Risk Management Framework



4 November 2013
Performance and Resources Board

15 To consider: Risk Management Framework

Issue

1 To consider a draft revised Risk Management Framework as requested by Council at its meeting on 7 February 2013. The Framework will be discussed by the Audit and Risk Committee at its meeting on 6 November 2013, and then considered for approval by Council on 10 December 2013.

Recommendations

2 The Performance and Resources Board is asked to:
a consider the draft revised Risk Management Framework, at Annex A
b endorse the basic principle of a Risk Summary tool (at Annex B), which was commissioned by the Audit and Risk Committee as a means of displaying our high-level risk profile, and to note that this will be further developed in line with the emerging Corporate Strategy.

Risk Management Framework

Issue

Revising the Risk Management Framework

3 At its meeting on 7 February 2013, Council asked the Audit and Risk Committee to oversee a review of the Risk Management Framework. This review was necessary because:
a the Framework had not been substantively reviewed since 2009, and there had been improvements made to internal practice since then
b the Framework needed to incorporate outstanding improvement actions identified in recent internal audit recommendations
c there would be a clear benefit in this work as it would provide members with the chance to reflect, as a newly formed Audit and Risk Committee, on a range of issues linked to risk management
d other changes to our governance structure, such as the role of the Performance and Resources Board, also needed to be reflected in the Framework.

4 The Audit and Risk Committee considered the project at its meeting on 30 April 2013 and agreed that this should be taken forward with external support and expertise. The Audit and Risk Committee was asked to report back to Council with a draft Framework for approval by the end of 2013.

5 The exercise of revision and approval offers the opportunity to re-assert the value of the Framework in driving good risk practice and performance management within the organisation.

6 The revised Risk Management Framework:
a reflects the outcomes of the review, overseen by the Audit and Risk Committee. It was driven by opinion expressed by our business champions and by Council members, and by a comparison of good practice from other regulators and review of internal risk process
b updates roles and responsibilities for risk management to reflect recent changes to our governance, for example inclusion of the Performance and Resources Board within the monitoring and decision making process around risk
c removes inconsistency and gaps in the existing Framework highlighted in recent audits and resulting from improvements to internal practice made since the publication of the previous version in 2009, for example the provision of a clear process for the escalation of risk
d Following approval of our revised Risk Management Framework by Council, we will begin its roll out and embedding within our work, including training relevant staff. We will undertake internal communication activity to ensure that the changes to the framework are well understood by our staff.

Our Review

7 Initial engagement with the Business Champions helped us identify their perceptions of the strengths and weaknesses of the existing Framework. A record of outstanding actions from recent risk audits was considered, and external support from PA Consulting was commissioned.

8 A seminar on risk management for members of the Audit and Risk Committee and other interested Council members was held on 5 September 2013. The objectives of the session were to:
a ensure a consistent understanding of the current Framework
b share understanding of the different models of risk management
c discuss the main risks facing the GMC which the Audit and Risk Committee would like to consider
d agree the themes to be taken forward in the review
e confirm the next steps.

9 The seminar also included a presentation on alternative models for risk management, together with innovative methods for reviewing key risks, as used by several UK regulators from other sectors. This generated Audit and Risk Committee interest in designing a Risk Summary tool to support discussion on corporate risks; a straw man for which is presented at Annex B.

10 Further work to support the review included:
a assessment of where our current practice may have moved on from that outlined in the current Framework
b a line by line review of the Framework by both PA Consulting and the Intelligence Unit
c views on good practice by PA Consulting.

11 These recommendations were circulated to Audit and Risk Committee members. A draft Framework was then developed and refined in consultation with the Business Champions and the Head of Consultancy and Review Service.

Revisions made to the Framework

12 Whilst substantial updating of the document was required, the existing Framework was fundamentally sound in approach and principle.

