BOD39/2012
BOARD OF DIRECTORS – 14 MARCH 2012
RISK MANAGEMENT POLICY FOR APPROVAL
This report is for publication

Summary:
The Risk Management Policy has been reviewed and is attached for approval by the Board. The policy has been considered by the Audit Committee and the Executive Board. The key changes are to the style and layout of the policy; the fundamental principles of the system of risk management within CNWL are not affected.

Key changes
1 The policy has been significantly shortened and reformatted.
2 The contents have been reviewed to ensure they comply with the requirements of the NHSLA Risk Assessment standard.
3 The draft policy was reviewed during an informal NHSLA assessment in January and found to be acceptable.

The Board is recommended to approve the Risk Management Policy.

Regulatory framework
This report supports all of the Strategic Priorities and the management of risks associated with their achievement.

RESPONSIBLE DIRECTOR – Associate Director, Corporate Governance
DATE – 07 March 2012

RISK MANAGEMENT POLICY

Introduction
The Risk Management Policy has been reviewed and is attached for approval by the Board. The policy has been considered by the Audit Committee and the Executive Board. The principles of the system of risk management are not affected by this review.

Key changes
1 It has been significantly shortened and reformatted to comply with the requirements of the Trust’s Policy on the Development of Procedural Documents.
2 The contents have been reviewed to ensure they comply with the requirements of the NHSLA Risk Assessment standard. The Trust will be reviewed for level 1 in June 2012 and the policy has been developed so that it will not only match the level 1 requirements, but also those for levels 2 and 3.
3 The draft policy was reviewed during an informal NHSLA assessment in January and found to be acceptable (with some minor changes that have been incorporated).
4 A monitoring compliance and effectiveness matrix is shown at Appendix E. The Board may be interested to know that ALL Trust-wide policies are now required to have such a matrix. This is a tool that should provide assurance that the key requirements of policies are being followed by staff.

The Board is recommended to approve the policy.

Richard Vergez
Associate Director, Corporate Governance

RISK MANAGEMENT POLICY

Policy lead: Associate Director, Corporate Governance
Ratifying Committee or Group: Board of Directors
Status of policy: Final
Policy Reference: TBC
Signed: ____________________________________________
Dame Ruth Runciman, Chairman, Board of Directors
Ratification date: ___________________________________________

Essential reading for the following staff groups:
1 - Board of Directors
2 - Service Directors
3 - Corporate and Clinical Governance Team members
4 - Designated risk management leads

The following staff groups should be aware that the policy exists, for reference purposes:
Other staff identified by local managers

POLICY IMPLEMENTATION DATE: March 2012
DATE POLICY TO BE REVIEWED: March 2014

CONTENTS
1 Key Points
2 Purpose and Scope
3 Responsibilities
  3.1 Organisation for risk management
  3.2 Operational Management
4 Risk Management Policy
  4.1 Risk Management Policy
  4.2 Board Assurance Framework
  4.3 Risk Management Process
  4.4 Risk Assessment Procedure
  4.5 Risk registers
  4.6 Clinical Risks
  4.7 Local management of risk
  4.8 Acceptable risk
  4.9 Support and expertise
  4.10 Training
5 Monitoring compliance and effectiveness
6 References

APPENDICES
APPENDIX A Responsibilities – Organisation for Risk Management
APPENDIX B Responsibilities – Operational Management
APPENDIX C Board Assurance Framework
APPENDIX D Risk Management Process
APPENDIX E Monitoring of the policy
APPENDIX F References
APPENDIX G Impact Assessment

1 KEY POINTS
The Trust has a system for managing risks, which is described in this policy.
Individual responsibilities for risk management are shown in Appendix B. Risks are assessed using a multiplier of the impact of a risk by its likelihood of occurring, both of which are scored on a 1-5 grading. This is known as a risk matrix (see Appendix D). The grading determines the way in which a risk is managed and reported.

