Document name: Risk management procedure
Document type: Procedure
What does this policy replace? Guidelines for the use of the Risk Management Framework including the Risk Register & Risk Matrix due for review by November 2012
Staff group to whom it applies: All staff within the Trust
Distribution: The whole of the Trust
How to access: Intranet
Issue date: August 2012
Next review: August 2014
Approved by: Executive Management Team 30 August 2012
Developed by: Datixweb Risk register project manager /project board
Director leads: Director of Corporate Development
Contact for advice: Integrated Governance Manager
Datix queries – Patient Safety Support Team

106744338 Page 1

Risk Management Procedure

Contents

1 Introduction
2 Definition of risk
3 Control systems
4 Trust approach to risk management
5 Datixweb electronic risk recording
6 Duties, roles and responsibilities
7 Risk management process
7.1 Risk reporting mechanisms
7.2 Risk recording via Datixweb risk assessment record
7.3 Updating risks
7.4 Escalating risks
7.5 Risk Registers
8 Risk management systems - monitoring and review
9 Communication

Appendices
Appendix 1 Version Control Sheet
Appendix 2 Recording Risks: guidance on using the risk grading matrix
Appendix 3 Risk Reporting and Escalation Flowchart
Appendix 4 Related policies and procedures

1. Introduction

This procedure has been developed to support the implementation of the Risk Management Strategy in the organisation. It outlines how risks should be recorded and managed in the organisation, including instructions on using Datixweb to support this process. It includes clarity around roles and responsibilities at all levels in the organisation. It should be read in conjunction with the Risk Management Strategy.

2. Definition of risk

At its simplest, risk is the probability that harm will arise from a given situation.
In the context of the South West Yorkshire Partnership NHS Foundation Trust, this covers everything from the possibility of injury to an individual service user or member of staff to anything which impacts on the Trust’s abilities to fulfil its objectives.

The Trust is a large and complex organisation, operating in an increasingly competitive and contestable health economy and as such faces political and financial challenges. The Trust is also subject to public scrutiny and provides services to people whose conditions or behaviour may be unpredictable. In this context, risk cannot be completely eliminated and the Trust’s approach will be to have in place systems and processes that enable it to anticipate where risks might occur, and to minimise the likelihood or impact of potential risks.

The Trust is committed to the establishment of a supportive, open and learning culture, the aim being not to apportion blame but to learn from experience and improve practice accordingly.

The Trust’s Integrated Business Plan identifies a number of key risks to the organisation. These can be broadly defined as:

Strategic risks – risks generated by the national and political context in which the Trust operates that could affect the ability of the Trust to deliver its plans;
Clinical risks – risks arising as a result of clinical practice or those which are created or exacerbated by the environment, such as cleanliness or ligature risks;
Financial or commercial risks – risks which might affect the sustainability of the Trust or its ability to achieve its plans, such as loss of income, inability to recruit or retain an appropriately skilled workforce, damage to the Trust’s public reputation which could impact on commissioners’ decisions to place contracts with the organisation;
Compliance risks – failure to comply with the terms of authorisation, CQC registration standards, NHS LARMS, or failure to meet statutory duties, such as compliance with health and safety legislation.

3. Summary of control systems (see risk management strategy for further details)

The Trust Board has overall responsibility and accountability for setting the strategic direction of the Trust and ensuring there are sound systems in place for the management of risk. One element of the current control systems is the risk register and the scrutiny of this.

The Executive Management Team (comprising all Executive Directors) reviews the Organisational Risk Register and scans and triangulates clinical incidents, claims, complaints, human resources processes and external inquiries to ensure that they are being effectively managed and action is being taken to minimise the risk of recurrence. They consider clinical and non-clinical risks identified within services and ensure these are recorded on risk registers and that appropriate action is being taken.

Risk registers are held at Trust Board level and by each Business Delivery Unit (BDU). The risk registers held by BDUs are reviewed regularly in the relevant BDU group, and any risks which could have an impact across the Trust are reported to EMT monthly to ensure risks which may have a Trust wide impact are recorded on the Trust’s risk register. Individual directors are responsible for determining whether a risk register is required for non-clinical services for which they have responsibility and for adding items to the Trust Board risk register.

