likely they are to occur. Consequence and likelihood may be combined to produce an estimated level of risk. Evaluate and rank risks Compare estimated levels of risk against preestablished c r i t e r i a. This enables risks to be ranked so as to identify management priorities. If the levels of risk established are low then risks may fall into an acceptable category and treatment may not be required. Treat risks Accept and monitor low priority risks. For other risks, develop and implement a specific management plan (action plans), which include cost considerations. Monitor and review Monitor and review the performance of the risk management system and changes which might affect it. Communicate a n d c o n s u l t C o m m u n i c a t e and c o n s u l t w i t h NHS Lancashire North CCG - Risk Management Strategy and Policy V June

9 i n t e r n a l and external stakeholders as appropriate at each stage of the risk management and overall process. 7.4 Recording Risks All CCG members are responsible for ensuring that risk assessments are undertaken which will form the basis of the Risk Register. The risk register will be compiled by the CCG and reviewed by the Senior Managers and Executive Committee. The risk register is a prioritised list of risks identified to the CCG through the risk assessment process. It will be a dynamic document that details the organisation's risk profile at any given time. All organisational risks will be reviewed by the Senior Executive Committee; Risks scoring 12+ will be reviewed by the Audit Committee and Quality Improvement Committee. Following review by the Audit and Quality Committee risks scoring 15+ will be reported to the CCG Governing Body. 8.0 Claims and Complaints There is an agreed process for reporting, managing, analysing and learning from complaints and claims which is in accordance with NHS guidelines. Regular reports of complaints and claims received by the CCG will be presented through the Quality Improvement and Executive Committees respectively. 9.0 Implementation The effective implementation of the Risk Management Strategy and Policy will facilitate the commissioning and delivery of a quality service. The CCG will, Ensure all employees and stakeholders have access to a copy of the Risk Management Strategy and Policy and related documents Undertake Risk Assessments and produce risk registers across the organisation which will be subject to routine review Communicate to employees any action to be taken in respect of risks identified Develop policies, procedures and guidance based on the results of assessments and all identified risks to assist in the implementation of this strategy Provide new employees with induction training including Health and Safety, fire, incident reporting, risk assessment and general risk management. Provide all employees with update training in Health and Safety, incident reporting, risk assessment, fire, manual handling and other training as required Ensure that employees have the knowledge, skills, support and access to expert advice necessary to implement the policies, procedures and guidance associated with this strategy Risk Categories Traditionally within the NHS risk has been identified as clinical or physical and more latterly strategic or operational. With a greater awareness of risk NHS Lancashire North CCG - Risk Management Strategy and Policy V June

10 comes a greater understanding of risk categories which will help to provide a structure and framework to allocate accountability and responsibility more effectively. The following categories may be helpful in identifying the risk to be assessed. Risk Category Change Financial Governance Legal and Compliance Operations Information and Technology People Strategic Clinical Reputational Risk Definition Risks that programmes and projects do not deliver agreed benefits on the line and within agreed budget and or/introduce new or changed risks that are not effectively identified and managed. The effective management and control of the finances of the CCG. The risk events can range from insufficient funding, poor budget management, mismanage assets and liabilities. Effective public bodies require a robust organisational structure with clear lines of authorities and accountabilities. Risk events can include inappropriate decision making and delegation of authorities. All can result in sub optimal performance and losses for the CCG. Legal issues such as contract and competition law, H&S, consumer protection, data protection, employment practices, failing to comply with employment legislation, claims against the CCG, and related regulatory issues The day to day concerns the CCG is confronted with as it strives to deliver its strategic objectives. They can include anything from loss of key staff to process failure. Risk events such as failure by a 3 rd party to deliver a service for the operation, breakdown in partnership with 3 rd party, failure to manage internal change etc. Operational risks are largely short to medium term where frequency is high/medium likelihood and low to high impact. This can include anything from loss of data to failure of a key IT system. It covers risk events such as technological breakdown, loss of hard or soft copy data, failure by a 3 rd party to deliver a service, breakdown in partnership with 3 rd party, failure to manage internal change etc. Staff resources (capacity and capability). These concern the long term strategic objectives of the CCG. They can be affected by external factors such as the economy, changes in the political environment, technological changes, and changes in legal and regulatory changes. The strategic risks are mainly significant risks that can potentially impact the whole CCG. They are also in a lot of cases cross-cutting risks the impact across the CCG rather than just one area. Risks that arise directly from the commissioning of healthcare to patients. This includes clinical errors and negligence, healthcare associated infection and failure to obtain consent. CCG s and CCG Board members may be at risk via H&S legislation if they do not have systems ensure that the services they commission are safe The reputation of the CCG will impact upon public confidence in local services NHS Lancashire North CCG - Risk Management Strategy and Policy V June

