Risk management framework

1 Introduction

Successful risk management enhances strategic planning and prioritisation, assists in achieving objectives and strengthens our ability to respond with agility to the challenges that our trust faces. If we want to meet our objectives successfully, improve service delivery and achieve value for money, risk management must be an essential and integral part of planning and decision-making. This risk management framework has been developed to improve risk management further and to embed it as a routine part of how we operate.

Risk is inherent in everything we do to deliver high-quality services and must be an integral part of informed decision-making, from policy, through implementation to the everyday delivery of services. This isn’t about adding new processes; it is about ensuring that effective risk management is integrated in the way we lead, direct, manage and operate.

The effectiveness of risk management depends on the individuals responsible for operating the systems put in place. Our risk culture must embrace openness, support transparency, welcome constructive challenge and promote collaboration, consultation and co-operation. We must invite scrutiny and embrace expertise to inform decision-making.

This framework has been developed to provide an approved framework for all staff that sets out the:

  • main principles of effective risk management.
  • procedure for both strategic and operational risk to facilitate a consistent, structured and systematic approach to the operational management of risk.

Risk management is everybody’s responsibility and is a fundamental part of the trust’s governance structure providing the following benefits:

Benefits of risk management:

  • supports the safe delivery of care
  • supports the achievement of trust objectives
  • avoids or mitigates the impact of failure
  • supports the cost efficiency and value for money
  • compliance with legal and regulatory frameworks
  • management of external impacts and changes
  • exploits opportunities encouraging innovation

2 Principles of risk management

There are 5 key principles of risk management (as defined in the HM Treasury Orange Book):

  1. governance and leadership, an essential part of governance and leadership and fundamental to how our trust is directed, managed and controlled at all levels
  2. integration, integral to our trust activities to support decision making for the achievement of our objectives
  3. collaboration, informed by the available information and expertise
  4. structure, process is structured to include (also refer to section 5):
    • identification and articulation
    • assessment and scoring
    • treatment
    • monitoring, review and reporting
  5. continually improved, through learning and experience

3 Risk appetite and statement

The trust recognises that it is impossible to deliver its services and achieve positive outcomes for its stakeholders without taking risks. Only by taking risks can the trust realise its aims. It must, however, take risks in a controlled manner, thus reducing its exposure to a level deemed acceptable from time to time by the board and, by extension, external inspectors or regulators, and relevant legislation. This is the risk appetite, defined as “the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time” (HM Treasury Orange Book).

The aim of the trust’s risk appetite statement is to articulate the levels and types of risk the trust is prepared to accept in delivering its objectives. This then informs planning and objective setting, focusing on priority areas within our trust as well as underpinning the threshold used when determining the tolerability of individual risks.

“The trust recognises that its long term sustainability depends on the delivery of its strategic objectives and its relationships with its communities, including service users and families, the public and partners. Patient and staff safety is paramount and as such the trust will not accept risks that materially provide a negative impact on quality and governance. The trust acknowledges the challenging business environment in which it operates and has a greater appetite to take considered risks in terms of the impact to achieve innovation and excellence.”

In agreeing the board assurance framework the board will consider and agree a risk appetite statement in respect of each strategic risk.

4 Levels and status of risk

Within the trust there are 2 levels of risk:

  • operational risk
  • strategic risk

Operational risk, these are the identified risks that have the potential to impact on the delivery of business, projects or programme objectives. Operational risks are recorded within risk registers. Further detail regarding the systems and processes for managing operational risks is outlined in section 5, operational risk process.

In addition to the formal risk registers, when delivering specific projects or programmes, our trust also utilises the project risk logs which are an essential tool as part of any project management methodology.

Strategic risks, a board assurance framework is developed in order to identify and record the key strategic risks for the trust that may impact on the achievement of its strategic objectives. Further detail regarding the board assurance framework is outlined in section 6, strategic risk process.

In addition to the levels of risk our trust also defines the status of each risk:

  • live, those risks that are actively being treated and action above and beyond ‘business as usual’ are being taken to reduce the impact and likelihood of the risk occurring
  • tolerated, there are some risks that must remain open as the trust is unable to implement mitigations that eliminate the risk in its entirety. In these circumstances the trust may acknowledge that no further action can be taken to mitigate against the risk and decide to tolerate it
  • closed, fully mitigated and no risk remains

5 Operational risk process

Before we can identify our risks, we need to understand what a risk is. A risk is the chance of something happening that will have an impact on business objectives and this can be in terms of either:

  • a threat, a possible event we want to try to reduce the chances of occurrence or limit the impact to us if it did happen
  • an opportunity, a possible event that we might exploit by taking action which could deliver a benefit or positive effect for our trust

So how does this differ from an issue? An issue is an unplanned event that has already happened. As the issue has already happened it is not a risk. However, that does not mean there is no risk associated with the issue.

For example, patients waiting excessive time on a waiting list is an issue as this is happening. Not having an adequate process to manage the care of those patients poses the potential risk of harm.

Risk management is the process of identifying and evaluating potential consequences and determining the most effective method of controlling and responding to the risk(s) that we face. It is an ongoing cyclical process, not just a point in time that requires a corporate approach across the whole trust.

Risk management process loop:

  • Identification and articulation.
  • Assessment and scoring.
  • Treatment.
  • Monitoring, review and reporting.

5.1 Identification and articulation

The trust cannot manage its risk effectively unless it knows what the risks are. Risk identification is therefore vital to the success of the trust’s risk management process and ultimately the safe delivery of care. Risk should include both threat and opportunity, and mature risk management should also address both types of uncertainty, seeking to minimise threats and maximise opportunities.

When identifying a risk, consideration should be given as to what could pose a potential threat to the achievement of objectives or otherwise impact on the success of the trust. Risks can be identified from many sources of information. Some of these are reactive (for example, incidents), proactive (for example, risk assessments), internal (for example, staff consultations) or external (for example, inspections).

Helpful resource, appendix C prompts for identifying risk, to assist in identifying risks.

Reactive:

  • current incidents complaints and claims
  • external decisions which could impact the organisation
  • external recommendations, CQC, HSE, MHRA, etc.
  • audits, quality, internal or external
  • national initiatives

Proactive:

  • delivery plans, corporate planning and objective setting
  • looking at lessons learned and previous issues
  • benefits of proposed projects and improvement actions
  • horizon scanning risk assessments
  • staff and stakeholder consultations
  • benchmarking

If you identify a potential or actual risk, discuss this with your line manager so that the most appropriate course of action can be taken.

Helpful resource, appendix E risk form, for use when a risk is identified to aid discussion and articulate the risk.

Once we have identified a risk, we then need to articulate what the risk is. Our trust has adopted the ‘If’ and ‘then’ statement model and it is used to describe:

  • the risk
  • the cause
  • the effect

Once we have considered these three elements, we can articulate what the risk is:

  • If (the risk)… due to (the cause), then this could or would lead to… (the effect).

Example, if we fail to ensure the safety and security of staff and patients due to business continuity plans not being kept reviewed and in date, then staff will be unfamiliar with the process; this could lead to injury, death, prosecution and reputational damage.

5.2 Assessment and scoring

5.2.1 What is in place already to stop this risk occurring?

The first stage of assessment is exploring what key controls are in place already, that is, what is in place that reduces either the impact or the likelihood of the risk occurring.

The key controls are the processes, plans and measures that are in place to reduce the impact of the risk or the likelihood of the risk occurring, such as:

  • operational plans
  • statutory frameworks, for instance standing orders, standing financial instructions and associated scheme of delegation
  • actions in response to audits, assessments and reviews
  • workforce training and education
  • clinical governance processes
  • incident reporting and risk management processes
  • complaints and other patient and public feedback procedures
  • performance management systems
  • strategies or policies or procedures or guidance
  • robust systems or programmes in place
  • objectives set and agreed at appropriate level
  • frameworks in place to provide delivery
  • SLA or contracts or agreements in place

It is important that we do not just list these controls but provide narrative, for example

5.2.2 How much risk?

Each risk once identified needs to be assessed. This is done by using a risk evaluation tool called the risk scoring methodology. This tool measures the impact of the risk occurring and the likelihood that the risk will occur.

Impact times likelihood equals risk score.

A risk assessment seeks to answer four simple questions:

  • what can go wrong?
  • how bad?
  • how often?
  • is there need for action?

The impact is the consequence or ‘how bad’ it would be if the risk occurred. When assessing this you should not use the worst case scenario, think what the most probable outcome would be.

The likelihood is a measure of how likely the risk will occur. When looking at this you should take into account the current environment. Consider the adequacy and effectiveness of the controls already in place and likeliness of the risk being materialised.

Risk score matrix (impact score down the side, likelihood score across the top; each cell is impact times likelihood):

Impact score      1 Rare   2 Unlikely   3 Possible   4 Likely   5 Almost certain
5 Catastrophic    5        10           15           20         25
4 Major           4        8            12           16         20
3 Moderate        3        6            9            12         15
2 Minor           2        4            6            8          10
1 Negligible      1        2            3            4          5

Helpful resource, appendix D risk scoring methodology, to aid scoring both the impact and likelihood.

5.3 Treatment

Treatment is how the risk will be managed, and what the required actions are to achieve an acceptable level of risk.

5.3.1 What can we do about this risk?

After assessing the risk score, a decision is made on the required risk treatment using the following criteria:

Treat, in many cases action can be taken to change the way activities are carried out in order to reduce the risk identified

Tolerate, low and minor risks can be accepted as requiring no further action.

Transfer, this involves another party bearing or sharing some part of the risk, for example, through the use of contracts, insurance arrangements and organisational structures such as service level agreements.

Terminate, it may be decided a particular risk should be avoided altogether. This may involve ceasing the activity giving rise to the risk.

The trust will regard any risk with a score of 8 or below to be acceptable as a tolerated risk, only when the likelihood is 2 or less. If the likelihood is 3 or higher and the risk owner deems that the risk should be tolerated (no further reasonable mitigation can be applied) then authorisation and agreement should be sought from the risk management group (please see table below).

What can we do about risk? Risk score, definition and decision:

  • 1 to 3 (low): an acceptable level of risk which remains subject to review. Decision: tolerate.
  • 4 to 6 (moderate): an acceptable level of risk (if the likelihood is 2 or less) which is subject to possible action and remains subject to review. Decision: tolerate or treat. All risks assessed with a likelihood score of 3 or above must be treated; any exceptions to this must be authorised by the risk management group.
  • 8 to 12 (high): requires action and review. Decision: tolerate, treat or transfer. All risks assessed with a likelihood score of 3 or above must be treated; any exceptions to this must be authorised by the risk management group.
  • 15 to 25 (extreme): unacceptable level of risk. Requires urgent or immediate review and action. Risk is escalated to the risk management group meeting for moderation. Decision: treat, transfer or terminate.

Any risks classed as tolerated will be assessed by the risk and assurance officer, and where the above detailed criteria are not met, an explanation will be requested as to why the risk should be tolerated. The risk will then be presented to the risk management group for authorisation and agreement.

For any risks that have been mitigated including those where the risk rating has been reduced to low, it is acceptable that the risk(s) remain open for a set period of time for monitoring purpose to ensure that the actions taken have in fact mitigated the risk. The time set should be proportionate to the risk and the implemented actions being monitored.

5.3.2 How to treat a risk?

For those risks that are to be treated we now need to evaluate what additional controls can be put in place to reduce the level of risk, whether this is the impact and, or the likelihood. We do not automatically try to eliminate the risk but instead manage it down to the appropriate level. The time, effort and cost to eliminate may not be appropriate and therefore proportionate actions need to be undertaken to create controls dependent on the risk and the risk appetite.

The aim of identifying actions is to identify further controls that can be put in place which reduce either the impact or the likelihood of the risk occurring. Examples include:

  • risk around the failure of a process, actions could be:
    • the process or policy to be reviewed
    • training for the revised process to be developed and delivered
    • monitor implementation of the process
    • evaluate whether the revised process is working
  • risk around difficulties in recruitment, actions could be:
    • role or service redesign
    • utilisation of a range of networks to continue to recruit
    • collaboration with other providers
  • risk around achieving activity targets, actions could be:
    • review of accuracy of data being extracted from the data warehouse
    • meetings and electronic sharing of reports with team managers to raise concerns and issues
    • identify finances to offset the loss of income
    • team managers to ensure that all clinical staff are recording information accurately
    • monitor progress on re-portal
    • use of increased staffing on a temporary basis to address backlog

The risk should then be reassessed and a post mitigation risk score identified as to what level of risk will remain once the action plan has been completed and additional controls have been put in place. The target level of the risk should be the agreed acceptable level for the trust that is achievable and proportionate to the risk being faced.

5.3.3 Recording the risk

All risks are recorded on a risk register which is the formal record of the risks that the trust has identified. There are 23 risk registers within the trust:

  • children’s mental health, children’s care group
  • children’s physical health, children’s care group
  • Doncaster acute, Doncaster adult mental health and learning disabilities care group
  • Doncaster community, Doncaster adult mental health and learning disabilities care group
  • learning disabilities and forensic, Doncaster adult mental health and learning disabilities care group
  • North Lincolnshire acute, North Lincolnshire adult mental health and talking therapies care group
  • North Lincolnshire community, North Lincolnshire adult mental health and talking therapies care group
  • talking therapies, North Lincolnshire adult mental health and talking therapies care group
  • rehabilitation, physical health and neurodiversity care group
  • community and long-term conditions, physical health and neurodiversity care group
  • neurodiversity, physical health and neurodiversity care group
  • Rotherham acute, Rotherham adult mental health care group
  • Rotherham community, Rotherham adult mental health care group
  • corporate assurance
  • health informatics
  • finance
  • estates
  • medical and pharmacy
  • nursing and quality
  • operations
  • people and organisational development
  • strategy and communications
  • therapies

Nominated risk owners are identified for all risks and further information is detailed in appendix A roles and responsibilities.

5.4 Monitoring, review and escalation

Part of managing operational risk is to continually review and update, to capture the changes and progress of mitigation. Each risk is allocated a risk owner who is responsible for ensuring changes to the risk are captured, that actions are implemented and the risk is updated accordingly. Reviews of each risk are to be undertaken as follows:

  • ‘live’ risks on a monthly basis
  • low and moderate rated ‘tolerated’ risks at least annually
  • high rated ‘tolerated’ risks at least quarterly

All risks must be robustly and routinely monitored and updated and the following should be considered:

  • live risks:
    • risk description, does it still reflect the current situation and potential or actual impact of the risk occurring?
    • actions:
      • what is the progress being made?
      • have the actions created new controls? If so, does this now affect the risk scoring, can it be reduced?
      • are more actions required?
  • tolerated risks:
    • is the risk still to be tolerated?
    • are the controls up to date and still in place or are there any additional controls to be added?

The monitoring of the action plan and level of risk must be kept under review. Where the implementation of the action plan is not producing the anticipated results, the risk should be re-assessed and a revised action plan agreed as necessary.

Once all actions have been completed and the risk has been mitigated as far as possible then the risk is moved to tolerated.

Project risk logs, where the project or a risk on the project risk log begins to have a significant impact on the trust then a risk should be added or the risk escalated to the appropriate risk register for formal monitoring through the trust’s structure (see appendix B monitoring arrangements).

5.4.1 Escalation

Where the implementation of the action plan is not producing the anticipated results and further support and guidance is required then these should be reported to the risk management group via the Corporate Assurance team.

All risks assessed and scored as 15 or above must be reported to the corporate assurance manager so that the risk can be moderated by the risk management group for agreement as an extreme risk.

Any risk with a likelihood of possible (3) or above that it is deemed should be tolerated is to be reported to the corporate assurance manager so that authorisation from the risk management group can be obtained.

Any risk identified with an impact of catastrophic (5) is to be reported to the corporate assurance manager so that the risk management group can review and moderate.
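The scoring rule in section 5.2.2, the treatment decision table and tolerate rule in section 5.3.1, and the escalation triggers in section 5.4.1 can be expressed as one small decision procedure. The following is an added example, not code from the framework document or from any trust system: the 1 to 5 scales, the score bands, the "score 8 or below and likelihood 2 or less" tolerate rule and the three escalation triggers are taken from the text, while the function names, the RiskAssessment structure and the sample register entries are assumptions constructed for illustration.

```python
"""Worked example of the framework's scoring, treatment and escalation rules.

Added example, not part of the framework document or any trust system.
Scales, bands and rules follow sections 5.2.2, 5.3.1 and 5.4.1; function
names and the sample register entries are constructed for illustration.
"""
from dataclasses import dataclass

IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}

# Score bands and the treatments each band permits (section 5.3.1 table).
BANDS = (
    (1, 3, "low", ("tolerate",)),
    (4, 6, "moderate", ("tolerate", "treat")),
    (8, 12, "high", ("tolerate", "treat", "transfer")),
    (15, 25, "extreme", ("treat", "transfer", "terminate")),
)


def risk_score(impact: int, likelihood: int) -> int:
    """Impact times likelihood equals risk score (section 5.2.2)."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must both be integers from 1 to 5")
    return impact * likelihood


def score_band(score: int) -> str:
    """Map a matrix score to its band; every product of two 1..5 integers lands in one."""
    for low, high, name, _ in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is not a value on the 5x5 matrix")


def permitted_treatments(impact: int, likelihood: int) -> tuple:
    band = score_band(risk_score(impact, likelihood))
    return next(treatments for _, _, name, treatments in BANDS if name == band)


def tolerate_needs_authorisation(impact: int, likelihood: int) -> bool:
    """Tolerating without risk management group authorisation is only acceptable
    when the score is 8 or below AND the likelihood is 2 or less (section 5.3.1)."""
    return not (risk_score(impact, likelihood) <= 8 and likelihood <= 2)


def escalations(impact: int, likelihood: int, proposed_treatment: str) -> list:
    """Reports to the corporate assurance manager required by section 5.4.1."""
    score = risk_score(impact, likelihood)
    if proposed_treatment not in permitted_treatments(impact, likelihood):
        raise ValueError(f"{proposed_treatment!r} is not permitted for a {score_band(score)} risk")
    triggers = []
    if score >= 15:
        triggers.append("score 15 or above: moderation by the risk management group as an extreme risk")
    if proposed_treatment == "tolerate" and likelihood >= 3:
        triggers.append("tolerated with likelihood 3 or above: risk management group authorisation required")
    if impact == 5:
        triggers.append("catastrophic impact: review and moderation by the risk management group")
    return triggers


@dataclass
class RiskAssessment:  # constructed register entry, not a real trust risk
    ref: str
    impact: int
    likelihood: int
    treatment: str


SAMPLE_REGISTER = [  # constructed sample entries for illustration only
    RiskAssessment("EXAMPLE-001", impact=2, likelihood=2, treatment="tolerate"),
    RiskAssessment("EXAMPLE-002", impact=3, likelihood=3, treatment="tolerate"),
    RiskAssessment("EXAMPLE-003", impact=5, likelihood=4, treatment="treat"),
]


def review_register(register: list) -> list:
    """Score each entry, classify it and list any escalations it requires."""
    results = []
    for r in register:
        score = risk_score(r.impact, r.likelihood)
        results.append({
            "ref": r.ref,
            "score": score,
            "band": score_band(score),
            "needs_authorisation": r.treatment == "tolerate"
            and tolerate_needs_authorisation(r.impact, r.likelihood),
            "escalations": escalations(r.impact, r.likelihood, r.treatment),
        })
    return results


if __name__ == "__main__":
    for row in review_register(SAMPLE_REGISTER):
        print(row["ref"], row["score"], row["band"], row["escalations"])
```

Note that the high band (8 to 12) permits "tolerate" in the table, but the tolerate rule only accepts a score of 8 or below with likelihood 2 or less without authorisation; a catastrophic-impact risk scored 10 (impact 5, likelihood 2) therefore shows as needing risk management group authorisation, and is also caught by the catastrophic-impact escalation trigger.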

6 Strategic risk process

In accordance with the annual reporting manual issued by NHS Improvement, all foundation trusts are required to present in their annual report an annual governance statement signed by the chief executive and underpinned by a supporting board assurance framework (BAF). This aims to provide the board of directors with assurance that systems are safe and subject to appropriate scrutiny and that the board of directors are able to demonstrate that they are informed of key strategic risks. The BAF contains all the strategic risks that have the ability to undermine the trust’s strategic objectives.

The BAF is built up of the strategic risks and includes:

  • current and target risk scores
  • lead committee and lead director
  • key controls intended to manage the risk
  • sources of assurance to evidence that control measures in place are working effectively to manage risk
  • gaps in either control or assurance and actions to address the gaps
  • risk appetite

6.1 Sources of assurance

The key difference in monitoring strategic risk from operational risks is the use of assurance. Source of assurance refers to the evidence that describes how well the controls are operating. We have adopted the ‘three lines of defence’ model which categorises the assurance according to how independent it is likely to be:

  • first line, operated by managers across the business
  • second line, corporate oversight functions and challenge
  • third line, independent external assurance

Examples for each line of defence are as follows:

  • first line of defence, operational management:
    • budgets
    • risk assessments
    • work programmes of groups or committees
    • planning exercises when, who, relevance
    • training needs assessments
  • second line of defence, corporate oversight:
    • performance or quality monitoring in place and at what level, how and when
    • action monitoring reports
    • complaints and compliments or incident monitoring
    • national returns
    • training compliance monitoring
    • routine reporting of key targets together with any necessary contingency plans
  • third line of defence, independent assurance:
    • external audit
    • external inspection bodies, such as the Care Quality Commission and Royal Colleges
    • systems of accreditation
    • mandatory reporting systems
    • internal audit
    • Health and Safety Executive

6.2 Monitoring, review and escalation

6.2.1 Monitoring and review

Part of managing strategic risk is to continually review and update, to capture the changes and progress of mitigation. Each risk is allocated a director of the board as the risk owner, who is responsible for ensuring changes to the risk are captured, that actions are implemented and the risk is updated accordingly. Reviews of each risk are to be undertaken with support from the corporate assurance manager as follows:

  • ‘live’ risks on at least a bi-monthly basis
  • ‘tolerated’ risks on at least a six monthly basis

All risks must be robustly and routinely monitored and updated and the following should be considered:

  • risk description, does it still reflect the current situation and potential or actual impact of the risk occurring?
  • gaps in control or assurance, are all gaps covered?
  • actions:
    • what is the progress being made?
    • have the actions created new controls? If so, does this now affect the risk scoring, can it be reduced?
    • are more actions required?
  • tolerated risks
    • is the risk still to be tolerated?
    • are the controls up to date and still in place or are there any additional controls to be added?

In addition, a periodic review of the strategic risks will be undertaken taking into consideration the operational risk profile to assess whether the appropriate strategic risks have been identified.

6.2.2 Escalation

Escalation for strategic risks will be to the board of directors as follows:

  • agree any change of risk description
  • agree an increase or decrease in risk score
  • provide support where the implementation of the action plan is not producing the anticipated results and further support and guidance is required

7 Training implications

In addition to the mandatory training delivered and co-ordinated by learning and development, a programme of risk training is provided for all employees. All staff have access to the ‘000 Risk Management and Governance’ training on ESR.

To ensure full consideration of our trust’s risk management approach further training around risk, risk management and identifying risk will be available and encouraged for all staff to undertake through a series of short training videos.

To support risk owners within directorates with responsibilities for registers, 1 to 1 training with the Corporate Assurance team is available for all identified risk owners, supplemented with the easy step guide provided after the training. Further training around identifying and articulating risk, assessing, treating and reviewing risk will be available and encouraged for risk owners to undertake through a series of short training videos.

In addition, the trust will commission external training for cohorts of staff as and when identified.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please email rdash.equalityanddiversity@nhs.net to request the document.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

Trust response, no issues have been identified in relation to this policy.

8.2 Mental Capacity Act

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individual’s capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant, to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of the individual are protected, that they are supported to make their own decisions where possible, and that any decisions made on their behalf when they lack capacity are made in their best interests and are least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).

9 Evaluation

Content pending.

10 Links to any other associated documents

The Risk Management Framework is supported by the trust’s suite of policies as listed on the RDaSH website. There is a strong link to a range of policies including:

11 References

The Orange Book, Management of risk, Principles and Concepts

12 Appendices

12.1 Appendix A Roles and responsibilities

12.1.1 All staff

All staff are responsible for having a sense of ownership and commitment to:

  • identifying and reporting risk
  • responding to and minimising risk
  • participating in training sessions
  • carrying out any agreed control measures and duties as instructed

12.1.2 Line managers

Line managers are responsible for the identification of risks and for implementing and monitoring any identified risk management control or assurance measures, within their designated area and scope of responsibility. Managers should also ensure that all staff are aware of risks within their workplace and provide adequate information, instruction and training to enable them to work safely.

Managers should seek advice on risk management issues, as required, and liaise with relevant specialist advisors where necessary.

12.1.3 Nominated risk owners

Nominated risk owners, are responsible for the management of identified risks within the scope of their responsibility, ensuring that open risks are reviewed monthly, controlled risks are reviewed at least annually (high controlled risks at least quarterly) and maintained in a timely manner.

12.1.4 Project managers

Project managers, are responsible for the identification of all risks to a specific project, ensuring that they are recorded, regularly reviewed (at least monthly) and maintained in a timely manner.

12.1.5 Risk register owners

Risk register owners, are responsible for:

  • identifying, receiving, managing, monitoring, and reviewing relevant risks within the scope of their Directorate or Corporate team
  • undertaking regular ‘horizon scanning’ to identify risks by looking forward as part of the development of the trust risk registers
  • ensuring effective escalation of any extreme risk to the relevant executive lead

12.1.6 Board of directors

Board of directors is responsible for:

  • taking the lead on the assessment and management of risk and take a strategic view of risks in our trust
  • ensuring that roles and responsibilities for risk management are clear to support effective governance and decision-making at each level with appropriate escalation, aggregation and delegation
  • determining and continuously assessing the nature and extent of the principal risks that our trust is willing to take to achieve its objectives, its “risk appetite”, and ensure that planning and decision-making appropriately reflect this assessment
  • assuring itself of the effectiveness of the organisation’s risk management framework
  • assessing compliance with the corporate governance code and ensuring that explanations of any departures are recorded within the governance statement of the annual report and accounts

12.1.7 Chief executive

Chief executive as accounting officer is responsible for:

  • ensuring that expected values and behaviours are communicated and embedded at all levels to support the appropriate risk culture
  • demonstrating leadership and articulating their continual commitment to and the value of risk management
  • ensuring that risk is considered as an integral part of appraising option choices, evaluating alternatives and making informed decisions

12.1.8 Audit committee

Audit committee is responsible for supporting the board of directors in leading the assessment and management of risk through:

  • understanding our trust’s business strategy, operating environment and the associated risks, taking into account all key elements of the organisation
  • critically challenging and reviewing the risk management framework, to evaluate how well the arrangements are actively working in our trust
  • critically challenging and reviewing the adequacy and effectiveness of control processes in responding to risks within our trust’s governance, operations, compliance and information systems

12.1.9 Risk management group

Risk management group is responsible for:

  • ensuring that our trust is actively identifying and documenting risks in all directorates of the organisation
  • overseeing work to mitigate risks, supporting leaders to do so, where necessary by bringing together expertise across the group
  • taking responsibility for resolving cross-trust risks that are thematic or escalating such concerns for resolution through the clinical leadership executive (CLE) and, or within delivery reviews
  • ensuring that the risk management framework is being implemented effectively and to advise CLE or the audit committee where this is not the case
  • ensuring that risks to delivery of the strategy are reflected within the risk register or, where relevant, the board assurance framework

12.1.10 Senior information risk owner (SIRO)

The director of health informatics fulfils the role and function of the senior information risk owner (SIRO) and is accountable to the chief executive for the management of information risk.

12.1.11 Director of corporate assurance or board secretary

Director of corporate assurance or board secretary is responsible for ensuring that all risk and assurance processes are devised, implemented and embedded throughout the trust, and for reporting any significant issues arising from the implementation of the framework, including non-compliance or lack of effectiveness identified by the monitoring processes.

12.1.12 Corporate assurance manager

Corporate assurance manager is responsible for the development, maintenance and monitoring of risk management processes, particularly in relation to:

  • board assurance framework
  • extreme operational risks
  • electronic risk management system (risk module within safeguard)
  • support to the risk owners with regards to the management of risk

12.2 Appendix B Monitoring arrangements

Both operational and strategic risks are subject to continual review and monitoring by the relevant meeting structure; this is facilitated by the corporate assurance team, which produces the reports outlined below.

12.2.1 Strategic risk oversight

Board of directors will receive reports on:

  • all strategic risks within board assurance framework for approval, as and when required
  • any changes to the risk description and, or risk scoring for approval, as and when required
  • oversight on progress of mitigation of all the strategic risks within board assurance framework, 3 times a year
  • extreme rated operational risks, as and when identified

Board committees will receive reports on:

  • oversight on progress of mitigation of the strategic risks within board assurance framework as assigned to the applicable committee(s), 3 times a year
  • any changes to the risk description and, or risk scoring to provide comment and recommend approval, as and when required

12.2.2 Systems of internal control oversight

Audit committee will receive reports on:

  • an overview of risk management which outlines the process for managing and monitoring risk and provides assurance on achievement to date, each meeting

12.2.3 Operational risk oversight

Clinical leadership executive will receive reports on:

  • an out-brief from the risk management group summarising decisions and any areas of escalation
  • extreme rated risks, as and when identified

Risk management group will receive reports on:

  • longstanding risks, on a rolling programme basis
  • thematic reviews, on a rolling programme basis
  • cross trust risks, on an as and when basis
  • escalating risks, on an as and when basis
  • compliance data, on a rolling programme basis

Delivery review meetings will receive reports, based on the applicable risk register, on:

  • current state of risks, each meeting
  • top 3 risks, each meeting

Care group business meetings will:

  • have oversight of the care group risks, at each meeting

Risk owners will:

  • monitor and review all live risks on a monthly basis
  • monitor and review all tolerated risks at least quarterly (high risks) or annually (moderate and low risks)
  • escalate any risks deemed to be extreme to the risk management group for moderation and approval
  • escalate any risks that require further support and guidance to the risk management group

12.3 Appendix C Prompts for identifying risk

  • Strategy: risks arising from identifying and pursuing a strategy which is poorly defined, is based on flawed or inaccurate data, or fails to support the delivery of commitments, plans or objectives due to a changing macro-environment (for example, political, economic, social, technological, environmental and legislative change).
  • Governance: risks arising from unclear plans, priorities, authorities and accountabilities, and, or ineffective or disproportionate oversight of decision-making and, or performance.
  • Operations: risks arising from inadequate, poorly designed, ineffective or inefficient internal processes that could result in fraud, error, impaired customer service (quality and, or quantity of service), non-compliance and, or poor value for money.
  • Clinical: risks arising from inadequate, poorly designed, ineffective or inefficient internal clinical processes that could result in non-compliance and, or harm and suffering to employees, contractors, service users or the public.
  • Legal: risks arising from a defective transaction, potential claim or some other legal event occurring that may result in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets (for example, intellectual property).
  • Property: risks arising from property deficiencies or poorly designed, ineffective or inefficient safety management, resulting in non-compliance and, or harm and suffering to employees, contractors, service users or the public.
  • Financial: risks arising from not managing finances in accordance with requirements and financial constraints, resulting in poor returns from investments, failure to manage assets or liabilities or to obtain value for money from the resources deployed, and, or non-compliant financial reporting.
  • Commercial: risks arising from weaknesses in the management of commercial partnerships, supply chains and contractual requirements, resulting in poor performance, inefficiency, poor value for money, fraud, and, or failure to meet business requirements or objectives.
  • People: risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and, or non-compliance with relevant employment legislation or HR policies, resulting in a negative impact on performance.
  • Technology: risks arising from technology not delivering the expected services due to inadequate or deficient system or process development and performance, or inadequate resilience.
  • Information: risks arising from a failure to produce robust, suitable and appropriate data or information, and to exploit data or information to its full potential.
  • Security: risks arising from a failure to prevent unauthorised and, or inappropriate access to the estate and information, including cyber security and non-compliance with General Data Protection Regulation requirements.
  • Reputational: risks arising from adverse events, including ethical violations, a lack of sustainability, systemic or repeated failures, poor quality or a lack of innovation, leading to damage to reputation and, or destruction of trust and relations.
  • Environmental: risks arising from a changing macro-environment (for example, political, economic, social, technological, environmental and legislative change).
  • Project or programme: risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality.

12.4 Appendix D Risk scoring methodology

12.5 Appendix E Risk form


Document control

  • Version: 11.
  • Unique reference number: 1075.
  • Approved by: Board of directors.
  • Date approved: 25 January 2024.
  • Name of originator or author: Corporate assurance manager.
  • Name of responsible individual: Director of corporate assurance.
  • Date issued: 19 February 2024.
  • Target audience: All staff.

Page last reviewed: April 30, 2024
Next review due: April 30, 2025
