This is an HTML version of an attachment to the Freedom of Information request 'Risk Management'.


NHS Greater Glasgow & Clyde Risk Management Strategy 
 
 
 
 
 
 
 
 
 
Risk Management 
Strategy 
 
 
 
 
 
 
Lead Manager:  
Head of Clinical Governance  
Responsible Director:  
Chair of RMSG  
Approved by:  
RMSG 
Date approved:  
Jan 2010  
Date for Review:  
3 years 
Replaces previous version:  
Feb 2007  
[if applicable]  
 
 
1 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
 
Contents 
 
Glossary of Terms 
1. Why is risk management so important to us? 
2. What is the purpose of the Risk Management Strategy? 
3. What do we want the strategy to achieve? 
4. Organisational Arrangements 
5. What is our approach to risk management? 
 
2 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
Glossary of Terms 
AssuranceStakeholder confidence in our service gained from evidence showing that risk is well 
managed. 
Corporate Risk Register. A Board level register, which spans all units on a Pan-Board basis. 
Healthcare Governance.  The system by which NHS Greater Glasgow & Clyde is directed and 
internally controlled to achieve objectives and meet the necessary standards of accountability, 
probity and openness in all three areas of clinical, corporate and staff governance. 
Internal Control. Corporate governance arrangements designed to manage the risk of failure to 
meet NHS Greater Glasgow & Clyde’s objectives. 
Likelihood. Chance of circumstances in question actually occurring. 
Near Miss. An undesirable incident that by chance or design did not result in harm or loss. 
Incident. An adverse event which causes or may have caused physical or psychological harm. 
Incident RecordingThe system of reporting adverse events or near misses. 
Partnership.  Way of working where staff at all levels and their representatives are involved in 
developing and putting into practice the decisions and policies which affect their working lives. 
Risk. The likelihood, high or low, that somebody or something will be harmed by an unwanted 
event or incident, multiplied by the severity of the potential harm. Risks are measured in terms of 
their likelihood and consequences. 
 
Risk AssessmentThe systematic process to identifying risk and evaluating their potential 
likelihood and consequences. 
Risk Control MeasureSomething done to minimise risk to an acceptable level either by reducing 
the likelihood of an adverse event or the severity of its consequences or both. 
Risk Register. A database of risks.  Always changing to reflect the dynamic nature of our risks and 
our management of them. Its purpose is to help managers prioritise available resources to 
minimise risk to best effect and provide assurances that progress is being made. 
Risk Escalation. The process of delegating upward, ultimately to the board, responsibility for the 
management of a risk deemed to be impossible or impractical to manage locally.  
Risk Management Principles. Ideology for the implementation of risk management. 
Risk ManagementThe culture, processes and structures that are directed towards realising 
potential opportunities whilst managing adverse effects. 
Root Cause Analysis. Structured techniques to establish the true systematic causes of an event 
as opposed to its apparent causes. 
Significant Risk.  Broadly, any risk that could adversely affect achievement of NHS Greater 
Glasgow & Clyde's objectives or present a large loss with no clear opportunity for control.  
Statement of Internal Control. A statement by the accountable officer within the published Annual 
Report, required by HDL(2002)11, on the effectiveness of NHS Greater Glasgow & Clyde's 
systems of internal control, for which risk management is a key component. 
3 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
1. Why is Risk Management so important to us? 
NHS Greater Glasgow & Clyde aims to provide high quality and safe services to the public it 
serves in an environment which is also safe for the staff it employs or contracts with to provide 
services. 
In fulfilling this aim, NHS Greater Glasgow & Clyde will establish a robust and effective framework 
for the management of risk, one that is proactive in understanding risk, builds upon existing good 
practice and is integral to all our decision making, planning, performance reporting and delivery 
processes.  
The framework is built on the belief that Risk Management is: 
ƒ 
An important activity to ensure the health / well being of patients, staff and visitors. 
ƒ 
An inclusive and integrative process covering all risks, set against a common set of 
principles. 

