Implementing Enterprise Risk Management across NHG Designated Risk

Implementing Enterprise Risk Management across NHG Designated Risk Lead Training 8 February 2010 Stuart Emslie, UK

Stuart Emslie BSc(Hons) MSc CEng FIHM MIMech. E • • Independent UK-based healthcare consultant specialising in corporate and clinical governance, board development, risk management and patient safety Formerly Department of Health head of controls assurance (governance/risk management) for the NHS in England World Health Organisation consultant to Malaysian Ministry of Health Adviser to Health Service Executive (Ireland), Hong Kong Hospital Authority and NHG, Singapore Honorary Fellow, Flinders University School of Medicine, Australia Visiting Fellow, Loughborough University Business School, England Fellow of the Institute of Healthcare Management (FIHM) and, by original profession (in the 1980’s), a chartered mechanical engineer Editor of www. healthcaregovernancereview. org

Learning and other objectives • Understand the concept of enterprise risk management (ERM) • Gain familiarity with ISO 31000: 2009 Risk management: Principles and guidelines • Be able to identify risk by a number of means • Be able to construct and maintain a Risk Register • Understand the principles underlying the setting of risk management priorities • Understand the difference between governing risk and managing risk • Contribute to the ongoing development of ERM in NHG

‘Designated person’ attributes • • • Thorough understanding of the organisation and management of NHG and, in particular, the hospital/facility within which they work. Preferably working at middle-senior management or clinician level with sufficient authority (or having direct access to authority) to help ensure successful implementation and maintenance of the ERM system. A genuine interest in helping manage risk. Preferably with an interest in quality management and patient safety. A working knowledge of Microsoft Office software, especially Word, Powerpoint and Excel.

Programme

Q 1 - What is risk?

31 March 2003

Q 2 - What is enterprise risk management?

Enterprise risk management (ERM) “[A] US term coined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004) and defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. ” The concept and practice of enterprise risk management is fully addressed by the requirements of ISO 31000: 2009 in all but name. ” Draft NHG Risk management policy

Senior Management/Board Risk Management Policy Board/Senior Management/board Risk Management Plan Designated risk leads Risk Register Guidelines

5. 3. 2 Risk management policy The risk management policy should clarify the organization's objectives for and commitment to risk management and should specify the following: • links between the risk management policy and the organization’s objectives and other policies; • the organization's rationale for managing risk; • accountabilities and responsibilities for managing risk; • the way in which conflicting interests are dealt with; • the organization’s risk appetite or risk aversion; • processes, methods and tools to be used for managing risk; • resources available to assist those accountable or responsible for managing risk; • the way in which risk management performance will be measured and reported; • commitment to the periodic review and verification of the risk management policy and framework and its continual improvement; and • the means by which the risk management policy will be communicated appropriately.

5. 3. 3 Integration into organizational processes [Risk management plan] • Risk management should be embedded in all the organization’s practices and business processes so that it is relevant, effective and efficient. The risk management process should become part of and not separate from those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and change management processes. • There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all the organization’s practices and business processes.

NHG Board 7 Audit CEOs 4 M 1 M 2 Designated Risk Lead 3 2 Departments, etc. Staff 1 Risk 6 CEO 5 CRO M 3 etc. Board committees Mn Members/Institutions

ERM - A journey, not a destination.

Q 3 - In your opinion, what do you think the key BENEFITS might be of implementing ERM across NHG?

INTRODUCTION TO RISK MANAGEMENT IN HEALTHCARE Stuart Emslie

Risk management process AS/NZS 4360: 2004 - Risk management Analyse Risks Evaluate Risks Treat Risks Monitor and review Identify Risks RISK ASSESSMENT Communicate and Consult Establish Context

Aggregation Filtering/ Escalation Information Cluster Aggregation Hospital Aggregation Depts. ‘Front line’ Resources/Action/Improvement HORMC

RISK QUANTIFICATION MATRIX Consequence Likelihood Insignificant 1 Minor 2 Almost certain - 5 Likely - 4 Possible - 3 Unlikely - 2 Remote - 1 RISK Low Medium High Moderate 3 Major 4 Extreme 5

RISK QUANTIFICATION MATRIX Consequence Insignificant 1 Minor 2 Moderate 3 Major 4 Extreme 5 Almost certain - 5 5 10 15 20 25 Likely - 4 4 8 12 16 20 Possible - 3 3 6 9 12 15 Unlikely - 2 2 4 6 8 10 Remote - 1 1 2 3 4 5 Likelihood RISK Low Medium High

Risk perception

Risk perception

Risk perception

The healthcare risk ‘universe’ Environment Financial Legal Patient care and safety Human Resource Integrity IT Occupational safety & health Physical resources Information for decision making etc.

