Paper J WEST LEICESTERSHIRE CLINICAL COMMISSIONING GROUP BOARD MEETING. 10 February 2015. Governance How we manage our business

Paper J WEST LEICESTERSHIRE CLINICAL COMMISSIONING GROUP BOARD MEETING 10 February 2015 Title of the report: Section: Report by: Presented by: Risk Management Strategy & Policy Governance How we manage our business Amy Stevens Corporate Affairs Officer Ket Chudasama Assistant Director Corporate Affairs Report supports the following West Leicestershire CCG s goal(s) 2012 2015: Improve health outcomes Improve the quality of health-care services Use our resources wisely Equality Act 2010 positive general duties: 1. The CCG is committed to fulfil its obligations under the Equality Act 2010, and to ensure services commissioned by the CCG are non-discriminatory on the grounds of any protected characteristics. 2. The CCG will work with providers, service users and communities of interest to ensure if any issues relating to equality of service within this report are identified and addressed. Additional Paper details: Please state reason why this paper is being presented to the WLCCG Board For approval of the updated Risk Management Strategy & Policy Discussed by CMT and Audit Committee in January 2015 Alignment with other strategies 2012-15 Commissioning Strategy Environmental Implications Has this paper been discussed with members of the public and other stakeholders, if so please provide details None Identified No EXECUTIVE SUMMARY: 1. The CCG s current Risk Management Strategy & Policy was adopted from the PCT Cluster and was rolled over into the CCG when it became a new

organisation. The Strategy & Policy document (Appendix 1) has now been formally reviewed and refreshed in order to ensure it meets the requirements of the CCG. 2. The Risk Management Strategy & Policy provides an over-arching summary of how the CCG operationally manages risk. 3. Minor changes have been made to the Strategy & Policy in order to clarify the operational processes, roles and responsibilities within the CCG. 4. The updated Risk Management Strategy & Policy document was has been reviewed and commented on by both CMT and the Audit Committee in January 2015. RECOMMENDATIONS: The West Leicestershire Clinical Commissioning Group is requested to: APPROVE the updated Risk Management Strategy & Policy. 2

POLICY DOCUMENT RISK MANAGEMENT STRATEGY & POLICY 2014-16 Version: 1 Ratified by: Date ratified: Name of originator/author: Name of responsible committee/individual: Date of issue: Corporate Management Team TBC Ket Chudasama Assistant Director Corporate Affairs Ket Chudasama, Assistant Director of Corporate Affairs TBC Review date: February 2016 Target audience: All Staff All policies can be provided in large print or Braille, if requested. Interpreting services are also available for individuals of different nationalities.

Contents Page 1. Policy Statement 3 2. Aims & Objectives 3-4 3. Scope of the Policy 4 4. Statutory and NHS Requirements 5 5. Benefits and Outcomes 5-6 6. Risk Management Model 6-8 7. Risk Management Process 8-9 8. Risk Categorisation 9 9. Assessing and Evaluating Risks 10 10. Risk Appetite 10-11 11. Key Controls and Assurances 11-12 12. Net/Residual Risk 12 13. Monitoring and Review of All Risks 12 14. Board Assurance Framework (BAF) 12-13 15. Responsibilities 14-17 16. Implementation and Training 18 17. Monitoring / Audit Arrangements 18 Appendix 1 Risk Prioritisation and Reporting 19 2