ƒ 
Best implemented where good practice is acknowledged and built upon. 
ƒ 
A major corporate responsibility requiring strong leadership and regular review. 
 
We believe that the provision of high standards of health, safety and welfare within a risk 
management framework is fundamental to the provision of high standards of health care.   
To fulfil this requirement we will: 
•  Develop a culture, which secures the involvement and participation of all - staff, patients and 
the public - in risk assessment and incident reporting. 
•  Implement measures to systematically identify and control risk as an effective approach to the 
prevention of injury, ill health and loss. 
•  Secure the commitment of management at all levels to promote risk management and provide 
the necessary leadership and direction. 
•  Adopt common standards throughout NHS Greater Glasgow & Clyde to provide and maintain 
robust systems to ensure compliance with relevant statutory requirements. 
•  Monitor and review risk management performance at all levels against agreed standards to 
ensure that corrective action is taken where necessary. 
•  Ensure that there are processes to facilitate the systematic recording and reporting of 
incidents and 'near misses' to minimise the risk of recurrence.  The reporting mechanism will 
focus on systems more than individuals and cover clinical and non-clinical incidents. 
•  Recognise the contribution of all key stakeholders, including patients and the public, to ensure 
their involvement and participation in the overall risk management process. 
•  Have in place effective systems of communication to ensure the dissemination of information 
on risk management matters across NHS Greater Glasgow & Clyde.  
•  Secure the provision of resources, facilities, information, training, instruction and supervision to 
meet these objectives. 
4 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
 
2. What is the Purpose of the Risk Management Strategy? 
NHSGG&C’s strategy affirms the Board’s commitment to improve its capability to manage risk in a 
systematic way.  By doing this  we can drive continuous improvement and have a positive impact 
on the quality of care, our staff and the efficiency of NHS Greater Glasgow & Clyde. 
The  strategy formalises risk management responsibilities and sets out how the public can be 
assured that our risks are managed effectively and accordingly represents a major element of NHS 
Greater Glasgow & Clyde 's healthcare governance arrangements. 
The following principles underpin NHS Greater Glasgow & Clyde’s risk management strategy.  
Table 1: Guiding Risk Management Principles  
1.  Founded on adopting a pan Health Board approach 
2.  Incorporates clinical and non clinical risk 
3.  Is comprehensive and integrated 
4.  Supported by clear processes for escalation of risk 
5.  Only exceptional risks advance to the Corporate Register 
6.  Integral to the business agenda and informs performance  
7.  Provides assurance that effective systems are in place 
3. What do we want the Strategy to Achieve? 
The overall goal of risk management is to create an environment where we analyse and 
understand the risks we face and eliminate or control them to an acceptable level, by creating a 
culture founded upon assessment and prevention of risk. The strategy seeks to achieve the 
following objectives. 
Table 2: Key Strategic Risk Management Objectives 
1.  Be integral to all our decision making, planning, performance reporting and delivery processes. 
2.  Be devolved to Division/Directorates/Partnerships within a supportive common framework. 
3.  Improve the quality of patient care by preventing or reducing harm or potential harm to patients. 
4.  Minimise liabilities in the event of harm to a patient, visitor or member of staff. 
5.  Improve the safety and quality of the working environment for the benefit of all staff 
6.  Ensure stakeholders are kept informed of the developing Risk Management process. 
 
