Risk Management Policy and Process Guide




Status: pending
Next review date: December 2015

Information Reader Box

Directorate: Medical; Nursing; Patients & Information; Commissioning Operations (including regions and sub-regions); Commissioning Strategy; Finance; Transformation and Corporate Operations
Publications Gateway Reference: POL_1002
Document Purpose: Policy and Process
Document Name: Risk Management Policy and Process Guide
Publication Date: January 2015
Target Audience: All NHS England staff
Additional Circulation List: n/a
Description: Policy and high level processes for risk management
Superseded Document: n/a
Action Required: To note and apply
Timing/Deadlines: n/a
For further information: Corporate programme management office, e-mail england.pmo@nhs.net

Risk Management Policy and Process Guide
Version number: 1.0
First published: January 2015
Updated: (only if this is applicable)
Prepared by: Corporate programme management office

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Contents

1 Introduction
2 Purpose
3 Audience
3.1 Distribution plan
3.2 Training plan and support
4 Roles and responsibilities
4.1 Risk management roles
4.1.1 Risk lead
4.1.2 Risk owner
4.1.3 Action owner
4.1.4 Corporate programme management office (PMO)
5 Risk management process
5.1 Risk identification and recording
5.1.1 Identification of risk
5.1.2 Risk register
5.2 Risk assessment and scoring
5.3 Action planning
5.4 Monitoring and closure
6 Reporting and escalating risks
6.1 Corporate risk register
6.2 Escalating risks
7 Assuring implementation of this policy
8 Equality and health inequalities analysis
9 Associated documentation
10 Glossary
Appendix A NHS England Risk Management Governance and Escalation Route
Appendix B NHS England Risk Management Responsibilities
Appendix C Risk register guidance
Appendix D Risk scoring and rating matrices

1 Introduction

This document provides guidance on the policy, process and procedures for risk management in NHS England.

Risk management is the recognition and effective management of all threats and opportunities that may have an impact on NHS England's reputation, its ability to deliver its statutory responsibilities and the achievement of its objectives and values.

NHS England is committed to developing and implementing a risk management policy and process that will identify, analyse, evaluate and control the risks.

2 Purpose

The aim of this policy and process document is to:
- evidence the importance of risk management to NHS England;
- support staff to understand their roles and have a consistent approach to risk management; and
- ensure that correct systems and processes are in place to manage corporate and operational risks across NHS England.

It is the policy of NHS England that we seek to reduce risks that are a threat to the delivery of objectives and put in place actions that address the likelihood and impact of each risk to an acceptable level.

This policy and process document supports this by:
- setting out a risk management framework, which provides assurance to the Board that appropriate processes are in place to manage corporate and operational risks effectively;
- recommending procedures for the effective identification, prioritisation, treatment and management of risks to minimise or maximise the effect of an uncertain event or set of events on the delivery of objectives;
- ensuring a cohesive approach to the governance of risk;
- identifying risk management resources; and
- establishing risk management as an integral part of the NHS England culture.

All identified risks will be required to:
- be recorded with a core minimum amount of information as set out in this document;
- be assessed on the likelihood of the risk being realised and the level of impact should the risk be realised; and
- have an identified risk owner and action owners.

The policy element of the document describes the governance structures in place to ensure that risks are managed and escalated through NHS England as appropriate.

It sets out the respective responsibilities for corporate and operational risk management for the Board and staff throughout NHS England. The document describes the corporate standard process to assist staff to identify, analyse and manage risks in their respective areas.

3 Audience

This policy and process document is applicable to all corporate and operational risks that NHS England could be exposed to, including information governance, programme, project and clinical risks and those arising from the oversight of the NHS commissioning system as a whole.

This is a corporate policy and it is expected that central team directorates, regions and programme and project teams will develop and document their own local level procedures based on this policy.

Hosted organisations may develop local risk management processes which adhere to the principles of the NHS England risk management policy. Significant risks affecting NHS England from hosted organisations will be escalated through the appropriate sponsoring national director.

3.1 Distribution plan

This policy and process document will be made available to all staff via the NHS England internet and intranet sites. Notification of this document will be included in the all staff email bulletin, as well as through the corporate programme management office (PMO) communication and engagement routes such as PMO news, PPM advocates and the community of practice.

3.2 Training plan and support

To support the implementation and embedding of the risk management policy and procedures:
- an e-learning package, Introduction to risk management, will be made available to all staff through the NHS England intranet; and
- bespoke advanced risk management training will be available to all NHS England teams, tailored to their specific needs. This could include advice and guidance on the management of risk in their area, peer reviews and/or support with development of risk registers.

Further guidance and support is available on the corporate PMO intranet pages here or by contacting the corporate PMO at england.pmo@nhs.net.

4 Roles and responsibilities

Each area of the business must undertake an ongoing robust assessment of risks and escalate risks through the formal NHS England governance and escalation route, as set out in Appendix A. To support the governance and escalation process, Appendix B sets out the specific risk management responsibilities. It is the responsibility of all staff to maintain risk awareness, identifying and reporting risks as appropriate to their line manager and/or director.

4.1 Risk management roles

4.1.1 Risk lead

All central team directorates, regions and programme and project teams must have an identified risk lead. They will be responsible for:
- consulting with teams to identify and assess risks and determine mitigating actions;
- the ongoing maintenance of a risk register for their area of the business;
- ensuring risk registers undergo regular review and quality assurance;
- promoting the risk management policy, procedures and best practice within their area of the business;
- communicating changes to the risk management policy and procedures to their area of the business;
- sharing information and knowledge on risks within their area of business, directorate and those on the corporate risk register; and
- being the key contact for the corporate PMO for assurance on the management of risk and compliance with this policy.

4.1.2 Risk owner

All risks will have an identified risk owner who is responsible for ensuring that the risk is managed, including the ongoing monitoring of the risk, ensuring controls and further actions are in place to mitigate the risk and reporting on the overall status of the risk. It is the responsibility of the risk owner to escalate risks where appropriate in line with the local risk procedure and the risk escalation process detailed in Appendix A.

4.1.3 Action owner

All risks have action owner(s), to whom the risk owner has delegated responsibility for ensuring the delivery of a task or activity that will help to mitigate the risk and for providing regular reporting on progress.

4.1.4 Corporate programme management office (PMO)

The corporate PMO will support the executive risk management group by providing assurance on the implementation of the risk management policy, the management of the corporate risk register and the review of directorate, regional, programme and project risk registers.

5 Risk management process

[Figure: the risk management cycle: Identify & record; Assess & score; Plan; Monitor & review; Report & escalate.]

5.1 Risk identification and recording

5.1.1 Identification of risk

When identifying a risk, consideration should be given to what could pose a potential threat (or opportunity) to the achievement of objectives within the context of the organisation; for example, whether the risk is strategic, programme or operational.

Risks and issues often get confused, and a useful way of remembering the difference is:
- Risks are things that might happen and stop us achieving objectives, or otherwise impact on the success of the organisation.
- Issues are things that have happened, were not planned and require management action.

Once identified, the risk needs to be described clearly to ensure that there is a common understanding of the risk by stakeholders. The recommended form for risk descriptions is to identify the cause, the event and the effect. Appendix C includes guidance on how to write a risk.

5.1.2 Risk register

As a minimum a risk register must contain:
- risk reference;
- risk owner;
- risk description;
- ratings of likelihood and impact, both current and after actions;
- risk proximity;
- action plans;
- action owner for each action; and
- completion date for each action.

It is recommended good practice to also include:
- trend analysis; and
- sources of internal and external assurance.

NHS England's policy is to mandate the use of the standard risk register template, which is available on the corporate PMO intranet pages here. Additional columns can be added to the standard template to enable the best management of risks by those responsible. Guidance on completing a risk register can be found in Appendix C.

5.2 Risk assessment and scoring

It is vital that all risks are assessed in an objective and consistent manner if they are to be managed, and to guide operational, project and programme planning and resource allocation. Risks are firstly assessed on the probability (likelihood of the risk happening) and secondly on what would happen (impact) should the risk occur.

When assessing how likely it is that a risk will occur, take into account the current environment. Consider the adequacy and effectiveness of the controls already in place within the environment which could address the causes of the risk and therefore the likelihood of the risk being realised; for example, systems, policies, training and current practice.

When assessing what the impact of the risk could be if it happened, consider what the impact of the risk would be in most circumstances within your environment and what is reasonably foreseeable.

The assessment is completed by scoring the likelihood and impact. Appendix D sets out the NHS England scoring tables, which are based on a scale of 1-5, and the NHS England risk rating matrix, which gives the scoring a RAG status. NHS England's procedure is to score and rate a risk twice: as a current score and as a post-action score.

Risks are also assessed in terms of proximity, i.e. when the risk would occur. Estimating when a risk would occur helps prioritise the risk. The proximity scale used in NHS England is:
- zero to three months;
- three to six months;
- six to nine months;
- nine to twelve months; and
- twelve months plus.

5.3 Action planning

Following completion of the risk assessment, consideration must be given to whether the risk requires further management actions that ideally minimise the likelihood and/or impact of a threat or maximise the likelihood of opportunities. For each risk, an action plan to eliminate, minimise or maximise the risk is required.

It is not always possible to identify and then fully implement actions that eliminate or minimise a risk. Where this is the case, it is essential that the significance of the risk that remains is understood and that the organisation, in accordance with the risk management governance, confirms that it is prepared to accept that level of risk. This is known as the residual risk.

5.4 Monitoring and closure

The implementation of the action plan and the level of risk must be kept under review. Where implementation of action plans is not producing the anticipated results, the risk should be re-assessed and a revised action plan agreed as necessary. Once all possible actions have been completed or the event has passed, the risk should be closed and moved to the closed risk register for audit purposes.

6 Reporting and escalating risks

6.1 Corporate risk register

NHS England has a corporate risk register, which is an integral part of the system of internal control and defines the highest priority risks which may impact on NHS England's ability to deliver its objectives. The corporate risk register enables the Board and the Audit and Risk Assurance Committee to be assured of the management of these risks. The executive risk management group (ERMG) manages these risks on behalf of the Board.
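As an added illustration (not NHS England's template or any code from this document), the minimum register content in 5.1.2, the twice-scored assessment in 5.2, the proximity bands above and the trend column of Appendix C can be expressed as a small validator. The score as likelihood times impact and the worded trend are assumptions, since the Appendix D tables and RAG matrix are not reproduced on this page; every sample value is constructed.

```python
"""Risk register entry checks, after sections 5.1.2, 5.2 and Appendix C.

Added illustration, not NHS England's template. Assumptions (not on the page):
score = likelihood x impact on the 1-5 scales (Appendix D is not reproduced, so
no RAG band is derived), and the trend is a word rather than an arrow symbol.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# The five proximity bands given in section 5.2.
PROXIMITY_BANDS = (
    "zero to three months",
    "three to six months",
    "six to nine months",
    "nine to twelve months",
    "twelve months plus",
)


@dataclass
class Action:
    description: str
    owner: str                       # full job title, not just a name
    completion_date: Optional[date]  # every action needs one


@dataclass
class Rating:
    likelihood: int  # 1-5
    impact: int      # 1-5

    def score(self) -> int:
        # Assumption: likelihood x impact; the page's own matrix is in Appendix D.
        return self.likelihood * self.impact


@dataclass
class Risk:
    reference: str
    owner: str
    description: str
    current: Rating      # score before further actions
    post_action: Rating  # residual risk once the action plan is delivered
    proximity: str
    actions: List[Action] = field(default_factory=list)


def validate(risk: Risk) -> List[str]:
    """Return every breach of the minimum register content (section 5.1.2)."""
    problems: List[str] = []
    for name in ("reference", "owner", "description"):
        if not getattr(risk, name).strip():
            problems.append(f"{name} is missing")
    for label, rating in (("current", risk.current), ("post-action", risk.post_action)):
        for axis in ("likelihood", "impact"):
            value = getattr(rating, axis)
            if not 1 <= value <= 5:
                problems.append(f"{label} {axis} {value} is outside the 1-5 scale")
    if risk.proximity not in PROXIMITY_BANDS:
        problems.append(f"proximity {risk.proximity!r} is not one of the five bands")
    if not risk.actions:
        problems.append("no action plan recorded")
    for idx, action in enumerate(risk.actions, 1):
        if not action.owner.strip():
            problems.append(f"action {idx} has no action owner")
        if action.completion_date is None:
            problems.append(f"action {idx} has no completion date")
    return problems


def trend(previous: Rating, current: Rating) -> str:
    """Trend column (Appendix C): direction of change between two reviews."""
    if current.score() < previous.score():
        return "improvement"
    if current.score() > previous.score():
        return "increase"
    return "no change"


# Constructed sample entry, worded in the Appendix C cause/event/effect form.
SAMPLE_RISK = Risk(
    reference="R-001",
    owner="Head of Corporate PMO",
    description=("There is a risk that the standard risk register template is not "
                 "used across directorates. This is caused by teams keeping local "
                 "spreadsheets. Would lead to an impact on consistent scoring and "
                 "on escalation to the corporate risk register."),
    current=Rating(likelihood=3, impact=4),
    post_action=Rating(likelihood=2, impact=2),
    proximity="three to six months",
    actions=[Action("Publish the template and guidance on the PMO intranet",
                    "Corporate PMO lead", date(2015, 3, 31))],
)


def sample_breaches() -> List[str]:
    """A deliberately incomplete constructed entry, to show what validate() reports."""
    incomplete = Risk("", "Regional Director", "There is a risk that ...",
                      Rating(6, 3), Rating(2, 2), "next quarter",
                      [Action("Agree a plan", "", None)])
    return validate(incomplete)
```

Running `validate(SAMPLE_RISK)` returns an empty list, while `sample_breaches()` lists the missing reference, the out-of-scale likelihood, the unrecognised proximity and the action with no owner or completion date.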

6.2 Escalating risks

The governance and escalation diagram set out in Appendix A also includes an example of the process for how risks can be escalated for inclusion on the corporate risk register. It is recommended that at each level Amber/Red and Red risks are escalated.

It is the responsibility of each directorate, region and programme and project to define an internal escalation process in line with this policy. This should be documented in an appropriate programme document such as a programme definition document or directorate risk management procedure. A risk management procedure template can be found on the corporate PMO intranet pages here.

7 Assuring implementation of this policy

The corporate programme management office will be responsible for assuring the implementation of the policy and procedures. This will be through discussions with risk leads and assessment of risk management processes and risk registers from central team directorates, regions, programme and project teams. The recommendations of the reviews will be reported to the executive risk management group for consideration and, where required, further action taken.

Internal audit will conduct an annual audit to provide an independent assessment of the design of the risk management policy, processes and procedures and the extent to which they are applied across the organisation. The recommendations of the review will be reported to the National Director, Transformation and Corporate Operations and the Audit and Risk Assurance Committee.

The Audit and Risk Assurance Committee oversees the establishment and maintenance of an effective system of assurance on risk management through approval of the risk management policy, regular reporting on the management of corporate risks and progress updates against audit recommendations.

8 Equality and health inequalities analysis

This procedural document forms part of NHS England's commitment to create a positive culture of respect for all individuals including staff, patients, their families and carers as well as community partners. The intention is to identify, remove or minimise discriminatory practice in the areas of race, disability, gender, sexual orientation, age and religion, belief, faith and spirituality, as well as to promote positive practice and value the diversity of all individuals and communities. As part of the development of this document, its impact on equality has been analysed and no detriment identified.

9 Associated documentation

Best Management Practice: Management of Risk (MoR) Guidance for Practitioners. Access to this supplementary guidance is available through the corporate access to project and programme management guidance here.

10 Glossary

Action plan: Sets out the activities that will address the identified gap and reduce, eliminate or minimise the risk.
Assurance: External evidence that risks are being effectively managed (e.g. planned or received audit reviews).
Control(s): Actions in place to manage the risk.
Corporate risk register: A record of the risks identified through internal processes that will impact on the delivery of NHS England's strategic objectives or major programmes.
Directorate risk register: A record of the risks identified through internal processes that will impact on the delivery of directorate objectives and/or plans.
Gaps in controls or assurances: Where an additional system or process is needed, or evidence of effective management of the risk is lacking.
Impact: The result of a particular threat or opportunity should it actually occur.
Issue: A relevant event that has happened, was not planned and requires management action.
Likelihood: The measure of the probability that the threat or opportunity will happen, including a consideration of the frequency with which this may arise.
Operational risks: A risk or risks that have the potential to impact on the delivery of business, project or programme objectives. Operational risks are managed locally within teams, and significant operational risks are escalated, where appropriate, to the executive risk management group (ERMG) via the directorate senior management team.
Opportunity: An uncertain event that would have a favourable impact on objectives or benefits if it occurred.
Risk: An uncertain event or set of events that, should it occur, will have an effect on the achievement of business, project or programme objectives. A risk can be a threat or an opportunity.
Risk assessment: The process used to evaluate the risk and to determine whether controls are adequate or more should be done to mitigate the risk. The risk is compared against predetermined acceptable levels of risk.
Risk management: The systematic application of management policies, procedures and practices to the task of identifying, analysing, assessing, treating and monitoring risk.
Risk proximity: The estimate of the timescale as to when the risk is likely to occur. It helps prioritise risk and identify the appropriate response.
Threat: An uncertain event that could have a negative impact on the delivery of objectives or benefits, should it occur.

Appendix A NHS England Risk Management Governance and Escalation Route

[Diagram: risk escalation process. The levels and annotations recoverable from the diagram are:]
- Board and Board sub-committees (Audit and Risk Assurance Committee): approve recommendations made in relation to the corporate risk register.
- Chief Executive, executive risk management group (ERMG) and major programmes assurance group: ERMG reviews the corporate risk register, considers any escalated risks for addition or removal and recommends to the Board.
- National director senior management team and Regional Director / regional team: risk discussed at national or regional directors' SMT meetings and escalated to ERMG where appropriate.
- Director (VSM) / central team and programme or project senior responsible officer: risk registers collated and managed, with red and amber/red risks being escalated for discussion at management meetings.
- All programme and project teams: all identified risks are assessed and scored, with controls and actions recorded on standard risk registers and reviewed regularly.
- All staff: identify risks and report to a nominated risk lead in their directorate, project, programme or region any potential threats or opportunities that impact on delivery of objectives.

Appendix B NHS England Risk Management Responsibilities

NHS England Board. Responsible for:
- articulating the key risk management priorities for NHS England;
- protecting the reputation of NHS England;
- providing leadership in risk management;
- determining the risk appetite for NHS England;
- ensuring the approach to risk management is consistently applied;
- ensuring that assurances demonstrate that risk has been identified, assessed and all reasonable steps taken to manage it effectively and appropriately; and
- endorsing risk related disclosure documents.

Audit and Risk Committee. Responsible, on behalf of the Board, for:
- providing oversight of the establishment and maintenance of an effective system of assurance on risk management and internal control, across the whole of NHS England's activities, that supports the achievement of NHS England's objectives.
Further information regarding the responsibilities of the committee is available in the Committee Handbook.

Chief Executive. Responsible for:
- ensuring that management processes fulfil the responsibilities for risk management;
- ensuring that full support and commitment is provided and maintained in every activity relating to risk management;
- planning for adequate staffing, finances and other resources, to ensure the management of those risks which may have an adverse impact on the staff, finances or stakeholders of NHS England;
- ensuring an appropriate corporate risk register is prepared and regularly updated and receives appropriate consideration; and
- ensuring that the governance statement, included in the annual reports and accounts, appropriately reflects the risk management processes in operation across NHS England.

Executive risk management group. Responsible for:
- undertaking a detailed review of NHS England's corporate risk register on a monthly basis and prior to submission to the Board;
- recommending to the Board the raising of new risks and closing of identified risks, using the corporate risk register;
- reviewing and discussing the highest key priority risks raised by members of the executive risk management group, with a view to escalating to the corporate risk register, as required;
- reviewing themes and trends arising from reviews of risks and issues identified;
- reviewing directorate risk management arrangements; and
- reviewing the risks of the major organisational programmes and projects, as escalated from the major programmes assurance group.

National directors. Responsible for:
- ensuring that directorate and major programme risks are actively managed within their directorate;
- owner and action owner of individual risks;
- ensuring staff comply with all organisational policies and procedures and fulfil their responsibility for risk management by identifying, reporting, monitoring and managing risk;
- leading the management of risk by devising short, medium and long-term strategies to tackle identified risk, including the production of any mitigating action plans;
- escalation of risks from or to the directorate risk register, for consideration by the executive risk management group for inclusion on the corporate risk register; and
- ensuring that all activities undertaken within their directorates are consistent with the safe operation of NHS England.

Directors (VSMs) / SROs / programme directors. Responsible for:
- ensuring that programme and operational risks are actively managed within their areas of the business;
- owner and action owner of individual risks (including those delegated by the national director);
- devising short, medium and long-term strategies to tackle identified risk, including the production of any mitigating action plans;
- escalation of risks to the national director for inclusion on the appropriate risk register;
- evaluation of risks leading to the identification of themes (particularly relevant for regional directors across regional risk registers);
- cascading information and knowledge on risks that are within their area of the business, directorate and those on the corporate risk register;
- ensuring staff comply with all organisational policies and procedures and fulfil their responsibility for risk management by identifying, reporting, monitoring and managing risk; and
- ensuring that all activities undertaken within their directorates are consistent with the safe operation of NHS England.

All teams. Responsible for:
- participating (as appropriate) in the identification, assessment, planning and management of threats and opportunities;
- keeping a record of the identified risks in a risk register;
- undertaking a regular review of the risks on the risk register; and
- escalating risks to their director, as appropriate and in accordance with the risk management governance and escalation diagram set out in Appendix A.

All staff. Responsible for:
- participating (as appropriate) in the identification, assessment, planning and management of threats and opportunities;
- ensuring that they familiarise themselves and comply with the policies and procedures of NHS England; and
- undertaking and/or attending mandatory and other relevant training courses.

Internal audit. Responsible for:
- agreeing (with the Audit and Risk Assurance Committee) a programme of audits which assess the exposure and adequacy of mitigation of the principal risks affecting the organisation;
- prioritising the internal audit programme to reflect the risk evaluation set out in the corporate risk register; and
- reporting and advising on the processes and management of risk through audits, although responsibility remains with the organisation or relevant risk owners.

Corporate programme management office in the Transformation and Corporate Operations Directorate. Responsible for:
- assuring the executive risk management group that risk accountabilities exist;
- reviewing progress in developing and applying the risk management policy;
- reviewing the results of the assessment of the management of risk;
- reviewing directorate, region and programme and project team risk registers;
- evaluation of risks leading to the identification of themes;
- making recommendations to the executive risk management group on the management of risk implementation; and
- ensuring risk information is available for review by the executive risk management group through the corporate risk register.

Appendix C Risk register guidance

Risk description: should describe the risk event, the cause and the effect. The risk should be articulated clearly and concisely with appropriate use of language, suitable for the public domain, with acronyms spelt out in the first instance. When wording the risk it is helpful to think about it in three parts and write it using the following phrasing:
- There is a risk that ...
- This is caused by ...
- Would lead to an impact/effect on ...

Risk owner: should include the full job title (not just the name) of the person who owns the risk.

Risk assessment / scoring: should be completed in line with the guidance set out in section 5.2 and Appendix D.

Risk proximity: should be selected from: zero to three months, three to six months, six to nine months, nine to twelve months, and twelve months plus.

Action plan: should be the actions and activities planned to take place that will, when implemented or completed, reduce, eliminate or minimise the risk.

Action owners: should include, for each action, the full job title (not just the name) of the person responsible for completing the action.

Completion date for actions: each action should have a completion date set.

Assurances: this should include internal assurance / evidence (e.g. Board reporting, subcommittee and programme governance) and external assurance / evidence (e.g. planned or received audits or reviews) that the risk is being effectively managed.

Trend: this indicates any change in the current risk score in the form of an arrow. It is recommended that [arrow symbol] indicates an improvement in position and therefore a reduction in the level of risk (e.g. amber to amber/green) and [arrow symbol] indicates an increase in the level of risk (e.g. amber to amber/red). Where there is no change in the level of risk this is indicated by [symbol].

Last review date: this is to indicate when the risk was last reviewed and/or updated.

Please note: Be careful and sensitive about the wording of the risk, as risk registers are subject to Freedom of Information (FOI) requests. Do not reference blame to other organisations in the risk register (the register may be made available in the public domain).

Appendix D Risk scoring and rating matrices

Likelihood score

Likelihood scoring: score, descriptor, and frequency / how likely is it to happen?
1 - Rare: This probably will never happen/recur.
2 - Unlikely: Do not expect it to happen/recur, but it is possible it may do so.
3 - Possible: Might happen or recur occasionally.
4 - Likely: Will probably happen/recur, but is not a persisting issue or circumstance.
5 - Very likely: Very likely to happen/recur; possibly frequently.

Impact score

Impact scoring, by category (Operational, Reputational, Financial) for each score and descriptor:

1 - Very low
  Operational: Minor reduction in quality of treatment or service. No or minimal effect for patients.
  Reputational: Not relevant to mandate priorities. No adverse media coverage. No negative recognition from the public.
  Financial: Programme - Between 10m and 25m. Admin - Between 2m and 5m.

2 - Low
  Operational: Single failure to meet national standards of quality of treatment or service. Low effect for a small number of patients if unresolved.
  Reputational: Minor impact on achieving mandate priorities. Low level of adverse media coverage. Small amount of negative public interest.
  Financial: Programme - Between 25m and 50m. Admin - Between 5m and 10m.

3 - Moderate
  Operational: Repeated failure to meet national standards of quality of treatment or service. Moderate effect for multiple patients if unresolved.
  Reputational: Moderate impact on achieving mandate priorities. Moderate amount of adverse media coverage. Moderate amount of negative public interest.
  Financial: Programme - Between 50m and 100m. Admin - Between 10m and 20m.

4 - High
  Operational: Ongoing noncompliance with national standards of quality of treatment or service. Significant effect for numerous patients if unresolved.
  Reputational: High impact on achieving mandate priorities. High level of adverse media coverage. Negative impact on public confidence.
  Financial: Programme - Between 100m and 250m. Admin - Between 20m and 50m.

5 - Very high
  Operational: Gross failure to meet national standards with totally unacceptable levels of quality of treatment or service. Very significant effect for a large number of patients if unresolved.
  Reputational: Mandate priorities will not be achieved. National adverse media coverage. Total loss of public confidence.
  Financial: Programme - More than 250m. Admin - More than 50m.

Each risk will be rated by taking the likelihood and impact scores and applying them to the matrix below (rows: impact; columns: likelihood). Key: G = green, AG = amber/green, A = amber, AR = amber/red, R = red.

Likelihood:          1 Rare   2 Unlikely   3 Possible   4 Likely   5 Very likely
Impact
Very high - 5        A        AR           R            R          [cell not recovered]
High - 4             A        A            AR           R          R
Moderate - 3         AG       A            A            AR         AR
Low - 2              G        AG           AG           A          A
Very low - 1         G        G            G            G          G