RISK MANAGEMENT STRATEGY

(1)

Risk Management Strategy DN128 Review date: September 2013

Page 1 of 15

RISK MANAGEMENT STRATEGY 2014-17

DOCUMENT NO: DN128

Lead author/initiator(s): Head of Quality Performance

Contact email address:

[email protected]

Developed by: Quality Performance Team

Approved by: Quality Improvement Safety Committee Approval date: May 2014

Review date: May 2017

Version no: V3

For office use only:

Ratified by:

(enter Board of Directors or Sub-committee of Board)

Trust Board

Date ratified: June 2014 Version Control And Revisions:

Version Page/Para No. Description of change Date

1 First published January 2011

2 All Full review to reflect organisational restructure and NHSLA standards 2012/13.

September 2012

2.1 Sec 9 monitoring changed to table format Feb 2013

3 All Updated to reflect revised Board

Assurance and Escalation Framework and Risk Assessment Policy. Revised governance structure appendix 1.

References to Datixweb, risk register included through the document including appendix 2.

April 2014

THIS IS A CONTROLLED DOCUMENT

Whilst this document may be printed, the electronic version maintained on the CCS NHS Trust Intranet is the controlled copy. Any printed copies of this document are

not controlled.

(2)

Page 2 of 15

DOCUMENT CONTROL SHEET Purpose of

document:

This strategy sets out the Trust’s approach to managing both strategic and operational risks (both clinical and non clinical).

Dissemination:

Available on the trust’s intranet and notified via internal communication cascade.

Implementation:

All staff groups

Review:

Annual review

This document

supports (enter Standards and Legislation:

NHSLA Risk Management Standards

CQC Essential standards for Quality and Safety Monitor Governance Compliance Framework

Key related documents:

Risk Assessment Policy DN44

Management of Incidents Policy DN37 Management of serious Incidents DN57

Training, Education and Development Policy DN62 Raising Concerns at Work (whistleblowing) Policy DN94 Board Assurance and Escalation Framework DN262 Complaints Policy DN60

Claims Policy DN32

Health and Safety Policy DN64

Information Governance Policy DN106

Equality & Diversity:

A Rapid Equality & Diversity Impact assessment has concluded that this strategy is compliant with the Equality and Diversity Policy. No negative impacts were found.

Financial Implications:

The financial implications for the organisation relate to the management of specific risks identified.

Key word search

Risk, strategy, management

(3)

Page 3 of 15

Chapter Page no

1.0 Introduction 4

2.0 Aims 4

3.0 The Board’s intent 5

4.0 Who the strategy applies to 5

5.0 Duties 5

6.0 The systems and processes process for managing risk (including use of the Quality Early Warning Trigger Tool and associated risks).

9 7.0 Learning from Experience 9

8.0 Risk Management training 10

9.0 Monitoring compliance and effectiveness of the strategy 10

10.0 Equality and Diversity statement 11

Appendix 1: Trust Board Governance Structure 11

Appendix 2: Identification of risk 12

Appendix 3: Key Performance Indicators 13

Appendix 4: Terms of Reference for risk related committees 14

Appendix 5: Board Assurance and Escalation Framework 15

(4)

Page 4 of 15

1.0 INTRODUCTION

1.1 This is a trust wide strategy describing the Cambridgeshire Community Services NHS Trust (the Trust) approach to managing both strategic and operational risks (both clinical and non-clinical).

1.2 All actions contain inherent risks. Risk management is central to the effective running of any

organisation. At its simplest, risk management is good management practice. It should not be seen as an end in itself, but as part of an overall management approach. The Trust will ensure that decisions made on behalf of the organisation are taken with consideration to the effective management of risks.

1.3 For the purpose of this strategy risk is defined as ‘the likelihood that harm or damage may occur and the consequence/severity of the outcome’. Risk Management is the proactive process by which an organisation identifies risks, assesses their relative importance, determines the appropriate risk control mechanism and most importantly ensures that the agreed action is taken. The Trust has a legal requirement to give assurance that risks in the organisation are identified and appropriately managed. Failure to manage risks effectively can lead to harm, loss or damage in terms of both personal injury but also in terms of loss or damage to the Trust’s reputation; financial loss; potential for complaints; litigation and adverse or unwanted publicity.

