RISK MANAGEMENT POLICY Approval Process Lead Author: Wendy Lefort Quality & Governance Manager Approved by: Integrated Quality & Governance Business Committee Ratified by: Governance and Compliance Committee Version: 1 Date ratified: November 2011 Review date: November 2013 or earlier if required by local or national changes. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 1 of 22 Document Control Sheet Development and Consultation: Policy developed in consultation with the Quality & Governance and Corporate Services teams and endorsed by the Governance and Compliance Committee Dissemination This policy will be disseminated to all services within the PCT via the PCT website Implementation Policy implementation involves all staff, managers and will be monitored by the Governance and Compliance Committee . The communication requirements are set out in section 11 Training Training will be provided to the directorate Risk and Safety coordinators (see section 6) Audit The Risk Management system is evaluated through the objectives in the Quality & Patient Safety Strategy. Review The document will be reviewed in November 2013 or earlier dependent on local or national changes . The Policy should be read in conjunction with: Health and Safety policy PCT Claims and Complaints policies Risk assessment guide Incident and Near Miss Reporting Guidance Guidance for Investigation of Incidents Procedure for Investigating Concerns about Professional Performance Escalation Policy Disciplinary policy NPSA Serious Incident framework and PCT SI procedure Service Level Agreement for Risk Services with Anglia Support Partnership The Quality & Governance team have carried out a Rapid Equality & Diversity Impact assessment and concluded the policy is compliant with the PCT Equality and Diversity Policy Links with other polices and procedures Equality and Diversity No negative impacts were found. Revisions Version Page/ Para No Description of change NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Date approved Page 2 of 22 TABLE OF CONTENTS 1. INTRODUCTION ............................................................................................. 4 2. PURPOSE AND SCOPE OF THE POLICY ..................................................... 4 3. EXTERNAL REQUIRMENTS .......................................................................... 5 4. RISK MANAGEMENT RESPONSIBILITIES .................................................... 5 5. DEFINITION OF RISK ..................................................................................... 9 6. OPERATIONAL RISK MANAGEMENT FOR THE PCT ORGANISATION .... 10 7. HEALTH & SAFETY ...................................................................................... 15 8. MONITORING OF SERIOUS INCIDENTS .................................................... 16 9. RISK MANAGEMENT IN PCT SYSTEMS ..................................................... 16 10. RISK MANAGEMENT AS PART OF ESCALATION POLICY .................... 16 11. COMMUNICATION OF RISK MANAGEMENT POLICY ............................ 17 12. EVALUATION OF RISK MANAGEMENT SYSTEMS................................. 17 APPENDIX 1 – ELEMENTS OF RISK MANAGEMENT ........................................ 18 APPENDIX 2 - MANAGEMENT OPTIONS FOR DEALING WITH RISKS ............ 19 APPENDIX 3 - RISK MANAGEMENT IN COMMISSIONING ............................... 20 APPENDIX 4 – STRUCTURE FOR MANAGEMENT OF RISK ............................ 22 NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 3 of 22 1. INTRODUCTION NHS Cambridgeshire (NHSC) and NHS Peterborough (NHSP) (the PCT) are committed to ensuring that risk management is an integral part of the PCT’s role of improving the health of the local population and ensuring an outstanding level of patient safety through commissioning high quality services that meet the needs of local people. To this end the PCT must ensure: Risks within the organisation are identified, assessed, treated and monitored as part of the corporate and clinical governance of the PCT All elements of the commissioning process, including needs assessment, tendering, contract management and evaluation, include robust risk assessment and monitoring mechanisms Risk management is a continuously evolving process and engagement of all staff and partners is essential for its successful implementation. Therefore the PCT will work with its partners to promote robust risk management systems across the whole health and social care economy, working towards improving patient safety and learning from all incidents. It is not the intention of the PCT to use risk management to stifle risk taking and innovation. Risk is inherent in all activity. The risk management systems ensure that risk is identified. In many cases the level of risk will be deemed acceptable as part of the overall impact of the project or process. 2. PURPOSE AND SCOPE OF THE POLICY Effective management of potential risks enables organisations to focus effort on high quality commissioning and working towards health improvement. The benefits of proactively and robustly managing risk include: Improved decision making, planning and prioritisation Support for efficient resource allocation and delivery of business plan Anticipation and management of possible areas of financial, corporate and clinical concern Identification and action planning for project development To manage risk effectively, the commitment and participation of all staff and the support of the Boards is required. The PCT’s policy therefore involves creating an awareness and responsibility for the principles of risk management both as an organisation and as part of the commissioning process. The policy is supported at Board level and aims to complement and support the corporate strategy In the same way, the PCT requires the organisations it commissions to use effective risk management within their organisations. The processes used to manage risks in the PCT are based principally on the process set out in the AZ/NZS 4360, 1999 Risk Management Standards (appendix 1) of Identification, Assessment, Treatment and Monitoring. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 4 of 22 3. EXTERNAL REQUIRMENTS In addition to the operational need for good risk management, there are a number of external drivers which require organisations to develop and implement robust risk management systems. These include: Health & Safety legislation - governs statutory responsibilities for all employers and provider of services to the public The Care Quality Commission (CQC) – assesses the quality of health and social care organisations through the requirements for registration The NHS Litigation Authority Risk Management Standards – ensures that organisations achieve the requirements for robust risk management in the NHS This affects the premium paid on PCT CNST (Clinical Negligence Scheme for Trusts) and RPST (Risk Pooling Scheme for Trusts) scheme contributions. Commissioning PCTs are not required to show compliance with the NHSLA standards. However, the PCT use these standards as an exemplar of best practice for risk management. Statements of Internal Control - the formal statement published with the annual accounts, which declares compliance within a framework of controls 4. RISK MANAGEMENT RESPONSIBILITIES All staff have responsibilities for risk management within the organisation. Specific responsibilities are given below. 4.1 PCT Boards The PCT Boards are responsible for: Ensuring that a robust strategy is in place for identifying, reviewing and managing all types of significant and high level risk as set out in the Board Assurance Frameworks (BAFs). Reviewing any significant resource allocations requested for the execution of the policy, either within the business plan or in ad hoc proposals. Ensuring that management spreads understanding of the policy throughout the PCT’s staff and among partners, and itself demonstrates commitment to the policy and its dissemination. 4.2 The Governance & Compliance Committee (NHSC) / Audit & Governance Committee (NHSP) The Governance Committees has responsibility for monitoring the implementation of the risk management policy and for ensuring that the PCT Boards are assured of the adequacy and effectiveness of the policy It ensures robust systems are in place and operating effectively for the identification, assessment and prioritisation of potential clinical risk, both within the organisation and in commissioned services and independent contractors. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 5 of 22 4.3 The Audit Committee (NHSC) / Audit & Governance Committee (NHSP) The Audit Committees report directly to the PCT Boards and is responsible for: Maintaining direct oversight of all risks, including generic risks, specific risks arising from PCT strategic plans, and risks to financial processes and control. Reviewing the effectiveness of risk management arrangements through the deployment of audit time and the review of resulting reports. 4.4 The PCT Senior Leadership Team The Senior Leadership Team (SLT) has the responsibility to review the BAFs and the directorate risk registers on a regular basis to ensure action plans are progressing and the BAFs are kept up-to-date so that it can inform decision making within the PCT. Any high or extreme level risks from the directorate risk registers are escalated to the BAFs. 4.5 Supporting Committee Structures Other committees within the PCT also have a role in risk management: Decision Making Group Information Governance Steering Group HR and Workforce Development Groups Medication Governance and Safety Group Finance & Performance Committee Quality & Patient Safety Committee Emergency Planning Sub-Group Clinical Quality Reviews (CQRs) 4.6 Lead Officers The Chief Executive has overall accountability for having an effective Risk Management system in place within the PCT and for meeting all the statutory requirements and adhering to the guidance issued by the DH in respect of Governance. The Director of Corporate Development and Performance is the executive director for risk management and the Senior Information Risk Owner (SIRO). The director is the member with delegated responsibility for leading the organisation in responding to Risk and Health and Safety, ensuring systems are in place to manage Health & Safety and that the PCT complies with Health & Safety legislation, including the legal requirements for fire safety. The director is responsible for all business risks including commissioning, finances, control of assets, provisions for liabilities, and general Controls Assurance. The director will report through the Audit Committee on all non-clinical risk management activities. The Chair of the Governance and Compliance Committee is the NHSC nonexecutive lead for risk management. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 6 of 22 The Medical Director is the Caldicott Guardian and the Board member with delegated responsibility for aspects of clinical risk management, ensuring quality and governance systems are in place and inclusion of risk management processes in commissioning mechanisms. 