13 The draft revised Framework is at Annex A, and features the following substantive changes:
a Introduction - a short Purpose section is included, some definitions have been added, and we have emphasised the importance of embedding risk management in our organisational culture.
b Policy Principles - we are adding two new principles that, firstly, advocate clear ownership for each risk, and secondly ensure risk review and mitigation is an active process which is considered as part of our everyday work.
c Risk Management Overview - this section has been added, to replace the previous Planning & risk section. It provides a clear view of risk management through all levels of our organisation and provides guidance for staff in framing their thinking about risk.
d Roles and Responsibilities - updated largely to reflect changes in our governance structure. We are now including the role of the Performance and Resources Board in the monitoring, discussion and approval of risk. The responsibilities of individual risk owners and of all staff have also been emphasised.
e Risk Management Methodology - we have provided clearer guidance on how to assess both the impact of the risk to us as an organisation and the likelihood of it occurring. We have also stressed the importance of clear definition of risks, and discussed the roles of the Performance and Resources Board, Audit and Risk Committee and Council.
f Throughout the Framework we have highlighted the importance of ownership of risk, raising awareness and taking action.

14 We are encouraging the use of evidence in our identification, assessment and mitigation of risk to take advantage of our research programme, continuing insight received through engagement with stakeholders and the increasing sophistication of our understanding of the regulatory environment.

15 We are communicating the importance of connecting risk management with delivery of our new Corporate Strategy 2014-17.

Supporting information

How this issue relates to the corporate strategy and business plan

16 Risk management forms an essential part of our corporate and planning processes by ensuring our activity is based on a sound risk assessment. Our local risk register forms part of our Operational Plan. The framework helps manage threats and opportunities effectively, thereby creating an environment where surprises are minimised and projects managed effectively.

Other relevant background information

17 Risk management forms a central part of our internal control and corporate governance. A good framework enables the Council and the executive to communicate effectively about the risks to the delivery of our aims and objectives at strategic and operational levels.

How the action will be evaluated

18 The Corporate Risk Register, created using the Risk Management Framework guidance, will be reviewed at the Audit and Risk Committee twice a year.

If you have any questions about this paper please contact: Paul Chase, Planning and Reporting Manager, pchase@gmc-uk.org, 0207 189 5304

Risk Management Framework

Annex A

Draft Risk Management Framework

Contents

Purpose
Introduction
Policy principles
Risk management overview
Roles and responsibilities
Risk management methodology and guidance
  o Risk identification
  o Risk assessment
  o Risk mitigation
  o Risk evaluation
  o Risk monitoring and assurance
Annex A Risk glossary
Annex B Business champions
Annex C Version Control Log

Purpose

1 This document sets out our approach to risk management, defines roles and responsibilities, and provides you with guidance on identifying and managing risks. A risk may represent a hazard to our work but it can also present a positive opportunity for action. This framework applies to the entirety of the GMC, including the MPTS. References to Directors should be read as including the MPTS Tribunal Clerk.

Introduction

2 A risk is defined as the possibility of an event that could affect the achievement of objectives. For the GMC this ultimately means events that could affect fulfilment of the organisation's statutory purpose: "To protect, promote and maintain the health and safety of the public by ensuring proper standards in the practice of medicine."

3 Effective risk management should be embedded in our culture and everyday business, and should not be seen as a separate process outside the normal responsibilities of line management.

4 Risk management is a central part of our internal control and corporate governance arrangements. A good risk management framework enables consistency of approach and a shared view throughout the organisation on the risks to our aims and objectives at strategic and operational levels.

5 The risk management process supports the delivery of the GMC corporate strategy, and is an important part of our business planning processes. It requires us to identify and manage threats and opportunities effectively, creating an environment which minimises unexpected events or surprises.

6 Through our risk registers we classify each risk and identify planned courses of mitigating action to reduce both the impact and also the likelihood of the risk occurring. Both corporate and local risk registers, along with our Performance Review of operational plan delivery, are made available to staff in a central resource, in order to engage them in the day-to-day management of corporate and local risk.

7 We have a Business Continuity Plan which details our immediate response, in the event of an incident, to enable us to deliver an agreed level of key services to stakeholders. A Pandemic Plan is also in place.

8 As a registered charity, we are required under the Charities (Accounts and Reports) Regulations 2005 ("the 2005 Regulations" - SI No.572) to produce an Annual Report. This must contain a statement in which we confirm that our trustees have given consideration to the major risks to which the charity is exposed, and that systems and procedures have been established within our Risk Management Framework in order to manage those risks.

