Field | Value |
---|---|
Recommended by | Audit Committee |
Approved by | Board of Directors |
Approval date | 24 April 2024 |
Version number | 0.5 |
Review date | April 2027 |
Responsible Director | Director of Corporate Affairs |
Responsible Manager (Sponsor) | Head of Risk and Assurance |
For use by | All our people |
Change record form
Version | Date of Change | Date of Release | Changed By | Reason for Change |
---|---|---|---|---|
0.1 | December 2020 | – | J Taylor | New Policy |
0.2 | January 2021 | January 2021 | J Taylor | Amendments from Audit Committee |
0.3 | 1 April 2022 | April 2022 | J Taylor | Annual Review |
0.4 | February 2023 | April 2023 | S White | Annual Review |
0.5 | February 2024 | April 2024 | J Taylor | Annual Review |
1. Introduction
Risk management is both a statutory requirement and a key element of good management. Risk management is everyone’s responsibility, with the principles of effective risk management forming an integral component of decision making at all levels.
The activities associated with caring for patients, recruiting our people (staff and volunteers), providing facilities and services, and managing finances are all, by their nature, activities that involve risk. These risks are present on a day-to-day basis throughout the organisation and whilst it may not always be possible to eliminate these risks, they can be managed to an acceptable level by ensuring that risk management is embedded into day-to-day practice and the culture of the organisation so that appropriate risk-based decisions are regularly made by managers and staff at all levels.
Effective risk management enables the Board of Directors to determine the extent of risk exposure it currently faces with regard to the achievement of its objectives. As a key component of the internal control framework, regular review and routine monitoring of this policy will also inform the Trust’s Annual Governance Statement.
2. Purpose
The purpose of this Risk Management Policy is to define the approach taken by North West Ambulance Service NHS Trust (the Trust) in applying risk management to its decision making at all levels. The main objective is to establish the foundations for a culture of effective risk management throughout the organisation.
This policy sets out clear definitions, responsibilities, and process requirements to enable the principles and techniques of risk management to be applied consistently throughout the organisation.
The principles and techniques of risk management as defined in this policy should be fully integrated within the formal governance arrangements and decision making processes of the organisation. All our people are responsible for making sure that they are aware of the organisation’s aims and objectives and are empowered to make decisions to manage risks as long as those decisions are within the scope of their role and level of authority.
Where a risk is identified but cannot be managed without some significant change to the way the organisation operates, it must be escalated through the relevant line management structure. The Risk Management Policy applies to all areas and levels of the Trust.
It defines the basic principles and techniques of risk management that the organisation has decided to adopt and forms the basis of all risk-based decision making. All risk management activities in the Trust will follow the process described within this document to ensure a common and robust approach is adopted to risk management.
3. Roles & Responsibilities
This section details those groups and individuals within the Trust that have specific responsibilities with regard to the Risk Management Policy.
The Board of Directors is responsible for providing strategic leadership to risk management throughout the organisation, which includes:
• Maintaining oversight of strategic risks through the Board Assurance Framework (BAF)
• Leading by example in creating a culture of risk awareness
The Audit Committee is responsible for reviewing the establishment and maintenance of an effective system of integrated governance, risk management and internal control across the whole of the organisation’s activities. The Committee will provide assurance to the Board of Directors that there are effective systems operating across the Trust.
The Chief Executive as the Accountable Officer is responsible for ensuring an effective system of internal control is maintained to support the achievement of the Trust’s strategic objectives. This includes:
• The establishment and maintenance of effective corporate governance arrangements
• Ensuring that this Risk Management Policy is applied consistently and effectively throughout the Trust
• Ensuring that the Trust is open and communicates effectively about its risks, both internally and externally
• Retaining sufficient professional risk management expertise to support the effective implementation of this Policy
The Director of Corporate Affairs is accountable to the Board of Directors and Chief Executive for the Trust’s Governance and Risk Management activities. With Executive responsibility for governance and risk management the Director of Corporate Affairs (with support from the Head of Risk and Assurance) provides a clear focus for the management of organisational risks and for coordinating and integrating all of the Trust’s risk management arrangements on behalf of the Board of Directors.
