Version: V9
Ratified by:
Finance & Investment Committee
Quality and Safety Committee Audit Committee
Date ratified: 05/12/2023
Job Title of author:
Director Nursing & Allied Health Professions
Reviewed by Committee or Expert Group Quality and Safety Committee
Equality Impact Assessed by:
Related procedural documents
Director Nursing & Allied Health Professions
QSPOL01 Incident Reporting and Management Policy
QSPOL03 Being Open and Duty of Candour Policy
FPOL01 Anti-Crime Policy
HRPOL01 Freedom to Speak Up (Whistleblowing) Policy
Review date: 05/12/2026
It is the responsibility of users to ensure that you are using the most up to date document template – i.e. obtained via the intranet
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version Date
V1 3/03/10 Annie Pearson Ratified New
V2 October 2011 Annie Pearson Ratified Updated
V3 January 2014 Head Quality & Safety Updated
V4 July 2014 Assistant Director Quality & Safety Ratified Review/updated
V5 July 2015 Assistant Director Quality & Safety Total Review
V6 January 2018 Head Quality & Safety Ratified Ratified at January 2018 Board
V7 January 2020 Director Nursing & Allied Health Professions Ratified Ratified at Q&SC, F&RC, Audit and Board January 2020
V8 January 2021 Director Nursing & Allied Health Professions Ratified Update to include Counter Fraud info. No change to review date
V9 December 2023 Director Nursing & Allied Health Professions Ratified Updated to reflect implementation of the new Datix cloud system and new function to hold separate risk registers for each part of the Provide Group
1. Introduction
This document sets out the Provide Group policy for managing risks across Provide CIC and Provide Subsidiary Companies (collectively the Provide Group). The Provide Group will develop an organisational culture that optimises our ability to achieve our strategic objectives while ensuring appropriate management of risks.
This policy sets out aframework for themanagement of risk* acrossthe Provide Group.
Provide Group recognises that identifying hazards* and managing these well, enables invaluable opportunities to continuously improve the care of people who use our services.
Provide Group has an active awareness of risk and how to manage it at the core of all their activities.
Risk Management processes are implemented to achieve a balance between high quality safe care, treatment and rehabilitation of people and the achievement of organisational objectives within a sustainable business framework.
Provide Group recognises that it is vital to develop and maintain systems and procedures which identify and minimise risks to corporate objectives.
The Provide Group Board is committed to an open and honest approach in all matters. All staff are expected to identify and manage risk with openness and transparency
* A hazard is something that can cause harm. A risk is how likely it is to do so
2. Purpose and Scope
Risk Management is about identifying obstacles which hinder achievement of corporate objectives and identify mitigating action required to minimise impact and when required accept the level of risk presented as a result of a balanced critique of the circumstances.
Risk Management also identifies hazards and obstacles that directly impact or has the potential to impact on the provision of safe, effective, caring, responsive and well led services or on our achievement of legal and regulatory requirements.
To manage risk effectively, all staff need to be proactive within their sphere of responsibility to ensure that hazards are identified and risks are assessed, controlled, managed and where appropriate escalated.
The Provide Group Board, its sub- committee’s subsidiary boards and executive team will lead the risk management process across the Provide Group and ensure that assurance is provided to demonstrate the effectiveness of the risk management processes.
Monthly oversight and management of the corporate risk register is delegated to the Risk Management Review Group.
3. Risk Management Approach
Our Approach to Risk Management within the Provide Group is as follows:
• Risk Management Policies will be accessible and communicated to staff
• The benefits of effective risk management will be clearly communicated to all staff.
• Senior managers will be the nominated risk owner where they identify and record risks in their area of responsibility and accountability and will support, promote and lead in risk management.
• The organisational cultures will support well thought out risk taking and innovation by defining the risk tolerance and appetite and promoting effective risk recognition, reporting and management at all levels of the organisation
• Risk Management is everyone’s business and risk management processes will enable prompt reporting and recording of risks and effective oversight of all risks and mitigations from the Board down to service level
• Organisational objectives will be reviewed using a risk approach to support oversight of delivery
• All risks will be identified, assessed and managed whenever significant service changes are made or when managing complexity of contracts and partnership arrangements
• We will ensure information on risk is gathered in a planned, consultative and timely way.
• We will find risk control solutions that address the cause not the symptoms.
