Risk Management is the Business of Every Member of the PCT in Order to Ensure the Safety of our Patients and Staff
To be read in conjunction with: Risk Management Policies Issue Date: April 2007 Replaces: South Sefton PCT Risk Management Strategy Southport & Formby PCT Risk Management Strategy Author/Originator: Susan Giles, Risk Manager Authorised by: PCT Board Review Date: April 2008 Date: March 2007
Statement of PCT Board Commitment Risk Management Philosophy & Principles Organisation Arrangements and Management of Risk Roles and Responsibilities Risk Management Process Reporting Arrangements
Risk Matrix Guidance on the Risk Matrix Board Committee Structure Risk Reporting Structure & Relationships Sefton Primary Care Trust Terms of Reference (key risk committees) Supporting policies & procedures Sources of support and expertise in relationship to Risk Management Risk Management Performance Indicators
Page 3 of 37
Page 4 of 37
It is the policy of Sefton PCT to identify, assess and control the risks that threaten or compromise its ability to fulfil its aims of improving the health of the local community, providing the highest quality primary care and commissioning the highest quality secondary care, whilst providing a safe working environment for staff. This document sets out the PCTs approach to the management of risk and implementation of a system, which enables informed management decisions in regard to identification, assessment, treatment and monitoring of risk. The objective of the Risk Management Strategy is to provide a structured direction for all PCT staff and independent contractors to follow in identifying and managing risk across all activities. A framework and plan is provided by which the organisation can further develop its capability and capacity to meet the demands of effective risk management. The management of risk is integral to the PCTs Integrated Governance approach to improving quality of care by creating an environment in which clinical excellence will flourish and the quality of patient care continuously improves.
2.2.
Risk management (RM) is a framework for the systematic identification, assessment, treatment and monitoring of risks. Its purpose is to prevent or minimise the possibility of recurrence of risks and their associated consequences, which have potentially adverse effects on the quality of care, both provided and commissioned, and safety of patients, staff and visitors, and the financial management of the organisation. The PCT is committed to ensuring robust systems are in place to ensure high standards of risk management. A proactive structured and systematic approach supports informed management decision-making by providing a greater understanding of risks and their impact. Effective management of risk has the potential for reducing the frequency and severity of adverse incidents, complaints and claims. The management of risk is the business of every person within the organisation and requires commitment and collaboration from all staff. It is essential that the PCT has a clear and defined strategy for managing risk as this will impact upon its ability to deliver key objectives, achieve defined goals and ultimately to effectively deliver services. Fundamental to the management of risk are the following held values: Effective risk management is dependent upon a developing fair blame culture, which encourages open reporting of problems and errors from which lessons are learned. Effective risk management systems are an integral part of good clinical practice and should discourage defensive clinical practice and reduce clinical risk.
There are three areas of risk, which have the potential to adversely affect the PCTs patients, staff, services which are provided or commissioned, resources and reputation: Clinical Corporate (non-clinical) Financial
Page 5 of 37
2.3
Policy Statement
It is the policy of Sefton PCT to: Establish an organisational philosophy, which ensures risk management is an integral part of corporate objectives, plans and management systems Identify and manage existing and potential risks in an active and sensitive manner Develop and improve the systems and processes within the PCT for the management and control of risk Eliminate or minimise harm to people and property
2.4
The PCT believes that the risk management programme should: Demonstrate PCT Board support and commitment to meeting the Risk Management agenda Be a fundamental part of the PCTs Integrated Governance Strategy Ensure that the development of the Risk Management Programme is an integral part of all Corporate, departmental and team, service and workforce plans Continually develop the Risk Management Strategy and ensure communication at all levels of the PCT Clearly define the stages within the Risk Management process Ensure that arrangements for leading the PCTs implementation of Standards for Better Health and the NHSLA Risk Management Standards for PCTs are agreed and managed by each lead director Manage risks at an Organisational, Corporate, Departmental and team level Continually monitor and review responsibility for, and performance of the management of risk Develop corporate and local risk registers within the PCT by implementing a comprehensive risk assessment and grading system Provide an effective system to reduce clinical risk and improve and maintain the quality of patient care Provide an effective system to reduce non-clinical risk and improve and maintain the safety of the environment in which the service is delivered Develop and monitor Risk Management Performance Indicators Encourage a culture of fair blame with regard to the management of incidents, near misses, complaints and claims, being transparent when things go wrong Ensure that lessons are learned from good and deficient practice
Page 6 of 37
Ensure all employees are involved in all relevant risk related and development activities Provide a framework to ensure that the NHSLA Risk Management Standards for PCTs at levels 1, 2 and 3 are achieved and maintained Agree and firmly establish clearly defined roles and responsibilities for the management of all risk within the PCT Ensure that all departments and teams accept their responsibility for managing risk at a local level
2.5
The PCT utilises the frameworks of Standards for Better Health (DoH 2004) and the NHSLA Risk Management Standard for PCTs (2005) to provide evidence that the organisation is doing its reasonable best to manage, direct and control risk so as to meet its objectives. These frameworks for Risk Management also enable the PCT to demonstrate that it is protecting patients, employees and stakeholders safety and interests against risks of all kinds. Evidence will be provided to demonstrate continuous progress against risk management standards and action plans. Management of risk is the responsibility of everyone in the organisation. It requires commitment and collaboration from all staff, both clinical and non-clinical. Responsibilities are further defined within this document (see Section 4). The PCT recognises that by its very nature, health care is a risk business, not least because some risks have to be taken in order to improve the quality of treatment and care for patients. The PCT also recognises that mistakes and errors can happen, therefore a strategy and a framework is required to deal with the hazards and risks associated with its main functions of providing and commissioning high quality health care and improving the health of the local population.