Risk registers held at Trust Board and service level are designed to be ‘live’ working documents which support the organisation to identify, assess and manage risks. Risk registers are also held for Trust Action Groups and for a number of programmes or projects.

4. Trust approach to risk management

Risk management is an iterative process consisting of well defined steps which, taken in sequence, support better decision-making by contributing a greater insight into risks and their impacts.
The risk management process can be applied to any situation where an undesired or unexpected outcome could be significant or where opportunities are identified.

Risk management is recognised as an integral part of good management practice. To be most effective, risk management should become part of an organisation's culture. It should be integrated into the organisation's philosophy, practices and business plans rather than be viewed or practised as a separate activity. When this is achieved, risk management becomes the business of everyone in the organisation.

Risk management may be applied at all stages in the life of an activity, function, project, product or asset. The maximum benefit is usually obtained by applying the risk management process from the beginning.

The Trust’s whole system approach to risk assessment and management requires the organisation to have in place a systematic process for evaluating and addressing the impact of risk in a cost effective way. In order to achieve this, the Trust is committed to providing staff with the appropriate skills to identify and assess the potential for risk to arise. The system will support the use of professional judgement and decision-making.

Any risk management framework needs to be capable of dealing with the two main approaches to risk management, these being proactive and reactive risk management.

Reactive risk management involves reviewing and analysing when something has gone wrong and identifying actions to improve and prevent reoccurrence, such as learning lessons from adverse events.

In proactive risk management the risk is foreseen and anticipated and appropriate action is taken to eliminate or reduce the risk, therefore reducing the likelihood of any harm occurring. This may be done through horizon scanning of potential risks and may arise from potential risks being identified through routine risk assessments such as COSHH, Health and Safety, incident reviews, clusters etc.
Clearly, wherever possible, proactive risk management is the preferred approach; it is more effective to prevent incidents of harm occurring in the first place. However, as SWYPFT is such a large and complex organisation, which deals with challenging issues in a competitive market, complicated by significant change within the commissioning and political arenas, it is virtually impossible to eliminate all risks and prevent all adverse events from occurring. When adverse events do occur it is essential that lessons are learned and appropriate action is taken to prevent reoccurrence. Details of the processes for managing adverse events are described in the Trust’s incident, claims and complaints management policies.

Both these approaches are essential in a strong and open safety and learning culture. The Trust will seek to provide an environment in which people feel comfortable about reporting incidents and risk issues and discussing them in an open, non-accusatory way. It is recognised that staff need to feel that they work in a safe and ‘just culture’, in which people who report risk or disclose unsafe practice are supported.

Every organisation carries some level of risk, whether associated with clinical care, financial planning, organisational reputation or the recruitment and retention of staff. Risk management is about bringing the risks from those activities together in order to allow risks to be viewed both strategically and operationally. This in turn will allow decision makers to consider the quantity and extent of risk presented and to make some choices about them.

It is important to define the relationship between the organisation and its environment, identifying strengths, weaknesses, opportunities and threats. The context includes the financial, operational, competitive, political, social, cultural, reputation and legal aspects of the organisation’s functions.
This needs to be done within the context of both internal and external factors, including understanding key stakeholders and their impact on the organisation.

It is important to emphasise that this framework and procedure is not intended to replace or be a substitute for individual clinical risk assessments (Sainsbury’s or HCR20).

5. Datixweb to record and manage risks

Datixweb, the trust’s risk management system, is being used to support the recording, management and review of risks and production of risk registers across the trust to ensure consistency of recording.

Datix allows control measures to be recorded and actions to be scheduled, with a full audit trail of changes to the risk assessment. Information can feed through levels of risk registers, through to the organisation-wide risk register. The system has the ability to report at different levels, look at trends across fields and record and manage actions. Identification and prioritisation of risks can be linked to other modules such as incidents and complaints.

