
Risk management policy

Publication Type: Policies and procedures Published: 29th January 2021 Size: 826.9kB

The main objective of this policy is to establish the foundations for a culture of effective risk management throughout the organisation. It sets out clear definitions, responsibilities, and process requirements to enable the principles and techniques of risk management to be applied consistently throughout the organisation.

| Field | Value |
|---|---|
| Recommended by | Audit Committee |
| Approved by | Board of Directors |
| Approval date | 24 April 2024 |
| Version number | 0.5 |
| Review date | April 2027 |
| Responsible Director | Director of Corporate Affairs |
| Responsible Manager (Sponsor) | Head of Risk and Assurance |
| For use by | All our people |

Change record form

| Version | Date of Change | Date of Release | Changed By | Reason for Change |
|---|---|---|---|---|
| 0.1 | December 2020 | – | J Taylor | New Policy |
| 0.2 | January 2021 | January 2021 | J Taylor | Amendments from Audit Committee |
| 0.3 | 1 April 2022 | April 2022 | J Taylor | Annual Review |
| 0.4 | February 2023 | April 2023 | S White | Annual Review |
| 0.5 | February 2024 | April 2024 | J Taylor | Annual Review |

1. Introduction

Risk management is both a statutory requirement and a key element of good management. It is everyone’s responsibility, with the principles of effective risk management forming an integral component of decision making at all levels.

The activities associated with caring for patients, recruiting our people (staff and volunteers), providing facilities and services, and managing finances are all, by their nature, activities that involve risk. These risks are present on a day-to-day basis throughout the organisation and whilst it may not always be possible to eliminate these risks, they can be managed to an acceptable level by ensuring that risk management is embedded into day-to-day practice and the culture of the organisation so that appropriate risk-based decisions are regularly made by managers and staff at all levels.

Effective risk management enables the Board of Directors to determine the extent of risk exposure it currently faces with regard to the achievement of its objectives. As a key component of the internal control framework, regular review and routine monitoring of this policy will also inform the Trust’s Annual Governance Statement.

2. Purpose

The purpose of this Risk Management Policy is to define the approach taken by North West Ambulance Service NHS Trust (the Trust) in applying risk management to its decision making at all levels and the main objective is to establish the foundations for a culture of effective risk management throughout the organisation.

This policy sets out clear definitions, responsibilities, and process requirements to enable the principles and techniques of risk management to be applied consistently throughout the organisation.

The principles and techniques of risk management as defined in this policy should be fully integrated within the formal governance arrangements and decision making processes of the organisation. All our people are responsible for making sure that they are aware of the organisation’s aims and objectives and are empowered to make decisions to manage risks as long as those decisions are within the scope of their role and level of authority.

Where a risk is identified but cannot be managed without some significant change to the way the organisation operates, it must be escalated through the relevant line management structure. The Risk Management Policy applies to all areas and levels of the Trust.

It defines the basic principles and techniques of risk management that the organisation has decided to adopt and forms the basis of all risk-based decision making. All risk management activities in the Trust will follow the process described within this document to ensure a common and robust approach is adopted to risk management.

3. Roles & Responsibilities

This section details those groups and individuals within the Trust that have specific responsibilities with regard to the Risk Management Policy.

The Board of Directors is responsible for providing strategic leadership to risk management throughout the organisation, which includes:

• Maintaining oversight of strategic risks through the Board Assurance Framework (BAF)

• Leading by example in creating a culture of risk awareness

The Audit Committee is responsible for reviewing the establishment and maintenance of an effective system of integrated governance, risk management and internal control across the whole of the organisation’s activities. The Committee will provide assurance to the Board of Directors that there are effective systems operating across the Trust.

The Chief Executive as the Accountable Officer is responsible for ensuring an effective system of internal control is maintained to support the achievement of the Trust’s strategic objectives. This includes:

• The establishment and maintenance of effective corporate governance arrangements

• Ensuring that this Risk Management Policy is applied consistently and effectively throughout the Trust

• Ensuring that the Trust is open and communicates effectively about its risks, both internally and externally

• Retaining sufficient professional risk management expertise to support the effective implementation of this Policy

The Director of Corporate Affairs is accountable to the Board of Directors and Chief Executive for the Trust’s Governance and Risk Management activities. With Executive responsibility for governance and risk management the Director of Corporate Affairs (with support from the Head of Risk and Assurance) provides a clear focus for the management of organisational risks and for coordinating and integrating all of the Trust’s risk management arrangements on behalf of the Board of Directors.

