
Risk Management Strategy 

Post Holder Responsible for Policy: Head of Risk Management
Directorate Responsible for Policy: Quality Directorate
Contact Details: Salisbury District Hospital, 01722 336262 X2496
Date Written: September 2017
Date Revised: December 2017
Approved By: Trust Board
Date Approved: December 2017
Next Due for Revision: December 2020
Date Policy Becomes Live: December 2017

Version Information

Version No.:
Author: Head of Risk Management
Review Date: December 2020
Description of Changes:
  •   All sections – minor updates to reflect correct processes.
  •   Section 6 – updated to reflect current practice with the Board Assurance Framework.
  •   Section 7 – updated to reflect current practice, including changes within the Executive Performance Review process.
  •   Section 9 – risk management strategic objectives reviewed; KPIs updated to include Finance and Organisation and People.
  •   Section 10 – amendments to roles and responsibilities.
  •   Appendices updated.

Table Of Contents

Purpose of the Risk Management Strategy
Responsibility for Risk Management
Promoting a Fair and Open Culture
Strategic Goals
Compliance and Assurance
The Trust Risk Register
Risk Management Policy
Strategic Objectives 2016/17
Accountability and Responsibility Arrangements
Organisational Arrangements and Risk Management Structure
Ensuring Compliance with National Standards
Monitoring and Review



1.1 Risk Management is an integral part of Salisbury NHS Foundation Trust’s (SFT) management activity and is a fundamental pillar in embedding high quality, sustainable services for the people of Salisbury and the surrounding area. As a complex organisation delivering a range of services in a challenging financial environment, we accept that risks are an inherent part of the everyday life of the Trust. Effective risk management processes are central to providing the SFT Board with assurance on the framework for clinical quality and corporate governance.


1.2 The stated vision for Salisbury NHS Foundation Trust is to provide an outstanding experience for every patient, delivering health care services to the local community and those referred from further afield into specialist services. To ensure that the care provided at SFT is safe, effective, caring and responsive for patients, the board must be founded on and supported by a strong governance structure.


1.3 SFT is committed to developing and implementing a risk management strategy that will identify, analyse, evaluate and control the risks that threaten the delivery of its critical success factors. The board assurance framework (BAF) will be used by the Assuring Committees and Board to identify, monitor and evaluate risks to the achievement of the strategic objectives. It will be used alongside other key management tools, such as integrated performance reports, quality dashboards, and financial reports, to give the Board a comprehensive picture of the organisational risk profile.


1.4 The management of risk underpins the achievement of the Trust’s objectives. SFT believes that effective risk management is imperative not only to provide a safe environment and improved quality of care for service users and staff, but also in the financial and business planning process, where a successful and competitive edge and public accountability in delivering health services are required. This illustrates that risk management is the responsibility of all staff.


1.5 The risk management process involves the identification, evaluation and treatment of risk as part of a continuous process aimed at helping the Trust and individuals reduce the incidence and impacts of the risks that they face. Risk management is therefore a fundamental part of both the operational and strategic thinking of every part of service delivery within the organisation. This includes clinical, non-clinical, corporate, business and financial risks.


1.6 The Trust is committed to working in partnership with staff to make risk management a core organisational process and to ensure that it becomes an integral part of the Trust philosophy and activities. The risk management strategy represents a developing and improving approach to risk management which will be achieved by building and sustaining an organisational culture, which encourages appropriate risk taking, effective performance management and accountability for organisational learning in order to continuously improve the quality of services.


1.7 The Trust Board recognises that complete risk control and/or avoidance is impossible, but risks can be minimised by making sound judgements from a range of fully identified options and by having a common understanding of risk appetite.


1.8 As part of the Annual Governance Statement, SFT will make a public declaration of compliance against meeting risk management standards. The Trust currently has good systems and processes for risk management in place, as evidenced by internal and external audit opinion.


