Risk Register


Corporate

Risk Register: Standard Operating Procedure


Document Control Summary

Status: New
Version: v1.0 Date: December 2015
Author/Title: Sarah Hankey - Risk & Claims Manager
Owner/Title: Liz Lockett - Associate Director of Quality & Risk
Approved by: Policy and Procedures Committee Date: 21/01/2016
Ratified: Policy and Procedures Committee Date: 21/01/2016
Related Trust Strategy and/or Strategic Aims: Risk Management Strategy
Implementation Date: February 2016
Review Date: February 2019
Key Words: Risk management, risk
Associated Policy or Standard Operating Procedures: Assurance Plan SOP

Contents

1. Introduction
2. Purpose
3. Scope
4. Process for Managing the Risk Register
5. Process for Monitoring Compliance and Effectiveness
6. References
Appendix 1 - Risk Register Flowchart
Appendix 2 - Risk Grading Tool

Page 1 of 10
Risk Register SOP/January 2016

Change Control – Amendment History

Version Dates Amendments

1. Introduction

South Staffordshire and Shropshire NHS Foundation Trust has identified priority
areas of delivery which are described in detail in the Trust Annual Report and Quality
Accounts. In order to maximise chances of successful delivery, the organisation must
review factors likely to increase or decrease chances of success and then put
processes in place to maximise the effects of the former and minimise the effects of
the latter. The factors likely to decrease the chances of success are risks.

A risk register is a prioritised log of risks faced by an organisation. It includes an
assessment of each risk: a description, as well as analysis and a summary of action
to be taken in respect of each identified risk. A risk register is used to help ensure
that appropriate action is taken to control, reduce or eliminate each risk. This policy
supports the Risk Management Strategy.

2. Purpose

This Standard Operating Procedure has been developed to ensure robust processes
in respect to the management of risk registers across the organisation.

3. Scope

A risk register is a management tool that enables an organisation, directorate and/or
team to understand their comprehensive risk profile. It is a repository for all risk
information. This repository is the hub of the internal control system, given that it
should contain the objectives, risks and controls for the whole organisation. It is
through this process that the Trust manages risk: it is the process by which the
organisation identifies, assesses and takes action to manage its risks. It is the
responsibility of all staff throughout the Trust to ensure that they fulfil their role in risk
management.


4. Process for Managing the Risk Register

4.1 Identification of Risks


It is the responsibility of all managers to identify and appropriately record any risks in
connection with their department and to report on those risks at the relevant meeting,
using the risk management process described in this document. It is important to ensure
clarity not only about how risks are reported, but also about how they are managed,
with the aims of enabling junior staff to be clear about how to raise issues where actions
go beyond their levels of authority, and ensuring senior staff are able to instigate
necessary and timely action.

Risks may be identified from a range of sources including:
• Audits (internal and external)
• Service shortfall
• Incidents and near misses
• PALS/complaints
• Claims
• Service reviews (internal and external)
• Assurance Plan
• Surveys
• Investigations (internal and external)

4.2 Definitions:
Risk
A risk is something that may impact upon the achievement of an objective or action.
Hazard
A hazard is considered anything that has the potential to cause harm.
Likelihood
Likelihood is a measure of the probability that the predicted harm, loss or damage will
occur.
Impact
Impact is a measure of the impact that the predicted harm, loss or damage would have
on the people, property or objectives affected.
Risk Score
The risk score is the combination of the likelihood and severity.
Risk Action
A risk action(s) is an action taken to remove or reduce the severity and/or likelihood of an
identified risk. A risk action can turn into a longer term control measure.
Control Measures
Control measures are the mechanisms that can be put in place to reduce the likelihood of
a risk/hazard actually happening.
Gross Risk
The risk which currently exists prior to the implementation of further actions identified
using the Risk Rating Tool at the end of this section.
Residual Risk
This is the level of risk remaining after the relevant controls have been applied by
management to the gross (or 'absolute') risk. Residual risk represents the actual level
of exposure that the organisation faces after the action description is in place.


4.3. Recording the Risk


Anyone may identify a risk. Once a risk has been identified it is the responsibility of the
person identifying the risk to discuss it with the team leader at the earliest opportunity.
The team leader should log the risk on the risk register using the Safeguard system.
Further information on how to use the risk registers on Safeguard can be found in the
Safeguard Handbook.

4.4 Allocating actions


When allocating actions on the risk it is important that the person to whom the action has
been allocated has agreed to undertake the action.

4.5 Reviewing the risk


All risks must be given a review date and the risks reviewed by this date. When a
risk is reviewed this must be recorded in the “Reviews” section of the risk and a
revised due date identified.

Teams should review their risk registers at their team meetings.