Members of the Executive and Directorate Senior Management Teams are responsible for the consistent application of this Policy within their areas of accountability, which includes:

• Maintaining an awareness of the overall level of risk within the organisation

• The management of specific risks that have been assigned to them, in accordance with the criteria set out in this policy

• Promoting a risk aware culture within their teams and in the course of their duties

Area Directors/ Assistant Directors/ Heads of Operations/ Service/ Area Consultant Paramedics are responsible for the consistent application of this Policy within their areas of accountability, which includes:

• Making active use of the Trust risk register and the processes described in this Policy to support the management of their service

• The management of specific risks that have been assigned to them in accordance with the criteria set out in this policy

• Promoting a risk aware culture within their teams and in the course of their duties

• Ensuring that as far as possible risk assessments carried out within their service are based on reliable evidence.

All of our people (staff and volunteers) are responsible for identifying and managing risks within their day-to-day work, which includes:

  • Maintaining an awareness of the primary risks within their service
  • The identification and as far as possible the management of risks that they identify in the course of their duties
  • Bringing to the attention of their line manager any risks that are beyond their ability or authority to manage

4. Risk Management Approach

The basic principle at the heart of the Trust’s risk management approach is that an awareness and understanding of risk should be used to inform decision making at all levels.

This requires not only the active engagement of all our people with risk management activity in practice, but also the integration of risk management principles and techniques within the formal governance arrangements of the organisation.

This will ensure that major strategic, policy and investment decisions are made with a full and reliable appreciation of the risks associated with them as well as any existing risks that those decisions may serve to mitigate.

5. Risk Management Process

The risk management process, which can be seen in Figure 1 below, involves the identification, analysis, evaluation and treatment of risks. More importantly, the process provides iterative steps, which when taken in a coordinated manner can support recognition of uncertain events which could lead to a negative outcome and therefore allows actions to be put in place to minimise the likelihood (how often) and consequence (how bad) of these risks occurring.

Figure 1: ISO 3100:2018 Risk Management Process

5.1 Scope, Context and Criteria

The Trust Strategy sets out our purpose to help people when they need us the most and a vision to deliver the right care, at the right time, in the right place; every time. This is broken down into 3 aims, these are:

  • Providing high-quality, inclusive care.
  • Be a brilliant place to work for all.
  • Work together to shape a better future.

Risks are linked to our aims because failing to control risks may lead to non-achievement of our strategic aims and/ or objectives.

5.2 Risk Assessment

Risk assessment is an objective process and where possible, staff should draw upon evidence or qualitative data to aid assessment of risk. Where evidence or data is not available, assessors will be required to make subjective judgement.

Risk vs Issue
It is important to understand the difference between a risk and an issue/ incident.

The fundamental difference between a risk and an issue/incident is that an issue/incident has already happened, there is no uncertainty, and it is a matter of fact.

A risk is an uncertain event that has not yet happened, but if it did, it could affect the achievement of an objective.

| Risk | Issue / Incident |
|---|---|
| An uncertain event that HAS NOT happened | An unplanned event that HAS happened |

Risk Articulation
In order to assist the risk management process, it is essential that risks are described in a way that allows them to be understood by all who read them. Articulating a risk in this way will enable effective controls, assurances and action plans to be put in place to mitigate the risk.


There should be three components to the description of a risk:

| Cause (Source of Risk) | Risk (Uncertain Event) | Consequence (Impact) |
|---|---|---|
| What has caused the risk? Where has the risk originated from? | The uncertain event (risk) that may happen if we do nothing | What would be the impact if the risk materialised? |
| Risk descriptions must tell a convincing story | | |
| There is a risk ‘as a result of/ due to/ because of’… existing condition | An uncertain event… may occur | Which would lead to… effect on objectives |
| Present Condition | Uncertain Future | Conditional Future |

Risk Identification

New risks and factors which increase a known risk may be identified at any time and by anyone within the organisation and can take many different forms.

All our people play a vital role in the identification of risk. All new risks should be reported and discussed with your line manager in the first instance, who will consider the best approach to manage the risk; this could be actions to immediately eliminate the risk, signposting of the risk to the appropriate person to manage the risk or inclusion on a risk register with an action plan in place.

Some risks can be managed effectively by the person identifying them taking appropriate action themselves or within their immediate team. This is particularly true with types of safety risk, where identification and removal of the hazard will often be sufficient to manage the risk.