Service line management teams and corporate directorates must identify risks and place them on a local risk register. They must monitor them regularly and develop action plans with specified leads and timescales.

Higher level risks are brought together in a Trust-wide Risk Register, which is presented to the Executive Board quarterly and the Board of Directors every 6 months. A Top Risk Register comprises the highest level risks and is reviewed by the Board of Directors every month.

A Board Assurance Framework (see Appendix C) describes the principal risks that could stop the Trust from achieving its main objectives and the action being taken to address them. This is reviewed regularly by the Board of Directors.

2 PURPOSE AND SCOPE
This document sets out the approach by Central and North West London NHS Foundation Trust (the Trust) to identifying and managing risk, as well as the governance arrangements for ensuring that they are effective. This document contributes to meeting the organisation’s legal and regulatory obligations. It applies to all activities of the Trust, and all of the staff and contractors who are involved in them.

Central to this is the need to ensure the safety and welfare of service users and carers and the staff of the Trust. Effective management of risk helps to create and sustain a safe environment in which high quality care and treatment can be provided.
3 RESPONSIBILITIES

3.1 Organisation for risk management
Overall responsibility for risk awareness and risk management lies with the Board, who will take active measures to ensure that they are adequately assured that risks are being identified and managed, and that they are adequately informed so that they can make appropriate decisions to ensure that risk management is adequately resourced and managed effectively.

The Audit Committee shall review the establishment and maintenance of an effective system of integrated governance, risk management and internal control, across the whole of the organisation’s activities (both clinical and non-clinical), that supports the achievement of the organisation’s objectives.

The Executive Board will regularly review the Top Risks and Trust-wide Risk Registers. It will also review the Assurance Framework prior to presentation to the Board of Directors, and determine the risks that are included in the Top Risk Register.

Further specific details on the organisation of risk management can be found at Appendix A.

3.2 Operational Management
Managers are responsible for the day-to-day management of risks of all types within their remit and budget allocation. Additional specific responsibilities may be defined in job descriptions. They are charged with ensuring that risk assessments are undertaken throughout their area of responsibility on a proactive basis and that remedial action is carried out where problems are identified. They are also responsible for reporting difficulties in reducing risk to their executive director and relevant committees or governance groups.
Individual managers should:
- ensure that risk management policies and procedures are implemented within their area of responsibility,
- foster a supportive environment to facilitate the reporting of risks and incidents,
- ensure that all staff are aware of their responsibilities,
- ensure that staff are aware of all relevant risks relating to their environment and the activities that they are involved in,
- keep staff informed of the risks faced by the organisation and what is being done to address them,
- ensure that staff complete training requirements,
- ensure that the required resources are identified and provided, including:
  1. people and skills,
  2. documented processes and procedures,
  3. information systems and databases,
  4. money and other resources for specific risk treatment activities.

A detailed description of the general and specific responsibilities of individuals within the Trust is shown at Appendix B.

4 RISK MANAGEMENT POLICY

4.1 Risk Management Policy
Risk is an integral part of all activities and a certain amount of risk taking is inevitable if the organisation is to achieve its objectives. Risk management will be embedded within the daily operation of the organisation, from strategy formulation through to business planning and operational processes. Actively managing threats and opportunities can give the organisation a competitive advantage.

The Trust is committed to building and sustaining an organisational culture which encourages appropriate risk taking, effective performance management and organisational learning in order to achieve continuous quality improvement of the services provided. The Board of Directors and Executive Board are the leaders in risk management and will work actively to promote a culture where risk is considered as a matter of course, and is appropriately identified and managed, with staff positively engaged in risk management.
The Trust is committed to an integrated approach to risk management across all of its activities. Through understanding risks, decision makers will be better able to evaluate the impact of a particular decision or action on the achievement of the organisation’s objectives.

4.2 Board assurance framework
The assurance framework will identify the principal risks against achieving the principal objectives. It will also set out the activities in place to control or mitigate those risks and identify the assurance (both internal and external) that such activities are effective. The process for the operation of the Board assurance framework is outlined at Appendix C.