Some common sources of information used to populate a healthcare risk register REACTIVE Staff adverse incidents Complaints INTERNAL Other adverse incidents Root cause analyses Internal audits and inspections Patient Staff consultation General risk assessments Suggestion scheme Specialist risk assessments Claims Risk Register Hazard warnings Coroners reports Inquiry reports Safety alerts Incidents etc. occurring ‘elsewhere’ PROACTIVE Patient adverse incidents Accreditation standards Conferences, Seminars, etc. Facilitated workshops FMEA External audits, reviews etc. Benchmarking External stakeholder consultation EXTERNAL Books

Some common sources of information used to populate a healthcare risk register REACTIVE Staff adverse incidents Complaints INTERNAL Other adverse incidents Root cause analyses Internal audits and inspections Patient Staff consultation General risk assessments Suggestion scheme Specialist risk assessments Claims Risk Register Hazard warnings Coroners reports Inquiry reports PROACTIVE Patient adverse incidents Safety alerts Accreditation standards Incidents etc. occurring ‘elsewhere’ Conferences, Seminars, etc. Facilitated workshops FMEA External audits, reviews etc. Benchmarking External stakeholder consultation EXTERNAL Books

A common risk language Government funding / policy. Laws and Regulations. Economy. Demographics. Technology. Market share. Other providers. Customer needs and expectations. Public awareness. Suppliers. External disasters. External relations. Labour market Environment risk Process risk Empowerment risk Integrity risk Fraud Corruption Unauthorised use Unethical practice Illegal acts Reputation Conflict of interest Legal risk Regulatory compliance Litigation Contractual Financial risk Cash flow Budget control Cash collection Bad debts Payment Investment Insurance Currency Misappropriation Value for money IT risk: Purpose. Structure. Leadership. Accountability. Authority. Boundary. Compliance. Resource allocation. Communication. Rate of change. Performance measurement Patient Care and Safety Risk Patient and family rights Information & Consent Confidentiality Security Satisfaction/complaints Privacy Participation Comfort / Convenience Access and continuity Availability / Access Appropriateness Timeliness / delay Continuity Over / under utilisation Volume / capacity Interfaces Assessment of patients Adequacy of assessment Error (laboratory / reporting / interpretation) Appropriateness Physical resource risk System failure / Availability Technology Integrity Unauth. access/use Loss of data Cost / time overruns User needs not met Facilities / Equipment Capacity Availability Breakdown / Interruption Utilisation Performance Efficiency / Economy Compatibility Misuse / Impairment Loss Operator Technology Utilities failure Environmental Impact Conservation Waste Human resource risk Care planning Care of patients Standard of care/Bolam Competence Safety Care/Treatment accident Prescribing accident Drug admin. accident Efficacy Nosocomial Infection Clinical trial / new treatment Patient /family Educ. Clear Communication Patient compliance Other Documentation / recording Service development Supplies Defective products Product /service failure Economy Supplier Stock-out Obsolescence /shrinkage Health and safety Act of God Buildings / Equipment / Grounds Fire / Explosion /Flooding Hazardous substances/ Radiation Medical equipment and supplies Food hygiene Security Infectious Disease Insects and rodents Contractor Information for decision making risk Access. Availability. Accuracy. Timeliness. Completeness. Usability. Utilisation Staff capabilities and education Qualifications /registration Proficiency Professional development Maintaining a quality workforce Loss of key staff Turnover Recruitment Remuneration Industrial relations Workforce planning Performance Productivity Efficiency Teamwork Performance Incentives Coverage / skill-mix Absence / attendance Staff morale Occupational safety and health Safe systems of work Instructions / training /supervision Security / Violence Stress Hazardous exposure Clinical. Operational. Financial. Strategic P. 15

