Hazard Identification, Risk Assessment and Management Procedure
Documentation Control
Reference:
GG/CM/007 (linked document)
Date approved:
30 October 2014
Approving Body:
Trust Board (Medical Director)
Implementation Date:
1 November 2014
Version:
7
Supersedes:
Version 6 (March 2013)
Consultation:
Clinical and Non-Clinical Hospital Staff
Organisational Risk Committee
Directors’ Group
Trust Board
Executive Directors, Clinical Directors, Clinical
Leads, Directorate General Managers, Heads of
Service
Members of the Quality Assurance Committee, DG
and Committees of DG
Specialists Advisors, as set out in the Trusts Risk
Management Policy
Relevant External Stakeholders
All Trust staff and relevant Stakeholders
Distribution:
Target Audience
Supporting Policies
and Procedures
NUH Risk Management Policy
Trust Annual Plan
Board Assurance Framework.
Review Date:
Lead Executive(s):
Author/Lead Manager:
Further
Guidance/Information
September 2015
Medical Director
Head of Organisational Quality, Risk and Safety
Head of Organisational Quality, Risk and Safety
(ext 76018 / 62553)
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 1 of 13
HAZARD IDENTIFICATION, RISK ASSESSMENT AND
MANAGEMENT PROCEDURE
1. Introduction
This procedure sets out the Trust operational processes for Hazard Identification,
Risk Assessment and the Management of risk. This document should be read in
conjunction with the Risk Management Policy.
This procedure covers all of the Trust’s activities and should be used when
assessing any kind of hazard (e.g. clinical, strategic, organisational, financial and
health & safety).
It can be used by any member of the Clinical or Non-Clinical teams in all
Directorates and Departments of the Trust.
The Hazard Identification, Risk Assessment and Management procedure supports
the principle that risks which can be reasonably managed locally should be
managed locally. Where this is not practical or where the risk score dictates; the
procedure sets out the escalation process to Trust Committees and Groups.
The tool has been designed for a wide range of purposes i.e.
• it can be used to review and manage all known risks,
• it can be used to assess potential risks from new activities, service
development and projects
• it can also inform business cases and development projects allowing
comparisons and prioritisation to be made.
2. Risk Registers
The Trust requires that all risks are recorded on DATIX. No other systems are
permitted.
The Trust will maintain a Significant Risk Register which comprises of all 20 or 25
scoring risks (as ratified by the Directors’ Group and the Trust Board).
The Significant Risk Register will be reported to the Trust Board each month.
The Trust requires that all Directorates, Specialties and Departments undertake
systematic and proactive hazard identification and risk assessment to identify local
risks to service provision, service quality, legislative compliance, financial and
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 2 of 13
delivery of the Trusts objectives and operational requirements. Clinical Directors and
Heads of Service are responsible for ensuring this happens.
All Risk Assessments (irrespective of score) must be recorded on the DATIX
system. Please see appendix 4 for the minimum information to be recorded on the
Risk Register. The system entry must include details of any mitigating actions
required to further mitigate the risk (including responsibilities and timescales).
Where Risk Assessment forms are generated these must be uploaded into DATIX
in the document section of the electronic record along with any supporting e-mails,
reports and documents.
The Trust’s Risk Register is a dynamic and continually evolving document.
The Risk Register provides a focus for the work of the Trust Board and its
Committees by communicating risk information throughout the organisation, and
provide assurance that risks are being effectively mitigated and managed.
3. Definitions
Hazard is defined as a source of potential harm or a situation with a potential to
cause loss
Risk is defined as the possibility of suffering some form of loss or damage and / or
the possibility that objectives will not be achieved or that opportunities will not be
taken. This can be opportunities / benefits (Upside risk) or threats to success
(Downside Risk).
Risk Assessment is defined as the process of determining the level of harm that a
hazard poses and the likelihood of its occurrence.
Risk Control is defined as the part of the risk management process that is
concerned with the implementation of policies, processes, tools, and techniques that
accept, eliminate, remove or transfer risk; or establish business continuity
processes. Controls may be preventative, detective or post-event.