1.4 The Trust recognises that delivering health care provision and associated activities, employing staff, managing premises and finances all involve a degree of risk and is building an integrated approach to the overall management of strategic and operational risk, including those originating from clinical, financial, workforce or other sources.

1.5 Strategic risks can be considered as:

Those risks that, if realised, could fundamentally affect the way in which the organisation exists or operates. These risks will have a detrimental effect on the organisation’s achievement of its key business objectives. The risk realisation will lead to material failure, loss or lost opportunity (for example loss of significant sums of money), failing to meet Care Quality Commission (CQC) targets and/or experiencing a death or serious injury and/or failing to meet significant strategic targets.

Strategic risks are detailed in the Trust’s Board Assurance Framework and mapped against the Trust’s strategic objectives.

1.6 Operational risks can be considered as:

The main operational and clinical risks associated with the day to day workings of the organisation that would increase the likelihood of the realisation of a strategic risk. These risks will be

considered at community unit level in the first instance and then escalated to the relevant director for inclusion on the corporate risk register.

2.0 AIMS

2.1 Our aim is to reinforce a culture of creativity and innovation in which risks are identified, understood and proactively managed thus ensuring that risk management is embedded throughout the

organisation and becomes an integral part of the Trust’s objectives, plans, practices and

management systems in a risk aware environment where individual and organisational learning flourishes.

(5)

Page 5 of 15

2.2 The aim of this Risk Management Strategy is to provide a supportive risk management framework that ensures:

 Integration of risk management into policy making, planning and decision making processes throughout the Trust.

 Risks which could have prevented strategic objectives being achieved are proactively identified, mitigated or managed to an acceptable level.

 Appropriate reporting arrangements and individual responsibilities are clearly identified

 Compliance with legal and statutory requirements relating to health and safety risks alongside other risks incurred for staff as part of their work.

3.0 THE BOARD’S INTENT

3.1 The Board is committed to leading the organisation forward to deliver high quality services and achieve excellent results for the populations served, thereby ensuring the very best use of public funds. The Board intends to use the risk management processes outlined in this strategy as a means to help achieve these goals.

3.2 The Board is committed to an open and honest approach in all matters. It expects staff to acknowledge that risks within the Trust can be identified and managed if everyone adopts an attitude of openness and honesty. The overall approach expected within the organisation is one of help and support to each other rather than recrimination and blame (the Trust’s Raising Serious Concerns at Work Policy supports this).

3.3 The purpose of the Risk Management Strategy is to create a culture that supports and encourages employees to use related Trust documents in order to:

 Identify and control risks which may adversely affect operational ability.

 Compare one risk to another using the grading system explained in the Risk Assessment Policy.

 Where possible, eliminate or transfer risks or reduce them to an acceptable and cost effective level.

 Otherwise ensure the organisation openly accepts the remaining risks.

4.0 WHO THIS STRATEGY APPLIES TO

This Strategy is intended for use by all employees and contractors engaged on the Trust’s work in respect of any aspect of that work. As noted in section 1.2 all actions contain inherent risks.

Although the management of key strategic risks is monitored by the Board, operational risks are managed on a day to day basis by employees. In order that progress in managing all risks can be acknowledged, a single web based recording system (Datix) has been implemented, which provides a central record of all risks to the organisation.

5.0 DUTIES

5.1 The Trust’s committee structure for managing risk is outlined in Appendix 1 and described in sections 5.2.5 – 5.2.7.

The organisational responsibilities for risk management within the organisations are detailed as follows:

(6)

Page 6 of 15

5.2 Corporate responsibilities 5.2.1 The Chief Executive

The overall responsibility for effective risk management meeting statutory requirements and adhering to relevant best practice guidance including the NHS Foundation Trust Code of Governance Monitor 2010, lies with the Chief Executive.

5.2.2 Directors

 The Chief Nurse has Executive Director Responsibility for clinical risk.