1. Policy Statement 1.1 This document combines both strategy and policy for the management of strategic and operational risks at West Leicestershire Clinical Commissioning Group (WLCCG), hereafter referred to as WLCCG or the CCG. 1.2 WLCCG attaches great importance to the effective management of risks that may be faced by patients, members of the public, staff, partners and other stakeholders, and by the CCG itself. 1.3 The quality of care delivered and the safety of patients are vital elements in the philosophy and culture of the CCG, which are embodied in its leadership and its staff. Ensuring risks are managed effectively, consistently and systematically must be an integral part of everyday practice throughout the organisation. 1.4 It is imperative that a culture of transparency and honest reporting is promoted and upheld throughout the CCG to ensure risks are properly identified, evaluated, documented and managed. 1.5 To support the development of a proactive risk management approach across the organisation, the CCG is committed to: Embed effective organisational governance arrangements that respond to strategic change, secure a safe and positive experience for patients, and support high quality and effective service delivery Ensuring accountability and responsibility by leading and supporting clinicians and staff Identification of risk appetite, i.e. definition of the level of risk the CCG is prepared to accept in pursuit of its objectives, and appreciation that this level will vary dependent on the specific risk 1.6 WLCCG has adopted the ISO (International Organization for Standardization) 31000 risk management model. 2. Aims & Objectives 2.1 The purpose of this document is to provide guidance to all staff on the management of strategic and operational risks within the organisation. It aims to: set out the risk management process, including how strategic and operational risks are identified; and describe the procedures to be used in identifying, analysing, evaluating and controlling risks to the delivery of critical success factors. 2.2 The objectives of WLCCG s risk management policy are to: 3

minimise chances of adverse incidents, risks and complaints by effective risk identification, prioritisation, treatment and management; maintain a risk management framework, which provides assurance to the Board that strategic and operational risks are being managed effectively; maintain a cohesive approach to corporate governance and effectively manage risk management resources; ensure that risk management is an integral part of the CCG s culture minimise avoidable financial loss ensure that WLCCG meets its obligations in respect of health and safety. 2.3 The CCG has a statutory and regulatory obligation to ensure that control systems are in place to minimise the impact of all types of risk, which, could affect the proper functioning of the organisation. 2.4 The Strategy encompasses those risks associated with partnership/collaborative working arrangements and sets out to influence and control partnership risks through agreed management processes. 2.5 The Strategy will be reviewed and updated regularly to reflect the changing role and functions of the CCG and in accordance with appropriate good practice or legislation. 3. Scope of the Policy 3.1 The Risk Management Strategy and Policy covers the management of strategic and operational risks. Strategic risks are significant risks that have the potential to impact across the organisation and are raised and monitored by the executive team and the CCG Board. Operational risks are keys risks that impact on individual programme areas and are managed through subgroup risk registers and senior responsible officers. 3.2 This strategy applies to all employees and premises of WLCCG, including any persons/contractors engaged in business (for and on behalf of WLCCG), its activities and functions, including both clinical and non-clinical risks, information and financial risks. 3.3 It primarily relates to the resources directly managed by WLCCG. However, it is recognised that as some services are provided by other organisations outside of the CCG (e.g. local authorities, primary care contractors, other commissioning organisations, hosted and shared services etc.), which act on its behalf, they too are included within this strategy. Risks in these situations will be managed through formal partnership working/contract monitoring. 3.4 This document sets out the CCG s approach to the management of risk and the development of a system, which enables informed management decisions in the identification, assessment, treatment and monitoring of risk. 4

4. Statutory and NHS Requirements 4.1 There is a legal requirement for all employers to ensure that assessment of health and safety risks to employees, patients, others and the organisation itself are carried out in full and reviewed regularly to maintain their accuracy and validity. 4.2 The CCG s approach to effective risk management is based on the following: Workplace (Health, Safety and Welfare) Regulations 1992 (as amended 2002) and the Management of Health and Safety at Work Regulations 1999 require that employers should carry out assessments of the risks created by their operations, which may affect staff and others; The Data Protection Act 1998 and the Freedom of Information Act (FOIA) 2000 and other legislation requires organisations to comply with rules relating to the handling of information and thus minimising information related risks; Corporate Manslaughter and Corporate Homicide Act 2007 highlights the commitment required of senior management to take reasonable steps to protect employees and others who may be affected where risks are created by their operations, the implementation of robust risk management systems is of paramount importance. WLCCG s Corporate Governance Framework (i.e. Standing Orders, Scheme of Delegation and Standing Financial Instructions); 4.3 As good practice, the policy also meets the minimum requirement for Level 2 of the NHS Litigation Authority s Risk Management Standards for NHS Trusts providing Acute, Community, or Mental Health & Learning Disability Services and Non-NHS Providers of NHS Care 2013-14. These standards are designed to address organisational, clinical/non-clinical and health and safety risks. 5. Benefits and Outcomes 5.1 The objective of the strategy is to embed risk management throughout the CCG so that we: enhance patient care through safer practices minimise injury or loss through safer systems of work create a safer environment for patients, visitors and staff increase awareness and ownership of risk and liabilities reduce the financial and other cost of risk taking and accidents 5

