
RISK MANAGEMENT PROCEDURE

November 2006

Contents

1. Introduction

2. Responsibilities

3. The Approach

3.1 Risk Identification

3.2 Risk Analysis and Assessment

3.3 Risk Treatment and Control

3.4 Risk Reporting - The Risk Register

3.5 Communication and Training

3.6 Monitoring and Review

Appendices

A Categories of Risk

B Risk Form

C Flowchart

1. Introduction

1.1 The Risk Management Strategy, which sets out the organisation’s approach to
risk, was approved by the PCT Board in October 2006.

1.2 This procedure document provides detailed guidance to PCT managers
regarding the operation of the risk management system outlined in the
Strategy. It highlights the processes to be followed and the responsibilities of
the managers and staff involved. The procedure is intended to ensure
compliance with the Risk Management Strategy and facilitate a consistent
approach to risk across the PCT.

1.3 Risk management is part of every manager’s day to day responsibilities – it
should inform judgements about the appropriateness of policy options or
service delivery methods and as such should be integral to both strategic and
operational management.

1.4 The term “risk” in this procedure document is intended to encompass all risks
facing the PCT, including organisational, financial and clinical.

2. Responsibilities

2.1 The PCT Board is responsible for overseeing the effective management of risk.
The Chief Executive, as Accountable Officer, has overall responsibility for
governance and risk management. The Integrated Governance Committee will
ensure, on behalf of the Board, that appropriate risk management processes
are in place.

2.2 The Assistant Director of Corporate Services maintains the PCT’s Risk
Registers and is responsible for advising on risk.

2.3 Directors are responsible for ensuring that risk is managed effectively within
their own directorates. Line managers are responsible for managing and
reviewing risks within their own departments and ensuring that the Risk
Register is updated on a regular basis.

2.4 All staff have a responsibility to work with their departmental manager to
identify and manage risks.

3. The Approach

3.1 Risk Identification

3.1.1 Each director will be responsible for co-ordinating the systems for identifying
risks within their own directorate. Individual directors should nominate lead
managers to take responsibility for this function within their directorates.

3.1.2 The director (or lead manager) should liaise with each manager within their
directorate to ensure that they are aware of their duties regarding the risk
management system. It is the responsibility of each manager to identify the
risks associated with their particular operational area. As part of this risk
identification process, managers should seek the involvement and comments
of their staff. This will enable ownership of the process to be shared throughout
the PCT.

3.1.3 It is recommended that the ‘top down’ approach to the identification and
consideration of risks within each department should be undertaken formally at
least twice per annum and linked to the production of the Local Delivery Plan.
Risks are also likely to be identified on a ‘bottom up’ ad hoc basis.

3.1.4 Risks identified by either the top down or bottom up approach should be
considered against the organisational/departmental objectives. Managers
should consider with their staff what they perceive to be the risks to achieving
each of these objectives. Appendix A outlines a number of risk types that
managers may wish to consider when undertaking the formal risk
assessments. The categories included in the Appendix are not considered to
be exhaustive and some will not be applicable to all departments.

3.1.5 Details of all risks identified must be recorded by the departmental manager on
a Risk Form (Appendix B).

3.1.6 The completed Risk Form will be sent to the relevant director for approval, who
will then forward to the Assistant Director of Corporate Services in order that
details can be entered onto the Risk Register. The departmental manager
should retain a copy of each Risk Form completed.

3.1.7 Although the top down process should be undertaken formally twice per
annum, all managers and staff should be encouraged to consider their actions
and functions in terms of risk at all times. Any additional risks identified outside
of the formal review process should be discussed with the departmental
manager and a Risk Form completed and sent to the relevant director as soon
as possible.

3.1.8 Risks may also be identified from a number of other sources including:

• Work place risk assessments
• Clinical audit reports and reviews
• Incident reports
• Complaints
• PALS reports
• Patient surveys
• External and internal audit reports
• External reviews and reports e.g. Health and Safety Executive,
Healthcare Commission, National Patient Safety Agency
• Business Plan Performance Reports
• Controls Assurance
• Alerts

3.2 Risk Analysis and Assessment

3.2.1 In order to decide how to handle risk, it is essential not only to identify that a
certain risk exists, but also to evaluate its significance. The Risk Form will
include the departmental manager’s assessment of the risk.

