The essentials of risk management

Author: Rob Kurau


Publication date: 17 April 2023
Last reviewed: 17 April 2023


In this chapter: 

  1. Introduction
  2. What is risk management?
  3. Risk vision and strategy
  4. Risk culture
  5. Risk appetite 
  6. Policy and governance 
  7. Risk assessment and control
  8. Incident management
  9. Monitoring and assurance
  10. Looking to the future
  11. Appendices

 

Introduction

The effective management of risk is becoming both more complex and more important as providers move to working as systems. Provider boards will need to be well sighted on system-wide risk and on risks accruing from place-based and other collaborations and co-operative ventures, in addition to managing risk within their own organisations. While it has always been the case that changes within a nearby provider presented both risks and opportunities, the chance to plan together now presents the right set of circumstances to maximise opportunities collectively and to minimise the likelihood and impact of risks. However, system working will also mean increased complexity, making it more difficult for boards to be sufficiently well sighted on all of the ventures in which they are involved to be confident that they have adequate assurances of the right quality.

In this chapter Rob Kurau provides some fresh insights into the essentials of risk management that even experienced risk practitioners are likely to find useful.



What is risk management?

A risk is defined as "an uncertain event or set of circumstances that, should it occur, would have an impact on an organisation's objectives". More simply, a risk is something that could go wrong. Providers share exposure to similar risk types and risk categories. A standard set of definitions is set out in Appendix 1.

The principal benefits of effective risk management to providers are:


Clearly, provider boards need to recognise that for the organisation to meet its strategic objectives, effective risk management will be essential. For this reason, setting out an enterprise-wide risk management system or framework will be critical; broadly encompassing the activities relating to the identification, assessment, control, monitoring and reporting of risk. Each component of a good practice risk management framework in place at a leading provider has been summarised below:

An example of a risk management framework summary is set out at Appendix 2.



Risk vision and strategy

It is important that risk management considerations are properly reviewed as part of the provider board's strategy setting process. If a review of the provider's strategic risks is not properly undertaken, financial and non-financial resources to mitigate these risks may not be allocated, potentially leading to unacceptable clinical risks and poor patient outcomes. The mitigation of such risks part way through the strategic planning cycle could be more difficult to achieve, compared to when risk remediation plans are agreed and funded at the outset.

A risk management vision and strategic risk priorities should set out the themes of risk management activity that will be undertaken to contribute to the delivery of the provider's overall vision and strategy. In the current context, that will no doubt include capturing risks which impact the organisation derived from system working, provider collaboratives and partnerships including at place.

Developing this may also enhance the alignment between the provider's overall strategy and the supporting risk management priorities. These priorities should then be reflected within departmental plans and the provider's longer-term strategy, with progress monitored by relevant management groups (for departmental plans) and assurance committees (for the strategy). We would expect the provider's strategy to feed into and align with the strategy (or strategies) of relevant ICSs.



Risk culture

Risk culture includes the values and behaviours that shape risk decisions. It is acknowledged that the risk management framework will only be truly effective if operating within an appropriate culture. When viewed through a 'risk lens', culture encompasses the values, beliefs, knowledge, understanding and practical application of risk management, which is embodied by the board and shared and adopted by all employees across the provider. Culture stems from the 'tone from the top' and is shaped by the influence of every employee in their daily interactions and specifically through the adoption and promotion of the provider's behaviours. Every employee therefore has a role to play in creating an appropriate culture. For more on organisational culture see our chapter on problem sensing and culture.



Risk appetite

Since we wrote the third edition of this compendium, we have noted an increased emphasis on provider boards engaging with the topic of risk appetite. As set out within the 'Orange Book – Risk Appetite guidance note', Government Finance Function (October 2020), risk appetite is defined as the level of risk within which the organisation aims to operate. By defining a risk appetite, the provider board will be able to clearly set the optimal position in pursuit of its strategy and vision. The benefits of adopting a risk appetite include:


If one of the key roles of the board is to ensure that the organisation is taking the right level of risk within which to meet its strategic objectives, then the risk appetite is a significant tool in helping boards to understand the organisation's risk management boundaries within which to deliver the overall strategy and vision. The risk appetite approach should set out:


Once the board has approved the risk appetite, it is essential that management considers the best way to embed that approach into day-to-day planning and management. Key processes where it is important for risk appetite to be taken into account include the strategy setting process, board decision making and risk appetite adherence reporting. For illustration purposes, Appendix 3 sets out a case study with an example Board-level risk appetite, aligned to each risk type and category, as well as risk appetite statements. This information has been derived from The Leeds Teaching Hospitals NHS Trust – Risk Appetite 2021/22.

The board may of course find itself in a position where its risk appetite differs from that of neighbouring trusts, partners, regulators or indeed its ICS. This publication focuses primarily on the roles and responsibilities of the trust board, which of course include determining the risk appetite for the organisation; however, we can assist in facilitating wider discussions through the NHS Providers' Board development programme where more tailored conversations are appropriate.



Policy and governance

Providers are expected to have appropriate systems of risk management and internal control in place. This manifests itself through a board and committees, a set of policies, board assurance reporting mechanisms and an annual control statement, as part of the provider's Annual Report.

Risk management committees are now more commonplace in NHS providers. We have observed that the role of a risk management committee is to consider the provider's most material risks and to receive updates on its risk profile, on progress with risk remediation plans and on key risk escalations from clinical service units and corporate functions or equivalent. Typically, risk management committees should also provide periodic updates to the board. Where providers have not established a dedicated risk management committee, we have observed that some deal with risk management matters through an Audit & Risk Committee or directly at the Board. Any of these approaches may be suitable, though each should be considered within the context of the provider's circumstances.