Our people should initially consider what their main areas of work are and how these relate to their local objectives, and the objectives of the Trust. Every work activity that has a significant hazard should be assessed for risk. Identification using a systematic approach is critical because a potential risk not identified at this stage will be excluded from further analysis.

All risks, whether under the control of the Trust or not, should be included at this stage. The aim is to generate an informed list of events that might occur. Key sources that will inform this exercise include (but are not limited to):

• Compliance requirements with regulators and stakeholders such as the CQC, HSE, NHSE etc

• Recommendations from recent internal / external audit reports

• Thematic and trend analysis of incidents, inquiries, complaints, claims and inquests

• Performance data

• Quality Assurance Audits

• Quality Impact Assessments

• Safety Alerts

• Trend and forecasting analysis

• Risks associated with the achievement of corporate objectives

• Other methods of horizon scanning.

Resilience and Response

The NWAS Resilience Team work with partners in the Local Resilience Forums and Local Health Resilience Partnerships to examine National and Community Risk Registers and plan for multi-agency risk mitigation and response. This is reviewed for the potential impact on the Trust; anything identified is recorded in accordance with this Policy and highlighted to the Emergency Preparedness, Resilience and Response (EPRR) Group, chaired by the Accountable Emergency Officer.

Recommendations from critical, major, or business continuity incidents and exercises are captured within the risk management processes to ensure the delivery of actions to reduce the risk of failure in the event of an actual incident.

Fraud Risk Management

Recommendations from thematic exercises from NHS Counter Fraud Authority (CFA) are captured within the risk management process to ensure the delivery of actions to reduce risk of failure in the event of an actual fraud, bribery, theft, and corruption incident.

5.3 Risk Analysis

The purpose of analysing and scoring a risk is to estimate the level of exposure which will then help inform how the risk should be managed.

When analysing a risk, you will need to:

• Identify who is affected and what is the potential consequence/ impact should the risk occur

• Estimate the likelihood (how often) the risk may possibly occur

• Assess and score the level of exposure to that risk using the risk scoring process below.

Risk Analysis Process

Risks are analysed using the Trust Risk Matrix. The Trust has adopted a 5×5 matrix with the risk scores taking account of the consequence and likelihood of a risk occurring.

The scoring of a risk is a 3-step process:

Step 1: Evaluate the consequence of a risk occurring. The consequence score has five descriptors:

Table 1: Consequence Analysis
| Score | Consequence Descriptor |
|---|---|
| 1 | Insignificant |
| 2 | Minor |
| 3 | Moderate |
| 4 | Major |
| 5 | Catastrophic |

Consequence Description: Please see Appendix 2 for Consequence Descriptions

Step 2: Analysing the likelihood (how often) a risk may occur. The table below gives the descriptions of the likelihood of a risk occurring:

Table 2: Likelihood Analysis
| Score | Likelihood Descriptor | Likelihood Frequency |
|---|---|---|
| 1 | Rare | Not expected to occur in years |
| 2 | Unlikely | Expected to occur at least annually |
| 3 | Possible | Expected to occur at least monthly |
| 4 | Likely | Expected to occur at least weekly |
| 5 | Almost Certain | Expected to occur at least daily |

Step 3: To calculate the risk score, multiply the consequence score by the likelihood score:
CONSEQUENCE score x LIKELIHOOD score = RISK score

| Likelihood / Consequence | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| 5 Almost Certain | 5 Low | 10 Moderate | 15 High | 20 High | 25 High |
| 4 Likely | 4 Low | 8 Moderate | 12 Moderate | 16 High | 20 High |
| 3 Possible | 3 Low | 6 Moderate | 9 Moderate | 12 Moderate | 15 High |
| 2 Unlikely | 2 Low | 4 Low | 6 Moderate | 8 Moderate | 10 Moderate |
| 1 Rare | 1 Low | 2 Low | 3 Low | 4 Low | 5 Low |

5.4. Risk Evaluation

Once the risk analysis process has been completed, the risk score should now be compared with the level of risk criteria below which enables the Trust to measure the potential level of risk exposure and proceed to identify appropriate actions and management plans.

| Level of Risk | Range | Classification |
|---|---|---|
| Low | 1 – 5 | Low |
| Moderate | 6 – 12 | Moderate |
| High | 15 – 25 | High |

Each risk will be assigned 3 risk scores: initial, current and target. The risk scoring process above will be carried out three times for each score using the guidance below.

