risk management will become an integral part of NHSE’s culture
NHS England Risk Management Framework — Structural Audit Report
Version: 30 June 2025.
This page is a structural (In)Canon audit of the NHS England Risk Management Framework (Version 30 June 2025). It records what the text makes explicitly available to a machine before any inference or professional reconstruction.
- What it measures: whether normative statements contain explicit Actor, explicit Action, and a binding Accountability marker that could be treated as a commitment. Time anchors are detected and reported when present.
- What “Non-auditable” means here: the statement lacks at least one required explicit element (often Actor or Accountability), so a human would need to supply missing structure for the statement to be machine-actionable.
- What it is not: this is not a risk assessment, governance judgement, legal/clinical interpretation, or a quality score. It makes no recommendations and does not claim the policy is “good” or “bad”.
- Why this matters for AI use: when structure is missing, AI systems can still generate fluent outputs, but they do so by filling gaps implicitly. This report shows where that gap-filling pressure occurs.
This audit treats “absence” as data: when Actor, Action, or an accountability marker are not explicitly stated, the statement is not structurally self-contained for machine execution.
Summary counts as extracted (the labels for these four figures did not survive extraction): 84, 38, 46, 21.
Rule-set (what “auditable” means in this demo)
A statement is treated as auditable if it contains:
- an explicit Actor, and
- an explicit Action, and
- a binding commitment marker that a machine could act on without human reconstruction (modalised obligation such as will / must / should / required, or explicit responsibility/approval language).
Time is recorded when present but is not required for pass/fail in this demo.
“Non-auditable” means at least one required explicit element is not stated (most often Actor and/or Accountability). This is a structural status only.
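To make the rule-set concrete, the following Python checker applies it mechanically to a few statements quoted from the excerpts on this page. It is an added example written for this page, not the audit's own tooling: the actor vocabulary, the binding-marker pattern and the time-anchor pattern are assumptions chosen for illustration, and the action is taken heuristically as the verb phrase that directly follows the marker. A real audit would locate the grammatical subject with a parser rather than a word list.

```python
"""Heuristic checker for the demo rule-set: Actor + Action + binding marker.

Added example, not the audit's own tooling. The actor vocabulary, marker
pattern and time-anchor pattern are assumptions made for this example.
"""
import re
from typing import Optional

# Assumed actor vocabulary: explicit organisational actors named in the excerpts.
ACTORS = [
    "NHSE", "the Board", "the Executive Risk Group", "ERG", "each team",
    "each area of the organisation", "risk owners", "the risk owner",
    "the Risk Management team", "each directorate and region", "all staff",
]

# Binding accountability markers: modalised obligation or responsibility/approval language.
BINDING = re.compile(
    r"\b(will|must|should|shall|required|responsible for|accountable to|"
    r"approved by|endorsed by)\b", re.I)

# Time anchors are recorded when present but do not affect pass/fail.
TIME_ANCHOR = re.compile(
    r"\b(no less than \w+|at least twice a year|every two years|quarterly|annually|monthly)\b",
    re.I)


def find_actor(text: str) -> tuple:
    """Return the earliest listed actor in the text and its position (None, -1 if absent)."""
    best: tuple = (None, -1)
    for actor in ACTORS:
        m = re.search(r"\b" + re.escape(actor) + r"\b", text, re.I)
        if m and (best[1] == -1 or m.start() < best[1]):
            best = (actor, m.start())
    return best


def audit_statement(text: str) -> dict:
    """Classify one normative statement under the demo rule-set."""
    s = " ".join(text.split())
    actor, actor_pos = find_actor(s)
    marker = BINDING.search(s)
    action: Optional[str] = None
    if marker:
        # Heuristic: the action is the verb phrase right after the marker,
        # e.g. "will ensure" -> "ensure", "must be recorded" -> "be recorded".
        m = re.search(r"(?:be\s+)?[A-Za-z]+", s[marker.end():])
        action = m.group(0) if m else None
    # The actor must be the subject, i.e. appear before the binding marker.
    if actor and marker and actor_pos > marker.start():
        actor = None
    time_anchor = TIME_ANCHOR.search(s)
    missing = [name for name, present in
               (("Actor", actor), ("Action", action), ("Accountability", marker))
               if not present]
    return {
        "actor": actor,
        "action": action,
        "marker": marker.group(0) if marker else None,
        "time_anchor": time_anchor.group(0) if time_anchor else None,
        "missing": missing,
        "status": "auditable" if not missing else "non-auditable",
    }


def audit_report(statements) -> dict:
    """Run the check over a list of statements and return summary counts plus details."""
    results = [audit_statement(s) for s in statements]
    return {
        "total": len(results),
        "auditable": sum(r["status"] == "auditable" for r in results),
        "non_auditable": sum(r["status"] == "non-auditable" for r in results),
        "with_time_anchor": sum(bool(r["time_anchor"]) for r in results),
        "results": results,
    }


if __name__ == "__main__":
    # Sample statements quoted from the framework excerpts on this page.
    SAMPLE = [
        "NHSE will ensure that decisions made on behalf of the organisation are taken "
        "with consideration to the effective management of risks.",
        "All scores must be recorded in the relevant risk register in CoreStream.",
        "Risk registers should be kept up to date and reviewed no less than quarterly.",
        "The Board is responsible for risk appetite and has developed a Risk Appetite Statement.",
    ]
    report = audit_report(SAMPLE)
    for s, r in zip(SAMPLE, report["results"]):
        print(f"{r['status']:<14} missing={r['missing']} time={r['time_anchor']} | {s[:60]}")
    print({k: v for k, v in report.items() if k != "results"})
```

The two passive statements ("All scores must be recorded…", "Risk registers should be kept…") come out non-auditable with Actor missing, which is the pattern the rule-set note describes: the obligation is present but no explicit actor carries it, so a machine consuming the statement would have to supply one.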
risk management will be integrated into activities across the organisation, including policy making, planning and decision making
Management of issues will either be through programme / project management reporting, or through existing local management reporting.
pre-identified risks that later become issues) will continue to be tracked via the risk reporting process to ensure adequate visibility and provide assurance that they are being controlled, however they may be managed separately.
Issues that may impact existing risks should be considered when undertaking risk review exercises.
2.1 Roles & responsibilities
Each area of the organisation must undertake an ongoing robust assessment of risks and escalate risks through NHSE’s governance and escalation route, as set out in the NHSE Risk management process and procedures manual.
It is key to achieving effective risk management and should be considered before risks are addressed.
when considering threats, risk appetite sets the level of exposure which is considered acceptable should the risk be realised.
It balances the cost (financial or otherwise) of constraining the risk with the cost of the exposure should it become a reality.
All risks should be analysed with risk appetite in mind.
Where target scores remain outside the agreed appetite level, additional mitigations will need to be proposed, or a decision taken by the appropriate governance forum to tolerate a position of operating outside of appetite.
Level 3 | Sub teams, including operations and programmes | Risks that are related to the delivery of sub-team objectives and have the potential to threaten delivery of a broader objective should they not be adequately mitigated.
Level 4 | Individual teams, pieces of work and projects | Risks that are related to the delivery of individual team operations and objectives and have the potential to threaten delivery of a sub-team objective should they not be adequately mitigated.
For each risk on our risk registers, we should determine:
All scores must be recorded in the relevant risk register in CoreStream.
The level and type of treatment will vary depending on the level of residual risk that has been determined and the tolerance for managing risk to within its risk appetite.
To change the risk’s likelihood and/or consequences, existing controls will need to be enhanced, or new controls implemented.
A risk action plan (also referred to as a risk mitigation plan) should be put in place to address any gap in controls.
If a risk is being accepted it still needs to be regularly monitored, as circumstances may change which could result in different treatment in the future.
4.2.3 Review
Risk should be considered regularly as part of the normal flow of management information about the organisation’s activities and in significant decisions on strategy, business planning,
Footnote 1: Risk sharing is the practice of distributing risks amongst several organisations, departments or teams to provide alternative approaches to mitigating the risk.
Evidence of such reviews may be required to assess compliance with the framework across the organisation.
Risk registers should be kept up to date and reviewed no less than quarterly.
New risks should be added as they are discovered.
Each directorate and region should consider and document how the second line will be enacted within their area of the organisation.
In addition to reviewing the Strategic and Operational risk registers at each meeting, they will get risk based deep dives of those risks where:
Each team is responsible for defining their internal risk review and reporting arrangements, which should be proportionate to its local needs.
Individual risks and risk registers should be reviewed no less than quarterly.
Where cross-organisation risks do not fit within the remit of the ECG, they will be raised to the relevant governance forum at the time.
The above is only a guide, and in general risks should be considered for escalation where:
Where a team believes a risk may require escalation, the process for doing this will be as follows:
from level 4 to level 3) must be endorsed by the risk register owner where the risk currently sits, as well as the receiving risk register owner and / or the forum at that level.
Escalation from level 1 risk register onto the SRR or ORR: escalation must be endorsed by the national director leading on the area that the risk is being escalated from.
Escalation of the risk must be approved by ERG.
Escalation of a cross-organisation risk either newly identified or from a level 1 risk register onto the ORR: escalation must be endorsed by the national director leading on the area that the risk is being escalated from.
Continued monitoring and reporting of the risk will sit with the ERG, other than where deep dives may be required.
Otherwise the risk will form part of established quarterly reporting.
Compliance reporting will be informed by the above activities and reported to ERG at least twice a year, and annually to ARAC.
When there are gaps in controls, a mitigation plan should be agreed.
Note: These risks will be specific to the corporate team/region in question and by their nature will include operational or project delivery risks over which the corporate team/region has full or partial control.
It risk criteria) is used to determine whether a specified level of risk is acceptable or tolerable; and should reflect organisational values, policies, and objectives, be based on external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements such as delegations of authority and operating limits/thresholds.
Annex 2: Roles & responsibilities
Role | Responsibility
All staff | Responsible for:
Risk Register Owners, e.g. | Responsible for: • participating (as appropriate) in the identification, assessment,
Executive Risk Group | Responsible for: • oversight of NHSE’s risk exposure in the context of the risk appetite that has been agreed by the Board
They must ensure that risk management is integrated into all activities, and should demonstrate leadership and commitment by ensuring:
Risk Management Team | The Risk Management team is the corporate team directly accountable to the Chief Risk Officer. The team is responsible for: • maintaining a suitable risk management framework and any associated procedures and updating them every two years or following significant change
“Auditable” means Actor + Action + an accountability marker are explicitly present in the statement under the demo rule-set. This is a structural classification only.
NHSE will ensure that decisions made on behalf of the organisation are taken with consideration to the effective management of risks.
the Board will have a means of receiving assurance that strategic and operational risks are being identified and managed
The broad principles of the framework also apply to Commissioning Support Units (CSUs), although they will have their own local arrangements for recording and governance.
Risk Appetite The Board is responsible for risk appetite and has developed a Risk Appetite Statement which forms part of NHSE’s overall risk management strategy and will guide staff in their actions and ability to accept and manage risks.
There will be a range of appetites for different risks and these appetites may vary over time; in particular the Board will consider varying the amount of risk which it is prepared to take as circumstances change i.e., during periods of increased uncertainty or adverse changes in the operating environment.
To support consistency and enable staff to take well calculated risks to improve delivery when opportunities arise, and also to identify when a more cautious approach should be taken to mitigate a threat, the NHSE Board has adopted a qualitative approach to risk appetite and has structured risk appetite around several principal risk types.
Each Risk Owner should determine which risk appetite category their risks best align to.
Level 2 | Sub-directorates / teams immediately below directorates and regions, including portfolios | Risks that are related to the delivery of team objectives and have the potential to threaten delivery of a directorate or regional objective should they not be adequately mitigated.
Therefore, the risk scoring guidance set out within the NHSE Risk management process and procedures manual should be applied by the subject matter experts articulating and managing each risk, with risk score calibration then taking place within the risk management governance framework to ensure consistency.
NHSE’s risks should be scored at the point they are identified.
4.2.2 Treatment
Once a risk has been identified, the risk owner needs to consider how it will be treated.
It is NHSE’s minimum expectation that risks will be reviewed quarterly by risk owners and considered collectively by the appropriate management forum on the same timescale.
4.3 Recording risks
CoreStream is the system that we use to manage all risks at NHSE, therefore all risks must be recorded on the platform and cannot be kept locally; this includes programme risks.
NHSE’s risk registers allow regions and directorates to capture all the information needed to manage risk appropriately and determine whether any risks should be escalated through our governance structure.
The corporate risk management team and other internal oversight teams such as governance, legal, IT, performance/business planning, finance and HR (among others) form the second line of defence and are responsible for co-ordinating, facilitating and overseeing the organisation’s effectiveness and integrity.
4.4.2 Risk governance for the Strategic Risk Register (SRR) & Operational Risk Register (ORR)
The Executive Risk Group will be