• We will ensure our risk management systems are robust and effective and are tested regularly to ensure effectiveness
• When assessing risks we will balance the risks, weighing the cost of reducing risk against resources and the impact in risk reduction that can be achieved.
• We will ensure feedback and learning is shared with staff.
4. Risk Management Responsibilities
The Provide Group Board as the parent company will ensure that effective risk management processes are set in place across the Provide Group.
The Provide Group Board will be made aware of incidents and risks through the board sub- committee reporting structure and process on a bi-monthly basis. The Board will also review the Board Assurance Framework (BAF) at each of its business board meetings.
The Provide Group Board is responsible for:
• Ensuring Provide and subsidiary companies have a single overarching risk management policy in place.
• Reviewing high level risks across the Provide Group on a bi-monthly basis.
• Reviewing any significant resource allocations requested for the execution of the policy, either within the business plan or on ad hoc proposals.
• Ensuring that external assurance is given to the process in place for managing high level risks.
The Board is responsible for defining the risk tolerance to ensure that risk management throughout the organisation is consistent. This is determined on a case-by-case basis to ensure each risk is considered within the appropriate context.
The Provide Group Board has delegated the more detailed oversight of the management of risk across the group of companies to the Risk Management Review Group which feeds into the Finance and Risk Committee, Quality and Safety Committee and Audit Committee.
Quality and Safety Committee
The Quality and Safety Committee (QSC) is a sub-committee of the Board and its duties in relation to risk management are to:
• Receive a risk management report and minutes of Risk Management Review Group including details of significant and high-level risks across the Provide Group. The committee will maintain oversight of the quality and safety impacts of the risks reported and the controls in place to manage or mitigate those risks on a monthly basis.
• Provide assurance to the Provide Group Board that there are robust structures, process and accountabilities in place for identifying and managing all aspects of clinical governance.
• Support the Provide Group Board in achieving success as a standalone, competitive organisation which achieves its objectives and targets and successfully grows, whilst maintaining high standards of clinical governance
• Assure the Provide Group Board that Provide and its subsidiary’s meet statutory and regulatory standards in relation to quality and safety.
Finance and Investment Committee
The Finance & Investment Committee (FIC) is a sub-committee of the Provide Group Board that has responsibility for overseeing the performance and financial management of the Provide Group. It’s duties in relation to risk management are to:
• Receive a Risk Management Report and minutes of the Risk Management Review Group including details of the significant and high-level risks across the Provide Group. The committee will maintain oversight of the financial, business, performance and Human resource impacts of the risks reported and the controls in place to manage or mitigate those risks on a monthly basis.
• Review the content of the Group Board Assurance Framework in order to assure the Provide Group Board that there are robust structures, process and accountabilities in place for identifying and managing performance and finances, including risk management.
• Maintain monthly oversight of all high-level risks, with devolved responsibility to define risk tolerance on behalf of Provide Group Board.
• Consider the risks arising from driving efficiency or not achieving efficiencies across the Provide Group and in their dealings with external organisations and partners.
• Supporting a business-like and value-driven culture that puts customers at the heart of what we do, and which embraces continuous performance development.
• Support Provide Group to achieve success as a competitive group of companies which achieve their objectives and targets and successfully grow.
The Terms of Reference of the Finance & Investment Committee are available from the Group Chief Finance Officer and Company Secretary.
Audit Committee
The Audit Committee is a sub-committee of the Board. It is responsible, for:
• Reviewing the effectiveness of risk management arrangements across the Provide Group through the deployment of audit time and the review of resulting reports
The Terms of Reference of the Audit Committee are available from the Group Chief Finance Officer and Company Secretary.
Risk Management Review Group (RMRG)
The Risk Management Review Group is a subgroup of the Provide Group Board Committees. It is responsible for reviewing the corporate risk register along with the designated risk registers for all areas of the business including the corporate inherent and non-inherent risk registers, divisional risk registers and subsidiary company risk registers
The Risk Management Review Group will:
• Follow the principles set out in this policy to ensure appropriate and effective recording, reporting and management of risks across the Provide Group.
• Escalate to QSC, FIC and Provide Group Board all significant and high risks across the Group and emerging themes or areas of concern such as rising risks via monthly risk reports.
• Review all new risks entered on the risk registers to consider and moderate the risk rating and controls. Gaps in controls will be escalated via the risk report to QSC and FIC and where applicable to subsidiary company Boards.
• Review all risks that are closed to ensure there is a clear and reasonable justification for closure.