1. Initial Risk Score

The initial risk score is assigned when the risk is first identified. For the initial risk score, the risk analysis process should be a measure of the consequence and likelihood before any controls/ mitigating actions are proposed. The initial risk score will not change for the lifetime of the risk.

2. Current Risk Score

For the current risk score, the risk analysis process should be a measure of the consequence and likelihood once controls and mitigating actions are in place, taking into account the effectiveness of the controls added.

3. Target Risk Score 

For the target risk score, the risk analysis process should be a realistic measure of the consequence and likelihood once improved mitigating actions have been achieved and improved controls added.

5.5. Risk Management

Effective risk management requires a reporting and review structure to ensure that risks are effectively identified, analysed and that appropriate controls and responses are in place.

Risk Treatment

Risk treatment is a process to modify risk and the selection and implementation of measures to treat the risk.

This includes, as its major element, risk control/ mitigation, but extends further to the appropriate selection of a risk treatment option. The options are outlined in the table below.

Tolerate (Accept)

Can we accept the risk as it is i.e., without further controls? Would the cost of controlling the risk outweigh the benefits to be gained?

Where the ability to do anything about certain risks may be limited or the cost of taking any further action may be disproportionate to the potential benefit gained.

In these cases, the response is to manage the risk to as low as reasonably practicable (ALARP) then tolerate the risk. This option can also be supplemented by contingency planning for handling the consequences that may arise if the risk is realised.

Where the status of the risk is to tolerate, the risk must be monitored and reviewed by the risk owner at least annually. All risks tolerated, will be subject to review by the Events and Risk Assurance Team and a decision made by the Trust Management Committee if the risk should be tolerated or not.

Treat (Reduce or Remove)

Can we put controls in place to reduce the likelihood of the risk occurring or its impact?

Treat is the most widely used approach and will be the course of action to take for the majority of risks within the Trust before any other course of action is considered.

Terminate (Suspend the risk situation/ activity)

Can we avoid or withdraw from the activity causing risk? Can we do things differently?

A decision will be made by the Trust Management Committee if the risk should be terminated or not.

Transfer (Responsibility)

Can we transfer or share, either totally or in part, by way of partnership, insurance or contract?

This course of action should only be taken following consideration and decision by the Trust Management Committee.

Identifying Controls and Gaps

Controls are arrangements that are already in place to mitigate or manage the risk and these can include policies and procedures, monitoring, and audit.

Every control should be relevant to the risk that has been described, it should be clear that the control directly impacts on managing the risk and the strength of the control should be considered when deciding the influence this will have on the risk score.

Despite having identified controls, where the service has established a risk exists, it is the uncontrolled issues that are articulated as gaps. Gaps are issues which are not controlled and directly affect our mitigation of the risk. Gaps require clear and proportionate actions to address them.

Preventative

Designed to limit the possibility of an undesirable outcome being realised. They are important to stop an undesired outcome. It is crucial to implement these types of controls.

For example, elimination of the hazard/ physically remove the hazard if possible/ substitute the hazard with something less risky.

Corrective

Designed to limit the scope for loss and reduce any undesired outcomes that have been realised. These may also provide a route of recourse to achieve recovery against loss or damage.

For example, isolating people from the hazard, the use of guards, or barriers, or reducing the exposure of the hazard.

Directive

Designed to ensure that a particular outcome is achieved. This is based on giving directions to people on how to ensure that losses do not occur. These are important but depend on people following established safe systems of work.

For example, administrative controls such as changing the way people work, training and supervision to enforce policies, procedures, processes, pathways, use of Personal Protective Equipment (PPE).

Detective

Designed to identify occasions when undesirable outcomes have been realised. By definition they are ‘after the event’, so they are only appropriate when loss or damage has occurred.

For example, monitoring and surveillance, such as closed-circuit television (CCTV), smoke detectors, fire alarms.

Risk Mitigating Action Plans
The purpose of risk action plans is to document how the chosen treatment options will be implemented.

Information should include:

  • A description of what the planned action is
  • Expected benefit(s) gained
  • Responsibilities (risk owners and action owners)
  • Reporting and monitoring requirements
  • Resourcing requirements
  • Timing and scheduling

Differentiating between Controls, Gaps and Actions
To summarise:

  • Controls are things that are already in place to manage or monitor the risk
  • Gaps are the issues that we need to address to control the risk fully
  • Actions describe how you will address the gaps to reduce the risk identified.

