Risk Management - Enterprise-Wide Risk Management Policy and Framework - NSW Health [PDF]

Published 13 October 2015. Replaces Risk Management - Enterprise-Wide Policy and Framework - NSW Health [PD2009_039].

Policy Directive
Ministry of Health, NSW
73 Miller Street North Sydney NSW 2060
Locked Mail Bag 961 North Sydney NSW 2059
Telephone (02) 9391 9000 Fax (02) 9391 9101
http://www.health.nsw.gov.au/policies/

Risk Management - Enterprise-Wide Risk Management Policy and Framework – NSW Health

Document Number: PD2015_043
Publication date: 13-Oct-2015
Functional Sub group: Corporate Administration - Governance
Summary: This Policy Directive describes the requirements for NSW Health organisations to establish, maintain and monitor risk management practices in accord with the Australian/New Zealand Standard ISO 31000:2009, consistent with whole of Government policies.
Replaces Doc. No.: Risk Management - Enterprise-Wide Policy and Framework - NSW Health [PD2009_039]
Author Branch: Legal and Regulatory Services
Branch contact: Legal and Regulatory Services 02 9391 9654
Applies to: Local Health Districts, Board Governed Statutory Health Corporations, Chief Executive Governed Statutory Health Corporations, Specialty Network Governed Statutory Health Corporations, Affiliated Health Organisations, Public Health System Support Division, Dental Schools and Clinics, NSW Ambulance Service, Ministry of Health, Public Health Units, Public Hospitals, NSW Health Pathology, Cancer Institute (NSW)
Audience: Boards, Chief Executives, Directors, Health Service Managers, Audit and Risk Committees
Distributed to: Public Health System, NSW Ambulance Service, Ministry of Health
Review date: 13-Oct-2020
Policy Manual: Not applicable
File No.: H15/24603
Status: Active

Director-General

This Policy Directive may be varied, withdrawn or replaced at any time. Compliance with this directive is mandatory for NSW Health and is a condition of subsidy for public health organisations.

POLICY STATEMENT

ENTERPRISE-WIDE RISK MANAGEMENT

PURPOSE

Risks and being risk aware are an integral part of organisational operations, and risks must be identified and managed at the appropriate level for an organisation to be effective. Opportunities and threats should be addressed through a risk management process in order to maintain and improve performance and achieve identified objectives. NSW Health is committed to developing a risk management culture, where risk is seen as integral to the achievement of our aims at all levels of the organisation.

This Policy Directive outlines the minimum mandatory requirements for NSW Health staff in complying with risk management standards, consistent with Principle 1 and Core Requirements 1.1 and 1.2 of the NSW Treasury Policy TPP15-03.

MANDATORY REQUIREMENTS

Each Health organisation is required to implement a risk management approach in line with this Policy Directive and the attached Enterprise-Wide Risk Management Framework. In order to achieve this, health organisations must:

• Embed risk management into corporate governance, planning, financial, insurable, clinical, workforce management structures, operational service delivery, project management and support functions such as procurement and asset management
• Include risk management as a part of the strategic, operational and annual business planning activities of the organisation, its facilities and/or networks
• Have an up-to-date Risk Register in place
• Have a Risk Management Plan that identifies how the organisation will manage, record, monitor and address risk, and includes processes to escalate and report on risk to the Chief Executive, Audit and Risk Committee and Board, as appropriate
• Have in place processes to monitor and review the risk and governance system
• Consider nominating a senior executive (other than the Chief Audit Executive) to be responsible for designing the agency’s risk management framework and coordinating, maintaining and embedding the framework in an agency.

IMPLEMENTATION

Ministry of Health will:

• Champion a culture of risk awareness and monitor systemic risk across NSW Health
• Update and monitor compliance with this Policy Directive
• Identify systemic risk issues in consultation with health organisations, central agencies and accountability bodies
• Review quarterly risk register reports received from health organisations and provide regular feedback on system-wide trends

PD2015_043

Issue date: October-2015

Page 1 of 3


• Provide feedback to health organisations, based on quarterly reports received
• Monitor compliance with NSW Health annual Audit and Risk Attestation Statements
• Maintain the Ministry of Health Risk Register and formal reporting requirements.

Chief Executives will:

• Champion a risk management culture within their organisation that includes a focus on continuous improvement and identifying opportunities as well as risks
• Ensure the Risk Management Plan is implemented and the Risk Register is current
• Ensure appropriate resources are allocated to managing and monitoring risk and to implementing risk mitigation strategies identified through risk planning activities
• Allocate accountability for managing individual risks at an appropriately senior level to ensure risk mitigation strategies are implemented
• Communicate risk management requirements to management and staff
• Take appropriate action on risks reported or escalated
• Provide the Audit and Risk Committee and Board with regular reports on risks and management actions being taken to mitigate these risks
• Determine the level of management that will be delegated authority to accept risks
• Provide quarterly reports to the Ministry of Health on the organisation’s top 10 risks inclusive of all extreme risks
• Approve the annual Audit and Risk Management Attestation Statement.

Senior Managers have key responsibilities to:

• Promote risk management within their areas of responsibility, including communication of requirements to relevant staff
• Be accountable for risks and mitigating controls within their area of responsibility and take appropriate action on risks reported or escalated
• Report on changes and updates to the organisation Risk Register, including updates on risk management strategies, current risk ratings and emerging risks.

Risk Owners have key responsibilities to:

• Manage the risk, including designing, implementing and monitoring actions to address (or “risk treatments” for) a particular risk
• Assess the effectiveness of existing controls and design improvements as required
• Escalate the risk for effective management as appropriate to the level of the risk.

Organisation Board will:

• Ensure an effective risk management framework (including risk appetite and risk tolerance) is established and embedded into the clinical and corporate governance processes of the organisation
• Provide strategic oversight and monitoring of the organisation’s risk management activities and performance
• Seek information from the Chief Executive as necessary to satisfy itself that risks are being identified and mitigation strategies are in place and effective.

Audit and Risk Committees, with support of the Internal Audit function, will:

• Operate in accordance with the Committee’s Charter as approved under the Internal Audit Policy Directive (PD2010_039 or current)
• Monitor and review risk management attestation compliance and report to the Agency Head on risk management and control frameworks within the organisation
• Ensure audit plans for the organisation include appropriate consideration of risk.

REVISION HISTORY

Version: PD2015_043 (October 2015)
Approved by: Deputy Secretary, Governance, Workforce and Corporate
Amendment notes: Updated policy directive

Version: PD2009_003 (June 2009)
Approved by: Director General
Amendment notes: New policy directive

ATTACHMENTS 1. Risk Management – Enterprise-Wide Risk Management Policy and Framework – NSW Health: Procedures.


Risk Management – Enterprise-Wide Policy and Framework – NSW Health FRAMEWORK

Issue date: October 2015 PD2015_043


CONTENTS

1. BACKGROUND AND DEFINITIONS (p. 1)
1.1 Key Definitions and Concepts (p. 1)
1.2 The Australian Standard on Risk Management (p. 3)

2. KEY CONCEPTS AND OBLIGATIONS (p. 5)
2.1 What is risk and risk management? (p. 5)
2.2 Why a risk management framework? (p. 5)
2.3 How can you embed risk management within an organisation? (p. 6)
2.4 Risk Management Tools in the Framework (p. 7)
2.4.1 NSW Health Risk Categories (p. 7)
2.4.2 NSW Health Risk Matrix (p. 10)
2.4.3 Risk Rating Types (p. 12)
2.4.4 Risk Escalation (p. 12)

3. THE RISK MANAGEMENT METHODOLOGY (p. 14)
3.1 Step 1 Communication and consultation (p. 14)
3.2 Step 2 Establish the context (p. 15)
3.3 Step 3 Identify Risks (p. 15)
3.4 Step 4 Analyse Risks (p. 15)
3.5 Step 5 Evaluate Risks (p. 20)
3.6 Step 6 Treat Risks (p. 21)
3.7 Step 7 Monitor and review (p. 23)

4. RISK REGISTER AND REPORTING (p. 24)
4.1 Organisation Risk Register (p. 24)
4.2 Risk Reporting (p. 25)
4.2.1 Organisation Level Reporting (p. 25)
4.2.2 State-wide Reporting (p. 25)

5. LIST OF RISK MANAGEMENT TOOLS (Web Links) (p. 26)

6. REFERENCES (p. 27)


Enterprise-Wide Risk Management Framework FRAMEWORK

1. BACKGROUND AND DEFINITIONS

This document describes the structures and processes Health organisations are required to use to manage risks. The systematic process described here applies to all services obtained or provided internally or externally, and takes into account both clinical and non-clinical (service) reporting structures. It can be applied to any risk, regardless of severity.

TPP15-03 Internal Audit and Risk Management Policy for the NSW Public Sector, issued by NSW Treasury (“the Treasury Policy”), establishes whole of Government standards to support effective corporate governance and risk management practices across the NSW public sector. To this end the Treasury Policy sets out “Core Principles and Core Requirements”, including Risk Management. This requires organisations to establish and maintain an enterprise risk management process appropriate to their operations and adopts the Australian New Zealand Standard on Risk Management, to ensure common and generally accepted risk management terminology and processes are applied across Government. The current standards are AS/NZS ISO 31000:2009 (Risk Management – Principles and Guidelines).

NSW Health is committed to developing a risk management culture, where risk is seen as integral to the achievement of our aims at all levels of the organisation and where all staff are alert to risks, capable of an appropriate level of risk assessment and confident to report risks or opportunities perceived to be important in relation to each Health organisation’s priorities.

The Framework complements other NSW Health policy directives (such as those for incident management and workplace health and safety) and other key programs or initiatives specifically designed for the identification and management of individual incidents.

The Framework is structured in 6 parts:
Part 1 – Background and Definitions
Part 2 – Key Concepts and Obligations
Part 3 – The Risk Management Methodology
Part 4 – Risk Registers and Reporting
Part 5 – List of Risk Management Tools (web links)
Part 6 – References

1.1 Key Definitions and Concepts

The following definitions are used in this Framework:

The Australian Standard (AS/NZS ISO 31000:2009) means the Australian/New Zealand Standard and International Standard on Risk Management.

Consequence means the outcome of an event that has a positive or negative effect on objectives.


Current risk is the level of risk at a point in time. Subsequent re-assessments of the risk rating, usually made as a part of the review of the actual effectiveness of any additional controls, are referred to as the Current risk rating.

Health organisation means a Local Health District, Specialty Health Network, Statutory Health Corporation, Units of the Health Administration Corporation (including the NSW Ambulance Service, HealthShare NSW, eHealth NSW, Health Infrastructure and NSW Health Pathology), the Ministry of Health and health bodies established under their own statute, including the Cancer Institute of NSW and the NSW Institute of Psychiatry.

Initial risk is the level of risk the first time it is assessed. The term is synonymous with the term ‘Inherent Risk Rating’.

Likelihood is the chance of something happening (whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically).

Projected risk is the level of risk assessed on the assumption that additional controls (additional treatments or mitigation) are in place. The term is synonymous with the terms ‘Targeted Risk’ and ‘Residual Risk’.

Risk is the chance of something happening that will have an impact on an organisation’s objectives. The impact may be positive or negative, and risk is measured in terms of impact and likelihood. Risk is also defined in the Australian Standard as ‘the effect of uncertainty on objectives’.

Risk Management is generally understood as coordinated activities to direct and control an organisation, with regard to risk. The Australian Standard refers to risk management as including “… the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk”.

Risk owner is the officer designated as responsible for designing, implementing and monitoring actions to address (or “risk treatments” for) a particular risk.

Risk Management Plan sets out the organisation’s strategies for implementing and maintaining a robust risk management framework, including activities, resources, responsibilities and timeframes.

Risk Matrix means the NSW Health Risk Matrix, set out in Table 3 of this Policy Directive.

Risk Treatment means an action identified to address or mitigate a risk.


Stakeholder is a person or an organisation that can affect or be affected by a decision or an activity, and includes those who have the perception that a decision or an activity can affect them; stakeholders can be internal or external.

Strategic risks are sources of uncertainty that may arise from a Health organisation’s pursuit of a strategic objective, performance indicator or health system/support outcome. For example, a strategic risk might arise from substandard execution of decisions, inadequate resource allocation, a failure to respond well to changes in the business environment, or a failure to take advantage of untapped opportunities.

1.2 The Australian Standard on Risk Management

The Australian Standard has been adopted by the NSW Government to ensure consistent terminology and to guide the approach of NSW public sector agencies. The Standard is not therefore a compliance standard, but provides a generic and flexible set of principles for risk management practice that can be applied to a wide range of activities and includes:

• An outline of the benefits to an organisation for adopting a consistent, systematic and integrated approach to managing risks and opportunities
• Concepts to be adopted when designing and implementing a risk management framework
• A focus on integrating risk management into organisation culture, creating continual improvement and best practice.

How an organisation applies the Standard will depend on its size, nature, complexity and objectives, and maturity in risk management. Common features should include:

• A commitment by the executive to risk management
• A process which outlines how risks are to be managed
• A process for how risks are to be monitored and reported
• Clear accountabilities for the management of risks
• A process to review and improve on the local risk management procedure/plan.

Table 1 illustrates the relationships between the risk management principles, framework and process. Paragraph references are to the Australian Standard. The Standard forms the basis of the NSW Health Framework, as set out in the following Parts.


Table 1. Relationships between the risk management principles, framework and process (extract from AS/NZS ISO 31000: Risk management – Principles and guidelines). [Diagram not reproduced in the text extraction.]


2 KEY CONCEPTS AND OBLIGATIONS

2.1 What is risk and risk management?

Risk is the effect of uncertainty on objectives, together with the likelihood and frequency that something will occur. Risk is expressed in terms of consequence or impact (How bad will an event be if it happens?) and likelihood (How likely is it that the event will happen?). As the outcomes of operational and business activities can be uncertain, they are said to have some element of risk.

In the Health context, risks can contribute to strategic failures, operational failures, failures in quality and safety systems, financial failures, major environmental or public health incidents, deficient or ineffective plant or equipment, or failures in regulatory compliance.

Risk management involves identifying the types of risk exposure within an organisation, measuring those potential risks and proposing means to mitigate them. While it is impossible to remove all risk, it is important for organisations to understand their risks and to identify and manage the level of risk they are willing to accept in the overall context of effective operation and service provision. Risk management is essential to good management practice and effective corporate governance and ensures decisions are made with sufficient information about risks and opportunities.

2.2 Why a risk management framework?

Managing risks – identifying, assessing and controlling them – is part of everyday activity throughout the NSW public health system. By identifying risks, a Health organisation is identifying any threats or opportunities in achieving its goals and objectives, as outlined in the Service Agreement or Agency Compacts and organisation planning documents and, at a public health system level, in the State Plan NSW 2021 and the State Health Plan.

A Risk Management Framework provides a structure for a consistent risk management approach and for embedding risk management across all operations. An effective framework involves the examination of all aspects of an organisation’s functions and responsibilities in order to identify and manage opportunities and threats. This includes, for example, consideration of risk and opportunities during:

• Strategic, business, service and workforce planning
• Budget planning and monitoring
• Planning, development and implementation of new service delivery methods, programs, clinics or projects
• Planning, development, implementation and maintenance of new and existing information technology hardware and software systems


• Development and implementation of new or revised policies, procedures and guidelines
• Changes to service delivery, projects or agreed levels of activity
• Planning and implementing capital projects and programs
• Procurement and acquisitions processes.

Applying the framework helps management to make decisions that impartially and systematically consider both opportunities and threats. The framework also helps management and staff to prepare for and deal with risks in a timely manner, and the process of reviewing risks will allow new risks to be identified as they emerge.

2.3 How can you embed risk management within an organisation?

To integrate risk into everyday activities, it is essential to define responsibilities and accountabilities for staff in relation to risk management. Staff must understand what risks they are accountable for, and what activities and actions must be taken to manage those risks. Risk management must also be supported at the most senior level of the organisation, to ensure it is integrated into, and not viewed as separate from, core operational activities and to ensure accountabilities and responsibilities are clearly defined.

Some ways of embedding risk in organisation operations and achieving greater engagement of staff across the organisation are:

• Including risk management accountabilities and expectations in internal performance management systems, both informal and formal, to support a culture whereby risks and opportunities are proactively managed and learnings are shared
• Including consideration of risk in the terms of reference of significant organisation committees (e.g. committees overseeing quality and safety, infection control, disaster management) to engage them in identifying, monitoring and reviewing risks relevant to their area of oversight
• Ensuring risks identified by the organisation are allocated a “risk owner” to oversee the management of a risk. The risk owner should be sufficiently senior to properly direct and implement risk controls and assess their effectiveness. As such, while they should be knowledgeable about the risk, they will not generally be the person who implements the actions required to address the identified risk
• Ensuring local processes focus on risks being managed at as low a level as reasonably practicable, but also ensuring there are processes in place for staff to identify and escalate risks as the need arises to more senior management for consideration, review and appropriate management action and direction to be given
• Ensuring senior executives and senior management accept responsibility for promoting risk management within the organisation, designing the organisation’s risk management framework and for the day-to-day activities associated with coordinating, maintaining and embedding the framework in day to day business.


All staff are expected to manage risks in their own area, and within their capacity and delegation of authority. Risks that are beyond a staff member's capacity or delegation of authority need to be escalated to a higher level of management for review. Any subsequent mitigation should be communicated to the staff member who identified the risk. Reporting or communicating risks in this way will help to prevent errors, improve care and performance and achieve business objectives.

2.4 Risk Management Tools in the Framework

An effective risk management system requires the application of consistent processes for identifying and categorising risk. The Framework sets out four main tools in this regard in the following subsections.

2.4.1 NSW Health Risk Categories

Categorising risks supports identification of risks across all key aspects of a health organisation’s business. Categories also assist in reporting and allow comparison and assessment across the wider health system. To this end a set of NSW Health Risk Categories has been developed (Table 2), including relevant examples.

Table 2. NSW Health risk categories and examples of areas to consider within each category

Clinical Care and Patient Safety
• Clinical KPIs in organisation Service Agreement
• Access appropriate to needs and prioritised according to clinical need
• Care evaluation, clinical handover, clinical ethics, clinical pathways and variance analysis
• Clinical quality improvement and clinical practice improvement
• Decision making at end of life and mortality management
• Discharge and transfer of care and recognition and management of deteriorating patients
• Ongoing care and management of chronic disease
• Patient safety, including infection control, medication safety and response to complaints and concerns about clinicians and near miss or incident trends
• Protection of children and others who are unable to care for themselves while accessing health services
• Monitor the continuum of care and clinical performance across the State

Health of the Population
• Community health
• Disease prevention and control
• Human behaviour and demographics
• Health protection and surveillance
• Clinical strategic direction, planning, monitoring and performance of population health services across the State

Workforce
• Continuing education, learning and professional development
• Human resources performance management
• Claims (including general insurance)
• Organisational culture
• Recruitment selection, credentialing, retention and appointment, including internationally trained medical officers
• Succession planning
• Workplace relations, including grievances
• Visiting medical officers, contracts and volunteers

Communication and Information
• Hardware infrastructure (switchboards, pager systems, etc.)
• Information and data management system
• Informed consent
• Privacy and confidentiality
• Knowledge management
• Records management
• Risk communication
• Alerts
• Software
• Staff communication
• Technology and technical issues
• Release of information
• Digital Information Security, eg. electronic medical record
• Social Media

Facilities and Assets
• Assets management, including buildings, equipment, land, plant, vehicles, supplies and utilities
• Catering and food hygiene
• Preventative, repairs and maintenance
• Minor & Capital works
• Procurement

Security
• Access and controls
• Identification
• Surveillance/CCTV
• Personal threat
• Security management
• Security monitoring

Emergency Management
• Business continuity planning, management and resilience
• Infectious disease outbreaks, including emerging infectious diseases, and other biological threats
• Drinking water, pharmaceutical, food or other contamination
• Natural disasters (eg. extreme weather event)
• Man-made disasters (eg. widespread power failure, explosion)
• Chemical, radiation or hazardous material incident

Legal
• Litigation
• Commercial and legal management
• Contract management
• Intellectual property
• Regulatory Compliance

Finance
• Fraud
• Medical indemnity insurance and Treasury managed fund
• Operational budgets and financial performance requirements under Service Agreements
• Public liability
• Administration, including accommodation, payroll and transport and travel
• Commercial income
• Procurement of goods and services, maintenance and contracts management

Work Health & Safety
• Workplace health and safety
• Workers compensation and injury management
• Contractor non compliance

Environmental
• Air quality, heating, noise, lighting and radiation
• Hazardous substances and dangerous goods
• Waste management
• Cleaning services
• Infection control

Leadership and Management
• Complaints and compliments management
• Credentialing and delineation of clinical privileges
• Economic circumstances
• Effective Leadership
• Enquiries and ministerials
• External and internal auditing
• Governance structures, delegations and financial management
• Legislative compliance
• Monitoring performance
• Performance Management
• Political circumstances
• Professional development and Mentoring
• Reputation and image
• Resource accountability
• Service Agreement requirements
• Strategic and operational planning
• Succession planning

Community Expectations
• Access to services
• Consumer engagement and empowerment, and stakeholders’ expectations
• Consumer feedback, cultural and special needs, planned and delivered in partnership with patient rights and responsibilities
• The right care and services – including the protection of children – provided in the right setting within appropriate timeframes


2.4.2 NSW Health Risk Matrix

The Risk Matrix (Table 3) was developed in 2009 to support classification of risks across the public health system with specific reference to the indicia relevant to health service providers. The Matrix provides a tool to apply a severity rating to each risk, by assessing the potential consequence of the risk and its likelihood of occurring. The Risk Matrix is required to be used for assessment and management of Health organisation risks and development of organisation Risk Registers, and forms the basis for reporting at the local, Chief Executive, Board (where applicable), Audit and Risk Committee and Ministry of Health (State-wide) levels.

Rating the risk

The Consequence and Likelihood descriptors are used to determine the possible outcome if the risk were to occur, which in turn provides the overall risk rating. The ‘Risk Matrix’ should be used to determine the initial, current and projected risk ratings. In rating risks, it is important to use the matrix and follow these steps:

• Step 1 – rank the consequence
• Step 2 – rank the likelihood (probability/frequency)
• Step 3 – classify the level of risk

Step 1 – Rank the consequence: For each identified risk, determine the consequence of the event occurring (from catastrophic to minimal), using the examples contained within the NSW Health Risk Matrix as a guide.

Step 2 – Rank the likelihood (probability / frequency): For each identified risk, determine the likelihood that the event will occur.

Step 3 – Classify the level of risk: Once the consequence and likelihood of each risk have been determined, the position on the NSW Health Risk Matrix is represented alphabetically, from A to Y. The alphabetical representation highlights the risk position in relation to its consequence and likelihood, which clarifies the context of the risk position (risk rating).


NSW Health Risk Matrix

CONSEQUENCE RATINGS – examples by NSW Health risk category
(five consequence levels: Catastrophic, Major, Moderate, Minor, Minimal)

Clinical Care & Patient Safety
  Catastrophic: Unexpected multiple patient deaths unrelated to the natural course of the illness.
  Major: Unexpected patient death or permanent loss/reduction of bodily function unrelated to the natural course of the illness.
  Moderate: Unexpected temporary reduction of patient’s bodily function unrelated to the natural course of the illness which differs from the expected outcome.
  Minor: Patient’s care level has increased unrelated to the natural course of the illness.
  Minimal: First Aid provided to patient unrelated to the natural course of the illness.

Health of the Population
  Catastrophic: An increase in the prevalence of known conditions contributing to chronic diseases across the state-wide population health KPI categories currently measured by NSW Health and or an increase of more than 10% in one or more category.
  Major: Failure to materially reduce the prevalence of known conditions contributing to chronic disease across the majority of the state-wide population health KPI categories measured by NSW Health and or an increase of more than 5% up to 10% in one or more category.
  Moderate: Failure to materially reduce the prevalence of more than one of the known conditions contributing to chronic disease from the statewide population KPI categories measured by NSW Health and or an increase of more than 2% and up to 5% in one or more category.
  Minor: Failure to reduce the prevalence of one of the known conditions contributing to chronic disease from the state-wide population health KPI categories measured by NSW Health or an increase of up to 2% in one or more category.
  Minimal: A preventative Health program has not demonstrably met planned objectives but the prevalence of known condition is continuing to decrease in line with KPI targets.

Workforce
  Catastrophic: Unplanned cessation of a critical statewide program or service or multiple programs and services.
  Major: Unplanned cessation of a service or program availability within a Service Area with possible flow on to other locations.
  Moderate: Unplanned restrictions to services and programs in multiple locations or a whole hospital or community service.
  Minor: Unplanned service delivery or program delays localised to department or community service.
  Minimal: Minimal effect on service delivery.

Communication & Information / Facilities & Assets Security
  Catastrophic: Cessation of services due to loss, damage or unauthorised access to property, assets, records and information.
  Major: Prolonged service disruption or suspension of services due to the loss, damage or unauthorised access to property, assets, records and information.
  Moderate: Temporary suspension of services due to the loss, damage or unauthorised access to property, assets, records and information.
  Minor: Localised disruption to services. Minor loss, damage or unauthorised access to property, assets, records and information.
  Minimal: Minimal effect on services. No loss or damage to property, assets, records or information.

Emergency Management
  Catastrophic: State-wide system dysfunction resulting in total shutdown of service delivery or operations.
  Major: Services compromised as service providers are unable to provide effective support and other areas of NSW Health are known to be affected.
  Moderate: Disruption of a number of services within a location with possible flow on to other locations in the area.
  Minor: Some disruption within a location but manageable by altering operational routine.
  Minimal: No interruption to services.

Legal
  Catastrophic: Legal judgement, claim, non-compliance with legislation resulting in indeterminate or prolonged suspension of service delivery.
  Major: Legal judgement, claim, non-compliance with legislation resulting in medium term suspension of service delivery.
  Moderate: Legal judgement, claim, non-compliance with legislation resulting in medium term but temporary suspension to services.
  Minor: Legal judgement, claim, non-compliance with legislation resulting in short term disruption to services.
  Minimal: Legal judgement, claim or legislative change but no impact on service delivery.

Finance
  Catastrophic: More than 5% over budget NOT recoverable within the current or following financial year. Unable to pay staff or finance critical services.
  Major: Up to 5% over budget or a material overrun NOT recoverable within the current financial year. Unable to pay creditors within MOH benchmark.
  Moderate: Up to 5% over budget but recoverable within current financial year.
  Minor: Up to 1% temporarily over budget and recoverable within current financial year.
  Minimal: Less than 1% over budget. Temporary loss of or unplanned expenditure related to individual program or project but no net impact on budget.

Work Health & Safety
  Catastrophic: Multiple deaths or life threatening injuries or illness to non-patients.
  Major: Death or life threatening injury or illness causing hospitalisation of non-patients.
  Moderate: Serious harm, injury or illness causing hospitalisation or multiple medical treatment cases for non-patients.
  Minor: Minor harm, injury or illness to a non-patient where treatment or First Aid is required.
  Minimal: Harm, injury or illness not requiring immediate medical treatment.

Environmental
  Catastrophic: Permanent effect on the environment or is unlikely to recover.
  Major: Long term effect on the environment. The environment will only recover through external assistance / intervention (EPA).
  Moderate: Short term effect on the environment. Environment likely to make a full recovery through local planning and response measures.
  Minor: Minor effect on the environment. Environment to make a full recovery by routine procedures.
  Minimal: No lasting effect on the environment.

Leadership and Management / Community Expectations
  Catastrophic: Failure to meet critical priority KPIs included in the service’s performance agreement. Sustained adverse national publicity. Significant loss of public confidence, loss of reputation and/or media interest across NSW in services.
  Major: Failure to meet a significant number of priority KPIs included in the service’s performance agreement. Sustained adverse publicity at a state-wide level leading to the requirement for external intervention. Systemic and sustained loss of public support/opinion across a service.
  Moderate: Failure to meet a number of priority KPIs included in the service’s performance agreement. Increasing and broadening adverse publicity at a local level, loss of consumer confidence, escalating patient/consumer complaints. Extended loss of public support/opinion for a Facility/Service.
  Minor: Failure to meet one or more of the KPIs (excluding priority KPIs) included in the service’s performance agreement. Periodic loss of public support.
  Minimal: Minimal impact on local operations, local management review and occasional adverse local publicity.

LIKELIHOOD
  Almost certain: probability > 95% to 100%; frequency: several times a week
  Likely: probability > 70% to 95%; frequency: monthly or several times a year
  Possible: probability > 30% to 70%; frequency: once every 1 – 2 years
  Unlikely: probability > 5% to 30%; frequency: once every 2 – 5 years
  Rare: probability < 5%; frequency: greater than once every 5 years

RISK RATING (position on the matrix, likelihood by consequence)

  Likelihood        Catastrophic   Major   Moderate   Minor   Minimal
  Almost certain         A           D        J         P        S
  Likely                 B           E        K         Q        T
  Possible               C           H        M         R        W
  Unlikely               F           I        N         U        X
  Rare                   G           L        O         V        Y

ACTION REQUIRED
  Red = Extreme (A – E): Escalate to CE or Head of Health service or Secretary, MoH. A detailed action plan must be implemented to reduce risk rating with at least monthly monitoring and reporting.
  Orange = High (F – K): Escalate to Senior Management. A detailed action plan must be implemented to reduce risk rating.
  Yellow = Medium (L – T): Specify Management Accountability and Responsibility. Monitor trends and put in place improvement plans.
  Green = Low (U – Y): Manage by routine procedures. Monitor trends.

Table 3

2.4.3 Risk Rating Types

The Risk Matrix should also be used to monitor progress through allocating a risk rating to each risk. These Risk Ratings form a key element of the organisation Risk Register as follows:

Initial Risk Rating
This is the initial risk, in the absence of any controls or mitigation strategies. The Initial Risk Rating will assist in determining the importance of existing controls and the extent to which those in place are relied on to control the risk.

Current Risk Rating
Once an Initial Risk Rating is determined, identification of any existing controls in place will establish the Current Risk Rating. The Current Risk Rating will vary from time to time, depending on the effectiveness of those controls. The Current Risk Rating should be assessed regularly, as part of internal and external reporting and to check the effectiveness of control strategies or identify any further strategies which may need to be employed. Being a progressive rating of the risk, the Current Risk Rating is usually based on partial implementation of the additional controls at a point in time. It should be noted that when a new risk is identified it is possible that the Initial and Current Risk Rating will be the same, until such time as the controls/treatments identified begin to be implemented.

Projected Risk Rating
The Projected Risk Rating will reflect the Current Risk Rating after any additional mitigation strategies are put in place. The Target Risk Rating therefore reflects the expected future level of the risk if and when all treatments (including those currently in train) are successfully implemented.

2.4.4 Risk Escalation

All staff are responsible for identifying risks and reporting those risks to their managers for assessment. External stakeholders can also raise awareness of risks in health services. Once a risk has been identified, managers are responsible for assessing the risk using the NSW Health Risk Matrix. If a risk is beyond the manager’s control or delegation to effectively control or mitigate, the manager should escalate the risk to an appropriate, more senior level of management. This process should follow the governance and reporting structures that exist within the Health organisation. There is a direct link between the severity of a risk and the management level to which it should be escalated for action. The greater the risk, the more attention is required from senior management and the executive. The NSW Health risk escalator (Table 4) shows the communication flow to the appropriate authority, consistent with the NSW Health Risk Matrix.


Risk rating: Action required

Red = extreme (A – E): Escalate to Chief Executive or head of health service. Implement a detailed action plan to reduce risk rating.
Orange = high (F – K): Escalate to senior management. Implement a detailed action plan to reduce risk rating.
Yellow = medium (L – T): Specify management accountability and responsibility. Monitor trends and plan for improvement.
Green = low (U – Y): Manage by routine procedures. Monitor trends.

Table 4
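The rating procedure of 2.4.2, the three rating types of 2.4.3 and the escalation bands of Table 4 can be encoded and checked mechanically, so that a register entry is rated the same way by every reviewer. The Python below is an added example written for this edition, not code issued with PD2015_043 or by NSW Health: the letter grid, band ranges and actions are transcribed from Tables 3 and 4, while the RiskRegisterEntry structure (a subset of the Table 7 data items), its consistency checks and the sample information-security risk are constructed assumptions for illustration.

```python
"""Worked example of the NSW Health Risk Matrix (Table 3), the rating
types of section 2.4.3 and the escalation bands of Table 4.

Added illustration only, not code issued with PD2015_043. The letter grid,
band ranges and actions are transcribed from the matrix as printed; the
RiskRegisterEntry structure, its consistency checks and the sample risk
are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Column order (worst to least severe) and row order (most to least likely).
CONSEQUENCES = ["Catastrophic", "Major", "Moderate", "Minor", "Minimal"]
LIKELIHOODS = ["Almost certain", "Likely", "Possible", "Unlikely", "Rare"]

# Table 3 positions, one string per likelihood row.
MATRIX = [
    "ADJPS",  # Almost certain
    "BEKQT",  # Likely
    "CHMRW",  # Possible
    "FINUX",  # Unlikely
    "GLOVY",  # Rare
]

# Table 4: (first letter, last letter, band, action required).
BANDS = [
    ("A", "E", "Extreme", "Escalate to Chief Executive or head of health service; "
                          "implement a detailed action plan to reduce risk rating"),
    ("F", "K", "High", "Escalate to senior management; "
                       "implement a detailed action plan to reduce risk rating"),
    ("L", "T", "Medium", "Specify management accountability and responsibility; "
                         "monitor trends and plan for improvement"),
    ("U", "Y", "Low", "Manage by routine procedures; monitor trends"),
]


def rate(consequence: str, likelihood: str) -> str:
    """Steps 1-3 of 2.4.2: rank consequence and likelihood, read off the letter."""
    if consequence not in CONSEQUENCES or likelihood not in LIKELIHOODS:
        raise ValueError(f"not a matrix descriptor: {consequence!r} / {likelihood!r}")
    return MATRIX[LIKELIHOODS.index(likelihood)][CONSEQUENCES.index(consequence)]


def band(letter: str) -> tuple[str, str]:
    """Return (band name, action required) for a matrix letter A-Y."""
    for first, last, name, action in BANDS:
        if first <= letter <= last:
            return name, action
    raise ValueError(f"{letter!r} is not a matrix position")


def band_index(letter: str) -> int:
    """0 = Extreme ... 3 = Low; lets bands be compared for severity."""
    return [b[2] for b in BANDS].index(band(letter)[0])


@dataclass
class RiskRegisterEntry:
    """Subset of the Table 7 data items needed to rate and escalate a risk."""
    risk_id: str
    description: str
    risk_owner: str              # position, not name (Table 7)
    initial: tuple[str, str]     # (consequence, likelihood) with no controls
    current: tuple[str, str]     # with existing controls in place
    projected: tuple[str, str]   # once all treatments are implemented

    def ratings(self) -> dict[str, str]:
        return {
            "initial": rate(*self.initial),
            "current": rate(*self.current),
            "projected": rate(*self.projected),
        }

    def action_required(self) -> tuple[str, str]:
        """Escalation (2.4.4) is driven by the current rating."""
        return band(rate(*self.current))

    def consistency_issues(self) -> list[str]:
        """Reviewer checks constructed for this example (not from the policy):
        controls and treatments should not leave a risk in a worse band than
        the rating they are meant to reduce."""
        r = self.ratings()
        issues = []
        if band_index(r["current"]) < band_index(r["initial"]):
            issues.append("current rating is in a worse band than initial")
        if band_index(r["projected"]) < band_index(r["current"]):
            issues.append("projected rating is in a worse band than current")
        return issues


# Constructed sample risk in the matrix's "Communication & Information" category.
SAMPLE = RiskRegisterEntry(
    risk_id="EXAMPLE-001",
    description="Unauthorised access to patient records through a shared "
                "clinical workstation left logged in.",
    risk_owner="Director, Information Services",
    initial=("Major", "Possible"),     # no controls: H, High
    current=("Major", "Unlikely"),     # screen-lock policy in place: I, High
    projected=("Moderate", "Rare"),    # after per-user sign-on and audit logging: O, Medium
)

if __name__ == "__main__":
    print(SAMPLE.ratings())
    print(*SAMPLE.action_required(), sep=": ")
    print(SAMPLE.consistency_issues() or "register entry is consistent")
```

Running the file rates the sample risk H (initial), I (current) and O (projected) and prints the High-band escalation action; the consistency checks flag any entry whose current or projected rating sits in a worse band than the rating it is supposed to improve on, which is the kind of moderation a risk owner performs under section 4.1.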


3 THE RISK MANAGEMENT METHODOLOGY

The following 7 steps provide a methodology for identifying, assessing, and (where appropriate) addressing organisation risks, and for determining matters which should be recorded in the health organisation Risk Register. The methodology is based on the Australian Standard. The main elements of the methodology, set out in detail in the following paragraphs, are as follows:

Step 1 – Communication and consultation
Step 2 – Establish the context
Step 3 – Identify risks
Step 4 – Analyse risks
Step 5 – Evaluate risks
Step 6 – Treat risks
Step 7 – Monitor and review risks

(Steps 3–5 taken together are described as ‘risk assessment’.)

3.1 Step 1 Communication and consultation

Communication and consultation are continual or iterative processes undertaken to provide, share or obtain information and to engage stakeholders about the management of risk. They are vital aspects of good risk management, and should be used in each step of the risk management process. A consultative approach to the risk process will:

• Help establish the risk context appropriately
• Help ensure that the interests of stakeholders are understood and considered
• Help ensure that risks are adequately identified and defined
• Ensure a common understanding across the organisation of the risks and strategies to address them
• Bring different areas of expertise together for analysing risks
• Help ensure that different views are appropriately considered when defining risk criteria and in evaluating risks
• Secure endorsement and support for a treatment plan
• Enhance appropriate change management during the risk management process.

Some actions to take include:

• Develop a communication strategy for Enterprise-Wide Risk Management. Ensure that the strategy highlights the relevance of risk management to planning, performance, quality and safety, so that risk management becomes part of everyday business
• Review planning and reporting arrangements to ensure risk and risk management is embedded in the core business and reporting processes of the organisation.
• If a risk is assessed as having reached its projected rating, ensure that the risk is regularly monitored and reviewed, for example, by the owner of the risk or through team meetings and risk workshops.

3.2 Step 2 Establish the context

This step defines the context and scope for the organisation risk assessment. To establish the context, it is necessary to consider the strategic, organisational and risk management context in which risks will be managed. This means considering both the internal and external environment.

First, consider the following three contexts for the organisation:

Strategic – consider the relationship between the organisation and its environment including reputational risk; identify the organisation’s strengths, weaknesses, opportunities and threats; consider elements that might support or impair the organisation’s ability to successfully manage risks.

Organisational – consider the organisation and its capabilities, including goals and objectives, and the strategies in place to achieve them; align risk management with the organisation’s Service Agreement or Compact and consider NSW Health strategic and corporate plans.

Risk management – consider the goals, objectives, strategies, scope and parameters of the risk management process, including the benefits, costs and opportunities of risk management activities and the required resources.

Once the context has been considered:

Develop / use criteria for evaluating risk – use criteria in the Risk Matrix to evaluate the risk having regard to the organisation’s objectives outlined in key strategic and operational documents such as LHD/SHN Service Agreements/Agency Compacts and plans linked to system-wide and state-wide plans (such as the State Health Plan and NSW 2021).

Decide structure – decide the structure to be used to establish context, to ensure that it does not overlook any significant risks.

Questions that may assist in establishing the context include:

• What is the policy, program, process or activity?
• What are the KPIs?
• Who are the stakeholders?
• What are the major outcomes expected?
• What are the significant factors in the organisation that have an impact on this area (for example: operational, environmental, social, community expectations, and technological)?
• What were the issues identified by previous reviews?
• What is the best way of structuring risk identification?
• What risk criteria should be established?
• What are the cost and revenue considerations?


3.3 Step 3 Identify Risks

Identifying risks involves asking: “What can happen?” and “How can it happen?” To determine what can happen, it is necessary to compile a comprehensive list of events that might affect the organisation, including sources of risk and areas affected. The aim is to identify all risks, regardless of whether they are within the control of the organisation. The process needs to be systematic and structured, to ensure all potential risks have been identified and considered.

The identification of risk can be by an individual or through a structured group process, as described below in Table 5.

Table 5 – Methods for identifying risks and opportunities

Risk identification group: Examples

Structured risk and opportunity identification process: Department/Unit planning process; Risk workshops; Risk profiling; Techniques such as ‘strengths, weaknesses, opportunities, threats’ (SWOT) analysis, brainstorming, analysis of systems or scenarios

Risk identification through normal organisation activities: Team meetings; Managers forums; Briefings; Informal ad hoc meetings; Routine data collection and in-patient data sets; Stakeholder feedback

Assessment against standards: Clinical quality reviews and audits; Internal or external audits; Accreditation reviews or other external reviews; Workplace Health and Safety (WHS) and injury management (IM) profile audits; Observation; Professional judgement (from knowledge of standards)

Incident or complaint: Adverse events and incident reporting; Patient complaints; Health Care Complaints Commission; Independent Commission Against Corruption; Ombudsman; Coroners

Internal investigation processes: Root cause analysis; Conduct investigations

Generic sources of risk might include commercial and legal relationships, budgetary issues, human behaviour, clinical issues, natural events, political circumstances, technological issues or management activities. The categories of risk adopted for NSW Health are set out in Table 2. Questions that may assist in identifying risks:

• What are we trying to achieve?
• What are our KPIs or performance criteria?
• What is going to stop us from achieving our KPIs or performance?
• What could help us to achieve it and how?
• What is in our way of getting there and why?
• How likely – what impact?
• What has to be done?
• How much will / may it cost?
• When should it be done?
• How quickly do we need to respond to prevent/reduce the impact if it does go wrong / realise the opportunities?
• Who is the Risk Owner accountable for mitigation?
• What could go wrong and how could it go wrong?
• What opportunities exist and how can they be realised?
• What resources do we already have to enable our actions to succeed?
• If required, can we obtain additional resources?
• Who else (internal / external stakeholders) needs to know or be involved?

Once a risk is identified the risk needs to be described concisely, setting out what the risk is, what it is affecting, and how it impacts on objective(s). This description is important as it is where the risk story is told. It must make a reader understand the impact the risk has on the objectives. It should stand on its own, and be able to be understood by those not necessarily familiar with the background detail. This in turn ensures a common understanding across different operational and management levels as to the nature and consequences of the particular risks.


3.4 Step 4 Analyse Risks

This step involves understanding the risks requiring action, and then ranking those risks so that resources to treat risks can be allocated to those of greater priority.

Risks are analysed by combining estimates of likelihood and consequences, using the NSW Health Risk Matrix (Table 3). The aim is to understand the nature of risk, and determine the risk before treatment. Analysis can be qualitative or quantitative, or a combination of both. Questions that may assist when using the Matrix include:

• What are the potential adverse consequences (threats) of each risk if they occur?
• What is the potential likelihood (probability) or frequency of the risks happening?
• What current controls exist to prevent, detect or correct the consequences or likelihood of the risk?


3.5 Step 5 Evaluate Risks

Develop a prioritised list of risks requiring attention. When the risk has been rated, the risk level needs to be compared with the Health organisation management’s acceptable level of risk or risk tolerance. Evaluating risks involves comparing the level of risk determined at Step 4 (Risk Analysis) against predetermined criteria, to decide if a level of risk is acceptable as is (referred to as “within the tolerance level”), or action is needed to mitigate the risk (i.e. “it needs to be treated”). This requires “risk tolerance”, which simply means the risk owners review the risk information in their area of responsibility to ensure the information, assessment and actions are reasonable and whether the risk is within the tolerance level. A range of issues arise in determining at what point to classify a risk as acceptable. Appetite for taking on a particular risk will vary from one manager or clinician to another: a risk that is acceptable to one person may be unacceptable to someone else. There are also likely to be different perspectives of risk at different levels of management, from unit to department to executive level. Some key issues to consider in risk evaluation are:

• A decision must be taken on whether to accept or reject the risk, and if the latter to identify controls (see Step 6)
• Failure to make this decision means the risk has been accepted by default.
• A risk owner may decide to accept the risk with the current treatments / controls, and this is acceptable if it is within their delegation of authority.
• Organisations should nevertheless have processes in place for review and oversight of risk evaluation to ensure consistency across the organisation and consideration and acceptance of tolerance levels/evaluations at Chief Executive / Board level.


3.6 Step 6 Treat Risks

“Risk treatment” involves identifying the most appropriate actions or treatments to modify risks that are at an unacceptable level. It controls risk by developing a treatment addressing the underlying causes, and assessing how effective the treatment is. If the projected/residual risk remains unacceptable, generate an alternative treatment.

Risk treatments should be developed by, or under the direction of, a risk owner, preferably with the support of a team. Review the risk assessment (Step 4) as part of deciding risk treatment options, as well as the existing controls, to decide if they require modification, as well as considering “new” treatments. The aim is to create a balance between minimising the risk and creating potential benefits or opportunities. For example, if an extreme risk can be addressed within existing or minimal resource allocations, then treating that risk should be a priority. Options to consider include:

• Strategies to change the likelihood: implement strategies to change the likelihood of the risk occurring, either to reduce the chance of negative outcomes or increase the chance of positive outcomes
• Strategies to change the consequence: implement strategies to reduce the extent or size of negative outcomes or increase the magnitude of positive outcomes
• Taking the opportunity: consider strategies that can also exploit potential benefits while mitigating threats
• Sharing the risk: share or transfer the risk to other parties. Contracting arrangements or other arrangements with a third party can be a good option to reduce exposure to financial, asset or other risk. The risks that may arise from a third party arrangement will however also need to be assessed and addressed
• Accepting or tolerating the risk based on an informed decision: this will be appropriate where the remaining risk levels are insufficient to justify potential treatment options or where it is not possible or cost-effective to treat the projected / residual risk.
• Avoiding the risk: is it possible to avoid the risk, for instance, by not proceeding with an activity or part of the activity that could generate the risk?

Once treatments are in place, the risk rating is reviewed and a revised current risk rating recorded.

Existing Plans and Strategies

In developing risk treatments, health organisations should have regard to existing local, organisation and state-wide plans and strategies, particularly in relation to finance and budget, internal audit and fraud prevention, incident management and quality assurance, workforce and capital management. These will provide vehicles for developing and progressing up to date and appropriate responses to risks and treatments of risk, and are another means of embedding risk considerations into the day to day business of the organisation.

ALARP

When considering the right risk treatment or control, the concept of “As Low As Reasonably Practicable” (ALARP) should be considered (Table 6). ALARP is the point where the risk is negligible, or at least at a level where it can be managed by routine procedures. ALARP is the level of risk that is tolerable and cannot be reduced further without the expenditure of resources, time and effort being disproportionate to the benefit gained, or where the solution is impractical to implement.

Table 6

Risk Owners should consider establishing a risk tolerance table for the organisation, using the ALARP (as low as reasonably practicable) model as a basis.


3.7 Step 7 Monitor and Review

Regular and careful monitoring is essential to ensure the effectiveness of any risk treatment. It is an integral step in the risk management process that enables organisations to proactively identify changes in the risk profile and adjust the organisational response as required. It also enables an organisation to understand the effectiveness (impacts, benefits and costs) of implementing risk management strategies. Risk priorities and risk management plans need to be continually monitored and reviewed. This ensures that:

• The overall management plans remain relevant to the organisation and in the changing Health and government environment
• The risk treatment plans remain appropriate and effective
• The risk ratings and exposure remain current
• New risks are identified and added, including appropriate controls and treatments
• Existing risks that have been fully addressed are closed or removed from the Risk Register, with an appropriate record of the outcomes.

Questions that may assist in a risk review:

• Are the additional controls effective in minimising the risks?
• Are the additional controls comparatively efficient in minimising the risks?
• Do the performance indicators address the key elements for the additional controls?
• Can further improvements be made?


4 RISK REGISTER AND REPORTING

4.1 Organisation Risk Register

All Health organisations are to maintain a Risk Register which provides an accurate and complete record of risk assessment and management activities. The Risk Register is to be a “living document”, subject to regular review and update as risks are addressed and new risks identified, and strategies for current risks updated. An effective Risk Register should include the following core information (Table 7).

Table 7

Data Item: Data field explanation

Organisation Name: Name of Local Health District, Pillar or Division
Risk ID: Unique identifier which identifies the risk
Date Risk Created: Date Risk was created
Risk category: Relevant to the risk, using the risk categories listed in the Risk Matrix; each risk is to be categorised.
Risk Description: A description of the risk, possible causes and impacts.
Risk Owner: Risk owner by position not name (only one risk owner for each risk)
Initial Risk Assessment: Before controls or mitigating action; risk rating, as per Risk Matrix
Current Controls: Existing controls that are in place
Control Type: Type of control: Proactive/Reactive
Control Effectiveness: Level of effectiveness of current controls: Substantial/Partial/Ineffective
Current Risk Rating: Risk rating after controls
Additional Controls/Action items to mitigate risks:
  Additional Description: Identify and capture any further actions that need to be carried out to further reduce risk from “current risk rating” in order to manage the risk to an acceptable level.
  Due Date: Stipulate when the actions are due to be completed.
  Responsible Position: Risk owner by position not name responsible for implementation
Target Risk: Proposed risk rating after the implementation of mitigating actions
Trend / Risk Status: Current trend for the risk (Decreasing / Increasing / No Change); Active or Not Active

The Risk Register should include, for each risk:

• An initial risk review date within an appropriate timeframe, for example three (3) months of the date a new risk was identified
• Subsequent risk review dates which reflect local management procedure timeframes and at minimum three (3) month intervals
• Current control(s) which clearly define actions / controls that are currently in place
• Additional control(s) which clearly define actions intended to be taken and a specific officer assigned to implement each additional control
• A risk assessment to determine the level of risk rating (initial, current and projected) in accordance with the Risk Matrix
• Risk review date updated with each risk review
• Any additional comments, actions or notes relevant to mitigating the risk.

Risk Owners shall review and moderate risks within their area of responsibility and accountability at minimum three (3) monthly intervals to ensure that the assessment and actions taken are reasonable, acceptable and within the tolerance and level of delegated accountabilities and responsibilities of the risk owner.

4.2 Risk Reporting

4.2.1 Organisation Level Reporting

Risk reporting supports discussion and decision making on major risk and business priorities. The Chief Executive and/or Board should have policies in place for local reporting. The regularity and level of reporting will vary depending on the complexity and size of the organisation.

4.2.2 State-wide Reporting

Statewide Reporting to the Ministry of Health assists identification of statewide trends and issues that can inform statewide initiatives and also be reported back to the System. Information in the reports is also used as part of the Performance Framework. Health organisations are required to report quarterly on their top 10 risks (inclusive of extreme risks) and opportunities recorded in their Risk Register as follows:

• 3rd Friday of the month of April (January to March quarter)
• 3rd Friday of the month of July (April to June quarter)
• 3rd Friday of the month of October (July to September quarter)
• 3rd Friday of the month of January (October to December quarter).

The template for the Quarterly Risk Report can be found in Part 5 as a weblink in this policy directive. The Report should be approved by the Chief Executive and forwarded by the due date to the Ministry of Health via email: [email protected].


5 LIST OF RISK MANAGEMENT TOOLS (Web Links)

• NSW Health Risk Matrix http://internal.health.nsw.gov.au/cgrm/rmra/risk_management/1_risk_matrix.pdf
• NSW Health Risk Register Quarterly Report to Ministry of Health Template http://internal.health.nsw.gov.au/cgrm
• Glossary http://internal.health.nsw.gov.au/cgrm/rmra/risk_management/8_glossary.pdf
• NSW Health Enterprise Risk Management Better Practice Portal www.health.nsw.gov.au/cgrm


6 REFERENCES

NSW Health Policy Directives / Manuals:

• NSW State Health Plan – Towards 2021 http://www.health.nsw.gov.au/statehealthplan/Pages/NSW-State-Health-Plan-Towards2021.aspx
• Incident Management PD2014_004 http://www.health.nsw.gov.au/policies/pd/2014/PD2014_004.html
• Patient Safety and Clinical Quality Program http://www.health.nsw.gov.au/policies/pd/2005/pdf/PD2005_608.pdf
• Correct Patient, Correct Procedure, Correct Site http://www.health.nsw.gov.au/policies/pd/2007/pdf/PD2007_079.pdf
• Code of Conduct PD2015_035 http://www.health.nsw.gov.au/policies/pd/2015/PD2015_035.html
• Internal Audit PD2010_039 http://www.health.nsw.gov.au/policies/pd2010/PD2010_039.html
• Work, Health and Safety: Better Practice Procedures http://www.health.nsw.gov.au/policies/pd/2013/PD2013_005.html
• Work, Health and Safety – Other Workers Engagement http://www.health.nsw.gov.au/policies/gl/2013/GL2013_011.html
• Corporate Governance and Accountability Compendium for NSW Health http://www.health.nsw.gov.au/policies/manuals/Pages/corporate-governancecompendium.aspx
• Protecting People and Property - NSW Health Policy and Standards for Security Risk Management in NSW Health Agencies http://www.health.nsw.gov.au/policies/manuals/Pages/protecting-peopleproperty.aspx
• Combined Delegations Manual http://www.health.nsw.gov.au/policies/manuals/Pages/combined-delegations.aspx
• Performance Framework http://www.health.nsw.gov.au/Performance/Pages/frameworks.aspx

Other resources:

• NSW Treasury, TPP 15-03 Internal Audit and Risk Management for the NSW Public Sector, July 2015 http://www.treasury.nsw.gov.au/__data/assets/pdf_file/0020/15077/tpp1503_dnd.pdf
• NSW Treasury, TPP 12-03 Risk Management Toolkit for NSW Public Sector Agencies, 2012 http://www.treasury.nsw.gov.au/Publications/treasury_policy_papers/2012TPP/tpp_12-03/tpp_12-03_risk_management_toolkit
• AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines http://infostore.saiglobal.com/store/Details.aspx?productID=1378670


Attachment 1: Implementation Checklist

LHD/Facility:
Assessed by:
Date of Assessment:

IMPLEMENTATION REQUIREMENTS (each requirement is assessed as Not commenced, Partial compliance or Full compliance, with Notes)

1. A local risk management procedure / plan in line with the NSW Health Risk Management Policy Directive Framework is established and maintained, approved by the organisation Chief Executive.
2. The local risk management procedure / plan must outline how the organisation will identify, assess, manage and monitor risks, including a process for escalating risks and risk reports to their local Chief Executive, Audit and Risk Committee and / or governing Board (where applicable).
3. The local risk management approach is integrated into:
   3.1. local governance process for senior management meetings, boards and committees
   3.2. development or review of strategic and operational plans
   3.3. new or revised project plans or submissions
   3.4. new or revised allocation of significant resources
   3.5. review of significant issues or events
   3.6. performance reporting
   3.7. processes to review or comply with legislation and Government policy.
4. The local risk management procedure / plan has been communicated to management and staff within the organisation to make them aware of their risk management and control responsibilities.
5. A risk register for the organisation is established and maintained which contains the minimum risk information as outlined in Section (4) of this procedure.
6. Risk information recorded in the entity risk registers or in reports containing risk ratings must use and refer to the “NSW Health Risk Matrix”.
7. Risks in the organisation risk register are reviewed and moderated every quarter or when the profile of the risk changes.
8. Establish a process for monitoring and review of risks and their controls through to the organisation Board and Audit and Risk Committee.
9. Evaluate the local risk management procedure / plan using recognised audit or self-assessment tools.
10. The organisation shall attest to its level of compliance through the provisions of its Audit and Risk Management Attestation Statement each year.