Members of the Executive and Directorate Senior Management Teams are responsible for the consistent application of this Policy within their areas of accountability, which includes:
• Maintaining an awareness of the overall level of risk within the organisation
• The management of specific risks that have been assigned to them, in accordance with the criteria set out in this policy
• Promoting a risk aware culture within their teams and in the course of their duties
Area Directors/ Assistant Directors/ Heads of Operations/ Service/ Area Consultant Paramedics are responsible for the consistent application of this Policy within their areas of accountability, which includes:
• Making active use of the Trust risk register and the processes described in this Policy to support the management of their service
• The management of specific risks that have been assigned to them in accordance with the criteria set out in this policy
• Promoting a risk aware culture within their teams and in the course of their duties
• Ensuring that as far as possible risk assessments carried out within their service are based on reliable evidence.
All of our people (staff and volunteers) are responsible for identifying and managing risks within their day-to-day work, which includes:
- Maintaining an awareness of the primary risks within their service
- The identification and, as far as possible, the management of risks that they identify in the course of their duties
- Bringing to the attention of their line manager any risks that are beyond their ability or authority to manage
4. Risk Management Approach
The basic principle at the heart of the Trust’s risk management approach is that an awareness and understanding of risk should be used to inform decision making at all levels.
This requires not only the active engagement of all our people with risk management activity in practice, but also the integration of risk management principles and techniques within the formal governance arrangements of the organisation.
This will ensure that major strategic, policy and investment decisions are made with a full and reliable appreciation of the risks associated with them as well as any existing risks that those decisions may serve to mitigate.
5. Risk Management Process
The risk management process, which can be seen in Figure 1 below, involves the identification, analysis, evaluation and treatment of risks. More importantly, the process provides iterative steps which, when taken in a coordinated manner, can support recognition of uncertain events that could lead to a negative outcome and therefore allows actions to be put in place to minimise the likelihood (how often) and consequence (how bad) of these risks occurring.
5.1 Scope, Context and Criteria
The Trust Strategy sets out our purpose to help people when they need us the most and a vision to deliver the right care, at the right time, in the right place; every time. This is broken down into 3 aims:
- Providing high-quality, inclusive care.
- Be a brilliant place to work for all.
- Work together to shape a better future.
Risks are linked to our aims because failing to control risks may lead to non-achievement of our strategic aims and/ or objectives.
5.2 Risk Assessment
Risk assessment is an objective process and where possible, staff should draw upon evidence or qualitative data to aid assessment of risk. Where evidence or data is not available, assessors will be required to make subjective judgement.
Risk vs Issue
It is important to understand the difference between a risk and an issue/ incident.
The fundamental difference between a risk and an issue/incident is that an issue/incident has already happened, there is no uncertainty, and it is a matter of fact.
A risk is an uncertain event that has not yet happened, but if it did, it could affect the achievement of an objective.
Risk | Issue / Incident |
---|---|
An uncertain event that HAS NOT happened | An unplanned event that HAS happened |
Risk Articulation
In order to assist the risk management process, it is essential that risks are described in a way that allows them to be understood by all who read them. Articulating a risk in this way will enable effective controls, assurances and action plans to be put in place to mitigate the risk.
There should be three components to the description of a risk:
Cause (Source of Risk) | Risk (Uncertain Event) | Consequence (Impact) |
---|---|---|
What has caused the risk? Where has the risk originated from? | The uncertain event (risk) that may happen if we do nothing | What would be the impact if the risk materialised? |
Risk descriptions must tell a convincing story | | |
There is a risk ‘as a result of/ due to/ because of’… existing condition (Present Condition) | An uncertain event… may occur (Uncertain Future) | Which would lead to… effect on objectives (Conditional Future) |
Risk Identification
New risks and factors which increase a known risk may be identified at any time and by anyone within the organisation and can take many different forms.
All our people play a vital role in the identification of risk. All new risks should be reported and discussed with your line manager in the first instance, who will consider the best approach to manage the risk; this could be actions to immediately eliminate the risk, signposting of the risk to the appropriate person to manage the risk or inclusion on a risk register with an action plan in place.
Some risks can be managed effectively by the person identifying them taking appropriate action themselves or within their immediate team. This is particularly true with types of safety risk, where identification and removal of the hazard will often be sufficient to manage the risk.
Our people should initially consider what their main areas of work are and how these relate to their local objectives, and the objectives of the Trust. Every work activity that has a significant hazard should be assessed for risk. Identification using a systematic approach is critical because a potential risk not identified at this stage will be excluded from further analysis.
