RISK MANAGEMENT

STANDARD

An independently assured risk management system is in

place that conforms to the principles contained in AS/NZS
4360:1999 and which meets NHS and other requirements in
respect of managing risks, hazards, incidents, complaints and
claims.

OVERVIEW
This standard is principally concerned with ensuring that all NHS organisations have the basic
building blocks in place for managing risk through development and implementation of a
comprehensive risk management system.

This standard builds upon, and replaces, the original Controls Assurance core Risk
1
Management System standard . The eight criteria contained in this standard are the same as
those used by the NHS Litigation Authority for the purposes of the Risk Pooling Schemes for
Trusts (RPST). In essence, there is now only one set of consolidated risk management
standards with which NHS organisations need to comply to meet the combined requirements
of Controls Assurance and the NHSLA’s risk pooling schemes. NHS organisation’s that are
not obliged to meet NHSLA requirements should, nevertheless, refer to the detailed guidance
contained in the NHSLA standards (www.nhsla.com) which contain ‘deemed to satisfy’
guidance for meeting the requirements of this standard. This standard, together with the
Governance and Financial Management controls assurance standards, provide the basis for
reporting against the statutory Statement on Internal Control (SIC) as set out by HM Treasury
in DAO(GEN) 13/00 and DAO(GEN) 09/03. Requirements for reporting on internal controls
for NHS organisations in 2003/2004 was issued to the service in September 2003 under
cover of Chief Executives Bulletin No 186.

Risk management should be recognised as an integral part of good practice and should be
part of the organisation’s culture. It should be integrated into its philosophy, practices and
business plans rather than be viewed or practised as a separate programme. When this is
achieved, risk management becomes the business of everyone in the organisation.

Whilst this standard does address key issues, it does not purport to be exhaustive. Boards
should satisfy themselves that all relevant internal control and risk management requirements
incumbent upon them, including those associated with the duty of quality, are properly
identified and suitably addressed. When addressing risks to the organisation, in particular
those which the organisation deems high/extreme to the achievement of key objectives, the
risk and actions identified across other organisational controls assurance standards need to
be considered.

The design of a risk management system will be influenced and tailored by the existing
structure of the NHS body, the services provided and the processes and specific practices
employed. Employment of a specific risk management approach for all organisations is,
therefore, difficult to achieve. However, common principles can be identified and these form
the basis for the standard. These common principles in large part originate from the

1
Although it has been replaced, organisations may, nevertheless, like to (cautiously) refer to the original
core Risk Management System standard (revision 01a, November 1999 – available at
www.controlsassurance.gov.uk and on CD-ROMs versions 3 & 4), which contains useful guidance,
much of it still pertinent to this standard.

© Crown Copyright 2003 Rev. 04 (October 2003) Page 1 of 22

Australian/New Zealand Standard on risk management, which defines a set of generic
principles for establishing a risk management system in any organisation. This standard has
been licensed for the NHS in England and the full standard is included on Controls Assurance
CD-ROMs volumes 1 to 5. Organisations are encouraged to make good use of the
information and guidance contained in AS/NZS 4360:1999.

Organisations should note that the results from this, together with those from the Governance
and Financial Management standards, contribute to an Internal Control/Controls Assurance
performance indicator for 2004. Acute/Specialist Trusts will also need to note the Infection
Control standard continues as an indicator in 2004 also.

© Crown Copyright 2003 Rev. 04 (October 2003) Page 2 of 22

 KEY REFERENCES

The majority of documents appearing on this page are downloadable in PDF

(Portable Document Format). Viewing these requires Adobe Acrobat Reader on
your computer. If you do not have this free software, you are advised to contact your
system administrator to arrange for a copy to be installed on your computer.
Alternatively Adobe Acrobat can be downloaded directly from Adobe's website
http://www.adobe.com/acrobat

The links below were all accurate at the time of publication

Association of Litigation and Risk Management (1999) A Protocol For The

Investigation And Analysis Of Clinical Incidents Association of Litigation and Risk
Management, London.
http://www.patientsafety.ucl.ac.uk/CRU-ALARMprotocol.pdf

Department of Health (2002). Assurance: The Board Agenda. Department of

Health, London
http://www.info.doh.gov.uk/doh/rm5.nsf/b7546ce4a0608579002565c4003bf709/4050
1688db18303680256bff003352af?OpenDocument