provide stakeholders with an understanding of our intent regarding the management of risk prevent prosecution under Statute and Regulation improve the reputation of the CCG and confidence of the public in NHS services 6. Risk Management Model 6.1 Risk and risk taking is inherent in everything the CCG does: determining commissioning priorities, managing a project, purchasing equipment, taking decisions about future strategies, or even deciding not to take any action at all. Therefore, a structured, systematic and consistent approach to risk management, which encompasses all the CCG s functions and activities, has been adopted. 6.2 The resources available for managing risk are finite and so the aim is to achieve an optimum response to risk, prioritised in accordance with an evaluation of the risks and to take action to manage risk in a way, which it can justify to a level, which is tolerable. 6.3 WLCCG has adopted the Risk Management Guidance provided by Australia/New Zealand (AS/NZS 4360:2004), as this provides a generic model for identifying, prioritising and dealing with risks in any situation. 6.4 There are 7 stages to managing risk in this model as described in Table 1 below: Table 1: Risk Management Model National Patient Safety Agency Stage Description 1. Establish the define the activity, context what are the goals and objectives? The environment in which the CCG functions influences the risks it faces and provides a context within which risk has to be managed. The CCG also works in partnership with other organisations to deliver its objectives. Full consideration needs to be given to the context in which the CCG functions and to the risk priorities of partner organisations to ensure risk management is effective. 6

2. Identify hazards / risks Articulate the risk: what could happen? how could it happen? What would the effect be? Use the cause and effect x, y, z model to assist in articulating the risk: - concern that x could happen - because of y - resulting in z 3. Analyse and assess risk 4. Evaluate and prioritise risk 5. Risk Treatment and Control 6. Monitor and review 7. Communicate and consult For example: - concern that x could happen e.g. loss of key personnel in business function A - because of y e.g. because of salary differentials due to local competition for skilled staff, because of work/life balance issues in relocation and restructuring - resulting in z e.g. results in significant reduction in ability to deliver to quality performance objectives; results in functional inability to deliver day-to-day to ops; results in loss of business - direct financial loss. how could risks occur? what would be the effect if they did? how could they be reduced? evaluate options for reducing risks, quantify costs of actions to reduce risks, identify action, which reduce total cost of risk and give best value for money, compare costs against benefits. Terminate / avoid: not proceeding with activity likely to generate the risk; Treat / reduce: reducing or controlling the likelihood and consequences of the occurrence; Transfer: arranging for another party to bear or share some part of the risk, through contracts, partnerships, joint ventures etc.; Tolerate / accept: some risks may be minimal and retention acceptable. monitor risk impact, review effectiveness of action, has the risk priority changed? who needs to know, who is affected? 6.5 Each stage of the risk management process should be documented in order to: a. demonstrate the process is conducted properly 7