5 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
4. Organisational Arrangements 
4.1 Overview 
Governance 
The Board is a board of governance and is corporately responsible for NHS Greater Glasgow 
& Clyde’s risk management strategy and for ensuring that significant risks are adequately 
controlled.  To support the Board a number of formal committees have been established and  
carry specific responsibilities for overseeing  risk management in NHS Greater Glasgow & 
Clyde– principally these are the Performance Review, Audit, Staff and Clinical Governance 
Committees. Their respective risk management roles are described in the diagram in section 
4.5 below.  A Risk Management Steering Group (RMSG) – for role and remit, see section 4.5 
below – exists to ensure a co-ordinated approach to Risk Management reporting to the 
Planning Policy Performance Group. 
In addition each Division, Directorates, Partnerships and other significant service groups within 
NHS GG&C organisational structure will, individually and through their support to the Risk 
Management Steering Group, regularly review the Risk Management arrangements to give 
assurance/status reports to the Board and the aforementioned formal committees. 
The combination of these arrangements ensures that there is a clear focus on both the 
corporate and risk management processes within the Acute Services Division and Partnership 
organisations. 
Executive and Divisional Management 
While the Chief Executive has overall accountability for risk management across NHS Greater 
Glasgow & Clyde, general management have been delegated leadership responsibility to co-
ordinate, integrate, oversee and support the risk management agenda and provide assurances 
to the Board (and its Committees) that all significant risks are adequately managed and the 
risk management principles are embedded across NHS Greater Glasgow & Clyde. 
It will be the responsibility of each Director, and their senior Management Team, to implement 
local arrangements, which accord with the principles, and objectives set out within  this 
strategy. 
The RMSG supports general managers in the development of risk management arrangements 
within NHS Greater Glasgow & Clyde, by providing technical and professional advice.   The 
Chair of the RMSG reports to the Chief Executive. 
4.2 Roles and Responsibilities 
All  managers have risk management responsibilities defined in their job descriptions and 
personal objectives.  This will include the identification, assessment and analysis of risks and 
action plans to eliminate or minimise the impact of known risks. 
Within each Management Team individuals may also be nominated to lead and co-ordinate 
particular elements of the risk management process and to work with colleagues and the local 
risk management advisors to develop and implement agreed actions.  
All managers across NHS Greater Glasgow & Clyde have a responsibility to ensure that their 
staff are familiar with the latest risk management arrangements, guidance and controls. 
 
6 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
 
 
4.2  Roles and Responsibilities (continued) 
All staff have a part to play in identifying and assessing risk. Staff are actively encouraged to 
report all incidents, including ‘near misses’.  In order to ensure full reporting of incidents, a ‘just 
culture’ will be operated within which staff are free to report on incidents and concerns in the 
knowledge that they will be supported.  
The delivery of NHS Greater Glasgow & Clyde's objectives increasingly relies upon effective 
co-operation, partnerships and joint working with partner agencies such as Local Authorities, 
Universities and the Voluntary Sector and independent contractors such as GP's, Dentists, 
Community Pharmacists and Opticians. NHS Greater Glasgow & Clyde seeks to minimise  risk 
by ensuring where necessary that: 
ƒ  All areas manage risk in partnership with partner agencies and contractors; 
ƒ  An adequate risk management framework is incorporated as part of the governance 
arrangements for joint management and partnership agreements; 
ƒ  Common objectives are agreed with partner agencies, contractors and the voluntary 
sector. 
4.3 Learning and Development  
Implementation of the strategy is underpinned by focused and effective learning and 
development interventions aimed at achieving: 
ƒ 
A workforce with the competence and capacity to manage risk and handle risk judgements 
with confidence 
ƒ 
An organisational focus on identifying malfunctioning systems rather than people 
ƒ 
Organisational learning from adverse events. 
Learning and development plans are subject to continuous development to ensure that they 
continue to be effective in supporting the achievement of these objectives. 
 
4.4 Provision of Support and Information 
The availability of timely and accurate risk information is necessary for the implementation of 
this strategy. Accordingly, NHS Greater Glasgow & Clyde will: 
ƒ  Support the development of systems to support risk assessment, identification and the 
sharing of lessons as an integral part of performance monitoring; 
ƒ  Develop relevant policy and guidance and ensure that it is kept up to date and remains 
easily accessible; 
ƒ  Put in place effective systems of communication to make sure everyone in the 
organisation is sufficiently informed about risk management; 
Promote continuous improvement and the sharing of good practice. 
 
