General Policy
Nurse Director
NHS Fife Risk Manager
NHS Fife Risk Manager
Director of Nursing
01 November 2009
01 December 2015
01 December 2018

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.

New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.


1.1 This policy is part of a suite of policies that enables the delivery of the NHS Fife Risk Management Framework.

1.2 It describes the current responsibilities and procedures to be followed in the process of risk identification and assessment and the development and maintenance of risk registers in NHS Fife. As part of the transition toward health & social care integration, by April 2016, the Parties will develop a shared risk management strategy and policy; these will describe the risk management arrangements to be implemented in relation to the delivery of integrated services, particularly any which are likely to affect the Integration Joint Board’s delivery of the Fife Strategic Plan.

1.3 The Board has a legal duty under the Health and Safety at Work Act 1974, to ensure, as far as is reasonably practicable, the health, safety and welfare of all employees. Compliance with the legislation includes duties towards patients, members of the public, contractors, and other people who use hospital premises. These duties, and the concept of risk management, are implicit in the Act and subsequent UK Health and Safety Regulations and are reflected in NHS Fife Policies.

1.4 We recognise that by their very nature, healthcare provision and the activities associated with caring for patients, employing staff, providing premises and managing finances can be complex and involve a degree of risk. These risks are present on a day-to-day basis throughout the organisation and some of these risks may never be totally eliminated.

1.5 Risks must not be seen merely as threats, but through informed decision making, as potential opportunities for success, innovation and improved performance by identifying gaps in capacity or service delivery. Risks must, however, be properly managed. If not, they have the potential to cause harm to patients, staff and others and may affect the reputation and assets of the organisation.

1.6 Risk identification and risk assessment can help organisations, teams and individuals set their priorities and improve decision-making to reach an optimal balance of quality and efficiency - risk, benefit and cost. It enables us to:

  • Gather facts about activities and services and their associated hazards and risks;
  • Highlight the need to eliminate or manage identified hazards and risks, in order to protect the safety and well-being of patients, visitors, staff, and the organisation as a whole;
  • Assist in the identification of risks that are a threat to the achievement of strategic objectives;
  • Take corrective actions when new risks are identified or existing risks are not adequately controlled;
  • Assess the likelihood and consequence of risks causing harm or damage;
  • Gauge the consequence of non-compliance;
  • Consider the consequences of not meeting key objectives.

1.7 In line with NHS Fife’s aspirations to be: person centred, clinically excellent, an exemplar employer and a sustainable organisation, we are committed to a process of proactive risk assessment and management within all of our services and activities. Risk assessment will be a key element of business and project planning, including the establishment, restructuring or redesigning of services and in the development of risk registers.

1.8 A risk register is a management tool that provides an organisation with information on its risk profile and is a repository for risk information across all areas of activity. This repository is at the heart of the internal control system and contains details of the risks that threaten NHS Fife’s success in achieving its stated aims and objectives.

1.9 In NHS Fife, the registers are populated through the organisation’s risk assessment and evaluation process. This process enables risks to be quantified and ranked. It provides a structure for collecting information about risks that will assist both in the analysis of risk, and in decisions about whether or how these risks must be controlled, managed and monitored.

1.10 Risk registers can also support decision making on how resources should be allocated. Ideally, all decisions such as changes in policy, procedures or practices, service developments, enterprises such as new projects and all associated resource commitments should result in reductions to the organisation’s highest priority risks. At all levels, proposals to make changes or commit resources must include reference to the effect this may have on the organisation’s risk profile.

1.11 In NHS Fife, Risk Registers must be recorded in the Risk Register Module of the Datix Risk Management Information System*, from this point to be referred to as Datix.

1.12 The appendices attached to this policy cover the following:


  • Appendix 1: Glossary of Terms
  • Appendix 2: The Risk Assessment Process
  • Appendix 3: Record of General Risk Assessment
  • Appendix 4: Assessing the Risk Level
  • Appendix 5: Risk Escalation
  • Appendix 6: Recommended Risk Register Content



2.1 This policy and associated procedures are applicable to all staff and, by agreement, contractors working within NHS Fife. It can also be used by independent GP, Dental, Pharmacy and Orthoptic contractors. The accountability arrangements of these independent contractors differ from those of NHS Fife employees, and therefore this policy should be seen as good practice guidance, and used in conjunction with the requirements of their own professional body. The named contractors will not have access to Datix to add/update risks so must act through an intermediary to make updates.


