Herefordshire CCG Risk Framework


Status: Draft Reviewed: Autumn 2015 Page 1 of 21

Version: 1 Next Review Date: Autumn 2017


Version History

Version | Date Issued | Brief Summary of Change | Author/Contributors
D0.01 | 17/09/2012 | Document created | Lindsey Mclean
D0.02 | 23/09/2012 | Document updated with governance and escalation processes | Mike Emery/Lindsey Mclean
D0.03 | 24/09/2012 | Cross-referencing and Appendix A updated | Mike Emery/Lindsey Mclean
D1.0 | 10/2012 | Agreed by CCG GB | Mike Emery
D2.1 | 6/2015 | Revised policy | Mike Emery
D2.2 | 20/6/2015 | Further updates after feedback from CSU Risk lead & Internal Auditors | Mike Emery/Liz Hill
D2.3 | July 2015 | Updates with feedback from Audit Committee | Mike Emery
D2.4 | October 2015 | Updates from consultation with staff | Mike Emery
D2.4i | December 2015 | Reformatting into new corporate logo | Gillian Pearson/M Emery

Document Location

Document Location | File Name
Q:\CCG\HCCG\1. CCG Policies\2. Draft Policies | HCCG0026 Risk Framework Revised v 2.4 20151109.doc

Document Sign-off

Name | Date | Signature
SMT | 26/09/2012 |
Audit Committee | 09/10/2012 |
GB | October 2012 |
Audit Committee (revised) | July 2015 |

Document Distribution List

Name | Purpose | Department/Organisation
SMT and key managers | For comment and review | Autumn 2015


Contents

1. Introduction .... 4
2. Principles of Risk Management .... 5
2.1 Introduction .... 5
2.2 Step 1 - Identifying Risk .... 7
2.3 Step 2 - Identify Existing Controls And Assess The Risk .... 8
2.3.1 Risk Scoring Matrix – Likelihood .... 8
2.3.2 Risk Scoring Matrix - Impact .... 9
2.3.3 Risk Scoring - Severity .... 12
2.4 Step 3: Determine Additional Controls Required .... 13
2.4.1 The 4T’s of Risk Control .... 13
2.5 Step 4: Implement Additional Control Measures .... 14
2.6 Step 5: Monitor Completion & Effectiveness of Controls Assurance .... 15
3 Assurance Framework .... 17
3.1 Applying the Process to Opportunity Management .... 19
4 Risk Governance and Escalation .... 20
4.1 Risk Governance and Escalation Process – Corporate Risk Register .... 20
4.2 Risk Governance and Escalation Process – Business Area Risk Registers .... 20


1. Introduction

Risk management can be defined “as a means of reducing adverse events occurring in organisations by systematically assessing, reviewing and then seeking ways to minimise their impact or possibly prevent their occurrence.” Risk management brings huge benefit to NHS Herefordshire CCG as it enables us to be positive in the decisions we make.

When we consider potential risks we must remember there is an “upside” as well as a “downside” in whatever we do, and it is important not to focus only on the adverse effects but to balance them with the opportunities that may arise. Through this guidance the CCG aims to manage risk so as to add value by striking the balance between under-managing risks (unaware and therefore no control) and over-managing them (an obsessive level of involvement in the fine details, which could become overwhelming and stifle innovation and creativity).

Risk management is one of the main components of Clinical and Corporate Governance; it requires us to:

- Understand risks that may prevent us from delivering our strategic objectives
- Have clear policies aimed at managing risks and grasping opportunities
- Undertake risk assessments to identify and manage risks and opportunities
- Have action plans and programmes in place to reduce risk.

The full benefits of risk management will only be obtained if there is a comprehensive and coordinated approach which is supported at every level of management throughout Herefordshire CCG. This guidance is intended to be used by all staff and departments in the organisation.

The purpose of this policy is to define and document the CCG’s approach to risk and risk management and to:

- Enable the Governing Body to have an overview of the risks it faces, taking into account all aspects of its business, developing a risk-aware culture throughout the organisation
- Provide assurance to the Governing Body that actions are being taken to mitigate risks to acceptable levels
- Embed consideration and assessment of risk in all aspects of planning, commissioning and delivery
- Ensure a consistent approach to risk management across the organisation
- Assure the public, patients, member practices, staff and our partner organisations that the CCG is managing its risks effectively and appropriately
- Enable resources to be deployed effectively to manage risk
- Enable constant and consistent improvement of healthcare provision and patient experience.

The policy relates to the management of CCG risks. Its scope therefore covers resources directly managed within or by the CCG. Where the activities of other providers and partners in collaborative arrangements, and the actions of other organisations outside the CCG acting on its behalf through commissioning agreements, involve risk that can affect whether the CCG achieves its objectives, these activities and actions come within the scope of this policy.

2 Principles of Risk Management

2.1 Introduction

A risk can be defined as “an uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk is measured by a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives” (OGC Glossary of Terms, 2008).

Risk management brings huge benefits to NHS Herefordshire CCG as it enables us to be positive in the decisions we make.

There are five steps to managing risk:

1. Identify risks from hazards and threat events.
2. Evaluate the level of risk based on the adequacy of existing controls.
3. Determine additional controls required.
4. Implement control measures and action plan.
5. Monitor controls, record and review the assessment, i.e. assurance.

The five steps are described below:

Step 1 - Identify the risks from hazards and/or threats in your area, and factors that could prevent or inhibit delivery of strategic objectives.

Step 2 - Identify the existing controls in place and evaluate the level of risk (likelihood/impact) and the adequacy of the existing controls to reduce risk in your area.

Step 3 - Determine additional controls which may be required to further reduce the risk or threat, ensuring that you allocate a risk owner.

Step 4 - Implement the additional control measures, record and review your assessment on a regular basis:
- Identify audit (including clinical) topics
- Identify future training and development needs
- Address the risks and action plan in the business / service plan

Step 5 - Monitor that identified actions are completed and that these, together with existing controls, are effective, i.e. assurance.

2.2 Step 1 - Identifying Risk

Risk identification is concerned with identifying events that can impact on the business objectives and delivery of services (strategic and operational), i.e. ‘what could happen’ (these objectives are outlined in the annual integrated business plan and CCG clinical strategy). This should be considered from both the positive and the negative side, so ask ‘what could happen if we do’ as well as ‘what could happen if we don’t…’; this will enable confident risk taking and exploitation of opportunities.

Common areas to prompt identification of risk include:

- Clinical: the clinical delivery of health and healthcare and access to services
- Patient Experience/Quality: poor patient experience and unacceptable quality
- Patients/public: understanding their needs; delivery of and access to services and care
- People: risks associated with all employees, managers, directors and Non-Executive Directors
- Operational: delivery of health and social care services, quality of services, continuity of business and clinical governance assurance, i.e. doing the right things in the wrong way
- Finance: losing monetary resources or incurring unacceptable liabilities
- Strategic: successful achievement of the organisation’s objectives, i.e. doing the wrong things as an organisation; missing opportunities
- Reputation: the image of NHS Herefordshire CCG, loss of public confidence
- Legal / Regulatory: non-compliance with standards (CQC), claims against the CCG
- Information: loss or inaccuracy of data, systems or reported information

To manage risks well you need to be explicit about how the events you have listed could impact on what you want to achieve, so that action is focused in the right area. This is done by:

- Identifying the objective/tasks involved in the job or activity you are undertaking; this will help you to break the activity down into its component parts and more easily see the hazards involved, e.g. providing services (clinical or social) to people in their own homes.
- Identifying the hazards/threats: what could prevent this objective/task being achieved, e.g. recruitment difficulties making it hard to employ correctly qualified staff.
- Identifying the consequence/impact: should the hazard or threat be realised, what would happen, e.g. people may not receive necessary clinical or social care, resulting in deterioration in their condition.

Sometimes it can help to phrase the risk or opportunity in three parts: Event – Consequence – Impact.

2.3 Step 2 - Identify Existing Controls And Assess The Risk

Once the risk or opportunity has been identified it needs to be assessed for how likely it is that the event could occur and the impact it will have if it does. This assessment should take into consideration existing controls and their effectiveness.

Typical examples of existing controls include written policies and procedures, staff training, referral or admission criteria and the physical environment. In describing the controls it is important to consider how effective they are, when they were last reviewed or tested, and when staff were last trained. The assessment should be based on the risk scoring matrix below to ensure all risks are assessed objectively. Focus should be on the descriptor, not the number.

Once the levels of likelihood and impact have been assessed, the two scores are multiplied to give an overall objective assessment of the existing (residual) level of risk.

2.3.1 Risk Scoring Matrix – Likelihood

Description and definitions of LIKELIHOOD of RISK occurring:

Level | Description | Probability
5 | Risk almost certain to occur | >50 per cent
4 | Risk likely to occur | 10 to 50 per cent
3 | Risk could possibly occur | 1 to 10 per cent
2 | Risk unlikely to occur | 0.1 to 1 per cent
1 | Risk highly unlikely to occur (rare) | <0.1 per cent

2.3.2 Risk Scoring Matrix - Impact

Each consequence type is scored 1 Insignificant, 2 Minor, 3 Moderate, 4 Major or 5 Catastrophic using the descriptors below.

Financial
1 Insignificant: Overspend of less than or equal to £10,000. Less than or equal to 0.1% of budget.
2 Minor: Overspend in the range of greater than £10,000 to less than or equal to £50,000. Loss of budget greater than 0.1% to less than or equal to 0.25% of budget.
3 Moderate: Overspend in the range of greater than £50,000 to less than or equal to £250,000. Loss of budget greater than 0.25% to less than or equal to 0.5% of budget.
4 Major: Overspend of greater than £250,000 to less than or equal to £2,000,000. Loss of budget greater than 0.5% to less than or equal to 1% of budget.
5 Catastrophic: Overspend of greater than £2,000,000. Loss of budget of >1%.

Service redesign
1 Insignificant: Insignificant cost increase. Minimal project timescale slippage. <5% over project budget.
2 Minor: Minor project timescale slippage. 5-10% over project budget.
3 Moderate: Moderate project timescale slippage. 10-25% over project budget.
4 Major: Major project timescale slippage. A key objective not met. >25% over project budget.
5 Catastrophic: Catastrophic project timescale slippage. Multiple key objectives not met.

Commissioning
1 Insignificant: Some minor impact to the quality and cost effectiveness of commissioning. Manageable within project/team/work stream.
2 Minor: Minor impact on the quality and cost effectiveness of commissioning activities. Less than two week delay to milestones/plans.
3 Moderate: Short term impacts to quality and cost effectiveness of commissioning. Resources used from other parts of the organisation.
4 Major: Significant delays or quality reduction in provision of effective commissioning across multiple work streams (<1 month delay to work stream).
5 Catastrophic: Realisation of risk would prevent the Group from delivering significant services through its contracts with providers to the public.

People - Patient Safety/Safeguarding/staff safety
1 Insignificant: Minimal injury requiring no/minimal intervention. Mortality rates or serious incidents which require routine monitoring.
2 Minor: Major injury or illness, requiring minor intervention. Mortality rates within normal limits or individual serious incidents that require monitoring.
3 Moderate: Moderate injury requiring professional intervention. An increasing mortality rate or serious incident/never event trend requiring monitoring with action plan to mitigate risk.
4 Major: Major injury leading to long-term incapacity/disability. Increased mortality rates or serious incident/never event trend indicating urgent interventions, e.g. improvement plan/contractual action. Well-being jeopardised, abuse, neglect, assault.
5 Catastrophic: Incident leading to death or multiple fatalities. Increased mortality rates or serious incidents/never event trend indicating failure of the service to deliver patient safety, requiring immediate intervention such as suspension of service or escalation.

Quality/Patient experience
1 Insignificant: Peripheral element of treatment or service suboptimal. Unsatisfactory patient experience not directly related to patient care.
2 Minor: Overall treatment or service suboptimal. Single failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced performance rating if unresolved. Unsatisfactory patient experience – readily resolvable.
3 Moderate: Treatment or service has significantly reduced effectiveness. Repeated failure to meet internal standards. Major patient safety implications if findings are not acted on. Mismanagement of patient care – short term effects.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Low performance rating. Critical report. Mismanagement of patient care – long term effects.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards. Totally unsatisfactory patient outcome or experience.

Delivery of Services/Strategic
1 Insignificant: No impact on ability to operate local services.
2 Minor: Could threaten the efficiency or effectiveness of some services but dealt with internally.
3 Moderate: Severe disruption to a service. Non-achievement of local delivery plan.
4 Major: Loss of a service. Loss of stars / reduction in score in national performance review.
5 Catastrophic: Threatens the viability of the organisation.

Organisational Objectives
1 Insignificant: Management information does not meet business requirements.
2 Minor: Service objectives not met or project failures in one service.
3 Moderate: Service objectives not met or project failure in multiple services.
4 Major: Failure to meet one key organisational objective.
5 Catastrophic: Failure to meet multiple key organisational objectives.

Reputation
1 Insignificant: No impact on the reputation of the CCG.
2 Minor: Increase in patient/customer complaints or staff dissatisfaction. Short term reduction in public confidence.
3 Moderate: Negative press in local paper. Greater scrutiny by external bodies, e.g. NHS England or CQC. Moderate loss of public confidence in the CCG.
4 Major: National media coverage with <3 days service well below reasonable public expectation. Long term reduction in public confidence. Intervention by SHA / Central Government.
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectations. Possible international television coverage. External investigation (CQC, HSE, Police). Prosecution. Replacement of Board. MP concerned (questions in House).

Staffing & Human Resources
1 Insignificant: Short-term low staffing level that temporarily reduces service quality (<1 day). No impact on staff morale.
2 Minor: Low staffing level that reduces the service quality (>1 day). Staff dissatisfaction.
3 Moderate: Late delivery of key objective/service due to lack of staff. Increased staff sickness and absenteeism.
4 Major: Uncertain delivery of key objective/service due to lack of staff. High rate of staff leaving & very low staff morale.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe. Inability to recruit or retain. Industrial action.

Legal
1 Insignificant: No breaches of law or local procedures / standards.
2 Minor: Breaches of local procedures / standards.
3 Moderate: Breaches of regulation / national procedures / standards.
4 Major: Breaches of law punishable by fines.
5 Catastrophic: Breaches of law punishable by imprisonment.

2.3.3 Risk Scoring - Severity

The risk rating then equals LIKELIHOOD x IMPACT/SEVERITY:

Likelihood \ Consequence | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic
5 Certain  |  5 | 10 | 15 | 20 | 25
4 Likely   |  4 |  8 | 12 | 16 | 20
3 Possible |  3 |  6 |  9 | 12 | 15
2 Unlikely |  2 |  4 |  6 |  8 | 10
1 Rare     |  1 |  2 |  3 |  4 |  5

Risk Rating:

Extreme Risk 20 to 25 (Red)
Serious Risk 15-16 (Amber)
Moderate Risk 8 to 12 (Yellow)
Low Risk 1 to 6 (Green)

The score of a particular risk will determine at what level decisions on acceptability of the risk should be made and where it should be reported to.

General guidelines are:

Level of risk before mitigation: Extreme (20-25)
Level of risk after mitigation: Extreme or serious risk, score 16 or above
How the risk should be managed: Requires active management and a clear action plan, with assurance to the Governing Body. High impact / high likelihood: the risk requires active management to manage it down when possible and maintain exposure at an acceptable level.
Who to make aware: Audit Committee and CCG Governing Body*. Reviewed monthly by CCG SMT.

Level of risk before mitigation: Extreme and Serious Risk (15-16)
Level of risk after mitigation: Extreme, serious or moderate risks, score 8 or above
How the risk should be managed: Clear action plan and assurance to the lead committee. Significant impact, likely to occur; requires clear actions to mitigate the risk, without which it could become an ‘extreme risk’.
Who to make aware: GB Committees responsible for the functional risk register where the risk resides. Reviewed monthly by CCG SMT.

Level of risk before mitigation: Extreme, Serious and Moderate Risk (8-12)
Level of risk after mitigation: All, including low risk
How the risk should be managed: Contingency plans. A robust contingency plan may suffice, together with early warning mechanisms to detect any deviation from profile.
Who to make aware: Reviewed monthly by CCG SMT.

Level of risk before mitigation: All, including Low Risk (1-6)
Level of risk after mitigation: All, including low risk
How the risk should be managed: Review periodically. Risks are unlikely to require mitigating actions but status should be reviewed frequently to ensure conditions have not changed.
Who to make aware: Reviewed by SRO, Programme Management Office monthly and Programme Managers.

* The Governing Body will receive, in addition to the corporate risks it identifies annually, those ’extreme risks’ that require escalation.

2.4 Step 3: Determine Additional Controls Required

Once risks and opportunities have been identified and assessed for likelihood and impact, this will provide you with a Current/Residual risk rating. The rating will identify those risks where further resources may need to be allocated to reduce the risk. This will be included on the risk assessment form as the Action Plan.

An Action Plan should be completed for all residual risks rated extreme, serious or moderate and should include the following information:

a) Risk Owner - Each risk will be assigned a risk owner who will own and determine how the risk/opportunity will be managed, controlled or exploited.

b) Action Description - A detailed description of the action required to manage or treat the risk. Should the risk be avoided, eliminated, reduced, transferred or accepted? A useful framework for considering these questions is the “4 T’s”.

2.4.1 The 4T’s of Risk Control

Risk Control | Type | Description

Terminate | Stop the activity altogether | Rarely an option in public sector activity, though this may be possible for some non-core activities.

Tolerate | Accept the risk and live with it | Applies to risks within the tolerance threshold or those where the costs of treatment far outweigh the benefits. Should be backed up by appropriate contingency plans, business continuity plans and recovery plans.

Transfer | To a third party or through insurance | Can transfer all or part of the risk. Beware: although responsibility can be transferred, accountability rarely can, so it requires close monitoring.

Treat | Take action to control the likelihood and/or impact | This is where the bulk of the risk management action falls. The purpose of treating a risk is to continue with the activity which gives rise to the risk but to bring the risk to an acceptable level by taking action to control it in some way, through either:
- containment actions (lessen the likelihood or consequences and apply before the risk materialises), or
- contingent actions (put into action after the risk has happened, i.e. reducing the impact; must be pre-planned).

When completing an Action Plan it is important to ensure that:

- The action is proportionate to the risk.
- Consideration is given to whether new risks are caused by the action.
- Controls are SMART – Specific, Measurable, Achievable, Realistic and Timebound.

c) Resources Required – Are resources required to implement the actions and, if so, of what type (i.e. personnel or financial) and how can they be secured? The cost of management and control of the risk should be proportionate to the risk that is being addressed.

d) Target/Review Date – Enter the target date for completion of the action(s) or when the actions will be reviewed. As a guide it is suggested that the following timescales be used:

- Extreme Risk, score 20 to 25 – within 3 months
- Serious Risk, 15-16 – within 6 months
- Moderate Risk, 8 to 12 – within 12 months

e) Target Risk Rating – Unless a risk is terminated it is impossible to remove it completely, and so the risk owner needs to identify what is acceptable as a target.
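The scoring rule of 2.3.3, its rating bands, the escalation routes from the management-response table and the action-plan timescales of 2.4 d), encoded as an added worked example that is not part of the CCG document. The Risk class, score_register and the sample register entries are constructed here for illustration; only the thresholds, labels and routes come from the text above.

```python
"""Risk scoring, banding and escalation as set out in sections 2.3.1-2.3.3 and
2.4 of the framework above.  Added example for this page, not a CCG tool; the
Risk class, score_register and the sample entries are constructed here."""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Rating bands as (low, high, label, RAG colour).  A product of two 1-5 scores
# can never be 7, 11, 13, 14 or 17-19, so the bands cover every reachable
# score even though their ranges look gappy on paper.
BANDS = (
    (20, 25, "Extreme", "Red"),
    (15, 16, "Serious", "Amber"),
    (8, 12, "Moderate", "Yellow"),
    (1, 6, "Low", "Green"),
)

# Suggested action-plan timescales, section 2.4 d); Low risks have none.
DEADLINE_MONTHS = {"Extreme": 3, "Serious": 6, "Moderate": 12}


def _check(score: int, name: str) -> None:
    if score not in LIKELIHOOD:            # both scales run 1-5
        raise ValueError(f"{name} must be an integer from 1 to 5, got {score!r}")


def rating(likelihood: int, impact: int) -> int:
    """Risk rating = LIKELIHOOD x IMPACT (section 2.3.3)."""
    _check(likelihood, "likelihood")
    _check(impact, "impact")
    return likelihood * impact


def band(score: int) -> tuple[str, str]:
    """Map a rating to its (label, colour); rejects scores no 5x5 grid can produce."""
    for low, high, label, colour in BANDS:
        if low <= score <= high:
            return label, colour
    raise ValueError(f"score {score} is not a product of two 1-5 scores")


def escalation(score: int) -> str:
    """'Who to make aware', keyed on the 'level after mitigation' thresholds."""
    if score >= 16:
        return "Audit Committee and CCG Governing Body; reviewed monthly by CCG SMT"
    if score >= 8:
        return "GB Committee owning the functional risk register; reviewed monthly by CCG SMT"
    return "SRO and Programme Management Office monthly, and Programme Managers"


@dataclass
class Risk:
    """One register entry: current (residual) scores plus the owner's target (2.4 e)."""
    ref: str
    event: str
    likelihood: int
    impact: int
    target_likelihood: int
    target_impact: int

    def assess(self) -> dict:
        current = rating(self.likelihood, self.impact)
        target = rating(self.target_likelihood, self.target_impact)
        if target > current:   # a target is what the owner will accept, never worse than now
            raise ValueError(f"{self.ref}: target {target} exceeds current rating {current}")
        label, colour = band(current)
        return {
            "ref": self.ref,
            "descriptor": f"{LIKELIHOOD[self.likelihood]} / {IMPACT[self.impact]}",
            "score": current,
            "band": label,
            "colour": colour,
            "action_plan_required": label != "Low",       # section 2.4
            "deadline_months": DEADLINE_MONTHS.get(label),
            "escalate_to": escalation(current),
            "target_score": target,
            "target_band": band(target)[0],
        }


# Constructed sample entries, not taken from any real register.
SAMPLE_REGISTER = [
    Risk("R-01", "Loss or inaccuracy of reported data", 3, 4, 2, 4),
    Risk("R-02", "Recruitment difficulties delay a key service", 4, 4, 2, 3),
    Risk("R-03", "Minor slippage on a service redesign project", 2, 2, 1, 2),
]


def score_register(register: list[Risk]) -> list[dict]:
    """Assess every entry, highest current rating first."""
    return sorted((r.assess() for r in register), key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in score_register(SAMPLE_REGISTER):
        print(f"{a['ref']} {a['score']:>2} {a['band']:<8} {a['colour']:<6} "
              f"plan={a['action_plan_required']} due={a['deadline_months']} "
              f"-> {a['escalate_to']}")
```

Running it lists R-02 (16, Serious, 6-month plan, Audit Committee and Governing Body) ahead of R-01 (12, Moderate) and R-03 (4, Low, no action plan required).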

2.5 Step 4: Implement Additional Control Measures

It is important to ensure that any new controls are implemented and that the assessment is regularly reviewed. Controls may need to be included in service or business plans or identified as part of future training & development needs.

An essential element of the risk management process is that risks / opportunities can be cascaded up or down according to the levels of risk and available resource – see 2.3 Step 2, Management Response to Risk Rating. For example, a risk identified at specialty level may be managed or contained adequately until a sudden change in the internal or external environment means the service does not have the capacity, authority or resources to manage or contain the risk. The risk is then cascaded up to the next level (e.g. Directorate or Board). The risk is then assessed at that level and its management determined. This clear process enables assurance to the highest level that risks (and opportunities) are being managed at their appropriate level.

2.6 Step 5: Monitor Completion & Effectiveness of Controls Assurance

Circumstances and organisational priorities can, and do, change, and therefore risks, opportunities and their circumstances need to be regularly reviewed. Some risks will move down the priority rating, some may leave, and others will be identified. The risk management process requires that risk owners review their risks each month at Directorate, Departmental or team meetings. That review should incorporate the following questions:

- Is the risk still relevant (what changes have occurred in the internal / external environment)?
- How do I know the controls have been effective – have there been any internal or external reports to provide assurance?
- What progress has been made in managing the risk?
- Given the progress (or not), does the risk score need revising?
- Are any further controls required, and if so what should these be?

Risk management should be included as an item on the agenda of all department management team/Governing Body meetings.

2.7 Accountabilities [revised section]

Risk accountabilities are invested in the following roles:

- The Chief Officer has overall accountability for having an effective Risk Management system in place within the CCG and for meeting all the statutory requirements and adhering to the guidance issued by the Department of Health in respect of Governance.

- The Director of Operations is the executive director for risk management and has delegated responsibility for leading the organisation in responding to Risk and Health and Safety, ensuring systems are in place to manage Health & Safety and that the CCG complies with Health & Safety legislation, including the legal requirements for fire safety. The Director will report through the SMT/Audit Committee on all non-clinical risk management activities.

- The Chief Finance Officer is responsible for all finance risks, control of assets and provisions for liabilities.

- The Executive Board Nurse is the Caldicott Guardian and the Governing Body member with delegated responsibility for aspects of clinical risk management, ensuring quality and governance systems are in place and inclusion of risk management processes in commissioning mechanisms. The Caldicott Guardian will review confidentiality breach and data loss incident assessments for the purposes of ensuring appropriate use of the HSCIC IG Toolkit Incident Reporting Tool.

- The Director of Operations is the Senior Information Risk Owner (SIRO). The SIRO will review confidentiality and information security incident assessments for the purposes of ensuring appropriate use of the HSCIC IG Toolkit Incident Reporting Tool.

- The Chair of the Audit Committee is the Lay Member lead for risk management.

CCG Risk Management Policy.

- The Business Delivery Manager with responsibility for Information Governance will review Information Governance related incidents for the purpose of ensuring appropriate use of the HSCIC IG Toolkit Incident Reporting Tool.

- GP Governing Body Members and SMT members are responsible for the day to day management of risks within their respective areas of responsibility, including assurance that appropriate controls are in place, and that action plans are owned, being progressed and monitored. They must ensure that all staff are aware of the CCG’s Risk Management Policy and guidance, and their individual responsibilities for managing risk. They also take responsibility for Directorate Registers.

- Managers and staff should be familiar with the Risk Management Policy, including Risk Registers and methodologies for risk assessment and risk ratings.

- Contractors and other external staff must be made aware of their responsibilities under health & safety and CCG risk management procedures by the CCG manager responsible for their contract.

Status: Draft Reviewed: Autumn 2015 Page 17 of 21

Version: 1 Next Review Date: Autumn 2017

3 Assurance Framework

The Assurance Framework enables HCCG to be confident (“be assured”) that the responses

applied in the mitigation of risk are operating effectively. Therefore this is a key element of

the risk management process at HCCG. The application of the Assurance Framework will

help the HCCG Governing Body members to collectively consider the process of securing

assurance via a formal structure that promotes good organisational governance and

accountability in order to deliver on its key objectives.

The Framework puts responsibility for the system of internal control at Governing Body level

and this encompasses the following:

Setting appropriate policies on internal control;

Seeking assurance that will enable the Governing Body to satisfy itself that the system

is functioning effectively; and

The Assurance Framework should provide information on where/how risks are being

managed effectively, the controls in place and also identify which of the CCG objectives are

at risk because of gaps in controls or assurance. The Assurance Framework should outline

the following:

Key Controls - Organisations should ensure that they have key controls in place which

are designed to manage their principal risks. Controls should be documented and their

design subject to scrutiny by independent reviewers, e.g. internal and external

auditors. When assessments are made about controls, consideration must be given

not only to the design but also the likelihood of them being effective in light of the

governance and risk management framework within which they will operate - even the

best controls can fail if staff are not adequately trained.

Assurances on Controls - Where can the organization gain evidence that the controls

are effective? The most objective assurances are derived from independent sources

and these are supplemented from non independent sources such as clinical audit,

internal management representations, performance management and self assessment

reports. These assurances can be separated into internal and external assurance

processes.

Where an assurer's report is confirmed as relevant, the organisation must endeavour to confirm that sufficient work has been undertaken in the review to be able to place reliance on the conclusions drawn. The organisation will need to assess whether a review provides:

Positive Assurances - there are sufficient, relevant, positive assurances to confirm the effectiveness of key controls and that the objectives are met. This should be reported to the Governing Body and recorded as a positive assurance.


Gaps in Control - these should be recorded when there is a clear conclusion, based on sufficient and relevant work, that one or more of the key controls on which the organisation is relying are not effective.

Gaps in Assurance - there is a lack of assurance about the effectiveness of one or more of the key controls. This may be as a result of a lack of relevant reviews, or concerns about the scope or depth of reviews that have taken place.

Wherever gaps in response or assurance are identified, an action must be defined and allocated to appropriate responsible persons. In all cases an assessment will need to be made as to the level of risk to which HCCG is exposed as a result of the response failure or assurance gap.

Principal risks cannot be considered in isolation; they will be derived from the prioritisation of risks fed up through the whole organisation, and in this way the Risk Register contributes to the Assurance Framework. Therefore, whilst the development of the Assurance Framework is co-ordinated by the Corporate Team, the risks and the responsibility for providing information on assurance continue to lie with Directors and Senior Managers.

Levels of assurance will be attributed to a response when it is reviewed. The levels of assurance that will be used are displayed in the table below. These levels of assurance will be applied in all cases.

Level - Details

Significant - Taking account of the issues identified, the Governing Body can take substantial assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.

Adequate - Taking account of the issues identified, the Governing Body can take reasonable assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective. However, further action could be taken to improve the effectiveness and efficiency of responses.

Limited - Taking account of the issues identified, whilst the Governing Body can take some assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective, action needs to be taken to ensure this risk is managed.

None - Taking account of the issues identified, the Governing Body cannot take assurance that the responses upon which the organisation relies to manage this risk are suitably designed, consistently applied or effective. Action needs to be taken to ensure this risk is managed.


3.1 Applying the Process to Opportunity Management

Good risk management will also help us to explore and take up opportunities as they are identified. The approach is the same as for risk assessment – we need to ask:

Is there an opportunity we could take to help us achieve our objectives?

What is the likelihood of it happening?

What would be the impact if it did?

What needs to be done – how can we develop this, and what actions are needed to ensure it happens?


4 Risk Governance and Escalation

4.1 Risk Governance and Escalation Process – Corporate Risk Register

The Herefordshire CCG corporate risk register will manage the risks associated with the achievement of the organisation's strategic objectives as well as any major clinical and financial risks. This register will be owned by the CCG Governing Body and be reviewed quarterly.

The Quality, Performance & Finance Committee will have lead roles in reviewing CCG functional risk registers, in particular the Finance and Quality risk registers, on a rolling quarterly basis.

The Audit and Assurance Committee will also review the risk registers to provide assurance that a process is in place to monitor, mitigate and manage risks. It will do this in full on a quarterly basis. The Audit and Assurance Committee may also review functional risk registers from time to time.

The Governing Body Assurance Framework will be reviewed twice yearly by the Governing Body and the Audit & Assurance Committee, to ensure the CCG has the appropriate controls, assurances, processes and actions in place to manage its business and deliver its strategic objectives. This process will be used to inform and assure the Governing Body's forward plan and work programme.

The Audit & Assurance Committee will also review the Assurance Framework, to aid its assurance role, and use it to inform the CCG's audit programme.

The CCG's senior management team (SMT) will review the corporate risk register on a monthly basis, ensuring that risks and actions are reviewed and that the risk register is relevant and resonates with daily business and the hot issues currently facing the organisation. Each member of SMT will also review on a monthly basis those areas of the assurance framework that relate to their business area and ensure it is updated in a timely and appropriate way.

Risks may be added in one of two ways. Any CCG member/employee may add a corporate risk at any time; this will be processed through the Portfolio Office using the specified risk recording template. Alternatively, a risk will be escalated via a business area risk register.

4.2 Risk Governance and Escalation Process – Business Area Risk Registers

Each business area (as detailed in Figure 1) will maintain an individual risk register. All risks identified at this level which are assessed as potential 'extreme risks' will be escalated to the Corporate Risk Register via the Corporate Team.


Clinical Outcomes and Service Transformation Risk Register. The Clinical Outcomes and Service Transformation (COST) risk register will be owned by the Service Transformation Improvement Group (STIG). The Senior Responsible Officer for this register will be the Chair of STIG. The risk register will be reviewed monthly and will form part of the overall STIG report sent to the HCCG formal board. These risks will be re-classified as programme risks and the impact and likelihood reviewed and updated as deemed appropriate. Consideration needs to be given to whether 'primary care' risks are encompassed within this register.

Operations Risk Register(s) (including contracts). The Operations risk register will be owned by the Corporate Team and the Senior Responsible Officer will be the Director of Operations. Any member/employee of HCCG may add an Operations risk via the Corporate Team. The Operations risk register(s) will include key contracts, communications, OD and performance risks.

Finance Risk Register. The Finance risk register will be owned by the Finance function and the Senior Responsible Officer will be the Chief Finance Officer.

Quality and Patient Safety Risk Register. The Quality risk register will be owned by the Quality & Patient Safety Committee. The Senior Responsible Officer for this register will be the Executive Nurse. The risk register will be reviewed monthly and will form part of the overall Quality and Patient Safety Report sent to the HCCG formal board. Any member/employee of HCCG may add a clinical risk via the Corporate Team.

Partnership Risk Registers. The CCG will also take key risks from system risk registers, in particular those of any system-wide partnership programmes, for example the System Resilience or Transformation programmes. These will be reviewed by the key partnership boards (e.g. SRG risks by the SRG group; BCF risks by the Joint Commissioning Board).

