HazardIdentification,RiskAssessmentandManagementProcedure

DocumentationControl
Reference:

GG/CM/007

Dateapproved:
ApprovingBody:

TrustBoard

ImplementationDate:
Version:

Supersedes:

Version2(2September2009)

Consultation:

ClinicalandNonClinicalHospitalStaff
OrganisationalRiskCommittee
DirectorsGroup
TrustBoard
ExecutiveDirectors,DirectorateClinicalDirectors,
ClinicalLeads,DirectorateGeneralManagers,
HeadsofService
MembersoftheQuality AssuranceCommittee,
QualityOperationalGroupanditsSubCommittees
SpecialistsAdvisors,assetoutintheTrustsRisk
ManagementPolicy
RelevantExternalStakeholders
AllTruststaffandrelevantStakeholders

Distribution:

TargetAudience

SupportingPoliciesand NUHRiskManagementPolicy
Procedures
TrustAnnualPlan
BoardAssuranceFramework.
ReviewDate:
LeadExecutive(s):
Author/LeadManager:
Further
Guidance/Information

NUHRiskAssessmentToolV2Dec2011

December2012
MedicalDirector
HeadofOrganisationalQuality,RiskandSafety
HeadofOrganisationalQuality,RiskandSafety(ext
76018/62553)

Page 1of12

HAZARDIDENTIFICATION,RISKASSESSMENTAND
MANAGEMENTPROCEDURE
1.Introduction
This procedure sets out the Trust operational processes for Hazard Identification,
Risk Assessment and the Management of risk. This document should be read in
conjunctionwiththeRiskManagementPolicy.
ThisprocedurecoversalloftheTrustsactivitiesandshouldbeusedwhenassessing
any kind of hazard (e.g. clinical, strategic, organisational, financial and health &
safety).
ItcanbeusedbyanymemberoftheClinicalorNonClinicalteamsinallDirectorates
andDepartmentsoftheTrust.
The Hazard Identification, Risk Assessment and Management procedure supports
theprinciplethatriskswhichcanbereasonablymanagedlocallyshouldbemanaged
locally.Wherethisisnotpracticalorwheretheriskscoredictatestheproceduresets
outtheescalationprocesstoTrustCommitteesandFora.
Thetoolhasbeendesignedforawiderangeofpurposesi.e.
itcanbeusedtoreviewandmanageallknownrisks,
it can be used to assess potential risks from new activities, service
developmentandprojects
it can also inform business cases and development projects allowing
comparisonsandprioritisationtobemade.
2.RiskRegisters
The Trust requires that all risks are recorded on DATIX. No other systems are
permitted.
The Trust will maintain a Significant Risk Register which comprises of all 20 or 25
scoringrisks(asratifiedbytheQuality AssuranceCommittee).
TheSignificantRiskRegisterwillbereportedtotheTrustBoardeachmonth(except
thosemonthswheretheTrustBoardreceivestheBoardAssuranceFramework).
The Trust requires that all Directorates, Specialties and Departments undertake
systematic and proactive hazard identification and risk assessment to identify local
risks to service provision, service quality, legislative compliance, financial and
NUHRiskAssessmentToolV2Dec2011

Page 2of12

deliveryoftheTrustsobjectivesandoperationalrequirements.HeadsofServiceare
responsibleforensuringthishappens
AllRiskAssessments(irrespectiveofscore)mustberecordedontheDATIXsystem.
The system entry must include details of any mitigating actions required to further
mitigatetherisk(includingresponsibilitiesandtimescales).WhereRiskAssessment
formsaregeneratedthesemustbeuploadedintoDATIXinthedocumentsectionof
theelectronicrecordalongwithanysupportingemails,reportsanddocuments.
TheTrustsRiskRegisterisalive,continuallyevolvingdocument.
The Risk Register provides a focus for the work of the Trust Board and its
Committees by communicating risk information throughout the organisation, and
providingthenecessaryassurancesthatrisksarebeingeffectivelymanaged.
3.Definitions
Hazard is defined as a source of potential harm or a situation with a potential to
causeloss[Graham&Kaye2006]
Risk is definedasthepossibilityofsufferingsomeformoflossordamageand/or
the possibility that objectives will not be achieved or that opportunities will not be
taken. This can be opportunities / benefits (Upside risk) or threats to success
(DownsideRisk).
Risk Assessment is defined as the process of determining the level of risk that a
hazardposesincombinationwiththelikelihoodofitsoccurrence.
Risk Control is defined as the part of the risk management process that is
concernedwiththeimplementationofpolicies,processes,tools,andtechniquesthat
accept,eliminate,removeortransferriskorestablishbusinesscontinuityprocesses.
Controlsmaybepreventative,detectiveorpostevent.[Graham&Kaye2006]
Risk Treatment is defined as the selection and implementation of options for
managingrisks.[Graham&Kaye2006]
Risk Transfer is defined as the treatment or control of risk through sharing the
burdenoflossorbenefitfromariskwithanotherparty.[Graham&Kaye2006]
RiskRegisterisaformalrecordthatcapturesallknownTrustRisks.Foreachrisk,
Risk Registers capture the source, nature, existing controls,theconsequences and
likelihoodofariskbeingrealisedandtheactionsrequiredtofurthermitigatetherisk.