Department of Health (2003) Building the Assurance Framework: A Practical Guide

for NHS Boards. Department of Health, London
http://www.info.doh.gov.uk/doh/rm5.nsf/b7546ce4a0608579002565c4003bf709/ccee
8c7bab409a4d80256ced005cfabb?OpenDocument#Untitled%20Section

Department of Health. Building a safer NHS for Patients. Implementing an

Organisation with a Memory. April 2001
http://www.doh.gov.uk/buildsafenhs/buildsafenhs.pdf

Department of Health. (1999) Governance in the new NHS controls assurance

statements 1999/2000 Risk management and organisational controls. HSC
1999/123. 1999.
http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/8cb
87ab15a090349002567780031bbe3/$FILE/123HSC.PDF

Department of Health (1999) Insurance in the NHS: Employers'/public liability and

miscellaneous risk pooling. HSC 1999/021. 1999
http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/144
97017887113740025670d0034d268/$FILE/21HSC.PDF

Department of Health (2001) Reforming the NHS Complaints Procedure Department

of Health, London
http://www.doh.gov.uk/nhscomplaintsreform/reformingnhs.pdf

Department of Health (2000) An Organisation with a Memory. Report on an Expert

Group on Learning from Adverse Events in the NHS. The Stationery Office, London
http://www.doh.gov.uk/orgmemreport/

Department of Health (2001) Building a safer NHS for Patients. Implementing an

Organisation with a Memory. Department of Health, London.
http://www.doh.gov.uk/buildsafenhs/buildsafenhs.pdf

© Crown Copyright 2003 Rev. 04 (October 2003) Page 3 of 22

Department of Health (2002) Code of Conduct for NHS Managers. Department of
Health, London
http://www.doh.gov.uk/nhsmanagerscode/index.htm

Department of Health. (2001) Doing Less Harm. Department of Health, London.

http://www.doh.gov.uk/doinglessharm
Department of Health (2003). Making Amends: A consultation paper setting out
proposals for reforming the approach to clinical negligence in the NHS. A Report by
the Chief Medical Officer. Department of Health, London

Department of Health.(2003) Overview and Scrutiny of Health - Guidance.

Department of Health, London. July 2003.
http://www.doh.gov.uk/involvingpatients/oshguidance.pdf

Department of Health (2002). Supporting the implementation of a Patient Advice and

Liaison Service. Department of Health, London.
http://www.doh.gov.uk/patientadviceandliaisonservices/background.htm

Department of Health (2003) Priorities and Planning Framework. December 2001

http://www.doh.gov.uk/planning2003-2006/improvementexpansionreform.pdf

EPL(95)16 – Reporting of Incidents involving Buildings and Plant

www.knowledge.nhsestates.gov.uk

Financial Reporting Council (2003) The Combined Code on Corporate Governance.

Financial Reporting Council Limited, London
http://www.frc.org.uk/publications/content/CombinedCodeFinal.pdf

Great Britain (1979) Social Security (Claims and Payment) Regulations 1979 (as
amended) The Stationery Office, London.
http://www.hmso.gov.uk/si/si1987/Uksi_19871968_en_1.htm#end

Great Britain (1995) Reporting Injuries, Diseases and Dangerous Occurrences

Regulations 1995 The Stationery Office, London
http://www.hmso.gov.uk/si/si1995/Uksi_19953163_en_1.htm

Health & Safety Executive (2003). 'Interventions to control stress at work in hospital
staff'. HSE, London
http://www.hse.gov.uk/research/crr_htm/2002/crr02435.htm.

Health at Work Key Indicators report on accidents in the NHS Health Services
Advisory Committee (1997) Management of health and safety at work in the health
services. ISBN 0717608441 HSE Books
http://www.hsedirect.com/

HM Treasury (2000) Corporate Governance: Statement on internal control.

DAO(GEN)13/00.
http://www.hm-treasury.gov.uk (Document not publicly accessible)

HM Treasury (2003) Corporate Governance: Statement on Internal Control.

DAO(GEN) 9/03. HM Treasury, London.
http://www.hm-treasury.gov.uk (Document not publicly accessible)

HM Treasury (2001) Management of Risk a Strategic Overview. HM Treasury,

London.