Policy principles

9 Our policy on risk management can be summarised in the following eight principles:
a. Encourage well-managed risk-taking to deliver business objectives.
b. Identify and prioritise risk by using effective risk management methodology.
c. Embed risk management in the day-to-day business.
d. Ensure risk review and mitigation is an active process which is considered as part of our everyday work.
e. Require the ownership of risks and their corresponding actions.
f. Regularly monitor risks at Chief Executive, Chief Operating Officer and Director level.
g. Achieve continuous improvement in risk management.
h. Meet the requirements of the Charities Statement of Recommended Practice (SORP) 2005.

Risk management overview

10 Consideration and mitigation of risk is embedded at both local and corporate levels. All staff are responsible for identifying and raising awareness of risk and ensuring that risk owners are identified to take any required mitigating action. Three questions help to initiate this:
a. What are the nature and the scale of the risk to the GMC?
b. Who needs to be aware of this risk?
c. Who needs to initiate the appropriate response actions?

11 At a corporate level, Council, Audit and Risk Committee and our Boards provide strong governance through review and challenge to risk.

Figure 1: Risk management and communication throughout the organisation

12 At the local level risk management is driven by:
a. Our annual Business Plan which is framed in the context of our Corporate Strategy, and outlines priorities and how they will be achieved. Dynamic Operational Plans communicate activity.
b. Local risk registers, embedded in our Operational Plans, form an essential part of each directorate's assessment of risk as they develop and monitor activity. They are owned and agreed by Directors, and are updated and monitored as part of performance monitoring.
c. In line with best practice, directorates undertake robust risk assessment for major project and programme activity, with clear responsibilities for monitoring, decision and reporting.
d. On-going identification and management by staff of concerns arising in their operational areas.

13 Directors take responsibility for the management of risk at a local level, receiving regular risk monitoring through their Business Champion (identified in Annex B). This responsibility includes the escalation of risk between a local register and a Corporate Risk Register.

14 Directors collectively own and compile the Corporate Risk Register which is an aggregation of risks escalated from local level, plus cross-cutting risks. It is held centrally by the Strategy and Communication directorate who present a combined bimonthly review of operational plan delivery and risk status to the Performance and Resources Board.

15 The Performance and Resources Board is where Directors consider the Corporate Risk Register, approving, removing or amending risks. Escalation to the Corporate Risk Register should be driven by:
a. An increase in the impact or likelihood of a threat to delivery of the planned activity and/or strategic priorities.
b. Where early awareness or discussion of emerging risk by the executive would be beneficial.
c. The need to identify increased mitigation, especially if executive support and approval is required.

16 The Medical Practitioners Tribunal Service manages its local risks, maintaining a risk register, and escalates risks where appropriate to the Executive level where they are managed alongside all GMC corporate risks. The MPTS Risk Register is reviewed at the quarterly meetings of the GMC/MPTS Liaison Group.

17 Council and the Audit and Risk Committee each receive a full risk review twice a year, facilitating an informed discussion and understanding of risk. This includes a full summary of the contemporary Corporate Risk Register, complete with insight into key areas for discussion. An example of this is presented in Annex C. This promotes assurance that the organisation is capable of fulfilling its purpose and strategic priorities.

18 It is imperative to view any risk register as the means to manage risk, rather than the object of the risk management process itself. They are to be used as an objective, evidence-based tool to assist managers to organise their understanding of their risk environment and to capture how we have responded to risks.

Roles and responsibilities

19 The table below summarises organisational and individual responsibilities for both the operation and monitoring of the risk management process.

Council Members (Trustees)
  Responsibilities: Ultimate responsibility for all risk facing the organisation.
  Actions: Reviewing the GMC's risk profile within the Corporate Risk Register. Holding the Executive to account, providing challenge, requesting information, or seeking assurance on risks and the appropriateness/effectiveness of mitigating action. Guidance on appropriate risk appetite. Approval of changes to the Framework.

Audit and Risk Committee
  Responsibilities: Delegated authority for overseeing risk management arrangements on behalf of the Council. Provide assurance to Council on the adequacy and effectiveness of our risk management processes. Oversee the implementation of recommendations, and ensuring continuous improvement.
  Actions: Obtaining assurance on risk management arrangements from internal auditors and senior management. Reviewing and approving the risk management statement in the Annual Report and Accounts. Review of the Corporate Risk Register. Obtain assurance as to the effective management of risks. Oversight to ensure a fit for purpose Risk Management Framework.