Page 7 of 37
SECTION 3: ORGANISATION ARRANGEMENTS AND THE MANAGEMENT OF RISK 3.1 Risk Management Arrangements
This Risk Management Strategy describes the relationships and responsibilities, which form the framework for the management and control of risk within Sefton PCT. Risk Management standards require NHS organisations to ensure that their arrangements for Risk Management are robust and effective. All Board committees carry a responsibility for monitoring and overseeing risk that is relevant to the nature of their duties and responsibilities. However, the PCT Board has agreed that the Governance Committee (GC) will take the overview of all risk and report directly to the PCT Board. This approach, of having a combined Clinical Governance, Patient Services and Risk Management Committee was commended by the Audit Commission in their guidance on Governing the NHS (June 2003). This Group will also report to the Audit Committee in terms of information that the Audit Committee may wish to consider, when deciding on audit forward plans. Also to enable the Audit Committee to be reassured that systems and processes are in place and in operation, so that all risks are identified, evaluated and controlled. The Governance Committee and Audit Committee will communicate via the formal sharing of minutes and common membership of Executive and Non Executive Directors.
3.2.
Standards for Better Health (S4BH) is the process by which PCT Boards can reassure the public that the PCT has developed an appropriate framework to continue to work towards a safe, high quality and modern health service and mitigate against risk. The PCTs risk management system is one of the mechanisms by which these standards are effected and co-ordinated throughout the PCT, by identifying potential and actual lapses in compliance with the standards, and ensuring action is taken to maintain compliance.
3.3
Performance Measurement
The success of risk control measures must be monitored in an appropriate manner to provide information to guide future progress. The PCT committee structure (Section 6) provides a vehicle for monitoring risk management activity. The Governance Committee (GC) will be responsible for ensuring information from the directorate risk registers is reported to the appropriate Board committee(s), comments will be reported back to the GC. The Governance Committee receives information from the incident reporting system and considers policy changes as a result of information from incident reporting. The Governance Committee is responsible for overseeing the production of the risk management annual report. The GC is responsible for overseeing and monitoring of all risk management activity and reporting such activity to the PCT Board. The Governance Committee monitors the risk management performance indicators (Appendix 8) on a 6-monthly basis.
3.4
There are various ways in which the PCT assesses and monitors risk. These include:
Risk Management Strategy Page 8 of 37
Reactively monitoring appropriate use of incident, complaints and claims reports and trend analysis Proactively monitoring adherence to procedures through audit, workplace inspections, staff surveys and performance indicators
3.5
The Governance Committee will review progress against implementation of the strategy. The review will be based on the information available from the risk assurance framework, directorate risk registers, performance against Standards for Better Health core standards and the NHSLA Risk Management Standards for PCTs.
3.6
Each year, the Chief Executive produces a Statement of Internal Control. The Audit Committee and Mersey Internal Audit Agency (MIAA) approve this for inclusion in the Annual Report. This is a statement of assurance of effective systems of control in the following areas: Finance Risk Management Governance
3.7
The PCT has developed a corporate approach to identify and manage risk through a process of risk assessment. During 2007 the PCT intranet section on risk management shall be developed to provide guidance on risk assessment. This shall include: A Guide to Risk Assessment and Developing a Local Risk Register A risk assessment form & action plan Risk matrix
The intranet section shall also include: Online incident reporting Incidents Trigger List Guidance on reporting incidents Root Cause Analysis Tools and Techniques Risk management policies and procedures
3.8
The PCT believes a team approach to risk management is essential. The following training is provided across the PCT on an on ongoing basis:
Risk Management mandatory training to promote ownership of the Risk Management Strategy, including providing guidance on Incident Reporting, Root Cause Analysis, Risk Assessment and the Risk Register, delivered by the Risk Manager Risk Management for managers mandatory training for all supervisors and managers Risk Management included in the corporate induction programme As identified in training needs analysis from staff personal development plans
Page 9 of 37
By providing support in response to information notices i.e. Medical Devices Alerts and Health & Safety Notices.
3.9
It is accepted that it is neither realistic nor possible to totally eliminate all risk. It is, however, feasible to develop a systematic approach to the management of risk so that adverse consequences are minimised, or in some cases, eliminated. The PCT aims to provide an environment geared to innovation and service development and recognises that risk taking can achieve some benefits. However, risk taking without evaluation and management can result in adverse outcomes for patients, staff, resources and reputation. The PCT utilises an accepted system for grading risk, which takes into account parameters that include probability of occurrence and impact on the organisation. This system is aligned with National Patient Safety Agency (NPSA) recommendations and described in detail in section 5. The risk grading system also covers clinical and non-clinical reporting of incidents. The level of authority required for managing the different grades of incidents is described in the incident reporting procedure. A grading system enables a method of quantification that can be used to prioritise risk treatment at all levels. The following table indicates the authority of managers to act in accordance with the quantification of risk. Table 1: Managerial Authority to act on risks
This table indicates the level of individual(s) who would normally be involved in determining the degree of risk and taking action.
