Risk Management Strategy

Risk Management Strategy

Document Profile Box
Document Reference: / Q.S.S.D 2003
Version: / 0008
Ratified by: / Trust Board
Date ratified: / 27thMarch 2008
Name of originator/author: / Alan Gallagher
Name of responsible committee/individual / Governance and Risk Committee
Date issued:
Review date: / April 2015
Target audience: / All staff
Document owner: / Alan Gallagher
Authorised signatory:

Contents

Section / Page
1 / Introduction / 3
2 / Aims / 3
3 / Strategic Intentions and Objectives / 3
4 / Target Audience, Communication and Implementation / 4
5 / Definitions of Risk / 6
6 / What is Risk / 7
7 / What is Risk Management / 7
8 / Risk Appetite / 8
9 / Risk Appetite Statement / 9
10 / Risk Maturity / 9
11 / Risk Identification / 10
12 / Risk Management Processes / 10
13 / Acceptable Risk / 11
Risk Management Overview Flowchart / 12
14 / Process / 13
15 / Assurance Framework Process / 15
16 / Risk Registers / 18
17 / Monitoring Effectiveness / 21
18 / Who is responsible for Risk Management / 21
19 / Review / 24
20 / Consultation, Approval and Ratification / 24
21 / Review and Revision Arrangements Including Version Control / 24
22 / Dissemination and Implementation / 24
23 / Document Control Including Archiving Arrangements / 25
24 / Associated Policies/Procedures / 25
25 / Equality and Diversity Statement / 25
Appendices
Appendix A / Risk Matrix Guide Consequence and Likelihood Scores / 26
Appendix B / Risk Appetite Matrix for NHS Organisations / 27
Appendix C / Risk Management and Organisational Controls Framework / 28
Appendix D / Version Control Sheet / 29

1Introduction

The North East Ambulance Service NHS Foundation Trust is committed to the provision of high quality care in a setting that puts the safety of patients and staff first. However all activities contain inherent risks. Risk Management is defined as “identifying all risks which have potentially adverse effects on the quality of care and the safety of patients, staff visitors, assessing and evaluating those risks and taking positive action to eliminate or reduce them”. The Trust therefore regards the promotion of health and safety as an integral part of Risk Management and a mutual objective for management and employees at all levels. The Trust will meet it’s commitment through a system of risk management that is understood and implemented at all levels of the organisation.

The Risk Management Strategy promotes the philosophy of integrated governance and requires all risk management to be systematic, robust and evident. This strategy requires that risk management processes are applied to business planning at all levels and that risk management issues should be communicated to key stakeholders where necessary. The strategy covers clinical, organisational and financial risk, and identifies the key management structures and processes defining objectives and responsibilities within the Trust.

The Trust have therefore embraced Enterprise Risk Management (ERM) which is a process, effected by an organisations board of directors, management and other personnel, applied in strategy setting and across the organisation, designed to identify potential events that may affect the organisation, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of organisational objectives.The Trust views Business Continuity (BC) and disaster recovery asintrinsically linked components of ERM. All the resources and plans that make up a business continuity plan are developed to address business interruption risk in an organisation and should be part of a comprehensive mitigation plan for all the enterprise risks.

It is recognised that embedding or incorporating BC into an overall program to identify, evaluate and mitigate risk. The Board expect that the Trust has a comprehensive and effective process for identifying, measuring and managing risk. By viewing BC as a key component of risk management function and embedding it into the enterprise level ERM program, which has been aligned with the strategic imperatives of the company, boardroom expectations are met and alignment achieved.

Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time.

Risk management and BC are often mistakenly seen as rivals or overlapping practices. In fact, these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BC (e.g., assets, impact assessments, cost estimates). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BC process.

Risk Management is not about risk elimination; it is about encouragingappropriate risk-taking, i.e. those risks that have been evaluated andwhich are understood as well as is possible with currently availableinformation. It is recognised that only through appropriate risk-taking will the Trust be able to provide healthcare services in line with our mission statement of ‘right care, right time, right place’. Successfulorganisations are by their nature successful risk takers and aware of theirrisk appetite.

It is also recognised that inadequately managed risks within our services have the potential to prevent the Trust fromachieving its strategic intentions and objectives and may directly or indirectly cause harm tothose it cares for, employs or otherwise affects as well as incurring lossrelating to assets, finance, reputation, goodwill, partnership working orpublic confidence.

2Aims

The aim of this Strategy is to document the holistic approach taken by the Trust to provide an environment which minimises risks to all its stakeholders. This will be achieved through a comprehensive system of internal controls and external controls, maximising the potential for flexibility, innovation and best practice in delivery of the Trust’s strategic objective of delivering high quality, caring services for the North East.