Performance & Resources Board
  Responsibilities: Ownership and responsibility for the risks on the Corporate Risk Register. Ensuring risk management is embedded in the culture and everyday business. Ensuring that each risk has a specific owner, responsible for the corresponding mitigating action.
  Actions: Regular review of the Corporate Risk Register and the risks therein, to ensure their continued relevancy, and consider proposed escalations. Challenging and identifying risks in the course of meetings and discussions.

Directors, Chief Operating Officer, Chief Executive and the MPTS Tribunal Clerk
  Responsibilities: Reviewing and reporting on risks to Council and other components of the governance model. Identifying and evaluating risks against operational performance, Business Plan activity or Corporate Strategy priorities. Implementing the Risk Management Framework.
  Actions: Ensure both local and the Corporate Risk Registers are up to date, relevant and comprehensive. Ensure that Council and Committee papers provide insightful commentary on contemporary risks and mitigation.

Business Champions
  Responsibilities: Responsible for assisting directors to co-ordinate risk management at a local level.
  Actions: Regularly review all risks on their local risk register and assist Directors with consideration of risks for escalation to the Corporate Risk Register. Acting as a local point of information, knowledge and expertise for staff on the Risk Management Framework. Support the risk assessment of new activity during annual business and operational planning. Development of appropriate management information.

Individual risk owners
  Responsibilities: Responsible for the identification, assessment and ownership (where appropriate) of individual risks together with ensuring appropriate mitigating actions are taken. Monitoring and reporting any change in the status.
  Actions: Initiating mitigating actions and maintaining progress on these actions. Regular review of risks to assess status of impact, likelihood and the effectiveness/progress of mitigating actions. Exercising judgement on the appropriate level of awareness and escalation of each risk. Communication and explanation of their risks to line management and Directors.

All staff
  Responsibilities: Responsible for identifying, assessing and raising awareness of risk.
  Actions: Identifying risks and concerns against the objectives for which they are responsible, raising awareness and escalating where appropriate.

Strategy & Communication Directorate
  Responsibilities: Supporting directors in the production and review of the Corporate Risk Register. Providing guidance and advice on all aspects of our corporate risk management arrangements. Co-ordinating risk assessment as part of annual business and operational planning.
  Actions: Prompting regular updates of the local registers and the Corporate Risk Register. Reporting changes in risk status as part of the regular management reporting to the Chief Executive and directors. Continually reviewing internal and external events and scanning for changes in the business and political environment to identify risks to the organisation.

GMC/MPTS Liaison Group
  Responsibilities: The purpose of the Liaison Group is to establish an effective working relationship between the MPTS and the functions of the GMC with which it will interact.
  Actions: To work collaboratively to manage corporate risks and issues.

Risk Management Methodology and Guidance

20 Risk is not the responsibility of a few specialists, but rather of all staff. It must be seen as an essential part of primary management responsibility, and a process which is embedded within all policy formulation and in colleagues' decision making in day-to-day delivery. A glossary of terms is provided at Annex A.

21 The methodology is underpinned by five key stages:
a. Risk identification.
b. Risk assessment.
c. Risk mitigation.
d. Risk evaluation.
e. Risk monitoring and assurance.

Figure 2: The GMC risk management methodology

Risk identification

22 Risk identification is about asking: what can happen to hamper delivery of our business objectives, and how might it happen?

23 Best practice is to develop and make available insightful sources that support staff in their identification of potential risk, such as our Research Programme, meetings with stakeholders, and policy and strategy development tools. Intelligent environmental assessment, including regular horizon scanning, forms part of our ongoing insight work.

24 Risks should be recorded in a clear and precise way that describes the event and its root cause, thereby enabling effective mitigation, assessment and audit.

25 The impact of a risk on other activities and teams, and on the GMC's external partners, should be described. Where a risk involves external partners working with the GMC in mitigation, the risk description should be clear on the perimeters of the GMC's responsibility.

26 Good practice recommends that identification involves considering risks to:
a. Achievement of strategic priorities and/or our core purpose. For example, this might include risk originating from legislative or regulatory change, which might impact our ability to review doctors' fitness to practise.
b. Achieving operational objectives, for example, delivering a new standard for doctors.
c. Operational health, for example, financial shock or ability to recruit staff.

27 When scoping a risk for inclusion in a Corporate Risk Register, risks should be identified as being one of the following categories which help signify their nature:
a. Reputational.
b. Policy.
c. Operational.
d. Strategic/Political.