 The Director of Finance holds responsibility for non clinical risk throughout the Trust and acts as the Trust’s Senior Information Risk Owner (SIRO). This role is responsible for all business risks including commissioning, finances, control of assets, provisions for liabilities, and general

Controls Assurance. The Director of Finance will report via the Estates Committee and the Audit Committee on all non-clinical risk governance activities. All risks relating to fraud are also

covered by this role.

 The Medical Director is the Caldicott Guardian and is responsible for research activity and related risks.

5.2.3 The Assistant Director of Corporate Governance

It is the role of the Assistant Director of Corporate Governance to manage the implementation of corporate governance systems including preparation of the Board Level risks and risks monitored by Sub-Committees.

The Head of Resilience and Information Governance reports to the Chief Nurse and is responsible for supporting the Community Unit Managers in their operational management of information governance risks and incidents. This role supports both the Caldicott Guardian and SIRO.

5.2.4 Community Unit Managers

It is the responsibility of Community Unit and Corporate Services Managers throughout the organisation to identify, record and escalate risks following the Board Assurance and Escalation Framework. Regular review of actions and controls should be undertaken and reported

appropriately.

5.2.5 The Board

The Board is responsible for:

 Ensuring the Trust has a strategy in place for managing all types of significant risk.

 Identifying and assessing the Trust’s principle risks which threaten the achievement of the organisation’s corporate objectives as per the Board Assurance and Escalation Framework and those risks escalated from the Clinical Operational Boards.

 Reviewing any significant resource allocations requested for the execution of the strategy, either within the business plan or in ad hoc proposals.

 Acting on any significant risks escalated by Board sub-committees (the process is described in the Board Assurance and Escalation Framework (section 9) appendix 5 and terms of Reference appendix 4).

5.2.6 Board Sub-Committees

The Board has delegated the more detailed oversight of the management of various types of risk to its sub-committees which each have a role in the management of risk. Terms of reference are attached at Appendix 4. The escalation process is described in section 9 of the Board Assurance and Escalation Framework (DN262).

(7)

Page 7 of 15

Audit Committee

The Audit Committee is a sub-committee of the Board which has responsibility for providing

assurance to the Board that risk is being managed appropriately, maintaining direct oversight of all financial risks, including generic risks, specific risks arising from the Integrated Business Plan and risks to financial processes and control. It is also responsible for reviewing the effectiveness of risk management arrangements through the internal audit programme and the review of resulting reports.

Quality Improvement and Safety Committee

The Quality Improvement and Safety Committee is responsible for overseeing all areas of Quality and safety. Its key strategic duty is to ensure that effective Quality governance is at the heart of the delivery of services by the Trust and to review all clinical risks allocated for review by this committee and those escalated from related sub-groups.

Strategic Change Board

The Strategic Change Board is responsible for monitoring the delivery of the Trust’s portfolio of strategic change programmes relating to the achievement of the Trust’s strategic objectives as set out in the Integrated Business Plan and associated risks.

Estates Committee

The Estates Committee is responsible for ensuring that the Estates Strategy is implemented and that all risks relating to estates (and relevant reporting sub groups) are monitored and escalated as per Terms of Reference (appendix 4) .

5.2.7 Supporting Sub-Groups

Each of the Board sub-committees described above has a variety of approved sub-groups reporting to it. These are outlined in Appendix 1. Each of these has an agreed terms of reference and reporting arrangements to its parent sub committee. Their roles include identifying relevant risks from their specific area and escalation to the relevant committee where required.

5.2.8 Chief Nurse Directorate

Within the Chief Nurse Directorate, the following key posts support the management of risk in the Trust:

The Head of Quality Performance is responsible for the areas of clinical quality, clinical risk, safety, compliance, clinical audit and effectiveness. The role involves ensuring that appropriate systems and processes are in place and utilised fully to improve identification, reporting and

monitoring of clinical risks. This role is responsible for managing the Trust’s compliance programme for clinical risk regulatory requirements.

The Head of Professional Practice is responsible for managing the Trust’s Infection Prevention &

Control, Research and Patient Experience and Safeguarding Adults functions including related risk systems. This role also supports monitoring of risks related to professional practice for

professionally registered staff.

