Risk Management Strategy
Document Information
Document location:
This document is only valid on the day it was printed.
Authorship:
This document has been prepared by:
Name / Designation / Organisation
Suzanne Pickering / Head of Governance / NHS North Derbyshire Clinical Commissioning Group
Revision history:
The current version of this document supersedes all previous versions.
Revision date / Summary of changes / Version
12/07/12 / CCG Version of PCT Adopted Risk Management Policy / V1
18/09/12 / CCG Draft document full policy / V2
05/11/13 / Revised Risk Management Strategy 2013-14 / V3
01/03/15 / Revised Risk Management Strategy 2014-15 / V4
May 15 / Revised appendix 3 following audit recommendations / V4
August 16 / Revised for annual review and following new guidance / V5
Approvals:
This document requires the following approvals:
Name / Signature / Date taken / Version
NHS North Derbyshire Governing Body / 27/09/12 / V2
Governing Body Assurance Committee / 23/03/15 / V4
Governing Body Assurance Committee / 26/09/16 / V5
Distribution:
This document has been distributed to:
Recipient / Date of Issue / Version
All CCG Staff and CCG Website and Intranet / V5
Date for review:
Date of review / Name / Designation and Organisation
March 2015 / Suzanne Pickering / Head of Governance
August 2017 / Suzanne Pickering / Head of Governance
Contents
Section / Description / Page
One / The Seven Principles of Public Life / 4
Two / Why is a Risk Management Strategy needed / 5
Three / Background / 6
Four / Definitions and Terms Used / 6
Five / The CCG’s Approach to Managing Risk / 7
Six / Identification of Principal Risks / 8
Seven / Sources of Risks / 9
Eight / Measuring Risks / 9
Nine / Risk Types – A Matrix to Determine Risk Severity / 9
Ten / Matrix Levels of Authority for Grading Risk / 10
Eleven / Acceptable Levels of Risk / 11
Twelve / Risk Treatment Plans / 12
Thirteen / Key Controls / 12
Fourteen / The Assurance Framework / 12
Fifteen / The Three Lines of Defence / 13
Sixteen / CCG Structures / 16
Seventeen / Training / 16
Eighteen / Deployment of Resources / 17
Nineteen / Patient Advice and Liaison Service (PALS), Complaints, Litigation Support and Equality / 17
Twenty / Health and Safety and Security Management / 17
Twenty One / Relationships with Internal and External Audit / 18
Twenty Two / Reporting Arrangements / 18
Twenty Three / Reviewing the Strategy / 19
Twenty Four / Additional References / 19
Appendix / Description / Page
One / Risk Management Forms / 20
Two / Summary of responsibilities for the Management of Risk and Seeking Assurances in the CCG / 27
Three / Contacts / 29
Section One – The Seven Principles of Public Life
The CCG has signed up to the seven principles of public life as set out in the first report of the Committee on Standards in Public Life. These principles are reproduced below to provide support and guidance to staff when conducting business on behalf of the CCG.
Selflessness
Holders of public office should act solely in terms of the public interest. They should not do so in order to gain financial or other benefits for themselves, their family or their friends.
Integrity
Holders of public office should not place themselves under any financial or other obligation to outside individuals or organisations that might seek to influence them in the performance of their official duties.
Objectivity
In carrying out public business, including making public appointments, awarding contracts, or recommending individuals for rewards and benefits, holders of public office should make choices on merit.
Accountability
Holders of public office are accountable for their decisions and actions to the public and must submit themselves to whatever scrutiny is appropriate to their office.
Openness
Holders of public office should be as open as possible about all the decisions and actions that they take. They should give reasons for their decisions and restrict information only when the wider public interest clearly demands.
Honesty
Holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest.
Leadership
Holders of public office should promote and support these principles by leadership and example.
Section Two – Why a Risk Management Strategy is needed
Every activity that the CCG undertakes, or commissions others to undertake on its behalf, brings with it some element of risk that has the potential to undermine, or even prevent, the successful achievement of the CCG’s objectives.
A risk management strategy is necessary to enable the Governing Body to have a clear view of the risks affecting each area of its activity; how those risks are being managed; their likelihood of occurring; and their potential impact on the successful achievement of the CCG’s objectives.
The purpose of this Risk Management Strategy is therefore to:
- Enable the Governing Body to have an overview of the risks it faces, taking into account all aspects of its business;
- Assure the Governing Body that where risk is not at an acceptable level then action is in hand to make it acceptable;
- Assure the public, patients, our staff, our partner organisations, internal and external audit and the Audit Committee that the CCG is managing its risks appropriately;
- Enable the strategic deployment of resource to meet risk, if it is necessary, beyond the resource allocations already made. This applies to financial funding, human resources, capacity and knowledge;
- Enable constant and consistent improvement of health care and the patient experience;
- Encourage a culture where all staff look at and deal with risk as an integral part of their working lives.
This strategy will also assist the CCG in meeting the principles and rights set out in the NHS Constitution[1].