3.2.2 Risk analysis may concentrate on impacts in one area only or on several
possible areas of impact. Areas of impact include the following:

• Asset and resource base (of the organisation, including personnel)
• Revenue
• Costs
• People
• Community
• Performance
• Timing and scheduling of activities
• The environment
• Intangibles (such as reputation, goodwill etc)
• Organisational behaviour

3.2.3 The significance of the identified risk will be assessed in terms of likelihood,
and consequence, each of which will be categorised on a scale of 1 to 5. The
following is intended to assist in the assessment of risk:

QUALITATIVE MEASURE OF LIKELIHOOD

Level  Descriptor   Description
1      Rare         Extremely unlikely. May only occur in exceptional circumstances. Has never occurred before.
2      Unlikely     Unlikely to occur/re-occur, but possible. Occurred less than once per annum.
3      Possible     May occur/re-occur, but not definite. Has previously occurred once or twice per annum.
4      Likely       Will probably occur/re-occur. Has happened several times per annum before.
5      Very Likely  Continuous exposure to risk. Has happened before regularly and frequently.

QUALITATIVE MEASURE OF CONSEQUENCE

Level  Descriptor   Description
1      Minimal      Financial loss <£10. No or little impact on working arrangements. No injuries.
2      Minor        Financial loss between £10 and £1,000. Slight impact on working arrangements. First aid required.
3      Moderate     Financial loss between £1,000 and £50,000. May affect achievement of some objectives. Medical treatment required.
4      Major        Financial loss between £50,000 and £250,000. Likely to affect achievement of some objectives. Extensive injuries.
5      Severe       Financial loss >£250,000. Likely to affect achievement of multiple objectives. Death.

3.2.4 The risk matrix is reproduced below.

Green: Low; Yellow: Moderate; Amber: Significant; Red: High

                      Consequence
                  1     2     3     4     5
Likelihood   1    1     2     3     4     5
             2    2     4     6     8    10
             3    3     6     9    12    15
             4    4     8    12    16    20
             5    5    10    15    20    25

3.2.5 The above approach does not automatically identify which areas of risk require
greatest attention. However, it will help to inform discussion about which risks
are most significant and what action is required to address them. The risks
that score the most points are likely to be those which most demand some
form of control action and those risks which are assessed as “Significant” or
“High” should be given particular attention.

3.2.6 If the Director or the Assistant Director of Corporate Services disagrees with
the original assessment of the risk, this will be discussed with the lead
manager before the risk is entered onto the Risk Register.

3.3 Risk Treatment and Control

3.3.1 The selection of the most appropriate option for treating risks involves
balancing the cost of implementing each option against the benefits derived
from it. Where large reductions in risk may be obtained with relatively low
expenditure, such options should be implemented. Further options for
improvement may be uneconomic and judgement needs to be exercised as to
whether they are justifiable.

3.3.2 The Strategy outlines four possible responses to identified risks:

• Avoidance (or Terminate) – Some risks will only be treatable, or
containable to an acceptable level by terminating the activity.
• Reduction (or Treat) – The purpose of treatment is not necessarily to
remove the risk, but may reduce it to an acceptable level.
• Transfer – For some risks the best response may be to transfer them. This
might be done through insurance (where appropriate) or by paying a third
party to take the risk in another way.
• Retention (or Tolerate) – The ability to take action to mitigate some risks
may be limited, or the cost of action may outweigh the potential benefit
gained. In these cases the response may be toleration.

3.3.3 The arrangements for risk treatment and control, outlined in the Strategy, are as
follows:

High Risk (15 – 25)
All risks graded as “High” will be notified by the Director responsible to the
Assistant Director of Corporate Services immediately, who will advise the
Integrated Governance Committee in order that specific action be considered
and taken where necessary. Wherever possible the activity should be
terminated until the risk is reduced to an acceptable level.

Significant Risk (8 – 12)
All risks graded as “Significant” will also be notified by the Director responsible
to the Assistant Director of Corporate Services immediately, who will advise
the Integrated Governance Committee in order that specific action be
considered and taken where necessary. These risks are not normally
acceptable and action should be taken to either remove them or reduce the
risk to an acceptable level.

Medium Risks (4 – 6)
These risks are the maximum acceptable by the PCT, providing they are
effectively controlled. They should, however, be monitored as the likelihood or
impact could increase in the future.

Low Risks (1 - 3)
These are not significant now and are not likely to increase in future.

3.4 Risk Reporting - The Risk Register

3.4.1 All identified risks will be recorded on the Risk Register, maintained by the
Assistant Director of Corporate Services.