28 For each risk identified a risk owner should be assigned. The owner is responsible for overseeing the management of that risk and periodically reporting on its status.

Risk assessment

29 The risk assessment process should drive a clear and decisive consideration of the severity of impact and its likelihood, which supports risk prioritisation and in turn specific risk controls and allocation of resources.

30 Our Risk Assessment Matrix enables risk owners to record and communicate their risks, and these risks should be derived from an evidence-based assessment in order to make a clear and objective recommendation. This assessment is also essential in understanding risk escalation. Consideration of the expected timeframe of the event is also important.

Figure 3: Risk Assessment Matrix

                                                                   IMPACT
LIKELIHOOD                                                         MINOR        MODERATE     MAJOR
UNLIKELY       Possible, but unlikely to occur (<40% chance)       Low          Low          Significant
QUITE LIKELY   More than possible (40-60% chance)                  Low          Significant  Critical
HIGHLY LIKELY  Much more likely than not to occur (>60% chance)    Significant  Critical     Critical

Sources of evidence for assessment:
- Research and analysis
- Available tacit or explicit knowledge
- Assessment of the impact of your activity on wider GMC outcomes
- Assessment of the threat to operational functionality/viability, e.g. financial
- Organisational experience of a similar risk occurring previously

31 A simple guide to deciding the severity of impact can be to consider the following:

Minor
  Operational functions: Limited disruption to GMC operational functions and/or intended outcomes
  Achievement of strategic aims: Almost no adverse impact on the achievement of strategic aim(s)
  Reputation: Little/limited adverse impact
  Timeframe of effect: Short term

Moderate
  Operational functions: Very concerning disruption to GMC operational functions and/or intended outcomes
  Achievement of strategic aims: Achievement of strategic aim(s) disrupted or inhibited
  Reputation: Very concerning adverse impact
  Timeframe of effect: More enduring, but still time-bound

Major
  Operational functions: GMC operational functionality critically impaired
  Achievement of strategic aims: Strategic aim(s) severely compromised or cannot be achieved
  Reputation: Highly damaging adverse impact
  Timeframe of effect: Potentially long-lasting

32 The resulting risk ranks are then grouped into critical (red), significant (amber) and low (green) bands to show the relative priority of the risks. These ratings can only provide a guideline of the relative urgency of a risk and must be used along with all other relevant information to aid judgement and decision-making on risk control and mitigation.

33 Directors are accountable for ensuring that risk assessments in local risk registers are up to date. They are supported by Business Champions, activity leads and all staff. The Performance Review Report, presented to bi-monthly Performance and Resources Board meetings, and containing a summary of the proposed updated Corporate Risk Register, facilitates discussion by Directors and the Chief Operating Officer.

Risk mitigation

34 Countermeasures in place to mitigate each risk are recorded. We apply the question: what have we done to reduce the likelihood or impact of this risk?

35 Examples of mitigating action include:
a. Control procedures. Likely to be the largest component of mitigating action, they include measures such as publishing guidance and conducting regional visits.
b. Sharing risks with a third party, such as outsourcing aspects of delivery.
c. Avoiding the activity creating the risk.
d. Making contingency arrangements, for example through the Responses to Concerns Assessment Team (RCAT) in relation to issues arising in medical education and training.

36 Mitigating actions are clearly and concisely agreed and regularly updated in a risk register.

37 Once countermeasures have been identified, the risk assessment is applied a second time. The potential severity of impact and likelihood of occurrence is reassessed, taking into account the effect of the countermeasures. The resultant score is known as the residual risk.

38 If the residual risk remains critical on the local risk register, the risk should normally be considered for escalation to the Corporate Risk Register.

Risk evaluation

39 Risk evaluation establishes whether risks are adequately mitigated and, if not, determines what additional action is required to reduce their impact or likelihood of occurrence. In each case, we define the level of residual risk that is acceptable.

40 The level of risk appetite is guided by Council and the Audit and Risk Committee during discussion of corporate risk, and at a local level by Directors, guided by the Performance and Resources Board. This supports a clear definition of the level of residual risk that is tolerable and justifiable once mitigating action has been taken.

41 Using these factors, we identify risks that are not adequately mitigated and determine what additional measures are required.

42 Where the residual risk is still considered significant or critical, the risk register includes a further action column for further mitigation.