3.1 Fife NHS Board

3.1.1 The Board is responsible for ensuring that there is a clear and appropriate management structure that enables risk to be identified and decisions to be taken at an appropriate level.

3.1.2 The Board will be informed of the risks associated with achieving its objectives and will actively re-assess and monitor them.

The Chief Executive is responsible for

  • Ensuring that there are arrangements in place for identifying, evaluating and managing risk;
  • Providing resources for putting the policy into practice.


3.2.1 In practice, this responsibility is delegated to the Board Director of Nursing who, as the Executive Lead for Risk Management, is accountable to the Chief Executive for ensuring that policies and procedures are in place to support the effective management of risk.

3.3 NHS Fife Executive Directors’ Group

3.3.1 The NHS Fife Executive Directors’ Group (EDG) is responsible for maintaining the NHS Fife Corporate Risk Register.

3.3.2 The risk content of the Corporate Risk Register will be informed by the escalation procedures noted in Appendix 5, as well as the collective input of the NHS Fife EDG and Fife NHS Board. All corporate risks will be mapped to the Governance Committees of NHS Fife, which will be responsible for oversight and scrutiny of the management of the risks. Where applicable, these risks will also be aligned to HEAT targets and the Quality Ambitions.

3.3.3 The NHS Fife EDG will receive from the Community Services General Managers and Executive Directors, assurances on the management of risks in their respective areas of responsibility, including Groups and Committees under their jurisdiction. The evidence will be from minutes of meetings at operational delivery level where risks are discussed, performance reviews and other mechanisms to be agreed by said parties. These will demonstrate that risk is a standing agenda item at such meetings and show that discussion addresses:

  1. high level risks registered on the NHS Fife Corporate Risk Register;
  2. action plans associated with these high level risks or a summary of the key actions being taken to manage risks;
  3. high or moderate level risks managed within the area of responsibility which it is felt should be brought to the attention of the NHS Fife EDG;
  4. confirmation that the Priorities and Risk Framework risks have been identified and managed;
  5. any other high and moderate level risks and control measures;
  6. adverse events / trends in adverse events that represent a significant risk within the area of responsibility or to NHS Fife and any resultant significant management action;
  7. the desired target levels for risks where this is appropriate and an assessment of the progress made by the Committee / Community Service / Division / Directorate / Service in achieving its risk management objectives as well as, for example, highlighting any actions/action plans that have reduced risks;
  8. key actions required over the next six months.

3.3.4 The NHS Fife EDG will provide twice yearly reports to the NHS Fife Audit and Risk Committee and by extension Fife NHS Board, on the Corporate Risk Register. This will summarise key actions, changes and developments in relation to the risks therein and assure the Board that NHS Fife:

  • has complied with all relevant statutory requirements
  • has appropriate risk management processes and controls in place

3.4 NHS Fife Clinical Governance Committee

The Committee will:

  • Receive 6 monthly reports on the clinical governance risks in the high level risk registers of the Community Services, the Acute Services Division and the Corporate Risk Register, summarising key actions, changes and developments in relation to the risks
  • Monitor the management of clinical governance risks recorded on the Corporate Risk Register.

3.5 Director of Acute Services / Community Service General Managers / Executive Directors

3.5.1 Management Teams in the Acute Services Division, the Community Services and Corporate Directorates are responsible for maintaining, regularly reviewing and updating their risk registers in Datix and making these accessible to all staff. Risk registers will be used to help inform local planning, management decisions and priorities.

3.5.2 All risks must be allocated a risk owner who is the lead person assigned the responsibility for ensuring that the risk is adequately controlled and monitored. If allocating risk ownership to another individual, this must be discussed and agreed in advance. All risks require a handler. It is their responsibility to ensure that the risk is accurately recorded within Datix, that review dates are monitored to allow timely reviews to be carried out, and that Datix is updated accordingly.