All risks, whether under the control of the Trust or not, should be included at this stage. The aim is to generate an informed list of events that might occur. Key sources that will inform this exercise include (but are not limited to):
• Compliance requirements with regulators and stakeholders such as the CQC, HSE, NHSE etc
• Recommendations from recent internal / external audit reports
• Thematic and trend analysis of incidents, inquiries, complaints, claims and inquests
• Performance data
• Quality Assurance Audits
• Quality Impact Assessments
• Safety Alerts
• Trend and forecasting analysis
• Risks associated with the achievement of corporate objectives
• Other methods of horizon scanning.
Resilience and Response
The NWAS Resilience Team work with partners in the Local Resilience Forums and Local Health Resilience Partnerships to examine National and Community Risk Registers and plan for multi-agency risk mitigation and response. This is reviewed for the potential impact on the Trust; anything identified is recorded in accordance with this Policy and highlighted to the Emergency Preparedness, Resilience and Response (EPRR) Group, chaired by the Accountable Emergency Officer.
Recommendations from critical, major, or business continuity incidents and exercises are captured within the risk management processes to ensure the delivery of actions to reduce the risk of failure in the event of an actual incident.
Fraud Risk Management
Recommendations from thematic exercises from NHS Counter Fraud Authority (CFA) are captured within the risk management process to ensure the delivery of actions to reduce risk of failure in the event of an actual fraud, bribery, theft, and corruption incident.
5.3 Risk Analysis
The purpose of analysing and scoring a risk is to estimate the level of exposure which will then help inform how the risk should be managed.
When analysing a risk, you will need to:
• Identify who is affected and what is the potential consequence/ impact should the risk occur
• Estimate the likelihood (how often) the risk may possibly occur
• Assess and score the level of exposure to that risk using the risk scoring process below.
Risk Analysis Process
Risks are analysed using the Trust Risk Matrix. The Trust has adopted a 5×5 matrix with the risk scores taking account of the consequence and likelihood of a risk occurring.
The scoring of a risk is a 3-step process:
Step 1: Evaluate the consequence of a risk occurring. The consequence score has five descriptors:
Table 1: Consequence Analysis
Score | Consequence Descriptor | Consequence Description |
---|---|---|
1 | Insignificant | Please see Appendix 2 for Consequence Descriptions |
2 | Minor | Please see Appendix 2 for Consequence Descriptions |
3 | Moderate | Please see Appendix 2 for Consequence Descriptions |
4 | Major | Please see Appendix 2 for Consequence Descriptions |
5 | Catastrophic | Please see Appendix 2 for Consequence Descriptions |
Step 2: Analysing the likelihood (how often) a risk may occur. The table below gives the descriptions of the likelihood of a risk occurring:
Table 2: Likelihood Analysis
Score | Likelihood Descriptor | Likelihood Frequency |
---|---|---|
1 | Rare | Not expected to occur in years |
2 | Unlikely | Expected to occur at least annually |
3 | Possible | Expected to occur at least monthly |
4 | Likely | Expected to occur at least weekly |
5 | Almost Certain | Expected to occur at least daily |
Step 3: To calculate the risk score, multiply the consequence score with the likelihood score:
CONSEQUENCE score x LIKELIHOOD score = RISK score
Likelihood / Consequence | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
---|---|---|---|---|---|
5 Almost Certain | 5 Low | 10 Moderate | 15 High | 20 High | 25 High |
4 Likely | 4 Low | 8 Moderate | 12 Moderate | 16 High | 20 High |
3 Possible | 3 Low | 6 Moderate | 9 Moderate | 12 Moderate | 15 High |
2 Unlikely | 2 Low | 4 Low | 6 Moderate | 8 Moderate | 10 Moderate |
1 Rare | 1 Low | 2 Low | 3 Low | 4 Low | 5 Low |
5.4. Risk Evaluation
Once the risk analysis process has been completed, the risk score should now be compared with the level of risk criteria below which enables the Trust to measure the potential level of risk exposure and proceed to identify appropriate actions and management plans.
Level of Risk | Range | Classification |
---|---|---|
Low | 1 – 5 | Low |
Moderate | 6 – 12 | Moderate |
High | 15 – 25 | High |
Each risk will be assigned 3 risk scores: initial, current and target. The risk scoring process above will be carried out three times for each score using the guidance below.