b. provide evidence of systematic approach c. provide a record of risk and to develop the CCG s knowledge of risk d. provide relevant decision makers with a risk management plan for approval etc. e. provide an accountability mechanism and tool; f. facilitate review and monitoring; g. provide an audit trail; h. share and communicate information. 6.6 It is good risk management practice for all levels of the organisation to undertake risk assessments appropriate to their areas of responsibility. Risks of all types are assessed and managed in accordance with this Policy and any additional guidance circulated by the Assistant Director Corporate Affairs. 7. Risk Management Process Risk Identification 7.1 The key to effective risk management lies with the CCG knowing what risks are likely to occur so that it can proactively manage them. An effective mechanism to capture and report risks is therefore essential. Risk can be identified in two ways from internal and external sources using proactive or reactive methods: top down for example, proactive identification of risks that directly affect the CCG s achievement of its objectives e.g. considering political, economic, social, technological environment (PEST); horizon scanning used to identify emerging opportunities and threats. bottom up for example, assessment through sub-group risk registers, claims and litigation, cluster of incidents, cluster of complaints, through performance management arrangements etc. 7.2 Risk identification requires examination of the sources or nature of the threat (or opportunity) and then involves identifying what events might trigger the risk. Identifying new operational risks arising from training or changing working practices or environment is a routine part of the day job for staff. All staff should be actively encouraged to identify and contribute to the risk management process. Furthermore, this should be enhanced by cross- organisational learning and review of past practice. For example, analysis of serious incidents can highlight risks that WLCCG may not have successfully managed. A positive approach to learning from such risk management failures, underpinned by a culture of openness, will allow cross- organisational learning. Similarly proactive risk assessment will ensure that risks are managed actively before they are realised. 7.3 Risk assessments will be performed for all its information systems and critical information assets. Information Risk Assessments will occur at the following times: 8

at least annually for the review of information risk for the SIRO to support the SIRO s written advice on the Annual Governance Statement; at the inception of new systems, applications, facilities, etc, that may impact the assurance of information and Information systems; before enhancements, upgrades, and conversions associated with critical systems and applications; when NHS policy or legislation requires risk determination; an annual exercise of external audit will be undertaken in relation to information risks. 7.4 The findings of the information risk assessments will be shared and discussed with the Audit Committee and the CCG Board. 8. Risk Categorisation 8.1 For organisational reasons and to clarify management responsibilities, risks are categorised into 4 categories as described in Table 2. Table 2: Categories of risk Type of risk Description Examples Clinical risks Clinical risks are defined as those Clinical care activities risks that have a cause or Consent issues effect that is primarily clinical or medical. Medicines management. Organisational risks Organisational risks are defined as those risks that primarily relate to the way in which the CCG is organised, managed and governed. Include property related risks Human resources Corporate governance Health and safety Risks identified through equality Impact assessments Reputation Quality Financial risks Information risks Financial risks are defined as those whose principal effect would be a financial loss or a lost opportunity to deliver a financial gain. Information risk defined as those whose principal effect in result in the theft, disclosure or modification of personal, confidential or sensitive information. Include poor financial control Fraud and ineffective insurance arrangements. Loss of systems availability Loss of access to servers or software Intentional or accidental unauthorised actions or destruction or damage to the CCG s computer systems. 9

9. Assessing and Evaluating Risks 9.1 The CCG has adopted a 5 x 5 risk assessment matrix, as defined in the guidance from the National Patient Safety Agency, for the purpose of risk assessment (see Figure 1 below). An assessment of the risk needs to be undertaken by evaluating both the likelihood of the risk being realised and of the impact/consequence if the risk is realised. Descriptors underpinning consequence/impact and likelihood can be found at Appendix 1. i. the impact / consequence = describes the impact or outcome component of risk i.e. the outcome or the potential outcome of an event. There may be more than one impact / consequence of a single event. ii. the likelihood = describes the probability or frequency of a consequence occurring i.e. how probable it is that the risk (the event or outcome) will occur. LIKELIHOOD IMPACT / CONSEQUENCE 1 RARE 1 NEGLIGIBLE 2 UNLIKELY 2 MINOR 3 POSSIBLE 3 MODERATE 4 LIKELY 4 MAJOR 5 ALMOST CERTAIN 5 CATASTROPHIC Figure 1: 5 x 5 Risk Assessment Matrix IMPACT / CONSEQUENCE 5 4 3 2 1 5 4 3 2 1 10 15 20 25 8 12 16 20 6 9 12 15 4 6 8 10 2 3 4 5 1 2 3 4 5 LIKELIHOOD This will result in risks being rated in one of the following four categories: 10. Risk Appetite Risk score Category 1 3 Low risk (green) 4 6 Moderate risk (yellow) 8 12 High risk (orange) 15 25 Extreme risk (red) 10.1 Each risk identified must have an associated tolerance level, which provides a clear indication of the risk appetite i.e. the level of exposure to the risk the organisation is willing to accept. This will be defined in terms of both tolerable impact if a risk is realised, and tolerable frequency of that impact using the 5 x 5 risk matrix. 10