4.Theprocess
Step1

IDENTIFINGHAZARDS

NUHRiskAssessmentToolV2Dec2011

Page 3of12

At local level, there will be different people leading on different aspects of risk
management,e.g.,ClinicalGovernanceCoordinators,Health&Safetylinkpersons,
Directoratemanagers,riskassessors,infectioncontrollinkpersons,TrustSpecialist
Adviserstonameafew.
Itisnotintendedthattheseactivitiesaremergedintoasinglerole.Itismoreabout
people working together to integrate activityat alocal level andto work together in
theidentification,assessmentandmanagementofrisk.
Hazardidentificationcantakemanyformsincluding

ThroughthelocalreviewofIncident,ClaimsandComplaintsdata,
AsaresultofanHealth&Safetyaudit/inspection,
FollowingaPatientSafetyconversation,
InresponsetoanInternalAuditreport,
Inresponsetoanexternalreport/directive/Alert,
InresponsetoaDepartmentofHealthdirective,
TorespondtogapsidentifiedfromtheHealth&SafetyCompliancereview,
AccreditationStandardscompliance(CQC,NHSLAetc.)
To respond to Trust requirements such as CIPs, Essence of Care
Benchmarks,CQuins,HRincludingMandatoryTrainingperformance
Tomeetlegislativerequirements
Through review of service specific standards, service quality and service
delivery
InresponsetoadvicereceivedfromSpecialistAdvisers

Theabovelistisnotexhaustive.TheIntegratedGovernanceTeamcanhelpfacilitate
hazardidentificationsessionsifrequired.
Whenassessinganyserviceoractivity,youwillidentifyanumberofhazards.Youwill
need to decide if you are going to recordthese risks on asingleform or groupthe
issuesonmorethanoneform.Eitherwayisperfectlylegitimate.Whichevermethod
adoptedyouwillneedtoensurethattheactionplansaddressallcomponenthazards
andnotjustthehighestscoringone.Thehazardsidentifiedshouldberecordedinthe
Hazards, Controls and Assessment section on the Trust approved Generic Risk
AssessmentForm(seeAppendix2).Foreachhazardidentifiedyouwillalsoneedto
decidewhoorwhatcanbeharmed(andhow)anddocumentanycontrolsthatarein
place.Thenextstepwillbetodeterminetheconsequenceandlikelihoodscoresfor
eachi.e.therisk(seesteps2&3below).
Nootherriskassessmentformsarepermitted.
Step2

DETERMINETHECONSEQUENCE

Thetoolincorporates5consequencesfactorsagainstwhichahazardcouldimpact,
NUHRiskAssessmentToolV2Dec2011

Page 4of12

1.
2.
3.
4.
5.