6. Duties, roles and responsibilities

Risk management is recognised as being the business of all members of staff within the Trust. To support this, the Trust is committed to an open, just and supportive learning culture, the aim of which is to learn from experience and improve practice accordingly.

In addition to the duties defined in the Risk Management Strategy, the responsibilities for recording and managing risks are as follows:

All staff

The underpinning principle is that the management of risk is the business of everyone within the Trust and that every employee should have a clearly defined process to follow which enables them to bring relevant risks to the attention of the appropriate person. Staff should highlight risk issues with their line manager in the first instance. Staff are able to record risks on Datixweb via the intranet, however this should only be after discussion and with the agreement of their manager.
Guidance for staff on this is available on the intranet via this link: Guidance for all staff on recording risks on Datixweb.

On rare occasions when agreement cannot be reached between staff and managers, staff should record their concerns by writing to their manager, who remains responsible for safely managing all risks under their sphere of responsibility.

Specialist advisors are available as a source of support and advice to all individuals in the Trust in terms of managing or mitigating risk and should be consulted whenever there are doubts about an issue.

Managers at all levels in the organisation

Managers are responsible for ensuring risks are recorded and managed effectively and escalated when appropriate. Guidance for managers on this process is available on the intranet via this link: Guidance for managers on recording and managing risks on Datixweb.

Risk Coordinator

The risk coordinator is the person identified within a service line, BDU, directorate or TAG who will oversee the administrative process of managing risks. This is usually on behalf of the risk owner (although this may be the same person). The risk coordinator will ensure that risks in their area of responsibility are processed and managed at the appropriate level and that processes for approving and reviewing risks are followed, alerting other relevant managers to risks when necessary. They will also ensure that relevant risks are updated in a timely manner to enable approved risks to be extracted accurately from the system.

7. Risk management process

The first stage of the risk management process is the identification of risks. As described earlier, the trust uses a variety of sources of information, proactive and reactive, to identify risks. These are detailed further in the Risk Management Strategy. When a risk has been identified, it should be recorded, and Datixweb is now being used for this purpose as below.
7.1 Risk reporting mechanisms

The flowchart in Appendix 3 aims to illustrate how risk is managed at all levels and how relevant risks are escalated in the organisation. It also shows how risks are scanned and analysed from an organisational perspective through business meetings and illustrates how the Trust Board receive assurance that risk is being effectively managed at all levels of the organisation through the information gathered via the risk records and registers.

This framework will operate through the use of two other documents, the Risk Assessment Record and the Risk Register reports, both of which are described below. These documents will be used to record and assess all types/categories of risks, record risk scores (using the Risk Matrix), the outcome of assessments, what action was taken to reduce the risk and, where appropriate, report that risk to the relevant person and escalate the risk to the appropriate Risk Register.

7.2 Risk recording via Datixweb risk assessment record

The Datixweb Risk Assessment form is the primary document (electronic form) which will drive the risk management process (the form is also available in paper version on the intranet). It has been developed to be generic so that it can be used to assess all kinds of risk and will be the prime source of the information that is gathered together in order to review risks through the compilation of Risk Registers. The Datixweb form enables consistency in data collection. Risk registers will now be extracted and reported from Datix rather than as a standalone document.

Further guidance for managers on recording and managing risks on Datixweb is available separately on the intranet.

The Datixweb Risk Assessment Record is structured into the following sections:

a) Risk responsibility - this section is used to define where the responsibility level for a risk is held in the organisation and where it is being managed.
This risk responsibility level is used in two ways:
I. Location information – defines the service responsible for the risk, and
II. The current risk rating – this in combination with the risk responsibility ensures the appropriate placement of the risk at the right level in the organisation.
The defined levels correlate with the trust structures, eg those risks held at ‘BDU level’ for an area are those risks held by the BDU. The flowchart (Appendix 3) also demonstrates these levels. Also included here is the risk owner (see definitions).