4.7 Directorate Leads All Directors have delegated responsibility for management of risk within their directorate as set out below. Directorate leads have responsibility for: Ensuring regular risk assessment is carried out within the directorate, with action plans developed, implemented and monitored specific to the risks of the local service Ensuring identified risks are managed using the directorate risk register, and details of significant and high level risks are added to the BAFs Implementation of requirements of PCT risk management policies and procedures, including health and safety, and incident reporting Identification of risk management training needs for staff and support for staff to attend the relevant sessions Appointing a member of staff from the directorate to act as risk co-ordinator to raise awareness of risk management issues and systems and link with the PCT risk team. Promotion of an open culture in which staff feel able to report incidents. The PCT encourages, and takes a positive and non-punitive approach to reporting. Where reporting highlights a development area for an individual, the PCT will work with the individual in a positive way to improve the situation. The exceptions to this are when malicious, criminal or gross/repeated professional misconduct is involved Highlighting concerns in commissioned services where there is potential significant risk that requires assessment and management. 4.8 Line Managers Risk Management is the responsibility of all staff. Therefore, line managers must support staff to be proactive in the management of risk by promoting risk assessment and incident reporting in their area, including identifying, assessing, and dealing with any risk issues affecting their staff. Line Managers are responsible for taking action on incidents reported by their staff. All managers and staff need to acknowledge that the overall level of risk within the PCT will be reduced if everyone adopts an attitude of openness and honesty. The overall approach within the PCT will be one of help and support to each other, rather than recrimination and blame. The PCT Boards are committed to this approach. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 7 of 22 4.9 Staff Responsibilities Proactive management of risk is the responsibility of all members of staff. Therefore each member of staff should: Be aware of risk issues at all times Notify managers of any risks identified Comply with incident reporting policies and procedures Comply with Health & Safety requirements Participate in risk assessment programmes relevant to the post/specialty Initiate action, within their sphere of responsibility, to prevent or reduce the adverse effects of risk. Be aware of emergency procedures 4.10 Contractors and External Staff working in the PCT Contractors and other external staff must be made aware of their responsibilities under health & safety and PCT risk management procedures by the PCT manager responsible for their contract. 4.11 PCT Hosted Services Units that are hosted by the PCT must comply with Health and Safety and PCT Risk Management requirements. There must be a named lead with responsibility for these areas. The PCT and its hosted units will work collaborately to ensure robust Health and Safety and Risk Management systems are in place and there is evidence of compliance. 4.12 Specialist Support Anglia Support Partnership (ASP) Anglia Support Partnership currently provide the risk management support for claims, complaints, incident reporting, patient safety alert distribution and risk management training. The PCT also has access to a named approved competent person to provide risk management advice for general risk issues, health and safety and security and fraud management. All support services Where functions are contracted out to other organisations and support services, that agency will nominate leads who have direct responsibility for ensuring that they deliver services which comply with the Health & Safety legislation, CQC requirements and the NHS Litigation Authority Risk Management Standards as appropriate. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 8 of 22 5. DEFINITION OF RISK This policy is based on the following simple definitions: Risk is defined as the possibility of loss or injury and is measured using the likelihood that harm or damage may occur and the consequence / severity of the outcome. Risk Management is 'a systematic process to identify and control risks in the activities of the PCT to the benefit of service users, staff and the public'. Risk Management is about improving quality and reducing harm. It is not confined to clinical practice and encompasses health and safety for clients, patients, visitors and staff, as well as environmental issues. It is not limited to physical injury but includes financial damage and psychological harm. Examples of the types of risk the PCT might encounter and needs to protect against include: Corporate risks ~ operating within powers, fulfilling responsibilities, accountability to public Risks to Reputation ~ associated with quality of services, communication with the public and staff, patient experience External risks ~ political, environmental, social, environmental, meteorological Clinical risks ~ associated with service standards, competencies, complications, equipment, medicines, staffing, patient information Health and safety risks ~ ensuring the well being of staff and patients whilst providing or using our services Commissioning risks ~ associated with decisions whether to purchase services or not – to the individual, to financial stability, to opportunities to improve health Business Risks ~ associated with managing the affairs of the PCT, financial and investment decisions, human resources, information and IT management, fraud, internal management, achieving objectives. Risks to Assets ~ security, protection, optimum use, maintenance, replacement Appendix 2 sets out the options available to manage the risks, each of which has an effect on final exposure to risk. Each option has implications for the optimisation of resources and the availability of assets. In general, the aim is to reduce the consequences of un-assessed or unmanaged exposure to risk. Strategic Risks would include such areas as: The PCT’s vision, its objectives and the risks attached to them Serious clinical failure in service redesign and commissioning intentions Finance – failure to achieve financial balance, serious failure of probity Failure to deliver major targets Population growth Business Risks would include any areas which threaten the ongoing business model of the PCT including the loss of corporate memory, changes in organisational structures or non-compliance with standards and legislation Operational risks include risks relating to the day-to-day management of the PCT necessary for the ongoing service delivery. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 9 of 22 6. OPERATIONAL RISK MANAGEMENT FOR THE PCT ORGANISATION The management of risk involves identification, assessment, treatment and monitoring of all types of risks (see appendix 1). The following systems are in place to support these processes. 6.1 Policies, Procedures & Guidelines The risk management policy is supported by a range of procedures and guides giving further detail of the operational aspects of risk management issues. The Governance and Compliance Committee will ensure that these policies and procedures are up-to-date, issued to those who need to use them, and received, read and understood by those people and put into action as required. In addition, audits will be undertaken to ensure staff understanding and compliance. Supporting documents include: Health and Safety policy PCT Claims and Complaints policies Risk Assessment guide Incident and Near Miss Reporting Guidance Guidance for Investigation of Incidents Procedure for Investigating Concerns about Professional Performance Procedure for Raising concerns Disciplinary policy NPSA Serious Incident policy and PCT SI policy and procedure PCT Escalation Policy 6.2 Risk Assessment Any new projects or services need to identify and assess potential risks to ensure effective management is in place, decisions are made taking account of these risks, and organisations maintain an optimal balance of risk, benefit and cost. Services should also carry out risk assessment when major changes are made or incidents occur. For these assessments only the areas where change is being made need to be assessed. It is a legal requirement to carry out certain risk assessments on a regular basis. Further details are given in the trust Fire and Health & Safety policies. Risk assessments should also be carried out when an issue has been raised, either as an incident or near miss, and there concern that the incident may re-occur. A risk assessment may also be used to support decision making by analysing risks and benefits of differing courses of action. The objective of risk assessment is to identify and manage risk. It is not used to prevent a project or service taking place. Risk is inherent in all activity. Organisations should not be risk adverse, but risk aware. In many cases the level of risk identified will be deemed acceptable as part of the overall impact of the project or service. Risk assessment should be carried out at all levels within the PCT, from Board to directorate to team. Each risk assessment will feed into the next level to provide a hierarchy of risks. Risk assessment is the first stage in risk management, and identifies and assesses actual and potential risks which can then be treated and NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 10 of 22 monitored. All risk assessments should be fully documented and entered onto the risk register. The process of risk assessment should involve all directorate or team members. Training and facilitation to support risk assessment is available from the Quality & Governance team and from Anglia Support Partnership. Where a risk rating exceeds a defined threshold (as set out in the Incident Reporting guide), it will be escalated to the next level within the risk management responsibility hierarchy. This hierarchy enable the Risk Management decision to occur as near as practicable to the risk source. At the identified level, the responsible manager or committee will treat the risk by taking appropriate action (see appendix 2). Significant and high level risks are monitored at Board level, using the BAFs. Further details are given in the trust Risk Assessment Framework (Risk assessment framework). 6.3 Incident Reporting Incident Management includes processes for reporting and investigation of any incidents or near misses that occur in an organisation. Research has shown that the more incidents that are reported the more information is available about any problems, and the more action can be taken to make healthcare safer. The benefits of incident and near miss reporting include: Identifying trends across organisations that may not be apparent for one organisation Pre-empting complaints Making sure areas of concern are acted on Targeting resources more effectively Increasing awareness and responsiveness The PCT requires all its own staff to report incidents and near misses using the Incident and Near Miss Reporting Guidance. Most incidents relate to system failure rather than individual mistakes. Incident reporting needs an open and fair culture so staff feel able to report problems without fear of reprisal and know how to resolve and learn from incidents. The PCT is using the DATIX web-based system of reporting, and this is promoted to all staff. This system ensures action and learning is captured. Managers at all levels have an important part to play in risk management by ensuring that they promote the use of the incident reporting systems and they respond quickly and decisively to any reports of adverse incidents or complaints by staff or