A policy is a document that articulates what must be done (or is permitted within prescribed boundaries) and, where appropriate, what must not be done by employees in their day-to-day activities and in pursuit of their strategic objectives. The attributes of a policy are that it directs and limits the actions of employees in pursuit of their strategic objectives and that it defines the scope within which decisions can be taken.

The board assurance framework (BAF) is a significant tool in helping provider boards to understand the implementation of strategy in the context of risk management. The BAF sets out the provider's strategic objectives, the risks to achieving them and the controls and assurance mechanisms that have been put in place to manage risk and deliver the objectives. An industry good practice example of a BAF template, as well as a review by PwC across a range of NHS sector BAF documents, can be found on the NHS Providers website.

The annual governance statement (AGS) is a key section within the provider's annual report, signed by the provider's chief executive. The AGS includes the system of internal control across the provider and includes its capacity to handle risk; risk and control framework; resourcing levels; any data governance serious incidents and key controls; and overall effectiveness of internal control.



Risk assessment and control

A risk assessment is the process for estimating the amount of risk and is important to the provider as it enables management to understand the nature and extent of the risks that the organisation faces and to prioritise actions where appropriate. Risks should be assessed based upon a combination of the likelihood of the risk occurring and the potential impact upon the organisation and its patients should the risk occur. Such risks can sometimes be categorised based on whether they are near-term risks versus those that are longer-term, horizon risks.

All risks should be assessed on an inherent (without controls) and residual (with controls) basis using the provider's risk scoring matrix. Controls are repeatable actions taken to reduce risks and they are important as they should reduce the likelihood of risks occurring and/or their impact should they occur. Risk assessment should not be a one-off exercise but one which is repeated to take account of the progress of mitigating actions and any change in circumstances. For illustration purposes, Appendix 4 sets out a good practice risk scoring matrix from a leading provider.

Following periodic risk assessments, risk registers should be used for recording and tracking risks and associated action plans. They are important as they enable management to understand the nature and extent of the risks that the organisation faces and support the progress of actions to address them. Once the risk assessment has been undertaken, it is good practice for management ownership to be assigned, a risk mitigation plan to be documented and a review to be held by the executive team, with subsequent escalation via the risk management committee to the board if necessary. An industry good practice risk register template is available on the NHS Providers Board Development resources webpage.



Incident management

As part of the NHS England emergency preparedness, resilience and response (EPRR) framework, providers must show they can effectively respond to major, critical and business continuity incidents whilst maintaining services to patients. Providers are usually required to undertake an annual self-assessment against the full set of core EPRR standards. The introduction of the integrated care board (ICB) has changed the process in that the self-assessment is now submitted to the ICB, which provides local assurance prior to submission to NHS England and the Local Health Resilience Partnership.

Providers are also expected to have a whistleblowing process (also known as 'Freedom to Speak Up') to enable their employees to raise concerns about any wrongdoing that could affect others. This is important as it lets the provider know when things are going wrong that it might otherwise not have found out about. All concerns raised through the whistleblowing channel should then be subject to review and investigation. Where concerns are substantiated, appropriate action should be taken to address the concern and, where possible, to prevent a recurrence.



Monitoring and assurance

The three lines of defence model is an accepted, regulated framework designed to facilitate an effective risk management system. This model is used across the public and private sectors because it provides a standardised and comprehensive risk management process that clarifies roles and reduces cost and effort. Different departments play distinct roles within this model.

The first line of defence is responsible for the ongoing management of risks within the provider. In managing these risks, departments will adopt a variety of operational level risk and control monitoring mechanisms, such as holding risk workshops, maintaining risk registers and tracking key performance indicators. Examples include clinical service units and other front-line patient services.

The second line of defence is responsible for oversight of day-to-day management of risk by the first line. These activities should include supporting, coaching, facilitating, monitoring, challenging, reporting and instructing on first line risk management practices. Examples include departments such as quality, finance and human resources.

The third line of defence is responsible for providing an independent and objective opinion to the board on the adequacy and functioning of the system of internal control. Given the size and complexity of some providers, it is commonplace for providers to use a third-party firm to deliver internal audit services to the board.



Looking to the future

It is clear that risk management across the NHS must go beyond compliance and support the delivery of outcomes for the benefit of patients and other key stakeholders. Since we wrote the third edition of this compendium, we have observed providers taking forward initiatives to further mature their own and the wider system's risk management capabilities. We hope that this section will make a further contribution to this work and provide some practical assistance.

 

Appendices 

Appendix 1 – Risk Types and Risk Categories
Appendix 2 – Risk Management Framework Summary
Appendix 3 – Risk Appetite Case Study
Appendix 4 – Risk Scoring Matrix

 

________________________________________________________________________________________________________________________

About Rob Kurau 

Rob Kurau CFIRM FICA PgDip (GRC) Int.Dip (AML)
Board risk advisor at The Leeds Teaching Hospitals NHS Trust and director of enterprise risk management at Yorkshire Building Society.

Rob has worked with senior levels of staff across multiple sectors from critical national infrastructures to finance to the national health service. This has led to a rare blend of experience, skills and knowledge capable of influencing and improving enterprise-wide risk management performance.

In his current role, a major focus of Rob's experience has been around developing and embedding enterprise-wide risk management frameworks, upgrading operational risk management capabilities, increasing the efficiency and effectiveness of risk management target operating models and enhancing relationships with regulators and key market stakeholders.

Rob has worked closely with Leeds Teaching Hospitals NHS Trust (LTHT) to help LTHT mature its Board-level risk management capabilities. In support of the LTHT's Board, he worked on upgrading LTHT's risk management framework, including helping them develop a common risk language, setting a Board risk appetite and embedding the risk appetite into Board-level decision making.

By way of his continuing professional development, Rob is a certified fellow with the Institute of Risk Management and International Compliance Association.

 