11 11.0 Structures for Risk Management. Organisation Structure In order to ensure that the risk management and external assurances are adhered to, the CCG has developed a structure with clear lines of responsibility and accountability. The diagram in Appendix 2 depicts the key established groups committed to support good governance, risk management and external assurances within the CCG. Details of the roles and responsibility of each group are outlined below. The Governing Body The Group s Membership Council has delegated authority to its Governing Body for the management of all risk. The governing body demonstrates commitment to managing risk through its endorsement of the Group s Risk Management Strategy and Risk Policy. SLA Quality schedules detail how the organisation manages risk issues with its health and social care providers. NHS Commissioning Board 2013/14 NHS Standard Contract- Particulars. The governing body has also established a number of committees and collaborative arrangements to enable it to discharge its responsibilities and to receive assurances that the Group s functions are being discharged appropriately and that risk is being managed. These are outlined below. Audit Committee The Audit Committee is responsible for providing assurance to the Governing Body in relation to the existence, suitability and robustness of risk management systems across the CCG. Remuneration Committee The role of the Remuneration Committee in relation to risk management is to monitor, review and reduce risks relating to financial reimbursement. Quality Improvement Committee The role of the Quality Improvement Committee is to ensure that the CCG commissions safe and effective services by ensuring that the CCG has systems and processes in place to support its quality objectives and accountability for commissioning high quality healthcare. It is responsible for ensuring that the risk register and the assurance framework are regularly reviewed, challenging risk owners where mitigating actions are not reducing the risks and ensuring that the CCG Governing Body regularly receives a report on the risks that will affect the achievement of the CCG s Corporate Objectives. Executive Committee The role of the Executive Committee is to keep under review and ensure the CCG governance requirement and legal duties. The Executive Committee is responsible for ensuring that the RED/ high level risks are regularly reviewed, challenging risk owners where mitigating actions are not reducing the risks. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

12 12.0 Responsibility for Risk Management The Chief Officers overall accountability and responsibility for risk management lies with the chief officer. The chief officer reviews the internal control systems annually to ensure sound systems are in place to support the achievement of the Group s policies, aims and objectives. The chief officer is also responsible for safeguarding the public funds and the Group s assets. Other governing body members and managers have responsibilities to manage risks effectively as outlined below. The Chief Finance Officer / Director of Governance is: Responsible for advising the governing body on all matters relating to risk management and for ensuring there is an integrated governance approach to risk management. This includes ensuring the governing body receives the group s assurance framework/corporate risk register for review and that risk registers are in place and maintained to support the group s discharge of its statutory functions. the group s and governing body s expert on finance and advises the group on the effective, economic and efficient use of its allocation and ensures through robust systems and processes, the regularity and propriety of expenditure is discharged; the governing body member with responsibility for the group s code of conduct, risk management including risk policies, advising on governance, security, claims, health and safety and reporting on the Group s performance concerning these matters directly to the governing body; is the group s senior information risk owner. The clinical leader on the governing body with responsibility for quality is responsible for: ensuring a non-punitive and systems-based approach to the reporting and investigation of adverse incidents is embedded in the culture of the group; ensuring a robust system for the reporting and monitoring of serious untoward incidents and never events in provider organisations as the co-ordinating commissioner; and providing assurance to the governing body that appropriate controls are in place and that effective learning and improvement in services have taken place; agreeing patient safety and governance indicators with healthcare providers through the quality schedules of the contract and for ensuring that effective monitoring systems are in place; for ensuring that the incident reporting policy and associated policies and procedures are implemented by directly employed staff and people working on behalf of the group. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