 
7 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
 
 
 
4.5 Schematic of Reporting Structure and Responsibilities 
  
 
ƒ 
 
NHS Board 
Responsible for ensuring that all significant risks are adequately managed 
 
   Performance Review 
 
 
Chief Executive 
Audit 
 
Group 
 
 
/Headquarters   
  Committee 
  Review Board operational and 
Scrutinise effectiveness of Financial 
 
financial performance including risk 
Governance and risk management 
 
management activities, 
arrangements 
 
communicate to CEO, the Board and 
 
 
other Board Committees 
Responsible for leading 
Clinical 
implementation, resourcing 
Governance 
 
 
and performance 
 
Risk Management 
management of risk 
Scrutinise effectiveness of clinical risk 
 
Steering Group 
management system. 
and patient safety matters 
 
 
 
 
Provision of technical and 
Staff 
 
operational advice to Chief 
  Governance 
Executive and Management Teams. 
  Maintaining Corporate Risk register 
 
and dealing with escalated risks. 
 
Review staff matters, occupational safety, 
Ensuring governance standards met 
H&S, environmental matters 
 
Development and consultation of 
NHSGG risk management strategy 
 
and practice and corporate risk 
 
register 
 
 
ACUTE 
MENTAL 
COMMUNITY 
BOARD HQ 
HEALTH 
HEALTH 
Operational 
 
SERVICES 
PARTNERSHIP 
PARTNERSHIP 
Functions 
DIVISION 
(10) 
 
 
Locally 
Locally 
Locally 
Locally 
 
determined 
determined 
determined 
determined 
arrangements 
arrangements 
arrangements 
arrangements 
 
in line with 
in line with 
in line with 
in line with 
 
Risk 
Risk 
Risk 
Risk 
Management 
Management 
Management 
Management 
 
Strategy 
Strategy 
Strategy 
Strategy 
 
 
Line 
Line 
Line 
Line 
 
Management 
Management 
Management 
Management 
 
 
Default responsibility for implementation of the risk management framework and application of risk 
management principles. I.e. risk assessment, incident recording and investigation, implementing risk 
registers and ensuring risk competencies
 
8 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
5. What is our Approach to Risk Management? 
NHS Greater Glasgow & Clyde is 
Risk 
Risk 
 Risk 
a large, diverse and complex 
Identification 
Assessment 
Registers  
organisation where our 
Management Teams and staff 
already manage risk as an 
integral part of what they do 
Risk Action 
Plans  
Risk  
Assurance on 
every day.  A universal 
Escalation 
Internal control 
prescriptive method to manage 
 
 
risk would therefore be 
inappropriate. Instead, Divisional Management Teams managing risk in a way that best suits their 
existing style and arrangements should be able to demonstrate that they are managing risk in a 
consistent manner through the adoption of the guiding principles and general approach described 
in this strategy.  This will ensure that common standards for the management of risk apply across 
NHS Greater Glasgow & Clyde and support the assurance and business requirements of the NHS 
Greater Glasgow & Clyde Board and its corporate management.  The key components of the risk 
management framework are noted below: 
 
5.1 Risk Identification 
NHS Greater Glasgow & Clyde aims to minimise the likelihood 
Risk 
and severity of risk events by the recording of all incidents or 
identification 
near misses through Incident Recording systems. It is the 
responsibility of management to encourage staff to report 
incidents that could pose a hazard or threat to people or the 
provision of services and thus enable improvements to be identified, prioritised and implemented. 
Recording and analysis processes will be available to support local data entry, with the overall aim 
of shared learning across NHS Greater Glasgow & Clyde. In addition to risks identified through the 
Incident Recording systems the Directors and the Management Teams will also be required to 
regularly ‘horizon scan’ to identify risks by looking forward to tomorrow’s threats as part of the 
development of their Risk Register.   
 
