STANDARD
OVERVIEW
This standard is principally concerned with ensuring that all NHS organisations have the basic
building blocks in place for managing risk through development and implementation of a
comprehensive risk management system.
This standard builds upon, and replaces, the original Controls Assurance core Risk
Management System standard¹. The eight criteria contained in this standard are the same as
those used by the NHS Litigation Authority for the purposes of the Risk Pooling Schemes for
Trusts (RPST). In essence, there is now only one set of consolidated risk management
standards with which NHS organisations need to comply to meet the combined requirements
of Controls Assurance and the NHSLA’s risk pooling schemes. NHS organisations that are
not obliged to meet NHSLA requirements should, nevertheless, refer to the detailed guidance
contained in the NHSLA standards (www.nhsla.com) which contain ‘deemed to satisfy’
guidance for meeting the requirements of this standard. This standard, together with the
Governance and Financial Management controls assurance standards, provides the basis for
reporting against the statutory Statement on Internal Control (SIC) as set out by HM Treasury
in DAO(GEN) 13/00 and DAO(GEN) 09/03. Requirements for reporting on internal controls
for NHS organisations in 2003/2004 were issued to the service in September 2003 under
cover of Chief Executives Bulletin No 186.
Risk management should be recognised as an integral part of good practice and should be
part of the organisation’s culture. It should be integrated into its philosophy, practices and
business plans rather than be viewed or practised as a separate programme. When this is
achieved, risk management becomes the business of everyone in the organisation.
Whilst this standard does address key issues, it does not purport to be exhaustive. Boards
should satisfy themselves that all relevant internal control and risk management requirements
incumbent upon them, including those associated with the duty of quality, are properly
identified and suitably addressed. When addressing risks to the organisation, in particular
those which the organisation deems high/extreme to the achievement of key objectives, the
risk and actions identified across other organisational controls assurance standards need to
be considered.
The design of a risk management system will be influenced and tailored by the existing
structure of the NHS body, the services provided and the processes and specific practices
employed. Employment of a specific risk management approach for all organisations is,
therefore, difficult to achieve. However, common principles can be identified and these form
the basis for the standard. These common principles in large part originate from the
¹ Although it has been replaced, organisations may, nevertheless, like to (cautiously) refer to the original
core Risk Management System standard (revision 01a, November 1999 – available at
www.controlsassurance.gov.uk and on CD-ROMs versions 3 & 4), which contains useful guidance,
much of it still pertinent to this standard.
Organisations should note that the results from this, together with those from the Governance
and Financial Management standards, contribute to an Internal Control/Controls Assurance
performance indicator for 2004. Acute/Specialist Trusts will also need to note that the Infection
Control standard continues as an indicator in 2004.
Great Britain (1979) Social Security (Claims and Payment) Regulations 1979 (as
amended) The Stationery Office, London.
http://www.hmso.gov.uk/si/si1987/Uksi_19871968_en_1.htm#end
Health & Safety Executive (2003). 'Interventions to control stress at work in hospital
staff'. HSE, London
http://www.hse.gov.uk/research/crr_htm/2002/crr02435.htm.
Health at Work Key Indicators report on accidents in the NHS
Health Services Advisory Committee (1997) Management of health and safety at work in the health
services. ISBN 0717608441 HSE Books
http://www.hsedirect.com/
Lord Chancellors Department (2001) Pre-action protocol for the resolution of clinical
disputes
http://www.lcd.gov.uk/civil/procrules_fin/contents/protocols/prot_rcd.htm
Lord Woolf’s Report (1996) Access to Justice. The Stationery Office, London.
http://www.lcd.gov.uk/civil/final/contents.htm
NHS Appointments Commission (2003) Governing the NHS : A guide for NHS
Boards. The NHS Appointments Commission, London. 32291
http://www.doh.gov.uk/governingthenhs
NHS Chief Executives Bulletin 186 (2003) Statement on Internal Control 2003/04
Department of Health, London.
http://www.doh.gov.uk/cebulletin/internalcontrol0304.htm
National Patient Safety Agency (2003) The Patient Safety Journey: Seven Steps to
Patient Safety. The National Patient Safety Agency, London.