Contributory Factors
Contributory factors are the influencing and causal factors that contribute to the identified risk.

These factors affect the chain of events and can be positive as well as negative, and they may have mitigated or minimised the outcome of the risk materialising. More than one contributory factor can be selected.

Risk Monitoring and Review
The monitoring process should provide assurance that there are appropriate controls and risk mitigating actions in place. The frequency of ongoing monitoring and review depends upon the seriousness of the risk.

As a minimum, this must be:

| Current Risk Score | Review Timescales |
|---|---|
| 1 – 5 (Low) | Bi-Annually |
| 6 – 12 (Moderate) | Quarterly |
| 15 – 25 (High) | Monthly |

| Consequence Score | Review Timescales |
|---|---|
| 5 | Monthly |

6. Risk Registers


A risk register is a centralised repository of identified risks that may threaten the delivery of services. A risk register should be live, dynamic, and populated through the risk assessment and evaluation process. The Datix Cloud IQ (DCIQ) Enterprise Risk Management (ERM) system is used by the Trust to record, manage and monitor risks throughout the organisation. Where risks cannot be immediately resolved, these risks should be recorded onto the Departmental/ Team Risk Register.

The purpose of the risk register is to:

  • Provide a summary and overview of potential risks to each Directorate
  • Evaluate the level of existing internal control in place to manage the risk
  • Be an active live system to record and report risks using the risk management process.

Risk registers must:

  • Be fully complete
  • Be updated and reviewed regularly
  • Have measurable controls added for all live risks
  • Have action plans in place
  • Be discussed and reported to Directorate SMT Meetings at least quarterly.

7. Risk Escalation

The Trust aims to support staff throughout the organisation to manage risk at the most appropriate level in the organisation whilst ensuring that there is a clear process for risk to be escalated when necessary to ensure discussion, action, advice, and support can be provided.

All risk owners can escalate a risk for discussion, action, advice, and support via the risk record in the DCIQ system. The risk owner must clearly articulate the reasons for the risk escalation. The table below shows the team to Board escalation route.

  • Directorate Senior Management
  • Team Trust Management Committee
  • Trust Management Committee
  • Board of Directors

The diagram below defines the ‘Assurance and Escalation Pyramid’ and demonstrates the route that assurance and escalation take.

Figure 2: NWAS Assurance and Escalation Pyramid

8. Executive Oversight

All risks held in the ERM Module in DCIQ scored 15 and above are automatically reviewed by the Events and Risk Assurance Team. The steps below are followed to ensure the Trust Management Committee have oversight of all high risks to the organisation.

  • All new risks scored 15 and above are reviewed and analysed by the Events and Risk Assurance Team
  • Risks are discussed with Risk Owners and Executive Lead to explore the risk in further detail and ensure risk scoring is accurate
  • Corporate & Commercially Sensitive Risk Register is submitted to Trust Management Committee monthly for review, discussion, and approval of risks for inclusion onto the Corporate & Commercially Sensitive Risk Register.

9. Risk Management Governance Structure

Risks are overseen at various levels throughout the Trust as per the table below:

| Meeting | Type of Risk | Report Type | Risk Cycle |
|---|---|---|---|
| Board of Directors | Risks identified against delivery of strategic objectives | Quarterly Board Assurance Framework | As per Terms of Reference |
| Board Committees | Risks identified against delivery of strategic objectives relevant to their area of focus | Committee Board Assurance Framework Report | As per Terms of Reference |
| Audit Committee | Risks identified against delivery of strategic objectives | Quarterly Board Assurance Framework | As per Terms of Reference |
| Trust Management Committee | New & existing risk(s) scored 15 and above which indicate a high level of risk or where support is requested by the Directorates in the management of risk | Quarterly Board Assurance Framework; Corporate & Commercially Sensitive Risk Register | As per Terms of Reference |
| Executive Led Groups | Visibility of risks scored 12 and above relating to the executive groups area of focus | Group Risk Report | As per Terms of Reference |
| Directorate Senior Management Team Meetings | Risks identified on the Directorate Risk Register | Directorate Risk Register | At least quarterly |

Directorate Senior Management Teams are responsible for exporting their own risk registers and ensuring risks on team/ departmental risk registers are being managed and reviewed in accordance with this Policy.