Divisions should review at their governance group all risks scoring 8 or above
on the gross risk score which:
• Have been updated
• Are new
• Are to be removed or
• Are overdue

Trust level risks are risks which score 15 or above on the gross risk score. These
risks are monitored at Trust Board level. The details of the Trust Board
responsibilities are identified within the Trust Risk Strategy.

The Trust Management Team reviews monthly the Trust level risks which:
• Have been updated
• Are new
• Are to be removed or
• Are overdue

5. Process for Monitoring Compliance and Effectiveness


Monitoring of the implementation of this Standard Operating Procedure will be through
Internal Audit processes.

6. References

• The Risk Management Process, Federation of European Risk Management
Associations (FERMA), 2005
• A Risk Management Standard, The Association of Insurance and Risk Managers
(AIRMIC), 2002
• International Organisation for Standardisation (ISO)/IEC Guide 73:2002 Risk
Management
• Risk Management Model (HSG65), Successful Health & Safety Management,
HSE Books, 1997
• Australia New Zealand Standard 4360:2004 Risk Management
• Five Steps to Risk Assessment, HSE, 2006


Appendix 1
Flow Chart for Managing Risk Registers

[Flow chart not reproduced; the text of its boxes follows.]

Main flow:
• Risk identified by individual or team
• Risk discussed at team/ward meeting - Meeting chair to place risk on risk register
• Score risk using Risk Rating Tool and complete as “add Risk” on Safeguard system
• Gross risk scores “moderate” i.e. 12 or below
• Gross risk scores “high” i.e. 15 or above
• Review at monthly Divisional Governance Forum
• Divisional Senior team agree scoring allocate Director and Committee and update in “Review” box
• Gross risk scores “high” i.e. 15 or above
• TMT agree scoring allocate Director and Committee, agree wording with lead director and update in “Review” box
• Trust Management Team review all new, updated, and overdue risks monthly
• Risk reduces to below 15
• Risk fully mitigated
• Gross risk scores “moderate” i.e. 12 or below
• Remain at Divisional level - review on review date at Divisional Governance Meeting
• Manage risk at team level or close risk on Risk register write update in “Review” box
• Risk not mitigated by review date
• Risk reduces to 12 or below
• Risk fully mitigated
• Committee reviews action plan to mitigate risk
• Close risk on Risk register write update in “Review” box

Side notes:
• Do not score at 15 or over until agreed with lead Director
• Allocated lead must agree to be lead before being allocated
• Where other divisions input is required discussion with identified leads must take place before an action is allocated to them
• Changes to scoring are the responsibility of the identified lead in consultation with the committee/team responsible
• Area or locality manager to quality assure risks on a monthly basis
• All risks reviewed quarterly at Ops Forum

N.B. “Risk fully mitigated” means that the lead is satisfied that the risk is effectively
managed.


Appendix 2

Risk Grading Tool

1. Introduction

This annex sets out the means by which risks identified across the organisation are
graded.

2. Statement of Intent

This document is intended to support the application of a common grading system to all
risks, ensuring organisational consistency for the prioritisation of required actions.

3. Scope

The same grading tool is used by South Staffordshire and Shropshire NHS
Foundation Trust for all risk processes, including risk assessment and associated
risk registers, incident and near miss reports.

4. Procedure

Risks are measured according to the following formula:

Likelihood x Impact = Risk

Likelihood

Risks are first judged on the likelihood of the risk being realised - for example, how
likely it is that someone is going to injure their back lifting heavy equipment.
Categories of likelihood available for grading, set out within the Risk Grading Matrix
(Appendix 1), are: rare, unlikely, likely, highly likely and certain.

Impact

Situations are then judged to evaluate what, if the risk were to be realised, the
severity of the outcome would most likely be. Categories of severity available for
grading, set out within the Risk Grading Matrix (Appendix 1), are: insignificant, minor,
moderate, major and catastrophic.

Risk

Based on the above judgements, use the Risk Grading Matrix (Appendix 1) to cross-
reference the selected likelihood with the selected severity and assign a risk grade,
either: Very Low, Low, Moderate or High.


Risk Treatment Options

Risks to the organisation can be:

Accepted: very low and low risks can be accepted as requiring no further action.
These are termed ‘acceptable risks’. On reviewing this type of risk it may, however,
be decided that some cost effective action would reduce the risk still further. Action
on such risks is generally a low priority.

Managed: in many cases action can be taken to change the way activities are carried
out in order to reduce the risk identified. South Staffordshire and Shropshire NHS
Foundation Trust is committed to using a systematic/holistic approach to risk
management.