• Review all significant and high risks to consider if the rating remains the same or there is a requirement review the rating.
• Review themes and trends of recorded risks and escalate to QSC and FIC where trends indicate a rising risk and where applicable to subsidiary company Boards.
• Review timeliness of risk reviews to ensure risks are being regularly reviewed and updated by the risk owner.
• Review the length of time risks have been opened on the risk register and escalate to QSC and FIC and where applicable to subsidiary company Boards where risks are open longer than 12 months or have passed their target closure date.
• The membership of the RMRG will include a nominated Director from each subsidiary company to enable agreement and coproduction of risk management and provide a feedback mechanism for the subsidiary company Board.
Provide Group Board Committees Subgroups
The Quality and Safety Committee, Finance and Investment Committee and People and Culture Committees have a number of specialty subgroups in place to support the oversight of clinical and corporate governance, there groups will maintain oversight of risks pertinent to their role, providing expertise in the management and control of relevant risks:
• BI Performance Team
• Property Health and Safety Group
• Technology Programme Board
• Learning and Development Strategic Group
• Medicines Management and Safety Group
• Infection Prevention Group
• Strategic Safeguarding Group
• Quality Reference Group
• Harm Free Care Group
• Mortality Review Group
Group Chief Officers, Directors and Assistant Directors
The Group Chief Executive Officer has overall responsibility for having an effective Risk Management system and assurance framework in place within the Provide Group and for meeting all the statutory requirements.
All Group Chief Officers are responsible for reporting significant and high-level risks at every Provide Group business board meeting. Subsidiary company boards will review all subsidiary company risks at every board
All Directors and Assistant Directors will:
• As a fundamental part of their roles be responsible for undertaking a detailed review of all hazards with their service area with managers and team leaders on a regular basis.
• Record all risks on their Provide CIC Divisional or Subsidiary Company risk register on the Datix system where a local risk assessment of a hazard/s and local action plan to mitigate the risk does not provide assurance that the risk can be safely managed locally. All risks rated as moderate, significant or high should be recorded on the relevant Divisional or Subsidiary company risk register for visibility.
• As risk owners review and update their risks on a monthly basis. Ensure all staff within their services are aware of the risk management policy and processes and understand how to recognise, manage and report risks, including identifying any training needs for both clinical, non-clinical staff
All service managers and line managers will:
• Ensure all staff in their area of responsibility are aware of all risks relevant to their area of work and the actions in place to mitigate and control the risk.
• Ensure good staff engagement and involvement throughout the assessment, action planning and communication stages of the risk assessment process.
• Attend to all new risks identified promptly to ensure staff and service user safety is maintained
• Ensure all new risks or worsening risks are escalated to the Director /Assistant Director responsible for the service as soon as practically possible.
Staff Responsibilities
Proactive management of risk is the responsibility of all members of staff no matter where they work within the Provide Group All staff, irrespective of profession, grade or discipline, including locums, must:
• Be vigilant and identify and report any risks or hazards to their line manager
• Comply with incident reporting policies and procedures.
• Participate in risk assessment programmes relevant to the post/specialty.
• Contribute to identifying and implementing risk management solutions to prevent or reduce
• the adverse effects of the risk.
Work to this policy. Employee
Responsibilities for Risk Management
The Health and Safety at Work Act 1974, obliges all members of staff to accept some responsibility for maintaining a safe workplace environment. In practice this means that in carrying out their duties all staff have a responsibility to adopt procedures and to work at all times in a manner which minimises risk. In addition, staff have a right to highlight their concerns about any risk issue, either directly to their manager, or through their appointed health and safety representative, Freedom to Speak Up Guardian, staff side representative or through a member of the Board.
Provide Group is committed to supporting staff in exercising their roles and responsibilities, and re-affirms that where an incident has occurred, no disciplinary action will be taken against staff who can demonstrate they have exercised reasonable clinical judgement and followed the relevant policies and procedures.
Contractors
Specific risks identified by the Provide Group will be shared with any other relevant organisation working in partnership with the Group. Equally, the Group expects that any relevant risks identified by partners contractors or subcontractors will be shared with the organisation.
It is the responsibility of each contractor employed within the Provide Group to ensure that all staff working on their behalf are fully conversant with the health and safety requirements for the activity for which they are engaged and report any risks or issues identified immediately directly to the Provide Group.