1. Initial Risk Score
The initial risk score is assigned when the risk is first identified. The risk analysis process for the initial risk score should measure the consequence and likelihood before any controls/ mitigating actions are proposed. The initial risk score will not change for the lifetime of the risk.
2. Current Risk Score
For the current risk score, the risk analysis process should measure the consequence and likelihood once controls and mitigating actions are in place, taking into account the effectiveness of the controls added.
3. Target Risk Score
For the target risk score, the risk analysis process should give a realistic measure of the consequence and likelihood once improved mitigating actions have been achieved and improved controls added.
5.5. Risk Management
Effective risk management requires a reporting and review structure to ensure that risks are effectively identified, analysed and that appropriate controls and responses are in place.
Risk Treatment
Risk treatment is the process of modifying risk through the selection and implementation of measures to treat the risk.
Its major element is risk control/ mitigation, but it extends further to the appropriate selection of a risk treatment option. The options are outlined below.
Tolerate (Accept)
Can we accept the risk as it is, i.e., without further controls? Would the cost of controlling the risk outweigh the benefits to be gained?
This option applies where the ability to do anything about certain risks may be limited or the cost of taking any further action may be disproportionate to the potential benefit gained. In these cases, the response is to manage the risk to as low as reasonably practicable (ALARP) and then tolerate the risk. This option can also be supplemented by contingency planning for handling the consequences that may arise if the risk is realised.
Where the status of the risk is to tolerate, the risk must be monitored and reviewed by the risk owner at least annually. All tolerated risks will be subject to review by the Events and Risk Assurance Team, and a decision made by the Trust Management Committee on whether the risk should be tolerated or not.
Treat (Reduce or Remove)
Can we put controls in place to reduce the likelihood of the risk occurring or its impact?
Treat is the most widely used approach and will be the course of action to take for the majority of risks within the Trust before any other course of action is considered.
Terminate (Suspend the risk situation/ activity)
Can we avoid or withdraw from the activity causing risk? Can we do things differently?
A decision will be made by the Trust Management Committee on whether the risk should be terminated or not.
Transfer (Responsibility)
Can we transfer or share the risk, either totally or in part, by way of partnership, insurance or contract?
This course of action should only be taken following consideration and decision by the Trust Management Committee.
Identifying Controls and Gaps
Controls are arrangements that are already in place to mitigate or manage the risk and these can include policies and procedures, monitoring, and audit.
Every control should be relevant to the risk that has been described, it should be clear that the control directly impacts on managing the risk and the strength of the control should be considered when deciding the influence this will have on the risk score.
Even where controls have been identified, if the service has established that a risk exists, the uncontrolled issues are articulated as gaps. Gaps are issues which are not controlled and directly affect our mitigation of the risk. Gaps require clear and proportionate actions to address them.
Preventative
Designed to limit the possibility of an undesirable outcome being realised. They are important to stop an undesired outcome. It is crucial to implement these types of controls.
For example, elimination of the hazard/ physically removing the hazard if possible/ substituting the hazard with something less risky.
Corrective
Designed to limit the scope for loss and reduce any undesired outcomes that have been realised. These may also provide a route of recourse to achieve recovery against loss or damage.
For example, isolating people from the hazard, the use of guards or barriers, or reducing exposure to the hazard.
Directive
Designed to ensure that a particular outcome is achieved. This is based on giving directions to people on how to ensure that losses do not occur. These are important but depend on people following established safe systems of work.
For example, administrative controls such as changing the way people work, training and supervision to enforce policies, procedures, processes and pathways, and the use of Personal Protective Equipment (PPE).
Detective
Designed to identify occasions when undesirable outcomes have been realised. By definition they act ‘after the event’, so they are only appropriate once loss or damage has occurred.
For example, monitoring and surveillance, such as closed-circuit television (CCTV), smoke detectors and fire alarms.
Risk Mitigating Action Plans
The purpose of risk action plans is to document how the chosen treatment options will be implemented.
Information should include:
- A description of what the planned action is
- Expected benefit(s) gained
- Responsibilities (risk owners and action owners)
- Reporting and monitoring requirements
- Resourcing requirements
- Timing and scheduling
Differentiating between Controls, Gaps and Actions
To summarise:
- Controls are things that are already in place to manage or monitor the risk
- Gaps are the issues that we need to address to control the risk fully
- Actions describe how you will address the gaps to reduce the risk identified.