10.2 Tolerability may be informed by stakeholder perception of an impact/consequence, patient safety, the balance of the cost of the control and the extent of exposure. If this is not done, the CCG will not know what its exposure will be, should the control fail. For instance, WLCCG is not willing to accept information risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff. 11. Key Controls and Assurances 11.1 Effective controls need to be in place if risks are to be effectively managed. One specific risk may be mitigated by a number of controls. Some controls may only be effective when operating in conjunction with other controls and one control may relate to more than one risk. For each risk entered in the risk register, the adequacy of the control(s) relating to the risk will be assessed by the risk owner and any necessary action determined and entered in the action plan. 11.2 Control mechanisms are commonly classified as: Type of Definition Examples control Preventative These focus on the systems and processes which are introduced to deter problems before they arise. Hiring qualified and competent personnel; Controlling access to physical facilities; Sound governance arrangements; Maintenance of equipment; Sound hand-washing Detective These controls are designed to either discover problems or identify related risks soon after they arise, or measure deviations from expected norms or thresholds. practices etc. Failure to meet key performance indicators; Prescribing activity monitoring and financial balance data; Complaints and incident reporting etc. Corrective These are procedures put in place to remedy problems discovered by detective controls, or steps taken to correct errors arising out of a problem. Changes to processes; Introduction of new policies etc. 11.3 An effective documented mechanism of obtaining assurance in relation to the controls also needs to be in place. As such, evidence to demonstrate 11

compliance with the controls is to be submitted to the Corporate Affairs team who will collate it centrally for audit purposes. 12. Net/Residual Risk 12.1 The residual risk is the calculation of the risk having taken into consideration the key controls and assurances in place. When the assessment of the residual risk is compared to the risk appetite, the extent of action required becomes clear. It is not the absolute value of an assessed risk which is important; rather it is whether or not the risk is regarded as tolerable, or how far the exposure is away from tolerability, which is of importance. The Corporate Management Team sets the organisation s risk appetite with approval from the Governing Body. 13. Monitoring and Review of All Risks Sub-Group Risk Registers and Corporate Risk Register 13.1 At the heart of the risk management process is the risk register, which is a management tool that enables the CCG to understand its comprehensive risk profile. It is a repository for all risk information and provides the priority given to managing the risk by the organisation together with the actions needed to address the risk in question. The Risk Register considers all levels of risk from strategic to operational, but will concentrate on the net risks that remain after taking controls into account. These risks are then graded based on impact and likelihood and action plans completed to treat, tolerate, transfer or terminate the risk. It should be noted that individual risks are not the responsibility of the Corporate Affairs Team, but of the individual risk owners. It is their responsibility to ensure that there risks are reviewed and updated in line with the strategy. 13.2 In addition to a Corporate Risk Register, each sub-group has a risk register, which includes current and future actions for each risk. The risk registers are updated monthly by the risk owners and the sub-group risk registers are discussed and reviewed at each respective sub-group meeting (monthly). The Corporate Risk Register is discussed monthly at the Corporate Management Team (CMT) meeting. Where appropriate, risks are escalated to the Board Assurance Framework (BAF). The risk registers are held centrally by the Corporate Affairs Team. 14. Board Assurance Framework (BAF) 14.1 A two-tier process involving the risk registers and the BAF has been implemented. The aim of the two tier approach is to ensure that the bigger strategic picture does not become clouded by the day to day risk management issues that can and are dealt with as a matter of course. 14.2 A threshold for escalating risks to the BAF has been set using the 5 x 5 risk rating matrix, whereby any risk that has a net risk score of 12 or above must be reported on the BAF. However, this should be discussed with the 12