5.2 Risk Assessment 
All risks shall be assessed using a standard classification matrix 
Risk  
which will be applied consistently across NHS Greater Glasgow & 
Assessment  
Clyde (See NHS GG&C Risk Register Policy). This will involve the 
assessment of risk in terms of the consequences and the likelihood 
of occurrence.  
9 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
 
5.3 
Risk Registers  
Each Division, Directorate or Partnership will be responsible for 
Risk 
maintaining its own Risk Register.  The risk register will be used by 
Registers  
each Management Team to inform priorities for the local implementation 
and monitoring of agreed mitigating controls.  Each risk will be allocated 
a risk owner(s) who will be responsible for taking appropriate action to 
minimise its impact. Review of the risk register will be a standing 
Management Team agenda item that will help inform planning, 
management decisions and priorities.  Management Teams will be expected to regularly review 
and update their risk registers.   
The NHS Greater Glasgow & Clyde corporate management will be responsible for maintaining a 
Corporate Risk Register which  will record and report on action being taken to manage the 
strategic risks facing NHS Greater Glasgow & Clyde.  The risks included on the Corporate Risk 
Register will be informed by the escalation procedures noted below, as well the collective input of 
Headquarters and the NHS Greater Glasgow & Clyde Board.   
 
5.4  
Risk Action Plans 
All risks identified and prioritised for action within the Risk Register will 
require a supporting action plan, which will ensure that the risk is managed 
Risk 
to an acceptable level.  It will be the responsibility of the Management 
Action 
Teams and Headquarters to determine the most appropriate form of action 
Plans 
and to allocate responsibility for implementation to an appropriate 
individual(s). 
 
5.5 
Risk escalation  
If significant risks have been identified that are deemed impossible 
or impractical to manage at a local  Management Team level, then 
they should be reported for review by the Director, or COO, for 
Risk 
Escalation 
reporting to Headquarters. Assessment and improvement should 
 
then be monitored through inclusion in the NHS Greater Glasgow & 
Clyde Corporate Risk register.   
In the absence of such escalation, the responsibility for the management of risks remains with the 
Management Teams.  Within Directorates or Partnerships similar escalation arrangements will be 
implemented to ensure that significant risks are highlighted for inclusion within local Risk Registers 
where this is deemed appropriate. 
Table 3: Nature of Risks which may need to be Escalated  
• 
Significant threat to achievement of health plan objectives or targets 
• 
Assessed to be a substantial or intolerable risk 
• 
Widespread beyond local area 
• 
Significant cost of control far beyond the scope of budget holders 
• 
Potential for significant adverse publicity 
10 of 11 

NHS Greater Glasgow & Clyde Risk Management Strategy 
 
5.6  Assurance on the Effectiveness of Key Controls 
As a result of the devolved accountability for all operational matters 
within NHS Greater Glasgow & Clyde, the Board requires assurance 
that local systems are capable of identifying their objectives and 
Assurance on 
internal control 
managing the risk to their achievement.  To assist the Board meet its 
 
governance requirements in respect of the management of risk, the 
Management Team’s will assess the effectiveness of the risk 
management processes and link to the Risk Management Steering Group to provide assurance 
to the NHS Greater Glasgow & Clyde Audit, Staff and Clinical Governance Committees.   
The Chief Executive and the Performance Review Group will evaluate assurances for the most 
significant and widespread risks contained within the NHS Greater Glasgow & Clyde corporate 
risk register and regularly report their findings to the Board. This would include a view on NHS 
Greater Glasgow's ability to meet its objectives.  This will ensure that risk management 
becomes firmly embedded as a Board responsibility and that assurances can be provided at all 
levels on the overall effectiveness of the risk management processes across NHS Greater 
Glasgow. 
To provide confidence to patients, staff and the public that this is the case, NHS Greater 
Glasgow & Clyde will publish within it’s annual financial accounts a Statement of Internal Control 
commenting on the effectiveness of the risk management arrangements. 
.  
11 of 11 

Document Outline