Contributory Factors
Contributory factors are the influencing and causal factors that contribute to the identified risk.
These factors affect the chain of events and can be positive as well as negative, and they may have mitigated or minimised the outcome of the risk materialising. More than one contributory factor can be selected.
Risk Monitoring and Review
The monitoring process should provide assurance that there are appropriate controls and risk mitigating actions in place. The frequency of ongoing monitoring and review depends upon the seriousness of the risk.
As a minimum, this must be:
Current Risk Score | Review Timescales |
---|---|
1 – 5 (Low) | Bi-Annually |
6 – 12 (Moderate) | Quarterly |
15 – 25 (High) | Monthly |
Consequence Score | Review Timescales |
---|---|
5 | Monthly |
6. Risk Registers
A risk register is a centralised repository of identified risks that may threaten the delivery of services. A risk register should be live, dynamic, and populated through the risk assessment and evaluation process. The Datix Cloud IQ (DCIQ) Enterprise Risk Management (ERM) system is used by the Trust to record, manage and monitor risks throughout the organisation. Where risks cannot be immediately resolved, these risks should be recorded onto the Departmental/ Team Risk Register.
The purpose of the risk register is to:
- Provide a summary and overview of potential risks to each Directorate
- Evaluate the level of existing internal control in place to manage the risk
- Be an active live system to record and report risks using the risk management process.
Risk registers must:
- Be fully complete
- Be updated and reviewed regularly
- Have measurable controls added for all live risks
- Have action plans in place
- Be discussed and reported to Directorate SMT Meetings at least quarterly.
7. Risk Escalation
The Trust aims to support staff throughout the organisation to manage risk at the most appropriate level in the organisation whilst ensuring that there is a clear process for risk to be escalated when necessary to ensure discussion, action, advice, and support can be provided.
All risk owners can escalate a risk for discussion, action, advice, and support via the risk record in the DCIQ system. The risk owner must clearly articulate the reasons for the risk escalation. The table below shows the team to Board escalation route.
- Team
- Directorate Senior Management Team
- Trust Management Committee
- Board of Directors
The diagram below defines the ‘Assurance and Escalation Pyramid’ and demonstrates the route that assurance and escalation take.
8. Executive Oversight
All risks held in the ERM Module in DCIQ scored 15 and above are automatically reviewed by the Events and Risk Assurance Team. The below steps are followed to ensure the Trust Management Committee have oversight of all high risks to the organisation.
- All new risks scored 15 and above are reviewed and analysed by the Events and Risk Assurance Team
- Risks are discussed with Risk Owners and the Executive Lead to explore the risk in further detail and ensure risk scoring is accurate
- The Corporate & Commercially Sensitive Risk Register is submitted to the Trust Management Committee monthly for review, discussion, and approval of risks for inclusion onto the Corporate & Commercially Sensitive Risk Register.
9. Risk Management Governance Structure
Risks are overseen at various levels throughout the Trust as per the table below:
Meeting | Type of Risk | Report Type | Risk Cycle |
---|---|---|---|
Board of Directors | Risks identified against delivery of strategic objectives | Quarterly Board Assurance Framework | As per Terms of Reference |
Board Committees | Risks identified against delivery of strategic objectives relevant to their area of focus | Committee Board Assurance Framework Report | As per Terms of Reference |
Audit Committee | Risks identified against delivery of strategic objectives | Quarterly Board Assurance Framework | As per Terms of Reference |
Trust Management Committee | New & existing risk(s) scored 15 and above which indicate a high level of risk or where support is requested by the Directorates in the management of risk | Quarterly Board Assurance Framework Corporate & Commercially Sensitive Risk Register | As per Terms of Reference |
Executive Led Groups | Visibility of risks scored 12 and above relating to the executive groups area of focus | Group Risk Report | As per Terms of Reference |
Directorate Senior Management Team Meetings | Risks identified on the Directorate Risk Register | Directorate Risk Register | At least quarterly |
Directorate Senior Management Teams are responsible for exporting their own risk registers and ensuring risks on team/ departmental risk registers are being managed and reviewed in accordance with this Policy.
