Risk Management
Introduction
Risk management is like the brain and the nervous system. When working well it provides clear direction, anticipates danger, communicates, is inclusive, moves and acts; all the while giving out and receiving information so that the directors, and staff can take remedial action.
All actions contain inherent risks. Risk management is central to the effective running of any company. At its simplest, risk management is good management practice. It should not be seen as an end in itself, but as part of an overall management approach.
The core of risk management is to assess the uncertainty of the future to make the best possible decisions today. This policy and procedure outlines the arrangements for reporting incidents, accidents, and near misses (hereafter referred to as incidents), managing, analysing and learning from incidents and complaints and assessing risk which arise from MyPain’s activities.
Reporting of accidents and incidents is not only a legal requirement but is also part of MyPain’s risk management arrangements. Incident reporting is part of a management system, which is aimed at reducing or eliminating incidents. Therefore, all incidents will involve management action to a greater or lesser extent. For the more serious incidents and complaints, it may be necessary to manage them formally as a notifiable serious incident.
Incidents and complaints are very often the result of how our work places are being managed (system errors). It is important blame is not automatically attributed to the person who may be directly involved in an incident or complaint.
The incident and complaint management process is summarised in a flow chart in Appendix 1. It is recommended that all staff print out the flow chart and keep it to hand.
Usually concerns are easily resolved through a number of routes such as this Risk Policy, the Complaints Policy, the Quality Policy and other Policies or escalating them via our line management routes. Staff can also raise concerns through our Whistleblowing Policy.
Finally, the benefits of risk management are the benefits of better decisions: fewer surprises, improved planning, performance and effectiveness and improved relationships with stakeholders.
Definitions
Risk
Risk is the chance that something will happen that will have an impact on achievement of MyPain’s aims and objectives. It is measured in terms of likelihood (frequency or probability of the risk occurring) and severity (impact or magnitude of the effect of the risk occurring). See Risk Grading Tool – Appendix 2
Risk Management
Risk Management describes the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
Risk Management Process
Risk Management Process describes the systematic application of management policies, procedures and practices to the tasks of establishing the context; identifying, analysing, evaluating, treating, monitoring and communicating risk.
Serious Incidents
Serious incidents are events in health care where the potential for learning is so great, or the consequences to patients, families and carers, staff or organisations are so significant, that they warrant using additional resources to mount a comprehensive response. Serious incidents can extend beyond incidents which affect patients directly and include incidents which may indirectly impact patient safety or an organisation’s ability to deliver ongoing healthcare, or there is the perception that any of these has occurred.
Incident
Incident is any unintended or unexpected event which could have or did lead to harm for one or more patients receiving care. This may give rise to actual or possible personal injury, to patient dissatisfaction, a breach in confidentiality, or to property loss or damage. It includes adverse clinical events (an event or omission arising during the delivery of clinical care and causing physical or psychological injury to a patient).
This also includes an injury sustained by a staff member during the course of their work or an injury sustained as a result of a physical act of violence done to a person at work.
Hazard
Hazard is anything that has the potential to cause injury, damage or loss.
Work related illness
Work related illnesses are any disease or medical condition that may have resulted from a work-related activity. This is required to be supported by a certificate from a suitably qualified medical practitioner (i.e. a General Practitioner) or from an Occupational Health physician. e.g. for work related illnesses such as TB, MRSA, tenosynovitis, back injury, sharps injury.
Near miss
Near misses are incidents that did not cause harm but which may have had the potential to cause harm. These incidents provide valuable insight into areas of risk and where systems can be improved to prevent death or harm.
Complaints
Complaint is any expression of dissatisfaction requiring a response, communicated verbally, electronically or in writing.
Any patient, their carer, representative or a member of the public affected or likely to be affected by the actions, omissions or decisions taken by MyPain may make a complaint.
Whenever there is a statement that a person wishes their concern to be treated as a complaint, it must be treated as such.
Duty of candour
Duty of Candour is the duty to notify (in person /can be verbal) a service user (patient or person acting lawfully on their behalf if they lack capacity) and providing a truthful account of the facts known, about a significant patient safety incident.
