Risk Management Policy And Procedure - NHS Resolution


Risk Management Policy and Procedure
CG04

Beware when using a printed version of this document. It may have been subsequently amended. Please check online for the latest version.

Applies to: All NHS Resolution employees, Non-Executive Directors, contractors, secondees and consultants.
Version: 4
Date of ORG Review: 25 September 2020
Date of SMT endorsement: 7 October 2020
Date of Audit and Risk Committee endorsement: 14 October 2020
Date of Board approval: 10 November 2020
Review date: November 2023
Author: Catherine O'Sullivan
Owner: Joanne Evans

Contents
1. Introduction
2. Aims
3. Statement of intent
4. Who this policy applies to
5. Roles and responsibilities
6. Risk appetite
7. Risk Management framework
8. Assuring implementation of this policy
9. Equality impact assessment
10. Risk Management Procedure
11. Other relevant approved documents
12. Document Control
Appendix A: Risk register guidance
Appendix B: Risk matrix and risk categories
Appendix C: Risk categories and potential sources of risk
Appendix D: Risk escalation and responsibility
Appendix E: Glossary: Common terms used in risk management

1. Introduction
1.1. This document sets out the governance structures in place to ensure that risks are managed and escalated through NHS Resolution as appropriate.
1.2. Good risk management awareness and practice at all levels is a critical success factor for an organisation such as NHS Resolution. Risk is inherent in everything that we do. NHS Resolution will ensure that decisions made on behalf of the organisation are taken with consideration to the effective management of risks.

2. Aims
2.1. The aim of this Risk Management Policy and Procedure is to provide a supportive risk management framework that ensures:
- integration of risk management into activities across the organisation as well as policy making, planning and decision making processes;
- chances of adverse incidents, risks and complaints are minimised by effective risk identification, prioritisation, treatment and management;
- a risk management framework is maintained, which provides assurance to the Board that strategic and operational risks are being managed;
- risk management is an integral part of NHS Resolution culture and encourages learning from incidents;
- risks associated with the health, safety and wellbeing of staff, fraud, project and programme management and information security are minimised; and
- employees, reputation, finances and business continuity are protected through the process of risk identification, assessment, control and mitigation.
This policy represents a dynamic approach to the management of all risks.

3. Statement of intent
3.1. The Board intends to use the risk management processes outlined within this Policy and Procedure as a means to help achieve the aims as set out in the organisational strategy as well as the business plan objectives.
All identified risks will be required to:
- be recorded with a core minimum amount of information as set out in the procedure section;
- be assessed on the likelihood of the risk being realised and the level of impact should the risk be realised; and
- have an identified risk owner and treatment owners.

4. Who this policy applies to
4.1. This policy and procedure is intended for use by all NHS Resolution employees, Non-Executive Directors, contractors, secondees and consultants who carry out duties on behalf of NHS Resolution.
4.2. This document is applicable to all strategic and operational risks that NHS Resolution could be exposed to, including information governance, programme and project risks.
4.3. Distribution Plan
- This document is available to all staff via the NHS Resolution internet and intranet sites.
- Notification of the document will be included in the all-staff bulletin, as well as through team meetings and staff induction.
4.4. Training and Support
To support the implementation and embedding of this risk management policy and procedure, NHS Resolution will ensure:
- all employees are provided with training and tools specific to their role and can work in a safe manner;
- new employees are provided with induction training and all employees are provided with updated refresher training in health and safety, incorporating: the risk management, incident reporting and risk assessment process; fire and manual handling training; and anti-fraud and bribery;
- employees and other workers have the knowledge, skills, support and access to expert advice necessary to implement the policies, procedures and guidance associated with this policy.

5. Roles and responsibilities
5.1. Each area of the business must undertake an ongoing robust assessment of risks and escalate risks through the NHS Resolution governance and escalation route, as set out in the procedure section.
5.2. It is the responsibility of all staff to maintain risk awareness, identifying and reporting risks as appropriate to their line manager and/or director.
5.3. The table below sets out the responsibilities for risk management at NHS Resolution.