10. Risk Reporting and Assurance Diagram
The risk reporting and assurance diagram highlights how the Trust aims to assure, scrutinise, escalate, and alert on risk management from front line to Board:
11. Assurance
A key element of the Trust’s risk management system is providing assurance. Assurance provides evidence that risks are effectively managed by ensuring the effectiveness of controls and actions being put in place are making a positive impact and mitigating risks appropriately.
12. Corporate and Commercially Sensitive Risk Register
The Corporate Risk Register allows the Trust Management Committee to have oversight of risks where:
- Risk owners have communicated the need for additional support;
- The risk has a current risk score of 15 and above; and/or;
- The risk indicates a significant/ increased risk;
- The risk has the potential to significantly impact a strategic objective
Risks held on the Corporate and Commercially Sensitive Risk Register must continue to be managed at their current level, with input and support from the Trust Management Committee where appropriate.
13. The Board Assurance Framework (BAF)
The Board Assurance Framework is a key document used to record and report the Trust’s key strategic objectives, risks, controls, and assurances to the Board of Directors. The Board Assurance Framework takes into account the recommendations from Audit, Executive Leads and Committees of the Board as to what should be included, amended, or removed. The Board Assurance Framework is updated and approved by the Board of Directors four times per year.
13.1. Audit Committee
As outlined in the HFMA Audit Committee Handbook, the Audit Committee’s primary role in relation to the BAF is to provide assurance that the BAF itself is valid. The role of the Audit Committee is not to manage the processes of populating the BAF but to satisfy itself that the systems and processes surrounding the BAF are working as they should. This includes whether:
• The format of the BAF is appropriate and fit for purpose
• The way in which the BAF is developed is robust
• The objectives in the BAF reflect the Board’s priorities
• Key risks are identified
• Adequate controls are in place and assurances are reliable
• Actions are in place to address gaps in controls and assurances.
13.2. Board Assurance Committees
Board Assurance Committees have the following responsibilities for the BAF risks pertaining to their areas of focus:
• Review of the BAF to ensure the Board of Directors receive assurance that effective controls are in place to manage strategic risk;
• Report to the Audit Committee/ Board of Directors on any significant risk management and assurance issues.
13.3. Executive Led Groups
Executive Led Groups have the following roles regarding the operational risks pertaining to their areas of focus:
• Review the management of the operational risks (risks scored 12+) pertaining to their areas of focus;
• Report to the Trust Management Committee any significant risk management and assurance issues.
14. Annual Governance Statement (AGS)
The Chief Executive is responsible for ‘signing off’ the Annual Governance Statement, which forms part of the statutory Annual Report and Accounts.
The organisation’s Board Assurance Framework gathers all the evidence required to support the Annual Governance Statement alongside the Head of Internal Audit’s annual opinion on the overall adequacy and effectiveness of the organisation’s risk management, control, and governance processes.
15. Clinical Risk Management
Clinical risk management can be defined as:
“The continuous improvement of the quality and safety of healthcare services by identifying the factors that put patients at risk of harm and then acting to control/ prevent those risks.”
Clinical risk is identified through the analysis of patient safety incidents, clinical negligence claims and complaints, identified areas of sub-optimal care, clinical audit, and non-compliance with clinical policies, guidance, and training.
16. Risk Governance and Internal Audit
The Executive Led Groups and the Audit Committee continually review and monitor all aspects of the Trust’s risk management system and play a key role in the standardisation and moderation of risks that are added to the Trust-wide risk register.
The Head of Internal Audit (HoIA) provides an annual opinion, based upon, and limited to, the work carried out to assess the overall adequacy and effectiveness of the organisation’s risk management, control, and governance processes.
17. Risk Awareness & Management Training and Support
Risk management guidance and advice are provided through the Corporate Risk and Assurance Team. Risk management training is made available to staff via MyESR, as set out in the table below.
Staff/ Group | Type of Training | Type of Delivery | Frequency of Training |
---|---|---|---|
All staff | Level 1 Risk Awareness Training | E-Learning | 3 Yearly |
All staff who require access to the DCIQ Enterprise Risk Manager Module | DCIQ ERM Module Training | Virtual | Once |
First line, Middle & Senior Managers | Level 2 Risk Management Training | E-Learning | 3 Yearly |
Board of Directors | Level 3 – Risk Management and Assurance Training | E-Learning | Annually |
18. Implementation
Taking into consideration the implications associated with this policy, it is considered that a target date of 01 April 2024 is achievable for communications about changes in this Policy, with any specific training being implemented on an ongoing basis. This will be monitored by the Trust Management Committee and the Audit Committee through the review process. If at any stage there is an indication that the target date cannot be met, then the Policy author will implement an action plan.