Significant includes moderate and severe harm incidents and death.
An investigation will be carried out and an apology provided. The apology should be “an expression of sorrow or regret in respect of the incident.”
Our Intent
MyPain directors are committed to leading the company in delivering a quality service, quality of care and safety for our patients, staff and visitors and to meet governance standards.
The key principles of MyPain’s Risk Policy are:
Essential provision of feedback to staff;
Effective implementation of the Risk Management Strategy;
Analysis of data to provide an overview of all incidents and complaints;
Effective reporting to statutory agencies, e.g. the Care Quality Commission, Health and Safety Executive, Medicines and Healthcare products Regulatory Agency etc.; (Appendix 3)
Mitigate loss of reputation or assets of MyPain and our staff;
Open and honest communication with patients;
An open and learning culture is fostered.
MyPain’s Duty of Care means that should the content or operation of this policy be challenged on any grounds, the impact on the past, present or future duty of care to patients will be taken to be a primary factor in deciding the outcome of that challenge.
Scope
This policy covers all types of incidents, near misses and complaints whether clinical, medical device related or non-clinical, serious or minor and no matter who or what is involved, conducted in all areas of our business; and is therefore intended for use by all staff, agency and contractors engaged on MyPain work in respect of any aspect of that work.
This policy also applies to patients and visitors and those relating to the company’s service relationships with partner organisations and third parties where these impact on MyPain’s objectives.
The way we work
All staff have an important role to play in identifying, assessing and managing risk. To support staff in this role MyPain seeks to provide a fair, consistent environment, encouraging a culture of openness and a willingness to admit mistakes. All staff are encouraged to report any situation where things have, or could have gone wrong. Balanced with this approach is the need for MyPain to provide information, counselling, support, and training for staff in response to any such situation.
At the heart of this policy is the desire to learn from events and situations to continuously improve management processes.
To effectively manage risks, MyPain is committed to the development of a culture of openness and honesty. As part of this culture, the directors encourages staff to learn from self-assessment, reviews and retrospective analysis of incidents and complaints.
MyPain does not want the fear of disciplinary action to deter staff from reporting incidents; therefore, it encourages a ‘just culture’ of ‘fair blame’. A safe culture is informed by learning.
In the interest of openness, ‘fair blame’ and the process of learning from mistakes, formal disciplinary action will not usually be taken as a result of an incident or complaint investigation. However, a serious breach of health and safety regulations and serious negligence causing loss or injury are examples of gross misconduct described in MyPain’s Disciplinary Policy. Disciplinary action may, therefore, be appropriate where it is found that an employee has acted:
Illegally - against the law; or
Maliciously - intending to cause harm which s/he knew was likely to result; or
Recklessly - deliberately taking an unjustifiable risk where s/he either knew of the risk or s/he deliberately closed his/her mind to its existence.
Should disciplinary action be appropriate, this will be made clear as soon as the possibility emerges. The investigation would then be modified to take account of Human Resources policies and with advice.
Duties and responsibilities
Directors
Ensure that corporate risk assessments are undertaken proactively for inclusion in the Assurance Framework and that preventative action is carried out.
Ensure all staff are informed of the need to report incidents which arise out of MyPain’s activities.
Ensure all directly employed staff understand the Risk Policy and procedure; and receive feedback from incidents reported and complaints in a timely way.
Ensure contractors and consultants are aware of the Risk Policy.
Initiate any investigations required following an incident or complaint.
Allocate sufficient resources (both financial and human) for incident and complaint investigation and follow up.
Ensure recommendations made as a result of investigations are put into place.
Managers
Ensure that risk assessments are carried out on all significant identified hazards and appropriate action plans put in place to reduce risks to an acceptable level. The results of those risk assessments must be recorded on the risk register and communicated to all those who may be at risk.
Ensure all staff and contractors understand and follow the Risk Policy and procedure.
Ensure staff attend mandatory incident reporting training annually.
Review the grading of all incidents.