13 The Chief Commissioning Officer is responsible: for the Group s contracts for healthcare services and for ensuring that the procurement arrangements for those services comply with best procurement practice with the lead clinician for commissioning, seeking agreement to and managing the Group s memorandum of understanding with the local authority s public health service; oversight of the commissioning support services commissioned from the Group s commissioning support service provider in conjunction with the Chief Finance Officer. Elected Clinical Leaders, the Chief Officer, the Chief Finance and Governance Officer and the Chief Commissioning officer are responsible for ensuring that: responsibilities for the management and co-ordination of risks within their spheres of speciality are clear using the agreed mechanisms, set out in the Group s risk policy, to record risks and controls. Where significant strategic risks are identified, these will be reported in the assurance framework/corporate risk register; they identify and allocate the required reasonable resources to implement risk management; the business planning process takes into account risk management and legal issues which are fed into the Group s performance management process for regular review; CCG members and managers at all levels must stimulate the interest of their staff in the identification and reporting of hazards and risks which exist and managers must address these proactively. Additionally, all managers are expected to ensure that any adverse incidents and near misses, which occur in their areas of responsibility, are reported immediately, through the agreed reporting systems, and responded to positively through the agreed procedures. The overall risk management responsibilities of managers and staff are outlined below All Managers All Managers are responsible for ensuring that risk management is an integral part of the management process within their area of responsibility. They have a responsibility for ensuring that risk management tools e.g. Risk assessment and incident reporting are used effectively. All Managers must ensure that identified risks within their area of responsibility are actioned. Identified risks that can be adequately controlled using local control measures and resources must be addressed locally. Where a risk is identified or local control measures would not suffice to manage the identified risk, it should be escalated for inclusion onto the CCG Risk Register. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

14 12.2 Responsibilities of All Staff, Including Agency and Locum All staff employed by the CCG must manage risk within their own area of responsibility. Ideally this should include attending mandatory and statutory training, reporting incidents, assessing risks, reporting unsafe occurrences and compliance to policies. All staff have a statutory duty to take reasonable care of their own safety and the safety of others who may be affected by their acts or omissions. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

15 12.3 Risk Management Key Performance Indicators The Risk Management performance devised to ensure that the CCG embeds a safety culture throughout the organisation is audited through these indicators: Target External Assurances:- NHSLA, CQC, Pro-active risk management Re- active risk management Employee Support Key Performance Indicator Monitor compliance to assurances through audit programmes, ensure action plans of deficiencies are implemented effectively and in a timely manner through the Senior Managers and Executive Committee Regularly review (as specified in appropriate policy) of corporate risk registers by the Senior Managers and Executive Committee. Review, i n v e s t i g a t e and a n a l y s e i n c i d e n t s a n d s h a r e l e s s o n s through the Quality Improvement Committee. Provide Risk Management Training analyse and untoward incident trends through the Senior Managers and Executive Committee Monitoring Arrangements for Risk Management Assurances, assessments and risk management key performance indicators will be monitored through the Executive Committee Risk Management Objectives Objectives Date for Attainment Responsible Person 1 To work collaboratively across the health economy to ensure patient safety and the minimisation of risk 31/03/16 Lead Nurse 2 To provide a Risk Management Training Programme specific to role/position held as per CCG training needs analysis 31/03/16 CSU Risk Management Team 3 To maintain reporting of Serious Untoward Incidents on StEIS and Performance Manage from Service Providers where CCG is the lead commissioner. 31/03/16 CSU Quality & Contracts Team NHS Lancashire North CCG - Risk Management Strategy and Policy V June

16 4 To seek approval, dissemination and implementation of the Risk Management Strategy and Policy. 31/07/15 Chief Finance Officer, Director of Governance 5 To maintain the development of structures and processes to create a consistent and cohesive approach to integrated Risk Management. 31/03/16 Chief Finance Officer, Director of Governance 6 To review and maintain all Risk Management Policies and Procedures. Updated Bi- Annually CSU Risk Management Team 7 To produce an annual Risk Management Report. Annually Chief Finance Officer, Director of Governance 8 To populate Risk Registers and maintain on the Risk Management database. Minimum Monthly Review Quarterly Report to QIC and Audit Committee Governing Body Bi- annual Senior Manager Team 9 To support the delivery of CCG s Strategic Objectives 31/03/16 Senior Manager & Executive Team 10 Maintain compliance with NHS Protect requirements 31/03/16 Chief Finance Officer, Director of Governance 11 To maintain compliance to all statutory and mandatory requirements of external agencies 31/03/16 Senior Manager Team Achievement of these objectives will require the co-operation and involvement of all staff at all levels of the organisation 14.0 Information Governance The CCG must ensure that it meets its legal, ethical and quality standards regarding the Governance and Management of Information. The CCG will use the Information Governance Toolkit as the basis for its work in this area and will report through the Executive Committee Equality Impact Assessment The strategy will be applied consistently irrespective of age, disability, gender, race, religion/belief or sexuality. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