Draft http://www.npsa.nhs.uk (expected release November 2003)
NHS Executive (1992) Risk Management in the NHS NHS Management Executive,
London.
http://www.info.doh.gov.uk/doh/rm5.nsf/b7546ce4a0608579002565c4003bf709/e362d9817a7b4a59002565d40036c450/$FILE/RISKMAN.PDF
NHS Executive (1996) Management of food hygiene and food services in the
National Health Service. HSG (96) 20. The Stationery Office, London.
NHS Executive (1998) Handling Clinical Negligence Claims HSC 1998/183. 1998
including Pre-action protocols for personal injuries and resolution of clinical disputes
NHS Executive (1999) Good Practice Guide for Convenors HSC 1999/193. 1999
http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/647156fa5101e5fa0025681900354ad7/$FILE/193HSC.PDF
NHS Executive (1999) Guidelines for Implementing Controls Assurance in the NHS:
Guidance for Directors. NHS Executive, London
http://www.info.doh.gov.uk/doh/rm5.nsf/b7546ce4a0608579002565c4003bf709/8358dc1c3591459d0025681e0051fd00?OpenDocument#Untitled%20Section
NHS Executive (2001) Governance in the New NHS: Controls Assurance Statements
2000/2001 and Establishment of the Controls Assurance Support Unit. HSC
2001/005. 2001
http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/bb904a2b6cec1f39002569fb00363f3b/$FILE/005hsc2001.pdf
Criterion 2
The organisation’s senior management has defined and documented its strategy for
managing risks, including objectives for, and its commitment to, risk management.
The risk management strategy is relevant to the organisation’s strategic context and
its goals, objectives and the nature of its business. Management ensures that the
strategy is understood, implemented and maintained at all levels of the organisation.
Criterion 3
A committee structure is in place, which supports the risk management accountability
arrangements within the organisation and ensures that all significant risks are
properly considered and communicated to the Board.
Criterion 4
An agreed process for reporting, managing, analysing and learning from adverse
incidents is in place, in accordance with NHS guidance.
Criterion 5
An agreed process for reporting, managing, analysing and learning from complaints
and claims is in place, in accordance with NHS guidance.
Criterion 6
A risk management process, based on the requirements of AS/NZS 4360:1999 and
covering all risks, is embedded throughout the organisation at all levels, including the
board, with key indicators being used to demonstrate performance. The whole
system of risk management is continuously monitored and reviewed by management
and the board in order to learn and make improvements to the system.
Criterion 7
All employees, including members of the Board, clinicians, managers, bank, locum
and agency staff, together with, where relevant, contractors and volunteers are
provided with appropriate risk management training.
Criterion 8
The board receives independent assurance(s) that a risk management system is in
place that meets the requirements of this standard.
CRITERION 1 RESPONSE %
Board level responsibility for risk management is clearly defined and there are
clear lines of individual accountability for managing risk throughout the
organisation, leading to the Board.
INFORMATION COMMENTS
Source
• Department of Health (2002). Code of
Conduct for NHS Managers
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
Guidance
Implementation of risk management programmes
at all levels, especially at the corporate level, is a
challenge for all managers. Its success will
depend largely on the support of the Chief
Executive and senior management team. Critical
to this process is the involvement of clinicians –
nursing, medical and allied health professionals.
Examples of Verification
• Risk management strategy has been
approved by the Board
• Job descriptions for executive directors and
senior managers
• Job descriptions for specialist risk
management advisers
• Risk management organisational chart
• Assurance Framework in place
• Terms of reference for the audit committee
• Minutes of the audit committee
• Terms of reference of the Board sub-
committee(s) responsible for overseeing risk
management
• Minutes of the Board sub-committee(s)
responsible for overseeing risk management
• Minutes of the Board
• Copies of correspondence or minutes of
meetings of the executive directors with
responsibility for risk management
• Audits/checks of compliance with risk
management objectives, clinical and non-
clinical
CRITERION 2 RESPONSE %
INFORMATION COMMENTS
Source
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Department of Health (2003) Building the
Assurance Framework
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
Guidance
Management of risk should be integrated into the
philosophy of an organisation. A risk management
strategy should be developed, which provides the
organisation with strategic direction.