3.5.3 The review of Divisional / Community Service / Corporate Directorate Risk Registers will be a standing management team agenda item at the clinical governance and risk management group meetings in the component parts of the organisation.

3.5.4 Risks will be reviewed to determine the adequacy and effectiveness of risk management arrangements; all actions and changes will be recorded in Datix.

3.5.5 Action must be taken as soon as possible, at the lowest possible level of the organisation, to eliminate, reduce or transfer the risk.

3.5.6 Any risk that cannot be managed at a Division / Community Service / Corporate Directorate Management Team level must be escalated by the Executive Lead for the area of risk to the NHS Fife EDG to be considered for inclusion on the Corporate Risk Register.

3.6 NHS Fife Risk Management Team

The Risk Manager, NHS Fife is responsible for providing leadership and direction to the NHS Fife Risk Management Team. The Team works across NHS Fife as part of the Clinical Governance Support Team, and in partnership with colleagues in the delivery units to support the development and implementation of an effective risk management framework. The Team is responsible for the co-ordination and monitoring of organisation-wide risk management activity across NHS Fife. This includes:

  • Developing strategy, policy and procedures relating to risk management to ensure the organisation meets its legal and corporate governance requirements
  • Communicating the benefits of systematically identifying workplace risks, assessing the associated potential for risk or harm and putting in place measures to control the risk
  • Producing composite risk management reports for individuals, groups, Standing Committees and the Board
  • Promoting a positive attitude to risk management by sharing good practice, communicating lessons learned and celebrating success
  • Delivering training and development to support effective risk management
  • Providing advice and support to individuals and teams on risk management including:
    • the development and implementation of risk registers
    • the management of adverse events and Significant Adverse Events and Reviews
  • Leading on the development and implementation of the Datix system (adverse events, risks, complaints and claims and actions modules) to:
    • improve knowledge and understanding of its use and potential
    • assist in the resolution of Datix user software problems

3.7 Service/Directorate/Departmental Managers

3.7.1 Senior and Line Managers are responsible for:

  • identifying, evaluating and managing risk within their areas of control;
  • ensuring risks are recorded in Datix, developing action plans and monitoring the plans until the risk has been reduced to its lowest reasonably practicable level;
  • ensuring that staff are consulted on matters relating to health and safety and other pertinent areas of risk;
  • ensuring that there are sufficient trained risk assessors/staff who have attended risk management training in their areas of responsibility;
  • allocating sufficient time for risk assessors to attend risk assessor/risk management training and to perform their risk assessment duties;
  • ensuring that staff do not carry out any work unless a suitable and sufficient assessment of the risks has been carried out and the necessary steps have been taken to adequately control the risk;
  • ensuring that all staff are aware of this policy, understand its content and those of local and associated procedures;
  • ensuring that employees are aware of their responsibilities with regard to risk assessment and risk management;
  • ensuring that risk assessments are reviewed at least annually, or immediately if in response to e.g. changes in procedures, equipment, location, personnel, legislation or other external requirements, new initiatives, technological developments, strategic change, adverse events, near misses, claims and complaints;
  • ensuring that staff groups and individuals identified as being at risk are given relevant information, instruction, training and supervision;
  • monitoring the effectiveness of risk control measures through an effective system of reporting, recording and investigating adverse events and near misses.

3.7.2 Managers must put into place systems at a local level to ensure that their Service/Directorate/Departmental risks recorded in Datix are accessible and available to all staff.

3.7.3 Managers at all levels must review action plans to ensure that actions have been implemented within preset timescales and monitor these to ensure that these actions are having the desired effect on the risks they are intended to address.

3.7.4 Service/Directorate/Departmental Management Teams will use Risk Registers to inform priorities for the local implementation and monitoring of agreed risk controls.

3.7.5 Management Teams are responsible for regularly reviewing and updating their Risk Registers in Datix with next review dates being set for all risks. Delays in completing reviews will be reported to the appropriate Divisional/Community Service clinical governance/risk management group/Management Team for consideration.