Liaise with Occupational Health regarding any health issues related to the health of the injured person.
Ensure that relevant accidents / incidents are reported to the Health and Safety Executive in accordance with RIDDOR and notify MyPain’s Health & Safety lead.
Ensure recommendations and actions are carried out as a result of any investigation to reduce risk and improve systems.
Monitor information reported on the incident forms for accuracy and completeness.
Make safe any area, equipment or medical device following an accident and retain equipment for inspection where required.
Provide feedback to directly employed staff on trends, serious incidents, results of investigations, recommendations and any learning opportunities.
Review risk management through objective-setting as well as development and appraisal methods to ensure continuous improvement.
Provide administrative support and facilitation where necessary of meetings
Ensure documentary evidence of the process is attached to the Incident Reporting Log
Senior clinical staff
Ensure that risk assessments are carried out on all significant identified hazards and appropriate action plans put in place to reduce risks to an acceptable level. The results of those risk assessments must be recorded on the risk register and communicated to all those who may be at risk.
Ensure all staff and contractors understand and follow the Risk Policy and procedure.
Ensure staff attend mandatory incident reporting training annually.
Review the grading of all incidents.
Liaise with Occupational Health regarding any health issues related to the health of the injured person.
Ensure that relevant accidents / incidents are reported to the Health and Safety Executive in accordance with RIDDOR and notify MyPain’s Health & Safety lead.
Ensure recommendations and actions are carried out as a result of any investigation to reduce risk and improve systems.
Monitor information reported on the incident forms for accuracy and completeness.
Make safe any area, equipment or medical device following an accident and retain equipment for inspection where required.
Provide feedback to directly employed staff on trends, serious incidents, results of investigations, recommendations and any learning opportunities.
Review risk management through objective-setting as well as development and appraisal methods to ensure continuous improvement.
Provide administrative support and facilitation where necessary of meetings
Ensure documentary evidence of the process is attached to the Incident Reporting Log
Health and Safety advisors
It is the responsibility of MyPain’s Health and Safety Lead to:
Review RIDDOR accidents / incidents reported to the Health and Safety Executive as appropriate.
Share all incidents of intentional assault and verbal abuse with the directors.
All Staff
All MyPain employees including contractors are responsible for:
Identifying and monitoring risk areas with senior staff and take appropriate preventative action. Staff should be reassured that MyPain adopts a ‘fair blame’ culture.
Using this policy and the Risk Log for reporting all incidents and complaints (either by themselves or if incapacitated, by a nominee within 24 working hours).
Verbally reporting all potential serious incidents (including violence and verbal abuse) to a MyPain director as soon as possible.
Bringing to the attention of senior staff any incidents and complaints which resulted in, or had the potential to result in injury, loss or damage (i.e. near misses).
Bringing to the attention of the appropriate director concerns that they cannot resolve on a local basis.
Co-operating in any investigation and providing relevant information to assist in identifying the cause of the harm.
Notify a director immediately should there be a potential Serious Incident (Level 1, grade 15+ incident), either by email or phone call.
All staff are required to be aware of the Risk Policy and have received training as part of their induction for working at MyPain.
All staff are responsible for providing a good patient experience, listening to and working to resolve concerns raised by patients (local resolution) and to inform the Registered Manager if they are unable to do so.
Types of Incidents to be Reported (Reactive Risk Management)
Reportable Injuries, Diseases or Dangerous Occurrences (RIDDOR) (1995).
These are defined in Schedules 1, 2 and 3 of The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR). Incidents relating to contractor workers being injured whilst working on MyPain property are not covered as these are reported by the contractor. RIDDOR incidents should be recorded online via MyPain’s Incident Log.
Events
The incident reporting process covers a wide range of events that require reporting online via MyPain’s Incident Log.
Accidents
Incidents (non-clinical)
Clinical Incident
Medical device incident
Security Incident
Fire Incident
Financial Incident
Violence / Assault Incident
Medical Device Incident
Information / confidentiality breach Incident
Drug Error Incident
Infection Control
Environmental
Safeguarding Issues (adults)
Safeguarding Issues (children)
Work related illness for staff.