6. Board Assurance Framework
The Board Assurance Framework (BAF) is a high-level document that records and provides assurance about progress against the Provide Group strategic corporate objectives and identifies the risk associated with delivery of the objectives, identifying gaps in controls or assurance.
The nominated owner of each corporate objective will consider the risks on the Group risk registers along with other sources of information to update the BAF on a regular basis, ensuring any gaps in controls or risk to delivery and achievement of the objective and the direction of travel is identified
Any significant gaps in controls or serious risks of achieving the corporate objectives should in turn be recorded on the corporate risk register. The Provide Group Board Assurance Framework (BAF) is reviewed by the Board twice yearly
7. Risk Registers
The Provide Group utilising the Datix Risk Management System to record risks across the Provide Group as follows:
The Provide Group Corporate Risk Register
This is the overarching risk register that logs all significant and high risks across the Provide Group as well as any risk that spans all or multiple areas of the Provide Group. All risks on the corporate risk register will be reviewed monthly by the risk owner i.e. the Assistant Director /Director responsible for the service.
Subsidiary Company risk registers
Each subsidiary company within the Provide Group will have their own risk register. All significant and High risks will be escalated to the corporate risk register. All risks will be reviewed and updated on a monthly basis by the risk owners i.e. the Assistant Director /Director responsible for the service.
Divisional Risk Registers
Each Division within Provide CIC will have their own risk register. All significant and high risks will be escalated to the corporate risk register. All risks will be reviewed and updated on a monthly basis by the risk owner i.e. the Assistant Director /Director responsible for the service.
Provide Group Inherent Risk Register
This is the overarching Provide Group risk register where inherent risks are recorded to increase visibility. All significant and High risks will be escalated to the corporate risk register. Inherent risk owners will maintain oversight of these risks and update these 3 monthly or sooner should the risk level change.
8. Definition of Risk
A Hazard is something that could potentially cause harm Risk is “the likelihood that harm or damage may occur and the consequence / severity of the outcome”.
Risk Management is “a systematic process to identify and control risks present in the activities of Provide to the benefit of service users, staff and the public”.
The types of Risks Provide Group might encounter and the source of those risks is shown in the table below. All risks added to the Provide Group risk registers will be categorised to one of these domains to enable the monitoring of themes and trends in within the risk register
Source Hazard
Strategic
Corporate Governance
Clinical, including complaints.
Operational
Financial
Environmental
Legal / Regulatory
Reputational
Technological
Achievement of organisational objectives, workforce issues, financial viability, business continuity planning, competitor behaviour.
Inappropriate organisational structure, conflicts of interest, Fraud, Bribery, Board lack relevant skills
Medication errors, pressure ulcers. Most clinical risks are supported by clinical risk assessment and policies and protocols. Whistle blowing.
Hazards and risks encountered in the daily course of work – e.g. lone working, recruitment problems, supply chain, failure to deliver within agreed terms.
Ability to meet financial commitments, inadequate reserves and cash flow, insufficient insurance cover. Failure to achieve turnover targets
Consequences of actions e.g. pollution, waste, natural disaster.
Failure to follow legislation, judicial proceedings, CQC conditions, regulator enforcement.
Failure to meet needs and expectations of patient, relatives, carers, commissioners and the wider public. Adverse publicity.
The capacity to deal with pace and scale of technological changes, risks inherent in IT systems.
Personal Health, safety and security of individuals including discrimination.
External/ Inherent
9. Inherent Risks
Demographic changes that affect the delivery of objectives, pandemic, expectations change. Consequences of actions e.g. pollution, waste, natural disaster, cyber-attacks.
The Provide Group defines inherent risk as the risks to our business, services and staff that could have a significant impact on our viability or reputation as a result of external factors or factors innate to delivering health and social care services.
Inherent risks are identified and recorded on the Provide Group Inherent risk register. These are risks that are identified and although they cannot be mitigated against in terms of controlling the likelihood, the organisation can prepare by having plans in place to minimise the impact in the event that a risk is realised. This preparation takes the form of business continuity plans.
When an inherent risk is identified, reasonable measures are put in place to minimise impact. There is then little further action to be taken until such time as service delivery radically changes. When further actions to reduce impact become possible these are built into the business continuity plans.
Due to the level of these risks not tending to fluctuate in in the same way as risks that are within the control of Provide. Review of inherent risks is undertaken in full every 3 months with ad hoc reviews in between should the current social climate increase the likelihood of an inherent risk being realised.