4.3 Risk management process
The process by which risks are identified, assessed, analysed and managed is outlined in Appendix D.

4.4 Risk Assessment Procedure
Risk assessment is a key risk management process which must be applied to all activities undertaken by the Trust and embedded within relevant processes. Further information about when and how to conduct risk assessment, and who should be involved, can be found in the Risk Assessment Procedure. This document also covers the treatment of risks, i.e. action and controls to minimise negative risk and enhance positive risk.

4.5 Risk registers
The Trust’s portfolio of risk is maintained as a risk register. Identified risks will be entered onto the risk register and regularly reviewed to ensure that the information is up to date. The Risk Register will include the following components:
- Source of the risk (e.g. incident reports, risk assessments)
- Description of the risk
- Risk score
- Summary of the action plan required to address the risk
- Date when the risk is to be reviewed
- The residual risk rating

Information held in the risk register is used for a wide variety of purposes by groups and individuals at all levels of the organisation.
The Trust-wide Risk Register incorporates significant risks from service lines and corporate directorate risk registers, incident reports and risk assessments, and will be presented to the Executive Board quarterly and the Board of Directors twice annually.

4.6 Clinical risks
Clinical risks identified in local risk registers will be reported on a quarterly basis to the Clinical Safety Group. The Group will be responsible for considering whether clinical risks have Trust-wide implications and identifying whether any further action is required.

4.7 Local management of risk
Service Lines and corporate departments will be responsible for identifying and treating risks in their area in a manner which reflects the principles of this policy and strategy. They will maintain their own risk register, which will feed into the Trust-wide Risk Register, and consider their risks on a regular basis at their local management meetings. Each risk will have an identified lead(s) responsible for coordinating and implementing the action plan.

4.8 Acceptable risk
When risks have not been eliminated the organisation may choose to accept the risk and take no further action to reduce it. The organisation’s risk tolerance may be different across the range of risks. In general it is expected that risks with potential negative impact will be reduced to a level which is as low as reasonably practicable. Action should always be taken to reduce the risks unless it involves measures which are clearly disproportionate in relation to the risk. Where there is any uncertainty, guidance or a decision should be sought from the committee or governance group with responsibility for the area or type of risk in question.

4.9 Support and expertise
Staff within the Trust have a variety of knowledge and skills that can be called upon to support risk management activities. In addition the Trust contracts external agencies to provide services and advice in a number of areas relating to risk management.
4.10 Training
Senior management training - Board members (including non-executive directors), Service Directors and nominated risk management leads will receive risk management training annually to support them in their roles. A list of these managers will be held by the Associate Director Corporate Governance. The Director of Operations and Nursing (the designated Board member with responsibility for risk) is responsible for ensuring that an appropriate programme is provided. Attendance at such training will be recorded on the Trust’s electronic training record system and the Associate Director Corporate Governance will be responsible for follow-up action relating to non-attendance.

Training of other staff - The training and development of its staff is an integral part of the Trust’s approach to risk management. Risk management is considered as part of the organisation’s process for training needs analysis. All training activity will be recorded and managers and staff are responsible for ensuring that identified training is completed within the relevant timescales. Details of staff attendance on risk management training will be recorded on the Trust’s electronic training record system. Non-attendance will be reported to relevant managers to enable follow-up action.

5 MONITORING COMPLIANCE AND EFFECTIVENESS
In order to monitor the effectiveness of this policy the CNWL Corporate Governance Team will undertake a periodic audit of policy compliance. The auditable standards for this policy are:
1. Sample of risk registers to ensure compliance with the criteria in the NHSLA Risk Management Standard.
2. Monitoring of risk management training of senior managers and other staff.
3. Monitoring of risk management process by local services to assess whether a continual, systematic approach to risk assessments is being followed.

Compliance will be reported to the Executive Board and Audit Committee, where action will be monitored to address any shortfalls in performance.
Further detail can be found within the Monitoring Compliance and Effectiveness tool at Appendix E.