Role: Risk Owner
Responsibility: A risk owner is the responsible point of contact for an identified risk, who coordinates efforts to mitigate and manage the risk with various individuals who may also own parts of the risk. The responsibilities of the risk owner are to ensure that:
- risks are identified, assessed, managed and monitored;
- risks are clearly articulated in risk registers;
- controls and treatment plans are in place to mitigate the risk to within risk appetite.

Role: NHS Resolution Board
Responsibility: Executive and non-executive directors share responsibility for the success of the organisation, including the effective management of risk and compliance with relevant legislation. In relation to risk management the Board is responsible for:
- articulating the corporate objectives and success measures for the organisation;
- protecting the reputation of the organisation;
- providing leadership on the management of risk;
- determining the risk appetite for the organisation;
- ensuring the approach to risk management is consistently applied;
- ensuring that assurances demonstrate that risk has been identified, assessed and all reasonable steps taken to manage it effectively and appropriately;
- considering any risks that are outside of appetite and the advice of ARC on remedial actions.

Role: Audit and Risk Committee (ARC)
Responsibility: Responsible on behalf of the Board for reviewing the adequacy and effectiveness of:
- all risk and control related disclosure statements (in particular the Annual Governance Statement), prior to endorsement by the Board;
- the underlying assurance processes that indicate the degree of achievement of corporate objectives and the effectiveness of the management of risks; and
- risk related documents, policies and procedures.
The Committee also:
- reviews on a regular basis the strategic and high scoring corporate risks, controls and treatment plans (including over-controls) and, in relation to those risks which are outside the risk appetite of the organisation, recommends appropriate action to the Board;
- escalates to the Board any matters of significance which require Board attention or approval.

Role: Chief Executive Officer
Responsibility: Responsible for:
- ensuring that management processes fulfil the responsibilities for risk management;
- ensuring that full support and commitment is provided and maintained in every activity relating to risk management;
- planning for adequate staffing, finances and other resources, to ensure the management of those risks which may have an adverse impact on the staff, finances or stakeholders of NHS Resolution;
- ensuring an appropriate corporate risk register is prepared and regularly updated and receives appropriate consideration; and
- ensuring that the governance statement, included in the annual report and accounts, appropriately reflects the risk management processes in operation across NHS Resolution.

Role: Director of Finance and Corporate Planning
Responsibility: The Director of Finance is the executive director and Senior Information Risk Owner (SIRO), designated as the accountable and responsible officer for implementing the system of internal control, including this Risk Management Policy. This responsibility extends to co-ordinating finance based reviews by internal audit and external agencies and action taken as a result.

Role: Senior Management Team (SMT)
Responsibility: The NHS Resolution Senior Management Team has responsibility for undertaking, on a quarterly basis, a review of the strategic and operational risk registers to ensure they are current and for reviewing implementation of treatment plans, prior to submission to the Audit and Risk Committee (ARC) on a quarterly basis. SMT will assure ARC that risks are being reported and managed appropriately at local team level by receiving reports from the Operational Review Group.

Role: NHS Resolution directors and direct reports to the CEO
Responsibility: Responsible for:
- ensuring that risks are actively managed within their business areas;
- acting as owner and action owner of individual risks;
- ensuring staff comply with all organisational policies and procedures and fulfil their responsibility for risk management by identifying, reporting, monitoring and managing risk;
- leading the management of risk by devising short, medium and long-term plans to tackle identified risk, including the production of any mitigating action plans; and
- escalation of risks from or to the operational and team risk registers, for consideration by the SMT for inclusion on the strategic risk register.