The Provide Group Major Incident Plan and Business Continuity Plan contains action cards with designated roles. These plans are reviewed by the Health & Safety Forum and then the Finance & Investment Committee on an annual basis.
10.Risk Appetite and Tolerance
Risk appetite and tolerance are terms regularly used in risk management. They are fundamental in setting the parameters of the risk management framework of an organisation.
This provides the boundaries of what is an acceptable level of risk and what are acceptable levels of control. This provides a cut-off point to prevent innovation and ‘risk taking’ progressing, unchecked, outside of acceptable parameters. This also prevents the organisation from becoming so risk averse that the cost of risk management deems the activity no longer viable.
The Provide Group Board is prepared to take calculated risks to achieve the Group vision and strategic priorities. Agreement of acceptable mitigated levels of risk are defined on a risk-by-risk basis through the risk management process of scrutiny.
Risk Tolerance represents the outer parameters of risk levels acceptable to the business. The Provide Group Board is responsible for defining the risk tolerance to ensure that risk management throughout the organisation is consistent.
The Provide Group Board will tolerate the temporary hazards associated with the operation of activities beyond a particular definition of risk outlined as high, significant, moderate or low on the basis that a satisfactory explanation, action plan with responsibilities and a proposed timeline is provided regarding the treatment, transfer, termination or tolerate (acceptance of the higher level of risk) is provided and approved by the appropriate level of management.
Risk appetite is about what the organisation does want to do and how it goes about doing it, whilst remaining within the predefined risk tolerance. Risk appetite will fluctuate dependent on the nature of the objective.
The Provide Group Board will not accept a risk which threatens to undermine the achievement of its objectives across the entirety of the activities of the organisation. Our appetite for risk is expressed in terms of the definitions of impact set out in our risk management policy regarding customers and our services, long term financial stability, health and safety and technology. This is modelled on the National Patient Safety Agency Consequence matrix.
11.Incident Reporting
There is a system for incident reporting throughout the Provide Group described in the Provide Group Incident Reporting and Management Policy.
The reporting of incidents, including “no harm” incidents, is a fundamental element of the identification of risk, therefore this process is given a high profile and all staff are actively encouraged to report incidents and near misses
12.Risk Assessment Process
Managers at all levels have an important part to play in Risk Management by ensuring that they respond quickly and decisively to any reports of adverse incidents or complaints by staff or service users.
Risk assessment is the act of identifying possible risks, calculating how likely they are to happen and estimating what effects they might have, in other words, the process of calculating how much risk is involved in a particular action or situation.
Provide manages risk as follows:
• Use recommended methods of assessing risks where they are measurable and keep a risk register. Those risks that are not immediately measurable will still be assessed using professional judgement
• Undertake continuous assessment of exposure to risk across all activities and ensure that sufficient risk management resources are available to promote, support and maintain a high profile for risk management throughout the Provide Group.
• Use a mixture of bottom up and top-down methods for assessing risk and attempt to measure the impacts where possible.
The risk assessment process and approach will be consistent across the Provide Group and be adopted for clinical and non-clinical issues i.e. all risks.
Risk assessments should identify the significant risks arising out of the tasks/activities undertaken within the organisation and assess their potential to, for example:
• Cause injury or ill health to people
• Result in complaints / civil claim/ litigation
• Result in enforcement action e.g. from the Health and Safety Executive
• Cause damage and loss to assets
• Result In operational/service delays
• Result in loss of reputation
• Result in financial loss
Risk analysis
Risk analysis uses descriptive scales to describe the magnitude of potential consequences and the likelihood that those consequences occur.
Provide uses a 5 by 5 matrix technique for both “proactive” risk assessments and “reactive” adverse incident forms. Use of the matrix enables a list of prioritised risks to be developed with an indication of the action that may be required and highlights the most significant risk issues to be considered by the Risk Management Review Group, the Quality and Safety Committee, the Finance and Risk Committee and subsequently the Board.
Table 1: Consequence score (C)
To establish the consequence of a risk, choose the most appropriate domain for the identified risk from the left-hand side of the table then work along the columns in same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column.