6 REFERENCES
The references to this policy and strategy are attached at Appendix F.

Appendix A
RESPONSIBILITIES – Organisation for risk management

Board of Directors
- Determine strategic aims and objectives and identify risks that would prevent the achievement of these.
- Develop a Board Assurance Framework.
- Receive reports and assurances on risk management processes and issues from relevant subcommittees.
- Approve and monitor the Top Risks and Trust Wide risk registers.
- Approve the Risk Management Policy.

Audit Committee*
The Committee shall review the establishment and maintenance of an effective system of integrated governance, risk management and internal control, across the whole of the organisation’s activities (both clinical and non-clinical), that supports the achievement of the organisation’s objectives. In particular, the Committee will review the adequacy of:
- All risk control related disclosure statements (in particular the Statement on Internal Control), together with any accompanying Head of Internal Audit statement, external audit opinion or other appropriate independent assurances, prior to endorsement by the Board. In reviewing the Statement of Internal Control the Chief Executive should be invited to attend.
- The underlying assurance processes that indicate the degree of the achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure statements.
- The policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements.
- The policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the Counter Fraud and Security Management Service.
In carrying out this work the Committee will primarily utilise the work of Internal Audit, External Audit and other assurance functions, but will not be limited to these audit functions. It will also seek reports and assurances from directors and managers as appropriate, concentrating on the overarching systems of integrated governance, risk management and internal control, together with indicators of their effectiveness. This will be evidenced through the Committee’s use of an effective Assurance Framework to guide its work and that of the audit and assurance functions that report to it.

Executive Board*
The Executive Board shall ensure that an effective system of integrated governance, risk management and internal control operates across the whole of the organisation’s activities (both clinical and non-clinical). In particular, the Executive Board will:
- Ensure appropriate processes and responsibilities for identifying risks and gaps in control
- Review the Assurance Framework and monitor progress against each identified action
- Review the Risk Register and receive update reports from Executive Directors responsible for managing the identified risks
- Review all risk and control related disclosure statements, in particular the Statement on Internal Control, prior to endorsement by the Board
- Monitor relevant regulatory, legal and code of conduct requirements and ensure that Trust policies fully reflect their requirements
- Ensure adherence to Trust key policies

Business and Finance Committee*
Identify and monitor financial risks that would prevent the achievement of the Trust’s objectives. Review risks relevant to its terms of reference.

Quality and Performance Management Committee*
The Quality and Performance Management Committee will give assurance that appropriate clinical risk management systems are in place, and the Committee shall alert the Audit Committee to any significant unaddressed risks.
Information Governance Programme Board
Oversee compliance with regulatory standards (e.g. Information Governance Toolkit) and legal requirements that affect the organisation in regard to the management of information risk and data security. Identify and report concerns on the risk register and report to the Executive Board.

Service Line Senior Management Teams (or equivalent) / Corporate Directorates
To identify and monitor risks that would affect the provision of services and/or developments. Ensure risks are placed on the local risk register and monitor them regularly. Develop action plans with identified leads and clear timescales.

Human Resources Group
Oversee compliance with regulatory standards and legal requirements that affect the organisation in regard to the management of the workforce and mechanisms for delivery and monitoring of learning and development. Identify and monitor risks that would affect the objectives of the Human Resources Strategy. Identify and monitor risks and report concerns on the risk register to the Executive Board.

Medicines Management Group
To oversee, agree and monitor overarching strategy, policy, planning and performance relating to regulatory requirements for medicines. Identify and monitor risks and report concerns on the risk register to the Quality Committee.

Infection Control Group
To endorse all overarching infection control policies, procedures and guidance, provide advice and support on their implementation, and monitor the progress of the infection prevention and control annual programme, including training and compliance with specific regulatory requirements.