3.7.6 Managers must escalate any risk that cannot be managed at a Service/Directorate/Department level to the relevant Divisional/Community Service clinical governance/risk management group/Management Team for consideration and appropriate action.

3.7.7 Managers at all levels must review risks and monitor action plans at appropriate intervals to ensure that the risks remain current, and that relevant and appropriate actions have been recorded, implemented within timescale and are targeted towards eradicating the risk or effectively reducing the risk to an acceptable level.

3.7.8 Managers are responsible for recording and taking appropriate actions on risks identified through various sources including the following:

  • adverse events, complaints and claims
  • internal or external reviews
  • internal / external audits
  • leadership walkrounds

3.8 All employees are responsible for:

  • taking reasonable care of themselves and others who may be affected by their actions;
  • taking part in training and implementing learning to manage risk;
  • co-operating by following rules and procedures identified through the risk assessment process, designed to enable working in a manner which controls risk to as low a level as is reasonably practicable;
  • reporting all adverse events and near misses;
  • informing managers/colleagues/risk assessors of any new risks/hazards encountered during the course of their daily work; and
  • informing their managers if they believe that systems in place for the assessment or control of risks are ineffective or inadequate.


4.1 A risk assessment must be completed for risks that would prevent NHS Fife from achieving its objectives. This forms part of the Board Assurance process. Such risks will form part of the Corporate Risk Register and will be monitored, maintained and held by NHS Fife EDG and will be subject to review at its meetings. These meetings will provide for discussion about new and emerging risks.

4.2 The Acute Services Division, the Community Services and Corporate Directorates must, in the first instance, undertake baseline risk assessments to identify all their significant risks and develop a Risk Action Plan to manage these risks. Risks which have not been eliminated or satisfactorily reduced will form part of the Divisional/Community Service/Directorate Risk Register and will be the responsibility of the Director of Acute Services/Community Service General Manager/Executive Director.

4.3 NHS Fife will adopt a measured approach to solving a problem or a perceived risk. This will involve consideration of the impact of the proposed solution on all key stakeholders and/or services. If a comprehensive risk evaluation is carried out before taking action, the best and most cost effective option should emerge.

4.4 The Risk Register will enable NHS Fife to understand:

  • Risks that may prevent the organisation from achieving its objectives;
  • The highest priority risks;
  • The options for managing these risks;
  • The most cost effective options;
  • How, when, and if these options can be put in place;
  • If existing risk action plans (already in place) have been effective;
  • If risk action plans are being monitored appropriate to the risk level;
  • How the organisation will respond to the new risks

4.5 Sources of Potential Risks

4.5.1 Risk is inherent in all aspects of healthcare including:

  • care, treatment and service delivery;
  • organisational strategy and business planning;
  • design of services;
  • financial planning and purchasing;
  • health & safety
  • information governance e.g. data protection
  • projects and service developments
  • workforce arrangements

4.5.2 NHS Fife recognises that its risk registers will be populated with information from a range of internal and external sources. These may include the following:

  • Adverse Events and Reviews
  • Business Cases & Plans
  • Business Continuity Plans
  • Care Commission Reviews
  • Changes in Statute/regulatory guidance
  • Claims
  • Clinical Audit Reviews
  • Complaints
  • Confidential Enquiries
  • Environmental Health
  • External Audit Reports
  • External Review e.g. NHS Healthcare Improvement Scotland (HIS) including Healthcare Environment Inspectorate (HEI) / Scottish Public Service Ombudsman (SPSO) / Health and Safety Executive (HSE) Reviews / Mental Welfare Commission (MWC)
  • Failure Modes and Effects Analysis (FMEA)
  • Fife Fire Authority
  • Fire Safety Reviews
  • Guidelines (e.g. SIGN / NICE / NPSA)
  • Health & Safety Reviews
  • Horizon Scanning
  • Internal Audit Reports
  • Losses and Compensation Register
  • Patient Feedback
  • Performance/Activity Reports
  • Professional Bodies
  • Recruitment/Retention/Absenteeism data
  • Risk Assessment Process (see Appendices 2, 3 and 4);
  • Safety Action Notices / Product Recalls
  • Scenario-based exercises
  • Scottish Environment Protection Agency
  • Senior Leadership Walk Rounds / other Walk Rounds e.g. HAI
  • Staff Surveys
  • Training Needs Analyses
  • Other legal or regulatory reviews.