Senior Clinician
Low Moderate High Extreme
PCT Board
x x
In the event of incidents classified as `high` and/or extreme the Executive Directors and/or the Chief Executive (CE) must be informed. A decision will be made as to whether to undertake an internal/external inquiry or root cause analysis to investigate root cause and/or systems failure. The CE will appoint an inquiry team in these circumstances. Table 2: Authority for deciding on acceptable levels of risk
A grading system also enables decision making on the basis of what is an acceptable level of risk for the organisation to sustain. The following table indicates the level of authority of individual(s) who would normally be involved in deciding the level of risk relating to an issue which the organisation is prepared to accept.
Page 10 of 37
Senior Clinician
Low Moderate High Extreme
PCT Board
x x
3.10
Risk Funding
Identified capital and revenue expenditure is determined during the PCTs local delivery planning process. Risks are identified via risk assessment and action planning. The Executive Team reviews the risk register on behalf of the PCT Board. High priority risks are identified and submitted to the Board for consideration. The PCT Board ultimately decides on the appropriate level of investment required to address and mitigate against risks identified.
3.11
The PCT is a member of the Clinical Negligence Scheme for Trusts (CNST), Liabilities to Third Parties (LTPS) and the Property Expenses Scheme (PES) that are administered by The NHS Special Litigation Authority (NHSLA). Funding is on a pay as you go basis. PCT contributions are based on range criteria such as NHS income, numbers of staff and property values. From April 1st 2003 these contributions can be reduced if the PCT meets the NHSLA Risk Management Standard for PCTs criteria. The PCT has action plans in place to meet criteria set out by these schemes.
3.12
The PCT contracts certain services out; however, the PCT is still ultimately responsible for ensuring the service provider regularly reports progress or areas of concern. Therefore Service Level Agreements will be reviewed on an annual basis to ensure compliance of service provision. This also confirms that risk assessments have been completed and the appropriate action taken, and that there are clear lines of accountability and responsibility for staff working in another organisations facility.
3.13
The Risk Manager will ensure that the Risk Management Strategy is communicated throughout the PCT. The following methods will be adopted: Internal PCT Intranet Staff Newsletter Team Brief Identified induction and training sessions Circulation to all Departmental/Practice/Clinic Managers with a covering letter requesting that the strategy is circulated to all members of the PCT with a checklist for signature. Copies of the checklist should be kept for future reference. The document will be easily accessible in a prominent place within departments/practices/ clinics Leaflets summarising the Risk Management Strategy shall be circulated to all PCT staff
Page 11 of 37
External The Risk Manager is responsible for ensuring that the document is distributed to relevant stakeholders including the Strategic Health Authority, Local Authority and local trusts PCT website
3.14
Directors shall hold managers to account for communicating and implementing the Risk Management Strategy within their service/department. An effective way of ensuring that the Risk Management Strategy is adopted into the culture of the organisation is via the appraisal process when managers are reviewing staff members performance against the Knowledge and Skills Framework outlines. A suggestion of evidence to be looked for is listed below: KSF Core Dimension 3: Health, Safety and Security: Level 1: Assist in maintaining own and others health, safety and security. Staff members can demonstrate that they report incidents and near misses via the PCT incident reporting system and that risks are identified to their line manager, this may be evidenced by contributing to the completion of a risk assessment. Level 2: Monitor and maintain health, safety and security of self and others Staff members, for example, supervisors and department managers, can demonstrate that they take action in response to incidents and near misses, for example, removing trip hazards, actioning health and safety workplace inspection reports. Staff members should also be able to evidence that they have conducted risk assessments and highlight any risks out of their control to the relevant manager, this may be via the PCTs risk registers. Level 3: Promote, monitor and maintain best practice in health, safety and security Senior managers should be able to demonstrate that they are able to investigate high level incidents and take action to prevent recurrence, that they can manage risks effectively and contribute to the development and maintenance of their directorate risk register, or that they have sought specialist advice on the management of risks or incidents, i.e., Infection Control, Risk Manager, Health & Safety Manager.