The Senior Quality and Safety Manager has responsibility to implement and support operational risk management systems alongside incident management processes.

Safety Managers have responsibility for the day-to-day implementation of this Strategy and include the ‘competent health and safety person’ for the Trust within the Safety Team. These roles also deliver identified risk management training (including root cause analysis)

(8)

Page 8 of 15

The Clinical Audit and Effectiveness Manager is responsible for identifying, reporting and monitoring related risks in these areas, and ensuring escalation where appropriate.

5.3 Local arrangements for managing risk (including authority of all managers)

One of the key goals of this strategy is to embed proactive risk management throughout the Trust by ensuring that risks are identified and managed using the Trust’s agreed risk assessment

methodology detailed in the Trust’s Risk Assessment Policy. The Board Assurance and Escalation Framework (Appendix 5 section 9) details escalation routes for all risks including those held locally.

5.3.1 Directors

Directors are responsible and have authority to ensure that risks are appropriately managed in their areas of responsibility alongside a corporate responsibility for integrated risk management. This includes monitoring local systems of identification, recording, review of actions and escalation as outlined in the Board Assurance and Escalation Framework.

5.3.2 Community Unit Managers

Community Unit Managers are accountable and have authority to ensure that risks are appropriately managed in their areas of responsibility. Key responsibilities include:

 Identifying, managing and reviewing risks on a regular basis.

 Escalating appropriate risks for possible inclusion on the Corporate Risk Register as per Risk Assessment Policy (DN44).

 Reviewing incidents, complaints and claims to identify any learning.

 Identifying any changes to practice that could be implemented either locally or Trust wide to improve patient care.

 Acting on outcomes from audits and committee recommendations relating to risk management.

 Ensuring staff receive relevant risk related training (including mandatory training elements).

5.3.3 All staff

Proactive management of risk is the responsibility of all members of staff. Therefore each member of staff should:

 Be aware of local risk issues and the Trust’s risk management policies.

 Record and notify managers of any risks identified.

 Take reasonable care of the health and safety of themselves and others.

 Be aware of and comply with incident reporting policies and procedures.

 Participate in risk assessment programmes relevant to the post/specialty.

 Recommend risk management solutions.

 Initiate action, within their sphere of responsibility, to prevent or reduce the adverse effects of risk.

6.0 SYSTEMS AND PROCESSES FOR MANAGING RISK

The Trust operates two major systems for facilitating the management of risk throughout the organisation:

 Proactive risk management, via the risk assessment process (described in detail in the Risk Assessment Policy DN44).

 Reactive risk management via the Datix reporting system for near miss and incidents (described in the Management of Incidents and Management of Serious Incidents Policies).

Both systems use the same risk grading process in order to assess risks consistently across the organisation described below.

6.1 Assessing risk

Risks are assessed at both operational and strategic levels in the organisation. Appendix 2 describes the pathway for managing risks within the Trust. The Trust’s Risk Assessment Policy

(9)

Page 9 of 15

(DN44) describes the process for standardised assessment of risk including assessment of likelihood (how likely it is that the adverse consequence described will occur when considering frequency or probability) and consequence (the outcome or the potential outcome of an event.

Clearly, there may be more than one consequence of a single event).

6.1.1 Local or operational risks identified by Community Units and corporate teams are recorded on the web based Datix Risk Assessment tool. These are escalated as outlined in the Board Assurance and Escalation Framework.

Community Unit Dashboards align reporting of quality and workforce information and are used by the Community Units as an operational management tool to give an integrated view of performance.

6.1.2 Strategic risks are identified from a variety of sources including the identification of risks to the achievement of Trust strategic objectives by the Board. The nominated lead for each risk will identify existing controls and sources of assurance that these controls operate effectively. Any gaps in controls will be identified and action plans put in place to strengthen controls where appropriate.

The outcome of this process will be articulated in the Board Assurance Framework which will be presented to the Board for endorsement.

6.1.3 Early Warning Trigger Tool (Quality)

The Trust has adopted a Quality Early Warning Trigger Tool (adapted from National Patient Safety Agency and Norfolk Community Health and Care NHS Trust tools). This assists teams to identify key risks to delivering a quality service that can be quantified, scored and appropriate actions taken.