Clinical Safety Group*
To receive reports on clinical risks identified in local risk registers, and to be responsible for considering whether such risks have Trust-wide implications and identifying whether any further action is required.
Corporate Risk / Health and Safety Group*
To oversee, agree and monitor overarching policy, planning, training and performance relating to requirements for health and safety. Identify and monitor risks and report concerns on the risk register to the Executive Board.

* Key committees / groups shown in the following organisational chart.

Organisational Chart: Risk Management Structure
[Chart not reproduced in this extract. Its elements are: Internal Assurance; Independent Assurance; Board of Directors; Audit Committee; Business and Finance Committee; Quality and Performance Committee; Reports of external monitoring bodies; Executive Board; Clinical Safety Group; Internal Audit; External Audit; Corporate Risk / H&S Group.]

Appendix B
RESPONSIBILITIES – Operational Management

Chief Executive
The Chief Executive has overall responsibility for risk management throughout the Trust.

Director of Operations and Nursing
The Director of Operations and Nursing is the Executive Director with designated responsibility for the implementation of this policy.

Executive Directors, Service Line Directors and Clinical Directors
These Directors will be responsible for ensuring that:
- The Risk Management Policy is implemented within their area of responsibility and appropriate risk assessments have been carried out.
- All staff managed within their structure are aware of the Strategy and Policy and are informed of their responsibilities in relation to the action required according to the quantification of risk.
- Appropriate and effective risk management processes are in place within their designated areas and scope of responsibility.
- All staff attend appropriate training.
- Appropriate procedures are in place to comply with the Trust’s Risk Management Policy.

Associate Director, Corporate Governance*
The Associate Director, Corporate Governance is accountable to the Director of Operations and Nursing and the Chief Executive and is a member of the Executive Board.
A key objective for this post holder is to develop, implement and review a Trust-wide risk management system. This post is key to ensuring the Risk Management Policy is delivered throughout the Trust.

Clinical Risk Manager*
The Clinical Risk Manager reports to the Associate Director, Quality and Service Improvement. The Clinical Risk Manager will act as the competent person to the Trust to advise on issues of clinical risk and will liaise, as appropriate, with the Associate Director, Corporate Governance to provide clinical risk guidance.

Safety Manager*
The Safety Manager will report to the Associate Director, Corporate Governance. The Safety Manager will manage the Health and Safety Managers, who will act as the competent persons on health and safety issues in the Trust and will liaise with the Associate Director, Corporate Governance to provide guidance on health and safety legislation and risks within the Trust.

Designated Risk Management Leads
Nominated by Service Directors, they will be responsible for the collation and update of local risk registers.

All managers
All managers in the Trust have a responsibility to manage risk within their area of responsibility. They should be:
- familiar with the arrangements for risk management
- familiar with the process for escalating risks with which they require assistance in managing
- receptive to risks brought to their attention by others, including staff

Employees
All employees are responsible for ensuring that any identified hazards, risks, accidents and incidents are reported to their line manager immediately on discovery. They will:
- Co-operate with their manager in the implementation, monitoring and reviewing of this strategy
- Communicate and co-operate with others on Trust premises regarding risk management issues.
- If staff work off site, they must also be familiar with the risk management systems for that site
- Ensure they are familiar with the contents and requirements of appropriate policies and procedures
- Attend training sessions when requested by their managers

* Note: Within community provider services, specific posts will be identified to provide assurance to the Trust on these functions / areas.

Appendix C
Board Assurance Framework

There is a requirement for all NHS chief executive officers to sign a Statement on Internal Control (SIC) as part of the statutory accounts and annual report. This heightens the need for boards to be able to demonstrate that they have been properly informed about the totality of their risks, both clinical and non-clinical. To do this they need to be able to provide evidence that they have systematically identified their objectives and managed the principal risks to achieving them. The Assurance Framework fulfils this purpose.

The Assurance Framework provides a simple but comprehensive method for the effective and focused management of the principal risks to meeting Trust objectives. It also provides a structure for the evidence to support the Statement on Internal Control. This simplifies Board reporting and the prioritisation of action plans which, in turn, allow for more effective performance management.