Page 12 of 37
It is important to clarify that every PCT member of staff has an individual responsibility for risk management activities. It is also important to make explicit how the responsibility of the individual contributes to the lines of management accountability through to the PCT Board. There are four identifiable tiers: 1. 2. 3. 4. Chief Executive/Executive Team Senior Management Department/Practice/Clinic Managers All staff
4.2
It is the responsibility of the Chief Executive and Executive team to ensure that standards of risk management are applied at all levels within the PCT and that assurance mechanisms are in place to assure the PCT Board. The team will ensure that this is led and monitored through the work of relevant committees and directorate risk registers. The Chief Executive and Executive Team are members of committees of the Board, with responsibility for overseeing the work of the specialist risk groups. Through these committees, the Chief Executive and his team provide leadership and strategic direction in terms of Risk Strategy, Policy and Management. This responsibility includes consideration of the PCTs Risk Registers and resource allocation based on significance of risk and risk reduction. The recommendations of the Governance Committee on behalf of all aspects of risk are submitted to the PCT Board, where decisions are made on a priority basis. Clinical & Corporate (Non Clinical) Risk: Director of Governance The Director of Governance has executive responsibility for Clinical and Corporate Risk, and the development of clinical governance. The Director of Governance is a member of the Governance Committee. Financial Risk: Director of Finance The Director of Finance has executive responsibility for Financial Risk and is responsible for ensuring that the PCT carries out its business of providing healthcare within sound Financial Governance and risk management arrangements that are controlled and monitored through robust audit and accounting mechanisms that are open to public scrutiny on an annual basis. The Director of Finance
Risk Management Strategy Page 13 of 37
will seek the Chief Internal Auditors opinion on the effectiveness of internal financial control. The Director of Finance is a member of the Governance Committee and the Audit Committee. Early Warning System (Executive Team) The Executive Team operates an Early Warning System, which enables any issue with the potential to pose a significant risk to the PCT, to be brought immediately to the attention of the Executive Team without using the formal committee route. The decision to use this route must be approved by a member of the Executive Team. Professional Executive Committee (PEC) The PEC is responsible for supporting systems and structures which promote excellence in clinical care and which minimise risk by incremental improvement in service quality. The PEC Clinical Governance Lead is responsible for advising and supporting the Governance Committee, including identifying new risks and highlighting these to the GC.
Take the necessary action to ensure that appropriate resources are made available for staff to meet all the requirements of risk management Periodically assess the effectiveness of the Risk Management Strategy and ensure that any necessary changes are made Ensure that advice to clinicians and managers on effective risk control mechanisms is provided Ensure that standards for responsible risk management practice are maintained and improved Ensure that arrangements are in place to audit compliance with standards.
Health and Safety Manager The Health and Safety Manager has responsibility for ensuring a safe environment for staff and clients by adhering to relevant Health and Safety legislation, regulations and codes of practice. The Health and Safety Manager will: Provide specialist advice, guidance and support to staff regarding their Health and Safety responsibilities. Develop systems for Health and Safety risk assessment management and auditing Health and Safety. Support the development of policies and procedures to support the Risk Management Strategy. Develop and deliver Health and Safety training across the PCT. Attend the Health and Safety Committee and report to relevant Board committees on matters relating to Health and Safety.
Specialist Expertise Expertise in specific areas of risk may be obtained from a variety of sources, both internal and external such as: Fire Officer Estates Manager Infection Control Nurses Occupational Health Manager Manual Handling Advisor Local Security Management Specialist NHS Counter-fraud and Security Management Service National Patient Safety Agency NHS Litigation Authority
Page 15 of 37
Risk management responsibilities are properly assigned and accepted at all levels. All risks associated with their area of responsibility are risk assessed and the results of these assessments and resulting control mechanisms are recorded on the Directorate Risk Registers. Control procedures will be periodically reviewed for continued effectiveness. A periodic review of the effectiveness of risk management within their area of responsibility is undertaken and take action to eliminate deficiencies Information, instruction and training are delivered to staff appropriate to the findings of the risk assessments. Safe systems of work are in place and that effectiveness is periodically monitored. Accidents, occupational illness or dangerous occurrences which are defined by the "Reporting of Injuries, Disease and Dangerous Occurrences Regulations (1985) are reported to the Risk Management Department and a copy of the report form is forwarded to the Health & Safety Executive. Outcomes of risk assessments are used as part of the service planning process to assist with planning and resource allocation. Information captured by complaints, litigation and accident/incident reporting is used as a means of continuous monitoring and review, leading to risk reduction in services within their sphere of control Bringing any significant risks which have been identified, and where local controls are considered to be potentially inadequate, to the attention of the Governance Committee or Executive Team via the Early Warning System. All staff within their department or team attend risk management training in line with the PCTs Mandatory Training Policy.
Page 16 of 37
Page 17 of 37
SECTION 5: THE RISK MANAGEMENT PROCESS 5.1 The Risk Management Framework
The PCT has adopted the risk management framework described in the NHS Executives Controls Assurance risk management standard. This draws on the main components of risk strategy, that is, risk identification, risk analysis, evaluation and prioritisation and risk treatment.
Risk Identification
Risk Assessment
Risk Treatment
5.2 Risk Identification
5.2.2 Grading
All incidents will be graded at source and as a result of a local investigation, local management when appropriate will ensure controls are put into place and advise Senior Management of the risk treatment and controls accordingly. The Risk Manager considers all incidents and reviews the grading applied. Training is provided to enable staff to grade incidents at source.