Risk Treatment is defined as the selection and implementation of options for
managing risks.
Risk Transfer is defined as the treatment or control of risk through sharing the
burden of loss or benefit from a risk with another party.
A Risk Register is a formal record that captures all known Trust Risks. For each
risk, the Risk Register will capture the source of the risk, a description of the risk,
the risk score (Consequence x Likelihood), the actions required to further mitigate
the risk, a review date and an assessment of the affect of those further mitigating
actions on the risk (Residual Risk).
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 3 of 13
4. The process
Step 1
IDENTIFING HAZARDS
At local level, there will be different people leading on different aspects of risk
management, e.g., Clinical Governance Co-ordinators, Health & Safety link persons,
Directorate managers, risk assessors, infection control link persons, Trust Specialist
Advisers to name a few.
It is not intended that these activities are merged into a single role. It is more about
people working together to integrate activity at a local level and to work together in
the identification, assessment and management of risk.
Hazard identification can take many forms including;
•
•
•
•
•
•
•
•
•
•
•
•
Through the local review of Incident, Claims and Complaints data,
As a result of an Health & Safety audit / inspection,
Following a Patient Safety conversation,
In response to an Internal Audit report,
In response to an external report / directive / Alert,
In response to a Department of Health directive,
To respond to gaps identified from the Health & Safety Compliance review,
Accreditation Standards compliance (CQC etc.)
To respond to Trust requirements such as CIP’s, Essence of Care
Benchmarks, CQuins, HR including Mandatory Training performance
To meet legislative requirements
Through review of service specific standards, service quality and service
delivery
In response to advice received from Specialist Advisers
The above list is not exhaustive and the Integrated Governance Team can help
facilitate hazard identification sessions if required.
When assessing any service or activity, you will identify a number of hazards. You
will need to decide if you are going to record these as a single risk or as a collective
group on Datix. Either way is perfectly legitimate. It is strongly recommended that
initially you record your assessment on the Trust approved “Generic Risk
Assessment Form” (see Appendix 2). Which ever route you adopt you will need to
ensure that the action plan addresses all component hazards and not just the
highest scoring one. The hazards identified should be recorded in the “Hazards,
Controls and Assessment” section on the Trust approved “Generic Risk
Assessment Form” (see Appendix 2). For each hazard identified you will also need
to decide who or what can be harmed (and how) and document any controls that
are in place. The next step will be to determine the consequence and likelihood
scores for each i.e. the risk (see steps 2&3 below).
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 4 of 13
No other risk assessment forms are permitted.
Step 2
DETERMINE THE CONSEQUENCE
The tool incorporates 5 consequences factors against which a hazard could impact,
1.
2.
3.
4.
5.
Objectives / Financial, (A-Objectives)
Degree of Harm (to Staff, Patient, Visitor or Member of the Public), (B-Harm)
Claims & Complaints / Patient Experience, (C-Experience)
Impact on Services / Business Interruption / Projects, (D-Service Delivery)
Adverse Publicity / Reputation/ Inspection / Audit / Enforcement Action. (E-External)
Appendix 3, sets out the 5 consequence factors along with descriptors for each that
depict a range of outcomes from 1 to 5. For each hazard identified, you will need to
determine a consequence score for each of the factors, which will need to be
recorded on the form. You should look at the controls in place when deciding the
level. If any of the factors don’t apply to the hazard being assessed then add a
score of 1 in the appropriate column on the Generic Risk Assessment Form.
Helpful Process Definitions
Primary Objective
Trust Key Task
Temporary Non-Compliance
Non Achievement
Control Measures
For 2013/14, the Trust’s Objectives are detailed in the
Trusts Annual Plan. These are the “major things” that the
Trust has declared it want to achieve in year to meet its
Strategic aims.
For each of the Objectives the Annual Plan also
describes a number of “sub-issues” that could impact on
the delivery of the primary objective. These are important
things the Trust wants to deliver on but failure of one or
more would not necessarily prevent the Primary Objective
being achieved.