Serious Incidents
These could include any of the above categories and be of a more serious nature. Examples of Serious Incidents (SIs/Level 1) to be reported online via MyPain’s Electronic Incident Log include:
Patient committing or attempting to commit suicide.
Allegation of sexual assault.
Errors in medication/treatment/diagnosis or care causing serious harm.
Serious unexpected or unwanted outcomes to treatment.
Failure of medical devices used to help, prevent, treat or monitor a person’s condition or illness.
Certain diseases contracted in the course of employment.
Occurrence of any major health risk e.g. outbreak of infection such as Legionella; MRSA bacteraemia resulting in a death.
Events which affect a number of service users e.g. series of screening errors.
An incident which causes, or could cause, serious damage to MyPain’s property, or disruption to services.
Serious financial loss to MyPain e.g. large-scale fraud, theft or major litigation.
Any large-scale loss of Personal Identifiable Data (PID) from MyPain databases or via lost or stolen records/ portable media etc. that would represent a serious breach in confidentiality or the Data Protection Act 1998. Appendix 3
Any incident that could be defined as Corporate Manslaughter under the 2005 Act.
Any allegation or occurrence that could be considered to be institutional abuse or racism/ discriminatory to a group of patients or staff.
Child Protection issues.
Adult Protection issues.
Other Incidents
This includes any other issues that may adversely affect activities within the MyPain and which are not covered by any of the other headings to be reported online via MyPain’s Electronic Incident Log.
Managing Incidents and Complaints
In the event of an incident occurring or a complaint being received, MyPain must respond quickly and positively. Each member of staff has a part to play whatever their position in our company. It is essential that all members of staff understand how to identify a serious incident and the procedures for notifying directors. Please refer to Appendix 1.
Confidentiality must be respected at all times when reporting an incident relating to patients, carers, staff or visitors. Person identifiable information sent electronically must be password protected. Refer to MyPain’s Information Governance Policy for more information.
Completing an incident and complaint log
This is completed online via MyPain’s Electronic Incident Log. The log should be completed by the staff member directly involved in the incident or the staff member who has received the complaint. The completed log is seen by a MyPain director who will allocate an Investigation Officer and may ask for clarification of details and for more information on the investigation / actions / recommendations / outcomes.
Validating Information
The person reporting the incident or complaint is expected to check the following:
Accuracy, clarity and completeness of the information.
Evaluate the risks using MyPain’s risk grading tool.
Decide on immediate remedial actions to be taken.
Inform others who need to know and record this information.
Identify complaints separately in the log.
Suspected Serious Incidents
In the case of a suspected Serious Incident the incident and complaint log should be completed and a director notified immediately by email and phone. The director will ensure that relevant staff and external agencies as appropriate are informed. If any incident involves a sudden, unexpected death or risk of death or a crime has been potentially committed then the following people may also need to be made aware:
Information Commissioner (if a serious breach in information security).
The Care Quality Commission through their notification procedure.
Health Protection Agency if the incident relates to an outbreak/ serious contamination/public health risks, 020 7759 2860 (health protection) or 07623 541 417 for out of hours Public Health doctor on call.
Grading Incidents and Complaints and Investigation
Grading
Incidents and complaints must be graded by the person involved or in control of the area, in terms of severity and likelihood prior to submitting the incident and complaint log. This needs to be done as soon as possible after the incident or complaint receipt. Grading needs to be based on the severity at the time of the incident. (See Appendix 2). The incident should be graded according to severity of outcome and potential future risks to patients and / or the MyPain using the same criteria outlined in our Risk Management Strategy. If there is doubt as to whether an incident is a level 1 (graded 15 and above) or level 2 (graded 8 to 12), a director should make the decision. Other levels can be adjusted in discussion amongst senior clinical staff.
Following the incident or complaint investigation it may be necessary to review existing risk assessments and grading or to produce new ones where none existed. Old assessments must be retained as these may be required as evidence that action was taken. Also they may be required should a civil action be brought against MyPain.