Objectives/Financial,(AObjectives)
DegreeofHarm(toStaff,Patient,VisitororMemberofthePublic),(BHarm)
Claims&Complaints/PatientExperience,(CExperience)
ImpactonServices/BusinessInterruption/Projects,(DServiceDelivery)
AdversePublicity/Reputation/Inspection/Audit/EnforcementAction.(EExternal)

Appendix3,setsoutthe5consequencefactorsalongwithdescriptorsforeachthat
depictarangeofoutcomesfrom1to5.Foreachhazardidentified,youwillneedto
determine a consequence score for each of the factors, which will need to be
recorded on the form. You should look at the controls in place when deciding the
level.Ifanyofthefactorsdontapplytothehazardbeingassessedthenaddascore
of1intheappropriatecolumnontheGenericRiskAssessmentForm.
HelpfulProcessDefinitions
PrimaryObjective

TrustKeyTask

TemporaryNonCompliance

NonAchievement

ControlMeasures

NUHRiskAssessmentToolV2Dec2011

For 2011/12, the TrustsPrimary Objectives are detailed

in the Trusts Annual Plan. These are the major things
that the Trust has declared it want to achieve in year to
meetitsStrategicaims.
ForeachofthePrimaryObjectivestheAnnualPlanalso
describes a number of subobjectives that could impact
on the delivery of the primary objective. These are
important things the Trust wants to deliver onbutfailure
ofoneormorewouldnotnecessarilypreventthePrimary
Objectivebeingachieved.
This applies where you have an objective or key
task, which at the time of assessment is not being
complied with, but there is a plan in placethatwillbring
theobjectivebackintocompliancewithinyear.
Thisapplieswhentheobjectiveorkeytask,whichatthe
timeofassessmentisnotbeingcompliedwith,andthere
is no plan in place or possibility that compliance will be
achievedinyear.
These are the things that have already been put into
place to manage/ mitigate the risk. These can be things
such a Policies, training, safe systems of work, physical
safeguards etc.. These are only control measures once
they are in place. If things are planned but not in place,
they should be recorded as actions. Generally as action
arecompletedthesewillbecomecontrols.

Page 5of12

Step3

DETERMINETHELIKELIHOOD

Onceyouhavedeterminedtheconsequence(foreachofthehazardsyouidentified),
you will need to determine the likelihood of the level of consequence you have
identified being realised. Remember its the likelihood of the consequence
occurring,nothowoftentheactivitytakesplace.
It is also important that any existing control measures are taken into account when
determiningthelikelihoodscore.Thederivedscoreshouldalsoevaluatewhether:
thecontroladequatelyaddressesthehazard
thecontrolmeasureisdocumentedandcommunicated
thecontrolmeasureisinoperationandappliedconsistently.
Onceyouhavedeterminedthescoreenterthescore(s)intheLikelihoodboxonthe
GenericRiskAssessmentForm.
TIP: The worstcase scenariodoesntalwaysyieldthehighestrisk.Youcanhavea
catastrophic consequence such as a death (consequence = 5) which due to the
controlsinplacesgivesalikelihoodof1andthereforeariskscoreof5.Butthesame
hazardmaycauselesssevereharm(consequence=3)eachmonth(likelihood=4)
givingariskscoreof12.
Step4

ASSESSTHERISKS

The risk score is determined by multiplying the consequence and likelihood scores
youhaverecordedforeachhazard.
Ithasbeenrecognisedthatbyusinga5by5tooltherewillbelimitedstratificationof
risks within thepossiblescorebandings.(i.e. thepossiblescores(CxL) thatcanbe
achievedare1,2,3,4,5,6,8,9,10,12,15,16,20and25).Toaidprioritisationof
risks particularly within the higher scoring bandings (15, 16, 20 and 25) a second
scoreisdeterminedbyaddingtogetherthe5individualconsequencescorestogivea
uniquescoreforeachrisk.
This Priority Indicator Score will then be used to help stratify the risks recorded
against agivenscoring banding.The PI Scorefor eachrisk should be recordedon
theGenericRiskAssessmentForm.

NUHRiskAssessmentToolV2Dec2011

Page 6of12

Step5

MANAGETHERISK

BycomparingtheRiskScore(RiskRating)obtainedwiththetablebelow,youwillbe
ableto determine whether therisk you haveassessedisunacceptable,tolerable
oracceptable.Thetablealsoprescribeswheretheriskneedstobecommunicated
andthemanagementactionrequired.
Table1LevelsofRisk,ReportingandAccountability
RiskRating
Significant
(2025)
Unacceptable

Levelatwhichtherisk Who needs to be

mustbereported
informed
QualityAssurance
TrustBoard
Committee(QUAC)
andQuality
OperationalGroup
(QUOG)