service users. The authority to act on incidents is dependent on the risk score, with managers having responsibility to act on low or medium risks. Significant or high level risks are escalated to senior managers and reviewed by the PCT Boards. For further details, refer to section 5 of the Incident and Near Miss Reporting Guidance. The person reporting a risk or incident will be given feedback on any action taken, with some clear indication as to how that particular risk situation has dealt with. The risk management team review and collate all incidents and learning is discussed and disseminated in the appropriate fora (for details of supporting risk committees see section 4.5). NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 11 of 22 The PCT is committed to supporting their staff in exercising their roles and responsibilities, and re-affirms that where an incident has occurred, no disciplinary action will be taken against staff who have exercised reasonable judgement and have followed the appropriate PCT policies and procedures. 6.4 Serious Incidents (Sis) The National Patient Safety Agency has defined certain incidents as Serious Incidents (SIs). These include an accident or incident where a person to whom the PCT owes a duty of care staff, patients, service users, clients, contractors, visitors) suffers or could potentially have suffered a serious injury, major permanent harm or unexpected death that is not part of the disease process or current care delivery. an incident where there is damage or potential damage to the organisation’s assets that will cause a significant disruption in services or an enforcement notice that will result in prosecution. an incident where there is police involvement or media interest. There are regional requirements for the reporting and investigation of SIs, including timescales and requirements for reporting. If a member of staff or directorate thinks an incident may meet the definition of a SI, they should report this immediately to the manager on duty, and complete and return a SI form, as set out in the PCT SI procedure. 6.5 Investigation of Incidents An incident reporting system is of little use on its own. All incidents need to be reviewed so that changes can be made to prevent re-occurance if necessary. The type of investigation is dependent on the grade of the incident and may be at local, directorate or organisational level. Investigation should include all relevant stakeholders so a solution that is acceptable and workable across all areas can be developed. Further details are given in the Guidance for Investigation of incidents (Incident Investigation Guidance). The member of staff leading the investigation also have responsibility for following up relevant action plans to ensure any recommendations have been carried out. Any learning from the incident investigation should be passed to the PCT Risk team to ensure this can be shared with all appropriate stakeholders. 6.6 Learning from incidents The PCT risk team review and collate all incidents and ensure learning is discussed and disseminated as appropriate. Information from all risk management systems, including incidents, complaints, claims and PALS contacts, is presented by providers and reviewed at CQRs. Analysis covers type and severity of incidents, linking of events occurring in the same organisation, review of patient and staff feedback, and trends of type and location of event. SI intelligence and learning is presented to the Quality & Governance Committee. The committee is empowered to request investigation or action from members of staff NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 12 of 22 or directorates if individual incidents or analysis of risk data highlights a concern. Relevant learning from the group is disseminated to the relevant stakeholders in a variety of methods including website, e-mail and newsletter. 6.7 Directorate Risk Co-ordinators Each directorate has a nominated Risk co-ordinator who is responsible for: Reviewing risks reported by directorate staff. Discussing with managers what investigation will be carried out and who will lead this (the lead is not responsible for carrying out or reporting on investigations). Supporting directorate staff in carrying out risk assessments. Updating the risk register following review of risks at directorate team meetings. Uodating incidents on the DATIX incident reporting system Linking with the PCT Quality & Governance team on all directorate risk matters. All co-ordinators will receive training in risk assessment and review. 6.8 Incidents reported concerning other organisations Any incidents reported concerning other organisations should be discussed in the first instance with your manager and the PCT risk team so that a decision about any action / dissemination can be taken. 6.9 Support for staff Some types of incident, particularly SIs, may be stressful or traumatic for staff involved in reporting, investigation or taking action. A competent, confidential occupational health advice service is available to all staff of the PCT. Staff may refer themselves for advice or be referred by their line manager. For further information contact a member of the Human Resources Department. The PCT provides access to a free helpline counselling service which is independent and confidential. The helplines are open 24 hours a day every day of the year and staff are able to speak in confidence to an adviser. Contact HR for further information. If a member of staff is experiencing difficulties associated with the incident, managers should provide support in line with the Stress at Work policy. 