Good quality risk management has a positive impact on being able to set and meet high standards of excellence and professionalism; work in partnership with other organisations in the best interests of communities and the wider population; and provide best value for money with fair and sustainable use of resources. Failure to understand and manage risks in these areas of our work would be a serious impediment to delivering on these principles.
Section Three – Background
This document is produced on behalf of the North Derbyshire CCG Governing Body to set out the Risk Management Strategy for the organisation.
The strategy applies to all employees of the CCG, with an active lead expected from senior officers, GPs, heads of service, managers and supervisors at all levels in order to ensure that risk management is a fundamental part of the total approach to quality and governance.
It is the responsibility of senior officers, heads of service, managers and supervisors to ensure that the Risk Management Strategy is brought to the attention of all staff, via mandatory induction training, local induction training, annual mandatory training updates and other meetings.
Section Four – Definitions and Terms Used
It is important at the outset to define some key terms that are used in this strategy.
Risk – Is the threat that an event or action will adversely affect an organisation’s ability to achieve its business objectives. Risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threats will materialise or that errors will be made.
Residual Risk – Is the remaining level of risk after controls have been put in place; this may or may not be acceptable to the organisation. If not, further action may need to be taken.
The Risk Register – Is a log of all types of risk that could impact on the success of NHS North Derbyshire Clinical Commissioning Group achieving its declared aims and objectives. It is a dynamic living document, which is populated through the trust’s risk assessment and evaluation process. This enables risk to be quantified and ranked; it provides a structure for collating information about risks that helps both in the analysis of risk and in decisions about whether or how risks should be treated.
Governing Body Assurance Framework – Is the structure and process that enables the organisation to focus on its principal risks that might compromise achieving its strategic aims and objectives; and to map out both the controls that should be in place to manage those objectives and confirm that the Governing Body has gained sufficient assurance about the effectiveness of these controls.
Risk Manager – The Executive identified by the CCG with the appropriate authority and knowledge to manage the risk to an acceptable level.
Risk Lead – The responsible Senior Manager identified for maintaining the Governing Body Assurance Framework and Risk Register and to ensure that the risk owner effectively carries out their risk management duties. The attribution of risks and strategic objectives will be aligned with their portfolios, where possible.
The Three Lines of Defence – The Three Lines of Defence Model is seen as a simple and effective way to clarify the roles and responsibilities in relation to risk management. Importantly, it outlines the role Internal Audit plays in providing assurance on the effectiveness of governance, risk management arrangements and internal controls within the CCG.
Section Five – North Derbyshire CCG’s Approach to Managing Risk
North Derbyshire CCG recognises that it is impossible to eliminate all risk from its activities and that systems of control should not be so rigid that they stifle innovation and imaginative use of limited resources to achieve health benefits for local residents.
As a general principle the CCG will seek to eliminate or control all risks that could potentially:
- Cause harm to people that the CCG interacts with, be they patients receiving services that the CCG has commissioned, staff working for the CCG and employers with whom the CCG does business, members of the public using CCG premises, and other stakeholders;
- Have a high potential for incidents to occur that would result in loss of public confidence in the CCG and/or its partner agencies; and
- Have severe financial consequences that would prevent the CCG from carrying out its functions on behalf of its residents.
The CCG’s system of internal control is based on an on-going process designed to:
- Identify and prioritise the risks to the achievement of the organisation’s policies, aims and objectives; and
- Evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically.
Furthermore, as an organisation that is responsible for overseeing the commissioning of healthcare and other services from a wide variety of providers, one of the key purposes of the CCG’s risk management process is to ensure that services are commissioned from providers who themselves operate high standards of risk management processes. This strategy is therefore a tool for the constant improvement of health care and the patient experience.
Section Six – Identification of Principal Risks
The CCG publishes its strategy through annual review of operating framework requirements, national policy implementation plans and evaluation of local priorities. Key strategic objectives have been identified, each of which will make a significant contribution to the successful achievement of the strategic aims. However, for each primary objective there are significant risks that could adversely impact upon its successful achievement, and thereby deflect the CCG from its strategic direction. This approach is summarised in the CCG’s Board Assurance Framework, complemented by a risk register and the Strategic Commissioning Framework.
Risks will be categorised as Corporate or Local risks, which shall be defined as follows:
- Corporate risks are those that have an impact on the CCG’s strategic objectives, affect the CCGas a corporate entity, or have an impact across two or more CCG functional teams.
- Local risks are those that are specific to a particular building, workplace, function, or local/team objective, which in themselves do not impact upon a corporate or strategic objective and can largely be managed through the CCG’s risk management processes.
Corporate risks that score 3 or above shall be reported to the CCG’s Governance Team (see Appendix D for contact details) for inclusion on the corporate risk register and they will form part of the regular reporting of risks to the Governing Body. For any corporate risk reported to the Governance team that scores a total of 10 or more, a completed Risk Assessment Form and Risk Treatment Plan that sets out how the risk is to be managed should be completed (see Appendix A for the relevant forms). Corporate risks scoring less than 5 will be deemed sufficiently low to be handled on behalf of the CCG by the team responsible for the risk.