Consequence score (severity levels) and examples of descriptors 1 2 3 4 5
Domains Negligible Minor Moderate Major Catastrophic Impact on the safety of patients, staff or public (physical/ psychological harm)
Minimal injury requiring no/minimal intervention or treatment No time off work required
Minor injury or illness requiring minor intervention Requiring time off work for <3 days
Increase in length of hospital stay by 1–3 days
Quality/complain ts/audit Peripheral element of treatment or service sub-optimal Informal complaint/inquiry
Human resources/ organisational development/ staffing/compete nce
Short-term low staffing level that temporarily reduces service quality (<1 day)
Statutory duty/ inspections No or minimal impact or breech of guidance/ statutory duty
Adverse publicity/ reputation
Rumours Potential for public concern
Overall treatment or service suboptimal Formal complaint (stage1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Reduced performance rating if unresolved
Low staffing level that reduces service quality
Moderate injury requiring professional intervention Requiring time off work for 4–14 days
Increase in length of hospital stay by 4–15 days.
RIDDOR/agency reportable incident
An event which impacts on a small number of patients
Treatment or service has significantly reduced effectiveness Formal complaint (stage 2)
Local resolution (with potential to go to independent review) Repeated failure to meet internal standards
Major patient safety implications if findings are not acted on
Major injury leading to long-term incapacity/ disability
Requiring time off work for >14 days
Increase in length of hospital stay by >15 days. Mismanagement of patient care with longterm effects
Incident leading to death
Multiple permanent injuries or irreversible health effects
An event which impacts on a large number of patients
Business objectives/ projects
Insignificant cost increase/ schedule slippage
Breech of statutory legislation Reduced performance rating if unresolved
Local media coverage – short-term reduction in public confidence Elements of public expectation not being met
<5 per cent over project budget
Schedule slippage
Late delivery of key objective/ service due to lack of staff
Unsafe staffing level or competence (>1day)
Low staff morale
Poor staff attendance for mandatory/key training
Single breech in statutory duty
Challenging external recommendations/ improvement notice
Local media coverage –long-term reduction in public confidence
Non-compliance with national standards with significant risk to patients if unresolved
Multiple complaints/ independent review
Low performance rating
Critical report
Incident leading to totally unacceptable level or quality of treatment/service
Gross failure of patient safety if findings not acted on
Inquest/ ombudsman inquiry
Gross failure to meet national standards
Uncertain delivery of key objective/service due to lack of staff
Unsafe staffing level or competence (>5 days)
Loss of key staff
Very low staff morale No staff attendance for mandatory/key training
Enforcement action
Multiple breeches in statutory duty
Improvement notices
Low performance rating Critical report
National media coverage with <3 days service well below reasonable public expectation
Non-delivery of key objective/service due to lack of staff
Ongoing unsafe staffing levels or competence
Loss of several key staff No staff attending Mandatory training/key training on an ongoing basis
Multiple breeches in statutory duty
Prosecution
Complete systems change
required
Zero performance rating
Severely critical report
National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House)
Total loss of public confidence
5–10 per cent over project budget Schedule slippage
Non-compliance with national 10–25 per cent over project budget
Schedule slippage Key objectives not met
Incident leading >25 per cent over project budget
Schedule slippage Key objectives not met
Claim less than
£10,000
Domains Negligible Minor Moderate Major Catastrophic Finance including claims Small loss Risk of claim remote
Service/business interruption Environmental impact
Impact on the safety of patients, staff or public (physical/psychol ogical harm)
Loss/interruption of >1 hour. Minimal or no impact on the environment
Minimal injury requiring no/minimal intervention or treatment No time off work
Additional examples Incorrect medication dispensed but not taken
Incident resulting in a bruise/graze
Delay in routine transport for patient
Loss/interruption of >8 hours
Minor impact on environment
Minor injury or illness requiring minor intervention
Requiring time off work for <3 days
Increase in length of hospital stay by 1–3 days
Claim(s) between £10,000 and £100,000
Loss/interruption of >1 day
Moderate impact on environment
Moderate injury requiring professional intervention
Requiring time off work for
4–14 days
Increase in length of hospital stay by 4–15 days
RIDDOR/agency reportable event
An event which impacts on a small number of patients
Wrong drug or dosage administered, with no adverse effects
Physical attack such as pushing, shoving or pinching, causing minor injury
Self-harm resulting in minor injuries Category 1 pressure ulcer
Laceration, sprain, anxiety requiring occupational health counselling (no time off work required)
Wrong drug or dosage administered with potential adverse effects
Physical attack causing moderate injury
Self-harm requiring medical attention
Category 2/3 pressure ulcer
Healthcare-acquired infection (HCAI)
Incorrect or inadequate information /communication on transfer of care
