NHS GRAMPIAN

Corporate Risk Control Plan

Introduction

A number of changes have taken place with the format and use of the corporate risk control plan and these need to be communicated and implemented.

Aim

To update the Board on the changes to the Corporate Risk Control Plan (CRCP) and to decide how to proceed following these changes.

Discussion

The CRCP has been in place for sometime. Whilst the plan is now firmly established there are still gaps in the use of, monitoring and accountability of the plan and these have been highlighted to the Executive team.

The redesign of the senior management meetings also meant that the CRCP and its process for use needed to be reviewed.

The strategic objectives have been refreshed and the ensuing action of refreshing the associated risks needed to take place.

All these points resulted in working with an expert in the field and then holding a workshop with the Executive team to identify the strategic risks.

The CRCP process was also discussed at the workshop and the following points were made:

  1. It was agreed that the CRCP would be split into two parts – strategic and operational.
  2. The Strategic Management Team (SMT) will own the strategic risks and the Operational Management Team (OMT) will own the operational organisational wide risks.
  3. Strategic risks were extracted from the current CRCP and new ones were formulated, the agreed strategic risks are attached in appendix one.
  4. The remaining risks within the CRCP were defined for a) removal or b) to be managed by OMT. OMT needs to consider what the operational risks are and if any of the removed risks are in fact operational ones and need to remain.
  5. OMT has scheduled time to have a workshop to develop the operational CRCP.
  6. Executive group discussions will ensure that any identified risks relevant for the strategic and operational CRCPs will be included within these plans.
  7. Named risk owners will still be responsible for the risks
  8. Formal acceptance of risks on to the plans will take place at SMT and OMT meetings.
  9. Risks should be incorporated into management discussions at all levels of the organisation and that RCPs should be dynamic. The roll out of training to sectors and directorates, as monitored recently by Risk Management Group (RMG), will facilitate this.
  10. To facilitate the use of RCPs the plans should be visible at all meetings and that items discussed are referenced against the plan, as OMT did with the October agenda and as used in the Pandemic Influenza Management Team (PIMT) meetings. This means risks will be part of the decision making process and not a separate entity.

The report from the workshop highlighted the following:

Board - The role of the Board was discussed and it was recognised that the Board did get involved annually in the risk management process through their workshop that was used to gather their views on risks to the organisation. They also receive regular reports on changes in the CRCP. In the future it was agreed that the Board should have visibility and a chance to challenge the strategic risk control plan.

Performance Governance Committee – this committee has the overall responsibility for ensuring that risks are effectively identified and managed across the organisation. It should regularly receive reports about both the strategic risk control plan and the CRCP.

Clinical Governance Committee – this committee has the responsibility of reviewing and challenging risks that are on the strategic or corporate risk control plans in respect of clinical governance issues. They should be satisfied that all clinical risks have been appropriately identified and that the control measures that are in place and that are planned to be in place are adequate to manage the risk identified.

Staff Governance Committee - this committee has the responsibility of reviewing and challenging risks that are on the strategic or corporate risk control plans in respect of staff governance issues. They should be satisfied that all staff risks have been appropriately identified and that the control measures that are in place and that are planned to be in place are adequate to manage the risk identified.

The next steps included:

  • Action planning
  • Consolidation of Strategic RCP – almost complete – strategic risks now agreed
  • Appetite for risk – to clarify at another workshop
  • Monitoring
  • Development of operational RCP by OMT – workshop being planned
  • Board and PGC education

Next steps – action planning

The risks that are within the very high/ high / medium category now require to be actively managed to ensure that they do not hinder the delivery of the organisation’s strategic themes. In some instances there are existing controls in place to manage the risks but it is essential that they are fully reviewed and a comprehensive plan of action is established to effectively manage these risks.

For each of the risks a risk owner needs to be identified. It is the risk owner who is the person accountable for ensuring that action plans are in place and reporting progress.

Next steps – monitoring

There needs to be regular monitoring of both the strategic and corporate risk control plans to ensure that they continue to be up to date, relevant and are dynamic in the way that they support the organisation in delivering its objectives.

Every quarter SMT should formally review the strategic risk control plan alongside an annually facilitated comprehensive review. The annual review could involve Board members and members of the Executive team.

It has already been suggested that at all SMT / Executive team and OMT meetings the SRCP and CRCP should be made available so that as issues are discussed the relevant risk can be discussed at the same time and any changes to either the risk, its profile or the action plan can be seamlessly picked up. This a shift towards continuous risk management which ideally is where NHS Grampian needs to get to and moves risk management on from a process approach to a more organic approach. It also requires increased knowledge and ownership of the corporate risk register by SMT/OMT.

Next steps – Board training / PGC training

Developing the strategic risk control plan provides an ideal opportunity to provide some refresher training for the Board and the various committees of the organisation. The training will ensure that there is understanding of the different tiers of risk control in place across the organisation and will remind members of their respective roles in terms of contributing to and monitoring the risk control plans. This will strengthen the governance of the organisation and raise the profile of risk management as a proactive management tool rather than perhaps being seen more as a control process.

The Board now needs to consider how it will monitor the Strategic Risk Control Plan.

Summary of Changes to Corporate Risk Control Plan following workshop

The table below shows the changes to the corporate risk control plan/s following the workshop. As previously indicated this process is still to be completed with discussion and agreement with OMT regarding the proposed risks to be monitored and reviewed there.

While there has been an overall reduction in the number of risks across both the strategic and operational CRCP (see table below) from 40 to 33(16+17=33), there have been 11 new risks added and 20 risks removed. There is further work to be undertaken though to confirm the operational corporate risks.

Number of risks / Risk level
Very High / High / Medium / Low
Corporate Risk Control Plan November 2009 / 40 / 4 / 19 / 11 / 6
Strategic (Corporate) Risk Control Plan January 2010 / 16 / 2 / 10 / 4 / 0
Proposed Operational (Corporate) Risk Control Plan January 2010 – still to be confirmed. / 17 / 1 / 8 / 6 / 2

Key Risk

The risk is that the momentum gained will not be sustained and that the Board does not fulfil its role in monitoring the strategic risks. A planned improvement approach and commitment from Board members will help mitigate this risk.

Conclusion

NHS Grampian seems to be recognising that risk management can assist with decision making and facilitate the successful and effective achievement of objectives. The sustained improvement in the use of RCPs is required to achieve this. Board members need to move to a role of continuous risk managementand monitor the organisation’s strategic risks through an undertaking to use the plan within decision making processes at the meetings.

Recommendations

Board members are asked to:

  1. note the improvements and changes made to the RCP process and content
  2. recognise the new strategic risks and risk control plan
  3. consider how to monitor these risks
  4. consider how to personally use the risk control plan within meetings when seeking assurance, making decisions and asking challenging questions
  5. request that the Board agenda be structured to take account of the strategic risks. This may include asking risk owners to attend to account for risk control
  6. agree to undertake further education as suggested within the report from the workshop

Elinor Smith

Director of Nursing

Helen Robbins

Head of Clinical Governance and Risk Management

Janet Seaton

Technical Services Manager - Datix

February 2010

1