Related risks are identified and reported via local held risk registers on Datix as defined in the Board Assurance and Escalation Framework.

7.0 LEARNING FROM EXPERIENCE

7.1 The Trust is committed to learning from the experiences of our patients, carers, service users, staff and the experiences of other organisations. This includes learning from identified risks, how they were mitigated and managed and ultimately either resolved or accepted within tolerance levels.

7.2 Information from a variety of sources is considered in a holistic manner to provide learning and inform changes to practice that would improve patient safety and overall experience.

7.3 Analysis of information relating to patient safety incidents, complaints, claims, PALS contact, Back to the Floor sessions and patient stories is undertaken by local teams alongside trust wide analysis of experience.

7.4.1 Lessons applicable to other Trust services are also shared in the Communication Cascade.

8.0 RISK MANAGEMENT TRAINING

81 The Trust’s training needs analysis details the requirements for staff to undertake relevant

components of risk management training to enable them to manage risk effectively. This includes relevant training for Board and Senior Managers.

8.2 For further details please refer to the Trust’s Training Education and Development Policy which includes details of recording attendance, non attendance , follow up and monitoring compliance.

9.0 MONITORING COMPLIANCE AND THE EFFECTIVENESS OF THIS STRATEGY

The Trust will seek assurance that risk management systems and processes are being used

appropriately with relevant identification, recording and management of risks. The key performance indicators outlined in Appendix 3 will be reported and updated annually to the relevant committees with responsibility for risk and Board.

(10)

Page 10 of 15

The following key elements of this strategy will also be monitored as below:

10 EQUALITY & DIVERSITY STATEMENT

10.1 Cambridgeshire Community Services NHS Trust will ensure that this document is applied in a fair and reasonable manner that does not discriminate on such grounds as race, gender, disability, sexual orientation, age, religion or belief.

Element to be monitored

Lead Tool Frequency Reporting

arrangements The organisation’s

risk management structure detailing committees and groups with some responsibility for risk

Assistant Director of Corporate Governance

Review committee reporting structure and audit of information flow to and from Board and related

committees and groups relating to risk.

Annual Board

How the Board or high level risk committee(s) review the organisation wide risk register

Audit of process for reviewing organisation wide risk register Internal Audit review risk register process and effectiveness

Annual

Every 2 years

Board

Audit Committee How risk is

managed locally

Audit of local Datix Risk Registers and escalation to Corporate Risk register

Annual Board

Element to be monitored

Lead Tool Frequency Reporting

arrangements Duties of key

individuals for risk management activities

Audit of duties Annual Board

(11)

Page 11 of 15

APPENDIX 1: TRUST BOARD GOVERNANCE STRUCTURE

(12)

Page 12 of 15

APPENDIX 2: RISK FLOWCHART – IDENTIFICATION OF RISK

Sources of Risk

Strategic and operational risks identified from a variety of sources

Community Unit review of risks

SIs/complaints/

poor performance

Contract performance reviews

Soft intelligence, e.g. stakeholder

meetings, etc.

Risk information loaded on the Datixweb risk register

software

Risk Escalated as per Board Assurance and Escalation Framework

Monthly combined Executive/Management Team review strategic and

Committee/Operational Board risks and action plans

Quality Early Warning Trigger Tool

Monthly risk summaries presented to the board.

Audit Committee oversight of entire risk reporting process

(13)

Risk Management Strategy DN128 Review date: April 2017

Page 13 of 15

APPENDIX 3 KEY PERFORMANCE INDICATORS (KPI) CHART

Indicator  Assessment criteria

1 Implementation of CCS NHS Trust Risk Management Strategy.

 Disseminated to all service and corporate teams.

 Regular reporting through Committee structure with evidence of risk issues being escalated and

feedback received.

 Evidence that actions agreed have been completed or progressed.

2 Improved attendance of staff at identified mandatory risk

management training identified in training needs analysis.

 Improvement in staff attendance at mandatory risk management training to 95% reported via

Performance report to Quality Finance, and Performance Committee.