This applies where you have an objective or key
task, which at the time of assessment is not being
complied with, but there is a plan in place that will bring
the objective back into compliance within year.
This applies when the objective or key task, which at the
time of assessment is not being complied with, and there
is no plan in place or possibility that compliance will be
achieved in year.
These are the things that have already been put into
place to manage/ mitigate the risk. These can be things
such a Policies, training, safe systems of work, physical
safeguards etc.. These are only control measures once
they are in place. If things are planned but not in place,
they should be recorded as actions. Generally as action
are completed these will become controls.
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 5 of 13
Step 3
DETERMINE THE LIKELIHOOD
Once you have determined the consequence (for each of the hazards you
identified), you will need to determine the likelihood of the level of consequence you
have identified being realised. Remember it’s the likelihood of the consequence
occurring, not how often the activity takes place.
It is also important that any existing control measures are taken into account when
determining the likelihood score. The derived score should also evaluate whether:
 the control adequately addresses the hazard
 the control measure is documented and communicated
 the control measure is in operation and applied consistently.
Once you have determined the score enter the score(s) in the Likelihood box on the
Generic Risk Assessment Form.
TIP: The worst-case scenario doesn’t always yield the highest risk. You can have a
catastrophic consequence such as a death (consequence = 5) which due to the
controls in places gives a likelihood of 1 and therefore a risk score of 5. But the
same hazard may cause less severe harm (consequence = 3) each month
(likelihood = 4) giving a risk score of 12.
Step 4
ASSESS THE RISKS
The risk score is determined by multiplying the consequence and likelihood scores
you have recorded for each hazard.
It has been recognised that by using a 5 by 5 tool there will be limited stratification
of risks within the possible score bandings. (i.e. the possible scores (CxL) that can
be achieved are 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 and 25). To aid prioritisation
of risks particularly within the higher scoring bandings (15, 16, 20 and 25) a second
score is determined by adding together the 5 individual consequence scores to give
a unique score for each risk.
This Priority Indicator Score will then be used to help stratify the risks recorded
against a given scoring banding. The PI Score for each risk should be recorded on
the Generic Risk Assessment Form.
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 6 of 13
Step 5
MANAGE THE RISK
By comparing the Risk Score (Risk Rating) obtained with the table below, you will
be able to determine whether the risk you have assessed is “unacceptable”,
“tolerable” or “acceptable”. The table also prescribes where the risk needs to be
communicated and the management action required.
Table 1 – Levels of Risk, Reporting and Accountability
Risk Rating
Level at which the risk
must be reported
Directors’ Group
Who needs to be
informed
Trust Board
High
(15-19)
Unacceptable
Appropriate Sub
Committee of DG
Directors’ Group
Moderate
(10-14)
Unacceptable
Directorate
Organisational
Risk Committee
Low
(4-9) Tolerable,
manageable
Specialty / Directorate
Directorate
Very Low
(1-3) Acceptable
Specialty / Directorate
Directorate
Significant
(20- 25)
Unacceptable
Management Actions Required
Immediate action required to eliminate or manage
risk. Report to Directorate Clinical Director / Head of
Department & Directors’ Group and the Trust
Board. Risks scoring 20 or 25 will be routinely
monitored and actions performance managed via
the Directors’ Group. Operational management and
oversight of these risks will be apportioned to the
relevant governance committee / forum, for
example clinical risks will be forwarded to the
Clinical Risk Committee for monitoring delivery of
agreed actions.
Urgent action/senior management attention
required to eliminate or reduce the risk. Report to
Directorate Clinical Director / Head of Department.
Risks scoring between 15 and 19 will be reviewed
by the Organisational Risk Committee who will
agree at what level the risk and subsequent actions
should be managed.
Action/senior management attention required to
eliminate or reduce the risk. Report to Directorate
Clinical Director / Head of Department. Risk can be
managed at Directorate Level if appropriate. Report
upwards to relevant Sub Committee of DG.
Action if cost efficient to reduce or manage risk.