Page 18 of 37
5.3
Risk Assessment
In order to anticipate, rather than react to risks identified a formal mechanism for risk assessment has been adopted within the PCT. The aim of risk assessment is to determine how to manage or control the risk and translate these findings into a safe system of work that is then communicated to the appropriate level of management. A risk assessment is a careful examination of what could cause harm to people. The assessors need to weigh up whether there are sufficient controls in place, if not, they must establish the extent of control and ensure that action is proportionate to the level of risk. Risk assessments are subjective, therefore, a team of no less than 3 people undertake the risk assessment, including preferably the service manager to ensure that the manager takes ownership of the risks within their own area of responsibility. The following process is followed for risk assessment: 1. 2. 3. 4. 5. 6. 7. 8. 9. Identification of hazard/risk Identify who will be affected Determine the level of harm Determine the likelihood of harm occurring Grade Assess the controls already in place (if any) Mitigate / Treat the risk (action plan) Re-grade the residual risk Record
A formula is then applied to identify the severity of risk. This reviews the likelihood (L) (risk of potential harm) and consequence (C) (effect of harm) to determine the risk. LxC=R A scoring matrix of 5x5 is applied to enable grading of the risk. The following table identifies how the PCT quantifies its risks in terms of those identified through incident reporting and formal risk assessment so that decisions about prioritisation and resource allocation can take place. Quantification of risk can be calculated by applying scores to the probability and the likelihood of it happening. The higher the score, the more significant the risk. The user guide for quantification of risk is illustrated in appendix 3.
Page 19 of 37
Extreme Risk = Consequence x Likelihood (1 to 5) (1 to 5) Graded Risk Score Range = 1 to 25 HighModerate Low -
15 - 25 8 - 12 4-6 1-3
Significant Risk
Significant Risk: An organisation-wide risk that attracts a score of 8 or above on the PCT Risk Grading Matrix, that cannot be eliminated or reduced through financial means or through other risk management activities, constitutes a Significant Risk to the Organisation and must be recorded on the Directorate Risk Register and brought to the attention of the relevant Directorate. (PCT definition, 2007)
5.4
Risk Analysis
The risk management incident reporting system collects information enabling simple analysis. The PCT has developed links between incidents, complaints and claims and expanded on data collected to include how/why an event occurred, prevailing factors and what impact/outcome was realised. In the event of certain serious incidents a root cause analysis will be completed by the appropriate team, including at least one member of staff who is trained in the process (see PCT procedure for Root Cause Analysis).
5.5
Risk Evaluation/Prioritisation
The PCT is currently developing and populating directorate risk registers to assist the Board in identifying all risks and to determine whether these risks are acceptable or unacceptable. The criteria utilised to evaluate risk cover the following: Acceptance criteria within the organisation i.e. operational standards Cost benefit analysis i.e. balance of cost against the potential benefits Human issues i.e. injuries, causing pain and suffering Legislative constraints i.e. meeting established legal requirements
The PCTs risk register is a prioritised list of the risks to the PCT. These risks are the risks that would prevent the PCT doing their reasonable best to manage themselves to meet their objectives and protect patients, staff the public and other stakeholders against risk of all kind.
Page 20 of 37
5.6
Risk Treatment
During the process of Risk Assessment, analysis and evaluation it is possible to identify controls in place or required to reduce or eliminate risk. These control strategies cover a number of possible solutions, as described below: Risk avoidance discontinuing a hazardous operation /activity Risk retention retaining /accepting risks within financial operations Risk transfer- the conventional use of insurance premiums Risk reduction prevention/control of any remaining residual risk
Once controls, in place or required, have been identified the risk must be re-graded in order to establish whether the action proposed is adequate and will reduce the residual risk to an acceptable level. These controls and further treatments may be cost neutral or require action that requires investment. At this point it is imperative that action plans are submitted as part of the PCTs usual process for service planning.
5.7
The PCT recognises that risk management only becomes part of an individuals objectives by the acceptance and ownership of our staff. To ensure risk management becomes integrated into all practices and procedures carried out by staff, the PCT supports the implementation of practices and procedures which: Increase the awareness of staff to report all untoward incidents and near misses Facilitate proactive self assessment of risks throughout the PCT Develop systems and processes which have the capability to reduce risk Improve procedures for reporting and feedback mechanism Continue to ensure compliance with policies and professional standards Provide consistency in the management of risks Ensure compliance with professional registration requirements Ensure compliance with professional codes of practice Promote continuing personal and professional development that meets the needs of individuals and the business needs of the PCT Enable staff appraisal to focus on improvements in performance related to untoward incidents / near misses, concerns and complaints received.
5.8
Risk Monitoring
This is an essential component to ensure maintenance and development of standards. Through a process of audit and monitoring the PCT will undertake a review of the effectiveness of the risk control measures regularly and preferably on an annual basis. It is anticipated that Risk control and monitoring measures will include some or all of the following: Statistical and trend reporting of Incidents, Complaints and Claims to the Board and relevant Committees using information from the incident reporting system Correlation between untoward incidents / near miss reporting and dates of occurrence Cross-tabulated reporting over a range of variances Audit of the effectiveness of Serious Untoward Incident Reporting Procedures to enable benchmarking to take place Audit of Patient Records against Untoward Events / Near Miss Reporting Audit of implementation of the range of Risk Management Policies, Procedures and Guidelines at Department level
Page 21 of 37
Audit of the effectiveness of PCT systems and processes such as Fire Training, Fire Drills and Health and Safety Training Establishment and annual review of Directorate Risk Register(s) and re-assessment of risks following implementation of treatment plans Root Cause Analysis of Serious Untoward Incidents via Incident Management Policy and associated Procedures. Monitoring risk management performance indicators.