b) Risk description and current risk rating - In order to describe risks as accurately as possible, the Datixweb form is separated into fields to record the:
I. Issue, situation or activity that is being risk assessed (this is usually what the record will be identified as)
II. Category of the risk issue being assessed – this enables the trust to review the risks associated with similar issues collectively and consistently to enable comparisons to be made
III. Hazard and the risks associated with that issue: The form should be used to record risks associated with achieving organisational/service delivery objectives. The form should not be used for recording risk assessments related to individual service users; these should continue to be recorded on RIO or any other clinical systems used.
IV. Controls that are already in place to manage the risks.
V. Grading the risk using the online risk matrix to select the consequence and likelihood, taking into account the current controls that are already in place. Datix will calculate the risk rating and risk level automatically, as below (see Appendix 2).

c) Summary of risk action plan – recording brief details of what further actions and controls will be put in place to manage/reduce/remove the risk.
d) Residual risk rating – a second risk matrix is used on the form to assess the impact of the risk action plan on the consequence and likelihood of the risk; this is described as the residual risk or target risk rating. In some cases, the desired (target) rating may dictate that further actions are required to reduce the consequence or likelihood further. An effective action plan should reduce the risk rating. Two further fields help record if this residual risk rating is acceptable or not.

e) Monitoring and review – this section enables details to be recorded of where a risk will be reviewed or monitored, and for recording any decisions made. It also records the frequency/date when the risk should next be reviewed. This includes the identification of a Risk coordinator, ie a person identified to ensure risks are effectively managed at the appropriate level. Each risk responsibility level should have a risk coordinator (this might be the responsible ward/team/dept manager, general manager, director or another nominated person).

f) Approval of risks – all risks entered on Datixweb must be approved to be included in any risk reports. This is to ensure information has been completed thoroughly and appropriate actions are in place.

An audit trail of every risk record is held on Datix which shows all historical changes.

7.3 Updating risks

Because of the way that Datixweb stores information, risk records will be accessible to relevant managers at any time to enable regular review and updating, in conjunction with discussion at the relevant forum. This enables a continuous process of assessment of risks.

A manager’s access to risk records will depend upon the risk responsibility level and the manager’s role. For instance, ward/team managers will only have access to their own team/ward risk records, which are defined at ward/team level responsibility. A BDU risk coordinator will have access to risk records at BDU level in their area/district.
As further actions are completed the current risk grading should be updated to reflect the current position and the additional controls added to the controls field. The action plan should also be amended. An audit trail is available to track a risk’s history.

Completed Risk Assessment Records are essential pieces of evidence which may be required by the Trust in order to demonstrate to external regulators and commissioners that the Trust has robust systems in place for the management of risk and that these are operating effectively. The Records may also need to be made available for the purpose of Internal Audit as part of the Trust’s assurance framework. Data from risk records that meet certain criteria will form risk registers.

7.4 Escalating risks

Risks are defined on Datixweb both by the likelihood and impact (consequence) of a risk (based upon the current controls in place), and by the responsibility level in the organisation. This allows for risks to be held at an appropriate level in the organisation, where risks can be escalated up and down in the trust structures:

Individuals to team/unit supervisors and/or managers
Team/unit to Service line level
Service line to BDU/Directorate level
Trust Action Group to BDU/Directorate level
BDU/Directorate to Organisation/corporate level

In the event that a risk needs to be escalated to another level in the organisation, a discussion should take place to ensure this is appropriate and accepted at the relevant forum. The risk reporting and escalation flowchart at Appendix 3 demonstrates this process.

For example, all BDU level risks that score 15+ on the risk matrix (that are finally approved) will automatically be escalated for review at EMT every month. In the event that one of these risks needs to be escalated and appear as a Corporate level risk, the Integrated Governance Manager will ensure the record is copied so it is included at this higher level.
When escalating a risk on Datixweb, the risk should be managed by the relevant risk coordinator, to ensure that the responsibility for managing the risk is still owned by the originator. The escalation of the risk to a higher level ensures it can be included on relevant risk registers as appropriate.

All risks that are identified as corporate risks by EMT are monitored by the Board, through the organisational risk register. These risks would be those that are the responsibility of EMT, and where the likelihood and impact score (based on the current controls in place) means that it scored 15 or above (graded red).