43 The Performance and Resources Board and the Audit and Risk Committee should be satisfied that mitigation is appropriate, and if not will require further action to be taken.

Risk monitoring and assurance

44 As outlined in this Framework, our risk management process seeks to be dynamic and effective with continuous review, evaluation and improvement. This is done by way of:
a. Continual review of local risk registers by Directors and their teams.
b. Full review of the Corporate Risk Register by the Strategy and Communication Directorate together with directorate Business Champions on behalf of the Performance and Resources Board.
c. Oversight by Audit & Risk Committee and Council, who seek assurance from a and b above of effective management of risk.
d. Through our annual internal audit programme, the management of specific risk, as well as the approach to risk management, are subject to scrutiny by the GMC's internal auditors, who provide assurance to the Audit and Risk Committee that risk is being managed appropriately. The Programme is agreed at the Committee and contains a series of reviews into internal processes and actions.

Appendix A Risk Glossary

Activity: Any work which uses resources (people, materials or facilities) and has an associated cost and duration.
Audit & Risk Committee: Has responsibility for overseeing risk management on behalf of the Council.
Contingency: A planned amount of time and/or cost set aside against accepted risks.
Corporate Risk Register: A record of corporate-level risks from the risk management process.
Effect: The possible outcome of a risk if it occurs.
Evaluation: Establishing if the risks are adequately mitigated and, if not, determining what additional action is required to reduce their impact or likelihood of occurrence.
Identification: The process of exposing knowable risks, specifically in relation to business objectives.
Impact: An assessment of the effect on the activity if a risk occurs.
Likelihood: The probability of a risk occurring.
Local Risk Registers: A record of all identified risks from the risk management process in each operational area. They are included in the Operational Plans.
Milestone: A marker which notes the end of a phase or project.
Mitigation: The planned series of actions to be performed to reduce the likelihood or impact of a risk occurring.
Monitoring: Identifying new risks and reassessing and evaluating existing risks in light of any significant changes or developments.
Objectives: Set out what is to be achieved and who will benefit. They should be specific and measurable and included in the Operational Plans.
Operational Plans: Internal management tools for planning work and reviewing organisational performance.
Operational risk: A risk resulting from inadequate or failed internal processes, people and systems, or from external events.
Policy risk: A risk to our ability to uphold a policy, or arising from a particular policy decision.
Political risk: A risk resulting from unexpected change in government policy.
Reputational risk: A risk resulting in damage to the GMC through loss of its reputation.
Residual risk: The risk remaining after taking into account the effect of any actions taken to manage it.
Risk: The possibility of an event that could affect the achievement of an objective.
Risk appetite: Defining the level of residual risk that is tolerable and justifiable.
Risk assessment: The process of prioritising risks in terms of their potential severity of impact and likelihood of occurrence, using the Risk Assessment Matrix.
Risk management: The process of managing the risks associated with an activity so that, if a risk occurs, the impact is minimised.
Risk Management Framework: A GMC internal control which reflects the GMC's commitment to sound risk management principles and practices.
Risk owner: The person responsible for overseeing the management of a given risk, ensuring that appropriate mitigating action is selected and implemented, and responsible for periodically reporting on the status of the risk.
Risk review: A structured update of the assessment of current risk exposure.
Strategic risk: A risk resulting from poor strategic business decisions, improper implementation of decisions or lack of responsiveness to changes in the business environment.

Appendix B Business Champions

Education and Standards: Nathan Lambert (020 7189 5341)
Fitness to Practise: Tom Russell (0161 923 6766)
MPTS: Howard Matthews (0161 240 7106)
Registration and Revalidation: Rob Scanlon (020 7189 5395)
Resources and Quality Assurance: Steve Downs (0161 923 6257)
Strategy and Communication: Kimberley Kingsborough (0207 189 5341)

Appendix C Version Control Log

This current version of the Risk Management Framework was approved [approvals/date] following a formal review of the framework in August - October 2013. The schedule below sets out a summary of all amendments to the framework since then.

Date: ?? October 2013
Reason for amendment: Redrafted during formal RMF review and approved by the Audit & Risk Committee

Note: Final approved version will feature a new back cover in the house style.