3Strategic Intentions and Objectives

Patients are at the heart of everything that we do to support our mission of "right care, right place, right time". The Trust has a strong track record of delivering patient care, focussing resources to produce the most effective outcomes. Whilst at the leading edge of innovative service design which has consistently led to the Trust being one of the highest performing ambulance trusts in the country.

The Trust’s vision is to make a difference by integrating our care and transport in the pursuit of equity and excellence. This means we will drive through improvements in service delivery and work to ensure all of our patients have a positive experience, not losing sight of our requirement to eliminate waste, inefficiency and unnecessary costs.

Strategic intentions:

To lead in the provision of Emergency Care - We want to be the provider of choice for A&E services and lead through innovation, research and performance.

To be a first rate employer - We want to ensure our staff are appropriately supported, with fair pay and flexible working conditions and a safe productive working environment.

Be a key partner in Urgent Care reform - We want to help deliver the changes that our patients and our commissioners are asking for using our expertise and infrastructure.

To have sound financial health - We want to maintain strong financial health that enables us to invest in new service developments, constantly taking the organisation forward.

To transform our Patient Transport Service - We want to continue to be the provider of choice for patient transport services in the North East.

To be well governed and accountable - We want to continue to ensure that the safety and quality of our services to patients remains our highest priority.

Specific Objectives 0-12 months

To ensure compliance with Legal and Statutory requirements.

To enhance the risk maturity of the Organisation over the next 12 months from Risk Managedto Risk Enabled

Continue to work in collaboration with the Training Department to ensure the delivery of risk management training.

Integrate the risk management system to facilitate robust data capturing and reporting.

Review security/health and safety provision at all sites across the Trust as part of a rolling programme.

Continue to develop vehicle risk management/accident reduction processes.

Provide a safe environment for all staff, patients and stakeholders.

Implement the Corporate Health, Safety and Wellbeing Strategy and Plans.

Reduce the number of clinical negligence and employers liability claims.

Ensure all incidents are recorded, investigated, monitored and lessons learnt.

Continue to embed partnership working with the 3 Police Forces

4Target Audience, Communication and Implementation

This strategy is intended for use by all directly employed staff, agency workers and external contractors.

The Risk Management Strategy will be communicated to all levels of the Trust. This will include copies of the Strategy being made available on all Trust sites and to all managers.

The Strategy will be communicated to the wide audience of its stakeholders through existing communications mechanisms, including staff training/induction programmes, internal/external newsletters and publication on the Trusts external Internet and internal Intranet sites. All internal and external stakeholders will be informed of its location.

Under the Freedom of Information Act 2000, the Risk Management Strategy will be made available to any person making such a legally based request.

The Head of Risk and Claims will be responsible for co-ordinating the implementation of the strategy and policy.

All management levels including executive level and staff will be expected to adopt the principles of the strategy, incorporating it into their day to day role and processes.

Management will also be expected to support and encourage staff in adopting the principles of the strategy by promoting an open and fair culture and the identification of hazards through incident reporting

Risk Management will also be a statutory component of all induction programmes delivered by the Trust. This will include members of staff at all levels within the Trust and will include familiarisation of the strategy.

As a part of the Trust’s Appraisals process and the Personal Development Plan processes, staff will have specific levels of competency in relation to risk management appropriate to their specific role.

Risk Management will form part of the mandatory training for all management grades within the Trust and will cover all aspects of this Strategy.

The extent of an individual’s personal contribution to the implementation of the Risk Management Strategy may include, for example:

Reporting of Seroius Incidents (SIs)

Reviewing which may have scope for improvement

Referring potential risk issues for review and corrective measures

Participating in audit

Seeking the support and/or advice of available in house expertise and/or infromation

Asking to be involved

Seeking/providing feedback for self or others

Being aware of/finding out their own level of responsibility and contribution to risk management

By using such an approach the Trust is enabled to maximise its opportunities to develop and learn lessons because it is maximising the involvement and contribution of all concerned.

5Definitions of Risk

Appropriate definitions in relation to risk management are important. This policy will use certain phrases within this document which are defined as follows:

Hazard / A hazard is anything with the potential to cause harm
Risk / A risk is the likelihood that a hazard will cause a specified harm to someone or something
So Far as is Reasonably Practicable / Take action to control the health and safety risks in your workplace except where the cost (in terms of time and effort as well as money) of doing so is “grossly disproportionate” to the reduction in the risk
Risk Management / The systematic identification, reduction an/or elimination of risks
Risk Appetite / The amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time
Risk Management Maturity / The level of skills, knowledge and attitudes displayed by
people in the organisation, combined with the level of
sophistication of risk management processes and systems in managing risk within the organisation.
Risk Matrix / The mechanism through which all risks are rated and scored
Board Assurance Framework / The documentation that provides the Trust Board with assurance(s) that the key risks associated with not achieving the Corporate objectives are being mitigated
Risk Register / The method used to record identified risks, their rating, scores, control measures and where evidence of controls can be located
High Level Risks / Risks that are rated and scored at 15 or above
Risk Treatment / Proposed control measures that may reduce the risk of an identified hazard
Residual Risk / Level of acceptable risk following implementation of risk treatment solutions
Risk Management
Sub Committees/Groups / Delegated committees/groups of theTrust Board responsible for ensuring that identified risks are appropriately managed within the Trust

6What is Risk?