7.5 Risk Registers

The Risk Register is a tool used by the Trust to enable the organisation to comprehensively understand and prioritise significant risks to the organisation requiring focus and attention.

The Trust is a large and complex organisation that works within a devolved management framework. This will ensure that risks are being assessed and managed consistently throughout the Trust with decisions being made as near as practicable to the risk source. In addition, key risks can be monitored at the appropriate level and Datixweb is effectively a tool to support this.

The Trust risk register is a ‘live document’ generated from live risk records on Datixweb, and as such is reviewed and revised monthly by the Executive Management Team providing a continuous scanning process. Likewise, risks at all other levels held on Datixweb are a living document and should be used as a tool to support managers.

All BDUs should have forums where risk is discussed, and where risk reports or registers can be discussed, which are informed by the risks identified through clinical teams and services, Directors and key stakeholders. The BDU risk registers are used to inform the Trust Risk Register through the Executive Management Team.
Where appropriate, individual Directors hold a register detailing risks that are managed within support services and through Trust Action Groups. See Appendix 3 for the flowchart.

Risk registers should be used to inform decision-making processes. Ideally, all decisions, such as changes in policies, procedures or practices, and all resource commitments, should result in reductions to the organisation’s highest priority risks. This means that at all levels, proposals to make changes or commit resources should include reference to the effects that this may have on the risk profile of the organisation. For significant changes all business plans, bids for funding and proposals are required to include a section which shows how they will help reduce the risks to the organisation and whether any additional risks will arise.

Risk Registers should be flexible enough to allow the organisation to respond to unforeseen risks, serious incidents, external events or changes in national policy. A dynamic, comprehensive and effectively used risk register process will not only drive risk management, but will also ensure that the Trust can justify the decisions it has made.

Recording risks on Datixweb is key to the production of risk registers. All risk records on Datixweb are live records and should be reviewed, monitored and updated on a regular basis. This enables the production of risk registers from live data. Although a team/unit/department may not have a formal risk register, it will have the facility to record its risks on Datixweb, which will effectively be a ‘register of its risks’.

8. Risk management systems - monitoring and review

Risk management systems are scrutinised by the Audit Committee, supported by internal audit and external audit, and the overall management of risk is monitored by the Trust Board, through the Assurance Framework and risk register.
The role of internal audit is to provide an independent and objective opinion to the Chief Executive and Trust Board on the system of control. The opinion considers whether effective risk management, control and governance arrangements are in place in order to achieve the Trust’s objectives. The work of internal audit is undertaken in compliance with the NHS Internal Audit Standards. The audit programme is based on a risk assessment of the Trust, using the Assurance Framework and the Trust’s risk register. Action plans are agreed to address any identified weaknesses.

The Audit Committee relies on internal audit to support it in its role of providing assurance to the Board on the effectiveness of internal controls. Internal audit is required to identify any areas to the Audit Committee where it is felt that insufficient action is being taken to address risks.

External audit also plays a key part in identifying key risks to the organisation in relation to its work and in the monitoring and review of the Trust’s systems and processes, particularly in relation to financial probity and value for money.

9. Communication

Effective communication is important to ensure that those responsible for managing risk and those affected understand the basis on which decisions are made and their responsibilities for managing risk. Each step of the risk management process should identify communications activity to take place with internal and external stakeholders at relevant forums. Communications should address issues relating to both the risk itself and the process to manage it.

Communication and consultation involve a two-way dialogue between stakeholders. Since stakeholders can have a significant impact on the effectiveness of the arrangements for managing risks, it is important that their perception of risk, as well as their perception of benefits, be identified and documented and the underlying reasons for them understood and addressed.
Helen Roberts
August 2012

Appendix 1 Version Control Sheet

This sheet should provide a history of previous versions of the policy and changes made.

Columns: Version, Date, Author, Status, Comment / changes
Version 1, Nov 2010, Jim Gardner. Comment / changes: New framework/guidance for staff developed
Version 2, August 2012, Helen Roberts. Comment / changes: Previous guidance document developed into procedure, following implementation of Datixweb risk project.
Status: Approved

Appendix 2 Recording Risks: guidance on using the risk grading matrix

Table 1 Consequence scores

Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column.