1.9 The strategy is subject to annual review and approval by the Trust Board.


Purpose of the Risk Management Strategy


2.1 The purpose of the Risk Management Strategy is to detail the framework within which the Trust leads, directs and controls the risks to its key functions in order to comply with Health and Safety legislation, NHS Improvement (NHSI) compliance requirements, key regulatory requirements such as those of the Care Quality Commission, and its strategic objectives. The risk management strategy underpins the Trust’s performance and reputation, and is fully endorsed by the Trust Board.


Responsibility for Risk Management


3.1 The success of the risk management programme is dependent on the defined and demonstrated support and leadership offered by the Trust Board as a whole.


3.2 However, the day-to-day management of risk is the responsibility of everyone in our organisation at every level, and the identification and management of risks requires the active engagement and involvement of staff at all levels. Our staff are best placed to understand the risks relevant to their areas of work and must be enabled to manage these risks within a structured risk management framework.



Promoting a Fair and Open Culture



4.1 All members of staff have an important role to play in identifying, assessing and managing risk. To support staff, the Trust provides a fair, open and consistent environment which does not seek to apportion blame. In turn, this will encourage a culture and willingness to be open and honest in reporting any situation where things have gone, or could go, wrong. Exceptional cases may arise where there is clear evidence of wilful or gross neglect contravening the Trust’s policies and procedures and/or gross breaches of professional codes of conduct; these will be managed and referred accordingly.


Strategic Goals


5.1 To ensure that the Trust remains within its licensing authorisation as defined by NHSI and to deliver a risk management framework which highlights to the Executive Team and Trust Board any risks which may prevent the Trust from complying with its provider licence.


5.2 Continued development of the Board Assurance Framework (BAF) to ensure that organisation wide strategic risks are identified. The BAF enables the Board to demonstrate how it has identified and met its assurance needs and is also the vehicle for informing the Annual Governance Statement.


5.3 To ensure that Risk Management policies are implemented ensuring that:


  •   All risks, including business risks, service development risks, and project risks, are being identified through a comprehensive and informed Risk Register and risk assessment process.

  •   The open reporting of adverse events/incidents is encouraged and learning is shared throughout the organisation.


5.4 To monitor the effectiveness of Risk Management Policies and procedures via the monitoring of agreed Key Performance Indicators.


5.5 To further develop the organisational safety culture and its effectiveness through implementation of local, regional and national Patient Safety interventions.


5.6 To ensure that the Trust can demonstrate compliance with the statutory Duty of Candour ensuring that it maintains a consistent open and honest culture, involving patients and families in investigations where appropriate.


5.7 To ensure that all individuals within the organisation are aware of their role, responsibilities and accountability with regard to Risk Management.


5.8 To ensure that the structure and process for managing risk across the organisation is reviewed and monitored annually.


5.9 To ensure compliance with NHSI, Care Quality Commission registration requirements, and Health and Safety Standards.


Compliance and Assurance


6.1 NHSI has implemented a ‘Single Oversight Framework’ to provide a clear compliance framework under which all Trusts are able to demonstrate that they are remaining within their agreed provider licence. It is therefore imperative that the Trust is aware of any risks (e.g. associated with new business or service changes) which may impact on its ability to adhere to this framework.


6.2 The Board Assurance Framework provides the Trust Board with a vehicle for satisfying itself that its responsibilities are being discharged effectively. It identifies, through assurance, where aspects of service delivery are being met to satisfy internal and external requirements. In turn it will inform the Board where the delivery of principal objectives is at risk due to a gap in control and/or assurance. This allows the organisation to respond rapidly.


6.3 All NHS bodies are required to sign a full Annual Governance Statement (AGS) and must have the evidence to support this Statement. The Assurance Framework brings together this evidence.


6.4 In order to identify the risks against delivery of principal objectives and gaps in control/assurance the Trust Board must have a comprehensive Performance Management Reporting framework. The Trust Board must agree its own indicators for Performance Reports which will act as assurance on service delivery and quality. Any significant gaps in assurance or control within the Performance reports must be identified, translated onto the Board Assurance Framework and remedial action agreed.


