Risk Management and Integrated Governance

We have a responsibility for maintaining a sound system of internal control that supports the achievement of the NHS Foundation Trust’s policies, aims and objectives, whilst safeguarding the public funds and departmental assets.

We have in place:

A system of internal control

This is designed to manage risk to a reasonable level rather than to eliminate all risk. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of the policies, aims and objectives of Tameside and Glossop Integrated Care NHS Foundation Trust, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically.

Capacity to handle risk

The effective management of risk, and its reduction where possible, is a key priority at all levels of the Foundation Trust. It is a key component of all governance discussions, with the Board Assurance Framework and high-level entries on the Corporate Risk Register being reviewed and challenged at meetings of the Board of Directors and of Board Committees. The Audit Committee regularly reviews and challenges the control systems underlying the management of risk in the Foundation Trust.

Operationally, risk management is led by the Executive Directors, who have responsibility for the overall management and mitigation of risks within their areas of responsibility. There is a Risk Management group for the Foundation Trust, which has an operational overview of risk across the Trust to support the Board and its Committees. All staff have both the opportunity and expectation of reporting all perceived risks within their area of operation, which are then subject to a process of review, validation and (if appropriate) scoring and management. Management of risk is undertaken at a level appropriate to the potential impact of the risk, including departments, divisions and on a cross-Trust basis. Additionally, the Board maintains a Board Assurance Framework, reflecting the risks identified to the achievement of the Trust’s strategic objectives and how they are managed.

Risk management is a key part of the Trust’s training for all staff, to ensure that all staff can identify and address risk within their area. Managers receive training appropriate to their grade, in order to have an appropriate oversight of risks and their management within their area, and to support more junior colleagues. Overall responsibility for ensuring that appropriate training and guidance is available sits within the Integrated Governance Unit, who are also responsible for ensuring that reporting to the Board and Board Committees is appropriate and complies with the conditions of the NHS Improvement Licence related to risk management.

Our risk and control framework

The Trust has adopted a formal risk management strategy, which sets out how the Trust will seek to identify, control and manage risk. The aim of the risk management strategy is to support the Board, Board Committees and operational management to identify risk, evaluate its potential effect, and then manage that down to a level that is either acceptable or irreducible. The strategy recognises that, for some risks, it may not be possible to reduce the risk to a level that the Board would regard as acceptable, and therefore recognises that some irreducible risk levels must be taken, given the services provided by the Trust.

The Board has appointed a Quality and Governance Committee, which is responsible to the Board for detailed oversight of management actions to ensure the quality of services; and for recommending to the Board strategic actions to improve service quality.

The Board has also appointed a Workforce Committee to ensure that there is a key focus on ensuring the workforce is sufficient in numbers and skills to provide safe and quality care. The Committee regularly reviews performance and future strategy on workforce matters, and during the year has updated the strategy taking into account the national guidance in Developing Workforce Safeguards and the national NHS People Plan.

Financial and Resource Risk is overseen and managed by the Finance committee and as part of its responsibility to have oversight of relevant control systems, the Audit Committee reviews both the governance systems in place and the various data reporting systems: in order to give assurance that they are reliable and provide the necessary information, in a timely way, to comply with the Trust’s obligations under the NHS Improvement Licence. The Committee is supported in this by the Internal Audit service, who undertake arms-length reviews to a programme agreed by the Committee: and which indicate both available levels of assurance, and actions to increase assurance. Management are required to formally respond to the recommendations, and the Audit Committee regularly reviews progress to ensure that actions are delivered by management to the agreed timetable.

Performance information is subject to regular review, to ensure that it is reliable and continues to meet the requirements of the Trust. Performance information produced through data systems is regularly triangulated against the ‘lived experience’ of care, using qualitative information from sources such as complaints and complements, national and local surveys of patients experience (including the ‘Friends and Family’ test), and triangulation visits from Directors and senior managers. Mismatches are challenged in a variety of forums, and the performance reporting systems are also subject to regular review by both the Internal and External Audit services.

Compliance with the Care Quality Commission’s requirements, within the limits set by the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, is a statutory requirement on the Trust as a provider of healthcare services. The Quality and Governance Committee regularly reviews the Trust’s compliance with these requirements.

Management of risk to the security of the data held by the Trust, both on patients and staff colleagues, is a key activity. Data risks are included within the overall risk management process, and regularly reviewed.