Timescales for reporting.
These are shown in Appendix 4.
Determining causes and the investigation
An important part of the role of the Investigation Officer in dealing with the incident is in determining the cause. Such a determination should help MyPain in determining the types of actions that would prevent repetition. In some cases, cause or factors may be obvious and straightforward. In other cases, the situation may be more complex and require the use of the NPSA’s Root Cause Analysis (RCA) tools. This type of investigation should provide valuable information for either reviewing an existing risk assessment or taking steps in creating a new assessment. Serious incidents should be investigated by a director or an appointed deputy.
Record Keeping
It is important that records are kept on actions taken and information given. The Investigation Officer is responsible for ensuring that records are copied to relevant parties, collating witness statements and ensuring the witness statements are signed, dated, timed and are legible. In addition, all incidents involving patients must be recorded in the appropriate clinical record and uploaded onto MyPain’s Electronic Incident Log.
Letters of complaint must not be placed in the patient’s clinical record and should be filed separately.
Copies of all forms will be treated as confidential and securely retained by the relevant director or senior clinical staff and Occupational Health as required.
Information on the incident and complaint logs will be entered onto MyPain’s Electronic Incident Log. All such information will be kept in accordance with the Data Protection Act 1998.
Patients, staff and their appointed representatives have the right to see any records relating to them.
A clear, contemporaneous record of the handling of the incident must be kept.
Feedback and Learning from Incidents and Complaints
It is essential for MyPain that it learns and develops from any incident that occurs and complaints received. This means that whenever there is an incident or complaint that is investigated, the report must contain details of actions that need to be taken in future, with person assigned to the action and timescale for completion, to manage and reduce the risk of the issue happening again. This information should be entered onto MyPain’s Electronic Incident Log.
Incidents and complaints will not be closed by MyPain until the learning and actions have been logged and included in the Audit programme and MyPain staff are updated on the learning points and actions from the incident or complaint. The relationship of the learning feedback loop can be seen in Appendix 5.
Planned and actual action as a result of complaints should be recorded using MyPain’s Electronic Incident Log. The senior clinical staff will be responsible for implementing actions and feeding back to other MyPain staff.
When an incident or complaint investigation reveals actual or potential risks, and where significant risks are identified or remain following implementation of action plans, these will be considered for inclusion on to the MyPain’s Electronic Incident Log.
The Investigation Officer needs to give feedback to the staff who either reported or were directly involved in the incident or complaint and indicate on the database that this has taken place. This requirement may also apply to patients, relatives and members of the public, depending on seriousness.
Feedback to staff and where appropriate, patients, must be given before the media may become involved.
Staff Welfare and Support
Some incidents and complaints may invoke unusually strong emotions causing staff to feel overwhelmed or very anxious. Although not an exhaustive list, these types of incidents and complaints may include themes such as:
Serious medication errors
Severe harm or injury of a patient
The death of a patient
Allegations of gross negligence or abuse threats of aggression or violence from the complainant, the patient or their representative
Excessive verbal aggression or use of inappropriate or abusive language
The Registered Managers is responsible for providing support immediately an incident occurs or a complaint is received relating to a member of staff’s actions or omissions, and offering advice about what additional support is available.
Risk Assessments (Proactive Risk Management)
Risk assessment is the method where hazards are identified, quantified and managed. It is a proactive process focused on “the risks that really matter” – the ones with the potential to cause real harm. Please refer to MyPain’s Risk Assessment and Profiling Guidance for further information and tools to carry out risk assessments. Risks identified and assessed will be entered onto MyPain’s Risk Register.
Effective risk assessments and mitigation of the risks is the best method to reduce the likelihood of incidents and complaints and make MyPain a safe environment for patients, carer, staff and contractors.
The objective of carrying out risk assessments is to reduce, where reasonably practicable, the significant risks associated with hazards in work tasks and workplaces to tolerable levels, in terms of potential human suffering, legal requirements and economic effects on MyPain.