INFORMATION COMMENTS
Assessment Tool(s) for additional guidance.
Examples of Verification
• Risk management strategy
• Minutes of the Board
• Assurance Framework in place
• List of internal and external stakeholders
• Evidence of the risk management strategy
being linked to the strategic/corporate plan
• Specialist risk management policies and
procedures
• Risk management organisational chart
• Evidence of strategy distribution to staff and
availability to other stakeholders
• Local risk management strategies
CRITERION 3 RESPONSE %
INFORMATION COMMENTS
Source
• Department of Health (2002). Code of
Conduct for NHS Managers
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
• Department of Health (2001). Audit
Committee Handbook
• Department of Health (1999) Guidelines for
Implementing Controls Assurance: Guidance
for Directors
Guidance
The full benefit of risk management will only be
achieved if there is a comprehensive and
cohesive system in place, underpinned by an
organisation-wide risk management organisational
structure.
INFORMATION COMMENTS
specialist groups report directly to it.
• The role of the Audit Committee in reviewing
and providing assurance on the systems in
place to manage risk is clearly defined.
Examples of Verification
• Risk management strategy
• Terms of reference for committees
• Risk management organisational chart
• Minutes of meetings
• Annual risk management reports
• Schemes of delegation
• Annual report
• Committee objectives
• Agendas and supporting documentation
CRITERION 4 RESPONSE %
INFORMATION COMMENTS
Source
• Department of Health. Doing Less Harm. A
consultation document. August 2001
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
• National Patient Safety Agency (2003) Seven
Steps to Patient Safety [expected November
2003]
Guidance
Incident reporting is a fundamental tool of risk
management, the aim of which is to collect
information about patient safety incidents,
including near misses and hazards, which help to
facilitate wider organisational learning.
INFORMATION COMMENTS
severity of outcome and potential future risk
to patients and/or the organisation
• A policy/procedure on incident investigation
and root cause analysis conforming to the
NPSA toolkit is in place that contains a clear
protocol to be followed.
• For serious/high-impact patient safety
incidents that could have an adverse effect
upon staff, patients or the public the
policy/procedure requires a mechanism in
place to inform the Board and the NPSA.
• All incidents are reported on a standard
form(s), which may be paper-based or
electronic, and which captures the NPSA
NRLS dataset as a minimum.
Examples of Verification
• Incident reporting policy/procedure
• Incident report form and guidelines for
completion
• Use of NPSA dataset mapped or locally
configured
• Incident investigation reports
• Trend analysis reports
• Minutes of the committee(s) responsible for
overseeing risk management
• Copies of reports to NPSA and other relevant
external bodies and stakeholders
• Induction training programmes
• Completed incident report forms
• Relevant correspondence
• Action plans and follow up reports
• Major incident policy
CRITERION 5 RESPONSE %
INFORMATION COMMENTS
Source
• Department of Health (2001) Building a safer
NHS for Patients. Implementing an
Organisation with a Memory Department of
Health, London
• Department of Health (2001) Reforming the
NHS Complaints Procedure Department of
Health, London
• Department of Health (2002) Supporting the
implementation of a Patient Advice and
Liaison Service
• Lord Chancellors Department (2001) Pre-
action protocol for the resolution of clinical
disputes
• Lord Chancellors Department (2001) Pre-
action protocol for the resolution of personal
injury claims
• NHS Executive (1996) Guidance on
Implementation of the NHS Complaints
Procedure. NHS Executive, London
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
• National Patient Safety Agency (2003) Seven
Steps to Patient Safety [expected November
2003]
Guidance
Competent handling of complaints can assist in
improving the quality of care and minimising
claims by listening to the voice of service users
and using this as an opportunity for the
organisation to learn from complainants.
Complaints and claims when examined in
conjunction with reported incidents, accidents and
near misses allow trends to be identified at both a
local and strategic level. This leads to prevention
of recurrence or more serious incidents and
complaints occurring.
• Front line staff receive training and guidance
on the complaints procedure to enable them
to deal with complaints on the spot.
• The organisation has an effective system for
the recording of formal and informal
complaints.
• Independent review panels, when they are
required, are established in full accordance
with the NHS complaints procedure.