6.5 The Board Assurance Framework is reviewed bi-monthly, in its entirety, by the Trust Board. The Framework identifies the principal risks facing delivery of the Trust’s strategic objectives and informs the Trust Board how each of these risks is being managed and monitored effectively. Every risk on the BAF is assigned to an Executive Director who is responsible for reporting on progress to the Board of Directors. An Assurance Committee is also identified for each principal risk to assure the Trust Board that it is being monitored, that gaps in control and assurance are identified, and that processes are put into place to minimise the risk to the organisation.


6.6 The designated Assurance Committees of the Trust Board are the Clinical Governance Committee (Clinical Risk), the Finance and Performance Committee (Financial and Performance Risk), and the Executive Workforce Committee (Workforce and Health and Safety Risk). The Audit Committee monitors the Assurance Framework process overall biannually.


6.7 It is the responsibility of the Assurance Committees to report to the Trust Board, any new risks identified and gaps in assurance/control, as well as positive assurance on an exception basis. If a significant risk to the Trust’s service delivery or gap in control/assurance is identified then this should be reported immediately via the Executive Directors (see Appendix C).



6.8 The Board Secretary shall work closely with the Executive Lead for Risk (Director of Nursing), Medical Director, Chief Operating Officer, Director of Finance, Director of Organisational Development and People, Director of Corporate Development and Head of Corporate Governance to ensure that the BAF remains dynamic and is integral to the Business Planning cycle.


6.9 If at any time performance reporting and risk management processes indicate that the Trust will not meet a current or future regulatory requirement/target then the Board must notify NHSI via an Exception Report.


The Trust Risk Register


7.1 Each Department will continue to carry out risk assessments, which are held on Datix. A single framework for the assessment, rating, and management of risk is to be used throughout the Trust; this process is described in detail within the Risk Management Policy and Procedure (intranet), alongside how department risk registers are escalated, where appropriate, to the directorate risk register.


7.2 Each Directorate will continue to maintain a comprehensive risk register, which will be formally reviewed in full at quarterly intervals, with key headlines and top risks presented monthly through the Executive Performance Meetings. At these meetings the directorates will be expected to report on their directorate risk register (risks scoring 12 or above that require executive knowledge and support), highlight any new or emerging risks that threaten their service delivery or Directorate objectives, and present action plans for minimising and managing these risks. The performance meeting should identify those departmental risks which also pose a corporate threat and so require escalation to the Trust’s Corporate Risk Register. The risk register should be seen as a dynamic process, as the ranking/prioritisation of risks will change as risk reduction practices take place. The Directorate Management Committee (DMC) has responsibility for ensuring that all risks within the Directorate are appropriately graded and have sufficient actions in place to mitigate/reduce the risk.


7.3 The departmental and directorate risks identified at the performance meetings which impact on the corporate objectives are combined with the corporate risks on the Trust’s Corporate Risk Register, thus allowing for a bottom-up, top-down approach to identifying the Trust’s principal risks and informing the Board Assurance Framework. Risks can move up and down between risk registers depending on the control measures being implemented and their success. This proactive approach to risk management should be holistic and identify all risks to the organisation, including clinical, organisational, health and safety, business, marketing and financial risks.


7.4 There is a requirement to detail, for every risk on the risk register, the plan for the ongoing management of the risk, i.e. accept, tolerate or mitigate the risk. Where a decision is made to accept or tolerate the risk, it needs to be documented where the decision was made and agreed. Risks that require mitigation must have an action plan.



Risk Management Policy


8.1 Risk assessments carried out across the Trust must utilise the format as set out in the Risk Management Policy and Procedure (available on the intranet). This process for submission and review must be adhered to.


8.2 This strategy should also be read in conjunction with the following Risk Management Policies which are all available on the intranet:

  •   Risk Management Policy and Procedure

  •   Adverse Events Reporting Policy

  •   Serious Incidents Requiring Investigation Policy

  •   Duty of Candour and Being Open Policy


Strategic Objectives 2016/17


9.1 To monitor the effectiveness of the Risk Management processes and policies, the following strategic objectives have been set and will be monitored via the Clinical Risk Group, directorate Executive Performance Meetings and Assurance Committees.