17 CCG Identification and Management of Risk Commissioning Managers Risk Identified Working Groups Committees Discuss with responsible owner, may or may not be SMT Risk Register form complete Risk graded below 12 Risk graded 12 and above Held as local portfolio RR Submitted onto CCG RR Decision re: entry into AF QIC Review Commissioning Managers maintain Audit Committee to appraise Review Senior Management Team Audit Committee to appraise Review Executive to receive high level risk Governing Body to receive Audit Committee to appraise NHS Lancashire North CCG - Risk Management Strategy and Policy V June

18 Appendix 1 GLOSSARY OF COMMON RISK MANAGEMENT TERMS Complaint: Consequence: External Assurance: Cost: Event: Frequency: Hazard: Incident: Incident Reporting and Investigation: Likelihood: Loss: Monitor: Organisation: Action taken by a patient or client of a healthcare facility, or his or her agent, to communicate dissatisfaction or concern about any aspect of care, treatment or experience. The outcome of an event, being a loss, injury, disadvantage or gain in respect of the physical, emotional, financial, social or credibility status of the individual or organisation. A process designed to provide evidence that the NHS in total and its constituent parts is doing its reasonable best to manage, direct and control itself so as to protect itself, its employees', patients and stakeholders' safety and interests against risk of all kinds. Activities, both direct and indirect, which result in a negative outcome or impact for an individual or the organisation - cost includes money, time, labour, disruption, and goodwill, political and intangible losses. An incident or situation occurring in a particular place during a particular interval of time. A measure of the rate of occurrence of an event expressed as the number of occurrences of an event in a given time. A source of potential harm or a situation with the potential to cause loss. Any unplanned event or circumstance resulting in, or having a potential for, injury, ill health, complaint, claim, damage or loss. A formal structured process and approach to enable the occurrence of incidents to be reported, recorded and the root cause of reported incidents identified, in order to manage risk exposure and identify corrective actions. A qualitative measure or description of probability or frequency. Any negative consequence, financial or otherwise. To check, supervise, observe critically or record the progress of an activity, action or system on a regular basis in order to identify change. A NHS Trust, company, firm, enterprise or association etc., which has its own function(s) and administration. NHS Lancashire North CCG - Risk Management Strategy and Policy V June

19 Risk: Risk Assessment: Risk Management: Risk Register: Assurance Framework: Risk Assurance: The possibility of suffering some form of loss or damage and/or the possibility that objective will not be achieved or that opportunities will not be taken. The identification and analysis of risks relevant to the achievement of objectives A systematic process by which potential risks are identified, assessed, managed and monitored. A record of residual risk which details the source, nature, existing controls, assessment of the consequences and likelihood of occurrence, action necessary to manage risk, person responsible for implementing action and timetable for completion A structure within which a board identifies the principal risks to the organisation meeting its principal objectives, and through which they map out both the key controls to manage them and how they have gained sufficient assurance about the effectiveness of those controls Level of scrutiny employed according to the importance or the criticality of the activity being considered. Risk Appetite: How much risk the organisation/individual is willing to except Risk Control: Techniques that utilises findings from risk assessment to develop and apply change to control risks e.g. Polices, standards, procedures, physical changes that reduce or eliminate risk (proactive management) NHS Lancashire North CCG - Risk Management Strategy and Policy V June

20 Appendix 2 Receipt of 15+ Risks Receipt of 12+ Risks Review of 12+ Risks Receipt of all Red risks Assurance that AF+RR process is adequate SMT Review NHS Lancashire North CCG - Risk Management Strategy and Policy V June

21 Risk Rating Matrix Appendix 3 Descriptor Staff/Patient/Visitor Injury (Physical/ Psychological) Patient Experience Negligible 1 Adverse event requiring no/minimal intervention or treatment. Impact prevented any patient safety incident that had the potential to cause harm but was prevented, resulting in no harm. Impact not prevented - any patient safety incident that ran to completion but no harm occurred. Reduced level of patient experience which is not due to delivery of clinical care. Minor 2 Minor injury or illness first aid treatment needed. Health associated infection which may/did result in semipermanent harm. Affects 1-2 people. Any patient safety incident that required extra observation or minor treatment (*w) and caused minimal harm to one or more persons. Unsatisfactory patient experience directly due to clinical care readily resolvable. Moderate 3 Moderate injury or illness requiring professional intervention. No staff attending mandatory/key training. RIDDOR/Agency reportable incident(4-14 days lost) Adverse event which impacts on a small number of patients. Affects 3-15 people. Any patient safety incident that resulted in a in treatment (*x) and which caused significant but not permanent harm to one or more persons. Unsatisfactory management of patient care local resolution (with potential to go to independent review). Major 4 Major injury/long term incapacity/ disability (e.g. loss of limb). 14 days off work. Affects people. Any patient safety incident that appears to have resulted in any permanent harm (*y) to one or more persons. Unsatisfactory management of patient care with long term effects. Significant result of misdiagnosis. Catastrophic 5 Fatalities. Multiple permanent injuries or irreversible health effects. An event affecting >50 people. Any patient safety incident that directly resulted in the death (*z) of one or more persons. Incident leading to death. 20 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June 2015