Vehicle carrying patient involved in a road traffic accident
Slip/fall resulting in injury such as a sprain
Claim(s) between £100,000 and £1 million
Purchasers failing to pay on time
Loss/interruption of >1 week
Major impact on environment
Major injury leading to long-term incapacity/ disability
Requiring time off work for >14 days
Increase in length of hospital stay by >15 days
Mismanagement of patient care with longterm effects
Loss of contract/ payment by results
Claim(s) >£1 million
Permanent loss of service or facility
Catastrophic impact on environment
Incident leading to death
Multiple permanent injuries or irreversible health effects
An event which impacts on a large number of patients
Wrong drug or dosage administered with adverse effects
Physical attack resulting in serious injury
Category 4 pressure ulcer
Long-term HCAI
Retained instruments/ material after surgery requiring further intervention
Haemolytic transfusion reaction
Slip/fall resulting in injury such as dislocation /fracture/ blow to the head
Loss of a limb
Post-traumatic stress disorder
Failure to follow up and administer vaccine to baby born to a mother with hepatitis B
Unexpected death
Suicide of a patient known to the service in the past 12 months
Homicide committed by a mental health patient
Large-scale cervical screening errors
Removal of wrong body part leading to death or permanent incapacity
Incident leading to paralysis
Incident leading to long-term mental health problem
Rape/serious sexual assault
To establish the likelihood of a risk, the frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.
Likelihood score 1 2 3 4 5
Descriptor Rare Unlikely Possible Likely Almost certain Frequency
How often might it/does it happen The event may occur only in exceptional circumstances
The Provide Group will use a 5 x 5 risk scoring matrix to grade the level of risks recorded in the risk registers. The scores are achieved by selecting the likelihood of the risk occurring and the consequences that could arise as a result. By multiplying the likelihood and consequence scores together the overall risk score is achieved. The risk score defines whether a risk is graded as high, significant, moderate or low
Table 3 Risk scoring = Likelihood x Consequence (L x C)
1
Within the Provide Group risks are scored and reported as Low, Moderate, significant or High. The table below demonstrates the rating and score descriptors
Rating Score Descriptor
High 25 It is almost certain these risks could result in major or catastrophic consequences
High 20 It is almost certain to result in major consequences or It is likely to result in catastrophic consequences
High 16 It is likely to result in major consequences
Significant 15 It is almost certain to result in moderate consequences or It is possible to result in catastrophic consequences
Significant 12 It is likely to result in moderate consequences. It is possible to result in major consequences
Moderate 10 It is almost certain to result in minor consequences or It is unlikely but could result in catastrophic consequences
Moderate 9 It is possible to result in moderate consequences
Moderate 8 It is likely to result in minor consequences or It is unlikely but could result in major consequences
Moderate 6 It is possible to result in minor consequences or It is unlikely but could result in moderate consequences
Moderate 5 It almost certain to result in negligible consequences or It is rare but could result in catastrophic consequences
Low 4 It likely to result in negligible consequences or It is unlikely but could result in minor consequences
Low 3 It is possible to result in negligible consequences or It is rare but could result in moderate consequences
Low 2 It is unlikely but could result in negligible consequences. It is rare but could result in minor consequences
Low 1 It is rare but could result in negligible consequences
13.Risk Register
When the Provide Group risks have been identified, each one will be analysed in order to assess what is the likelihood of it recurring and what the likely impact would be. The culmination of this process is the prioritisation of the identified risks, within the Risk Register, in order to create a manageable programme.
The Risk Register enables risks to be assessed against each other, and provides a basis to facilitate decision-making regarding risk control and resource allocation.
Provide Group will maintain an up to date Provide Group Risk Register which will capture data from a variety of sources including:
• Provide objectives
• Business Plan
• Incident reports
• Consultation and observation
• Surveys, inspections, assessments and audit
• Contingency and major incident plans and disaster recovery
• Risk assessments
• Medical records
• Health and Safety reviews
• Claims and complaints
• Task/process analysis
• Equipment purchase/modification
• National initiatives
• Financial information and risks
• Benchmarking
The Provide Group Risk Register will identify:
• Risks that Provide Group can control directly and plan to set up control mechanisms to reduce the possibility of the events occurring
• Risks to which Provide Group are exposed but cannot directly influence
• Plans to reduce the impact on staff, customers and the organisation
Risk Treatment
Once a risk has been identified, analysed and prioritised it will be treated appropriately. It is important for Provide Board to define the level of risk, which is acceptable within the Provide Group by definition, once this has been established all other risks become unacceptable.