1. Internal monitoring Internal monitoring is undertaken by systematic review of progress against action plans. This activity will be directed and overseen by the Governance Committee. (For terms of reference and membership see appendices). In addition key risk management performance indicators have been developed and are monitored on a 6 monthly basis by the Governance Committee. (See Appendix 8) The Audit Committee monitors the effectiveness of systems of internal control and governance. This role incorporates overall risk management and value for money. 2. External monitoring External monitoring is undertaken by Mersey Internal Audit Agency and the Audit Commission who provide assurance to the Audit Committee on the effectiveness of risk management. (a) NHSLA Risk Management Standards for PCTs The PCT was designated Level 1B of the Risk Management Standards in October 2006 and is currently working on an action plan to achieve level 1 compliance with the new Risk Management Standards for PCTs in 2007. (b) Other Statutory Bodies Other external bodies who have a statutory remit for monitoring specific standards will be brought in where appropriate, e.g. Health and Safety Executive, NHS Counter Fraud and Security Management Service.
5.9
Risk Prevention
The organisation has adopted proactive (formal risk assessment) and reactive approaches to Risk. Formal risk assessments and the population of Risk Registers, with the further development of appropriate action plans will provide the PCT with the full knowledge of where our risks lie. As our systems and processes become further defined, the PCT will become more sophisticated in its approach to essential risk prevention.
Page 22 of 37
Governance Committee (GC) The GC has delegated responsibility from the PCT Board for the overall management of all risk and as such receives the minutes from the following underpinning specialist risk management groups: Health & Safety Committee Health Protection Committee Medicines Management Committee Safeguarding Children Committee Information Governance Group Healthcare Standards & Quality Group Clinical Governance Committee Medical Devices Group Practitioner Governance Committee The GC formally reports to the PCT Board and Audit Committee via the sharing of minutes and common membership of Executive and Non Executive Directors. Audit Committee (AC) The AC is responsible for providing the PCT Board with assurance that risk management systems and processes are in place and operational, so that all risks are identified, evaluated and managed appropriately. The Governance Committee and Audit Committee communicate via the sharing of minutes and common membership of Executive and Non Executive Directors. Other specialist risk management groups Other specialist risk management groups as listed above, communicate to the Governance Committee via the formal sharing of minutes. For further information, Terms of Reference for the key committees and groups with responsibility for risk are set out in appendix 6.
6.2
The PCT is required to report on certain risk issues to a number of external organisations. These are listed below: Serious Untoward Incidents & Strategic Executive Intelligence Systems (StEIS) StEIS is a system to report serious untoward incidents to the SHA which has been in place since October 2002. Guidance on reporting procedure is kept by the Risk Manager. The Risk Manager with the relevant Director determines which incidents are required to be reported using this system. The StEIS procedure provides guidance on inquiries/ reviews. Reporting of Injuries & Dangerous Occurrences Regulations (RIDDOR) These regulations lay down the requirements for reporting certain types of injury and disease to the enforcing authority. Definitions cover specified major injury or condition, reportable diseases, deaths, dangerous occurrences and gas incidents (see hospital procedure for more information). National Health Service Litigation Authority (NHSLA) Pre-action claims that are likely to go forward to litigation are reported to NHSLA.
Risk Management Strategy Page 23 of 37
National Patient Safety Agency (NPSA) All patient safety incidents from incident reporting systems are reported to NPSA and National Reporting and Learning system using the categorisation model described in this document.
Page 24 of 37
The grades are subjective and therefore should ideally be applied by a team of no less than 3.
1 Insignificant 5 4 3 2 1
2 Minor 10 8 6 4 2
3 Moderate 15 12 9 6 3
4 Major 20 16 12 8 4
5 Catastrophic 25 20 15 10 5
4 Major
10-25% over budget / schedule slippage Doesnt meet secondary objectives Major injuries, long term disability i.e., loss of limb Claim above excess level. Multiple justified complaints Uncertain delivery of key objective / service due to lack of staff. Serious error due to ineffective training Sustained loss of service which ha serious impact on delivery of patient care resulting in major contingency plans being involved Loss >?% of budget Enforcement Action. Low rating. Critical report National media <3 days. Public confidence in PCT undermined. Usage of services affected
5 Catastrophic
>25% over budget /schedule slippage Doesnt meet primary objectives Reputation of PCT damaged. Failure to appropriately manage finances Death or major permanent harm Impacts on large number of patients Multiple claims or single major claim Non delivery of key objective / service due to lack of staff. Loss of key staff. Critical error due to ineffective training Permanent loss of core service or facility. Disruption to facility leading to significant knock on effect across local health authority Loss >?% of budget Prosecution. Zero rating. Severely critical report. National media >3 days. MP Concern (questions in House)
Small loss Small number of recommendations which focus on minor quality improvement issues Coverage in media, little effect on public confidence / staff morale
Loss >?% of budget Minor recommendations made which can be addressed by low level of management action Local Media short term. Minor effect on public attitudes / staff morale
4 Likely
Expected to occur at least weekly Likely to occur
5 Almost Certain
Expected to occurred at least daily More likely to occur than not
Probability
Appendix 3
The Board
Audit Committee
Governance Committee
Performance Committee
Reporting between committees via formal sharing of minutes and common membership
PCT Board
Executive Team
Governance Committee*
Audit Committee
Specialist Risk Management Committees: Health & Safety Committee Medicines Management Committee Health Protection Committee Safeguarding Children Committee Information Governance Group Health Standards & Quality Committee Clinical Governance Committee Medical Devices Group Practitioner Governance Committee