Risk can be defined as the chance that something will happen that will have an adverse impact on the achievement of the Trusts aims and objectives. In the NHS this can be further categorised as follows

1. Direct Patient Care Risks – this includes risks relating to: standards of care, consent to treatment, working beyond competence, communication failure and delay in treatment.

1. Indirect Patient Care Risks – this includes risks relating to: security, fire, buildings, plant & equipment and waste.

1. Health & Safety Risks – this includes risks relating to: Health & Safety obligations, unsafe systems of work, Control of Substances Hazardous to Health (COSHH), failure to provide information, instruction, training & supervision, failure to provide a safe place of work and risks to health.

1. Risks of an Organisational Nature – this includes risks relating to: communication, provision of goods & services, data protection, finance & insurance, and information systems.

1. Business Continuity Management risks – this includes risks relating to: communication, provision of goods & services, data protection, finance & insurance, and information systems.

7What is Risk Management?

Risk Management is concerned with ensuring that risks are recognised and their impact on the Trust is assessed in order that the appropriate resource can be channelled to minimise or eliminate any potential loss.

There are five stages to risk management:

Risk IdentificationWhat could go wrong? How could risk events happen?

What would be the effect?

Risk MeasurementHow often are risk events likely to happen?

How much are they likely to cost? How severe would their effect be?

Risk TreatmentHow can the Trust eliminate or avoid these events?

If they occur how can we make them less likely and less damaging?

Risk FundingTransferring risk with or without an ’excess’ (NHSLA

Risk Management Standard), or self insurance (i.e. retaining risk)

Monitoring EffectivenessMeasuring the effectiveness of the controls and repeating the

cycle if further action is required?

8Risk Appetite

Risk appetite is the degree of risk exposure, or potential adverse impact from an event, that the Trust is willing to accept in pursuit of its objectives.

It is recognised that the pursuit of one objective may hinder the achievement of another and this will impact upon the associated risk appetite. Similarly, the relative importance of one objective against another may be influenced by external factors, such as changes in national policy or expectations of stakeholders.

The Board recognises the importance of a robust and consistent approach to determining risk appetite in order to ensure:

The organisation’s collective appetite for risk and the reasons for it are widely known to avoid erratic or inopportune risk taking, or an overly cautious approach which may stifle growth and development

Managers in the Trust know the levels of risks that are legitimate for them to take, as well as appropriate opportunities when they arise, in order to ensure service improvements and patient outcomes are not adversely affected.

In order to value and compare the relative merits and weaknesses of different risks, the Trust Board will determine the level of risk the organisation is willing to tolerate in different areas.

This will include deciding whether the Trust will Eliminate, Reduce, Transfer or Accept a risk (as reflected in section 13.1) and what the organisation’s ‘target risk’ should be. Operating within risk tolerances provides the Trust Board with greater assurance that the organisation will remain within its risk appetite and, as a result, achieve its strategic objectives.

Risk appetite will thus be quantified for each organisational risk in the first instance, with the aim of all risks having a target risk informed by risk appetite by the end of the longevity of this strategy.

The Trust Board will put systems in place to manage risks to an acceptable level within its level of tolerance. The parameters of this tolerance are set within the Risk Tolerance Matrix below, as shown inFigure 2 on page 10.

In setting risk appetite levels, the Trust Board will take account of risk tolerance and opportunity risk.

The Executive Management team will recommend to the Board whether to tolerate certain risks from the point at which they are identified. The Executive Directors will provide ongoing assurance to the Trust Board that existing controls are sufficient to mitigate risks above the tolerance levels, particularly where the cost of treating the risk is more than the potential benefits.

In formulating the Trusts Risk Appetite the Board have agreedto utilise a Risk Appetite Matrix (Appendix B) which assesses the Trusts risk appetite and complements other risk management tools. This matrixwas initiated and designed by Southwark Clinical Commissioner Group and the Good Governance Institute and is now widely used by other NHS Organisations.

Risk appetite is ‘the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point of time’. Risk therefore needs to be considered in terms of both opportunities and threats and are not usually confined to money they will invariably also impact on the capability of our organisation, its performance and its reputation. NEAS commits in its formal risk appetite statement to review this statement on an annual basis. The statement provides direction and boundaries on risk that can be accepted at various levels of the organisation, how the risk and any associated reward are to be balanced and the likely response.