Risk Management Guidelines | ACT Health

Doc Number: DGD16-016 | Version: 1 | Issued: July 2016 | Review Date: July 2018 | Area Responsible: Internal Audit & Risk Management | Page 1 of 40

Do not refer to a paper based copy of this policy document. The most current version can be found on the ACT Health Policy Register.


DGD16-016

Risk Management Guidelines


Version 4.5 5 Jan 2015

Contents

Introduction ... 3
The Risk Management Process ... 3
  Communication and Consultation ... 4
  Establishing the context ... 4
  Identification, Analysis and Evaluation ... 5
    Identification ... 5
    Analysis ... 5
    Evaluation ... 6
  Current Controls ... 7
  Risk Treatment ... 7
  Determining Treatment Options ... 8
  Preparing and Implementing Treatment Action Plans ... 9
  Assessing Treatment Options ... 9
  Treatment Timeframe ... 10
  Completed Treatment ... 10
  Monitoring and Review ... 10
  Types of Review ... 11
Documenting Risks ... 11
  Recording & Escalating Risks ... 12
  Closing Risks ... 12
  When is a risk re-opened? ... 13
  Risk Escalation ... 13
Associated Documents ... 16
Appendix 1 ... 16
  Using the Risk Analysis Tables ... 16
    Table 1 – Consequence Definition Table ... 18
    Table 2 – Likelihood Definition Table ... 20
    Table 3 – Risk Matrix ... 21
Appendix 2 ... 22
  Organisational Risk Escalation Procedure ... 22


Introduction

Risk management is regarded by ACT Health as essential for achieving business objectives. ACT Health is committed to establishing a risk culture that demonstrates the principles of risk management through proactive and timely identification and reporting of actual and perceived risks by staff, and through consistent application of risk management protocols to manage risks across the organisation.

The ACT Health risk management protocols comply with the International Risk Management Standard AS/NZS ISO 31000:2009. The international risk management standard defines risk as “the effect of uncertainty on objectives”. Risk Management is the practice of integrating consistent, proactive strategies that enable us to minimise negative consequences and to realise opportunities to our objectives.

It is important that as an organisation, we acknowledge:

• risks to our objectives and manage them to the best of our ability within the given resources;
• the benefits of reporting risks and the effectiveness of recording the developments of risks being managed.

All risk management documents, including the policy and framework, processes, procedures and templates, are available from the toolbox on the ACT Health risk management intranet page (select Business Support from the side bar on the right > Risk Management).

The Risk Management Process

ACT Health's risk management process is made up of a number of stages, which can be seen in Figure 1. This guide steps through each stage, outlining its purpose, its importance, how to complete it, and the associated tools and templates. This guideline and the stages in the risk management process are supported by Quick Guides that offer very brief 'how to' guidance when implementing risk management.

Figure 1: AS/NZS ISO 31000:2009 Risk Management Process


Communication and Consultation

Communicate and consult with relevant internal and external stakeholders at each stage of the risk management process. Consultation ensures that all stakeholders:

• understand the risk(s);
• work collaboratively to prevent or reduce consequences of the risk;
• ensure treatments do not have an inadvertent negative impact on other areas.

A cooperative approach with other areas may also assist in identifying common or similar risks and in offering a collaborative approach to managing a common risk.

Establishing the context

Establishing the context takes into consideration the circumstances in which the team, group, division or organisation as a whole is operating.

Things to consider may be:

The internal context –
• What objective is to be achieved?
• How does the objective influence your team / project / program?
• How are you planning to achieve it?
• At what tier should the objective be achieved?
• When should it be finished?
• What resources are available? and
• What other limitations exist?

The external context –
• Who may be influenced; how and why?
• How do the objectives influence the division, ACT Health, the public and other stakeholders?


Identification, Analysis and Evaluation

Identification

Risk identification is the process of identifying where, when, why, and how events could prevent, degrade, delay or enhance the achievement of objectives.

To ensure the most comprehensive identification and definition of risks, staff should:

• be well informed about the business objectives, relevant policies, project documentation or process;
• take an integrated approach by considering all categories of risk and impacts on all parts of ACT Health;
• identify each risk to each objective separately to ensure that a comprehensive list is developed of all sources of risk and events that may have an impact on the achievement of the objectives in the set context.

When you are identifying risks, the initial lists may be very long. Make these draft lists as comprehensive as possible. Any unidentified risks can result in a major threat or unrecognised opportunities. Risks may be able to be amalgamated or aggregated as the assessment progresses.

Analysis

Risk analysis is defining and measuring the threats and opportunities to our objectives, taking into account existing controls. Risk analysis includes identification of consequences and their likelihood of happening. It is important that the ACT Health consequence and likelihood definitions (Tables 1 and 2) are always used to measure the likelihood of consequences. Each risk is likely to include several consequences that fit into different categories (People, Clinical, Financial, etc.). It is up to the objective leadership or the team to decide the primary consequence of a particular risk, usually the category where the consequence will have the biggest impact on the objective.

When identifying existing controls it is often best to review existing standards, procedures and processes that are already in place to reduce the risk. For example, there are many hazards in health and safety that are treated by legislative requirements or for which strict mitigating protocols are already mandated but are sometimes not being used or strictly adhered to.

The Risk Assessment Template (located on the Intranet under Business Processes > Risk Management) steps through each part of the risk management process (risk definition, causes, consequences, existing controls and treatments). Once the risk analysis has been completed the risk is rated and, usually at a team meeting, it is decided whether the risk poses enough of a threat to objectives to be accepted and included in the risk register.

Evaluation

Each risk is given a likelihood and consequence rating that, when plotted on the ACT Health matrix, determines the risk rating in the given context. It is essential that ACT Health consequence and likelihood definitions and ratings are used exclusively. By using uniform risk measures across the organisation, managers and executives can objectively prioritise and justify decisions regarding competing goals and responsibilities.

The likelihood and consequence definitions in these guidelines support experience, expertise and good judgement. Having a totally risk free environment is not possible or reasonable. It's normal to have to retain a degree of risk. Reasons to retain risk include:

• The level of the risk is so low that specific treatment is not appropriate within available resources;
• The cost of the treatment is so excessive compared to the benefit that acceptance is the only option; and
• The opportunities presented outweigh the threats to such an extent that the risk is justified.

It is unrealistic for managers, executives or the organisation to expect a totally risk free environment. The risk evaluation step should recognise that it is not usually possible to eliminate all risk, and should question whether the current level of risk is acceptable. If the risk is deemed:

• Acceptable: the risk can be either closed or made inactive. An inactive risk may be reviewed in the future to ensure that the level of risk has not increased and that all controls still remain effective in maintaining an acceptable level of risk.

• Not acceptable: implementation of treatments should be considered to reduce the level of risk until an acceptable level is established. The target acceptable risk rating should be realistic and achievable.

The following definitions also apply within ACT Health:

• Current level of risk: the current level of risk with all existing controls taken into consideration but before any treatment or management.
• Target level of risk: the level of risk that ACT Health would ideally like to reduce the rating to for the risk to become acceptable.

Risks are given a rating for the Current level of risk and the Target level of risk. Both these scores should be recorded in the risk register.

If the risk is such that there is no feasible treatment available it is highly recommended that risk retention considerations, justification and monitoring programs be fully documented.


The Likelihood and Consequence Tables along with the Risk Matrix can be found in Appendix 1 of this document.

Current Controls

When analysing the likelihood and consequence of a risk, it is important to take into consideration the actions already in place that lessen the likelihood and / or consequence of the risk. These actions are known as current controls.

Current controls should be reviewed regularly to ensure ongoing effectiveness and relevance. The effectiveness of the control will impact the risk’s likelihood and / or consequence.

Ineffective controls may be costing the organisation valuable resources and may result in an inaccurate rating of the risk.

Risk Treatment

Once risks have been analysed, evaluated and prioritised, we need to determine a strategy for the mitigation of each risk.


Possible treatment options are:

Avoid the risk

In some cases, a different methodology can be sought or certain projects and tasks may not go ahead due to the level of risk. This avoids the risk entirely.

Reduce the likelihood, the consequence or both

Using a different approach for a task or project may reduce how likely a risk is to eventuate or it may alter the seriousness of the consequences therefore reducing the risk.

Share the risk

This is most commonly used for financial risk, where insurance can be used to help reduce the consequence of a risk on ACT Health. It is important to remember that a risk cannot be transferred to another party. ACT Health or its teams remain ultimately accountable for achieving their objectives, not the third party.

Accept or retain the risk

It may be reasonable to accept the risk where the benefits of accepting the risk outweigh the benefits of treating the risk or where avoiding the risk is not possible and there are no alternative treatments.

It is important to keep risk treatments integrated into everyday business and not regard them as separate activities.

Determining Treatment Options

Risk treatments need to be considered through discussion with key stakeholders who will address the direct cause of the risk. The root cause of the risk needs to be determined in order to effectively mitigate the risk. Once the root cause has been established, the best and most practical treatments can be considered, preferably in consultation with stakeholders. Assessment of each treatment should include the ability to implement within available resources, likely effectiveness and efficiency.

Note: Treatment design for some areas must follow legislated requirements and may require expert advice and possibly cooperation from subject specific areas for implementation. When assessing treatment options consider:

• Reviewing, updating and retaining existing controls; and
• Developing new treatment methods with the unit objectives in mind to help mitigate the cause of risk. Consideration for these should be that they are:
  o achievable and realistic;
  o monitored and measured for effectiveness (i.e. KPIs);
  o easily understood and communicated to others, especially those who will be implementing and carrying out the treatment; and
  o resourced as required and within financial limitations.

Preparing and Implementing Treatment Action Plans

A risk treatment action plan provides the detail of what the action is intended for, including how it will be implemented, links to documentation and a clear monitoring schedule. It is important that these plans are developed in conjunction with the staff responsible for implementing the treatment, managers responsible for approving the work and relevant stakeholders.

Each treatment action should outline:

• Proposed action(s)
• Resource requirements
• Responsibilities
• Timing
• Performance measures (KPIs) and
• Review timeframes – including reporting and monitoring requirements.

Assessing Treatment Options

Selecting the most appropriate treatment option(s) involves consideration of:

• Financial cost
• Resources
• Staffing
• Benefit of the treatment and
• Whether the treatment can be applied or have an impact on other areas.

Often implementing a combination of treatment options is the most effective management option.

It is important to consider that some risks may have root causes in established processes or procedures. Treatment options should address these root causes instead of attempting to address consequences that may arise from the risk eventuating.

For example: if a procedure has not been revised in many years, a risk is that the objective, dependencies and interrelationships become unclear. Staff will not understand, implement or comply with the correct relevant procedure to achieve the desired objective.


Treatment Timeframe

Table 4 below is a guide for completing treatments. The timeframes are a guide only, as they cannot take into consideration each risk context or each risk's detail.

Table 4 – Action and Response Timeframe

Rating: Extreme
Action: For tier 1 and 2 risks, treatment should be brought to the attention of EDC. For tier 3 risks, treatment should be brought to the attention of the relevant EDs or DDGs. All possible treatments must be put in place to reduce the risk to an acceptable level as soon as reasonably practical.
Time frame: Immediate action

Rating: High
Action: Must be managed by senior management, with detailed planning, allocation of implementation responsibilities, resources and regular monitoring of progress by the relevant Risk Management Committee.
Time frame: 2 weeks

Rating: Medium
Action: Set up a treatment plan to ensure the risk is being appropriately managed. Identify management responsibility, monitor and review response action as necessary. Where the consequence is high, ensure that appropriate contingency plans are in place and working, perhaps through independent review. If the likelihood is high, ensure that day-to-day procedures make sure that appropriate management processes are in place, either through self-assessment or independent review.
Time frame: 4 weeks

Rating: Low
Action: Manage through existing processes and procedures. Set up an action plan to ensure the risk is managed appropriately.
Time frame: 8 weeks

Completed Treatment

Once treatments have been actioned, the completed treatments will stay as a 'Completed Treatment'. If the risk is re-opened within 3 years of any action, the completed treatments should continue to be recorded as completed treatments. They provide a record of the original risk and the actions that have been undertaken to treat the risk.

Treatments only become current controls if a new and different risk is opened. It is at this point that they could be added to the totally new, different risk record as a current control if they actively control part of the risk.

Monitoring and Review

Monitoring and review is a continual and essential activity in risk management. Each risk should be assigned a timeframe for regular review and monitoring to ensure risk information remains up to date and relevant, and that any treatments or controls perform as expected. It is necessary to regularly revise the likelihood and consequence rating of the risk and monitor improvements or declines in the management of the risk. Clearly documenting the review process will create a historical record that will inform others who may need to manage the same or similar risks of lessons learnt.

Types of Review

It is important that the review of the risk management plan is scheduled. Review of the risk may include:

• Scheduled and continued monitoring and review at regular team meetings. The risk, its rating and progress are discussed and documented. Where required, changes are made to the management plan, including 'closing' the risk when satisfied that the risk is reduced to a level deemed acceptable to the relevant ED or DRM Committee. Review periods are usually set in Divisional risk management protocols; a full review should occur at least every 3 months.

• Scheduled review of the whole risk or certain treatment options by the accountable or responsible person to confirm that treatments implemented are delivering the desired remedial action.

• Management review as required to ensure adequate management of risks that may impact on objectives.

• Audits or investigations that test the effectiveness of systems put in place for treating or controlling the risk.

All reviews conducted should be documented as a means of tracking the progress of treatments, re-evaluating the risk levels and detecting problems.

Documenting Risks

Risks must be adequately documented to deliver the level of detail and clarity required by all parts of the organisation and by external stakeholders. Both the risk assessment template and the risk register template are available from the toolbox on the ACT Health risk management intranet page (via Business Support, Risk Management). ACT Health executives and nominated Divisional staff members have various levels of access to the ACT Health organisational electronic risk register. Divisional Risk Management Coordinators are primarily responsible for facilitating the management of Groups' and Divisions' risk data. Access to the ACT Health organisational electronic risk register is managed by the IA&RM Branch. Access can only be granted following completion of relevant training and approval by the IA&RM Branch.


Recording & Escalating Risks

There are three main risk definition elements that should be documented. Identifying each and correctly documenting these enables a focus on objectives and actions necessary to achieve the desired objectives.

The three main elements are:

• Title – What objective will be impacted and how? (What is the risk?)
• Cause – What is the cause of impact on objectives? (What is the risk due to?)
• Consequence – What will the result be if the risk were to eventuate?

There are also a few other elements that need careful consideration given the context of the organisation for a quality risk analysis:

• Where – Where is the risk likely to occur?
• When – When is the risk likely to occur?
• Who – Who is the risk likely to affect?
• Current Controls – What is currently preventing or reducing the risk from eventuating?

Avoid the use of acronyms or technical terminology in the description of the risk as risk assessments must be clear to all parts of the organisation and to external stakeholders. External stakeholders include persons participating in legal proceedings and public scrutiny including Auditor General Reviews and Freedom of Information requests. Risk information should therefore be de-identified especially to protect individuals.

Documenting the risks clearly will help support business cases, show evidence of continual improvement, provide a record for staff to refer to in the future if the risk increases, and provide a record acknowledging recognition of the risk and evidence of management within the available resources. Keeping the risk record up to date throughout the management of the risk also ensures that the risk is not dependent on one person managing it and facilitates business continuity.

Closing Risks

In risk management, accurate and reliable records are important for ensuring that there is sufficient evidence that ACT Health's risks are being effectively and efficiently managed. It is important that the records are accurate to facilitate ongoing review, monitoring and management. Closed (or inactive) records provide a historical source of information for the future management of risks.


The importance of maintaining current and accurate risk management records remains even when a risk is no longer relevant, or where it has been sufficiently reduced.

Risks may be closed if they are no longer applicable or where they have been sufficiently reduced and the risk level is acceptable and sustainable. The decision to ‘close’ a risk should be made in line with the Divisional Risk Management Process. It is possible for a risk to be ‘re-opened’ at any point in time for further management. In some cases the risk may be closed if an objective has been changed.

When is a risk re-opened?

If the same risk, with unchanged circumstances, is identified as needing further management within 3 years of being closed, the risk may be re-opened for further treatment. New treatments should be added to the list of completed treatments. Previously completed treatments remain and DO NOT become current controls. The risk history should remain available even though additional treatment becomes necessary.

If a similar risk is identified that presents different circumstances (i.e. the risk itself is slightly different, has different causes or different consequences, different ratings etc) then a new risk should be opened. A new risk should also be opened if the previous risk was closed more than 3 years previously. This will ensure that there is an ongoing accurate record of the previously managed risks.

Risk Escalation

Across ACT Health, risks are managed across four tiers as defined in the risk management framework.

The tier system for risk management can be seen in Figure 2 together with risk management governance and jurisdictions (seen in Table 5).

Risk reviews should assess the need for risk escalation against the following criteria:

• Risks that impact several parts of the business at the current tier;
• Risks that cannot be effectively managed at the current tier; or
• High level risks that will affect core objectives at the higher tier.

Tier 4 to tier 3 and tier 3 through to tier 2 escalation processes are defined in individual Group and Divisional Risk Management Processes. Tier 2 through to tier 1 escalation is defined in the ACT Health Risk Escalation Process that is “Appendix 2” (pages 22 – 26).

Risks can be escalated to tier 3 by the team manager requesting approval in line with the Division's individual protocols. Escalation should occur in consultation with the DRMC to ensure adherence to protocols and best outcomes. Although some flexibility is permitted to cater for the different size and functions of divisions across ACT Health, generally proposed escalation is considered at the tier 3 committee meetings. Proposed risk escalation may be declined, in which case management should continue at tier 4 level.


A similar process applies for risks proposed to escalate from tier 3 to tier 2. The Division’s Executive Director is responsible for proposing escalation to the relevant Deputy Director General (DDG). Risks may be proposed by DDGs to the Executive Directors Council where risk escalation to tier 1 may be accepted and appropriate management is decided. Escalation can be declined and the risk’s management will remain at the original tier.

Figure 2 – Risk management governance, Risk Escalation tiers and jurisdictions


Table 5: Risk Management Governance in ACT Health

The above table shows how risk management governance fits within the organisational governance and applies especially when escalating risks both upwards and downwards for appropriate management.


Associated Documents

Risk Management Quick Guides:

• Risk Management Process
• Risk Management How To…
• Commonly Misunderstood Terms & Definitions
• Frequently Asked Questions (FAQ)
• Audit & Risk Management Committee (ARMC)

For a copy of the most up to date quick guides go to the Risk Management intranet site by going to Business Support > Risk Management. The quick guides are located in the Tool Kit at the bottom of the page.

Appendix 1

Using the Risk Analysis Tables

The following tables are designed to provide consistency and guidance for assessing risks in various categories. Operational knowledge and good judgement should be applied when using the tables.

Analysing (rating) the risk under ISO 31000:2009

1. It is no longer accepted practice to rate "Raw risk".

"Consequences, likelihoods and levels of risk will depend on the controls that are in place and their effectiveness." (SA/SNZ HB 89:2013)

Do not arrive at the risk level prior to treatment or inclusion of risk mitigation strategies.

The current controls must be considered before rating the risk, where a Control is a measure in place to manage risk. (ISO Guide 73:2009)

2. The consequence must be rated prior to the likelihood. "Risk is analysed by determining consequences and their likelihood." (ISO 31000:2009)

3. The consequence should be defined in its most normal form and not an extreme version of the risk.

For example, a personal injury as a result of a paper cut would result in a minor injury not requiring medical treatment. It would not, in the normal form, result in blood poisoning and death.

4. Following the process of ISO 31000:2009, there are three questions to ask:

1) What is the consequence that the risk would take in its "most normal form" (not an extreme form) should the risk occur?
2) What is the likelihood of that consequence? (How likely is the consequence to occur?)
3) How good are the existing controls at managing the risk?

5. Make an assessment as to the effectiveness of current controls:

• Adequate – doing everything we can
• Room for improvement – more that could be done
• Inadequate – controls do not treat the root cause of the risk.


Step 1 – Consequence Definition Table (see Table 1)

Identify your key business objectives and the consequences associated with your ability to achieve them. Consider all categories (i.e. People, Clinical, Financial, Reputation etc.).

Apply the most normal level of consequence, from an 'insignificant' rating through to a 'catastrophic' rating, to each consequence.

Risks normally present different categories of consequence; it is up to the risk owner to determine the most critical category that should apply.

Step 2 – Likelihood Definition Table (see Table 2)

Apply the most suitable likelihood, from 'rare' to 'almost certain', to each consequence. It is important that the measure applied reflects the context of the risk (especially the level of risk).

Use all available operational knowledge when assessing the likelihood, taking into account the context within ACT Health and previous experience.

Step 3 – Risk Matrix (see Table 3)

Plotting the likelihood of each consequence onto the Risk Matrix determines the overall rating for that consequence. Individual risks normally present several consequences that fall into different categories. It is up to the risk owner to use experience, expertise and good judgement to determine:

o the most critical category that should apply, and
o the overall risk rating.

NOTE: The qualitative and quantitative descriptions in the consequence and likelihood tables are a guideline to support experience, expertise and good judgement.


Table 1 – Consequence Definition Table

Columns: Insignificant | Minor | Moderate | Major | Catastrophic

People (Staff, Patients, Clients, Contractors, OH&S)
  Insignificant: Injuries or ailments not requiring medical treatment.
  Minor: Minor injury or first aid treatment required.
  Moderate: Serious injury causing hospitalisation or multiple medical treatment cases.
  Major: Life threatening injury or multiple serious injuries causing hospitalisation or long term treatment. A hostage situation.
  Catastrophic: Death or multiple life threatening injuries.

Clinical
  Insignificant: No injury. No review required. No increased level of care.
  Minor: Minor injury requiring review and evaluation, additional observations or first aid treatment.
  Moderate: Temporary loss of function (sensory, motor, physiologic or intellectual) unrelated to the natural course of the underlying illness and differing from the expected outcome of patient management.
  Major: Major or permanent loss of function (sensory, motor, physiological or intellectual) unrelated to the natural course of the underlying illness and differing from the expected outcome of patient management.
  Catastrophic: Patient death unrelated to the natural course of the underlying illness and/or differing from the immediate expected outcome of the patient management. All national sentinel events.

Property and Services (Business services and continuity)
  Insignificant: Minimal or no destruction or damage to property. No loss of service. Event that may have resulted in the disruption of services but did not on this occasion.
  Minor: Destruction or damage to property requiring some unbudgeted expenditure. Closure or disruption of a service for less than 4 hours, managed by alternative routine procedures. Reduced efficiency or disruption of some aspects of an essential service.
  Moderate: Destruction or damage to property requiring minor unbudgeted expenditure. Disruption to one service or department for 4 to 24 hours, managed by alternative routine procedures. Cancellation of appointments or admissions for a number of patients. Cancellation of surgery or procedure more than twice for one patient.
  Major: Destruction or damage to property requiring major unbudgeted expenditure. Major damage to services or departments affecting the whole facility, unable to be managed by alternative routine procedures. Service evacuation causing disruption of greater than 24 hours, e.g. fire/flood requiring evacuation of staff and patients/clients (no injury); or bomb threat procedure activation, potential bomb, partial or full evacuation required (+/- injury).
  Catastrophic: Destruction or damage to property requiring significant unbudgeted expenditure. Loss of an essential service resulting in shut down of a service unit or facility. Disaster plan activation.

Finance and Performance
  Insignificant: 1% of budget or <$5K
  Minor: 2.5% of budget or <$50K
  Moderate: 5% of budget or <$500K
  Major: 10% of budget or <$10M
  Catastrophic: 25% of budget or >$10M

Information / Records Management
  Insignificant: Interruption to records / data access of less than ½ day.
  Minor: Interruption to records / data access of ½ to 1 day.
  Moderate: Significant interruption (but not permanent loss) to data / records access, lasting 1 day to 1 week.
  Major: Complete loss of some ACT Health or Divisional records and / or data, or loss of access for greater than 1 week. Inappropriate storage or exposure of records, or a significant breach of confidentiality.
  Catastrophic: Complete permanent loss of all key ACT Health or Divisional/service records and data.

Business Systems and Processes
  Insignificant: Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule.
  Minor: Policy or procedural rule occasionally not met, or services do not fully meet needs.
  Moderate: One or more key accountability requirements not met. Inconvenient but not client welfare threatening.
  Major: Strategies not consistent with ACT Health and Government's agenda. Trends show service is degraded.
  Catastrophic: Critical system failure, bad policy advice or ongoing non-compliance. Business severely affected.

Reputation
  Insignificant: Internal review.
  Minor: Scrutiny required by internal committees or internal audit to prevent escalation.
  Moderate: Scrutiny required by external committees or ACT Auditor General's Office or inquest, etc.
  Major: Intense public, political and media scrutiny, e.g. front page headlines, TV stories, etc.
  Catastrophic: Assembly inquiry or Commission of inquiry or adverse national media.

Environment (broadly defined as the surroundings in which ACT Health operates, including air, water, land, natural resources, flora, fauna, humans and their interrelation)
  Insignificant: Some minor adverse effects to few species / ecosystem parts that are short term and immediately reversible.
  Minor: Slight, quickly reversible damage to few species / ecosystem parts; animals forced to change living patterns; full natural range of plants unable to grow; air quality creates local nuisance; water pollution exceeds background limits for a short period.
  Moderate: Temporary, reversible damage; loss of habitat and migration of animal population; plants unable to survive; air quality constitutes potential long term health hazard; potential for damage to aquatic life; pollution requires physical removal; land contamination localised and can be quickly remediated.
  Major: Death of individual people / animals; large scale injury; loss of keystone species and habitat destruction; air quality 'safe haven' / evacuation decision; remediation of contaminated soil only possible by long term programme, e.g. off-site toxic release requiring assistance of emergency services.
  Catastrophic: Death of people / animals in large numbers; destruction of flora species; air quality requires evacuation; permanent and wide spread land contamination, e.g. caused by toxic release on-site; chemical, biological or radiological spillage or release on-site.

Table 2 – Likelihood Definition Table

Descriptor       Probability of occurrence                   Indicative frequency (expected to occur)
Almost certain   Occurs more frequently than 1 in 10 tasks   Is expected to occur in most circumstances
Likely           1 in 10 – 100                               Will probably occur
Possible         1 in 100 – 1,000                            Might occur at some time in the future
Unlikely         1 in 1,000 – 10,000                         Could occur but doubtful
Rare             1 in 10,000 – 100,000                       May occur but only in exceptional circumstances


Table 3 - Risk Matrix

The risk matrix is used to determine the level of risk. It is derived from the Consequence and Likelihood Tables and provides a qualitative outcome (Low, Medium, High or Extreme). To derive a quantitative outcome, the scores in the outer row and column are combined to give a 'weighting', shown in brackets in each cell. The weightings run from 1 (Rare / Insignificant) to 65 (Almost Certain / Catastrophic); they are not the simple sum of the two scores, so within one level a higher weighting marks the more serious cell (e.g. Medium (12) over Medium (4)).

                     Consequence
Likelihood           Insignificant (1)   Minor (2)     Moderate (3)   Major (4)      Catastrophic (5)
Almost Certain (5)   Medium (5)          High (15)     High (20)      Extreme (35)   Extreme (65)
Likely (4)           Medium (4)          Medium (12)   High (16)      High (28)      Extreme (52)
Possible (3)         Low (3)             Medium (9)    Medium (12)    High (21)      Extreme (39)
Unlikely (2)         Low (2)             Medium (6)    Medium (8)     High (14)      High (26)
Rare (1)             Low (1)             Low (3)       Medium (4)     Medium (7)     High (13)

Adapted from Australian/New Zealand Standards AS/NZS 31000:2009 Risk Management
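The rating procedure in Steps 1 to 3 and the matrix above, worked through in code. This is an added example and not a tool from the guideline or from ACT Health: the matrix, the likelihood bands and the bracketed weightings are transcribed from Tables 1 to 3, while the function names, the sample risk, the default rule for choosing the most critical category and the handling of the band boundaries in Table 2 are assumptions. It also checks an observation about the table that the text does not state: every bracketed weighting equals the likelihood score multiplied by a per-column consequence weight of 1, 3, 4, 7 and 13.

```python
"""Rating a multi-category risk with the ACT Health consequence/likelihood matrix.

Added example; not part of the guideline. Tables are transcribed from
Appendix 1; everything else (names, sample risk, boundary handling) is assumed.
"""
from __future__ import annotations
from dataclasses import dataclass

CONSEQUENCE_SCORE = {"Insignificant": 1, "Minor": 2, "Moderate": 3,
                     "Major": 4, "Catastrophic": 5}
LIKELIHOOD_SCORE = {"Rare": 1, "Unlikely": 2, "Possible": 3,
                    "Likely": 4, "Almost Certain": 5}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}

# Table 3, keyed by likelihood score; columns run Insignificant..Catastrophic.
MATRIX_LEVEL = {
    5: ["Medium", "High", "High", "Extreme", "Extreme"],
    4: ["Medium", "Medium", "High", "High", "Extreme"],
    3: ["Low", "Medium", "Medium", "High", "Extreme"],
    2: ["Low", "Medium", "Medium", "High", "High"],
    1: ["Low", "Low", "Medium", "Medium", "High"],
}
# The bracketed weightings printed in Table 3, same layout.
MATRIX_WEIGHTING = {
    5: [5, 15, 20, 35, 65],
    4: [4, 12, 16, 28, 52],
    3: [3, 9, 12, 21, 39],
    2: [2, 6, 8, 14, 26],
    1: [1, 3, 4, 7, 13],
}
# Observation about the table (not stated in the guideline): each printed
# weighting is likelihood score x this per-column consequence weight.
CONSEQUENCE_WEIGHT = {1: 1, 2: 3, 3: 4, 4: 7, 5: 13}


def rate(consequence: str, likelihood: str) -> tuple[str, int]:
    """Step 3: plot one consequence/likelihood pair on the matrix."""
    c = CONSEQUENCE_SCORE[consequence]
    l = LIKELIHOOD_SCORE[likelihood]
    return MATRIX_LEVEL[l][c - 1], MATRIX_WEIGHTING[l][c - 1]


def weighting_table_is_consistent() -> bool:
    """Check all 25 printed weightings against likelihood x consequence weight."""
    return all(MATRIX_WEIGHTING[l][c - 1] == l * CONSEQUENCE_WEIGHT[c]
               for l in LIKELIHOOD_SCORE.values()
               for c in CONSEQUENCE_SCORE.values())


def likelihood_from_frequency(events: int, opportunities: int) -> str:
    """Step 2: map an observed rate (events per task/opportunity) to a Table 2 descriptor.

    Assumptions: 'more frequently than 1 in 10' is strictly greater; the lower
    edge of each other band is inclusive; rarer than 1 in 100,000 is 'Rare'.
    """
    if opportunities <= 0:
        raise ValueError("opportunities must be positive")
    per_task = events / opportunities
    if per_task > 1 / 10:
        return "Almost Certain"
    if per_task >= 1 / 100:
        return "Likely"
    if per_task >= 1 / 1_000:
        return "Possible"
    if per_task >= 1 / 10_000:
        return "Unlikely"
    return "Rare"


@dataclass
class ConsequenceEntry:
    category: str      # a Table 1 row, e.g. "Information / Records Management"
    consequence: str   # Table 1 column, rated in its "most normal form"
    likelihood: str    # Table 2 descriptor for that consequence


@dataclass
class Risk:
    description: str
    current_controls: list[str]   # the risk is rated WITH these in place, never "raw"
    control_effectiveness: str    # "Adequate" | "Room for improvement" | "Inadequate"
    consequences: list[ConsequenceEntry]


@dataclass
class Rating:
    critical_category: str
    level: str
    weighting: int
    per_category: dict[str, tuple[str, int]]


def rate_risk(risk: Risk) -> Rating:
    """Steps 1-3 for a risk with several consequence categories.

    The guideline leaves the most critical category to the risk owner; the
    default here is highest level, then highest weighting. Control
    effectiveness is recorded, not used to adjust the rating.
    """
    if not risk.consequences:
        raise ValueError("a risk needs at least one rated consequence")
    if not risk.current_controls:
        raise ValueError("list the current controls; raw-risk ratings are not accepted")
    per_category = {e.category: rate(e.consequence, e.likelihood)
                    for e in risk.consequences}
    critical = max(per_category,
                   key=lambda k: (LEVEL_RANK[per_category[k][0]], per_category[k][1]))
    level, weighting = per_category[critical]
    return Rating(critical, level, weighting, per_category)


# Constructed sample risk for illustration; not taken from the guideline.
SAMPLE_RISK = Risk(
    description="Unplanned loss of access to a divisional clinical records system",
    current_controls=["nightly backups", "documented downtime procedures"],
    control_effectiveness="Room for improvement",
    consequences=[
        ConsequenceEntry("Information / Records Management", "Major", "Unlikely"),
        ConsequenceEntry("Clinical", "Minor", "Possible"),
        ConsequenceEntry("Finance and Performance", "Minor", "Unlikely"),
        ConsequenceEntry("Reputation", "Moderate", "Unlikely"),
    ],
)

if __name__ == "__main__":
    r = rate_risk(SAMPLE_RISK)
    print(f"{SAMPLE_RISK.description}: {r.level} ({r.weighting}) via {r.critical_category}")
    for cat, (lvl, w) in r.per_category.items():
        print(f"  {cat}: {lvl} ({w})")
    print("weightings consistent with L x w(C):", weighting_table_is_consistent())
```

Run it directly to rate the constructed sample risk: the Information / Records category comes out High (14) and becomes the overall rating, while the three Medium categories stay on the record for the risk owner. The control list is mandatory because the guideline no longer accepts raw-risk ratings, and control effectiveness is stored beside the rating rather than folded into it, matching point 5 of Appendix 1. `likelihood_from_frequency` turns incident data such as "3 events in 500 procedures" into the Table 2 descriptor ("Possible") before the matrix is consulted.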


Appendix 2

Organisational Risk Escalation Procedure

Contents

Purpose
Scope
Procedure
Implementation
Evaluation
Related Policies, Procedures, Guidelines, Frameworks, Standards and Legislation
Definition of Terms
References
Search Terms
Attachments

Doc Number DGD16-016, Version 1, Issued July 2016, Review Date July 2018, Area Responsible: Workplace Safety


Purpose

To provide a clear, consistent procedure for ACT Health Executives and Senior Managers/Directors to escalate a Group/Divisional risk to the Tier 1 Organisational level.

Scope

The procedure applies to all groups within ACT Health. It focuses on the escalation of risks from the Group level (Tier 2) to the Organisational level (Tier 1). The procedure starts when a Group executive (DG or DDG) presents a risk for possible escalation to Organisational level. It ends when the proposed risk is either declined or accepted and, if accepted, when after treatment the risk is declared effectively managed by the Chair of the Executive Director's Council (EDC) and removed from the active (open) Organisational Risk Register (ORR). The escalation of risks from Division level (Tier 3) to Group level (Tier 2) should be managed in line with each Group's individual procedures.

Procedure

1. A Group executive (DG or DDG) proposes a risk to the Executive Director's Council (EDC), providing a full risk description, in line with the Risk Assessment Template, that explains how the risk could:

o impact on several business areas and therefore should be addressed collaboratively and uniformly; or
o present unique features and consequences that could threaten core objectives of the organisation;

and that details the need for EDC oversight and support.

Note 1: Sudden, unique occurrences may require immediate escalation and action. On these rare occasions DDGs should refer the risk to the DG for urgent escalation. Risk details and decisions made must be submitted to the subsequent EDC meeting for information and formal acceptance.

2. EDC considers the proposal to determine whether the risk should be accepted at Organisational Level.

3. If accepted, EDC appoints an Accountable Executive from among the members of EDC. The Accountable Executive is responsible for appointing the risk's Responsible Manager and for implementation of the management plan.


Note 2: If the proposal is not accepted by the EDC the procedure is finalised. The risk remains Group Level and subject to ongoing monitoring, reporting and review per Group and Divisional risk management protocols.

4. EDC Secretariat minutes considerations, discussions and determinations.

5. EDC Secretariat formally advises the Risk Management Coordinator in the Internal Audit & Risk Management team, and all other relevant persons of EDC decisions and delegations following each meeting.

6. The Accountable Executive (or delegate) will ensure ongoing update of the risk register details to record the EDC determination, risk review, treatment plan, developments, and responsibilities.

Note 3: ACT Health risk registers (RR) including the Organisational RR are managed using the electronic RiskMan risk management software module.

Note 4: The RiskMan record should provide an ongoing, up-to-date, chronological record and status of each risk.

7. The Manager, Internal Audit & Risk Management will provide status reports to EDC and to the Audit and Risk Management Committee as directed.

8. EDC oversees timely, effective implementation of actions, objectively evaluates action outcomes, reviews the risk rating and, if necessary, delegates additional improvements.

Note 5: If, after objective evaluation, the Accountable Executive is satisfied that the risk is reduced to an acceptable level a recommendation to close the risk should be made to the EDC.

Implementation

EDC Secretariat minutes EDC considerations, discussions and determinations. In addition, EDC Secretariat formally advises the Risk Management Coordinator in the Internal Audit & Risk Management team, and all other relevant persons, who are not EDC members, of EDC decisions and delegations following each meeting.

Evaluation


Outcome Measures

EDC feedback will be requested by IA&RM within six months of endorsement and updates will be implemented as necessary.

Related Policies, Procedures, Guidelines, Frameworks, Standards and Legislation

Policies Risk Management Policy DGD 15-012

Guidelines Risk Management Guidelines

Frameworks Risk Management Framework

Standards AS/NZS 31000:2009

Definition of Terms

Groups – the Director-General's Office and the Deputy Directors-General of Canberra Hospital & Health Services, Strategy & Corporate, Health Planning & Infrastructure and Population Health.

Divisional Risk Management Coordinator (DRMC) – the main point of contact within a Group, Division or Branch for risk management matters.

Quality Officers (QO) – fulfil the role of Divisional Risk Management Coordinators (DRMC) within the CHHS Group.

Risk Management Committee (RM Committee) – the Group or Division's regular executive meeting where risk management is an agenda item for regular discussion and consideration. Examples include Clinical Governance Committees, Leadership Committees and Quality & Safety.

The Divisional and Group Risk Management Coordinator responsibilities are defined in the Risk Management Policy.

References

1. Nil

Search Terms

Organisational Risk Escalation Process

Attachments


Organisational Risk Escalation Process (flow chart) – Attachment 1

Disclaimer: This document has been developed by ACT Health, IA&RM Branch specifically for its own use. Use of this document and any reliance on the information contained therein by any third party is at his or her own risk and Health Directorate assumes no responsibility whatsoever.

Date Amended   Section Amended   Approved By
20 July 2015   All               IA&R Manager

Attachment 1

Organisational Risk Escalation Process (flow chart, rendered here as text)

1. Group Executive (DG or DDG) proposes a risk to the Executive Director's Council (EDC), providing a full risk description, in line with the Risk Assessment Template, that explains how the risk could:
o impact on several business areas and therefore should be addressed collaboratively and uniformly; or
o present unique features and consequences that could threaten core objectives of the organisation;
and that details the need for EDC oversight and support.

2. EDC considers the proposal for risk escalation, reviews the completeness of information, evaluates the risk and assesses the risk at Organisational Level.

3. EDC determines whether the risk should be managed at Organisational Level.

Declines proposal to escalate risk: the process is finalised. The risk remains at Group level or is addressed as determined by EDC.

Accepts proposal to escalate risk: EDC formally accepts the proposed risk, nominates an Accountable Executive and oversees effective and timely implementation of the treatment plan.

4. Accountable Executive: regularly reviews the action plan and responsibilities, and regularly reviews effective and timely implementation of actions.

5. EDC Secretariat: comprehensively minutes considerations, discussions and determinations, and formally advises the Risk Management Coordinator (Internal Audit & Risk Management Branch) and all other relevant persons of EDC decisions and delegations.

Note: Quality Officers (QO) fulfil the role of Divisional Risk Management Coordinators (DRMC) within the CHHS Group.