* The Governance Committee has overview of all risk and reports to the PCT Board on behalf of all other Board Committees. Formally communicates/reports via the sharing of minutes Informally communicates/reports via common membership
Appendix 5
Governance Committee
The Governance Committee will be established as a sub-committee of the Board that exists to: a) b) c) 2 Monitor standards of quality across the PCT to ensure that local and national standards are met, i.e., Standards for Better Health, NHS Litigation Authority Risk Management Standards provide an assurance to the Board that there are robust structures, processes and accountabilities in place for identifying and managing significant risks facing the organisation (i.e. strategic, operational, clinical and organisational) provide corporate focus, strategic direction and momentum for governance and risk management within the PCT. Principal Duties
The principal duties of the Committee are as follows: Ensure effective management of governance areas (clinical governance, corporate governance, information governance, research governance, financial governance, risk management and health & safety): a) Ensure the establishment and maintenance of an effective system of integrated governance, risk management and internal control in line with the Integrated Governance Handbook (DoH February 2006), across the organisations activities (both clinical and non-clinical), that support the achievement of the organisations objectives Provide an assurance to the Audit Committee, and ultimately the Board, that there are robust structures, processes and accountabilities in place for the identification and management of significant risks facing the organisation. Ensure the PCT is able to submit risk and control related statements, in particular the Statement on Internal Control and declarations of compliance with the Standards for Better Health. This will entail initiation and monitoring of action to meet these Standards, by means of an annual plan. Ensure that the organisation has policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements, and to approve such policies. To identify and review lapses in quality and make recommendations for improvements Receive and monitor progress against reports from external agencies, including the Healthcare Commission and Health and Safety Executive. Work collaboratively to identify and promote Best Practice, the sharing of experience, expertise and success across the PCT and with key stakeholders. Ensure that an appropriate sub group infrastructure is established and maintained with clear lines of accountability and responsibility to carry through the integrated governance agenda, e.g. health and safety committee (see chart on page 31) Receive minutes and reports from the committee sub groups
Page 29 of 37
b) c)
d) e) f) g) h) i)
Membership
The following will be members of the Committee: Non Executive Director x2 (one of which will be Chair) Director of Provider Services Director of Commissioning Director of Finance Director of Governance Senior Manager with responsibility for information governance Senior Manager with responsibility for risk management and health & safety Senior Manager with responsibility for clinical governance Representative from Public Health Representative from Medicines Management Staff side representative Patient Forum representative
Minutes and papers shall also be sent to Chair, Chief Executive and Director of Public Health for information who shall all have standing invitations to attend committee meetings. 4 Chairmanship
A non-executive nominated by the PCT Board shall chair the committee. 5 Quorum
A quorum shall consist of one Non-Executive Director, two Directors and two other members. 6 Frequency of Meetings and Reporting Arrangements
The Committee will meet bi-monthly and submit the minutes to the next available Audit Committee and PCT Board. The Committee will submit an annual report and mid year report to the Board and Audit Committee. 7 Secretarial arrangements
Secretariat to the Committee TBC. The agenda for the meetings will be drawn up with the Chair of the Committee. The agenda and papers for meetings will be distributed one week in advance of the meeting.
Page 30 of 37
PCT Board
Duties The duties of the Committee can be categorised as follows: Governance, Risk Management and Internal Control The Committee shall review the establishment and maintenance of an effective system of integrated governance, risk management and internal control, across the whole of the organisations activities (both clinical and non-clinical) that supports the achievement of the organisations objectives. In particular, the Committee will review the adequacy of: all risk and control related disclosure statements (in particular the Statement on Internal Control and declarations of compliance with the Standards for Better Health), together with any accompanying Head of Internal Audit statement, external audit opinion or other appropriate independent assurances, prior to endorsement by the Board the underlying assurance processes that indicate the degree of the achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure statements the policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements the policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the Counter Fraud and Security Management Service
In carrying out this work the Committee will primarily utilise the work of Internal Audit, External Audit and other assurance functions, but will not be limited to these audit functions. It will also seek reports and assurances from directors and managers as appropriate, concentrating on the over-arching systems of integrated governance, risk management and internal control, together with indicators of their effectiveness. This will be evidenced through the Committees use of an effective Assurance Framework to guide its work and that of the audit and assurance functions that report to it. Internal Audit The Committee shall ensure that there is an effective internal audit function established by management, which meets mandatory NHS Internal Audit Standards and provides appropriate independent assurance to the Audit Committee, Chief Executive and Board. This will be achieved by: consideration of the provision of the Internal Audit service, the cost of the audit and any questions of resignation and dismissal review and appropriate approval of the Internal Audit strategy, operational plan and more detailed programme of work, ensuring that this is consistent with the audit needs of the organisation as identified in the Assurance Framework consideration of the major findings of internal audit work (and managements response), and ensure co-ordination between the Internal and External Auditors to optimise audit resources ensuring that the Internal Audit function is adequately resourced and has appropriate standing within the organisation annual review of the effectiveness of internal audit