The objectives of the Trust will be set out in the annual plan, approved by the Board of Directors. The business plan will contain a series of strategic priorities, for each of which there shall be a tier of principal objectives. The strategic priorities and principal objectives will be consistent with the Standards for Better Health and the seven domains contained therein. The Assurance Framework will identify the principal risks against achieving the principal objectives.
It will also set out the activities in place to control or mitigate those risks and identify the assurance (both internal and external) that such activities are effective.

The Board of Directors will be responsible for approving the Assurance Framework. The Executive Board will be responsible, on behalf of the Board of Directors, for developing and monitoring the Assurance Framework. This will involve evaluating and, where necessary, escalating risks identified in the Framework to the Audit Committee or Board of Directors. The Executive Board will also consider the Trust-wide and Top Risk registers and determine whether any of these risks should be reflected in the Assurance Framework. It will report progress to the Board of Directors every three months. The work on monitoring the Assurance Framework will be monitored by the Audit Committee, who may ask relevant leads to attend meetings to explain progress.

In discharging this responsibility, the Executive Board will monitor that the following are applied in respect of the Assurance Framework:

Principal risks: The officer with lead responsibility for each Principal Objective will, on an ongoing basis, identify the principal risks against its achievement. These will be judgments based on knowledge and analysis of the objective and factors, both internal and external, that could affect its successful implementation. It is recognised that situations may change with time and it is important that the Principal Risks are regularly reviewed to ensure they remain accurate. Identified risks will be prioritised in accordance with the risk rating process shown in Appendix 6 (where appropriate, identified risks will be included in the Corporate Risk Register). The officer with lead responsibility will be the identified risk owner, unless another person is specifically identified, and will be responsible for taking the lead in addressing the risk.
Control/mitigation of principal risks: The officer with lead responsibility for each Principal Objective will identify the control/mitigation required to address the principal risk.

Assurance: The officer with lead responsibility for each Principal Objective will identify sources of internal and external assurance that the control/mitigation of the identified risk has been, or is being, addressed.

The officer with lead responsibility for each Principal Objective will identify the committee, sub-committee, group or forum that will take principal responsibility for monitoring progress of the Principal Objective. The identified forum will be provided with evidence of control/mitigation of the Principal Risk and evidence of assurance, and will be responsible for identifying gaps in either. Any identified gaps will be mapped against the Principal Risks and an action plan developed to address them. The action plan will identify lead responsibility, action required and target date for completion.

Appendix D
RISK MANAGEMENT PROCESS

1 Management of risk should be integrated into the philosophy of an organisation. The process by which the activities of the Trust are identified and graded for risk is based on a framework recognised as good practice (Standards Australia (1999) Risk Management AS/NZS 4360:1999. Standards Association of Australia. Strathfield NSW).

2 The full benefit of risk management will only be achieved if there is a comprehensive and cohesive system in place, underpinned by an organisation-wide risk management organisational structure. The process must contain guidance on acceptable risk and for the management of situations in which control failure leads to material realisation of risk.

3 A summary of the process is set out below.

3.1 Risk Identification
The first stage of risk management is the identification of risks. The identification process embraces both a proactive approach and one that also reviews issues retrospectively.
Many lessons can be learnt from examining why an adverse incident occurred and then taking appropriate action to avoid recurrence, as outlined in the Chief Medical Officer’s report “Organisation with a Memory” published in July 2000. The Trust also needs to place emphasis on predicting where incidents could occur and taking steps to stop them before they do so.

3.2 Risk Assessment
When the risks have been identified, each one will be analysed in order to assess the likelihood of it happening, how often it is likely to occur, and what the likely impact would be. The culmination of this process is the prioritisation of the identified risks, within the Risk Register, in order to create a manageable programme of risk targets.