6.10 Dissemination of risk management documents The various documents that support Risk Management in the PCT are available on the PCT websites and are highlighted at induction. Any changes to policy and guidance are discussed in the staff newsletter. The Risk Manager also disseminates risk updates to staff via the directorate risk co-ordinators. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 13 of 22 6.11 Evaluation The Qaulity & Governance team present exception reports on risk issues at the Governance and Complaince Committee. Performance against KPIs in the Risk Management Policy are monitored by the Quality & Governance Business Meeting. 6.12 Issues concerning colleagues If a member of staff has a concern about a colleague or other professional, this should not be raised through the incident reporting system. The principles of the PCT policy on Raising Issues of Serious Concern at Work should be followed (Raising Issues of Serious Concern at Work). 6.13 Risk Register The PCT uses the BAFs and the directorate risk registers to prioritise and manage risks. The risk registers enables risks to be assessed against each other, and provides a basis to facilitate decision-making regarding risk control and resource allocation. Appendix 4 shows the links between BAFs and risk registers and the structure for development and management of these registers. The risk registers requires each risk to be analysed in order to assess what is the likelihood of it recurring and what the likely impact would be, resulting in a score for that risk. The process is then repeated taking into an account any action taken to manage the risk. The risk registers capture data from a variety of sources including: PCT objectives Medical records Incident reports Fire reviews Controls assurance baseline assessments and action plans Claims and complaints Task/process analysis Consultation and observation Equipment purchase I modification Surveys, inspections, assessments and audit Preventative maintenance Issues Contingency and major incident plans, and disaster recovery National initiatives Financial information and risks Benchmarking Risk assessments They identify: Risks that the PCT can control directly and plan to set up control mechanisms to reduce the possibility of the events occurring. Risks to which the PCT is exposed but cannot directly influence Plans to reduce the impact on staff, service users and the organisation The BAFs and risk registers are structured in such a way as to ensure that legal requirements are met. The directorate leads are responsible for keeping the details of their directorate risk up-to-date in the risk register, with current action plans and risk scores, and in presenting any high or extreme risks at the SLT. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 14 of 22 Significant and high level corporate risks from the risk register are reported to and monitored by the PCT Boards via the BAFs. 6.14 Funding of Risk Management Risk Management is an integral part of the PCT’s business. PCTs have overall responsibility for the provision of an effective risk management service. This will be discharged through a combination of internal provision and buying in through shared services or similar arrangements. 6.15 Training All employees will have access to risk management and health & safety information, instruction and training. The level and nature of the training will vary according to the local need. Risk management and incident reporting are introduced in the corporate induction training. All risk co-ordinators will receive training in basic risk management. 7. HEALTH & SAFETY The Health and Safety Commission and Institute of Directors have issued a guide, Leading Health Safety at Work (INDG417) identifying leadership actions for Directors and Board members This describes best practice concerning top-level involvement in, and direction of, occupational Risk Management. It makes it quite clear that Board members are collectively responsible; including elected co-opted and non-executive Board members. The guide advises that one Board member be appointed to have the lead in this area. The responsibilities of the Boards in regard to Health & Safety are: The Board should accept formally and publicly its collective role in providing health and safety leadership within the PCT Each member of the Board needs to accept his/her individual role in providing health and safety leadership for the PCT. The Board needs to ensure that all Board decisions reflect its health and safety intentions as articulated in the Health and Safety Policy statement The Board needs to recognise its role in engaging the active participation of employees in improving health and safety The Board needs to ensure that it is kept informed of, and alerted to, relevant health and safety Risk Management issues. The Board should appoint one of their number to be the 'Health and Safety' Director All staff have a duty under Health and Safety legislation: To take reasonable care of their own safety and the safety of others who may be affected by the PCT’s business Comply with all PCT rules, regulations and instructions to protect health, safety and welfare of anyone affected by the PCT’s business Not to either intentionally or recklessly, interfere with or misuse any equipment provided for the protection of health and safety NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 15 of 22 Be aware of emergency procedures e.g. resuscitation, fire precaution and evacuation procedures relevant to your department To highlight their concerns about any risk issue, either directly to their manager, or their appointed health and safety representative The PCT has access to competent advice for Health and Safety (as required by the Health and Safety at Work Act) via ASP. 8. MONITORING OF SERIOUS INCIDENTS The PCT has a responsibilty to montior the management of SIs reported to the organisation by its provider services, with a particular focus on maximising benefit from lessons learnt. The PCT SI policy gives details of the commissioner’s responsibilities for management of SIs reported to the PCT. These responsibilities are taken from the NPSA National Framework for Reporting and Learning from Incidents Requiring Investigation, April 2010 (the NPSA framework). The SI procedure sets out the local requirements supporting the NPSA framework. 