3 Risk assessment process fully embedded.

 All Business Units hold a Datix Risk Register and risks reviewed monthly with relevant Unit Manager.

4 Compliance with SABs reporting requirements

 100% SABs received by appropriate teams and 100% compliance with acknowledging and reporting requirements.

5 BAF risks recorded appropriately and reviewed by appropriate committees

 100% compliance quarterly review of relevant BAF risks by Board sub committees.

 Annual audit of BAF risks to ensure all relevant components recorded and review undertaken.

6 Learning from Serious Incidents, patient safety incidents, complaints, claims and PALs enquiries shared appropriately across the Trust with changes in practice identified and implemented.

 Trend analysis presented to Quality Improvement and safety Committee at designated times.

 Evidence of changes to practice

7 Compliance with internal and

external assessments relating to risk management

 NHSLA level 1 maintained.

 Compliance with CQC Essential standards of quality and safety.

 IG Toolkit compliance level 2.

 Evidence of discussion by Community Units of Quality Early Warning Trigger Tool scoring and associated risks

 Evidence of debate relating to Quality information presented on Community Unit dashboards 8 Document control register is

maintained and policies all up to date

 Register includes all Trust wide approved documents

 All documents up to date and available on Intranet 9 Local Risk Registers maintained to

identified standard.

 Local risk registers are reviewed and updated on an on going basis.

 Formal annual audit of risk registers 10 Number, type and severity of

incidents reported across the Trust

 Number of near miss and incidents reported remains consistent or increases annually.

 No increase in overall severity

 Evidence of feedback and actions taken to reduce risk as result of reporting.

(14)

Risk Management Strategy DN128 Review date: April 2017

Page 14 of 15

Appendix 4: TERMS OF REFERENCE for Risk related committees

BOARD OF DIRECTORS AND SUB-COMMITTEE STRUCUTRES

TERMS OF REFERENCE

Content Page

1. Purpose and Duties 2

2. Authority of the Sub-Committees 2

3. Membership 2

4. Attendance 3

5. Quorum 3

6. Frequency 4

7. Reporting 4

8. Delegation 4

9. Administration 5

10. Review

Appendix 1 Board 6

Appendix 2 Audit Committee 9

Appendix 3 Charitable Funds 12

Appendix 4 Estates 14

Appendix 5 Public Involvement and Patient Experience 16

Appendix 6 Clinical Operational Boards 17

Appendix 7 Quality Improvement and Safety 19

Appendix 8 Remuneration, Terms of Service and Nominations 21

Appendix 9 Strategic Change Board 23

Appendix 10 Evaluation Form 26

Appendix 11 Board and Committee Membership and Leads 27 Appendix 12 Board and Committee Structure Charts 30 Appendix 13 Quality information reported at Board and Committees 31

Appendix 14 Board Report Template 35

Appendix 15 Board Performance Review 36

Approved by: CCS NHST Board, 3^rd July 2013 Due for Review: July 2014

Version no: 6

Author: Ally Retallick

Trust Board Secretary June 2013

(15)

Page 15 of 15

BOARD ASSURANCE AND ESCALATION FRAMEWORK

DOCUMENT NO: DN262

Lead author/initiator(s): Chief Nurse

Developed by: Head of Quality Performance and Corporate Secretary

Approved by: Quality Improvement and Safety Committee

Approval date: May 2014

Review date: May 2015

Version no: 3

For office use only:

Ratified by:

(enter Board of Directors or Sub-committee of BoD)

Trust Board

Date ratified: June 2014 Version Control And Revisions:

1 First published November 2008

Version Page/Para No. Description of change Date

1 All Version 1 September 2012

2 All Incorporation of QEWTT to be

incorporated into Board Governance Compendium

September 2012 (Board approval Nov 2012) 3 All Updated to reflect Strategic risk

assessment project and organisational restructure including job titles, committee structures etc.

April 2014

THIS IS A CONTROLLED DOCUMENT

Whilst this document may be printed, the electronic version maintained on the CCS NHS Trust Intranet is the controlled copy. Any printed copies of this document are not controlled.

RISK MANAGEMENT STRATEGY