NHS Dorset Clinical Commissioning Group

Risk Management Framework

Supporting people in Dorset to lead healthier lives


Document Status: Approved/Current
Policy Number: 52
Date of Policy: March 2017
Next Review Date: March 2019
Sponsor: Director of Quality
Approved by/on: Governing Body, December 2012; appended version approved by Directors and Performance, May 2015

Version | Date | Comments | By Whom
1.2 | August 2012 | Reviewed for authorisation | Head of Patient Safety and Risk
1.3 | August 2012 | Comments and amendments | Patient Safety and Risk Manager
1.4 | August 2012 | Comments and amendments | Deputy Director of Quality
1.5 | March 2015 | Amendments and inclusion of additional information | Patient Safety and Risk Manager
1.6 | January 2016 | Amendments to reflect changes from CCPs to CDGs and introduction of web based reporting of adverse incidents | Patient Safety and Risk Manager
1.7 | March 2017 | Minor amendments to include revised and updated appendices | Patient Safety and Risk Manager
1.8 | October 2017 | Update to Appendix E to reflect new GBAF format | Patient Safety and Risk Manager

EVIDENCE BASE REFERENCES

• NHSLA Risk Management Handbook 2009/10. April 2009
• NHS England. The CCG Assurance Framework: 2014/15 Operational Guidance. June 2014
• NHSLA Risk Management Standards for Acute Trusts, Primary Care Trusts and Independent Sector Providers of NHS Care 2009/10. February 2009
• Department of Health and NHS Appointments Commission. (2003). Governing the NHS: A guide for NHS Boards. London: NHS Appointments Commission. Available at: [Link]
• Department of Health. (2002). Assurance: The Board Agenda. London: Department of Health. Available at: [Link]
• Department of Health. (2006). Integrated Governance Handbook. A handbook for executives and non-executives in healthcare organisations. London: Department of Health. Available at: [Link]
• Monitor. (2006). NHS Foundation Trusts: Clinical Quality and Service Performance. London: Monitor. Available at: [Link]
• Monitor. (2006). The NHS Foundation Trust Code of Governance. London: Monitor. Available at: [Link]
• Monitor. (2008). Compliance Framework. London: Monitor. Available at: [Link]
• NHS Appointments Commission. (2006). The Intelligent Board. London: NHS Appointments Commission. Available at: [Link]
• NHS Appointments Commission. (2006). The Intelligent Commissioning Board. London: NHS Appointments Commission. Available at: [Link]
• “Winning Ways: Working Together to Reduce the Healthcare Associated Infection in England”. Report from the Chief Medical Officer, Department of Health Publications, December 2003
• Directions to NHS Bodies on Security Management Measures, 25 March 2004
• Information Governance Toolkit Knowledge Base, Version 14.1


Target Audience: All staff within NHS Dorset Clinical Commissioning Group

Distribution List: Intranet ✓; Trust Website ✓; Communications Bulletin ✓

POLICIES

This risk framework links to a number of CCG policies and procedures. A list of these documents can
be found in Appendix A.
CONTENTS

1.0 Relevant to
2.0 Introduction
3.0 Scope
4.0 Purpose
5.0 Definitions
6.0 Roles and responsibilities
7.0 Corporate Risk Register
8.0 Process for managing the Corporate Risk Register
9.0 Governing Body Assurance Framework
10.0 Information Security Risk Assessment and Management Programme
11.0 Organisational monitoring of Corporate Risk Register and Governing Body Assurance Framework
12.0 Adverse Incident Reporting
13.0 Training
14.0 Approval process
15.0 Communication and dissemination
16.0 Monitoring the effectiveness of and compliance with the Risk Framework
17.0 Document review frequency

APPENDICES

A CCG Policies and Procedures linking to the Risk Management Framework
B Glossary
C NPSA Risk Matrix
D Corporate Risk Register Assessment Form
E Governing Body Assurance Framework - Template
F Organisational Committee Structure
G Information Governance Risk Assessment Form

RISK MANAGEMENT FRAMEWORK

1. RELEVANT TO

1.1 The Risk Management Framework provides information intended to be of interest to, and used by,
all individuals within NHS Dorset Clinical Commissioning Group (hereafter known as the CCG) and
the wider health community.

1.2 The Risk Management Framework applies to all members of the CCG, the Governing Body,
Executive team and all managers to ensure that risk management is a fundamental part of the CCG
approach to governing the organisation.

2. INTRODUCTION

2.1 NHS Dorset Clinical Commissioning Group is a commissioning organisation and has a responsibility
to ensure that robust corporate, clinical and financial governance arrangements are embedded
across the organisation in accordance with best practice.

2.2 The CCG is committed to maintaining a Risk Management Framework that will facilitate the
identification, analysis, management, monitoring, prioritisation and control of risks that threaten the
delivery of its strategic objectives.

2.3 The process of appropriately managing identified risk helps the CCG achieve agreed standards,
reduce overall costs and maintain and enhance the standard of service provided.

2.4 Every activity that the CCG undertakes, or commissions others to undertake on its behalf, brings
with it an element of risk that has the potential to threaten or prevent the organisation achieving its
strategic objectives.

2.5 Unmanaged risk can impact upon every aspect of activity in which the CCG is engaged and this can
affect people, assets, the organisation and reputation.

2.6 The CCG is not aiming to create a risk-free environment, but rather one in which risk is considered
as a matter of course and appropriately identified, controlled and managed.

2.7 In order to achieve this aim, risk management must be part of the culture of the CCG and a primary
concern of all staff and stakeholders.

2.8 “The CCG faces a broad range of risks reflecting its obligations as a commissioner of health
services. Risks include those resulting from its responsibilities in the areas of financial control,
interpretation of policy, leadership of the health system and strategic planning to ensure the
improved health of Dorset residents.

The risks arising from the CCG’s responsibilities can be significant. These risks are managed
through detailed processes informed by policy and strategic principles and led by a Governing Body
that espouses the seven Nolan principles, maintaining public accountability.

The CCG is also exposed to risks including staffing, business continuity, IT and regulatory breach.

In terms of its operational risk, the CCG has a low appetite for risk. It monitors resources and
quality closely to ensure operational risks are acceptable to the organisation. The CCG however
recognises that to lead the health system, it needs to be bold and courageous, to ensure
sustainability for the future. Acknowledgement and acceptance of a higher level of risk may
sometimes be necessary to facilitate innovation in the delivery of services.”

Tim Goodson, Chief Officer – NHS Dorset CCG

3. SCOPE

3.1 Leadership for the risk management process within the CCG is provided via the Governing Body,
with responsibility delegated to the Audit and Quality Committee. The organisational structure has
been established in order to assist with this process and is described within this framework.

3.2 This document provides guidance on how the CCG:


• manages risk and describes the approach used in identifying, analysing, evaluating, managing
and controlling risks that threaten the delivery of the CCG’s strategic objectives;
• ensures that risk management is part of the culture of the organisation, and is a primary concern
of all staff and stakeholders.

4. PURPOSE

4.1 Risk is the combination of likelihood and severity of consequence of an event/set of events being
realised, and the effect of this on the achievement of strategic objectives.

4.2 The aim of effective risk management is to ensure the identification, analysis and prioritisation of
risks followed by a coordinated application of resources to minimise, manage and control the
likelihood and/or impact of the risk.

4.3 The aim of an effective risk management framework is to:


• standardise and clarify the terminology of risk management;
• set out the organisation’s objective to identify and mitigate risk;
• explain the roles and responsibilities within the CCG relating to risk;
• define the role and objectives of the CCG’s committees and groups;
• explain the tools used by the CCG to document and manage risks to the organisation, detailing
the clear, consistent and effective risk scoring systems used;
• detail how the organisation has a clear view of the risks affecting each area of its activity, how
the risks are being managed and their potential impact on the organisational objectives;
• assure the public, patients and their carers and representatives, staff and partner organisations
that the CCG is committed to managing risk appropriately.

4.4 All departments are required to embed this framework within their departmental Standard Operating
Procedures.

4.5 The Risk Management Framework is reviewed every two years to take account of any changes in
national guidance. Necessary changes throughout the year will be issued as amendments to the
framework. Such amendments will be clearly identifiable to the section to which they refer and the
date issued. These will be clearly communicated via the CCG newsletter.

5. DEFINITIONS

5.1 Please refer to Appendix B for a glossary of terms used throughout this framework and supporting
appendices.

6. ROLES AND RESPONSIBILITIES

6.1 Risk management is an integral part of management and clinical practice.

6.2 Every individual within the CCG is responsible for identifying and managing risk. To facilitate this, it
is essential that everyone involved in the identification and management of risk has a clear
understanding of their roles and responsibilities.

6.3 The following individuals and committees have specific responsibility, accountability and authority,
as part of their existing roles.

6.4 Executive Directors share responsibility for the success of the CCG, with the Governing Body,
including the effective management of risk and compliance with relevant legislation.

6.5 In relation to risk management the Executive team and Governing Body membership are
responsible for:
• articulating the organisation’s strategic objectives;
• identifying risks to the achievement of its strategic objectives;
• protecting the reputation of the CCG;
• providing leadership, active involvement and support for risk management;
• determining the risk appetite for the CCG;
• ensuring the approach to risk management is consistently applied;
• ensuring that there is a structure in place for the effective management of risk throughout the
CCG and that this structure is consistently applied;
• monitoring these processes on an ongoing basis via the Governing Body Assurance Framework
and Corporate Risk Register;
• reviewing and approving the Risk Management Framework every two years (see 4.5).

6.6 The Chair, as a General Practitioner, provides the focus for leadership of the Clinical Governance
agenda within the CCG.

6.7 The Chief Officer, as Accountable Officer, has overall responsibility and accountability for risk
within the CCG and is required to provide assurance through the Annual Governance Statement
that all risks to the organisation, including those relating to information, are effectively managed and
mitigated. Additionally, the Chief Officer has the responsibility for reviewing the effectiveness of the
system of internal control within the CCG.

6.8 All Directors are responsible for compliance with the Risk Management Framework to ensure that
remedial actions are identified and taken wherever key risks are identified within their area of
responsibility.

6.9 The Director of Quality is the designated lead for risk and patient safety within the CCG, and is
responsible for ensuring that the Risk Management Framework is implemented and evaluated
effectively.

6.10 The Head of Patient Safety and Risk, supported by the Patient Safety and Risk Manager has
delegated responsibility for:
• co-ordinating and managing activities relating to clinical, corporate and financial risks for the
CCG;
• monitoring risk management and patient safety within commissioned and corporate services for
the CCG;
• maintaining the Corporate Risk Register and Governing Body Assurance Framework through
engagement with the Directors and Directorate Risk Leads;
• the management of all Serious Incidents and Adverse Incidents.

6.11 The Patient Safety and Risk team (Patient Safety and Risk Manager, Patient Safety and Risk
Facilitator and Patient Safety and Risk Co-ordinator) are responsible for the day-to-day operational
management of the Corporate Risk Register and the production of reports for key meetings.

6.12 The Governing Body Secretary/General Counsel provides professional support and advice on
health and safety, litigation and insurance. The Governing Body Secretary is also the Senior
Information Risk Owner (SIRO) for the CCG and is responsible for the identification, scoping,
definition and implementation of the information security risk programme. The SIRO is supported by
the Information Governance Group, the Information Security Manager, Caldicott Guardian and the
Information Asset Owners (IAOs).

6.13 The Chief Finance Officer is the designated Security Management Director within the statutory
instrument for the CCG. The Chief Finance Officer also has executive responsibility for the financial
governance arrangements throughout the organisation, including overseeing financial performance
management.

6.14 All Directors, Deputy Directors and Managers have delegated responsibility and authority with
regard to the management of risk within their specific areas of work, including compliance with the
Risk Management Framework and for ensuring that remedial action is taken wherever key risks are
identified within their area of responsibility, including:
• reporting of adverse incidents, together with actions to prevent or minimise a reoccurrence;
• identifying and adding risks to the Corporate Risk Register in a timely manner;
• co-ordinating the application of resources to minimise, manage and control the likelihood and/or
impact of the risk;
• undertaking risk assessments and actions implemented;
• ensuring staff undertake mandatory and statutory training.

6.15 The Head of Occupational Health and Wellbeing (Nurse Advisor) and Occupational Health
Physicians within Dorset Healthcare University NHS Foundation Trust provide professional support
and advice and assist in matters of occupational health risk via a Service Level Agreement.

6.16 The Internal Auditors (TIAA) are responsible for agreeing with the Audit and Quality Committee a
programme of audits which assess the exposures and adequacy of mitigation of the principal risks
affecting the organisation. The priorities contained in the audit programme reflect the risk evaluation
set out in the Governing Body Assurance Framework and other key organisational priorities. The
reports and advice produced by internal audit inform changes within organisational processes and
individual services.

6.17 Lay Members have a responsibility to scrutinise and, where necessary, challenge the robustness of
systems and processes in place for the management of risk.

6.18 All CCG staff are responsible for their own and others’ health and safety within their immediate
workplace and for participating in the wider governance, quality and risk management activities, as
appropriate. Staff are also responsible for complying with the Risk Management Framework and
will assist the risk management process by:
• completing an adverse incident form every time an incident or potential incident occurs;
• reporting all complaints;
• communicating a dangerous situation to anyone who could be at risk;
• reporting both clinical and non-clinical adverse incidents;
• attending mandatory and statutory training;
• assessing risk;
• following CCG policies and guidelines;
• escalating issues up through their designated line management structures.

7. CORPORATE RISK REGISTER

7.1 A Corporate Risk Register is a risk management tool which acts as a central repository for all risks
identified by the organisation or project.

7.2 The register provides an overview of the risks that may directly impact on the CCG’s ability to
deliver on the organisation’s strategic objectives.

7.3 For each risk, the register includes the following information:
• Title;
• Details (a brief description to the background of the risk and the consequence of the risk being
realised);
• Governing Body member (GP) with overall responsibility for the risk;

• Manager responsible for the management of the risk;
• Risk Assessment, including against NPSA risk matrix (Appendix C);
• Review frequency (based on risk score);
• Controls; these are regularly reviewed to ensure they are still effective;
• Identified gaps in controls (linked to action plan);
• Internal assurances;
• Action plan (and progress against actions).

7.4 Examples of the types of risk that the CCG might encounter and need to protect against include:
• Corporate risk: operating within powers, fulfilling responsibilities, accountability to the public;
• External risks: political, environmental, social, meteorological;
• Clinical risks: associated with service standards, competencies, complications, equipment,
medicines, staffing, patient information, quality of services, communication, patient experience;
• Health and safety risks: ensuring the well-being of staff and patients whilst providing or using
services;
• Business risks: associated with managing the affairs of the organisation, finance, human
resources, information, IT, internal management, fraud, achieving objectives;
• Risks to assets: security, protection, optimum use, maintenance, replacement.

7.5 Within the CCG, all risks are recorded and managed via the Ulysses software ‘Safeguard Risk
Management System’.

7.6 All risks on the Corporate Risk Register are mapped to the strategic objectives of the CCG.

7.7 The Corporate Risk Register is aligned to Clinical Delivery Groups, overarching risks and those
relevant to individual Directorates or Systems. Subject to the agreement of the Governing Body,
this may change following the Clinical Services Review when the risks will be mapped to a new
commissioning structure.

8. PROCESS FOR MANAGING THE CORPORATE RISK REGISTER

8.1 The Patient Safety and Risk team supports the consistent identification, assessment and
management of risk across the organisation and is central to the dissemination of best practice.

8.2 The team administer the key risk management systems and act as a central resource and advisory
function for the CCG.

Process for adding a new risk to the Corporate Risk Register

8.3 Within the CCG there are both internal and external methods of identifying new risks:

• Internal methods: incidents, complaints, claims and serious incident reporting, identification of
trends, audits, project risks, patient satisfaction surveys, risk assessments, surveys including
staff surveys, whistle-blowing, contract monitoring of commissioned services.
• External methods: HM coroners reports, media, national reports, new legislation, surveys,
reports from assessments/inspections by external bodies, reviews of partnership working.

8.4 The Head of Internal Audit sends a copy of all completed internal audits to the Patient Safety and
Risk Manager, highlighting any areas of particular concern. The Patient Safety and Risk Manager
will then discuss the finding with the responsible manager and add the audit-identified issue(s) to
the Corporate Risk Register.

8.5 Upon identification of a new risk, the Corporate Risk Register Assessment Form (Appendix D) must
be fully completed and submitted to the Patient Safety and Risk team.

8.6 All risks identified in the Corporate Risk Register require the formulation of an action plan detailing
actions, timeframes and those responsible for completing the action.
8.7 Information to support staff on how to complete the form will be sent when each new risk is added.

8.8 The level of risk associated with each risk is assessed in accordance with the NPSA risk matrix
(Appendix C). This matrix identifies both the severity of the risk and its likelihood.

8.9 Other risks will be addressed where this is possible at reasonable cost and limited effort or
inconvenience, proportionate to the risk.

8.10 The effort and resources spent on managing all risks must be proportionate to the risk itself.

8.11 A target risk rating is decided at the outset which indicates the level of risk that can be expected and
tolerated once all possible actions have been taken to mitigate the risk. This is an acknowledgment
that risk can rarely be eradicated entirely.

Process for updating and locally monitoring risks on the Corporate Risk Register

8.12 Members of the Patient Safety Team liaise with the allocated risk assessors and Directors on a
frequency determined by the current risk score to discuss progress against action plans and
document the effect these actions are having on the risk score.

8.13 All risks scoring 15 or above (‘red’) require monthly reviews. Risks graded 4-12 (‘orange’ and
‘yellow’) are reviewed, as a minimum, quarterly and those scoring 1-3 (‘green’), as a minimum,
annually. Scores of 13 and 14 cannot arise on the 5 x 5 NPSA matrix, so every score falls into
exactly one band.

8.14 During these reviews, any further risks that have been identified for the CCG are formally raised
using the Risk Register Assessment Form in Appendix D.

Process for closing a risk on the Corporate Risk Register

8.15 A risk can be closed on completion of mitigating actions, achievement of targets and/or when a
Director and Deputy Director are satisfied that there is no longer a risk to the organisation.

8.16 There is no fixed minimum risk score which indicates risk closure however it is considered good
practice to ensure the final risk is reviewed and acceptable upon closure.

8.17 Standard Operating Procedures are in place within the Patient Safety and Risk team to ensure that
these processes are consistently applied.

Process for deeming a risk register entry as ‘an acknowledged risk’

8.18 In addition to deeming the status of risks as ‘new’, ‘open’ or ‘closed’, a risk can also be determined
to have ‘acknowledged risk’ status.

8.19 This status can be used when risks have been deemed by the organisational Executive team (via
the monthly Directors meeting) to be risks where all available controls have been implemented and
there are no further controls which would reduce the risk level any further; but where risk to the
organisation still remains.

8.20 These risks are reviewed, as a minimum, annually although this can be more frequent if required by
the Executive team.

9. GOVERNING BODY ASSURANCE FRAMEWORK

9.1 The Governing Body Assurance Framework provides assurances against the key strategic risks and
controls that the Governing Body must consider when seeking internal and external assurance.

9.2 The first version of the Governing Body Assurance Framework was approved at the Governing
Body meeting on 19 November 2014, following endorsement by the Audit and Quality Committee.

9.3 The Governing Body Assurance Framework ensures that there is a streamlined approach to
assurance enabling the Governing Body and delegated committees to focus only on the strategic
issues of the organisation; the operational issues are captured in the Corporate Risk Register.

9.4 The Governing Body Assurance Framework is linked to the strategic objectives of the organisation
and serves as a source of external assurance for the NHS England quarterly assurance processes.

9.5 The Assurance Framework is linked directly to risks held on the Corporate Risk Register.

9.6 The Assurance Framework is submitted to Audit and Quality Committee, Director’s Meeting and
Governing Body meeting as per the pre-agreed timeframes.

9.7 The Governing Body Assurance Framework template is attached as Appendix E.

9.8 The Governing Body Assurance Framework is in the public domain and is published on the CCG
website ahead of each Governing Body meeting:
[Link]

Process for managing the Governing Body Assurance Framework

9.9 The Directors Performance Meeting has operational responsibility for maintaining the Governing
Body Assurance Framework with support from the Patient Safety and Risk team.

9.10 The Governing Body Assurance Framework is the responsibility of the Head of Patient Safety
and Risk, with day-to-day responsibility for managing and updating the framework delegated to the
Patient Safety and Risk Manager.

9.11 The framework is reviewed and updated ahead of each of the following meetings:
• Audit and Quality Committee;
• Director’s Performance Meeting;
• Governing Body meeting;
• Quality Group meeting.

9.12 Key controls for which assurance cannot be fully detailed are clearly highlighted on the framework.

9.13 The Patient Safety and Risk Manager looks ahead to ensure that there is a plan in place for all
key controls for which assurance is sought in the next 0 – 12 weeks.

9.14 On a biannual basis, commencing in November 2017, the Chairs of the key groups and committees
will be sent a template to complete, confirming that the assurances for which their programmes have
delegated responsibility have been scrutinised and stating either:
• that there are no significant lapses in assurance; or
• that there are lapses/gaps in assurance, in which case details of the work being undertaken,
including action plans, to resolve the lapses/gaps will be requested.

10. INFORMATION SECURITY RISK ASSESSMENT AND MANAGEMENT PROGRAMME

10.1 To ensure the effective implementation of information risk processes, the CCG maintains a
comprehensively scoped and formally documented plan and programme that considers the security
risks to Information Assets, including the systems and media used to process or store that
information and any online or internet-facing services. Consideration of the potential impact on the
continued delivery of services, for example the protection of personal data and corporate data, is an
essential element of the plan and programme.

10.2 A formal information security risk assessment and management method is implemented for all
Information Assets of the organisation to ensure all threats, vulnerabilities and impacts are properly
assessed and included in an organisation-wide risk register, and acknowledged in the organisation’s
IG assurance framework. A number of possible risk assessment methodologies and supporting
products are available, including:

• IRAM - Information Security Forum (ISF);
• ISO/IEC 27005:2011 - Information technology - Security techniques - Information security risk
management;
• ISO 31000:2009 - Risk management standard (already used by many organisations as
AS/NZS ISO 31000:2009).

10.3 The organisation has determined which methodology is best suited to its needs. Each risk
assessment is clearly scoped, systematic and seeks to identify, quantify and prioritise the
information risks to the organisation’s business functions.

10.4 Consideration is also given to information risks that may affect the organisation’s business partners.
Where appropriate, controls (countermeasures) are put in place and their effectiveness monitored to
ensure that the deployed controls are effective in treating the risks. System log files and incident
reports may identify ineffective or poorly deployed controls.

10.5 Periodic update reviews of existing risk assessments are undertaken, to take account of possible
changes. Consideration is given to the areas of risk analysis and risk treatment.

10.6 To assess risks relating to Information Governance and Cyber issues, each Information Asset
Owner completes a risk assessment using the CCG risk assessment tool (appendix G).
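The register fields listed in 7.3, the target rating of 8.11, the review frequencies of 8.13, the new/open/closed/acknowledged statuses of 8.15-8.20 and the Information Asset Owner assessment of 10.6 can be tied together in a small model of a single register entry. The Python below is an added illustration written for this page; it is neither the CCG’s Ulysses Safeguard system nor the Appendix G tool. The sample entry (an information-asset risk with a hypothetical owner), the 30/91/365-day reading of “monthly”, “quarterly” and “annually”, and the orange/yellow split at a score of 8 (the standard NPSA split, which the framework text does not spell out) are assumptions; a score of 15 is treated as red, as on the NPSA matrix.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Status(Enum):
    NEW = "new"
    OPEN = "open"
    ACKNOWLEDGED = "acknowledged risk"  # 8.18-8.20
    CLOSED = "closed"


def npsa_score(likelihood: int, consequence: int) -> int:
    # NPSA matrix: likelihood 1 (rare)..5 (almost certain) multiplied by
    # consequence 1 (negligible)..5 (catastrophic); products run from 1 to 25.
    for axis, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not 1 <= value <= 5:
            raise ValueError(f"{axis} must be 1-5, got {value!r}")
    return likelihood * consequence


def band(score: int) -> str:
    # 15-25 red, 8-12 orange, 4-6 yellow, 1-3 green. The orange/yellow boundary at
    # 8 is the standard NPSA one (assumption: the framework groups 4-12 together).
    return ("red" if score >= 15 else "orange" if score >= 8
            else "yellow" if score >= 4 else "green")


# Minimum review interval per band (8.13) and for acknowledged risks (8.20). The
# day counts are an assumed reading of "monthly", "quarterly" and "annually".
REVIEW_INTERVAL = {"red": timedelta(days=30), "orange": timedelta(days=91),
                   "yellow": timedelta(days=91), "green": timedelta(days=365),
                   "acknowledged": timedelta(days=365)}


@dataclass
class RiskEntry:
    # Register fields of 7.3 (abridged); target_score is the tolerated level of 8.11.
    title: str
    details: str
    manager: str
    likelihood: int
    consequence: int
    target_score: int
    gaps_in_controls: list = field(default_factory=list)
    actions: dict = field(default_factory=dict)  # action description -> complete?
    status: Status = Status.NEW
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        # score() validates both axes; the target must be a reduction, not a rise.
        if not 1 <= self.target_score <= self.score():
            raise ValueError("target score must lie between 1 and the current score")

    def score(self) -> int:
        return npsa_score(self.likelihood, self.consequence)

    def next_review_due(self) -> date:
        # Counted from the last review; acknowledged risks drop to annual (8.20).
        if self.last_reviewed is None:
            raise ValueError("entry has not been reviewed yet")
        key = "acknowledged" if self.status is Status.ACKNOWLEDGED else band(self.score())
        return self.last_reviewed + REVIEW_INTERVAL[key]

    def review(self, on: date, likelihood: int, consequence: int) -> int:
        # Record a review and the effect the actions have had on the score (8.12).
        if self.status is Status.CLOSED:
            raise ValueError("closed risks are not reviewed")
        npsa_score(likelihood, consequence)  # reject bad values before mutating
        self.likelihood, self.consequence, self.last_reviewed = likelihood, consequence, on
        if self.status is Status.NEW:
            self.status = Status.OPEN
        return self.score()

    def acknowledge(self) -> None:
        # 8.19: every available control is in place, none is left to add, risk remains.
        if self.gaps_in_controls or not all(self.actions.values()):
            raise ValueError("control gaps or open actions remain; cannot acknowledge")
        self.status = Status.ACKNOWLEDGED

    def close(self) -> None:
        # 8.15/8.16: close once mitigating actions are complete; no minimum score.
        if not all(self.actions.values()):
            raise ValueError("open actions remain; cannot close")
        self.status = Status.CLOSED


def sample_entry() -> RiskEntry:
    # Constructed information-asset risk; the names and dates are hypothetical.
    return RiskEntry(
        title="Patient-identifiable spreadsheets held unencrypted on a shared drive",
        details="IAO review found PID outside the clinical system; loss would be an IG incident.",
        manager="Information Asset Owner (hypothetical)",
        likelihood=4, consequence=4, target_score=4,
        gaps_in_controls=["No encryption at rest"],
        actions={"Migrate PID into the clinical system and delete the copies": False},
    )
```

The `target_score` check and the refusal to acknowledge while a control gap is still recorded are the two places where the model enforces 8.11 and 8.19 rather than merely recording them; the Governing Body member, internal assurances and action owners and timeframes of 7.3 and 8.6 are not carried by the abridged field list.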

11. ORGANISATIONAL MONITORING OF THE CORPORATE RISK REGISTER AND GOVERNING
BODY ASSURANCE FRAMEWORK

11.1 The Risk Management structure is based on committees and groups which have key roles in the
management of risk. Appendix F demonstrates the organisational committee structure.

GOVERNING BODY

11.2 The CCG Governing Body is committed to providing the resources and support systems necessary
to support the Risk Management Framework and will ensure that action is taken to address all risks
that are identified and assessed as unacceptable.

11.3 The CCG Governing Body is made up of 13 Locality Chairs who are GPs or retired GPs, the GP
Chair, the Accountable Chief Officer, the Chief Finance Officer, two lay members, the Nurse
member and the Secondary Care Consultant member. The Governing Body meets on a bi-monthly
basis.

11.4 There are three non-voting Executive Directors, the Director of Quality, the Director of Service
Delivery and the Director of Engagement and Development, who support the CCG Chief Officer. The
Governing Body is supported by the Chief Officer and Governing Body Secretary.

11.5 The CCG Governing Body has four committees that report to it. These are:
• Audit and Quality Committee;
• Clinical Commissioning Committee;
• Primary Care Commissioning Committee;
• Remuneration Committee.

11.6 The CCG has a duty to assure itself that the organisation has properly identified the risks it faces,
and that it has processes and controls in place to mitigate those risks and the impact they have on
the organisation and its stakeholders.

11.7 Corporate Risk Register: the CCG Governing Body (Part II) receives the full Corporate Risk
Register for review at every meeting.

11.8 Governing Body Assurance Framework: the CCG Governing Body (Part I) receives the
Governing Body Assurance Framework for review at every meeting.

AUDIT AND QUALITY COMMITTEE

11.9 The Audit and Quality Committee is a sub-committee of the Governing Body and has delegated
responsibility for the management, monitoring and oversight of risk and governance.

11.10 The Audit and Quality Committee monitors and provides overall assurance to the Governing Body
that the CCG is:
• delivering quality care that meets the standards laid out in statute;
• aligning strategic direction with local assurance mechanisms by monitoring the Governing Body
Assurance Framework and Corporate Risk Register on behalf of the Governing Body.

11.11 As part of its remit, the Audit and Quality Committee also reviews internal audit reports on the
systems in place for risk management.

11.12 The Audit and Quality Committee membership consists of two lay members from the Governing
Body one of whom is the Chair of the committee, two non-Governing Body lay members, one GP
Governing Body member and the Lead Nurse Governing Body member. The Director of Nursing
and Quality, and the Chief Finance Officer also attend the meetings and support the committee.

11.13 The Audit and Quality Committee has patient representatives who attend the meetings regularly to
ensure there is a voice for patients and the public. They are integral to scrutinising the risks
identified and understanding what actions are taken to mitigate and reduce these risks.

11.14 The Audit and Quality Committee agenda covers all areas of financial accountability and
governance, including the following reports made to every meeting:

• Customer care report;
• Changes to Governing Body Assurance Framework and Corporate Risk Register;
• Investigations following instigation of ‘Employee Whistleblowing Policy’;
• Updates on litigation, medical negligence, inquests and enquiries;
• Deep dive on significant risk issues;
• Review of Significant Providers Contracts report;
• Safeguarding adults report;
• Safeguarding children report;
• Information governance report;
• Dorset Medicines Advisory Group report;
• Internal audit reports;
• External audit reports;
• Counter fraud reports.

11.15 The Audit and Quality Committee meets on a quarterly basis.

11.16 Corporate Risk Register: the Audit and Quality Committee receives the complete Corporate Risk
Register for review at every meeting.

11.17 Governing Body Assurance Framework: the Audit and Quality Committee receives the
Governing Body Assurance Framework for review at every meeting.

QUALITY GROUP

11.18 The Quality Group is a working group reporting to the Audit and Quality Committee.
11.19 The Quality Group meeting is chaired by the Director of Quality. Membership consists of two patient
representatives (lay members), one GP Locality Lead, the Nurse Governing Body member, internal
audit representation, Public Health representation, Service, Delivery and Design representation and
the senior Quality Directorate team.

11.20 The Quality Group has patient representatives who attend the meetings regularly to ensure there is
a voice for patients and the public. They are integral to scrutinising the risks identified and
understanding what actions are taken to mitigate and reduce these risks.

11.21 The Quality Group has delegated responsibility for the management, monitoring and reporting of
clinical governance, governance, risk, patient safety and quality.

11.22 There is a Quality Framework in place which details the structures and processes to ensure quality
is embedded throughout the commissioning cycle.

11.23 In relation to risk management, the Quality Group seeks to provide assurance to the Audit and
Quality Committee by:

• providing assurance that appropriate risk management arrangements are in place;
• monitoring all significant risks which may impact on the CCG business planning process;
• ensuring action to improve risk management processes and systems, to address all known and
previously unidentified risks;
• ensuring that patient safety is central to all services commissioned by the CCG including
safeguarding of adults and children, via contract and quality monitoring of secondary and tertiary
providers;
• monitoring the Corporate Risk Register and Governing Body Assurance Framework.

11.24 The Quality Group meets on a quarterly basis.

11.25 Corporate Risk Register: the Quality Group receives the Corporate Risk Register for review at
every meeting.

11.26 Governing Body Assurance Framework: the Quality Group receives the Governing Body
Assurance Framework for review at every meeting.

DIRECTORS PERFORMANCE MEETING

11.27 The Directors’ Performance Meeting has operational responsibility for maintaining the Governing
Body Assurance Framework with support from the Patient Safety and Risk Team.

11.28 Corporate Risk Register: the Directors Performance meeting receives the complete Corporate
Risk Register for review at every meeting.

11.29 Governing Body Assurance Framework: the Directors Performance meeting receives the
complete Governing Body Assurance Framework for review at every meeting, with a supporting
paper highlighting gaps in controls and/or assurance, and actions to be taken to reduce/remove the
gaps.

12. ADVERSE INCIDENT REPORTING

12.1 The CCG has in place a comprehensive Adverse Incident Reporting Database - ‘Ulysses’, that
supports the reporting of all incidents and near misses from internal staff and commissioning related
Serious Incidents.

12.2 Incident and serious incident reporting is openly encouraged from its staff, GP practices and the
provider organisations that it commissions. This information is analysed and used to identify the
risks which may impact on the business of the CCG.

12.3 The system provides full trend analysis of incidents and allows for detailed enquiry by users. It is
also used to produce reports for a wide variety of uses.

12.4 The CCG process for the management and reporting of incidents is detailed within the CCG ‘Policy
and Procedure for Recording, Reporting and Managing Adverse Incidents’.

13. TRAINING

13.1 As stated under the ‘key responsibilities’ section of this framework (Section 6), Directors, Deputy
Directors and key managers are responsible for compliance with the Risk Management Framework
in order to ensure that remedial action is taken wherever key risks are identified within their area of
responsibility.

13.2 Annual Risk Awareness Training for Governing Body Members, Executives and Directors for the
CCG is facilitated by the Head of Patient Safety and Risk.

13.3 Members of staff new to the organisation receive risk management training via induction.

13.4 Training for Directors, Deputy Directors and key managers is ongoing throughout the year via the
risk updating process.

13.5 Information Asset Owners receive annual information governance training to enable them to
manage the risks associated with their area of work. This training is treated as mandatory training,
and recording attendance, following up on non-attendance and monitoring compliance is carried out
in accordance with the Mandatory Training Policy.

13.6 Details of the Risk Management Framework will be incorporated into the following to ensure that it is
understood and communicated to all staff, the public and other stakeholders:
• induction programme;
• local induction (health and safety, adverse incidents, fire, risk and root cause analysis
awareness training);
• risk assessment, risk register and adverse incident training delivered by the safety advisors;
• CCG Newsletter;
• risk reports to the CCG Governing Body.

14. APPROVAL PROCESS

14.1 The approval process for the CCG Risk Management Framework is via submission and subsequent
approval, by the CCG Directors at the CCG Performance meeting.

15. COMMUNICATION AND DISSEMINATION

15.1 This Framework will be available to the following organisations via the CCG internet site:

• All GP practices within boundaries of the CCG;
• Bournemouth Borough Council;
• Dorset County Council, Social Care and Health;
• Dorset County Hospital NHS Foundation Trust;
• Dorset Healthcare NHS University Foundation Trust;
• Internal and External Audit;
• Borough of Poole;
• Poole Hospital NHS Foundation Trust;
• Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust;
• Salisbury NHS Foundation Trust;
• South Western Ambulance Service NHS Foundation Trust;
• Yeovil District Hospital NHS Foundation Trust.

15.2 The above stakeholders are informed, where appropriate, of any significant risks identified in
connection with the work of that stakeholder.

15.3 This document is published on the CCG website and on the CCG Intranet. Notice of issue of new
and revised policies will be communicated to all staff via the daily news bulletin.

16. MONITORING THE EFFECTIVENESS OF AND COMPLIANCE WITH THE RISK FRAMEWORK

16.1 The Government Financial Reporting Manual requires CCGs to prepare a Governance Statement
as part of their Annual Report and Accounts. Within the CCG, this is known as the ‘Annual
Governance Statement’.

16.2 The NHS England Chief Executive, in his capacity as Accounting Officer, requires CCG
Accountable Officers to give him assurance about the stewardship of the organisation.

16.3 The statement provides compliance information, or reference to existing reports, for the following
elements, as applicable:

1. Introduction and context
2. Scope of responsibility
3. Compliance with the UK Corporate Governance Code
4. The Clinical Commissioning Group Governance Framework
5. The Clinical Commissioning Group Risk Management Framework
6. The Clinical Commissioning Group Internal Control Framework
7. Information Governance
8. Pension obligations
9. Equality, Diversity and Human Rights obligations
10. Sustainable Development obligations
11. Risk Assessment in relation to governance, risk management and internal control
12. Review of economy, efficiency, and effective use of resources
13. Review of the effectiveness of governance, risk management and internal control
14. Capacity to handle risk
15. Review of effectiveness
16. Data quality
17. Business critical models
18. Data security
19. Discharge of statutory functions
20. Conclusion

16.4 The Annual Governance Statement, the Corporate Risk Register and Governing Body Assurance
Framework are intended to provide assurance that the Risk Management Framework is being
complied with; if appropriate, it includes any recommendations for improvement.

16.5 The Annual Governance Statement is reviewed and approved annually by the Audit and Quality
Committee; it is then submitted to the Governing Body as part of the Annual Report and Accounts.

16.6 Notwithstanding this, the Audit and Quality Committee will constantly monitor compliance with the
Risk Framework through the papers received throughout the year, and receipt of an annual report in
Q1 of the following financial year.

16.7 The Committee may commission internal audits or seek further assurance and action from CCG
Officers in areas where they may suspect a lack of compliance.

17. DOCUMENT REVIEW AND VERSION CONTROL

17.1 The Risk Management Framework is reviewed every two years to take account of any changes in
national guidance.

17.2 Necessary changes throughout the year will be issued as amendments to the framework. Such
amendments will be clearly identifiable to the section to which they refer and the date issued. These
will be clearly communicated via the CCG news bulletin.

APPENDIX A

CCG POLICIES AND PROCEDURES LINKING TO RISK MANAGEMENT FRAMEWORK

Category: Policy Title

Health and Safety
• Moving and Handling policy
• Slips, trips and falls policy
• Working at height policy
• Contractors on site policy
• Display screen equipment policy
• Electrical safety policy
• Fire safety policy
• First aid at work policy
• Legionella risk management policy
• Management of asbestos policy
• Lone worker policy

Information Governance
• Information governance policy
• IT security policy
• Confidentiality staff code of conduct
• Customer care and complaints policy
• Data protection and confidentiality policy
• Freedom of Information policy and procedure

Operational and Risk Management
• Adverse Incidents Procedure for Recording Reporting
• Business Conduct and Conflicts of Interest Policy
• EPRR Framework
• Fraud Response Plan
• Major Incident plan
• Management of claims handling and litigation procedures
• Policy for the Development and Management of Procedural Documents

Partnership Working
• Care Home Closure Contingency Policy
• Deprivation of Liberty Safeguarding guidance for managing authorities
• Multi-Agency Safeguarding Adults Policy and Procedures
• Safeguarding Adults policy and procedure
• Safeguarding Children policy

Quality and Safety
• Medicines Code Chapter 1 Management and Storage of Prescriptions in Primary Care
• Medicines Code Chapter 2 Prescribing Policy
• Medicines Code Chapter 3 Remote Prescribing
• Medicines Code Chapter 4 Storage and Safe Custody of Medicines
• Medicines Code Chapter 5 Reporting Adverse Drug Reactions
• Medicines Code Chapter 6 Prescribing of unlicensed and off-label medicines
• Medicines Code Chapter 7 Development and Implementation of SOPs
• Medicines Code Chapter 8 Prescribing of Infant Formula
• Medicines Code Chapter 9 Prescribing Methotrexate
• Medicines Code Chapter 10 Lithium Prescribing
• Medicines Code Chapter 11 Insulin Prescribing
• Medicines Code Chapter 12 Oral Anticoagulant Therapy
• Medicines Code Chapter 13 Oral Chemotherapy
• Medicines Code Chapter 14 Medicines Reconciliation in GP practices
• Medicines Code Chapter 15 Repeat Prescribing and Medicines Review
• Medicines Code Chapter 16 Temperature Monitoring of Medicinal Products
• Medicines Code Chapter 17 Working with the Pharmaceutical Industry
• Medicines Code Chapter 18 Waste Medicines
• Medicines Code Chapter 19 Destruction of Controlled Drugs
• Medicines Code Chapter 20 Prescribing and Management of Controlled drugs
• Medicines Code Chapter 21 Prescribing of Injectable Medicines
• Policy on Non-Medical Prescribers working in GP Practices in NHS Dorset
• Safeguarding training framework including PREVENT
• Being Open Policy Open Disclosure of Patient Safety Incidents
• Dorset Multi-Agency strategy for the Prevention and Management of Pressure Ulcers

Strategy and Planning
• Business Continuity Plan
• Organisational Development Framework
• Quality Framework

APPENDIX B

GLOSSARY

Terms highlighted in green are defined within the glossary.

Acknowledged risk: An identified risk that:
• is small enough to have an immaterial effect on the achievement of organisational objectives;
• is a significant risk that has been mitigated by the establishment of effective controls to minimise
the likelihood of the risk occurring or to minimise the adverse consequences should the risk identified
occur;
• is one where the exposure has been deemed tolerable within the organisational risk appetite, it is not
possible to reduce the risk further and/or the cost of taking action would be disproportionate to the
benefit gained.
Assurance: An approach for evaluating performance and seeking guarantees that required processes are
being followed.
Consequence (severity): A measure of the effect that the predicted harm, loss or damage would have on
the people, property or objectives affected.
Control: An activity (action) which reduces the consequence and/or likelihood of a risk.
Corporate Risk Register: A tool which acts as a central repository for all risks identified by the
organisation or project.
Current risk: Risks are regularly reviewed and assessed to give a current score.
Governing Body Assurance Framework: An integral part of the CCG system of internal control which
summarises the controls and assurances in place to ensure that each of the organisation’s key objectives
is achieved.
Inherent risk: When a risk is first identified, the initial NPSA risk score is known as the ‘inherent’ risk
rating. This is the risk in the absence of any controls or actions that might alter, mitigate or reduce the
likelihood or impact of the risk.
Internal control: A systematic process for assuring achievement of an organisation’s objectives in
operational effectiveness and efficiency, reliable financial reporting, and compliance with laws,
regulations and policies.
Likelihood: A measure of the probability that the predicted harm, loss or damage will occur.
NPSA: National Patient Safety Agency.
Risk: The combination of likelihood and consequence of an event/set of events being realised and the
effect of this on the achievement of strategic objectives.
Risk appetite: The ‘threshold’ of risk that an organisation is prepared to accept, tolerate or be exposed to
before it takes action.
Risk assessment: A systematic process of determining the level of risk that an event/set of events poses
in combination with the likelihood of its occurrence.
Risk matrix: A graphical representation of the risk severity, following the risk assessment.
Risk mitigation: The process by which an organisation introduces specific measures (controls) to
minimise or eliminate risks. Risk mitigation measures can be directed towards reducing the severity of
risk consequences, reducing the likelihood of the risk occurring, or reducing the organisation’s exposure
to the risk.
Risk rating: The ‘risk score’ that a risk is given following risk assessment (via a risk matrix).
Target risk: The point (likelihood/severity rating) at which the risk would become acceptably mitigated. It
is rare for risk to be wholly eradicated. Target risk is the point at which the risk would no longer
represent a significant threat, or the point at which everything possible will have been done to mitigate
the risk.

APPENDIX C
NPSA RISK MATRIX
Consequence scores: choose the most appropriate domain for the identified risk from the left hand side
of the table. Then work along the columns in same row to assess the severity of the risk on the scale of 1
to 5 to determine the consequence score, which is the number given at the top of the column.

Consequence score (severity levels) and examples of descriptors

Severity levels: 1 Negligible, 2 Minor, 3 Serious, 4 Major, 5 Catastrophic

Domain: Impact on the safety of patients, staff or public (physical/psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment. No time off work.
2 Minor: Minor injury or illness, requiring minor intervention. Requiring time off work for >3 days.
Increase in length of hospital stay by 1-3 days.
3 Serious: Moderate injury requiring professional intervention. Requiring time off work for 4-14 days.
Increase in length of hospital stay by 4-15 days. RIDDOR/agency reportable incident. An event which
impacts on a small number of patients.
4 Major: Major injury leading to long-term incapacity/disability. Requiring time off work for >14 days.
Increase in length of hospital stay by >15 days. Mismanagement of patient care with long-term effects.
5 Catastrophic: Incident leading to death. Multiple permanent injuries or irreversible health effects. An
event which impacts on a large number of patients.

Domain: Quality/complaints/audit
1 Negligible: Peripheral element of treatment or service suboptimal. Informal complaint/inquiry.
2 Minor: Overall treatment or service suboptimal. Formal complaint (stage 1). Local resolution. Single
failure to meet internal standards. Minor implications for patient safety if unresolved. Reduced
performance rating if unresolved.
3 Serious: Treatment or service has significantly reduced effectiveness. Formal complaint (stage 2).
Local resolution (with potential to go to independent review). Repeated failure to meet internal
standards. Major patient safety implications if findings are not acted on.
4 Major: Non-compliance with national standards with significant risk to patients if unresolved. Multiple
complaints/independent review. Low performance rating. Critical report.
5 Catastrophic: Totally unacceptable level or quality of treatment/service. Gross failure of patient safety
if findings not acted on. Inquest/ombudsman inquiry. Gross failure to meet national standards.

Domain: Human resources/organisational development/staffing/competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (<1 day).
2 Minor: Low staffing level that reduces the service quality.
3 Serious: Late delivery of key objective/service due to lack of staff. Unsafe staffing level or
competence (>1 day). Low staff morale. Poor staff attendance for mandatory/key training.
4 Major: Uncertain delivery of key objective/service due to lack of staff. Unsafe staffing level or
competence (>5 days). Loss of key staff. Very low staff morale. No staff attending mandatory/key
training.
5 Catastrophic: Non-delivery of key objective/service due to lack of staff. Ongoing unsafe staffing
levels or competence. Loss of several key staff. No staff attending mandatory/key training on an
ongoing basis.

Domain: Statutory duty/inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty.
2 Minor: Breach of statutory legislation. Reduced performance rating if unresolved.
3 Serious: Single breach in statutory duty. Challenging external recommendations/improvement notice.
4 Major: Enforcement action. Multiple breaches in statutory duty. Improvement notices. Low
performance rating. Critical report.
5 Catastrophic: Multiple breaches in statutory duty. Prosecution. Complete systems change required.
Zero performance rating. Severely critical report.

Domain: Adverse publicity/reputation
1 Negligible: Rumours. Potential for public concern.
2 Minor: Local media coverage – short-term reduction in public confidence. Elements of public
expectation not being met.
3 Serious: Local media coverage – long-term reduction in public confidence.
4 Major: National media coverage with <3 days service well below reasonable public expectation.
5 Catastrophic: National media coverage with >3 days service well below reasonable public
expectation. MP concerned (questions in the House). Total loss of public confidence.

Domain: Business objectives/projects
1 Negligible: Insignificant cost increase/schedule slippage.
2 Minor: <5 per cent over project budget. Schedule slippage.
3 Serious: 5–10 per cent over project budget. Schedule slippage.
4 Major: Non-compliance with national 10–25 per cent over project budget. Schedule slippage. Key
objectives not met.
5 Catastrophic: Incident leading >25 per cent over project budget. Schedule slippage. Key objectives
not met.

Domain: Finance including claims
1 Negligible: Small loss. Risk of claim remote.
2 Minor: Loss of 0.1–0.25 per cent of budget. Claim less than £10,000.
3 Serious: Loss of 0.25–0.5 per cent of budget. Claim(s) between £10,000 and £100,000.
4 Major: Uncertain delivery of key objective/loss of 0.5–1.0 per cent of budget. Claim(s) between
£100,000 and £1 million. Purchasers failing to pay on time.
5 Catastrophic: Non-delivery of key objective/loss of >1 per cent of budget. Failure to meet
specification/slippage. Loss of contract/payment by results. Claim(s) >£1 million.

Domain: Service/business interruption
1 Negligible: Loss/interruption of >1 hour.
2 Minor: Loss/interruption of >8 hours.
3 Serious: Loss/interruption of >1 day.
4 Major: Loss/interruption of >1 week.
5 Catastrophic: Permanent loss of service or facility.

Domain: Environmental impact
1 Negligible: Minimal or no impact on the environment.
2 Minor: Minor impact on environment.
3 Serious: Moderate impact on environment.
4 Major: Major impact on environment.
5 Catastrophic: Catastrophic impact on environment.

Likelihood score: What is the likelihood of the consequence occurring? The frequency-based score is
appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to
identify a frequency.

Likelihood score and descriptor (frequency: how often might it/does it happen?)
1 Rare: This will probably never happen/recur.
2 Unlikely: Do not expect it to happen/recur but it is possible it may do so.
3 Possible: Might happen or recur occasionally.
4 Likely: Will probably happen/recur but it is not a persisting issue.
5 Almost certain: Will undoubtedly happen/recur, possibly frequently.

Some organisations may want to use probability for scoring likelihood, especially for specific areas of risk
which are time limited. For a detailed discussion about frequency and probability see the guidance notes.

Risk scoring = severity of consequence x likelihood

Consequence (severity) / Likelihood: 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost certain
1 Negligible: 1 | 2 | 3 | 4 | 5
2 Minor: 2 | 4 | 6 | 8 | 10
3 Serious: 3 | 6 | 9 | 12 | 15
4 Major: 4 | 8 | 12 | 16 | 20
5 Catastrophic: 5 | 10 | 15 | 20 | 25

For grading risk, the scores obtained from the risk matrix are assigned grades as follows:

Low Risk: Green, 0-3
Moderate Risk: Yellow, 4-6
Significant Risk: Orange, 8-12
High Risk: Red, 15-25

Instructions for use:

1 Define the risk explicitly in terms of what the risk event is followed by the adverse consequence that
might arise from the risk, choosing a title which starts with the word “If” and proceeds to identify the
consequences using the term “then” for example:- IF shared photocopiers and printers are used, THEN
serious information governance breaches may occur.
2 Determine the severity of consequence score for the potential adverse outcome relevant to the risk
being evaluated.
3 Determine the likelihood score prior to applying any mitigating actions.
4 Calculate the unmitigated risk score by multiplying the consequence by the likelihood.
5 Identify the level at which the risk will be managed in the organisation, assign priorities for remedial
action and develop an action plan without delay.
6 Determine whether risks are to be accepted on the basis of the colour bandings and risk ratings, and the
organisation’s risk management system. Include the risk in the organisation risk register at the
appropriate level.
7 Establish what the revised current risk rating is using the same process as above, taking account of the
immediate mitigating actions having been implemented.
8 Determine a target risk rating using the process above at which point all mitigating actions will have
been taken and the risk will be accepted by the organisation without further interventions.
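The following Python carries steps 1 to 8 above through for the step 1 example risk, using the three illustrative ratings printed on the Appendix D form (Major/Certain, Serious/Likely, Serious/Rare); the same scoring applies to the Appendix G information governance form. It is an added example and not part of the framework or the CCG's risk system: the matrix, bands and rating stages are taken from this appendix, while the class and function names are this example's own, and the check that the colour bands cover every reachable score is an extra the appendix does not state.

```python
"""Worked scoring of a Corporate Risk Register entry against the NPSA 5x5 matrix.

Added example, not part of the NHS Dorset framework: the matrix, colour bands and
the inherent/current/target ratings follow Appendix C and the Appendix D form;
the class and function names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Serious", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}

# Grading bands from Appendix C as (lowest score, highest score, grade, colour).
BANDS = [
    (0, 3, "Low", "Green"),
    (4, 6, "Moderate", "Yellow"),
    (8, 12, "Significant", "Orange"),
    (15, 25, "High", "Red"),
]


def risk_score(consequence: int, likelihood: int) -> int:
    """Step 4: risk score = severity of consequence x likelihood, each on 1..5."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must each be an integer 1..5")
    return consequence * likelihood


def grade(score: int) -> tuple[str, str]:
    """Map a matrix score to its (grade, colour) band."""
    for low, high, name, colour in BANDS:
        if low <= score <= high:
            return name, colour
    # 7, 11, 13 and 14 sit between the bands, but no product of two 1..5 integers
    # equals them, so reaching this line means the score did not come from the matrix.
    raise ValueError(f"score {score} is not reachable on the 5x5 matrix")


def bands_cover_matrix() -> bool:
    """Check that every reachable product on the matrix falls in exactly one band."""
    reachable = {c * l for c in CONSEQUENCE for l in LIKELIHOOD}
    return all(
        sum(1 for low, high, _, _ in BANDS if low <= s <= high) == 1 for s in reachable
    )


@dataclass(frozen=True)
class Rating:
    """One cell of the matrix, e.g. Rating(4, 5) for Major/Certain."""
    consequence: int
    likelihood: int

    @property
    def score(self) -> int:
        return risk_score(self.consequence, self.likelihood)

    def describe(self) -> str:
        name, colour = grade(self.score)
        return (f"{CONSEQUENCE[self.consequence]}/{LIKELIHOOD[self.likelihood]}"
                f" = {self.score} ({name} risk, {colour})")


@dataclass
class RiskEntry:
    """A register line: the IF/THEN title (step 1) and the ratings of steps 4, 7 and 8."""
    event: str        # the "IF ..." clause
    outcome: str      # the "THEN ..." clause
    inherent: Rating  # step 4: before any mitigating action
    current: Rating   # step 7: with immediate mitigating actions in place
    target: Rating    # step 8: the point at which the risk is accepted

    @property
    def title(self) -> str:
        return f"IF {self.event}, THEN {self.outcome}"

    def validate(self) -> list[str]:
        """Controls can only lower a score, so flag ratings that run the wrong way."""
        problems = []
        if self.current.score > self.inherent.score:
            problems.append("current score exceeds inherent score")
        if self.target.score > self.current.score:
            problems.append("target score exceeds current score")
        return problems


def example_entry() -> RiskEntry:
    """The step 1 example risk, rated with the three illustrative ratings printed on
    the Appendix D form (Major/Certain, Serious/Likely, Serious/Rare)."""
    return RiskEntry(
        event="shared photocopiers and printers are used",
        outcome="serious information governance breaches may occur",
        inherent=Rating(4, 5),
        current=Rating(3, 4),
        target=Rating(3, 1),
    )


if __name__ == "__main__":
    entry = example_entry()
    print(entry.title)
    for label, rating in (("Inherent", entry.inherent), ("Current", entry.current),
                          ("Target", entry.target)):
        print(f"  {label}: {rating.describe()}")
    print("  Problems:", entry.validate() or "none")
    print("  Bands cover every reachable score:", bands_cover_matrix())
```

Run as a script it prints the worked entry (inherent 20 Red, current 12 Orange, target 3 Green). The validate() check is the one a practitioner wants when reviewing a register: a current score above the inherent score, or a target above the current, means the ratings were entered the wrong way round or the controls were never scored, and grade() refusing 7, 11, 13 and 14 catches a score that was typed in rather than read off the matrix.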

APPENDIX D
CORPORATE RISK REGISTER ASSESSMENT FORM

Please read Appendix 1 before completing this form. Each section is important and relates to an
essential part of the Risk system: incomplete forms will be returned.
NO ACRONYMS PLEASE.

Risk title: If…….
Directorate: / Director *:
Department: / Responsible Manager **:
Location (if applicable): / Area (e.g. Primary Care):
Please describe the risk:
What was the source of the risk?
What are the consequences of the risk being realised?
What controls are already in place to reduce the risk?
Are there any gaps in the controls?
Assurances: What is being done to manage the gaps in the controls and manage the risk?
CCG Strategic Objectives (if the risk relates to more than one, please identify them in number order):
• Care closer to home
• Preventing ill health and reducing inequalities
• Services designed around patients
• Sustainable healthcare services

*The Director has overall responsibility for all risks within their Directorate
**The Responsible Manager has responsibility for the management of the risk
Risk Matrix

Severity / Likelihood: 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Certain
1 Negligible: 1 | 2 | 3 | 4 | 5
2 Minor: 2 | 4 | 6 | 8 | 10
3 Serious: 3 | 6 | 9 | 12 | 15
4 Major: 4 | 8 | 12 | 16 | 20
5 Catastrophic: 5 | 10 | 15 | 20 | 25

Key to Risk Register rating:
Low Risk: Green, 0-3
Moderate Risk: Yellow, 4-6
Significant Risk: Orange, 8-12
High Risk: Red, 15-25

Likelihood: Rare / Unlikely / Possible / Likely / Certain
Severity: Negligible / Minor / Serious / Major / Catastrophic

Initial risk rating (before any mitigating actions have been implemented), e.g. Major/Certain:
Current risk rating (at time of writing, taking account of existing controls and mitigating actions),
e.g. Serious/Likely:
TARGET risk [using the matrix above] (the point at which the risk would become acceptably mitigated),
e.g. Serious/Rare:
Submission date:

Signed: / Job title: / Date:
Director signature: / Job title: / Date:

To be completed by the Patient Safety and Risk Team:
Received by:
Received date:
Risk Register Reference:

Following review at the weekly Risk Review meeting:
Date reviewed:
Initial risk rating – comment:
Date added to Risk Register:

Action Plan template

Risk title: IF … THEN …
Responsible Manager: / Date of current version: / Version:
Columns: Required action (specific, measurable, achievable, realistic, time-bound) | Involvement of
others | Responsible Person | Due date | Progress so far

APPENDIX E
GOVERNING BODY ASSURANCE FRAMEWORK - TEMPLATE

APPENDIX F
[Diagram: STP Delivery Governance (organisational governance remains in place; the diagram shows the
groups and interactions for transformation programme management). Assurance groups: CCG Governing
Body, 5 x Dorset NHS Foundation Trust Boards, 3 Council cabinets (3 x LA Cabinets). Strategic level:
System Partnership Board; Senior Leadership Team; Governance and Transformation Services (assurance,
oversight & reporting, design, Portfolio Office services, methodology); West HWB and East HWB (oversight
and decision making as required). Delivery and implementation level: STP Planning and Implementation
Group – Portfolio Directors (managing integration check points and interdependencies across portfolios);
Reference Groups; core STP portfolios, with portfolio plans and blueprints delivered through Programme
Boards whose memberships consist of providers, commissioners and SMEs (which could in future be
through an Accountable Care Partnership): Prevention at Scale Programme Board, ICS&PCS Programme
Board (including clinical networks and Vanguards), One Acute Network Programme Board, Digitally
enabled Programme Board, Leading and working differently Programme Board; STP enablers: Finance,
Comms, Patient, Clinical, Accountable care setup group, Place based (single care providers based upon a
locality); A&E Delivery Board; current providers.]
Group / Role / Who is on this group / How often do they meet?

System Partnership Board: Provides senior oversight, on behalf of partner boards, of the STP delivery
process. Members: the Chairs/Leaders of the CCGs, 5 NHS Foundation Trusts and Local Authorities.
Meets once every 3 months.

Senior Leadership Team (SLT): The accountable group of senior system leaders responsible for the
delivery of the STP. Members: the Chief Executives of system organisations, who have a dual role in
undertaking senior sponsor roles in a delivery area (these delivery areas are shown in the Planning and
Implementation Group). This group provides oversight on the delivery of the STP. Meets monthly.

STP Planning and Implementation Group: Responsible for designing, planning and delivering the STP.
Through portfolios of work they co-ordinate their activity to ensure a single system plan is delivered to
close the three gaps. Their membership may also include current providers, hence the band of providers at
the bottom of the graphic. Members: there are 5 portfolios of work, which can be seen in the diagram;
each portfolio has a leader responsible for this work, and by coming together this group manages the
complex delivery elements between the portfolios. Meets monthly.

Reference Groups: A number of reference groups of subject matter experts who provide input to the
decision making of the portfolios. Members are drawn from providers, the CCG, GPs and clinical experts
depending upon their expertise. Meet monthly.

A&E Delivery Board: Develops and delivers system-wide improvements to the Urgent Care network; this
group feeds into the work of the portfolios. Members: NHS England, CCG and provider experts from the
wider Acute network. Meets monthly.

Health and Wellbeing Boards: Statutory bodies who oversee and advise on strategic policy for a locality
in terms of its health policy. Members include experts in public health, local authorities, health providers
and lay members. Meet bi-monthly.

Transformation Services: Provides Portfolio Management and Transformation support services to the
various STP groups. Members: NA. Frequency: NA.
Appendix G

Information Governance Risk Assessment Form

Please consider all applicable threats and vulnerabilities when completing this risk assessment:

Threats
• Disposal of equipment without proper erasure
• Inadequate or careless use of physical access control to buildings, rooms and offices
• Extremes of temperature and humidity
• Failure of communications services
• Failure of network components
• Failure of power supply
• Failure of water supply
• Fire
• Flooding
• Hardware failure
• Illegal import or export of software
• Unauthorised use of software / malicious software
• Maintenance error
• Masquerading of a user identity
• Network access by unauthorised persons
• Software failure
• Staff shortages
• Theft
• Transmission errors
• Unauthorised use of storage media
• User error
• Wilful damage

Vulnerabilities
• Inadequate or careless use of physical access control to buildings, rooms and offices
• Insufficient security training
• Lack of audit trail
• Lack of documentation
• Lack of physical protection for the building doors and windows
• Lack of identification and authentication mechanisms
• No logout when leaving work station
• Poor password management
• Wrong allocation of access rights

Name of Information Asset:
Directorate: / Director *:
Department: / Responsible Manager **:
Location (if applicable):
Please describe the Information Asset:
What are the identified risks?
What are the consequences of the risks being realised?
What controls are in place to reduce and/or remove the risks?
Are there any gaps in the controls?
Assurances: What is being done to manage the gaps in the controls and manage the risk?

*The Director has overall responsibility for all risks within their Directorate
**The Responsible Manager has responsibility for the management of the risk

Risk Matrix

Severity / Likelihood: 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Certain
1 Negligible: 1 | 2 | 3 | 4 | 5
2 Minor: 2 | 4 | 6 | 8 | 10
3 Serious: 3 | 6 | 9 | 12 | 15
4 Major: 4 | 8 | 12 | 16 | 20
5 Catastrophic: 5 | 10 | 15 | 20 | 25

Key to Risk Register rating:
Low Risk: Green, 0-3
Moderate Risk: Yellow, 4-6
Significant Risk: Orange, 8-12
High Risk: Red, 15-25

Likelihood: Rare / Unlikely / Possible / Likely / Certain
Severity: Negligible / Minor / Serious / Major / Catastrophic

Initial risk rating (before any mitigating actions have been implemented), e.g. Major/Certain:
Current risk rating (at time of writing, taking account of existing controls and mitigating actions),
e.g. Serious/Likely:
TARGET risk [using the matrix above] (the point at which the risk would become acceptably mitigated),
e.g. Serious/Rare:
Submission date:

Signed: / Job title: / Date:
Director signature: / Job title: / Date:

To be completed by the Patient Safety and Risk Team:
Received by:
Received date:
Risk Register Reference:

Following review at the weekly Risk Review meeting:
Date reviewed:
Initial risk rating – comment:
Date added to Risk Register:

Action Plan template

Risk title: / Version: / Date of current version: / Responsible Manager:
Columns: Required action (specific, measurable, achievable and realistic) | Date of action | Involvement
of other teams | Responsible Person | Due date | Progress