Role: Operations Risk Review Group
Responsibility: The Operations Risk Review Group is responsible for:
- reviewing NHS Resolution team and Corporate Operational risk registers, including assurance on controls and, where appropriate, the treatment plans;
- escalating risks in line with the NHS Resolution risk policy and risk procedure, including risks that require SMT discussion, such as those to which the group is unable to provide further treatment to reduce the risk score;
- reviewing risks that are common across the organisation for inclusion on the Corporate Operational risk register;
- reviewing updates on incident reporting and considering learning; and
- reviewing updates on Health and Safety mandatory training and considering actions for improvement.

Role: Information Governance Group
Responsibility: Responsible for:
- overseeing the implementation of the Information Governance programme of work to ensure NHS Resolution achieves a satisfactory rating on the Information Governance Toolkit, as directed by the NHS Resolution Senior Management Team;
- reviewing information security risks and making recommendations to address issues to the NHS Resolution Senior Management Team;
- reviewing information security risks that are common across the organisation for inclusion on the Corporate Operational risk register;
- ensuring NHS Resolution continues to meet its obligations as directed by the Cabinet Office, ICO, NHS Digital and the Department of Health; and
- reviewing updates on Information Governance mandatory training and considering actions for improvement.

Role: Corporate Governance Team (CGT)
Responsibility: The Corporate Governance Team is responsible for:
- co-ordinating all risk based reviews and treatment plans taken as a result;
- ensuring that appropriate reports are created from the Strategic, Corporate Operational and Team Risk Registers, the incident reporting database and training records, and that these are presented to SMT, the Operational Review Group and the Information Governance Group on a no less than quarterly cycle; the risk reports are to include updates on risk position, risk treatment plans and implementation, and escalated risks for SMT to consider;
- supporting SMT in submitting reports to the Audit and Risk Committee.

Role: Heads of Service/Team Leaders
Responsibility: Responsible for:
- participating (as appropriate) in the identification, assessment, planning and management of threats and opportunities;
- keeping a record of the identified risks in a risk register;
- undertaking a regular review of the risks on the risk register; and
- escalating risks as appropriate and in accordance with risk management governance and escalation as set out in the risk procedure.

Role: All Staff
Responsibility: Responsible for:
- participating (as appropriate) in the identification, assessment, planning and management of threats and opportunities;
- ensuring that they familiarise themselves and comply with the policies and procedures of NHS Resolution; and
- undertaking and/or attending mandatory and other relevant training courses.

Role: Internal Audit
Responsibility: The internal auditors are responsible for:
- agreeing (with the Audit Committee) a programme of audits which assess the exposures and adequacy of mitigation of the principal risks affecting the organisation; the priorities contained in the internal audit programme should reflect the risk evaluation set out in the Strategic Risk Register;
- ensuring the reports and advice produced inform the management of risk by directorates, although responsibility remains with the relevant risk owners.

6. Risk appetite
6.1. ISO 31000 states that risk appetite is the amount and type of risk that an organisation is prepared to seek, accept or tolerate in pursuit of its objectives.
6.2. The Board has developed a risk appetite statement which forms part of NHS Resolution's overall risk management strategy and will guide staff in their actions and ability to accept and manage risks.
6.3. The statement is reviewed at least annually by the Board.

7. Risk Management framework
7.1. The organisational structure is supported by the Risk Management Framework. This enables NHS Resolution to monitor and address the strategic risks that would prevent the organisation achieving its strategic aims and business plan objectives. It sets out the controls (or ways the risks are being mitigated) and the sources of assurance that those controls are effective, as well as the treatment plans for those risks that require action to bring them within risk appetite where possible.
7.2. Risks are linked to objectives and strategic aims, which exist at different levels:
7.2.1. Strategic risks: risks that affect NHS Resolution's ability to deliver the strategy or function as an organisation as a whole;
7.2.2. Corporate Operational risks: risks that affect the delivery of NHS Resolution's business plan, or common team risks that require a corporate response;
7.2.3. Team risks: risks that are related to the delivery of departmental operations and objectives;
7.2.4. Programmes and their project outcomes: risks associated with, usually, time-limited activities and medium- to long-term delivery of benefits.
7.3. NHS Resolution maintains strategic, corporate operational and local team risk registers. These registers record non-project risks.
7.4. All project risks will be managed through the appropriate project boards, with reporting and escalation through the change management governance process.