  •   Monitoring of incidents to highlight trends and areas requiring further investigation/action:
        •   Provision of a monthly incident report card at the Clinical Risk Group to support theming of all incidents and monitoring of high harm incidents.
        •   Support to Directorates to enable them to monitor themes and trends in reporting within their directorate, departments and specialties, take remedial action, evidence learning and support wider sharing.
        •   Working with departments to evidence learning from incidents and feed back to teams. Linking with the Complaints and Litigation team to look at broader themes and learning.


  •   Embedding risk management at all levels of the organisation – creating a safety culture:
        •   Greater ownership of risks at a local level.
        •   Enhance the use of risk registers at Departmental and Directorate level.
        •   Evidence that dynamic risk registers are held within all departments covering key risks.
        •   Ensuring a transparent system for aggregation and escalation between departmental and Directorate risk registers and the Corporate Risk Register and Assurance Framework.
        •   Undertake a review of Datix functionality with a view to enhancing reporting of risk and analysis of reporting trends and culture.


  •   Leading and supporting staff and promoting reporting:
        •   Ensure all staff are aware of their responsibility for reporting incidents.
        •   Utilise both formal and informal opportunities with staff for teaching.
        •   Participation in local meetings, M&M meetings and Clinical Governance Sessions.
        •   Monitor reporting patterns to identify areas/groups of staff who may not be reporting and investigate whether reporting patterns are reflective of risk activity.
        •   Introduction of ‘Patient Safety Drop-in Sessions’ and wall-mounted ‘Comments Boxes’ to support feedback from staff about safety concerns and potential resolutions.
        •   Board Safety Walkrounds to focus on staff safety concerns and seek resolution.


  •   Ensuring there is appropriate provision of training:
        •   Review existing in-house training provision in relation to risk management to identify gaps in training provision.
        •   Review current availability of training opportunities, both internal and external.
        •   Continued development of bi-monthly case-study-based RCA training with Customer Care for staff at all levels of the organisation.
        •   Delivery of Department/Directorate specific training to enhance the user experience of Datix and showcase its functionality.


  •   Ensuring compliance with ‘Duty of Candour’ requirements:
        •   Ensure all staff are aware of their responsibilities through cascade of the Duty of Candour and Being Open Policy.
        •   Appropriate and responsive training as required, in liaison with the Head of Legal Services.
        •   Monitoring of incidents to ensure that they are graded appropriately.
        •   Where Duty of Candour is triggered, liaise with clinicians to ensure they are aware of the correct notification and follow-up procedures, feeding back to DMCs and teams where gaps are identified.
        •   Monitoring of Duty of Candour compliance at directorate Executive Performance Meetings.


The following KPIs are also in place:

  •   Achieve compliance with regulations and requirements as determined by NHSI.
  •   Maintain full registration with the Care Quality Commission, aiming for ‘good’.
  •   Be an above-average reporter of incidents when benchmarked against Trusts of a similar size (NRLS Report).
  •   Participate in the national and regional patient safety campaigns.
  •   Maintain a culture where staff feel risk management processes are fair and responsive, evidenced through the annual Staff Survey.
  •   Comply with contractual requirements associated with the reporting and management of Serious Incidents.
  •   Evidence shared learning from incidents through newsletters, departmental feedback, Executive Performance Meetings etc.
  •   Clearly identify and mitigate risks associated with delivery of the Workforce Strategy Key Performance Indicators via the Risk Register and Board Assurance Framework.
  •   Clearly identify and mitigate risks associated with the financial recovery plan via the Risk Register and Board Assurance Framework.



Accountability and Responsibility Arrangements


10.1 The Chief Executive


The Chief Executive is the Accountable Officer and has overall responsibility for Risk Management. The Chief Executive has delegated this responsibility to an Executive Lead for Risk (Director of Nursing). The Executive Lead for Risk is responsible for reporting to the Trust Board on the development and progress of Risk Management, and for ensuring that the Risk Management Strategy is implemented and evaluated effectively.


10.2 Executive and Non-Executive Directors


The Executive and Non-Executive Directors have a collective responsibility as a Trust Board to ensure that the Risk Management processes are providing them with adequate and appropriate information and assurances relating to risks against the Trust’s objectives.