10. Risk Reporting and Assurance Diagram

The risk reporting and assurance diagram highlights how the Trust aims to assure, scrutinise, escalate, and alert on risk management from front line to Board:

North West Ambulance Service NHS Trust; Risk Reporting and Assurance Diagram

11. Assurance 

A key element of the Trust’s risk management system is providing assurance. Assurance provides evidence that risks are effectively managed by confirming that the controls and actions put in place are effective, are making a positive impact and are mitigating risks appropriately.

12. Corporate and Commercially Sensitive Risk Register

The Corporate Risk Register allows the Trust Management Committee to have oversight of risks where:

  • Risk owners have communicated the need for additional support;
  • The risk has a current risk score of 15 and above; and/or
  • The risk indicates a significant/ increased risk;
  • The risk has the potential to significantly impact a strategic objective.

Risks held on the Corporate and Commercially Sensitive Risk Register must continue to be managed at their current level, with input and support from the Trust Management Committee where appropriate.

13. The Board Assurance Framework (BAF) 

The Board Assurance Framework is a key document used to record and report the Trust’s key strategic objectives, risks, controls, and assurances to the Board of Directors. The Board Assurance Framework takes into account the recommendations from Audit, Executive Leads and Committees of the Board as to what should be included, amended, or removed. The Board Assurance Framework is updated and approved by the Board of Directors four times per year. 

13.1. Audit Committee

As outlined in the HFMA Audit Committee Handbook, the Audit Committee’s primary role in relation to the BAF is to provide assurance that the BAF itself is valid. The role of the Audit Committee is not to manage the processes of populating the BAF but to satisfy itself that the systems and processes surrounding the BAF are working as they should. This includes whether:

• The format of the BAF is appropriate and fit for purpose

• The way in which the BAF is developed is robust

• The objectives in the BAF reflect the Board’s priorities

• Key risks are identified

• Adequate controls are in place and assurances are reliable

• Actions are in place to address gaps in controls and assurances.

13.2. Board Assurance Committees

Board Assurance Committees have the following responsibilities for the BAF risks pertaining to their areas of focus:

• Review of the BAF to ensure the Board of Directors receive assurance that effective controls are in place to manage strategic risk;

• Report to the Audit Committee/ Board of Directors on any significant risk management and assurance issues.

13.3. Executive Led Groups

Executive Led Groups have the following roles regarding the operational risks pertaining to their areas of focus:

• Review the management of the operational risks (risks scored 12+) pertaining to their areas of focus;

• Report to the Trust Management Committee any significant risk management and assurance issues.

14. Annual Governance Statement (AGS)

The Chief Executive is responsible for ‘signing off’ the Annual Governance Statement, which forms part of the statutory Annual Report and Accounts.

The organisation’s Board Assurance Framework gathers all the evidence required to support the Annual Governance Statement alongside the Head of Internal Audit’s annual opinion on the overall adequacy and effectiveness of the organisation’s risk management, control, and governance processes.

15. Clinical Risk Management

Clinical risk management can be defined as:

“The continuous improvement of the quality and safety of healthcare services by identifying the factors that put patients at risk of harm and then acting to control/ prevent those risks.”

Clinical risk is identified through the analysis of patient safety incidents, clinical negligence claims, and complaints, identified areas of sub-optimal care, clinical audit and non-compliance with clinical policies, guidance, and training.

16. Risk Governance and Internal Audit

The Executive Led Groups and the Audit Committee continually review and monitor all aspects of the Trust’s risk management system and play a key role in the standardisation and moderation of risks that are added to the Trust-wide risk register.

The Head of Internal Audit (HoIA) provides an annual opinion, based upon, and limited to, the work carried out to assess the overall adequacy and effectiveness of the organisation’s risk management, control, and governance processes.

17. Risk Awareness & Management Training and Support

Risk management guidance and advice are provided through the Corporate Risk and Assurance Team. Risk management training is made available for staff, via MyESR as per the below table.

| Staff/ Group | Type of Training | Type of Delivery | Frequency of Training |
|---|---|---|---|
| All staff | Level 1 Risk Awareness Training | E-Learning | 3 Yearly |
| All staff who require access to the DCIQ Enterprise Risk Manager Module | DCIQ ERM Module Training | Virtually | Once |
| First line, Middle & Senior Managers | Level 2 Risk Management Training | E-Learning | 3 Yearly |
| Board of Directors | Level 3 – Risk Management and Assurance Training | E-Learning | Annually |

18. Implementation

Taking into consideration the implications associated with this policy, it is considered that a target date of 01 April 2024 is achievable for communications about changes in this Policy, with any specific training being implemented on an ongoing basis. This will be monitored by the Trust Management Committee and the Audit Committee through the review process. If at any stage there is an indication that the target date cannot be met, then the Policy author will implement an action plan.