Avoided: in some cases risk cannot be accepted, transferred or managed. Then the
Board may decide that a particular risk should be avoided altogether, which may
involve ceasing the activity giving rise to the risk, or not taking on a new activity.

Where risk treatment plans require significant additional funding, or changes to the
working pattern of the organisation, these decisions will be made by the Board.
Decisions with less significant implications will be taken by the Chief Executive
and/or responsible Executive Director.

Action Required According to Risk Grading

Very Low and Low risks

Most risks will be graded into these less serious categories and either require no
action or can normally be managed through local action by an appropriate person or
department as identified in the relevant Policy.

Moderate risks

Of the rest, most risks will be addressed by the responsible senior manager within
the organisation. For this type of risk an option appraisal needs to be carried out to
identify the most appropriate way of dealing with the risk, which should be added to
the appropriate team Risk Register.

High risks

A systems approach will be used to identify the root causes of the risk and thereby
help choose an appropriate risk treatment plan. All high risks i.e. those scoring 15
and above will be reported to each meeting of the Board via the Risk Register which
will approve treatment plans and monitor progress.


Risk Grading Matrix


Risk Grading:

Consider 2 aspects:
1. Likelihood of the risk
and the
2. Severity of the risk

Once you have decided upon the likelihood and severity of the risk, use the Risk
Grading Matrix to cross-reference these and determine the Risk Grade.

e.g. If you decide that the likelihood of the risk occurring is ‘Unlikely’ (2) and the
severity is ‘Major’ (4), then the Risk Grade is Moderate (8).

It is important to record how you arrive at your score, e.g. 2 x 4 = 8.

Most likely impact (if in doubt grade up, not down):

Insignificant (1)
No injury or identifiable damage.
No disruption to service or the organisation.
Financial implications are negligible.
e.g. spills of non-hazardous liquids, paper cuts

Minor (2)
Mild injury (will probably resolve in less than 1 month).
The impact would threaten the efficiency of some aspects of the organisation.
Some financial implications.
e.g. absence from work <3 days, incorrectly filed documents

Moderate (3)
Some injury (emotional, psychological or physical), ill health, damage or loss of
function likely to resolve within a few months.
Disruption to organisation could be managed.
Moderate financial implications (>£50K).
e.g. RIDDOR reportable injury, local adverse publicity, lost claim file

Major (4)
Serious injury (emotional, psychological or physical), ill health, damage or loss of
function possibly with prolonged disability.
Serious disruption to the organisation.
High financial implications (>£500K).
e.g. large section of roof falling in, national adverse publicity, computer network
failure >3 working days, prolonged time off work (>15 days), theft of claim file

Catastrophic (5)
Death or significant permanent disability.
Organisation unable to function.
Very high financial implications (>£1million).
e.g. large scale fraudulent claims management, international adverse publicity,
bomb threat, anything untoward that involves >50 people


Likelihood:

Rare (1): Cannot believe that an event of this type will occur in the foreseeable future
Unlikely (2): Unlikely that this type of event will happen
Likely (3): This type of event may well happen (e.g. 50/50 chance)
Highly Likely (4): This type of event will happen but it is not a persistent concern
Certain (5): This type of event will happen frequently

Likelihood / Impact   Insignificant (1)   Minor (2)       Moderate (3)    Major (4)       Catastrophic (5)
Rare (1)              VERY LOW (1)        VERY LOW (2)    LOW (3)         LOW (4)         LOW (5)
Unlikely (2)          VERY LOW (2)        LOW (4)         LOW (6)         MODERATE (8)    MODERATE (10)
Likely (3)            LOW (3)             LOW (6)         MODERATE (9)    MODERATE (12)   HIGH (15)
Highly Likely (4)     LOW (4)             MODERATE (8)    MODERATE (12)   HIGH (16)       HIGH (20)
Certain (5)           LOW (5)             MODERATE (10)   HIGH (15)       HIGH (20)       HIGH (25)

Action Required According to Risk Grading and Assignment of Responsibility

Risk: Very Low
Further Action: Acceptable Risk.
• Take action to reduce risk where necessary
By Whom: All employees

Risk: Low
Further Action: Acceptable Risk. As above plus:
• Consider whether any further action should be taken to reduce future risk
By Whom: Team Leaders

Risk: Moderate
Further Action: Unacceptable Risk. As above plus:
• Report to the Risk Management Committee identifying treatment options
• Quarterly report to Risk Management Committee Meeting monitoring progress
on treatment action plans
By Whom: Senior Managers

Risk: High
Further Action: Significant Risk. As above plus:
• Report to Board identifying treatment options, and periodic monitoring
• Report to each meeting of identified Board committees monitoring progress on
treatment action plans
By Whom: Identified Committee to Trust Board