Corporate Management Team initially to establish whether there is a case for the risk to be escalated to the BAF. 14.3 The CCG Board will receive the BAF at every meeting along with an accompanying report. The Audit Committee will receive the BAF on at every meeting in order to ensure that the BAF is scrutinsed and that evidence is in place to demonstrate effective control and assurances in place. 14.4 The following diagram shows how system wide risks are captured and reported: Board Assurance Framework (Contains risks with net score of 12 or more and require escalation from sub-groups) Audit Committee has oversight of all risk registers as part of its workplan Corporate Risk Register (Reviewed by CMT) Finance Sub- Group Risk Register Planning & Delivery Sub-Group Risk Register Quality & Performance Sub-Group Risk Register System wide risk areas that are captured by CCG sub-groups: Patient safety e.g. Learning Lessons Provider performance (Clinical and non-clinical) e.g. PPAG PMO Better Care Together Better Care Fund Information risks e.g. LHIS sent to SIRO 13

15. Responsibilities 15.1 The CCG Board has a duty to assure itself that the organisation has properly identified the risks it faces, and that it has processes and controls in place to mitigate those risks by: Monitoring the risks on an ongoing basis via the BAF; Receiving assurance in relation to the risks from the sub-groups and Audit Committee; Approving and reviewing strategies for the management of risk; Demonstrating leadership, active involvement and support for risk management; Actively monitoring risks and the implementation of internal controls to manage the risks through its sub-groups and CMT. 15.2 The Audit Committee is responsible for: Reviewing and ensuring that the CCG has established and is maintaining a robust and effective system of integrated governance, risk management and internal control across all areas of its business; Ensuring that there are appropriate and adequate links between risk management, financial risk, corporate and clinical governance; Obtaining sufficient assurance to enable the Annual Governance Statement to be signed off by the Managing Director by preparing an annual summary report; Reviewing the BAF at each meeting to provide assurance to the CCG Board that the organisation s risk management processes are effective and risks are being properly controlled; Reviewing results of audit work completed on the risk management system and organisational performance; Approving the annual audit plans for Internal Audit and External Audit, which are based on the organisation s BAF and risk registers. 15.3 The CCG Sub-Groups are responsible for: Ensuring that risks arising through their work are reported to the Board in line with this Strategy and Policy and that risks are monitored and managed through the their respective sub-groups; To review the effectiveness of the controls in place for each risk on the subgroup risk register. 15.4 In designing the respective terms of reference for each sub-group, consideration has been given to establishing appropriate risk management processes and corresponding accountability arrangements. Terms of reference for the sub-groups are subject to continuous review and assessment to focus their work to the effective achievement of the key organisation objectives. 14