High
(1519)
Unacceptable

AppropriateSub
Committeeofthe
QualityOperational
Group

Moderate
(1014)
Unacceptable

Directorate

Low
Specialty/Directorate
(49) Tolerable,
manageable
VeryLow
Specialty/Directorate
(13)Acceptable

ManagementActionsRequired

Immediate action required to eliminate or manage

risk. Report to Directorate Clinical Director / Head
of Department & The Quality, Risk and Safety
Committee / Trust Board. Risks scoring 20 or 25
will be routinely monitored and actions
performance managed via the Quality Operational
Group.Operationalmanagementoftheseriskswill
be apportioned to the relevant governance
committee/forum,forexampleclinicalriskswillbe
forwarded to the Clinical Risk Committee for
monitoringdeliveryofagreedactions.
Quality
Urgent action/senior management attention
OperationalGroup required to eliminate or reduce the risk. Report to
Directorate Clinical Director/HeadofDepartment.
Risks scoring between 15 and 19 will be reviewed
by the Organisational Risk Committee who will
agreeatwhatleveltheriskandsubsequentactions
shouldbemanaged.
Organisational
Action/senior management attention required to
RiskCommittee
eliminate or reduce the risk. Report to Directorate
ClinicalDirector/HeadofDepartment.Riskcanbe
managedatDirectorateLevelifappropriate.Report
upwardstorelevantRiskCommittee.
Directorate
Action if cost efficient to reduce or manage risk.
Local actions. Delivery against any plans will be
monitored via the Directorate Governance
arrangements.
Directorate
Manage situation with routine procedures at a
Specialty or Department Level. Action if easy to
implement and inexpensive. Delivery against any
plans will be monitored via the Directorate
Governancearrangements.

If any actions / controls are required to further mitigate the risk these should be
recordedintheActionPlanning&Monitoringsectionoftheformalongwithnamed
personsresponsibleforundertakingtheactionandthetimescaleforcompletion.The
responsibility for ensuring that any actions identified are taken forward will be
dependantupon theriskscore.Forexampleariskscoring8(fromthetableabove)
wouldbereported/managedbytheSpecialty/Departmentwhereasariskscoring
12wouldbereported/managedbytheDirectorate.

NUHRiskAssessmentToolV2Dec2011

Page 7of12

Step6

IFRISKCANTORSHOULDNTBEMANAGEDLOCALLY

Wherepossible,risksshouldbemanagedatthelowestpracticallevel.
However where this is not possible (e.g. due to the resources required) the risk
should be escalated to the next level. i.e. if a Department cant manage a risk it
should pass to the Directorate / Corporate Function. If the Directorate / Corporate
FunctionitshouldbepassedtotheORC.
Itisalsoacknowledgedthatcertainrisksshouldntbemanagedlocally,i.e.wherethe
issue impacts across the Trust. In these instances it is appropriate to escalate the
risksothataTrustwideresponsecanbeactionedandimplemented.Akeypartof
the process within the Organisational Risk Committeewill be to agree theroute for
handling those issues that cant or shouldnt be handled at Directorate level. The
OrganisationalRisk Committeewilloverseetheserisksandensurethatappropriate
committees/groupsaretakingaction.
Risks may have to be accepted or, in the case of significant risks, shared with the
commissioners of services, members of the health care community and other
stakeholders.
If you are unsure what to do please seek advice from a member of the
Directorate Team or the Integrated Governance Team who will advise you on
actiontobetaken.
Step7

UPDATETHERISKREGISTER

All risks identified, along with the risk score, controls and actions, need to be
recorded on the DATIX Risk Management System in order to form the Trusts Risk
Register. Each Directorate and Corporate Function has a named lead who will be
able to assist with this process. All relevant information to support the risk
assessmentshouldbeimportedintotherecord.StaffaddingriskstoDATIXwillneed
to access the training provided. Data can be copied and pasted from the Generic
RiskAssessmentFormintotheDATIX riskentry.
Allrisksscoring20ormorewillbeaddedtotheTrustsSignificantRiskRegisterand
BoardAssuranceFramework.Thiswillhelptofacilitatethemanagementofrisks,the
identification of trends and significant risks, as well as the monitoring of risk
management.
AllriskregistersneedtobeformallyreviewedatleastquarterlyatTrust,Directorate,
Speciality and Departmental Governance Forums. At each review the risk register
needstobeupdatedtoreflectprogressonactionsandtoreviewriskscores.