© Crown Copyright 2003 Rev. 04 (October 2003) Page 4 of 22

http://www.cabinet-office.gov.uk/civilservice/publications/RISK.PDF

Lord Chancellors Department (2001) Pre-action protocol for the resolution of clinical
disputes
http://www.lcd.gov.uk/civil/procrules_fin/contents/protocols/prot_rcd.htm

Lord Chancellors Department (2001) Pre-action protocol for the resolution of

personal injury claims
http://www.lcd.gov.uk/civil/procrules_fin/contents/protocols/prot_pic.htm

Lord Woolf’s Report (1996) Access to Justice. The Stationery Office, London.
http://www.lcd.gov.uk/civil/final/contents.htm

Medicines Control Agency (2002) Rules for Pharmaceutical Manufacturers and

Distributors. The Stationery Office, London
http://www.mca.gov.uk/inforesources/publications/orangeguide.htm

Medical Devices Agency (2003) Reporting Adverse Incidents and Disseminating

Medical Device Alerts MDA /2003/001*. Medical Devices Agency, London
http://www.medicaldevices.gov.uk/mda/mdawebsitev2.nsf/0/80E7B814649252B6802
56C98003DFF59?OPEN

NHS Appointments Commission (2003) Governing the NHS : A guide for NHS
Boards. The NHS Appointments Commission, London. 32291
http://www.doh.gov.uk/governingthenhs

NHS Chief Executives Bulletin 186 (2003) Statement on Internal Control 2003/04
Department of Health, London.
http://www.doh.gov.uk/cebulletin/internalcontrol0304.htm

National Audit Office 2000, Supporting Innovation: Managing risk in government

departments. The Stationery Office, London, HC 86f4 Session 1999-2000.
http://www.nao.gov.uk/publications/nao_reports/9900864.pdf

National Patient Safety Agency (2003) The Patient Safety Journey: Seven Steps to
Patient Safety. The National Patient Safety Agency, London.
Draft http://www.npsa.nhs.uk (expected release November 2003)

NHS Estates (various) Firecode. The Stationery Office, London.

www.knowledge.nhsestates.gov.uk

NHS Executive (1992) Risk Management in the NHS NHS Management Executive,
London.
http://www.info.doh.gov.uk/doh/rm5.nsf/b7546ce4a0608579002565c4003bf709/e362
d9817a7b4a59002565d40036c450/$FILE/RISKMAN.PDF

NHS Executive (1996) Guidance on Implementation of the NHS Complaints

Procedure. NHS Executive, London
http://www.doh.gov.uk/complaints/finalguidance.PDF

NHS Executive (1996) Management of food hygiene and food services in the
National Health Service. HSG (96) 20. The Stationery Office, London.

NHS Executive (1998) Handling Clinical Negligence Claims HSC 1998/183. 1998
including Pre-action protocols for personal injuries and resolution of clinical disputes

© Crown Copyright 2003 Rev. 04 (October 2003) Page 5 of 22

http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/8c6
efda2c245622d0025669f00393877/$FILE/183HSC.PDF

NHS Executive (1999) Good Practice Guide for Convenors HSC 1999/193. 1999
http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/647
156fa5101e5fa0025681900354ad7/$FILE/193HSC.PDF

NHS Executive (1999) Governance in the New NHS. Controls Assurance

Statements 1999/2000 Risk Management and Organisational Controls. HSC
1999/123. 1999.
http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/8cb
87ab15a090349002567780031bbe3/$FILE/123HSC.PDF

NHS Executive (1999) Guidelines for Implementing Controls Assurance in the NHS:
Guidance for Directors. NHS Executive, London
http://www.info.doh.gov.uk/doh/rm5.nsf/b7546ce4a0608579002565c4003bf709/8358
dc1c3591459d0025681e0051fd00?OpenDocument#Untitled%20Section

NHS Executive (2001) Governance in the New NHS: Controls Assurance Statements
2000/2001 and Establishment of the Controls Assurance Support Unit. HSC
2001/005. 2001
http://www.info.doh.gov.uk/doh/coin4.nsf/12d101b4f7b73d020025693c005488a9/bb9
04a2b6cec1f39002569fb00363f3b/$FILE/005hsc2001.pdf

Standards Australia (1999) Risk Management AS / NZS 4360:1999. Standards

Association of Australia. Strathfield NSW.
http://www.info.doh.gov.uk/doh/rm5.nsf/e38b211034b364b500256735003e21ae/824f
30c511a06e8900256b1b005f9216?OpenDocument

The Internal Control Working Party of the Institute of Chartered Accountants in

England and Wales (1999) Internal Control: Guidance for Directors on the Combined
Code: The Turnbull Report, Institute of Chartered Accountants, London
http://www.icaew.co.uk/viewer/index.cfm?AUB=TB2I_6342&tb5=1

© Crown Copyright 2003 Rev. 04 (October 2003) Page 6 of 22

 INDEX OF RISK MANAGEMENT CRITERIA
Criterion 1
Board level responsibility for risk management is clearly defined and there are clear
lines of individual accountability for managing risk throughout the organisation,
leading to the board.