22 Descriptor Environmental Impact Staffing and Competence Negligible 1 Minor onsite release of substance. Not directly coming into contact with patients, staff or members of the public. Short term low staffing level (<1 day) temporary disruption to patient care. Minor competency related failure reduces service quality (1 day). Low staff morale affecting one person. Minor 2 Onsite release of substance contained. Minor damage to Trust property easily remedied < 10K. Ongoing low staffing level minor reduction in quality of patient care Unresolved trend related to competency, reducing service quality % staff attendance at mandatory/key training. Low staff morale (1-25% of staff). Moderate 3 Onsite release no detrimental effect. Moderate damage to Trust property remedied by Trust staff/replacement of items required 10K- 50K Late delivery of key objectives/service due to lack of staff % attendance at mandatory/ key training.. Unsafe staffing level. Error due to ineffective training/ competency. Low staff morale (25-50% of staff). Major 4 Offsite release with no detrimental effect/onsite release with potential for detrimental effect. Major damage to Trust property external organisations required to remedy associated costs > 50. Uncertain delivery of key objectives/service due to lack of staff % attendance at mandatory/ key training. Unsafe staffing level (>5 days). Serious error due to ineffective training and/or competency. Very low staff morale (50%-75% staff). Catastrophic 5 Onsite/Offsite release with realised detrimental/catastrophic effects. Loss of building/ major piece of equipment vital to the trusts business continuity. Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing levels. Loss of several key staff. Clinical error due to lack of staff or insufficient training and/or competency. Less than 25% attendance at mandatory/ key training on an ongoing basis. 21 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June 2015

23 Descriptor Complaints/Claims Financial Negligible 1 Informal/ locally resolved complaint. Potential for settlement/ litigation (<5K). Small loss. Theft or damage of personal property < 50. Objectives/Projects Insignificant (<5%) objective/ project slippage (finance, schedule, KPIs). Will not impact on ability to deliver objective/ project. Minor 2 Overall treatment/service substandard. Formal justified complaint. Minor implication for patient safety if unresolved. Loss 50K. Loss of % of budget. Theft of loss of personal property< 750. >Minor (5%) objective/project slippage (finance, schedule, KPIs) Will not impact significantly on ability to deliver objective/project. Moderate 3 Justified complaint involving lack of appropriate care. Claim(s) between 10K- 100K. Major implications for patient safety if unresolved. Loss of 50K- 500K. Loss of 0.25%-0.5% of budget. Theft or loss of personal property > 750. Moderate (5-10%) objective/project slippage (finance, schedule, KPIs). May impact on ability to deliver objective/project if management action not taken to resolve slippage. Escalation to senior management required for guidance. Major 4 Multiple justified complaints. Independent review. Claim(s) between 100K- 1M. Non-compliance with national standards with significant risk to patients if unresolved. Loss of 500K- 1M. Non-compliance with national standards with significant risk to patients if unresolved. >Significant (10-25%) objective/project slippage (finance, schedule, KPIs). Will impact on ability to deliver objective/project. Mitigation plans required. Escalation to relevant committees required. Catastrophic 5 Multiple justified complaints. Single major claim. Inquest/ombudsman inquiry. Claim > 1m. Loss of > 1M or loss <1% of budget. Loss of contract/payment by results. Major (>25%) objective/project slippage (finance, schedule, KPIs). Will significantly impact on the ability to deliver objective/project. Immediate mitigation plans required. Escalation to relevant committees required. 22 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June 2015