Local actions. Delivery against any plans will be
monitored via the Directorate Governance
arrangements.
Manage situation with routine procedures at a
Specialty or Department Level. Action if easy to
implement and inexpensive. Delivery against any
plans will be monitored via the Directorate
Governance arrangements.
If any actions / controls are required to further mitigate the risk these should be
recorded in the “Action Planning & Monitoring” section of the form along with named
persons responsible for undertaking the action and the timescale for completion.
The responsibility for ensuring that any actions identified are taken forward will be
dependant upon the risk score. For example a risk scoring 8 (from the table above)
would be “reported / managed” by the Specialty / Department whereas a risk scoring
12 would be “reported / managed” by the Directorate.
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 7 of 13
Step 6
IF RISK CAN’T OR SHOULDN’T BE MANAGED LOCALLY
Where possible, risks should be managed at the lowest practical level.
However where this is not possible (e.g. due to the resources required) the risk
should be escalated to the next level. i.e. if a Department can’t manage a risk it
should pass to the Directorate / Corporate Function. If the Directorate / Corporate
Function it should be passed to the ORC.
It is also acknowledged that certain risks shouldn’t be managed locally, i.e. where
the issue impacts across the Trust. In these instances it is appropriate to escalate
the risk so that a Trust wide response can be actioned and implemented. A key part
of the process within the Organisational Risk Committee will be to agree the route
for handling those issues that can’t or shouldn’t be handled at Directorate level. The
Organisational Risk Committee will oversee these risks and ensure that appropriate
committees / groups are taking action.
Risks may have to be accepted or, in the case of significant risks, shared with the
commissioners of services, members of the health care community and other
stakeholders.
If you are unsure what to do please seek advice from a member of the
Directorate Team or the Integrated Governance Team who will advise you on
action to be taken.
Step 7
UPDATE THE RISK REGISTER
All risks identified, along with the risk score, controls and actions, need to be
recorded on the DATIX Risk Management System in order to inform the Trust Risk
Register. Each Directorate and Corporate Function has a named lead who will be
able to assist with this process. All relevant information to support the risk
assessment should be imported into the record. To ensure that all key information is
captured in the Risk Register a number of fields have been made mandatory (see
Appendix 4).Staff adding risks to DATIX will need to access the training provided.
Data can be copied and pasted from the Generic Risk Assessment Form into the
DATIX risk entry.
All risks scoring 20 or more will be added to the Trusts Significant Risk Register and
Board Assurance Framework. This will help to facilitate the management of risks,
the identification of trends and significant risks, as well as the monitoring of risk
management.
All risk registers need to be formally reviewed at least quarterly at Trust, Directorate,
Speciality and Departmental Governance Forums. At each review the risk register
needs to be updated to reflect progress on actions and to review risk scores.
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 8 of 13
Appendix 1
HAZARD IDENTIFICATION, RISK ASSESSMENT AND MANAGEMENT
PROCEDURE FLOWCHART
Directorates and
Departments supported where
appropriate, by the
Integrated
Governance Team
STEP 1 Record the details of the activity
being assessed on the Generic Risk
Assessment Form. Use the tools and
techniques available to identify and record
the key hazard to the activity, process or task
being assessed.
STEP 2 – For each hazard identified
determine the Consequences
Refer to Governance
Checklists, Policies and
Guidance to identify risks.
(Checklists to incorporate
legislation, external
accreditation standards,
best practice, etc.)