The Executive and Non-Executive Directors are responsible for ensuring that they are adequately equipped with the knowledge and skills to fulfil this role. Risk Management training sessions can be accessed via the Risk Department, but as a minimum the Risk Manager and Executive Lead for Risk will co-ordinate an annual workshop and update for Trust Board members.

The Executive Directors are accountable and responsible for ensuring that the Corporate Directorates are implementing the Risk Management Strategy and related policies. They also have specific responsibility for managing the Trust’s principal risks, which relate to their Directorates. For example:


  •   The Director of Finance is responsible for managing the Trust’s principal risks relating to ensuring financial balance.
  •   The Director of Nursing is responsible for managing the principal risks relating to clinical quality, nursing workforce and, as DIPC, infection control.
  •   The Director of Organisational Development and People is responsible for managing the Trust’s principal risks relating to Health and Safety and Workforce planning.
  •   The Medical Director is responsible for managing risks associated with Medical Workforce planning and clinical effectiveness.
  •   The Chief Operating Officer is responsible for operational performance related risks.


These designated Directors sit on the appropriate Assurance Committees which cover their area of risk.


The Non-Executive Directors have a responsibility to scrutinise and, where necessary, challenge the robustness of systems and processes in place for the management of risk.


10.3 Head of Risk Management


The Head of Risk Management is responsible for:

  •   Maintaining and updating appropriate Risk Management Policies and procedures;
  •   Working with the Board Secretary to ensure there is a clear and dynamic link between the Board Assurance Framework and Corporate Risk Register;
  •   Ensuring the Trust has a comprehensive and dynamic Risk Register and working with Directorate Management Teams to ensure that they understand their accountability and responsibilities for managing risks in their areas;
  •   Ensuring that Directorates know how to access their incident data;
  •   Ensuring information is provided on incident data to the Clinical Governance Committee and Trust Board;
  •   Presenting risk reports at the CCG Clinical Quality Review Meeting (CQRM) in line with contract requirements;
  •   Producing and coordinating Risk Management training programmes in conjunction with the Patient Safety Facilitator and other departments such as Customer Care;
  •   Collaborating with external stakeholders key to Risk Management, e.g. Commissioners, CQC, NHSI and other Trusts;
  •   Ensuring that there is an appropriate and named point of contact for patients and families during the Serious Incident review process.


10.4 Board Secretary


The Board Secretary is responsible for:

  •   Co-ordinating the update of the Board Assurance Framework with the Executive Team to ensure that it is reviewed at the Assuring Committees and Trust Board.


10.5 Specialist Areas


The Head of Facilities has delegated responsibility for ensuring that safe systems of work are in place for the management of catering, transport, decontamination, security, and waste management risks.


10.6 Directorate Management Committees


Directorate Management Committees (DMCs) are accountable and have authority to ensure appropriate risk management processes are implemented within their respective directorates and areas of authority. Each member of the DMC should be aware of their clear lines of accountability for risk. Each Directorate Management Committee is required to:

  •   Work proactively to achieve the Trust’s Key Performance Indicators for Risk Management.
  •   Understand and implement the Risk Management Strategy and related policies.
  •   Ensure that appropriate and effective risk management processes are in place within their delegated areas.
  •   Ensure Directorate activity is compliant with national risk management standards and safe practices, alerts etc.
  •   Develop specific objectives within their service plans which reflect their own risk profile and the management of risk.
  •   Risk assess all business plans/service developments, including changes to service delivery.
  •   Ensure that risk assessments, both clinical and non-clinical, are undertaken throughout their areas of responsibility. The risks identified will be prioritised and action plans formulated. These action plans will be monitored through the performance meetings.
  •   Maintain a directorate risk register (clinical, non-clinical and financial), formally reporting high and extreme risks via the performance meetings.
  •   Report all incidents, including near misses, in accordance with the Adverse Events Reporting Policy and identify action taken to reduce or eliminate further incidents.
  •   Undertake investigation into all serious incidents, in accordance with the Adverse Events Reporting Policy, providing evidence of local resolution and learning.
  •   Disseminate learning and recommendations made as a result of incident investigations, clinical reviews, and serious incident inquiries within their areas of responsibility, ensuring recommendation outcomes are fed back to the Head of Risk Management.
  •   Monitor and report on the implementation and progress of any recommendations made which fall within their area of responsibility, i.e. within the Directorate.
  •   Ensure that all staff are made aware of risks within their working environment and their personal responsibilities within the risk management framework.
  •   Identify their own training needs to fulfil the function of managing risk as a senior manager. As a minimum, ‘Risk’ updates will be provided via the Directorate performance meetings. Further training can be accessed via the Risk Department.