Criterion 2
The organisation’s senior management has defined and documented its strategy for
managing risks, including objectives for, and its commitment to, risk management.
The risk management strategy is relevant to the organisation’s strategic context and
its goals, objectives and the nature of its business. Management ensures that the
strategy is understood, implemented and maintained at all levels of the organisation.

Criterion 3
A committee structure is in place, which supports the risk management accountability
arrangements within the organisation and ensures that all significant risks are
properly considered and communicated to the Board.

Criterion 4
An agreed process for reporting, managing, analysing and learning from adverse
incidents is in place, in accordance with NHS guidance.

Criterion 5
An agreed process for reporting, managing, analysing and learning from complaints
and claims is in place, in accordance with NHS guidance.

Criterion 6
A risk management process, based on the requirements of AS/NZS 4360:1999 and
covering all risks, is embedded throughout the organisation at all levels, including the
board, with key indicators being used to demonstrate performance. The whole
system of risk management is continuously monitored and reviewed by management
and the board in order to learn and make improvements to the system.

Criterion 7
All employees, including members of the Board, clinicians, managers, bank, locum
and agency staff, together with, where relevant, contractors and volunteers are
provided with appropriate risk management training.

Criterion 8
The board receives independent assurance(s) that a risk management system is in
place that meets the requirements of this standard.

© Crown Copyright 2003 Rev. 04 (October 2003) Page 7 of 22

Accountability Risk Management Accountability arrangements

CRITERION 1 RESPONSE %

Board level responsibility for risk management is clearly defined and there are
clear lines of individual accountability for managing risk throughout the
organisation, leading to the Board.

INFORMATION COMMENTS

Source
• Department of Health (2002). Code of
Conduct for NHS Managers
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW

Guidance
Implementation of risk management programmes
at all levels, especially at the corporate level, is a
challenge for all managers. Its success will
depend largely on the support of the Chief
Executive and senior management team. Critical
to this process is the involvement of clinicians –
nursing, medical and allied health professionals.

The ultimate goal of any risk management

programme is to make the effective management
of risk an integral part of everyday practice. This
can only be achieved if there is a comprehensive
and cohesive risk management system in place,
underpinned by clear accountability arrangements
throughout the organisational structure.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• The Chief Executive has overall responsibility

for risk management.
• An Executive Director(s) has been designated
accountable for implementation of risk
management/Controls Assurance.
• A Risk Management strategy has been
approved by and is owned by the Board.
• Clear lines of accountability for risk
management have been established
throughout the organisation.
• One or more persons are charged with the
responsibility for advising on and coordinating
risk management activities.

Refer to the NHS Litigation Authority RPST

Assessment Tool(s) for additional guidance.

Examples of Verification
• Risk management strategy has been
approved by the Board
• Job descriptions for executive directors and
senior managers

© Crown Copyright 2003 Rev. 04 (October 2003) Page 8 of 22

Accountability Risk Management Accountability arrangements

INFORMATION COMMENTS
• Job descriptions for specialist risk
management advisers
• Risk management organisational chart
• Assurance Framework in place
• Terms of reference for the audit committee
• Minutes of the audit committee
• Terms of reference of the Board sub-
committee(s) responsible for overseeing risk
management
• Minutes of the Board sub-committee(s)
responsible for overseeing risk management
• Minutes of the Board
• Copies of correspondence or minutes of
meetings of the executive directors with
responsibility for risk management
• Audits/checks of compliance with risk
management objectives, clinical and non-
clinical

© Crown Copyright 2003 Rev. 04 (October 2003) Page 9 of 22

Processes Risk Management Risk management strategy

RESPONSE %
CRITERION 2

The organisation’s senior management has defined and documented its

strategy for managing risks, including objectives for, and its commitment to,
risk management. The risk management strategy is relevant to the
organisation’s strategic context and its goals, objectives and the nature of its
business. Management ensures that the strategy is understood, implemented
and maintained at all levels of the organisation.