Incident, Claims and
Complaints data
See Generic Risk
Assessment Form
STEP 3 - Determine the corresponding
Likelihood (for the highest scoring
Consequence)
STEP 4 – Determine the Risk Rating and
Priority Indicator score
Add to Directorate, Specialty, Department
Governance Action Plan
Performance Managed by
Directorate
STEP 5 - Manage the risk
STEP 6 - Issues that can’t/shouldn’t be
managed by the Specialty / Department, OR
can’t be accepted, as they score 10 or more
Add to Directorate Governance Action Plan
Manage the risk
Performance Managed by
Organisational Risk
Committee
STEP 6 - Issues that can’t/shouldn’t be
managed by Directorate OR can’t be
accepted, as they score 15 or more
STEP 7
Update Risk
Register on Datix
Filtered by Organisational Risk Committee
and referred to relevant
Committee/group/individual for action, e.g., to
Clinical Risk Committee to be added to Trust
Governance Action Plan
Performance Managed by
the DG or relevant Trust
Board Committee
STEP 6 - Issues that can’t be managed OR
can’t be accepted, as they score 20 or more
Any risks scoring
20 or more
Raise at the Board
Hazard Identification, Risk Assessment and Management Procedure
Version 7
October 2014
Page 9 of 13
Appendix 2
GENERIC RISK ASSESSMENT
FORM
Assessment No.
Campus:
Directorate:
Speciality/Department:
Location:
Assessor:
Job Title:
Date:
Description of activity
Supporting information (for example, case of need, explanation of activity)
1
2
3
4
5
10
Risk Score
(Highest Score A-E
x Likelihood)
Likelihood
E- External
D- Service Delivery
Controls in place
C- Experience
Hazard Identified
B- Harm
No.
A- Objectives
Hazards, Controls and Risk Assessment
Priority
Indicator
Score
(A+B+C+
D+E)
Does the
control
adequately
address the
risk?
Yes / No
Is the control
Is the control
measure
Measure in
documented and operation and
communicated?
applied
Yes / No
consistently?
Yes/ No
Summary of action taken to date
Action Planning and monitoring (dependant upon score)
Hazard Ref
No.
Action required
Cost (£)
(If known)
Official Use Only
Approval Group
Added to the Risk Register Y / N
By Whom
Due Date
Date Score Approved
Date added to the
Register
11
Review Date
Revised /
Residual
Risk Score
post action
Consequence and Likelihood Matrix
1
Minor
2
Moderate
3
Serious
4
Major
5
Catastrophic
Impact on Service
Delivery / Business
Interruption /
Projects
Appendix 3
Objectives* /
Financial
Degree of Harm (to
Staff, Patients,
Visitors or Members
of the Public)
Claims & Complaints /
Patient Experience /
Outcomes
Minor impact on Trust
objective.
AND /OR
Barely noticeable
reduction in scope or
quality
AND /OR Small loss.
Temporary non
compliance with Trust Key
Tasks*
AND /OR
Minor reduction in quality /
scope
AND /OR
Loss > 0.1% of Trust
budget
Temporary noncompliance with Trust
Primary Objective*
AND /OR
Reduction in scope or
quality.
AND /OR
Loss > 0.25% of Trust
budget
Non-achievement of
Trust’s Key Tasks*
AND /OR
Loss > 0.5% of Trust
budget
Minor injury not requiring
first aid or no apparent
injury / adverse
outcome, Near Miss.
Verbal locally resolved
Complaint. Reduced quality of
patient experience not directly
related to the delivery of patient
care Small claims (up to
£25,000)
Negligible impact, brief
loss / interruption > 1
hour of service.
Insignificant cost
increase / schedule
slippage. <1%)
Local interest, rumours within Trust. Little
effect upon staff morale.
Small number of minor recommendations,
which focus on minor quality improvement
issues.
Minor non-compliance with CQC
Not expected to occur
for years
Probability <1%
Temporary Minor Injury /
Illness / Effect. First aid
treatment needed,
referral to A&E / OH /
GP
Justified formal Compliant.
Unsatisfactory patient
experience directly related to
patient care- readily resolvable
Local only. Some loss /
interruption delays in
service provision (> 8
hours)
< 5% over budget /
schedule slippage.
Expected to occur
annually in the UK or 15 years in the Trust
Probability 1-5 %
The event may only
occur in exceptional
circumstances
Semi-permanent Injury,
Over 3 day reportable
injury. RIDDOR / Agency
reportable
Independent review.
Mismanagement of patient care,
short term effects (<1 week)
Justified complaint involving lack
of appropriate care. Significant
claim (up to £250,000)
Critical Service loss /
interruption, minor
delays > 1 day.