19. Equality, Diversity, and Inclusion

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. The Equality Impact Assessment can be viewed in Appendix 3.

20. Monitoring Compliance

Monitoring of compliance with this policy will be undertaken on a day-to-day basis by the Events and Risk Assurance Team, discussing any issues with the relevant team/ department/ Directorate and, if necessary, reporting to the Director of Corporate Affairs and relevant Executive Director Leads. The monitoring matrix can be viewed in Appendix 4 for further information. 

21. Consultation and Review

This is an existing policy which has had moderate changes that relate to operational and/ or clinical practice and therefore requires a consultation process. The Head of Risk and Assurance has consulted with the Director of Corporate Affairs, Internal Audit and Local Counter Fraud to invite any comments or suggestions regarding this policy. The policy will be presented to the Trust Management Committee, Audit Committee and to the Board of Directors for approval.

22. References

Baker, T (2015). Board Assurance: A toolkit for health sector organisations. England: LLP

CQC (2010), Guidance about compliance; Essential standards of quality and safety. England: Care Quality Commission (CQC).

CQC (2023), Enforcement Decision Tree. England: Care Quality Commission (CQC).

Deloitte, Enterprise Risk Management Approach, A ‘risk-intelligent’ approach.

Good Governance Institute, Risk Appetite for NHS Organisations.

HFMA (2014). NHS Audit Committee Handbook. (3rd ed.). England: Healthcare Financial Management Association (HFMA).

Health Act 1999, Ch 8

Health and Social Care Act 2008, Ch 14

Health and Social Care Act 2012, Ch 7

Health and Social Care (Safety and Quality) Act 2015, Ch 28

Hopkin, P (2018). Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management. 5th ed. London: IRM.

Lark, J (2015). ISO 31000 Risk Management. (1st Ed). Switzerland: ISO

Moeller, R (2011). COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes. 2nd ed. New Jersey: Wiley & Sons.

NHS Providers (2018). Enterprise Risk Management.

PwC (2017). Delivering system wide sustainability: Managing risk in healthcare transformation. England: LLP.

The Orange Book: Management of Risk – Principles and Concepts, (2023). HM Treasury. London.

Vincent, C (2005). Clinical Risk Management. 2nd ed. London: BMJ Books. 

Appendix 1: Risk Management Definitions

| Term | Definition |
|---|---|
| Action | A response to control or mitigate risk |
| Action Plan | A collection of actions that are specific, measurable, achievable, realistic and targeted |
| Assessment | Means by which risks are evaluated and prioritised by undertaking the 4 stage risk assessment processes |
| Assurance | Confidence based on sufficient evidence that internal controls are in place, operating effectively and objectives are achieved |
| Board Assurance Framework | A document setting out the organisation’s strategic objectives, the risks to achieving them, the controls in place to manage them and the assurance that is available |
| Consequence (Impact) | The effect on the Trust if a risk materialises |
| Control | Action taken to reduce the likelihood and/or consequence of a risk |
| Gaps in Control | Action to be put in place to manage risk and achieve objectives |
| Frequency | A measure of rate of occurrence of an event |
| Internal Audit | An independent, objective assurance and consulting activity designed to add value and improve organisations’ operations |
| Initial Risk | The score on identification before any controls are added |
| Likelihood | Evaluation of judgement regarding the chances of a risk materialising, established as probability or frequency |
| Mitigation | Actions taken to reduce the risk or the negative impact of the risk |
| Current Risk Score | The score with controls/ actions in place |
| Risk Appetite | The total amount of risk an organisation is prepared to accept in pursuit of its strategic objectives |
| Risk Matrix | A grid that cross references consequence against likelihood to assist in assessing risk |
| Risk Owner | The person responsible for the management and control of all aspects of individual risks |
| Risk Rating | The total risk score worked out by multiplying the consequence and likelihood scores on the risk matrix |
| Risk Register | The tool for recording identified risks and monitoring action plans against them |
| Risk Tolerance | The degree of variance from the Risk Appetite that the Trust is willing to tolerate |
| Strategic Risk | Risks that represent a threat to achieving the Trust’s Strategic Objectives |
| Operational Risk | Risks which are a by-product of the day to day running of the Trust |