8. Assuring implementation of this policy
8.1. The Corporate Governance Team will be responsible for assuring the implementation of the policy and procedure. This will be through discussions with Directors, Deputy Directors and Heads of Service to consider the risk management processes and risk registers from their business areas on a quarterly basis.
8.2. The outcomes of the reviews will be reported to the Senior Management Team, Information Governance Group and Operations Risk Review Group for consideration and, where required, further action taken to improve embedding risk management at NHS Resolution.
8.3. Internal audit will conduct audits as required to provide an independent assessment of the design of the risk management policy, processes and procedures and the extent to which they are applied across the organisation. The recommendations of the review will be reported to SMT and the Audit and Risk Committee.

8.4. The Audit and Risk Committee oversees the establishment and maintenance of an effective system of assurance on risk management through approval of the risk management policy, regular reporting on the management of strategic and other risks, and progress updates against audit recommendations.

9. Equality impact assessment
As part of its development, this policy and its impact on equality have been reviewed in consultation with trade union and other employee representatives, in line with NHS Resolution's Equal Opportunities Policy and the public sector equality duty. The purpose of the assessment is to minimise and if possible remove any disproportionate impact on employees and service users in relation to the protected characteristics: race, sex, disability, age, sexual orientation, religious or other belief, marriage and civil partnership, gender reassignment, and pregnancy and maternity. No detriment was identified.

10. Risk Management Procedure
Risk management is central to the strategic management of NHS Resolution. It provides a systematic process for identifying risks attached to new and current business activities. The following sections describe the steps of the risk process: identifying, assessing and managing risks.

10.1. Identify: Risk identification
When identifying a risk, consideration should be given to what could pose a potential threat (or opportunity) to the assets of the organisation. Assets can be considered as:
- information assets, as identified on the asset register;
- business processes, objectives and KPIs;
- our staff.
Risks, incidents and issues can often get confused, and a useful way of remembering the difference is:
- Risks are things that might happen and stop us achieving objectives, or otherwise impact on the success of the organisation.
- Incidents/issues are things that have happened, were not planned and require management action; they must be reported as appropriate and, where required, in line with the Incident Reporting Policy and Procedure.
Once identified, the risk needs to be described clearly to ensure the risk is understood. Once identified and described, the risk should be added to the risk register and scored. Guidance on how to write a risk so as to identify the cause, the event and the effect can be found in Appendix A.

Recording risks: the risk register
The risk register provides a framework in which risks that may be a threat (or opportunity) to the achievement of objectives are to be recorded. NHS Resolution has in place registers for team, corporate operational and strategic risks.
The team and corporate operational risk registers must contain:
- Risk ID
- Date raised
- Business area
- Risk category
- Risk type
- Raised by
- Risk title
- Risk description
- Risk owner
- Inherent risk
- Key controls
- Current risk
- Risk response
- Treatment plan
- Treatment owner
- Date by
- Target risk
Guidance for completing the risk register can be found at Appendix A.