5 -10% over budget /
schedule slippage.
Major injuries, or long
term incapacity /
disability, Major
Specified Injury
(RIDDOR)
Critical Service loss,
major reduction in
service > 1 week
10 - 25% over budget /
schedule slippage.
Non -achievement of Trust
Primary Objective(s)*
AND /OR
Loss > 1% of Trust budget
Death or major
permanent incapacity
Ongoing National publicity.
Regional inquiry. Ombudsman.
Serious mismanagement of
patient care, long term effects
(>1week)
Multiple justified complaints.
Multiple claims or single major
claim (over £250,000).
Full National Inquiry. Select
Committee. Public Accounts
Committee. Totally
unsatisfactory patient outcome
or experience
Local adverse publicity, local media coverage,
adverse publicity for < 3 days. Minor effect on
staff morale/public attitudes.
Internal inquiry reported to local committee
structure. Recommendations made which can
be addressed by low-level management
action.
Non-compliance with the Developmental
requirements of the CQC
Local media coverage, adverse publicity for >
3 days. Significant effect on staff morale /
public perception of organisation.
Internal inquiry reported to external agency.
Challenging recommendations that can be
addressed with appropriate action plan.
Reduced rating.
Non-compliance with core requirements of the
CQC
National media coverage, adverse publicity
for < 3 days. Regional inquiry. Severe effect
on staff morale, public confidence in
organisation undermined.
Enforcement action
Low rating / Critical report
Major non-compliance with core requirements
of the CQC
National/international media coverage with
adverse publicity for > 3 days. Loss of key
staff.
Public inquiry / MP Concerns raised in
Parliament. Court enforcement.
Non-compliance with legal requirement, which
may result in Prosecution, Zero rating.
Severely critical report
Total loss of Critical
Service or facility.
>25% over budget/
schedule slippage.
*FOR CURRENT YEAR OBJECTIVES PLEASE REFER TO THE TRUST ANNUAL PLAN.
12
Adverse Publicity / Reputation /
Inspection / Audit / Enforcement
Action
Likelihood
x
Expected to occur at
least annually
Probability 6-20%
The event may occur at
some time
Expected to occur
monthly
Probability 21-50%
The event will occur at
some time
Expected to occur at
least weekly
Probability > 50%
The event is expected
to occur in most
circumstances
Appendix 4
Minimum Information to be captured on the Trust Risk Register
In order to ensure that the Trust’s Risk Register captures all of the required information
upon which the Trust can base subsequent decisions, the following dataset represents
the minimum information to be captured within the Trust’s DATIX system.
•
Risk Reference (Local reference defined to provide a unique identifier)
•
Title (Title of the Risk to include clear description of impact
•
Description of the Risk (include context and background)
•
Controls in Place (Details of safeguards in place)
•
Adequacy of Controls (Adequate, Inadequate, Uncontrolled)
•
Risk Assessor (name of person completing the risk assessment)
•
Manager (name of the relevant manager for the location / Directorate)
•
Initial Assessment Date (Date of original assessment)
•
Planned review date (Minimum every 3 months)
•
Campus (as applicable from drop down list)
•
Directorate (as applicable from drop down list)
•
Specialty (as applicable from drop down list)
•
Location Type (as applicable from drop down list)
•
Location Exact (as applicable from drop down list)
•
Directorates affected (as applicable)
•
Source of the Risk (as applicable from drop down list)
•
Category (based on Trust Incident Categories)
•
Impact (Strategic, Tactical or Operational)
•
Trust Objectives (as applicable from drop down list)
•
NHSLA subjects (as applicable from drop down list)
•
Initial scoring (Scoring at the time of adding risk to DATIX)
•
Current scoring (Current score at any point in time)
•
Target scoring (Residual risk once all identified action has been taken)
•
Action title (Description of action to be taken)
•
Action assigned to (Name of person responsible for completing the action)
•
Action due date (Date the action is to be completed)
13