Risk management

Understanding the Theory and Process of Strategy Development: Risk Management

Introduction

Good risk management awareness and practice at all levels is a critical success factor for any organisation. Risk is inherent in everything that an organisation does: treating patients, determining service priorities, project management, taking decisions about future strategies or even deciding not to take any action at all.

In the NHS, risks are managed continuously - sometimes consciously and sometimes without realising it. But often risks are not managed systematically and consistently. There is a need to adopt a systematic and consistent approach to risk management applied to all NHS bodies, and to all functions and activities within each of these organisations.

On the next page we illustrate just one approach, one tool, for assessing risk; this one is typically used for assessing risk in a project. These aspects are covered in more detail in the Project Management modules.

Assessing the Risks

There are two factors to take into account when assessing risks in undertaking a Project:

  1. How likely is it to happen?

  2. How serious will it be if it does?

Using this approach, for each potential or perceived risk you should aim to rate each of these two factors on a scale of one to five. For instance, if you were assessing the risk of a labour dispute, you might decide it was fairly unlikely (2), but that the results would be very serious (4). You then multiply the two figures together (= 8) which will give you a figure between one and ten. The higher the figure, the more seriously you need to treat the risk. The tables below set out a common approach, used across the NHS.

QUALITATIVE MEASURES OF CONSEQUENCE

LEVEL DESCRIPTOR DESCRIPTION
1 Minor
  • Injury requiring first-aid treatment or temporary minor illness, less than 3 days lost
  • Minimal environmental implications
  • Failure to meet (local) departmental standards
  • Minimal loss of reputation
  • Moderate financial loss £1K to £9K
  • Minimal business interruption
2 Moderate
  • Break of minor bone or temporary minor illness (3 - 7 days lost)
  • Moderate environmental implications.
  • Moderate financial loss £10K to £49K
  • Moderate loss of reputation
  • Failure to meet organisational standards
  • Moderate business interruption
3 Serious
  • Bone fracture or temporary serious illness (8 - 21 days lost)
  • High environmental implications
  • Major financial loss £50K to £249K
  • Repeated failure to meet internal standards; failure to meet national performance target
  • Major loss of reputation
  • Major business interruption
4 Major
  • Single death of any person/ Permanent serious illness/disability
  • Extreme environmental implications
  • Extreme financial loss £250K to £499K
  • Intermittent failure to meet national professional standards and/ or statutory requirements
  • Extreme business interruption
5 Catastrophic
  • Multiple deaths involving any persons/ multiple permanent serious illness/ disability
  • Extreme financial loss £500K+
  • Catastrophic business interruption
  • Sustained failure to meet national professional standards and/ or statutory requirements

 

QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL   DESCRIPTOR   DESCRIPTION
1       Rare         The event may occur only in exceptional circumstances
2       Unlikely     The event could occur at some time
3       Moderate     The event should occur at some time
4       Likely       The event is expected to occur in most circumstances
5       Certain      The event will occur in most circumstances


QUALITATIVE RISK ASSESSMENT MATRIX - LEVEL OF RISK

CONSEQUENCES       Rare 1   Unlikely 2   Moderate 3   Likely 4   Certain 5
Minor - 1             1          2            3           4          5
Moderate - 2          2          4            6           8         10
Serious - 3           3          6            9          12         15
Major - 4             4          8           12          16         20
Catastrophic - 5      5         10           15          20         25

 

KEY    Low Risk   Significant Risk   High Risk

 

Risk rating            Action required
High - unacceptable    Immediate action: advise most senior person available. Scores 20-25: cease activity
Significant            Action: advise senior manager of appropriate Directorate
Low                    Action: advise manager of appropriate Department

Note: where risk assessment indicates catastrophic consequences, contingency plans must be in place even if the risk is otherwise moderate.

Hazard = The potential to cause harm or loss
Risk = Likelihood / Probability of that harm occurring

The aim of the assessment is to ensure that risk is reduced to As Low As Reasonably Practicable (ALARP).

In order to prioritise treatments, it is necessary to evaluate the level of risk presented by each of the identified hazards. This is done using a simple rating system and a basic multiplication.

First, for each of the hazards, decide how likely it is to happen (Probability/Likelihood) and how serious the consequences are most likely to be (Severity/Consequences) from the following guide, taking into account the control measures already in place.

Next, work out the risk rating from the following equation:

REMEMBER - RISK RATING = PROBABILITY x SEVERITY

Then do the same calculations when you have implemented your treatment plan and enter this in the 'after' column.

Recording risks

Once you have identified tasks where the risk is higher than average, you may find it helpful to record them in a 'Risk Register' (see Table 1 below for an example). Using such a document you can regularly review the positions, make notes on any actions taken and thus keep control of the key risks. This approach encourages you to anticipate what might otherwise come as a complete surprise - possibly a nasty shock! It encourages you not only to recognise risk but also to manage it.
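The rating and register steps above, as an added example that is not part of the original page: a minimal risk register in Python that computes the 'before' and 'after' ratings and applies only the two rules the page states explicitly (scores 20-25: cease activity; catastrophic consequences require a contingency plan). The Entry fields, the function names and the sample ratings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Descriptors as given in the page's consequence and likelihood tables.
CONSEQUENCE = {1: "Minor", 2: "Moderate", 3: "Serious", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Certain"}

def rating(likelihood, consequence):
    """Risk rating = probability x severity, each on the 1-5 scale."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be integers 1-5")
    return likelihood * consequence

def flags(likelihood, consequence):
    """Apply only the rules the page states; no other banding is assumed."""
    out = []
    if rating(likelihood, consequence) >= 20:   # "Scores 20-25: cease activity"
        out.append("cease activity")
    if consequence == 5:                        # catastrophic consequences
        out.append("contingency plan required")
    return out

@dataclass
class Entry:                 # hypothetical register row
    hazard: str
    before: tuple            # (likelihood, consequence) with current controls
    after: tuple             # (likelihood, consequence) after the treatment plan

def review(register):
    """Return register rows sorted by residual ('after') rating, highest first."""
    rows = [{"hazard": e.hazard,
             "before": rating(*e.before),
             "after": rating(*e.after),
             "flags": flags(*e.after)} for e in register]
    return sorted(rows, key=lambda r: r["after"], reverse=True)

# Constructed sample register; only the labour dispute (2 x 4) comes from the page.
REGISTER = [
    Entry("Labour dispute", (2, 4), (1, 4)),
    Entry("Loss of patient records system", (4, 5), (2, 5)),
    Entry("Key supplier fails to deliver", (3, 3), (2, 2)),
]

if __name__ == "__main__":
    for row in review(REGISTER):
        print(row)
```

Note that the records-system entry keeps its contingency-plan flag after treatment even though its rating falls to 10, which is the behaviour the page's note on catastrophic consequences asks for.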

Assurance Frameworks

Strategic Health Authorities, Primary Care Trusts, Acute Trusts and Mental Health Trusts are ultimately responsible for their systems of internal control, including risk management. Each needs to have appropriate policies on risk management and internal control and seek regular assurance on whether the system is in place and functioning properly.

Following a review by the Cabinet Office Regulatory Impact Unit and the Department of Health, Controls Assurance, introduced in 1999, was abolished in July 2004. Trusts are now required to embed an Assurance Framework within their Governance structures, which should identify key objectives, risks which could impact on the achievement of those objectives, controls which have been put in place to manage the risks, and any sources of independent assurance which are available, such as Healthcare Commission reviews, internal or external audit reports or inspections by statutory bodies such as the Health & Safety Executive.

Frameworks should be regularly reviewed by key Committees and the Board. At the end of the year the Frameworks are validated by independent auditors and the chief executive is required to complete a Statement of Internal Control, giving their opinion about the effectiveness of their system of internal control, indicating that they are doing their reasonable best to manage the principal risks to the organisation achieving its objectives, and identifying any significant weaknesses which need to be addressed.

Risk management sub-committee

To ensure that all significant risk management concerns are properly considered and communicated, the PCT/SHA should have a sub committee overseeing risk management, chaired by a non-executive Director, which should have explicit links with other key Committees such as Clinical Governance, Infection Control, and Health and Safety.

The committee's responsibilities will include PCT/SHA wide co-ordination and prioritisation of risk management issues, and encouraging and fostering greater awareness of risk management throughout the organisations.

Risk management task groups

The management team may identify discrete programmes which need to be taken forward by specialist groups, sometimes known as risk management task groups. These may be existing groups tasked with a specific task or newly constituted for a specific purpose.

Annual Programme

Identifying the risk areas

The responsibility for identifying risks should be set out in the organisation's strategy and policies, and is likely to mirror the varying degrees of responsibility held by individuals throughout the organisation: for example, the identification of operational health and safety risks will lie with the operational managers, while identifying strategic level risks will lie with Directors. Whatever the case, it is important that there are clear routes for ensuring that risks are fed through to the appropriate management level to ensure risks are managed.

The Health and Social Care Standards and Planning Framework 2005-2008, incorporating Standards for Better Health

These Standards, first published in July 2004, form the basis for risk management and assurance activity in the future. They mirror more closely the range of activities which an NHS body will undertake and the key risks, particularly to patient safety, that organisations will wish to control. They will also abolish the current star rating system and replace it with a more flexible tool which allows an organisation to consistently monitor and assess its own performance.

Future Assurance Frameworks will mirror the 'domains' within Standards for Better Health. A baseline self assessment will be undertaken by September 2005 and future action plans will develop from this baseline.

Action plan

The baseline assessment will identify the risks that the Authority faces at the time. These risks should be prioritised and lead managers identified to ensure appropriate action is taken. Action to be taken should be included within the personal objectives for line managers and performance managed via the appraisal system. Resources required to ensure necessary action should be identified as part of the lead manager's project plan. Action plans and remedial action should be approved and monitored by the risk management sub group.

Reporting

The burden of reporting to the centre has been significantly reduced, with a greater emphasis on organisational autonomy; however, performance against the Standards will be monitored by Strategic Health Authorities and the Healthcare Commission, although it is not clear at the time of writing what form any inspection or monitoring regime will take.

TABLE 1 - Risk Assessment


© K Enock 2006