A risk assessment should identify how risks arise and how they impact on those affected. This information is needed to make decisions on how to manage those risks so that the decisions are made in an informed, rational and structured way and the action taken is proportionate.
Strategic and other risks challenging MyPain, and associated action plans, are recorded using the Assurance Framework (corporate risk register). Through this, an up to date position is provided to the directors, for all risks graded as ‘High’ (15 and above using MyPain’s Risk Grading Tool).
When carrying out a risk assessment, existing control measures or treatments should be taken into consideration. Providing the suitability and effectiveness of the control measure is also assessed.
A risk assessment should:
Identify the risks arising from or in connection with work
Have a level of detail proportionate to the risks identified
Identify the length of time for which it remains valid
Call on examples of good practice from within the field of operation
Be practical and take into account the views of staff, safety representatives and managers.
A risk assessment is simply a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm. It is a simple, practical but systematic thought process involving five steps:
i. Identify the hazards
ii. Decide who could be harmed
iii. Evaluate the risks and decide on precautions (control measures)
iv. Record your findings and implement them
v. Review your assessment and update if necessary.
Identified risks are recorded in MyPain’s Assurance Framework (corporate risks that could undermine our company’s objectives); and Risk Register, My Pain’s log of operational and clinical risks. Each Senior Clinical member of staff is responsible for maintaining this register, ensuring the risk information it contains is up-to-date and review dates have not expired.
Senior Clinical staff must identify and bring to the attention of a director, any high or very high level risks that are:
impossible or impractical to manage at operational level; or
any risk that could adversely affect achievement of MyPain’s objectives;
Such risks will then be considered by the Directors for inclusion in the Assurance Framework (a log of the strategic risks facing MyPain).
Through the Assurance Framework and audit, MyPain directors’ gain assurance from others that risks are being appropriately managed throughout our company. The Framework is built around MyPain’s Risk Register. The process for creating and maintaining the Assurance Framework and Risk Register is described in MyPain’s Assurance Framework spreadsheet.
All risks that have been graded as high or medium risk must be reviewed by the directors.
Equality Impact Assessment
As part of its development, this policy and its impact on equality have been reviewed. The purpose of the assessment is to minimise and if possible remove any disproportionate impact on staff on the grounds of race, sex, disability, age, sexual orientation or religious belief. No detriment was identified.
Other Relevant Procedural Documents
All documents listed within MyPain’s Policies and Procedures Register are relevant to the risk management process, as these are in themselves risk management mechanisms; those of particular relevance are:
Health & Safety Policy
Complaints Policy
Claims Handling Policy
Duty of Candour Policy
Information Governance Policy
Whistle Blowing Policy
Disciplinary Procedure
Safeguarding Policy
Quality Policy
Records Management Policy
References
The Risk Management Process, Federation of European Risk Management Associations (FERMA), 2005
A Risk Management Standard, The Association of Insurance and Risk Managers, (AIRMIC), 2002
International Organisation for Standardisation (ISO)/IEC Guide 73:2002 Risk Management
International Organisation for Standardisation (ISO) 14971:2012 Risk management for medical devices
Medical devices. Quality management systems. Requirements for regulatory purposes BS EN ISO 13485:2016
Risk Management Model (HSG65), Successful Health & Safety Management, HSE Books, 1997
Australia New Zealand Standard 4360:2004 Risk Management
Five Steps to Risk Assessment, HSE, 2006
Care Quality Commission (Registration) Regulations 2009
Corporate Manslaughter and Corporate Homicide Act, 2007
Health and Social Care Act 2008 (Regulated Activities) Regulations 2010
Health and Safety at Work Act 1974.
Management of Health and Safety at Work Regulations 1999
Workplace (Health, Safety and Welfare) Regulations 1992 (As Amended 2002)
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995
Data Protection Act 1998
Consumer Protection Act 1987
General Product Safety Regulations 2005 (SI 2005 No 1803)
Medical Devices Regulations 2002 (SI 2002 No 618, as amended)
Medical Devices Directive (93/42/EEC)
Contact us.
contact@mypain.uk
+44 7747429753