Risk Management Responsibilities
Level of Risk Risk rating
Low Risk score L1 – L4
Moderate Risk score M5 – M10
Significant Risk score S12 - S15
High Risk score H16 - H25
Risk accepted by Provide Group Board & managed by local manager
Risk accepted by Provide Group Board & managed by local manager
Risk accepted by Provide Group Board and managed by Assistant Director / Head of Service
Risk accepted by Provide Group Board and managed by Assistant Director / Head of Service or Director as appropriate, supported by the Audit, FRC or Quality & Safety Committee as appropriate.
This hierarchy enables the Risk Management decision to occur as near as practicable to the risk source. At the identified level, the responsible manager will treat the risk by taking appropriate action. Where a risk rating exceeds a threshold, it will be escalated to the next level within the risk management responsibility hierarchy.
In some instances, effective management of the risk will involve the deployment of resources. Where this is in excess of the funding available within the service budgets, the request will need to be considered by the relevant senior manager, Quality and Safety Committee, Finance and Risk Committee or ultimately the Board for approval.
14.Operational Framework
Policies Procedures and Guidelines
It is important to have up-to-date, easily understood policies, procedures/protocols, guidelines and standards in relation to risk reduction. The Provide Group Board and Quality and Safety Committee will ensure that these are
• Up to date
• Available to those who need to use them
• Put into action as required
A process for self-assessment must be in place to ensure:
• Clinical risks are systematically assessed with programmes in place to reduce the risk
• Procedures are in place for identifying and acting upon poor performance
• Incident reporting which ensures adverse events are identified openly investigated, lessons learnt and promptly applied
• Clear procedures are in place for staff to report any concerns so that early action can be taken
15.Training
All new staff are required to undergo a formal induction programme in line with the corporate induction policy There is provision for staff to undertake supplementary risk training and root cause analysis training.
Managers are also required to complete the IOSH Managing Safely course. All risk owners will receive Datix training to ensure accurate and effective recording and updating of risks on the risk register.
16.Systems for Monitoring the Effectiveness of the Policy
Monitoring of risk management systems and processes will be undertaken by the various control groups described in this policy:
The Provide Group is - audited via internal auditors to ensure there are internal assurances of its risk management processes. Recommendations that are identified from these audits are reported to the Finance and Risk Committee, Quality and Safety Committee and Audit Committee and action plans put in place and monitored to completion. Actions may be delegated to the Risk Management Review group as appropriate.
NHS Resolution require that there are risk management processes in place that are implemented and monitored.
The Care Quality Commission Essential Standards for quality and safety require that there are risk management processes in place. Provide self-assesses against these outcomes and any areas of non-compliance that are identified are amalgamated into an action plan and monitored through the Quality and Safety Committee
17.Approval and Review Mechanisms
The Risk Management Review Group will review the policy in line with review timescales stipulated within the Management of Procedural Documents Policy and submit for formal ratification in line with this document
19.Risk Management Process
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’
Name of project/policy/strategy (hereafter referred to as “initiative”):
Provide Group Risk Management Policy
Provide a brief summary (bullet points) of the aims of the initiative and main activities:
This document sets out the Provide Group policy for managing risks across the organisation. Provide Group will develop an organisational culture that optimises our ability to achieve our strategic objectives while ensuring appropriate management of risks
Project/Policy Manager: Director Nursing & Allied Health Professions Date: 16/06/2023
This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.
Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.
Equality Neutral
Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?
Equality Neutral
Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.
This initiative does not warrant a more in-depth review. All parties will benefit equally and the document will be reviewed in line with Provide Group’s Management of Procedural Documents Policy
Guidelines: Things to consider
Equality impact assessments at Provide take account of relevant equality legislation and include age, (i.e. young and old,); race and ethnicity, gender, disability, religion and faith, and sexual orientation.
The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.
Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?
It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:
(To be used where the ‘screening phase has identified a substantial problem/concern)
This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.
Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?
Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?
Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?
Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.
Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?
Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.
Guidelines: Things to consider
An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.
It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.
The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.
If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.
Further information:
Useful Websites www.equalityhumanrights.com Website for new Equality agency www.employers-forum.co.uk – Employers forum on disability www.efa.org.uk – Employers forum on age
© MDA 2007 EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage One: ‘Screening’