19. Equality, Diversity, and Inclusion
The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. The Equality Impact Assessment can be viewed in Appendix 3.
20. Monitoring Compliance
Monitoring of compliance with this policy will be undertaken on a day-to-day basis by the Events and Risk Assurance Team, discussing any issues with the relevant team/ department/ Directorate and, if necessary, reporting to the Director of Corporate Affairs and relevant Executive Director Leads. The monitoring matrix can be viewed in Appendix 4 for further information.
21. Consultation and Review
This is an existing policy which has had moderate changes that relate to operational and/ or clinical practice and therefore requires a consultation process. The Head of Risk and Assurance has consulted with the Director of Corporate Affairs, Internal Audit and Local Counter Fraud to invite any comments or suggestions regarding this policy. The policy will be presented to the Trust Management Committee, Audit Committee and to the Board of Directors for approval.
22. References
Baker, T (2015). Board Assurance: A toolkit for health sector organisations. England: LLP
CQC (2010), Guidance about compliance; Essential standards of quality and safety. England: Care Quality Commission (CQC).
CQC (2023), Enforcement Decision Tree. England: Care Quality Commission (CQC).
Deloitte, Enterprise Risk Management Approach, A ‘risk-intelligent’ approach.
Good Governance Institute, Risk Appetite for NHS Organisations.
HFMA (2014). NHS Audit Committee Handbook. (3rd ed.). England: Healthcare Financial Management Association (HFMA).
Health Act 1999, Ch 8
Health and Social Care Act 2008, Ch 14
Health and Social Care Act 2012, Ch 7
Health and Social Care Act (Safety and Quality) Act 2015, Ch 28
Hopkin, P (2018). Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management. 5th ed. London: IRM.
Lark, J (2015). ISO 31000 Risk Management. (1st Ed). Switzerland: ISO
Moeller, R (2011). COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes. 2nd ed. New Jersey: Wiley & Sons.
NHS Providers (2018). Enterprise Risk Management.
PwC (2017). Delivering system wide sustainability: Managing risk in healthcare transformation. England: LLP.
The Orange Book: Management of Risk – Principles and Concepts, (2023). HM Treasury. London.
Vincent, C (2005). Clinical Risk Management. 2nd ed. London: BMJ Books.
Appendix 1: Risk Management Definitions
Term | Definition |
---|---|
Action | A response to control or mitigate risk |
Action Plan | A collection of actions that are specific, measurable, achievable, realistic and targeted |
Assessment | Means by which risks are evaluated and prioritised by undertaking the 4-stage risk assessment process |
Assurance | Confidence based on sufficient evidence that internal controls are in place, operating effectively and objectives are achieved |
Board Assurance Framework | A document setting out the organisation’s strategic objectives, the risks to achieving them, the controls in place to manage them and the assurance that is available |
Consequence (Impact) | The effect on the Trust if a risk materialises |
Control | Action taken to reduce the likelihood and or consequence of a risk |
Gaps in Control | Action to be put in place to manage risk and achieve objectives |
Frequency | A measure of rate of occurrence of an event |
Internal Audit | An independent, objective assurance and consulting activity designed to add value and improve organisations’ operations |
Initial Risk | The score on identification before any controls are added |
Likelihood | Evaluation or judgement of the chances of a risk materialising, expressed as a probability or frequency |
Mitigation | Actions taken to reduce the risk or the negative impact of the risk |
Current Risk Score | The score with controls/ actions in place |
Risk Appetite | The total amount of risk an organisation is prepared to accept in pursuit of its strategic objectives |
Risk Matrix | A grid that cross references consequence against likelihood to assist in assessing risk |
Risk Owner | The person responsible for the management and control of all aspects of individual risks |
Risk Rating | The total risk score worked out by multiplying the consequence and likelihood scores on the risk matrix |
Risk Register | The tool for recording identified risks and monitoring action plans against them |
Risk Tolerance | The degree of variance from the Risk Appetite that the Trust is willing to tolerate |
Strategic Risk | Risks that represent a threat to achieving the Trust’s Strategic Objectives |
Operational Risk | Risks which are a by-product of the day-to-day running of the Trust |
Domain | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
---|---|---|---|---|---|