10.7 Departmental Managers/Clinical Leads


Departmental Managers/Clinical Leads are accountable and have authority for the following:


  •   Ensuring that appropriate and effective risk management processes are in place within their designated area(s) and scope of responsibility, as per this Strategy and related Risk Management Policies.
  •   Ensuring that adverse events are reported, reviewed and investigated thoroughly and in a timely way.
  •   Ensuring that staff receive feedback about incidents reported and remedial actions put in place, and are encouraged to engage in the resolution of problems and in sharing learning more widely.
  •   Ensuring that the grading of incidents is appropriate and that the regulated actions are taken where Duty of Candour is triggered.
  •   Disseminating learning and implementing recommendations made as a result of incident investigations, clinical reviews, and serious incident inquiries within their area of responsibility.
  •   Monitoring and reporting on the implementation and progress of any recommendations made which fall directly within their area of responsibility, i.e. within the Department.
  •   Maintaining a dynamic departmental risk register.
  •   Ensuring that where high or extreme risks are identified these are brought to the attention of the Directorate Management Team for inclusion on the Directorate Risk Register.
  •   Ensuring that all staff are made aware of these risks within their work environment and are aware of their individual responsibilities for raising concerns.
  •   Ensuring that all staff have appropriate information, instruction, and training to enable them to work safely.
  •   Ensuring that all new staff attend Trust Induction, receive a departmental induction and are released for mandatory training.


10.8 All Staff


All Staff are required to:


  •   Be conversant with the Risk Management Strategy and have a working knowledge of all related risk policies.
  •   Comply with Trust policies, procedures and guidelines to protect the health, safety, and welfare of any individuals affected by Trust activity.
  •   Acknowledge that risk management is integral to their working practice within the Trust.
  •   Report all incidents and near misses in accordance with the Adverse Events Reporting Policy and take action to reduce or eliminate further incidents.
  •   Report any risk issues to their line manager.
  •   Participate in the investigation of any adverse events as requested.
  •   Attend mandatory training appropriate to their role.



Organisational Arrangements and Risk Management Structure


11.1 A diagram illustrating the committee structure is given in Appendix B. A summary of the Assurance Committees’ terms of reference can be found in Appendix A.


11.2 The Risk Management Team supports and co-ordinates risk management activity; the Risk Management Team structure is detailed in Appendix C.


Ensuring Compliance with National Standards


12.1 The Risk Team is responsible for facilitating and ensuring compliance with core risk standards.


12.2 The Head of Risk Management works in collaboration with the Head of Clinical Effectiveness and the Chief Executive's Office to ensure compliance with the Care Quality Commission outcomes, and formulates and monitors action plans pertinent to risk.


12.3 The Patient Safety Facilitator works in collaboration with the Health and Safety Committee to ensure compliance with Health and Safety Standards.


Monitoring and Review


This strategy shall be reviewed annually by the Trust Board.

The Head of Risk shall monitor that the process for managing risk locally is being complied with as per this Strategy and the Risk Management Policy and Procedure; this shall be reported at the Directorate performance meetings and within the annual report.

The overall implementation of this strategy shall be monitored through the annual internal audit review.









Organisational Chart of Risk Management Committees: RMS Appendix A.pdf

Organisation Chart for Risk Management Team: RMS Appendix B.pdf

Assurance Framework Report to Trust Board: RMS Appendix C.docx



Page Last Updated: 19/12/2017 12:19 
Printed from Salisbury NHS Foundation Website