• All reported complaints are graded according
to severity as well as potential future risk to
patients and/or to the organisation.
• A policy/procedure on complaints
investigation and root cause analysis is in
place that contains a clear protocol to be
followed
• One or more persons are charged with the
responsibility for the management and co-
ordination of claims.
Examples of Verification
• Complaints policy/procedure
• Claims handling policy/procedure
• Job descriptions
• Board reports
• Risk management (or equivalent) committee
reports
• Complaints committee reports
• Training needs analyses
• Training programmes
• Training evaluation forms
• Induction programme
• Complaints leaflets and posters
• PALS publicity leaflets and posters
• Complaints files
• Independent review reports
• Evidence of claims management training
• Quarterly claims reports from solicitors and
the NHS Litigation Authority
• Evidence of claim settlement negotiations
CRITERION 6 RESPONSE %
INFORMATION COMMENTS
Source
• NHS Chief Executive Bulletin 186 (2003)
Statement on Internal Control 2003/2004
• Department of Health (2003) Building the
Assurance Framework
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
Guidance
The organisation must be aware of its risk profile
across its entire range of activities. Specific risk
assessments will have been undertaken but in
order to prioritise action an organisation-wide
review is necessary to ensure that all exposures
are duly considered.
INFORMATION COMMENTS
into account national guidelines, is applied
throughout the organisation.
• For all risks identified as requiring treatment,
actions are determined, appropriately
recorded and implemented in order of priority
using appropriate decision-making tools (e.g.
risk ranking or cost-benefit analysis) where
relevant
• The Board is informed of and, where
necessary, consulted on all
principal/significant risks and associated risk
treatment plans on a continuous basis. Any
risk exposure should be recorded and
exposure justified. Adequate contingency
plans should be in place.
• All relevant stakeholders, including staff, are
kept informed of the management of
significant risks faced by the organisation.
• Key indicators capable of showing
improvements in management of risk and/or
providing early warning of risk are used at all
levels of the organisation, including the board,
and the efficacy and usefulness of the
indicators is reviewed regularly.
• An annual report is produced for the board to
demonstrate the risk management system’s
continuing suitability and effectiveness in
satisfying the organisation’s risk management
policy and strategy.
Examples of Verification
• Risk management strategy
• Risk identification tools
• Hazard reporting policy and forms
• Risk assessment tools and forms
• Completed risk assessments
• Risk treatment options
• Evidence of risk treatment
• Business plans
• Annual report
• Risk registers
• Minutes of committees
• Job descriptions
• Training programmes
• Action plans
• Evidence of communication with stakeholders
• Evidence of communication with staff
• Assurance Framework in place
• Monitoring and review procedure
• Performance indicators
• Evidence of monitoring and review
• Board minutes
• Patient surveys
• Incident, complaints and claims analysis
CRITERION 7 RESPONSE %
INFORMATION COMMENTS
Source
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
Guidance
This contributes to the organisation’s risk
management culture, which needs to be
embedded at all levels throughout the
organisation.
Examples of Verification
• Training needs assessment
• Training prospectus
• Local training needs assessment
• Training records
• Reports on attendance levels
• Induction programme
• Local induction procedures
• Training objectives
• Evidence of review of training objectives
• Training course evaluations
CRITERION 8 RESPONSE %
INFORMATION COMMENTS
Source
• Department of Health (2002) Assurance: The
Board Agenda
• Department of Health (2003) Building the
Assurance Framework
• NHS Chief Executive Bulletin 186 (2003)
Statement on Internal Control 2003/2004.
• NHS Executive (1999) Governance in the
New NHS. Controls Assurance Statements
1999/2000 Risk Management and
Organisational Controls. HSC 1999/123.
1999.
Guidance
Reviews by independent bodies will assist
organisations in demonstrating performance, and
also in highlighting areas that need to be
addressed. This will give the organisation
assurance that controls are working satisfactorily
and that local and national targets are being met.
A number of review bodies have direct access to
controls assurance information and reports on
performance produced by these bodies should be
given due consideration.
Examples of Verification
• Assurance Framework is in place
• Audit Committee minutes
• Internal audit report(s)
• Internal audit statement to Chief Executive
• Risk Management Committee minutes
• Clinical Governance Committee minutes