10.2. Assess and evaluate: Risk assessment and evaluation
A risk assessment is a qualitative or quantitative evaluation of the nature and magnitude of the risk. The assessment is completed by scoring the likelihood of the risk occurring and the impact should it occur. Appendix B sets out NHS Resolution's scoring matrices, which are based on a scale of 1 to 5, and the risk rating matrix which gives the score a RAG status.
The risk evaluation involves making a decision about what should be done with the risk. It includes determining appropriate controls and/or treatments for the risk, and what level of risk can be tolerated within the organisation's risk appetite.
- A Control is an existing strategy or process currently in place, such as systems, policies, procedures, standard business processes and practices.
- A Treatment is an additional strategy/activity we need to develop and implement should the risk level be unacceptable after controls are applied.
Following the evaluation, a decision is taken on what to do with the risk; this is the risk response:

Risk response
- Terminate: where an activity or system gives rise to significant risk to NHS Resolution, the activity will be carried out differently or ended, so that the risk is no longer relevant.
- Tolerate: where it is considered that nothing more can be done at a reasonable cost to reduce the risk, or the risk is low.
- Treat: where action can be taken to reduce the impact or the likelihood of the risk identified.
- Transfer: NHS Resolution is a member of the Liabilities to Third Parties Scheme and the Property Expenses Scheme administered by NHS Resolution. This membership transfers some financial risk to these risk pooling schemes.

10.3. Plan: Treatment plan
Where it has been considered that the risk requires further action to reduce the likelihood and/or impact of a threat, or to maximise the likelihood of opportunities, a risk treatment plan should be devised.
The treatment plan must have an owner; it should be specific to the risk and SMART (specific, measurable, attainable, relevant and time bound) to evidence how the risk score can be reduced.

10.4. Monitor and review
The implementation of the risk treatment plan must be kept under review, along with the risk score, to measure its effectiveness; if the treatment is not reducing the risk, a new treatment plan should be considered.
Once a treatment plan has been implemented, the risk will be re-assessed and re-scored, and that treatment plan will become a control.
Reviews of the risk registers and the treatment plans will be carried out in discussion with Directors and Heads of Service, as well as at the Information Governance and Operational Review Groups. Escalated risks and their associated treatments will be reported to and reviewed by the Senior Management Team at least quarterly.

10.5. Report and escalate
Reporting
The Corporate Operational and Strategic risk registers are an integral part of the system of internal control and define the highest priority risks which may impact on NHS Resolution's ability to deliver its objectives.
SMT will receive updates on the team risk registers through sub-group reports and Director updates, and will review the corporate operational and strategic risk registers at least quarterly.
The Strategic risk register and reports from the Corporate Operational risk register enable the Board and the Audit and Risk Committee to be assured of the management of the risks.
SMT, with support from the Corporate Governance Team, will manage the Strategic and Corporate Operational risks on behalf of the Board.
Escalating
The table Risk Escalation and Responsibilities in Appendix D sets out the process for how risks can be escalated for inclusion on the Corporate Operational and Strategic risk registers. It is recommended that at each level Amber and Red risks are escalated.

11. Other relevant approved documents
All documents listed within the Policy Register are relevant to the risk management process, as these are in themselves risk management mechanisms; those of particular relevance are:
- HR10: Disciplinary Policy and Procedure
- CG11: Incident Reporting Policy and Procedure
- ITFA04: Health, Safety and Wellbeing Policy

12. Document Control

Date | Author | Version | Reason for change
17.04.18 | Catherine O'Sullivan | Draft V1.0 | Updated aims to align to strategy; updated Board Assurance section; updated roles and responsibilities as agreed with Chair and ARC chair; changed the risk framework illustration to match that in the ARA; updated risk categories to reflect GDPR.
25.04.18 | Catherine O'Sullivan | Draft V2.0 | Merged the Risk Policy and Procedure into one document.
25.04.18 | Catherine O'Sullivan | Draft V2.0 | Approved by SMT.
10.05.18 | ARC | Draft V2.0 | Approved by ARC.
July 2018 | Board | Final V3.0 | Approved by Board.
18.09.20 | Catherine O'Sullivan | Draft V4.0 | Updated: removed strategic aims and inserted link to strategy; inserted link to business plan; removed assurance framework to reflect the risk management framework; added the explanation on strategic, corporate operational, team and project risks; included statement on how project risks will be managed; updated impact table of the risk matrix to remove PESTLE following feedback from colleagues stating it was difficult to follow; updated escalation table to include project risk process; updated escalation table to include ARC reporting to the Board.