Daily Telegraph 20 August 2002

Failure Mode and Effects Analysis (in the context of wider risk management and quality improvement activity) FMEA FMECA HFMEATM SFMEA Failure Mode and Effect Analysis Failure Modes and Effects Analysis Failure Modes, Effects and Criticality Analysis

FMEA Steps… 1. 2. 3. Select a process (topic) Assemble your team Describe the process steps

2 a 1 4 a 3 a 2 b 5 3 c 3 b 4 b

FMEA Steps… 1. 2. 3. 4. Select a process (topic) Assemble your team Describe the process steps Identify the ways in which each process step can fail (failure modes – e. g. drug maladministration; performing wrong site surgery; clinical mis-diagnosis; etc. ) 5. Identify the root cause(s) of failure (Why? ) 6. Identify the most likely effect(s) (i. e. consequence of failure) of each identified failure mode 7. Assess risk associated with each failure mode (consequence and likelihood – from risk matrix) 8. Identify additional controls required (actions to effect improvement) 9. Implement additional controls 10. Test process improvements

Risk Management Experience Sharing from KWC Dr Joseph Lui CCC (Risk Management), KWC

Medical Stream Clinicians • Premature discharge of patients leading to death or poor outcome due to bed shortage

Surgeons • Delay or missed diagnosis/treatment resulting in increased mortality & morbidity • Risk of harming patients associated with invasive procedures • Long waiting lists resulting in increased morbidity & complaints • Medication error • Harm to staff due to violent patients

Anaesthetists (1) • Risk associated with equipment failure • Risk associated with inadequate supervision of trainees • Risk of giving the wrong drug to patient due to mislabeling • Risk of overdosing patient due to malfunctioning of PCA • Risk of making unsound judgement after long hours of duty

Anaesthetists (2) • Risk of malfunctioning of resuscitation equipment due to lack of maintenance • Risk of improper use of Level I rapid transfuser in emergency due to inadequate training • Risk of staff injury and equipment failure due to cables & power cords lying on the OT floor • Risk of injury to staff – Bumping of head against theatre light – Slip & fall after mopping of OR

Radiology/Pathology • Risk associated with missing specimen or X ray films • Patient Identification – Medication, Xray & Path reports – Miss labeling of specimen • Risk associated with Equipment Maintenance & Validation • Risk associated with Manual handling • Risk associated with chemical waste handling • Risk associated with understaffing

1. Risk type: 2. Risk description: 3. Existing controls: 4. Initial consequences: 5. Initial likelihood: 6. Additional controls: 7. Residual consequences: 8. Residual likelihood:

Describing risk – the ‘ 3 C’s’ 1. Risk is inherently negative, implying the possibility of adverse consequences. Describe the potential consequences if the risk were to materialise 2. Describe the causal factors that could make the risk materialise 3. Ensure that the context of the risk is clear, e. g. is the risk ‘target’ well defined (e. g. staff, patient, department, hospital, etc. ) and is the ‘nature’ of the risk clear (e. g. financial, safety, physical loss, perception, etc. )

Which of the following are adequate descriptions of risk? • Risk to patients due to errors and unsafe clinical practice caused by reduced skill base and competence of junior and middle grade medical staff • Needlestick injury • OSH • Reduced staff retention and increased sickness absence due to reduction in morale caused by increased workload, pressure and stress to achieve targets • Inadequate patient transfer • Budget overrun and financial deficit due to cost of introducing new technologies/medicines as required by NICE guidance • Medication error

1. Risk type: Patient care and safety. 2. Risk description: Patient falling off a trolley causing harm to patient or a member of staff. 3. Existing controls: Occasional maintenance work carried out, but very inadequate. AIRS figures show that this type of incident happens at least once per week. There Have been some reports of staff injury when a trolley breaks down. 4. Initial consequences: 5. Initial likelihood: 6. Additional controls: 7. Residual consequences: 8. Residual likelihood:

RISK QUANTIFICATION MATRIX Consequence Likelihood Insignificant 1 Minor 2 Almost certain - 5 Likely - 4 Possible - 3 Unlikely - 2 Remote - 1 RISK Low Medium High Moderate 3 Major 4 Extreme 5