9. RISK MANAGEMENT IN PCT SYSTEMS Risk Management is an integral part of all process within the PCT. Documented risk assessments and risk management plans are required as part of project initiation documents (PIDs) and business case applications. This information should also be included in PCT stratgeic documents including the PCT Business Continuity & Emergency Planning plans, the Information Governance strategy and Research Governance framework. Policy development requirements include the need for consideration of risks, assessment of Equality and Diversity impact, and information about the PCT incident reporting system. Details of the processes for risk management in commissioning are given in appendix 3. 10. RISK MANAGEMENT AS PART OF ESCALATION POLICY PCTs are accountable for ensuring and demonstrating high quality services and ensuring the most effective and efficient use of resources. NHSC and NHSP have a variety of mechanisms for monitoring performance, quality and safety, and have information relating to performance collected from these processes. If a concern is raised within the commissioning PCT or with any provider, it is essential this is managed within the context of all available information. The PCT Escalation Policy ensures that when potential and actual non compliance is identified action is triggered to ensure concerns are addressed at the earliest opportunity. It provides a structured process to trigger and escalate concerns in a managed way, and to support both individual staff and the organisation in adopting the appropriate response dependent on the risk and the context of that risk in the overall knowledge base. The assessment and management of risk for concerns raised through the Escalation Policy is based on the principles set out in this Risk Management Policy. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 16 of 22 11. COMMUNICATION OF RISK MANAGEMENT POLICY This policy will be circulated to all management teams to be cascaded onwards to individual members of staff. The document will be made available for staff and users and other stakeholders through the PCT website. The PCT has mechanisms in place in order to ensure that: staff can raise issues of concern with their manager(s) staff are consulted on proposed organisational or other significant changes managers keep staff informed of progress on relevant issues service users, their relatives, carers and advocates can identify points of concern or worry by using the complaints process or PALS service the media are accurately advised of developments in the PCT The PCT principles of risk management are communicated to independent contractors and commissioned organisation through commissioning mechanisms and contract requirements. 12. EVALUATION OF RISK MANAGEMENT SYSTEMS The Quality & Governance team present exception reports on risk issues at the Governance & Compliance / Audit & Governance Committees. The Corporate Governance team also report on Health and Safety issues to the Governance Committees. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 17 of 22 APPENDIX 1 – ELEMENTS OF RISK MANAGEMENT Identification, assessment, Treatment & Monitoring of Risk The following sections describe the stages of risk management within the PCT. The diagram below (taken from AS/NZS 4360/1999) below summarises the process: Establish Context Strategic context Organisational context Risk Management context Develop criteria Decide the structure Identify Risk What can happen How can it happen Analyse Risk Determine Consequence Determine Likelihood Monitor & Review Communicate & Consult Determine existing controls Estimate level of risk Process Risk Compare against criteria Set risk priorities Accept risk Treat Risk Assess Identify treatment options Risk Evaluate treatment options Select treatment options Prepare treatment options Implement plans NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Yes Page 18 of 22 RISK ~ Prior to considering the response to a risk (e.g. transfer, retain, accept, etc.) the PCT will need to decide the level of risk it is willing to accept for a perceived benefit. The degree to which risks are considered acceptable may be specific, relating to a particular issue or generic, focussing on the total risks which the PCT is prepared to accept. APPENDIX 2 - MANAGEMENT OPTIONS FOR DEALING WITH RISKS ACCEPT ~ is the most passive form of Risk Management. Once chosen the risk requires no further resource investment. RETAIN ~ the PCT needs to prepare for the worst of most likely outcome in its current plans be setting aside resources to meet the loss or by providing a contingency within the current resources. TRANSFER ~ if a risk can be measured in financial terms it may be possible to insure against it, e.g. through CNST. In this case the only retained risks are the premium policy excesses and the uninsured costs. MITIGATE ~ once damage or a loss event has begun, it may be possible for the PCT to mitigate or exercise damage limitation. CONTROL ~ if the PCT is aware of possible risks or losses, exposure can be limited through control. PREVENT ~ knowing that a situation is likely & can be subject to intervention gives the PCT the option of taking preventative action. AVOID ~ halting the line of business or activity can be the most drastic option in Risk Management, however, occasionally it may need to be considered. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 19 of 22 APPENDIX 3 - RISK MANAGEMENT IN COMMISSIONING The PCT has embedded the principles of improving patient safety and reducing harm through robust risk management in its commissioning mechanisms. Risk management in built into service developments, business plans and service redesign. This includes risk identification and assessment, and planning for management of risks. Commissioned services are required to have risk management systems that involve risk assessment, incident reporting mechanisms, complaints procedures, and risk trend analysis and learning. Patients must be involved in the review of learning to support improvements in patient safety. Risk Assessment Risk assessment is a vital part of service development and service redesign. Risk assessment is built in to the business case application and tendering processes. A risk assessment guide is available for staff developing business cases based on the principles set out in the PCT Risk Assessment guide. This is based on NPSA guidance which uses process mapping techniques, together with 3 questions for assessment: What can go wrong?, How Bad How Often?, Is there a need for action? Care should be taken when that risk assessment does not stifle risk taking and innovation. Risk is inherent in all activity and identified risk can be accepted and managed. Risk Management in Contracts and Service Level Agreements Risk management is built into all contracts and service level agreements. This includes: Safety elements of CQC Reporting of Serious Incidents including regular updates and final report with recommendations and action plan Reporting of trends of incidents, compliant and claims Governance requirements, including a CQC assurance framework Involvement of patients in using learning from incidents to improve patient safety Compliance with the NHS Litigation Authority Risk management Standards. Monitoring risk in commissioned organisations Commissioned organisations are required to report on trends in incident reporting every three months. These reports are reviewed and interrogated at the Clinical Quality Reviews for each organisation. Incidents from services not covered by contract monitoring groups, such as independent contractors and GPSIs, are reviewed and interrogated at the PCT Incident Learning Group. Promotion of risk management to Independent Contractors Independent Contractors have a responsibility to record, review and learn from significant events within their organisation. They are not currently required to share this information with the PCT. Valuable learning is lost when such intelligence is not shared between organisations. NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 20 of 22 The PCT will continue to promote risk management and standardised incident reporting with Independent Contractors, including incident reporting, risk assessment and significant event analysis. Dentists and GPs are required to register with the CQC, by April 2011 and April 2012 respectively. As part of registration they will have to report certain types of incident to the CQC. This requirement will increase awareness of risk management systems and provide learning from IC incidents. Managing professional performance issues Any reported incidents that give rise to concerns about professional performance are discussed with the Medical Director and the Professional Performance Manager. The PCT has a procedure for dealing with such concerns and this would be used if deemed appropriate. Risk Management with partner organisations The PCT has a duty to work with partners to improve the health of the local population. It will ensure that any work carried out across the health and social care economy adheres to the PCT principles of robust risk management. Acting on Incident information The PCT receives information about incidents and adverse events from a range of sources. One organisation may details relating to a problem within another organisation. The PCT must ensure it investigates these incidents in an open and proportional manner that does not prejudice either organisation. Unforeseen Risks in the Commissioning Process The commissioning mechanisms within the PCT are continually developing, and some incidents may occur that are unforessen or not encounted previously. The PCT will investigate such events and ensure learning is fed back into the commissioning process to enable similatr risks to be identified and managed. Risk Management in Transition As the changes in commissioning in the NHS come into force, the Clinical Commissioning Groups should use the same robust risk management principles as set out in this policy. There are various tools available to support CCG groups in the use of risk assessment for decision making, including PCT, DH and NPSA guides. CCG leads should be given the opportunity to access training and support to ensure risk assessment is built into their process NHSC/NHSP Integreated Risk Management Policy Nov11 v 1 Page 21 of 22 APPENDIX 4 – STRUCTURE FOR MANAGEMENT OF RISK (TAKEN FROM BAF V5B JAN 11) Clinical Quality Reviews Risks identified through PCT Senior Leadership Team Monthly Review of Risks and BAF Action Plan Directorate Risk Registers Serious Incidents/ Complaints /Poor Performance Soft intelligence e.g. Stakeholder meetings & Public consultation Clinical Risks overseen by Quality & Patient Safety Committee / Governance & Compliance Committee PCT Board Assurance Framework Overview by Audit Committee Quarterly Assurance to Board 106753505 Cambridgeshire PCT Page 22 of 22 v 2.1 Finance & Performance Risks overseen by Finance & Performance SubCommittee Risks identified by PCT Boards