3.3 Risk Analysis
Risk analysis uses descriptive scales to describe the magnitude of potential consequences and the likelihood that those consequences occur. A matrix is used to assign risk priority by combining their likelihood and consequences. Use of the matrix enables a list of prioritised risks to be developed with an indication of the action that may be required, and highlights the most significant risk issues to be considered by the Executive Board, Audit Committee and subsequently the Board of Directors.

Risk Assessment Matrix (Impact x Likelihood = Risk Rating)

                                             IMPACT
LIKELIHOOD             1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
1 - Rare                      1             2          3           4            5
2 - Unlikely                  2             4          6           8           10
3 - Possible                  3             6          9          12           15
4 - Likely                    4             8         12          16           20
5 - Almost Certain            5            10         15          20           25

Risk Rating         Numerical score
Low risk            1-3
Moderate risk       4-6
Significant risk    8-12
Extreme risk        15-25

Detailed examples of the actual risk matrix are shown on the following page.

3.4 Risk Treatment
Risks scoring significant or extreme should be deemed as unacceptable in the first instance and options for action considered.
The Executive Board, Audit Committee or Board of Directors, as appropriate, will then identify and agree whether these risks can be controlled to an acceptable level. All identified risks should be included in a risk register. The incidence of significant risks (i.e. those evaluated as significant or extreme) should be reported to the Executive Board, Audit Committee and the Board of Directors on a regular basis. An action plan setting out the manner in which the risk will be addressed will be developed by the service most responsible for its treatment. Progress will be monitored locally on all risks.

3.5 Risk Monitoring

In order to monitor the Trust’s risk profile the Trust will keep a risk register that contains a summary of risk information. The risk register enables all risks identified within the Trust to be categorised and recorded. This enables risks to be assessed against each other and on a Trust-wide and Service basis to facilitate decision-making regarding resource allocation and risk reduction.

3.6 Funding of risk management

Risk management is an integral part of the Trust’s business. Central posts have been funded to co-ordinate the process and support Directorate staff. This includes the Associate Director, Corporate Governance, Corporate Risk Advisor, Clinical Risk Manager, Health and Safety Advisors, Fire and Safety Advisor and Infection Control staff. In addition each Service is expected to identify lead people and consider funding of quality improvement issues identified through risk assessment. This responsibility rests with the service-based local management and clinical governance groups. There will be a system of reporting via the Executive Board and Audit Committee to the Board of Directors on issues of significant and extreme risk that have resource implications which cannot be addressed by an individual Service.
3.7 Risk Appetite

Risk appetite is the amount or level of risk that an organisation is prepared to accept at a particular time in relation to meeting its objectives. It will be for the Board of Directors to establish and review the level of risk appetite, particularly in relation to higher level risks identified in the Top Risks Register. The Board should determine whether the risk is one that it is prepared to run with or whether further controls and mitigation should be identified (which may require the investment of more resources) to lower the likelihood or impact of the risk should it happen.

3.8 Risk Mitigation

Plans to mitigate risks need to be properly constructed and all parties aware of their content. Such plans should be regularly reviewed for their on-going validity and impact. Mitigation plans may be an alternative course of action should a risk materialise and not just a risk avoidance plan.

Appendix E Monitoring Compliance and Effectiveness

Element to be monitored (what key element(s) need(s) monitoring as per local approved policy or guidance?)
1. Sample of risk registers to ensure compliance with the criteria in the NHSLA Risk Management Standard.
2. Monitoring of risk management training of senior managers and other staff.
3. Monitoring of risk management process by local services to assess whether a continual, systematic approach to risk assessments is being followed.

Lead (who will lead on this aspect of monitoring?)
ALL - Associate Director, Corporate Governance.

Tool (what tool will be used to monitor/check/observe/assess/inspect/authenticate that everything is working according to this key element from the approved policy?)
ALL - An Excel spreadsheet will be developed to record findings of auditing. This will also include review of NHSLA Risk Management Standard compliance.