Page 33 of 37
Internal Audit should have access to the Chair of the Audit Committee via the committee secretary
External Audit The Committee shall review the work and findings of the External Auditor appointed by the Audit Commission and consider the implications and managements response to their work. This will be achieved by: consideration of the appointment and performance of the External Auditor, as far as the Audit Commissions rules permit discussion and agreement with the External Auditor, before the audit commences, of the nature and scope of the audit as set out in the Annual Plan, and ensure coordination, as appropriate, with other External Auditors in the local health economy discussion with the External Auditors of their local evaluation of audit risks and assessment of the Authority and associated impact on the audit fee review all External Audit reports, including agreement of the annual audit letter before submission to the Board and any work carried outside the annual audit plan, together with the appropriateness of management responses
Other Assurance Functions The Audit Committee shall review the findings of other significant assurance functions, both internal and external to the organisation, and consider the implications to the governance of the organisation. These will include, but not be limited to, any reviews by Department of Health Arms Length Bodies or Regulations/Inspectors (e.g. Healthcare Commission, NHS Litigation Authority etc), professional bodies with responsibility for the performance of staff or functions (e.g. Royal Colleges, accreditation bodies, etc). In addition, the Committee will review the work of other committees within the organisation, whose work can provide relevant assurance to the Audit Committees own scope of work, such as the Integrated Governance Committee. In reviewing the work of the Integrated Governance Committee and issues around clinical risk management, the Audit Committee will wish to satisfy themselves on the assurance that can be gained from the clinical audit function. Management The Committee may request and review reports and positive assurance from directors and managers on the overall arrangements for governance, risk management and internal control. They may also request specific reports from individual functions within the organisation as they may be appropriate to the overall arrangements. Financial Reporting The Audit Committee shall review the Annual Report and Financial Statements before submission to the Board, focusing primarily on:
Page 34 of 37
the wording in the Statement of Internal Control and other disclosures relevant to the Terms of Reference of the Committee changes in, and compliance with, accounting policies and practices unadjusted mis-statements in the financial statements major judgemental areas significant adjustments resulting from the audit
The Committee should also ensure that the systems for financial reporting to the Board, including those of budgetary control, are subject to review as to completeness and accuracy of the information provided to the Board. Reporting The minutes of the Audit Committee meetings shall be formally recorded by the Committee Secretary and submitted to the Board. The Chair of the Committee shall draw to the attention of the Board any issues that require disclosure to the full Board or require executive action. The Committee will report to the Board annually on its work in support of the Statement on Internal Control, specifically commenting on the fitness for purpose of the Assurance Framework, the completeness and embeddedness of risk management in the organisation, the integration of governance arrangements and the appropriateness of the self-assessment against the Standards for Better Health. Other Matters The Committee shall be supported administratively by the Committee Secretary, whose duties in this respect will include: agreement of agenda with Chair and attendees and collation of papers taking the minutes and keeping a record of matters arising and issues to be carried forward advising the Committee on pertinent areas
Page 35 of 37
The enquirer must give consideration to policies and procedures unique to the environment in question. Practices and clinics will have policies and procedures to reflect practice in that area, therefore, it would be wise to consult such documents prior to any decision making. All of these policies are available on the PCTs Intranet site http://nww.seftonpct.nhs.uk/policies_and_protocols/default.asp or from the Risk Manager Tel 0151 478 1291.
Page 36 of 37
Chief Executive PA to Chief Executive Asst Chief Executive Director of Finance PA to Director of Finance Director of Governance PA to Director of Governance Asst Director of Governance Risk Manager Manual Handling Advisor Infection Control Nurse Director of Public Health (Infection Control) Information Governance Officer Estates Manager Health & Safety Manager Contractor Performance and Litigation Manager Clinical Audit Manager Complaints & PALS Manager Medical Advisor Dental Advisor Optical Advisor Pharmaceutical Advisor Head of Medicines Management
Page 37 of 37
Appendix 8 Risk Management Performance Indicators Monitored 6 monthly by the Governance Committee
Performance Indicator
Standards for Better Health First Domain Safety % Compliance against Standards for Better Health Domain One Safety Incidents & Near Misses No. of incidents & near misses reported % of departments/services reporting incidents & near misses Average Severity rating of incidents & near misses Trend analysis of incidents & near misses % of staff incidents & near misses % of patient incidents & near misses (reported to the NPSA) Risk Register No. of risks added to the Risk Register % of red / orange risks on the Risk Register % of departments/services with Live Risk Registers Risk Management Training % of Staff attended mandatory Risk Management training Complaints No of formal complaints received % of complaints acknowledged within 2 working days % of complaints answered within 20 working days % of complaints with proven allegations in which an initial incident form was completed % of complaints referred to the Healthcare Commission Claims No of claims received No of claims received predicted to have a high likelihood of success % of claims in which an initial incident form was completed % of letters of claim acknowledged within 14 days % of responses to letters of claim within 3 months Safety Alerts % of SABS alerts received responded to within timescales
Risk Manager
Complaints Manager
Page 38 of 37