INFORMATION COMMENTS

Source
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Department of Health (2003) Building the
Assurance Framework
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW

Guidance
Management of risk should be integrated into the
philosophy of an organisation. A risk management
strategy should be developed, which provides the
organisation with strategic direction.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• There is a Board-approved strategy for risk

management, which is reviewed annually.
• The risk management strategy includes a list
of key objectives for managing risk and is
relevant to the organisation’s strategic aims
and objectives and the nature of its services.
• The strategy takes a holistic approach to the
management of risk across the organisation
and sets out the organisation’s attitude to risk.
• The strategy clearly describes the process for
reviewing the organisation’s performance with
regard to the management of risk.
• The strategy contains guidance on
acceptable risk and for the management of
situations in which control failure leads to
material realisation of risk.
• The strategy includes reference to other risk
management policies/procedures.
• Individual directorates/departments maintain
local strategies that reflect their individual risk
profile.
• The strategy specifies how new activities
should be assessed for risk and incorporated
into risk management structures.
• The strategy takes full account of shared risks
and those owned elsewhere (eg independent
contractors).

Refer to the NHS Litigation Authority RPST

© Crown Copyright 2003 Rev. 04 (October 2003) Page 10 of 22

Processes Risk Management Risk management strategy

INFORMATION COMMENTS
Assessment Tool(s) for additional guidance.

Examples of Verification
• Risk management strategy
• Minutes of the Board
• Assurance Framework in place
• List of internal and external stakeholders
• Evidence of the risk management strategy
being linked to the strategic/corporate plan
• Specialist risk management policies and
procedures
• Risk management organisational chart
• Evidence of strategy distribution to staff and
availability to other stakeholders
• Local risk management strategies

© Crown Copyright 2003 Rev. 04 (October 2003) Page 11 of 22

Accountability Risk Management Risk management committee

CRITERION 3 RESPONSE %

A committee structure is in place, which supports the risk management

accountability arrangements within the organisation and ensures that all
significant risks are properly considered and communicated to the Board.

INFORMATION COMMENTS

Source
• Department of Health (2002). Code of
Conduct for NHS Managers
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
• Department of Health (2001). Audit
Committee Handbook
• Department of Health (1999) Guidelines for
Implementing Controls Assurance: Guidance
for Directors

Guidance
The full benefit of risk management will only be
achieved if there is a comprehensive and
cohesive system in place, underpinned by an
organisation-wide risk management organisational
structure.

To ensure that all significant risks are properly

considered and communicated to the Board,
Boards of NHS Trusts should ensure they have
sub-committee(s) for overseeing risk management
within their organisations.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• There is a Board sub-committee(s) with

responsibility for overseeing all aspects of risk
management.
• The role and responsibilities of the
committee(s) responsible for overseeing risk
management activities is/are clearly defined
to ensure that any separations of clinical,
financial and organisational risks are kept
under review.
• The Chief Executive and the designated
Executive Director(s) with responsibility for
specific aspects of risk management are
members of the committee.
• There is at least one Non-Executive Director
as a member of the committee.
• The committee’s responsibility includes
organisation wide co-ordination and
prioritisation of risk management issues.
• The committee(s) responsible for risk
management issues oversee the work of any
specialist risk management groups, and these

© Crown Copyright 2003 Rev. 04 (October 2003) Page 12 of 22

Accountability Risk Management Risk management committee

INFORMATION COMMENTS
specialist groups report directly to it.
• The role of the Audit Committee in reviewing
and providing assurance on the systems in
place to manage risk is clearly defined.

Refer to the NHS Litigation Authority RPST

Assessment Tool(s) for additional guidance.

Examples of Verification
• Risk management strategy
• Terms of reference for committees
• Risk management organisational chart
• Minutes of meetings
• Annual risk management reports
• Schemes of delegation
• Annual report
• Committee objectives
• Agendas and supporting documentation

© Crown Copyright 2003 Rev. 04 (October 2003) Page 13 of 22

Processes Risk Management Adverse incident procedures

CRITERION 4 RESPONSE %

An agreed process for reporting, managing, analysing and learning from

adverse incidents is in place, in accordance with NHS guidance.