Consequence score (severity levels) and examples of descriptors

Domains Impact on the safety of patients, staff or public (physical/psychological harm) 1 2 3 4 5 Negligible Minimal injury requiring no/minimal intervention or treatment.
Minor Minor injury or illness, requiring minor intervention Moderate Moderate injury requiring professional intervention Major Major injury leading to long-term incapacity/disability Catastrophic Incident leading to death Requiring time off work for >3 days No time off work Increase in length of hospital stay by 1-3 days Requiring time off work for 4-14 days Increase in length of hospital stay by 4-15 days RIDDOR/agency reportable incident Requiring time off work for >14 days Increase in length of hospital stay by >15 days Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients Mismanagement of patient care with long-term effects An event which impacts on a small number of patients

Quality/complaints/audit Peripheral element of treatment or service suboptimal Informal complaint/inquiry Overall treatment or service suboptimal Formal complaint (stage 1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Reduced performance rating if unresolved Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) complaint Local resolution (with potential to go to independent review) Non-compliance with national standards with significant risk to patients if unresolved Totally unacceptable level or quality of treatment/service Multiple complaints/ independent review Gross failure of patient safety if findings not acted on Low performance rating Inquest/ombudsman inquiry Critical report Gross failure to meet national standards Repeated failure to meet internal standards Major patient safety implications if findings are not acted on

Human resources/ organisational development/staffing/ competence Statutory duty/ inspections Short-term low staffing level that temporarily reduces service quality (< 1 day) No or minimal impact or breach of guidance/ statutory duty

Adverse publicity/ reputation Rumours Potential for public concern Low staffing level that reduces the service quality Late delivery of key objective/ service due to lack of staff Unsafe staffing level or competence (>1 day) Unsafe staffing level or competence (>5 days) Low staff morale Loss of key staff Poor staff attendance for mandatory/key training Very low staff morale Breach of statutory legislation Single breach in statutory duty Reduced performance rating if unresolved Challenging external recommendations/ improvement notice Local media coverage – short-term reduction in public confidence Uncertain delivery of key objective/service due to lack of staff Local media coverage – long-term reduction in public confidence No staff attending mandatory/ key training Enforcement action Insignificant cost increase/ schedule slippage <5 per cent over project budget 5–10 per cent over project budget Schedule slippage Schedule slippage Ongoing unsafe staffing levels or competence Loss of several key staff No staff attending mandatory training /key training on an ongoing basis Multiple breaches in statutory duty Multiple breaches in statutory duty Prosecution Improvement notices Complete systems change required Low performance rating Zero performance rating Critical report Severely critical report National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House) National media coverage with <3 days service well below reasonable public expectation Elements of public expectation not being met

Business objectives/ projects Non-delivery of key objective/service due to lack of staff Non-compliance with national 10–25 per cent over project budget Total loss of public confidence Incident leading >25 per cent over project budget Schedule slippage Schedule slippage

Finance including claims Small loss Risk of claim remote Loss of 0.1–0.25 per cent of budget Loss of 0.25–0.5 per cent of budget Claim less than £10,000 Claim(s) between £10,000 and £100,000 Key objectives not met Uncertain delivery of key objective/Loss of 0.5–1.0 per cent of budget Claim(s) between £100,000 and £1 million Purchasers failing to pay on time

Service/business interruption Environmental impact Key objectives not met Non-delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Loss/interruption of >1 hour Loss/interruption of >8 hours Loss/interruption of >1 day Loss/interruption of >1 week Claim(s) >£1 million Permanent loss of service or facility Minimal or no impact on the environment Minor impact on environment Moderate impact on environment Major impact on environment Catastrophic impact on environment

Table 2 Likelihood score (L)

What is the likelihood of the consequence occurring? The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.
Likelihood score   Descriptor       Frequency (how often might it/does it happen)
1                  Rare             This will probably never happen/recur
2                  Unlikely         Do not expect it to happen/recur but it is possible it may do so
3                  Possible         Might happen or recur occasionally
4                  Likely           Will probably happen/recur but it is not a persisting issue
5                  Almost certain   Will undoubtedly happen/recur, possibly frequently