Annex B Risk Summary Tool

Purpose of the Risk Summary

1 The Risk Summary Tool will provide the Performance and Resources Board, the Audit and Risk Committee and Council meetings with a visual representation of the risk profile and trends across the organisation, enabling them to prioritise their discussions on specific risk groupings.

Background to development of a Risk Summary

2 At a seminar on risk management for the Audit and Risk Committee on 5 September 2013, it was recommended that the review team consider ways in which the Committee might be able to review corporate risks in a more structured way. The Audit and Risk Committee therefore asked the team to develop two strawman diagrams which would provide a summary view of the risks on the Corporate Risk Register.

Taking the Risk Summary tool forward

3 Two options were designed to further the discussion as to how we can best support the Audit and Risk Committee's consideration of the Corporate Risk Register. Both options were tested, the pros and cons were discussed and a paper presented back to Committee members on circulation.

4 In discussion with the Chair of the Committee, a preferred option was identified and refined, which will be finalised in light of the completion of the corporate strategy and approval of the new Risk Management Framework. It will be brought for consideration to each of the first meetings of the Performance and Resources Board, Audit and Risk Committee and Council in 2014.

5 The finalised Risk Summary will be compiled by the Intelligence Unit and will be a high-level view of the risks to the achievement of our corporate strategy, using the organisation's current corporate risks.

Explanation of the preferred option

6 This draft Risk Summary displays the GMC's corporate level risks within five major categories:
a Three which link directly to risk to patients.
b One dealing with environmental risk, for example political risk.
c One covering risk to the business, for example financial risk.

7 Discussions took place at the Audit and Risk Committee seminar on different ways of categorising our organisational risks. The categories used here have been developed subsequently and refined following testing. The categories are based on our purpose, and on the organisation's risk profile as recorded in the Corporate Risk Register.

8 The approach taken in this strawman is broadly based on good practice in the Civil Aviation Authority (CAA) (which was discussed at the risk management seminar), which displays the significant seven safety risks facing the CAA.

Figure 1: Illustration of draft Risk Summary
GMC Purpose: To protect, promote and maintain the health and safety of the public by ensuring proper standards in the practice of medicine
RISK TO PATIENTS: 1. Failure to provide assurance that doctors are properly qualified and fit to practise; 2. Failure to ensure standards in medical education, training and ongoing practice; 3. Failure to detect and act on risk to patients
ENVIRONMENTAL RISK: 4. Inability to adapt to external changes in the operating environment
RISK TO THE BUSINESS: 5. Inadequate/inefficient organisational process or resource utilisation (externally, internally and locally)
[Figure: Corporate Risk Register reference numbers plotted against the rating bands Critical, Significant and Low for each category; the plotted points are not reproducible in text.]

9 The illustration above has been populated using existing corporate risks. The shapes and arrows represent the risk rating (after mitigating action) from the Corporate Risk Register, with the arrows indicating a risk that has risen or fallen in rating since the last Council review, the dots representing a risk which has retained the same rating since the last review, and the squares indicating a new risk.

Benefits

10 The benefits of using the preferred option are:
a Displays clear linkage of risk categories (1-4) back to the GMC purpose.
b Provides a straightforward view of risk and trends at corporate level.
c Encourages more discipline in the articulation of risks.
d By phrasing the categories in this way we can better see the likely impact, on our purpose, of failure to mitigate a risk.

Explanation of the alternate option

11 Following discussions on the preferred option, an alternate option has been developed, using the same structure as the preferred option, but replacing the risk categories with the Priorities for 2014-17. The headings currently used are based on the emerging themes presented to Council on 25 September 2013, and will be finalised alongside the completion of the development of the corporate strategy.

Figure 2: Illustration of alternate option for Risk Summary
GMC Purpose: To help protect patients and improve standards of medical practice
Priorities for 2014-2017: 1. Identifying and acting on risk to patients; 2. Maximising the impact of our work; 3. Being more effective locally; 4. Raising professional standards in medical practice; 5. Working better together
[Figure: Corporate Risk Register reference numbers plotted against the rating bands Critical, Significant and Low for each priority; the plotted points are not reproducible in text.]

12 The pros and cons of using the alternate option in place of the preferred option are outlined in the table below.

Pros:
- Priorities clearly understood throughout the organisation.
- Avoids adding a level of complexity if risk categories were used.

Cons:
- Not all of the current risks on the Corporate Risk Register map to the emerging Priorities.