INFORMATION COMMENTS

Source
• Department of Health. Doing Less Harm . A
consultation document. August 2001
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
• National Patient Safety Agency (2003) Seven
Steps to Patient Safety [expected November
2003]

Guidance
Incident reporting is a fundamental tool of risk
management, the aim of which is to collect
information about patient safety incidents,
including near misses and hazards, which help to
facilitate wider organisational learning.

Incidents, if not properly managed, may result in

loss of public confidence in the organisation, loss
of assets and unnecessary proliferation of loss.

This criterion introduces terms for patient safety

incidents to be promulgated by the NPSA from
November 2003.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• There is a Board-approved policy/procedure

for recording, reporting, analysing and
managing incidents in line with national
guidance.
• The policy/procedure is based upon a
standard definition of patient safety incidents.
The new NPSA definitions should be
introduced to local policies.
• The policy/procedure promotes a ‘just and fair
blame’ approach towards incident reporting.
• All reported incidents and causal factors are
classified and categorised in accordance with
the standardised classification for the
National Reporting and Learning System and
the NPSA root cause analysis toolkit.
• The policy/procedure states that all incidents
must be reported promptly and a patient
safety incident form completed and submitted
to the risk manager (or equivalent) and
then/or directly to the NPSA.
• The policy/procedure states that management
actions and preventative measures taken
must be recorded
• All reported incidents are graded according to

© Crown Copyright 2003 Rev. 04 (October 2003) Page 14 of 22

Processes Risk Management Adverse incident procedures

INFORMATION COMMENTS
severity of outcome and potential future risk
to patients and/or the organisation
• A policy/procedure on incident investigation
and root cause analysis conforming to the
NPSA toolkit is in place that contains a clear
protocol to be followed.
• For serious/high-impact patient safety
incidents that could have an adverse effect
upon staff, patients or the public the
policy/procedure requires a mechanism in
place to inform the Board and the NPSA.
• All incidents are reported on a standard
form(s), which may be paper-based or
electronic, and which captures the NPSA
NRLS dataset as a minimum.

Refer to the NHS Litigation Authority RPST

Assessment Tool(s) for additional guidance.

Examples of Verification
• Incident reporting policy/procedure
• Incident report form and guidelines for
completion
• Use of NPSA dataset mapped or locally
configured
• Incident investigation reports
• Trend analysis reports
• Minutes of the committee(s) responsible for
overseeing risk management
• Copies of reports to NPSA and other relevant
external bodies and stakeholders
• Induction training programmes
• Completed incident report forms
• Relevant correspondence
• Action plans and follow up reports
• Major incident policy

© Crown Copyright 2003 Rev. 04 (October 2003) Page 15 of 22

Processes Risk Management Complaints and claims procedures

CRITERION 5 RESPONSE %

An agreed process for reporting, managing, analysing and learning from

complaints and claims is in place, in accordance with NHS guidance.

INFORMATION COMMENTS

Source
• Department of Health (2001) Building a safer
NHS for Patients. Implementing an
Organisation with a Memory Department of
Health, London
• Department of Health (2001) Reforming the
NHS Complaints Procedure Department of
Health, London
• Department of Health (2002) Supporting the
implementation of a Patient Advice and
Liaison Service
• Lord Chancellors Department (2001) Pre-
action protocol for the resolution of clinical
disputes
• Lord Chancellors Department (2001) Pre-
action protocol for the resolution of personal
injury claims
• NHS Executive (1996) Guidance on
Implementation of the NHS Complaints
Procedure. NHS Executive, London
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW
• National Patient Safety Agency (2003) Seven
Steps to Patient Safety [expected November
2003]

Guidance
Competent handling of complaints can assist in
improving the quality of care and minimising
claims by listening to the voice of service users
and using this as an opportunity for the
organisation to learn from complainants.
Complaints and claims when examined in
conjunction with reported incidents, accidents and
near misses allow trends to be identified at both a
local and strategic level. This leads to prevention
of recurrence or more serious incidents and
complaints occurring.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• There is a documented complaints procedure,

which meets NHS requirements and is
approved by the Board.
• There is a designated ‘complaints manager’
responsible for handling all complaints.
• A Patients Advice and Liaison Service (PALS)
in line with the core national standards and
evaluation framework for PALS is in place
and publicised to patients, users and visitors
• The arrangements for making complaints are
publicised to service users.