NUHRiskAssessmentToolV2Dec2011

Page 8of12

Appendix1
HAZARDIDENTIFICATION,RISKASSESSMENTANDMANAGEMENT
PROCEDUREFLOWCHART
Directoratesand
Departments
supportedwhere
appropriate,bythe
Integrated
GovernanceTeam

STEP1Recordthedetailsoftheactivity
beingassessedontheGenericRisk
AssessmentForm.Usethetoolsand
techniquesavailabletoidentifyandrecord
thekeyhazardtotheactivity,processortask
beingassessed.

STEP2Foreachhazardidentified
determinetheConsequences

RefertoGovernance
Checklists,Policiesand
Guidancetoidentifyrisks.
(Checkliststoincorporate
legislation,external
accreditationstandards,
bestpractice,etc.)
Incident,Claimsand
Complaintsdata

SeeGenericRisk
AssessmentForm

STEP3Determinethecorresponding
Likelihood(forthehighestscoring
Consequence)
STEP4DeterminetheRiskRatingand
PriorityIndicatorscore

AddtoDirectorate,Specialty,Department
GovernanceActionPlan

PerformanceManagedby
Directorate

STEP5Managetherisk

STEP6Issuesthatcant/shouldntbe
managedbytheSpecialty/Department,OR
cantbeaccepted,astheyscore10ormore

AddtoDirectorateGovernanceActionPlan
Managetherisk

PerformanceManagedby
OrganisationalRisk
Committee

STEP6Issuesthatcant/shouldntbe
managedbyDirectorateORcantbe
accepted,astheyscore15ormore

STEP7
UpdateRisk
Register

FilteredbyOrganisationalRiskCommittee
andreferredtorelevant
Committee/group/individualforaction,e.g.,
toClinicalRiskCommitteetobeaddedto
TrustGovernanceActionPlan

PerformanceManagedby
the QualityOperation
GrouporrelevantTrust
BoardCommittee

STEP6IssuesthatcantbemanagedOR
cantbeaccepted,astheyscore20ormore

Anyrisksscoring
20ormore

NUHRiskAssessmentToolV2Dec2011

RaiseattheBoard

Page 9of12

Appendix2

GENERICRISKASSESSMENT
FORM

AssessmentNo.

Campus:
Directorate:

Speciality/Department:

Location:

Assessor:

JobTitle:

Date:

Descriptionofactivity

Supportinginformation(forexample,caseofneed,explanationofactivity)

1
2
3
4
5

10

RiskScore
(HighestScore AE
xLikelihood)

Likelihood

EExternal

DServiceDelivery

Controlsinplace

CExperience

HazardIdentified

BHarm

No.

AObjectives

Hazards,ControlsandRiskAssessment
Priority
Indicator
Score
(A+B+C+
D+E)

Doesthe
control
adequately
addressthe
risk?
Yes/No

Isthecontrol
Isthecontrol
measure
Measurein
documentedand operationand
communicated?
applied
Yes/No
consistently?
Yes/No

Summaryofactiontakentodate

ActionPlanningandmonitoring(dependantuponscore)

HazardRef
No.

Actionrequired

Cost()
(Ifknown)

OfficialUseOnly
ApprovalGroup
AddedtotheRiskRegisterY/N

ByWhom

DueDate

ReviewDate

DateScoreApproved
Dateaddedtothe
Register
11

Revised
RiskScore

ConsequenceandLikelihoodMatrixAppendix3

1
Minor

2
Moderate

Objectives*/
Financial

DegreeofHarm(to
Staff,Patients,
VisitorsorMembers
ofthePublic)

Claims&Complaints/
PatientExperience/
Outcomes

ImpactonService
Delivery/Business
Interruption/
Projects

AdversePublicity/Reputation/
Inspection/Audit/Enforcement
Action

MinorimpactonTrust
objective.
AND/OR
Barelynoticeablereduction
inscopeorquality
AND/ORSmallloss.

Minorinjurynotrequiring
firstaidornoapparent
injury/adverseoutcome,
NearMiss.