1. Risk type: Patient care and safety. 2. Risk description: Patient falling off a trolley causing harm to patient or a member of staff. 3. Existing controls: Occasional maintenance work carried out, but very inadequate. AIRS figures show that this type of incident happens at least once per week. There Have been some reports of staff injury when a trolley breaks down. 4. Initial consequences: Major (4) 5. Initial likelihood: Almost certain (5) 6. Additional controls: Need a proper system of planned maintenance carried out on the trolleys to ensure they don’t break down and accidentally harm patients or staff. 7. Residual consequences: Major (4) 8. Residual likelihood: Unlikely (2)

Operational risks identified by Clusters for 2004/05 1. 2. 3. 4. 5. 6. Infection control OSH Medication error Resuscitation Transfer of patients Documentation of medical records, including consent 7. Patient identification (during consultation, blood sampling, operation & for investigations) 8. Wrong site surgery 9. Proper use of infusion pumps 10. Medico-legal risk (open disclosure)

Strategic Vs Operational risk? Strategic Operational

Strategic ‘challenges’ for Hospital Authority 2004/05 • • SARS and review reports Resources availability • • Funding Beds Staffing People capacity Service expansion/demand New technology Evolution of cluster management

Aggregation Filtering/ Escalation Information Cluster Aggregation Hospital Aggregation Depts. ‘Front line’ Resources/Action/Improvement HORMC

RISK QUANTIFICATION MATRIX Consequence Insignificant 1 Likelihood Minor 2 Almost certain - 5 Likely - 4 Possible - 3 Unlikely - 2 Remote - 1 RISK Low Medium High Moderate 3 Major 4 Extreme 5

RISK QUANTIFICATION MATRIX Consequence Insignificant 1 Minor 2 Moderate 3 Major 4 Extreme 5 Almost certain - 5 5 10 15 20 25 Likely - 4 4 8 12 16 20 Possible - 3 3 6 9 12 15 Unlikely - 2 2 4 6 8 10 Remote - 1 1 2 3 4 5 Likelihood RISK Low Medium High

1. Risk type: 2. Risk description: 3. Existing controls: 4. Initial consequences: 5. Initial likelihood: 6. Additional controls: 7. Residual consequences: 8. Residual likelihood:

1. Risk type: Patient care and safety. 2. Risk description: Patient falling off a trolley causing harm to patient or a member of staff. 3. Existing controls: Occasional maintenance work carried out, but very inadequate. AIRS figures show that this type of incident happens at least once per week. There Have been some reports of staff injury when a trolley breaks down. 4. Initial consequences: Major (4) 5. Initial likelihood: Almost certain (5) 6. Additional controls: Need a proper system of planned maintenance carried out on the trolleys to ensure they don’t break down and accidentally harm patients or staff. 7. Residual consequences: Major (4) 8. Residual likelihood: Unlikely (2)

1. Risk type: OSH 2. Risk description: Staff sustaining needlestick injuries when resheating due to time pressures, unpredictable patients, etc. 3. Existing controls: -Staff induction training -Ongoing training -Reminders at team meetings 4. Initial consequences: Major (4) 5. Initial likelihood: Likely (4) 6. Additional controls: -Improved induction and ongoing training -Promotion of greater awareness at team meetings and notices on noticeboards -Purchase ‘safe’ needles for sole use by all staff 7. Residual consequences: Major (4) 8. Residual likelihood: Unikely (2)

RISK QUANTIFICATION MATRIX Consequence Likelihood Insignificant 1 Minor 2 Almost certain - 5 Likely - 4 Possible - 3 Unlikely - 2 Remote - 1 RISK Low Medium High Moderate 3 Major 4 Extreme 5

Q 4 - What are the issues or concerns that ‘keep you awake at night’? 1. Think about yourself and your colleagues – list 1 issue or concern you have at work. 2. Now think about patients – list 1 issue or concern you might have in relation to the safety or quality of care provided to patients in your department, hospital etc. 3. Finally, think about your organisation– list 1 issue or concern………. .

NHG Risk Register

Aggregating risks……

Aggregation of risk registers

Escalation of risks

Setting Risk Management Priorities

Q 5 - In your opinion, what are the potential ISSUES that need to be addressed in moving forward with implementing ERM across NHG?