15.5 The Corporate Management Team (CMT) (i.e. all Chief Officers) are responsible for: Reviewing the Corporate Risk Register on a monthly basis in order to ensure effective risk management of these risks and to escalate to the BAF where appropriate; Establishing effective links, which enable lessons learned from the risk process to be directly fed into the business planning cycle; Ensuring effective risk management processes are in place within their teams, within their scope of responsibilities and in line with CCG policy Communicating risks within their team to all members of staff within their remit; Ensuring that all staff receive appropriate information, instructions and training to enable them to work safely. 15.6 In respect of Information Assets, the CMT and their direct supports are also required to assist the SIRO in identifying information assets in their work areas, and nominating an Information Asset Owner to undertake and submit risk assessments (and action plans) to the SIRO upon request. 15.7 The Managing Director is the accountable officer for WLCCG and, as such, has overall accountability and responsibility for: Meeting statutory requirements; Adhering to guidance issued by the Department of Health in respect of risk and governance (i.e. Annual Governance Statement); Ensuring there is an effective risk management system in place within the CCG and all personnel with risk management responsibility are appropriately trained. 15.8 The Assistant Director Corporate Affairs has delegated responsibility from the Managing Director for: Managing the strategic development and implementation of organisational risk management systems and processes; Corporate and information governance (including health and safety); Overseeing the handling and monitoring of incidents, complaints and litigation claims; Regularly reporting on the content of the BAF and risk registers to the CCG Board, CMT and Audit Committee; Ensuring there is appropriate internal and external audit review of the CCG s risk management process, internal controls and the BAF on an annual basis; Providing advice, support and leadership on risk management; Ensuring this policy is reviewed and updated on an annual basis. 15.9 The Assistant Director Corporate Affairs will also act as a central reference point for all business risk management issues within the CCG by: 15

Facilitating and forming risk management processes as an integral part of normal management processes; Receiving and collating information on risks within the CCG; Monitoring new developments within the management of risk; Developing knowledge and expertise, and acting as a liaison point for risk management issues (internally and externally); Monitoring proposed developments / initiatives and checking they are likely to be compliant with good risk management practices. 15.10 The Assistant Director Corporate Affairs is also nominated and trained as the Senior Information Risk Owner (SIRO), with responsibility to act as an advocate for information risk management and information governance issues at CCG Board level. The SIRO will: Ensure information risk management is incorporated into the CCG s Risk Management Policy and Strategy and where required, will review and agree action in respect of identified information risks; Take ownership of the risk assessment process for information risk, including a review of an annual information risk assessment to support and inform the Annual Governance Statement; ensuring that WLCCG s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff; Provide a focal point for the resolution and/or discussion of information risk issues. 15.11 The information risk supporting infrastructure to provide support to the SIRO will consist of the Caldicott Guardian, the Information Security Manager (Health Informatics Service (HIS)) and the Head of Information Governance (Greater East Midlands Commissioning Support Unit (GEM CSU). 15.12 The Chief Nurse and Quality Lead/ Board Nurse is nominated and trained as the Caldicott Guardian (CG), with responsibility for: Protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing; Representing and championing Information Governance requirements and issues at Board or CMT level and, where appropriate, at a range of levels within the organisation's overall governance framework; Managing and overseeing the performance management of serious incidents reported by the providers of health services commissioned by the CCG. 15.13 The Chief Finance Officer has delegated responsibility for: Managing the strategic development and implementation of financial risk management relating to organisational financial performance management; Governing the risks within capital planning and estates management; Ensuring robust counter fraud arrangements are in place. 16