Frequency (how often is the need to monitor each element? How often is the need to complete a report? How often is the need to share the report?)
1. Risk Registers will be reviewed by the Corporate Governance Team as they are submitted. A report will be submitted to the Executive Board every 6 months.
2. An annual report will be submitted to the Executive Board.
3. Policies will be reviewed by the Corporate Governance Team as they are submitted. An annual report will be submitted to the Executive Board.

Reporting arrangements (who or what committee will the completed report go to? How will each report be interrogated to identify the required actions and how thoroughly should this be documented in e.g. meeting minutes?)
ALL - An annual report on overall compliance will be provided to the Executive Board and Audit Committee. Any identified actions agreed at the meetings should be recorded in the notes of the meeting.

Acting on recommendations and Lead(s) (which committee, department or lead will undertake subsequent recommendations and action planning for any or all deficiencies and recommendations within reasonable timeframes?)
Required actions will be identified and completed in a specified timeframe.

Change in practice and lessons to be shared (how will system or practice changes be implemented and how will these be shared?)
Required changes to practice will be identified and actioned within a specific time frame. A lead member of the team will be identified to take each change forward where appropriate. Lessons will be shared with all the relevant stakeholders.

Appendix F References

1 Standards Australia and Standards New Zealand, 2004. AS/NZS 4360:2004 Risk Management.
2 Standards Australia and Standards New Zealand, 2004. HB 436:2004 Risk Management Guidelines – Companion to AS/NZS 4360:2004.
3 Office of Government Commerce, 2007. Management of Risk: Guidance for Practitioners. London: The Stationery Office.
4 NHSLA Risk Management Standards for NHS Trusts providing Acute, Community, or Mental Health & Learning Disability Services.
5 Department of Health, 2006. Integrated Governance Handbook. London: Department of Health. Available at: http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4129615.pdf
6 Department of Health, 2003. Assurance: The Board Agenda. London: Department of Health. Available at: http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4110083.pdf
7 Department of Health, 2003. Building An Assurance Framework: A Practical Guide for NHS Boards. London: Department of Health. Available at: http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4093993.pdf
8 Audit Committee Handbook,

Appendix H Equality, Human Rights and Privacy Impact Assessment Form

1. What is the name of the service / policy / procedure / project being assessed?
Risk Management Policy.

2. Briefly describe the aim of the service / policy / procedure / Trust function that is being Impact Assessed. What needs or duties is it designed to meet? What are its intended outcomes?
To ensure a consistent approach to the management of risk across the Trust.

3. If this service / policy / procedure / Trust function has no relevance for Equalities or human rights considerations, please give your reasoning below and sign on page 2.
Application of this policy affects the identification, treatment and management of risks. This policy does not directly impact on individual groups. The subject matter of the risk areas being reviewed may, and there must be an impact assessment on each of them. Details of monitoring are included in the policy. There is no relevance for equalities or human rights considerations.
(Where there is no relevance then the screening section can be signed and countersigned, and there is no need for a full assessment. Where there is relevance, then a full Equality and Human Rights Impact Assessment must be undertaken.)

Privacy Impact Assessment Screening Tool

4a. Does the project/service development involve any technologies that might have a privacy impact, for example, Smartcards, biometrics, digital imaging, video recording or logging of electronic traffic? No
4b. Does the project/service development involve the use of new personal identifiers or an extension in the use of personal identifiers? No
4c. Does the project/service development involve the handling of a significant amount of new personal data? No
4d. Does the project/service development involve new or changed data management processes that might be intrusive, insecure, more permissive in terms of access to data, or unclear? No

If the answer to any of questions 4a – 4d is ‘yes’, you are required to contact the Information Governance Team for advice on how to proceed in relation to the privacy issues identified.

Manager undertaking the screening assessment
Name: Richard Vergez
Designation: Associate Director, Corporate Governance
Date: January 2012

To be countersigned by the Senior Manager, i.e. Service Head, Line Manager, Director, as appropriate
Name: Richard Vergez
Designation: Associate Director, Corporate Governance
Date: January 2012