Table 3 Risk scoring = consequence x likelihood (C x L)

                   Likelihood
Consequence        1 Rare   2 Unlikely   3 Possible   4 Likely   5 Almost certain
5 Catastrophic     5        10           15           20         25
4 Major            4        8            12           16         20
3 Moderate         3        6            9            12         15
2 Minor            2        4            6            8          10
1 Negligible       1        2            3            4          5

For grading risk, the scores obtained from the risk matrix are assigned grades as follows:

1-3      Low risk
4-6      Moderate risk
8-12     High risk
15-25    Extreme risk

Instructions for use

1 Define the risk(s) explicitly in terms of the adverse consequence(s) that might arise from the risk.
2 Use table 1 to determine the consequence score(s) (C) for the potential adverse outcome(s) relevant to the risk being evaluated.
3 Use table 2 to determine the likelihood score(s) (L) for those adverse outcomes.
4 Calculate the risk score, multiplying the consequence by the likelihood: C (consequence) x L (likelihood) = R (risk score)

Appendix 3 Risk Reporting and Escalation Flowchart

Risk issue identified – raised with responsible manager
Recorded on Datixweb by responsible manager
Decision about consequence and likelihood = risk rating
Decision about level of responsibility for the risk
All risk records must be ‘finally approved’ to be included in risk reports

Review and escalation process

Corporate level risk
Corporate level risks 15+ – reviewed at Trust Board on Trust Board risk register
Risk score of 8 to 12 (red/amber)
BDU/Directorate level risk
BDU/Directorate risks 15+ - escalate to Extended EMT for review.
Consider inclusion on EMT risk register
Risk score of 4 to 6 (Yellow)
Service line level risk
Service line risks (as defined locally) escalate to BDU for review. Consider inclusion on BDU risk register
Unit/team level risk
Unit/team risks (as defined locally) - escalate to Service line for review. Consider inclusion on BDU risk register
Risk score of 15 to 25 (red/amber)
Risks managed at defined level. Review current risk rating, updating controls and actions as necessary, escalate if required. Close risk when residual risk level achieved
AND
Risk score of 1 to 3 (Green)
TAG and Project level risks
TAG/Project risks (as defined locally) escalate to Responsible Director for review. Consider inclusion on Directorate risk register
Risk managed at higher level. Risk should be reviewed, considered for de-escalation and/or closure when residual risk level achieved.

Appendix 4 Risk-Related Trust Documents - Policies, Procedures, Protocols and Guidelines

All Trust policies and procedures have a role in proactively managing risk by setting in place systems and processes to effectively control and reduce identified risks. A full list of current Trust policies, procedures and guidelines is available on the Trust intranet system. This is a constantly changing list as policies, procedures and related documents are developed and updated to ensure that they reflect current legislation, guidelines, good practice and learning.

However, this document should be read in the context of the undernoted related documents, all of which are parts of the Trust’s overarching Risk Management Strategy. The following documents are key to risk management.
Trust Constitution
Trust Board Committee Terms of Reference
Standing Orders, Standing Financial Instructions and Scheme of Delegation
Business Plan
Annual Planning Guidance
Integrated Performance Strategy
Risk management Strategy
Major incident and business continuity policy
Serious Untoward Incident management Procedures
Incident Management Policy and Procedures
Being Open – Policy and Guidelines
Complaints policy and procedure
Claims policy and procedure
Communications strategy
Media policy
Care Programme Approach (CPA) Policy
Health and Safety - Policies and Procedures
Human Resources – various related policies, procedures, protocols and guidelines
Infection Control Policies and Procedures
Information Governance
Medicines Management - related policies, procedures, protocols and guidelines
Clinical and operational policies including Mental Health Act, Consent, Safeguarding Children, Vulnerable Adults and other related policies, procedures, protocols and guidelines

Further reading can be obtained from the NPSA website at www.npsa.nhs.uk; their document entitled “A risk Matrix for Risk Managers” is especially helpful.