15.14 The Corporate Affairs Officer within the Corporate Affairs Team is responsible for: The ongoing maintenance and development of all the risk registers and the BAF on a monthly basis; Coordinating responses and producing reports for the Audit Committee and the CCG Board on a monthly basis. 15.15 All managers are responsible and accountable for the daily management of risks within their areas of responsibility and authorised to undertake risk assessments on a proactive basis. 15.16 All staff (including contractors and agency staff) are bound by this strategy and policy by: Familiarising themselves with this strategy, policy and risk management processes at the point of induction; Identifying risks within their areas of work and reporting these to their line managers; Being aware of their duty under legislation to take reasonable care of their own safety and the safety of others complying with key policies; Attending training and development events as required. 15.17 Where joint working responsibilities exist, WLCCG will ensure that all partner organisations are involved in all appropriate aspects of risk management. Key partners will include NHS England, neighbouring CCG s, acute trusts, police, statutory and voluntary groups (including patient representative groups). 15.18 Specialist risk management support will be provided to the Board, CMT, managers and other WLCCG employees as deemed necessary and following discussion and approval by the Assistant Director Corporate Affairs. 15.19 Information Asset Owners (IAOs) are accountable to the SIRO and will provide assurance that information risk is being managed effectively for those information assets that they have been assigned ownership by: Understanding what information is held, in what form, how it is added and removed, who has access and why; Approving the level and extent of transfer of data to removable media; Ensuring that access rights to information assets are limited to the minimum needed, that usage of information is monitored and best use is made of information assets; Undertaking risk assessment, reduction and prevention for their information assets including ongoing evaluation and risk management. This process includes methods of management, avoidance, mitigation, financing, and/or acceptance of the risk. 17

16. Implementation and Training 16.1 This Strategy and Policy will be made available to all staff via WLCCG s intranet as risk management is everyone s responsibility. 16.2 The training and development of all staff is an integral part of WLCCG s approach to risk management. An effective implementation of the Strategy and Policy requires all staff to be made aware of the WLCCG s approach to risk management, what their role is and the forms of support available to them. This will be achieved through staff induction training and by issuing all staff with a guide to risk management. An annual cycle of updates and learning opportunities will be a core component of the organisational development plan. 16.3 Information Governance training provision will also cover aspects of information risk assessment. As part of the staff mandatory training programme it is expected that all staff receive annual basic information governance training appropriate to their role through the online NHS Information Governance Training Tool. 16.4 All Governing Body members and the CMT will receive risk management awareness training through the Board development sessions and extended CMT development sessions as appropriate. 17. Monitoring / Audit Arrangements 17.1 The risk management process is continually evolving and the systems must be reviewed in the light of changes in the CCG s environment, operations, guidance, best practice and legislation. As a result this Strategy and Policy will be reviewed on at least an annual basis by the Assistant Director Corporate Affairs who will: Monitor and review its performance in relation to the management of risk and the continuing suitability and effectiveness of the systems and processes in place to manage risk; Monitor and review compliance in relation to this Strategy and Policy by using the information it receives from external regulators and internal governance policies, systems and processes (including the effectiveness through the organisational programme of internal audit); Ensure the CCG Board will sign-off the Board Assurance Framework on an annual basis and the Audit Committee will approve (on behalf of the Board), the Annual Governance Statement by the Managing Director. 18

Appendix 1 Risk prioritisation and reporting Risk Category Score 1-3 Low risk (green) 4-6 Moderate risk (yellow) 8-12 High risk (orange) 15-25 Extreme risk (red) Risk priority Acceptable risk, can be managed by routine procedures at a local level; Periodic monitoring and review to be undertaken at subgroup level to ensure that risk has not escalated and controls are still effective. Specific responsibility for risk assessment and action planning must be allocated to a named person (manager, clinician); Usually deadline for completion will be within 6 to 24 months and will depend on resource availability; Action to eliminate or reduce these risks would normally be the responsibility of the relevant directorate; Risk and proposed action plan to be reported to the lead officer. Urgent senior management attention required; Within one month an appropriate action plan must be agreed, usually with a deadline for completion of no more than 6 months; Action to eliminate or reduce these risks would normally be the responsibility of the relevant directorate; Progress and monitoring will be at Executive Team level via the Corporate Risk Report; Risk and proposed remedial action plan to be reported to Audit Committee via reports as per its work programme. Immediate action required; A Chief Officer / Director must be informed and s/he will take responsibility for development and implementation of an appropriate risk action plan and inform the Managing Director; Risk and proposed action plan to be reported at Board level via the Corporate Risk Report and Assurance Framework updates. Progress and monitoring will be at Corporate Management Team level with updates to the Board on a monthly basis or at frequency agreed by the Board. 19