14.10.20 | ARC | Draft V4.2 | ARC reviewed and made suggested changes; ARC endorsed for Board approval.
15.10.20 | Catherine O'Sullivan | Draft V4.3 | Incorporated ARC suggestions: moved the roles and responsibilities table up to section 5 of the policy, so it is no longer an appendix; included a statement in the table on Risk Owner; updated the risk appetite statement to reflect ARC's point 'ISO 31000 states risk appetite is the amount and type of risk that an organisation is prepared to seek, accept or tolerate in pursuit of its objectives'.
10.11.20 | Board Review | Draft V4.4 | Board review.
16.11.20 | Catherine O'Sullivan | Final V4.0 | Approved for publication.

2020 Changes to the Policy and Procedure

Section | Changes
3. Statement of Intent | Removed strategic aims and inserted link to our 2022 strategy; approval date updated.
3. Statement of Intent | Inserted link to the business plan; risk management supports the delivery of our objectives set out in that document.
5. Roles and Responsibilities | Moved the roles and responsibilities table up to section 5 of the policy, so it is no longer an appendix (ARC request). Added a statement in the table on Risk Owner responsibilities (ARC request).
6. Risk Appetite | Updated the risk appetite statement to reflect ARC's suggestion of adding the words 'in pursuit of its objectives': 'ISO 31000 states risk appetite is the amount and type of risk that an organisation is prepared to seek, accept or tolerate in pursuit of its objectives'.
7. Risk Management Framework | Removed the assurance framework diagram and updated the text to reflect the risk management framework.
7. Risk Management Framework | Added an explanation on strategic, corporate operational, team and project risks, as they form the risk management framework.
7. Risk Management Framework | Included statement on how project risks will be managed.
Appendix B: Risk matrix and risk categories | Updated impact table of the risk matrix to remove PESTLE following feedback from colleagues stating it was difficult to follow. The list is more concise now, but note, as stated in the document, that the entries are illustrative examples and not intended to be a comprehensive list.
Appendix D: Risk escalation | Updated escalation table to include project risk process.
Appendix D: Risk escalation | Updated escalation table to include ARC reporting to the Board.

Appendix A
Risk register guidance

Risk register heading | Guide
Risk ID | A unique identifier in a numbering system assigned to a risk. The identifier should be used for reference or for cross-reference.
Date raised | Enables us to see how long a risk has been on the risk register for.
Business area | Identifies the team the risk affects.
Risk category | This allows us to identify sources of risk. Further guidance can be found in Appendix C.
Risk type | This will be Strategic, Corporate Operational or Team; this field enables risks to be filtered and reported through the internal processes.
Raised by | It is good practice to have the name of who raised the risk to enable further clarification or discussion.
Risk title | Short title/description of the risk; no more than 10 words.
Risk description | Describe the risk event, the cause and the effect. The risk should be articulated clearly and concisely. When wording the risk it is helpful to think about it in three parts and write it using the following phrasing: "There is a risk that ... This is caused by ... Which would/could lead to an impact/effect on ...".
Risk owner | Should include the initials of the person who owns the risk.
Inherent risk | Risk impact, likelihood and total score if there were no controls in place to manage the risk.
Key controls | Existing strategy and process currently in place such as systems, policies, procedures, standard business processes and practices. A risk may have more than one control.
Current risk | Risk impact, likelihood and total score with the controls in place to manage the risk.
Risk response | Terminate, tolerate, treat or transfer the risk.
Treatment plan | Additional strategy/activity needed to be developed and implemented should the risk level be unacceptable after controls are applied. There may be more than one treatment plan for a risk.
Treatment owner | Should include the names of those responsible for completing the treatment plan(s).
Date by | Each treatment plan should have a completion date set.
Target risk | The risk we aim to get to with cont