VerballocallyresolvedComplaint.
Reducedqualityofpatient
experiencenotdirectlyrelatedto
thedeliveryofpatientcare Small
claims(upto25,000)

Negligibleimpact,brief
loss/interruption>1
hourofservice.
Insignificantcost
increase /schedule
slippage.<1%)

Localinterest,rumourswithinTrust.Littleeffect
uponstaffmorale.
Smallnumberofminorrecommendations,which
focusonminorqualityimprovementissues.
MinornoncompliancewithCQC

Notexpectedtooccurfor
years
Probability<1%

Temporarynoncompliance
withTrustKeyTasks*
AND/OR
Minorreductioninquality/
scope
AND/OR
Loss>0.1%ofTrust
budget

Temporary MinorInjury/
Illness/Effect.Firstaid
treatmentneeded,referral
toA&E/OH/GP

JustifiedformalCompliant.
Unsatisfactorypatientexperience
directlyrelatedtopatientcare
readilyresolvable

Localonly.Someloss/
interruptiondelaysin
serviceprovision(>8
hours)
<5%overbudget/
scheduleslippage.

Localadversepublicity,localmediacoverage,
adversepublicityfor<3days.Minoreffecton
staffmorale/publicattitudes.
Internalinquiryreportedtolocalcommittee
structure.Recommendationsmadewhichcan
beaddressedbylowlevelmanagementaction.
NoncompliancewiththeDevelopmental
requirementsofthe CQC

Expectedtooccur
annuallyintheUKor15
yearsintheTrust
Probability15%
Theeventmayonlyoccur
inexceptional
circumstances

Temporarynoncompliance
withTrustPrimary
Objective*
AND/OR
Reductioninscopeor
quality.
AND/OR
Loss>0.25%ofTrust
budget

SemipermanentInjury,
Over3dayreportable
injury.RIDDOR/Agency
reportable

Independentreview.
Mismanagementofpatientcare,
shorttermeffects(<1week)
Justifiedcomplaintinvolvinglack
ofappropriatecare.Significant
claim(upto250,000)

CriticalServiceloss/
interruption,minordelays
>1day.
510%overbudget/
scheduleslippage.

Localmediacoverage,adversepublicityfor>3
days.Significanteffectonstaffmorale/public
perceptionoforganisation.
Internalinquiryreportedtoexternalagency.
Challengingrecommendationsthatcanbe
addressedwithappropriateactionplan.
Reducedrating.
Noncompliancewithcorerequirementsofthe
CQC

Expectedtooccurat
leastannually
Probability620%
Theeventmayoccurat
sometime

NonachievementofTrusts
KeyTasks*
AND/OR
Loss>0.5%ofTrust
budget

Majorinjuries,orlong
termincapacity/
disability,MajorSpecified
Injury(RIDDOR)

OngoingNationalpublicity.
Regionalinquiry.Ombudsman.
Seriousmismanagementof
patientcare,longtermeffects
(>1week)
Multiplejustifiedcomplaints.
Multipleclaimsorsinglemajor
claim(over250,000).

CriticalServiceloss,
majorreductioninservice
>1week
1025%overbudget/
scheduleslippage.

Nationalmediacoverage,adversepublicityfor<
3days.Regionalinquiry.Severeeffectonstaff
morale,publicconfidenceinorganisation
undermined.
Enforcementaction
Lowrating/Criticalreport
Majornoncompliancewithcorerequirementsof
the CQC

Expectedtooccur
monthly
Probability2150%
Theeventwilloccurat
sometime

NonachievementofTrust
PrimaryObjective(s)*
AND/OR
Loss>1%ofTrustbudget

Deathormajor
permanentincapacity

FullNationalInquiry.Select
Committee.PublicAccounts
Committee.Totallyunsatisfactory
patientoutcomeorexperience

TotallossofCritical
Serviceorfacility.
>25%overbudget/
scheduleslippage.

National/internationalmediacoveragewith
adversepublicityfor>3days.Lossofkeystaff.
Publicinquiry/MPConcernsraisedin
Parliament.Courtenforcement.
Noncompliancewithlegalrequirement,which
mayresultinProsecution,Zerorating.
Severelycriticalreport

Expectedtooccurat
leastweekly
Probability>50%
Theeventisexpectedto
occurinmost
circumstances

Likelihood

3
Serious

4
Major

5
Catastrophic

*FORCURRENTYEAROBJECTIVESPLEASEREFERTOTHETRUSTANNUALPLAN.

12