3.4.2 All risks classified as “High” or “Significant” will be used to inform the
Assurance Framework.

3.4.3 The Risk Register will be used to generate regular reports to line managers
and directors to enable them to monitor the risks within their own areas of
responsibility as well as the periodical reports to the Integrated Governance
Committee and the Board.

3.5 Communication and Training

3.5.1 Effective internal communication of the Risk Management Strategy and
process will be required to ensure that all members of staff are familiar with its
aims and objectives.

3.5.2 The Assistant Director of Corporate Services will provide training in the
operation of the risk management processes as required to directors and
managers. In addition, risk management will be included as a topic on the PCT
induction courses.

3.6 Monitoring and Review

3.6.1 Having identified the risks and determined a plan of remedial action, it is
essential that assurance regarding the effectiveness of the action is obtained.

3.6.2 All responsible managers will provide periodical updates, as required, to the
Assistant Director of Corporate Services regarding the progress made in
reducing/removing risks. This information will be used to update the Risk
Register which will be the source of monitoring reports for the Integrated
Governance Committee and directors.

3.6.3 The Integrated Governance Committee will be responsible for the ongoing
monitoring and review of the Risk Management Strategy and the effectiveness
of the risk management processes. In addition an Annual Risk Management
Report will be presented to the Integrated Governance Committee and the
Primary Care Trust Board.

3.7 Summary

3.7.1 Appendix C summarises the risk management process diagrammatically.


AEP16.11.06

Appendix A
CATEGORIES OF RISK

Financial

Budgetary            Availability or allocation of resources.
Capital investment   The making of appropriate investment decisions.
Fraud or theft       Unproductive loss of resources.
Information          Adequacy of information used for decision making.

Environmental

Environmental        Fuel consumption, pollution, etc.

Political/Economic

Infrastructure       Transport systems for staff, power supply systems, suppliers, business relationships with partners, dependency on internet and e-mail.
Economic             Economic factors such as interest rates, exchange rates, inflation.
Legal & Regulatory   Laws and regulations which if complied with should reduce hazards.
Market               Competition and supply of goods.
Reputational         Public reputation of the organisation and consequent effects.

Human Resources/Human Behaviour

Personnel            Availability and retention of suitable staff.
Health and Safety    Relating to the wellbeing of people.

Natural Events

“Act of God”         Fire, flood, earthquake.

Technological

Technological        Use of technology to achieve objectives.
Project              Project planning and management procedure.
Innovation           Exploitation of opportunities to make gains.

Appendix B
Gloucestershire Primary Care Trust

Risk Form

The responsible manager should complete this form by reference to the Risk
Management Procedure. The form should then be forwarded/e-mailed to the relevant
Director for approval, who should in turn forward/e-mail to the Assistant Director –
Corporate Services in order that the details can be entered onto the PCT’s Risk
Register.

Directorate:
Department:
Location:
Clinical Group:
Date of completion:
Name of responsible manager completing:
Details of risk:
Existing Likelihood (1 to 5):
Existing Consequence (1 to 5):
Existing Significance (Likelihood x Consequence):
Existing Controls:
Proposed Action/New Controls:
Additional cost of Proposed Action/New Controls:
Planned implementation date:
Residual Likelihood (1 to 5):
Residual Consequence (1 to 5):
Residual Significance:
Manager(s) responsible for proposed action:
Director agreeing risk significance and remedial action:
Date of approval:

Appendix C
RISK MANAGEMENT PROCESS
[Flowchart with four columns, left to right: Line Manager; Director; Asst Director Corporate Services; Board/Integrated Governance Committee]

Line Manager: Risk identified. Risk analysed (Likelihood & Consequence). Proposed Action Plan determined. Risk Form completed.
Director: Risk Form received. Appropriateness of action plan agreed. Form signed.
Asst Director Corporate Services: Risk Form reviewed, details entered onto the Risk Register.
Line Manager: Action plan implemented.
Director: Action reviewed as part of performance monitoring.
Line Manager: Updates provided to Director (or Assistant Director Corporate Services) on request.
Director: Updates requested/provided as required.
Asst Director Corporate Services: Periodical updates/assurances regarding action plans sought. Details of progress entered onto the Risk Register. Risk ratings amended as appropriate.
Asst Director Corporate Services: Report produced.
Line Manager, Director and Board/Integrated Governance Committee: Report reviewed.