24 Descriptor Business/Service Interruption Negligible 1 Loss of interruption of service. 1 hour, no impact on delivery of patient care/ability to provide services Minor 2 Short term disruption, of >8 hours, with minor impact. Moderate 3 Loss/interruption of >1day. Disruption causes unacceptable impact on patient care. Non-permanent loss of ability to provide service. Major 4 Loss/interruption of 1 week. Sustained loss of service which has serious impact on delivery of patient care resulting in major contingency plans being invoked. Catastrophic 5 Permanent loss of core service/ facility Disruption to facility leading to significant knock-on affect across local health economy. Extended service closure. Inspection/ Statutory Duty Small number of recommended actions which focus on minor quality improvement issues. No or minimal impact or breach of guidance/ statutory duty. Minor non-compliance with standards. Minor recommendations which can be implemented by low level of management action. Breach of statutory legislation. No audit trail to demonstrate that objectives are being met (NICE;HSE). Challenging recommendations which can be addressed with appropriate action plans Single breach of statutory duty. Non-compliance with core standards <50% of objectives within standards. Temporary service closure. Enforcement action. Multiple breaches of statutory duty Improvement notice. Critical Report. Low performance rating. Major non-compliance with core standards. Multiple breaches of statutory duty. Prosecution. Severely critical report. Zero performance rating. Complete systems change required. No objectives/ standards being met. 23 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June 2015

25 Descriptor Adverse Publicity/ Reputation Fire Safety/General Security Information Governance/IT Rumours. Negligible 1 Potential for public concern. Minor short term (<1 month) shortfall in fire safety system. Security incident with no adverse outcome. Breach of confidentiality - no adverse outcome. Unplanned loss of IT facilities <half a day. Health records/ documentation incident - no adverse outcome. Minor 2 Local Media - short term - minor effect on public attitudes/staff morale. Elements of public expectation not being met. Temporary (<1 month) shortfall in fire safety system/single detector etc (non-patient area). Security incident managed locally. Controlled drug discrepancy - accounted for. Minor breach of confidentiality - readily resolvable. Unplanned loss of IT facilities <1 day. Health records incident/ documentation incident - readily resolvable. Moderate 3 Local media - long term. Moderate effect - impact on public perception of trust and staff morale. Fire code noncompliance/lack of single detector - patient area etc. Security incident leading to compromised staff/patient safety. Controlled drug discrepancy - not accounted for. Moderate breach of confidentiality - complaint initiated. Health records documentation incident - patient care affected with short term consequence. Major 4 National media <3 days - public confidence in organisation undermined - use of services affected. Significant failure of critical component of fire safety system (patient area). Serious compromise of staff/patient safety. Serious breach of confidentiality - more than one person. Unplanned loss of IT facilities >1 day but less than one week. Health records/ documentation incident - patient care affected with major consequence. Catastrophic 5 National/international adverse publicity?3 days. MP concerned (questions in the House). Total loss of public confidence. Failure of multiple critical components of fire safety system (high risk patient area). Infant/young person abduction. Serious breach of confidentiality - large numbers. Unplanned loss of IT facilities >1 week. Health records/ documentation incident catastrophic consequence 24 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June 2015

26 Explanation of keys (e.g. w,x,y,z) W Minor treatment is defined as first aid, additional therapy & additional medication. It does not include any re admission into hospital, any extra time as an outpatient or continued treatment over and above the treatment already planned. X Y Z Moderate increase in treatment is defined as a return to surgery, an un-planned re-admission, a prolonged episode of care, extra time as an outpatient, cancelling of treatment or transfer into hospital as a result of the incident. Permanent harm directly related to the incident and not the natural course of the patient s illness or underlying condition is defined as permanent lessening of bodily functions, or sensory, motor, physiologic or intellectual impairment. The death must relate to the incident rather than to the natural course of that patients illness or underlying condition, 25 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June 2015

27 LEVEL DESCRIPTOR EXAMPLES 1 Rare Difficult to believe that this will ever happen again FREQUENCY/ OCCURANCE CONSEQUENCE LIKELIHOOD Annually Unlikely Do not expect it to happen/happen again but it may 3 Possible It is possible that it may occur/reoccur Bi-annually Monthly Likely It is likely to occur/reoccur but is not a persistent issue Weekly Almost Certain Will almost certainly occur/reoccur and could be a persistent issue Daily Risks are now reported via Datix (link: risk reporters must have a Datix login and a copy of the Risk Management Datix Guide both of which can be requested by ing scsu.riskteam@nhs.net. Note all risk entries must be initially discussed with the appropriate senior manager. Telephone support is accessed via; Tel: To access a generic Risk Assessment Form please contact: Jacqui.thompson@lancashireccg.nhs.uk NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June

28 Screenshots of Datix Risk For Appendix 4 27 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June 2015

29 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June

30 NHS Lancashire North CCG Risk Management Strategy & Policy V0.5; 12 th June