| Domain | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Compliance: Legislative & Regulatory | No or minimal impact or breach of guidance/ statutory duty | Breach of statutory legislation | Single breach in statutory duty | Enforcement action, multiple breaches in statutory duty | Multiple breaches in statutory duty; Inability to meet legislative requirements; Breach of law; Prosecution |
| Quality Outcomes | No/ minimal disruption/ impact to the provision of timely and accurate quality care; Near-miss, no harm (physical and psychological) caused | Minor disruption/ impact to the provision of timely and accurate quality care; Low physical/ psychological harm | Moderate disruption/ impact to the provision of timely and accurate quality care; Moderate physical/ psychological harm | Severe disruption/ impact to the provision of timely and accurate quality care; Severe physical/ psychological harm | Permanent loss/ inability to provide timely and accurate quality care; Fatal |
| People | No injury or minor injury with no treatment required; Aggression/ verbal abuse with minimal impact; No staff sickness/ absence; Temporary short term low staffing levels (less than 1 day) | Minor physical injury, illness or mental health illness requiring minor treatment; Physical violence, assault, or verbal abuse with minor impact; Short term staff sickness/ absence (less than 3 days); Insignificant staff attendance at mandatory/ key training (5%); Low staffing levels reducing service quality (1-5 days) | Moderate physical injury, illness, or mental health illness requiring hospital treatment; Physical violence, assault, or verbal abuse causing moderate distress; Staff sickness/ absence (more than 7 days) and/or RIDDOR reportable; Poor staff attendance at mandatory/ key training (6-10%); Unsafe staffing levels (1-2 weeks) | Major physical injury, illness, or mental health illness requiring long term treatment or community care intervention; Serious physical violence, assault, or verbal abuse leading to psychological harm; Long term staff sickness/ absence; Frequent poor staff attendance at mandatory/key training (11-20%); Unsafe staffing levels (> 1 month), loss of key staff | Fatality of staff member, life threatening injury, illness, or harm. Permanent injury, harm/ incapacity/ disability. Significant/ persistent low uptake of staff attendance at mandatory/ key training (>21% or 2 months+); Prolonged unsafe staffing levels, loss of several key staff, including industrial action |
| Finance | Small budget loss or claim between £0-£5k | Budget loss of 0.1-0.25% or a claim between £5k-£10k | Budget loss of 0.25-0.5% or a claim between £10k-£100k | Budget loss of 0.5-1.0% or a claim between £100k-£1m; Uncertain delivery of key objective; Purchase failing to pay on time | Budget loss of >1% or a claim >£1m; Loss of significant contract/ income. Non-delivery/ failure to meet key objective/ specification. |
| Reputation | Localised issue, ad-hoc public or political concern | Short term local media interest, reduction in public confidence and/or local political concern | Sustained local media interest, extending to regional interest, regional public and/or political concern with reduction in public confidence | Regional and/or national media interest with significant public and/or political concern and reputational damage | National media interest, parliamentary interest, public inquiry with loss of public confidence and credibility in NWAS |
| Innovation | Minimal or no loss of information containing identifiable data; Cyber threat is expected to have negligible impact | Loss/ compromised security of one record containing identifiable data; Cyber threat is expected to have limited impact | Loss/ compromised security of 2-100 records containing confidential/ identifiable data; Cyber threat is expected to have serious impact | Loss/ compromised security of 101+ records containing identifiable data; Cyber threat is expected to have severe or catastrophic impact | Serious breach with potential for identity theft/ compromised security of an application/ system/ facility containing identifiable data; Cyber threat is expected to have multiple severe or catastrophic impact |
| Business/ Service | Interruption to provide NWAS services >1 hour | Interruption to provide NWAS services >4 hours | Interruption to provide NWAS services >6 hours; Small-scale CBRN attack | Interruption to provide NWAS services >1 day; Medium-scale CBRN attack; Accidental fire; Outbreak of emerging infectious disease | Prolonged/ permanent loss of NWAS service or facility; Loss of critical system; Terrorism; Large-scale CBRN attack; Major fire; Pandemic |
| Programmes/ Projects | Temporary performance defects causing minor short-term consequences to time and quality | Project expectations not being met | Poor project performance shortfall in area(s) of secondary importance | Poor performance in area(s) of critical or primary objective | Significant failure of the project to meet its critical or primary objective |

NWAS Governance Structure: Levels of Assurance, Escalation and Risk
