NHS Scotland - blueprint for good governance: second edition

The second edition of the Blueprint for Good Governance shares the latest thinking on healthcare governance, including definitions of 'good governance', 'active governance' and 'collaborative governance', with further emphasis on support mechanisms and continuous improvement to support best practice.


B. The Risk Management System

B.1 Risk management is an integral part of the active and collaborative approaches to delivering good governance. It enhances strategic planning and prioritisation, assists in achieving corporate objectives and strengthens the Board’s ability to be agile in response to the challenges faced by the NHS.

B.2 NHS Boards cannot be entirely risk averse, and having an effective and meaningful risk management system that systematically anticipates and prepares successful responses to the uncertainties faced by NHS Boards is critical to delivering the organisation’s purpose, aims, values, corporate objectives, operational priorities and targets.

B.3 When considering their approach to risk management, NHS Boards should recognise that it is often not possible to manage all risks at any point in time to the desirable tolerance level. Very often it is also not possible, and not financially affordable, to fully remove uncertainty from decisions. Therefore, Boards should encourage and support a risk culture that embraces openness, supports transparency, welcomes constructive challenge and promotes collaboration, consultation and co-operation.

B.4 The principles and concepts that support effective risk management are outlined in HM Government’s Orange Book[41], and the Scottish Public Finance Manual[42] provides guidance on best practice for risk management in the Scottish public sector.

B.5 Almost all processes, procedures and activities carried out by the NHS carry with them a degree of risk. So, it is necessary for the NHS Board to agree the level of risk with which it aims to operate, based on what it considers to be justifiable and proportionate to the impact on patients, service users, the public, the workforce and the Board. Consequently, understanding and communicating the Board’s risk appetite is the first step in constructing an effective risk management system.

B.6 Guidance on the development and use of a risk appetite statement is contained in HM Government’s Risk Appetite Guidance Notes[43]. Having agreed their risk appetite, NHS Boards must then develop, maintain and continuously improve a risk management system that supports the achievement of the Board’s corporate objectives and operational priorities while remaining within its risk appetite.

B.7 The risk management approach adopted by the organisation must include activities and processes that facilitate the identification of corporate and operational risks and support the assessment, mitigation, monitoring and reporting of these risks.

B.8 The risk management system should be utilised in a way that assists the NHS Board and the Executive Leadership Team to prioritise available resources to minimise risk to best effect and to provide assurance that progress is being made. This must include the maintenance of a tiered set of operational and corporate risk registers to quantify and prioritise risks which threaten the achievement of the organisation’s objectives and priorities.

B.9 The purpose of the risk registers is to achieve greater visibility of exposure to risk across the categories identified in the risk appetite statement and, as a result, to reduce the likelihood that risks will occur or to evoke an effective response when they do. Therefore, it is important that the risk registers are constantly updated to reflect the dynamic nature of delivering healthcare.

B.10 For the risk registers to be an effective tool for the management of risk it is important that they include an articulation of the risk event itself, details of the underlying causes (including internal and external factors), and the range of consequences should the risk event occur.

B.11 The risk registers should include an assessment of the combination of the consequences of the event (impact) and its probability (likelihood). The impact should be the estimated effect of the risk on the objectives in question; this assessment is focused on scale, scope and resource implications. Likelihood is the estimated chance of the risk occurring; this is focused on probability.

B.12 Having assessed the risk, the response should be to either treat, tolerate or terminate the risk. The mitigation actions already taken or proposed to respond to the risks to be treated should also be described in the registers. This should include the owner of the action, the timescales involved and where the oversight and scrutiny of the delivery and outcome of the mitigation sits within the organisation’s hierarchy.

B.13 To highlight the expected changes to the impact and likelihood of the risk materialising, the assessment scores should be included both before and after the mitigation actions.
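The register fields listed in B.10 to B.13, as an added illustration that is not part of the Blueprint: a small Python model of a risk register entry carrying the risk event, its causes and consequences, inherent (pre-mitigation) and residual (post-mitigation) scores, a treat/tolerate/terminate response, and mitigation actions with an owner, timescale and oversight point. The 1 to 5 scoring scale, the impact multiplied by likelihood product, the per-category appetite thresholds and every register entry are constructed assumptions for the example; the Blueprint does not prescribe a scale or thresholds.

```python
"""Constructed example of a tiered risk register as described in B.8 to B.13.

Assumptions not stated in the Blueprint: impact and likelihood are each scored
1-5, the combined score is impact * likelihood, and the Board's risk appetite
is expressed as a maximum tolerable residual score per category.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

RESPONSES = ("treat", "tolerate", "terminate")


@dataclass
class Assessment:
    impact: int      # estimated effect on the objective (scale, scope, resources)
    likelihood: int  # estimated chance of the risk event occurring

    def __post_init__(self) -> None:
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


@dataclass
class MitigationAction:
    description: str
    owner: str
    due: date
    oversight: str          # where scrutiny of delivery sits in the hierarchy
    complete: bool = False


@dataclass
class Risk:
    ref: str
    category: str
    event: str
    causes: list[str]
    consequences: list[str]
    response: str
    inherent: Assessment    # score before mitigation
    residual: Assessment    # expected score after mitigation
    actions: list[MitigationAction] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.response not in RESPONSES:
            raise ValueError(f"{self.ref}: response must be one of {RESPONSES}")
        if self.response == "treat" and not self.actions:
            raise ValueError(f"{self.ref}: a treated risk needs at least one mitigation action")
        if self.residual.score > self.inherent.score:
            raise ValueError(f"{self.ref}: mitigation should not increase the score")


def above_appetite(register: list[Risk], appetite: dict[str, int]) -> list[str]:
    """References of risks whose residual score still exceeds the category appetite."""
    return [r.ref for r in register if r.residual.score > appetite[r.category]]


def overdue_actions(register: list[Risk], today: date) -> list[tuple[str, str]]:
    """(risk ref, action) pairs for incomplete mitigation actions past their due date."""
    return [(r.ref, a.description) for r in register for a in r.actions
            if not a.complete and a.due < today]


# Constructed sample appetite and register entries (not NHS Scotland data).
APPETITE = {"clinical": 8, "technology": 12}
REVIEW_DATE = date(2024, 6, 1)

REGISTER = [
    Risk(ref="CR-01", category="technology", event="Loss of the patient administration system",
         causes=["unpatched server estate", "single data centre"],
         consequences=["cancelled appointments", "manual record keeping"],
         response="treat",
         inherent=Assessment(impact=5, likelihood=4),
         residual=Assessment(impact=5, likelihood=2),
         actions=[MitigationAction("Test failover to secondary site", "Head of Digital",
                                   date(2024, 3, 31), "Audit and Risk Committee", complete=True),
                  MitigationAction("Patch cycle within 14 days of release", "Infrastructure Manager",
                                   date(2024, 1, 31), "Audit and Risk Committee")]),
    Risk(ref="CR-02", category="clinical", event="Medication error from transcription",
         causes=["paper prescribing in two wards"], consequences=["patient harm"],
         response="treat",
         inherent=Assessment(impact=4, likelihood=3),
         residual=Assessment(impact=4, likelihood=3),  # action not yet expected to move the score
         actions=[MitigationAction("Roll out electronic prescribing", "Medical Director",
                                   date(2024, 12, 31), "Clinical Governance Committee")]),
    Risk(ref="OR-07", category="technology", event="Short outage of the staff intranet",
         causes=["ageing web server"], consequences=["delayed internal communications"],
         response="tolerate",
         inherent=Assessment(impact=1, likelihood=3),
         residual=Assessment(impact=1, likelihood=3)),
]

if __name__ == "__main__":
    print("Residual score above appetite:", above_appetite(REGISTER, APPETITE))
    print("Overdue mitigation actions:", overdue_actions(REGISTER, REVIEW_DATE))
```

The two reporting functions are the kind of view a governance committee would want from the register: which risks remain outside appetite even after the planned mitigation (here the clinical risk, whose residual score is unchanged until the electronic prescribing rollout lands), and which actions have slipped past their owner's timescale.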

B.14 Business continuity plans are often used to mitigate some corporate risks, including those around the loss of IT systems, disruption to water, gas and electricity supplies, and other failures in the physical infrastructure. These plans are designed to ensure that the organisation can continue to operate and recover should a significant risk materialise. They aim to increase resilience across the healthcare system by responding to identified risks with an impact assessment and contingency plans that have been implemented and tested across the organisation.

B.15 Therefore, NHS Boards must ensure that appropriate business continuity plans are in place, regularly tested and reviewed, and widely communicated with the appropriate stakeholders.

B.16 Where the delivery of services provided by organisations outside of the NHS Board can introduce risk to the delivery of healthcare, it is important that the NHS approach to risk management and business continuity planning recognises this and responds appropriately. This is particularly important in the delivery of integrated health and social care systems and requires Board Members who also sit on the Integration Joint Boards to pay particular attention to the impact mitigating healthcare risks can have on social care services and vice versa.

B.17 The information presented in the risk registers and the business continuity plans should improve decision making and assist the NHS Board to assess whether or not management controls and resources deployed are adequate to effectively manage corporate and operational risks in healthcare.

B.18 Responsibility and accountability for the operation and the oversight of the risk management system should be clearly defined and responsibility for contributing to the management of risks should be included in the job descriptions of staff, the terms of reference of the governance committees and the Board’s Scheme of Delegation.

B.19 Not only do NHS Boards require assurance on the effectiveness of their approach to strategic planning and risk management, they need to commission an assurance information system that provides them with the necessary information to give Board Members assurance on the progress being made towards the delivery of the organisation’s strategic, operational and financial plans.

Contact

Email: ocenhs@gov.scot