© Crown Copyright 2003 Rev. 04 (October 2003) Page 16 of 22

Processes Risk Management Complaints and claims procedures

INFORMATION COMMENTS
• Front line staff receive training and guidance
on the complaints procedure to enable them
to deal with complaints on the spot.
• The organisation has an effective system for
the recording of formal and informal
complaints.
• Independent review panels, when they are
required, are established in full accordance
with the NHS complaints procedure.
• All reported complaints are graded according
to severity as well as potential future risk to
patients and/or to the organisation.
• A policy/procedure on complaints
investigation and root cause analysis is in
place that contains a clear protocol to be
followed
• One or more persons are charged with the
responsibility for the management and co-
ordination of claims.

Refer to the NHS Litigation Authority RPST

Assessment Tool(s) for additional guidance.

Examples of Verification
• Complaints policy/procedure
• Claims handling policy/procedure
• Job descriptions
• Board reports
• Risk management (or equivalent) committee
reports
• Complaints committee reports
• Training needs analyses
• Training programmes
• Training evaluation forms
• Induction programme
• Complaints leaflets and posters
• PALS publicity leaflets and posters
• Complaints files
• Independent review reports
• Evidence of claims management training
• Quarterly claims reports from solicitors and
the NHS Litigation Authority
• Evidence of claim settlement negotiations

© Crown Copyright 2003 Rev. 04 (October 2003) Page 17 of 22

Monitoring and review Risk Management Risk management process

CRITERION 6 RESPONSE %

A risk management process, based on the requirements of AS/NZS 4360:1999

and covering all risks, is embedded throughout the organisation at all levels,
including the Board, with key indicators being used to demonstrate
performance. The whole system of risk management is continuously monitored
and reviewed by management and the Board in order to learn and make
improvements to the system.

INFORMATION COMMENTS

Source
• NHS Chief Executive Bulletin 186 (2003)
Statement on Internal Control 2003/2004
• Department of Health (2003) Building the
Assurance Framework
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW

Guidance
The organisation must be aware of its risk profile
across its entire range of activities. Specific risk
assessments will have been undertaken but in
order to prioritise action an organisation-wide
review is necessary to ensure that all exposures
are duly considered.

“Key risks”, sometimes termed “principal risks”,

are those which have significant potential to impair
or affect the operational or financial ability of the
organisation to deliver services/meet objectives,
and may be strategic or operational in nature. A
comprehensive assessment of risks must be
carried out, creating a continuum of risk
assessments across the length and the breadth of
the organisation encompassing all risks.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• Risks are systematically identified, recorded,

assessed and analysed on a continuous
basis.
• A comprehensive risk register is maintained
on an ongoing basis for all units (e.g.
directorates, departments, functions or sites)
for significant projects, and for the
organisation as a whole. The
corporate/organisation-wide risk register is
‘owned’ and regularly reviewed by the Board.
• The risk register should identify risks in a
consistent and structured way, show
dependencies, and ensure linkage between
principal and other key risks.
• There should be a mechanism for managing
relationship risk, ie service partners/key
suppliers taking into account the behaviour
and risk priorities of those partners.
• Common terminology for risk activities, taking

© Crown Copyright 2003 Rev. 04 (October 2003) Page 18 of 22

Monitoring and review Risk Management Risk management process

INFORMATION COMMENTS
into account national guidelines, is applied
throughout the organisation.
• For all risks identified as requiring treatment,
actions are determined, appropriately
recorded and implemented in order of priority
using appropriate decision-making tools (e.g.
risk ranking or cost-benefit analysis) where
relevant
• The Board is informed of and, where
necessary, consulted on all
principal/significant risks and associated risk
treatment plans on a continuous basis. Any
risk exposure should be recorded and
exposure justified. Adequate contingency
plans should be in place.
• All relevant stakeholders, including staff, are
kept informed of the management of
significant risks faced by the organisation.
• Key indicators capable of showing
improvements in management of risk and/or
providing early warning of risk are used at all
levels of the organisation, including the board,
and the efficacy and usefulness of the
indicators is reviewed regularly.
• An annual report is produced for the board to
demonstrate the risk management system’s
continuing suitability and, effectiveness in
satisfying the organisations risk management
policy and strategy.

Refer to the NHS Litigation Authority RPST

Assessment Tool(s) for additional guidance.