Compliance: Legislative & Regulatory | No or minimal impact or breach of guidance/ statutory duty | Breach of statutory legislation | Single breach in statutory duty | Enforcement action; multiple breaches in statutory duty | Multiple breaches in statutory duty; inability to meet legislative requirements; breach of law; prosecution |
Quality Outcomes | No/ minimal disruption/ impact to the provision of timely and accurate quality care; near-miss, no harm (physical or psychological) caused | Minor disruption/ impact to the provision of timely and accurate quality care; low physical/ psychological harm | Moderate disruption/ impact to the provision of timely and accurate quality care; moderate physical/ psychological harm | Severe disruption/ impact to the provision of timely and accurate quality care; severe physical/ psychological harm | Permanent loss/ inability to provide timely and accurate quality care; fatal |
People | No injury, or minor injury with no treatment required; aggression/ verbal abuse with minimal impact; no staff sickness/ absence; temporary short-term low staffing levels (less than 1 day) | Minor physical injury, illness or mental health illness requiring minor treatment; physical violence, assault or verbal abuse with minor impact; short-term staff sickness/ absence (less than 3 days); insignificant staff non-attendance at mandatory/ key training (5%); low staffing levels reducing service quality (1-5 days) | Moderate physical injury, illness or mental health illness requiring hospital treatment; physical violence, assault or verbal abuse causing moderate distress; staff sickness/ absence (more than 7 days) and/or RIDDOR reportable; poor staff attendance at mandatory/ key training (6-10%); unsafe staffing levels (1-2 weeks) | Major physical injury, illness or mental health illness requiring long-term treatment or community care intervention; serious physical violence, assault or verbal abuse leading to psychological harm; long-term staff sickness/ absence; frequent poor staff attendance at mandatory/ key training (11-20%); unsafe staffing levels (> 1 month), loss of key staff | Fatality of staff member, life-threatening injury, illness or harm; permanent injury, harm/ incapacity/ disability; significant/ persistent low uptake of staff attendance at mandatory/ key training (>21% or 2 months+); prolonged unsafe staffing levels, loss of several key staff, including industrial action |
Finance | Small budget loss or claim between £0-£5k | Budget loss of 0.1-0.25% or a claim between £5k-£10k | Budget loss of 0.25-0.5% or a claim between £10k-£100k | Budget loss of 0.5-1.0% or a claim between £100k-£1m; uncertain delivery of key objective; purchaser failing to pay on time | Budget loss of >1% or a claim >£1m; loss of significant contract/ income; non-delivery/ failure to meet key objective/ specification |
Reputation | Localised issue, ad-hoc public or political concern | Short-term local media interest, reduction in public confidence and/or local political concern | Sustained local media interest, extending to regional interest, regional public and/or political concern with reduction in public confidence | Regional and/or national media interest with significant public and/or political concern and reputational damage | National media interest, parliamentary interest, public inquiry with loss of public confidence and credibility in NWAS |
Innovation | Minimal or no loss of information containing identifiable data; cyber threat is expected to have negligible impact | Loss/ compromised security of one record containing identifiable data; cyber threat is expected to have limited impact | Loss/ compromised security of 2-100 records containing confidential/ identifiable data; cyber threat is expected to have serious impact | Loss/ compromised security of 101+ records containing identifiable data; cyber threat is expected to have severe or catastrophic impact | Serious breach with potential for identity theft/ compromised security of an application/ system/ facility containing identifiable data; cyber threat is expected to have multiple severe or catastrophic impacts |
Business/ Service | Interruption to provision of NWAS services >1 hour | Interruption to provision of NWAS services >4 hours | Interruption to provision of NWAS services >6 hours; small-scale CBRN attack | Interruption to provision of NWAS services >1 day; medium-scale CBRN attack; accidental fire; outbreak of emerging infectious disease | Prolonged/ permanent loss of NWAS service or facility; loss of critical system; terrorism; large-scale CBRN attack; major fire; pandemic |
Programmes/ Projects | Temporary performance defects causing minor short-term consequences to time and quality | Project expectations not being met | Poor project performance shortfall in area(s) of secondary importance | Poor performance in area(s) of critical or primary objective | Significant failure of the project to meet its critical or primary objective |