4.6 Risks will be identified through the routes highlighted above and by the Division, Community Services, Corporate Directorates, Wards and Departments of the organisation. The risk rating will determine the degree and detail of monitoring within the documented action plan.

4.7 The Risk Register and Risk Action Plans should be flexible enough to allow the organisation to respond to unforeseen risks, serious adverse events, external events or changes in national policy. Appendix 6 provides guidance on the field names and their description when using Datix to record risks and action plans.

4.8 All risks must be categorised by risk type and subtype. The options are continually evolving and are available via drop down boxes in Datix.


5.1 Appendices 2, 3, and 4 detail the steps for conducting a risk assessment and formulating risk action plans.

5.2 It is recommended that risk assessments are initially scoped out on the NHS Fife ‘Record of Risk Assessment’ form (see Appendix 3) prior to entering in Datix. The person assessing the risk and the manager or head of department must sign this. Managers are advised to keep a copy of the assessment form and attach it to the documents section in Datix.

5.3 The risk rating will determine the level of risk and the degree and detail of monitoring within the documented action plan.

5.4 If the current risk level is assessed as moderate or high, a risk action plan should be developed. Actions should be recorded in the Datix Actions module which is linked to the risk register module. The action plan must be implemented and/or escalated as necessary (see Appendix 5) and entered into Datix (see Appendix 6).

5.5 All risk assessments must identify a review date and be regularly reviewed.

5.6 Assessments must be reviewed immediately if:

  • there is reason to suspect it has become invalid;
  • there has been a significant change in the previously assessed work / task / project / equipment;
  • there has been a change in the law or guidance concerning the work/task/project;
  • there has been a change in the staff undertaking the task assessed; or
  • an adverse event or near miss has been reported and subsequent investigation recommends a review.

5.7 Managers must review plans as necessary to ensure that objectives are current and achievable.

5.8 Managers must review risk action plans regularly to ensure that time-bound objectives identified in the plans have been achieved.

5.9 Reviews/revisions should continue until all objectives identified have been achieved.

5.10 The manager, through a process of consultation, will nominate staff members for appropriate risk management training, dependent on the nature of the work and the location(s) of the work place.

5.11 The manager or supervisor must inform staff:

  • of the findings of a risk assessment for any work/task/activity in which they are involved;
  • about the dangers and risks to themselves or anyone affected by the activity arising from their work;
  • of any precautions to be taken;
  • what to do in the event of an emergency; and
  • how and when to report adverse events and near misses


Managers must ensure all unplanned events that did result in, or could have resulted in, harm, loss or damage are reported in line with the NHS Fife Adverse Events Policy GP/I9.

Managers must report events e.g. release of a dangerous substance, a failure of medical equipment or certain defined injuries or diseases associated with work, to external agencies in line with guidance in the NHS Fife Adverse Events Policy GP/I9.


This policy is a key part of NHS Fife’s system for managing risk, the principles of which are described in the NHS Fife Risk Management Framework.


NHS Fife Adverse Events Policy GP/I9 and Management of Significant Adverse Events and Reviews: Supporting Guidance & Resources (2015)

NHS Fife Risk Management Framework 2014

NHS Fife Strategic Framework (2015)


Australian/New Zealand Standard: Risk Management (AS/NZS4360:2004 Risk Management Standard), (2004) Standards Australia/Standards New Zealand

Clinical Governance and Risk Management Standards (2005), NHS Quality Improvement Scotland

First Consultation Draft Health & Social Care Integration in Fife - Strategic Plan for Fife 2016-19 (2015)

National Patient Safety Agency - Healthcare risk assessment made easy (2006)

NHS Scotland Quality Strategy (2010)

Priorities and Risks Framework National Audit Planning Tool for Local Government, Audit Scotland (2011/12)