Examples of Verification
• Risk management strategy
• Risk identification tools
• Hazard reporting policy and forms
• Risk assessment tools and forms
• Completed risk assessments
• Risk treatment options
• Evidence of risk treatment
• Business plans
• Annual report
• Risk registers
• Minutes of committees
• Job descriptions
• Training programmes
• Action plans
• Evidence of communication with stakeholders
• Evidence of communication with staff
• Assurance Framework in place
• Monitoring and review procedure
• Performance indicators
• Evidence of monitoring and review
• Board minutes
• Patient surveys
• Incident, complaints and claims analysis

© Crown Copyright 2003 Rev. 04 (October 2003) Page 19 of 22

Capability Risk Management Staff training

RESPONSE %
CRITERION 7

All employees, including members of the Board, clinicians, managers, bank,

locum and agency staff, together with, where relevant, contractors and
volunteers are provided with appropriate risk management training.

INFORMATION COMMENTS

Source
• NHS Chief Executive Bulletin 186 (2003).
Statement on Internal Control 2003/2004.
• Standards Australia (1999) Risk Management
AS / NZS 4360:1999. Standards Association
of Australia. Strathfield NSW

Guidance
This contributes to the organisation’s risk
management culture, which needs to be
embedded at all levels throughout the
organisation.

An appropriate training programme is an important

means of achieving competence and helps to
ensure compliance with safe working practices.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• The organisation has assessed and delivered

the level of risk management training that is
needed throughout.
• Training records are kept, monitored and
reviewed and inadequate attendance
rectified.
• Induction for all new starters includes risk
management training.
• The organisation can demonstrate that risk
management training is effective through
monitoring and review.
• Employees with responsibility for co-
ordinating and advising on aspects of risk
management have adequate training and
development to fulfil their role.

Refer to the NHS Litigation Authority RPST

Assessment Tool(s) for additional guidance.

Examples of Verification
• Training needs assessment
• Training prospectus
• Local training needs assessment
• Training records
• Reports on attendance levels
• Induction programme
• Local induction procedures
• Training objectives
• Evidence of review of training objectives
• Training course evaluations

© Crown Copyright 2003 Rev. 04 (October 2003) Page 20 of 22

Audit Risk Management Independent assurance

CRITERION 8 RESPONSE %

The Board receives independent assurance(s) that a risk management system

is in place that meets the requirements of this standard.

INFORMATION COMMENTS

Source
• Department of Health (2002) Assurance: The
Board Agenda
• Department of Health (2003) Building the
Assurance Framework
• NHS Chief Executive Bulletin 186 (2003)
Statement on Internal Control 2003/2004.
• NHS Executive (1999) Governance in the
New NHS. Controls Assurance Statements
1999/2000 Risk Management and
Organisational Controls. HSC 1999/123.
1999.

Guidance
Reviews by independent bodies will assist
organisations in demonstrating performance, and
also in highlighting areas that need to be
addressed. This will give the organisation
assurance that controls are working satisfactorily
and that local and national targets are being met.
A number of review bodies have direct access to
controls assurance information and reports on
performance produced by these bodies should be
given due consideration.

The following sub-criteria will help in deciding

whether the key requirements of the main criterion
are being met:

• The role of the Audit Committee in reviewing

and providing assurance on the risk
management systems in place is clearly
defined.
• The role of the internal audit function in
reviewing and providing verification on the
systems in place for risk management is
clearly defined.
• The internal audit function, aided as
necessary by relevant technical specialists,
carries out periodic reviews to provide
assurances to the organisation that a suitable
risk management system is in place and
working properly taking into consideration
reviews by other review bodies.
• The organisation has a system in place to
ensure that reviews carried out by external
agencies are effectively coordinated and any
recommendations implemented.
• Reports are presented to the Audit Committee
and copied to the overarching committee(s)
responsible for risk and any other relevant
committee/group.

Refer to the NHS Litigation Authority RPST

Assessment Tool(s) for additional guidance.

© Crown Copyright 2003 Rev. 04 (October 2003) Page 21 of 22

Audit Risk Management Independent assurance

Examples of Verification
• Assurance Framework is in place
• Audit Committee minutes
• Internal audit report(s)
• Internal audit statement to Chief Executive
• Risk Management Committee minutes
• Clinical Governance Committee minutes

© Crown Copyright 2003 Rev. 04 (October 2003) Page 22 of 22