Local risks should be kept on a register held by the team responsible for managing the risk who will ensure that the risks are added to their local risk registers. The teams responsible for managing local risks will be expected to be able to produce evidence of the risk assessment and the management of those risks at any time an inspection or audit so requires.
Health and Safety risks shall be reported to the Health and Safety service for review, advice and logging on the Health and Safety risk register (Please contact Suzanne Pickering, Head of Governance for details).
Section Seven – Sources of Risks
Any risks or hazards that are identified will be assessed using the appropriate risk assessment form by appropriately trained risk assessors. Managers are responsible for ensuring that all risk assessments take place within their departments and ensuring that risks are recorded on either local or Corporate Risk Registers. The Executive Team and the Governing Body will review risks in line with the table set out next to the 5x5 matrix in Appendix A, and as described in the following paragraphs.
Section Eight – Measuring Risks
Each significant risk identified by the organisation is measured against two dimensions:
- the consequences it will have on the CCG should it occur;
- the likelihood of it occurring once all necessary controls have been established and put in place.
Each dimension is scored from 1 to 5 using definitions that provide a fair scaling of severity across several domains (see below and Appendix A). This provides a degree of standardisation across the CCG that enables a consistent scoring of risks at all levels of the organisation.
The scoring of risks will be done by the risk manager/owner responsible for the treatment of the risk concerned. Scores will then undergo a moderation process where they will be reviewed by the Executive Team. This moderation process will seek to ensure consistency both within the clutch of risks for a particular set of objectives, and also across the team, department or wider organisation.
Section Nine – Risk Types – A Matrix to Determine Risk Severity
The consequence and likelihood scores referred to above are multiplied together to give a risk type ranging from low to high.
The table that follows shows how risks will be graded using this methodology. This table is identical to that contained in the Incident Reporting policy, which ensures consistency across all the CCG’s risk management processes.
Consequence \ Likelihood / 1 – Rare / 2 – Unlikely / 3 – Possible / 4 – Likely / 5 – Almost certain
1 – Negligible / 1 / 2 / 3 / 4 / 5
2 – Minor / 2 / 4 / 6 / 8 / 10
3 – Moderate / 3 / 6 / 9 / 12 / 15
4 – Major / 4 / 8 / 12 / 16 / 20
5 – Catastrophic / 5 / 10 / 15 / 20 / 25
Score / Risk type
1-3 / Low risk
4-6 / Moderate risk
8-12 / High risk
15-25 / Extreme risk
The risk scores and types are then transferred to the CCG’s risk register, treatment plans are agreed and a review date is set. When the risk becomes due for review the responsible manager will be requested to complete a Risk Assessment Follow Up Form to assess whether:
- the treatment plan has been successful in reducing the CCG’s exposure to that risk;
- the risk rating requires amending;
- the risk can be closed down and removed from the register; or
- further action needs to be taken to actively manage the risk.
The results of this review shall then be recorded on the register and, if the risk is not closed down, a new review date set. For risks on the corporate register this process will be administered by the Corporate Governance team and risks scheduled for review will be reported to the manager responsible for the risk to take appropriate action. For local risks the management team responsible for the risk shall ensure that such reviews are carried out in a timely manner.
Section Ten – Management Levels of Authority for Grading Risk
The authority to identify and score risks rests at various levels within the organisation depending upon the level at which the risk has been identified. Generally, all managers have a responsibility to identify risks within their sphere of operations, and to grade the risks accordingly. They are also expected to propose risk treatment plans for consideration and action within their teams and directorate. The following hierarchy of authorities sets out the general approach adopted within the CCG:
Corporate and Strategic Risks: / Chief Officers, both individually and collectively.
Functional area risks: / Senior officers and directorate management teams.
Team risks: / Team leader in consultation with team members.
Individual risks (e.g. those identified in PDPs): / Individual officer in consultation with responsible manager.
Section Eleven – Acceptable Levels of Risk
It is neither possible nor desirable to achieve a risk-free environment when planning, commissioning and delivering health care. Risk is a driver of innovation, change, growth and understanding, and to eliminate risk entirely would be to lose this driver for improvement. This strategy is therefore not aiming to achieve the elimination of all risk, but the successful management of those risks that impact most upon the CCG’s work. The approach of this strategy regarding acceptable levels of risk is two-fold:
- Where it is practicable to eliminate a risk at a reasonable cost then action should be taken to do so.
- Where it is not possible to eliminate a risk completely then a judgement has to be formed as to what action shall be taken to mitigate the likelihood of the risk occurring and its potential impact. This judgement will form the basis of the CCG’s tolerance of the particular risk.
Tolerance of a risk can take two forms:
- A conscious decision to take no action on the risk and to bear the consequences of such a decision should the risk manifest itself. This approach might be taken in circumstances where the costs of taking action to mitigate the risk outweigh the costs of the impact of the risk occurring;
- A decision to take action to mitigate the risk, be it to reduce the likelihood of it occurring, the impact of the risk occurring or a combination of both. Having taken such action, if the risk is not then eliminated the CCG will then be tolerating the residual risk.
The CCG’s risk appetite will emerge through the active management of identified risks and supporting plans.