Risk Assessment Tool and Guidance (Including guidance on application) / 5 x 5 Matrix - HSE (Health Service Executive) - Ireland
ID 20501 | 03.10.2023 / Documenti allegati
Risk assessment is an essential part of risk management and is the overall process of risk identification, risk analysis and risk evaluation (ISO 31000: 2009).
- Risk Assessment Tool
- Risk Assessment Tool and Guidance (Including guidance on application)
The management of risk is integral to the business process of all levels in the HSE.
This is not only a HSE Board requirement as set out in the HSE’s Integrated Risk
Management Policy but is also central to the HSE’s system of internal control.
For management to ensure that the time spent on managing risks is proportionate to the risk itself, services should have in place efficient assessment processes covering all areas of risk. The HSE has developed a Risk Assessment Tool to support this process. This tool should be applied uniformly to all processes where risk assessment is required e.g. health and safety risk assessment, risk assessment for the purpose of developing and populating risk registers, project management etc. It is not intended that this tool replace the risk assessment process used in specific clinical or care situations e.g. falls, tissue viability etc.
Guidance on Risk Assessment and the use of the HSE’s Risk Assessment Tool
1. Risk Identification
Risk can be defined as “the chance of something happening that will have an impact on the achievement of organisational stated objectives” (HSE 2008) or “the effect of
uncertainty on objectives” (ISO 31000:2009)
This step in the risk assessment process seeks to identify the risks to be managed. A risk assessment may concentrate on one or more area of impact relevant to the organisation or activity i.e. it may be specific to a particular project or hazard area e.g. biological hazards or it may be conducted on a more general basis e.g. for the purpose of developing a service or organisational risk register. It is essential that the employees identifying risks are knowledgeable about the policy, service area, process or activity being reviewed.
When areas of risk have been identified it is important that these are described in a manner that accurately and comprehensively ensures that the exact nature and magnitude of the risk is captured. To assist with this the following approach should be used.
The ‘ICC approach’ to risk description (Impact, Cause, Context)
- Risk is inherently negative, implying the possibility of adverse impacts. Describe the potential Impact if the risk were to materialise.
- Describe the Causal Factors that could result in the risk materialising.
- Ensure that the Context of the risk is clear, e.g. is the risk ‘target’ well defined (e.g. staff, patient, department, hospital, etc.) and is the ‘nature’ of the risk clear (e.g. financial, safety, physical loss, perception, etc.)
Injury to staff and service users (Impact) due to poor maintenance of flooring (Causal Factor) in the reception area (Context).
Project overruns resulting in financial loss (Impact) due to the unavailability of key project staff (Causal factor) within Procurement (Context).
2. Risk Analysis
Risk analysis is about developing an understanding of the risks identified. In subjecting a risk to analysis it is essential that account is taken of the existing control measures.
2.1 Describe of the existing control measures
These include all measures put in place to eliminate or reduce the risk and include processes, policies, procedures, guidelines and engineering controls, training, emergency arrangements, preventative maintenance controls, protocols, team working, etc.
2.2 Make a judgement on the adequacy of the existing control measures.
When examining the existing control measures, consideration should be given to their adequacy, method of implementation and level of effectiveness in minimising risk to the lowest reasonably practicable level.
2.3. Rate the risk in terms of determining the likelihood and the impact of the risk occurring.
Risk is measured in terms of likelihood and impact i.e. the likelihood of an event occurring combined with its impact (consequence). The methodology for measuring risk in this way plots a single ascribed value of likelihood against a single ascribed value of impact and therefore reduces risk to a single, easily comparable value.
This process, except in the relatively rare case where statistical data are available, uses informed but subjective judgement in assigning the values for likelihood and impact. If different risks are to be compared across the HSE, it is necessary to minimise the variation in the judgement applied to the values of likelihood and impact assigned to a risk.
This requires the adoption of a HSE-wide, standardised approach to the assignment of likelihood and impact.
Rare/Remote (1) Unlikely (2) Possible (3) Likely (4) Almost Certain (5)
Two elements are determined when assessing the level of risk posed by the risk that has been identified;
(i) The likelihood that a risk may occur or reoccur.
(ii) The impact of harm to service users, staff, services, environment or the organisation.
The likelihood table (table 1) is used to assess the likelihood of the risk occurring
TABLE 1: LIKELIHOOD SCORING
Likelihood scoring is based on the expertise, knowledge and actual experience of the group scoring the likelihood. In assessing likelihood, it is important to consider the
nature of the risk. Risks are assessed on the probability of future occurrence; how likely is the risk to occur? How frequently has this occurred?
It should be noted that in assessing risk, the likelihood of a particular risk materialising depends upon the effectiveness of existing controls. In assessing the likelihood, consideration should be given to the number and robustness of existing controls in place, with evidence available to support this assessment. Generally the higher the degree of controls in place, the lower the likelihood.
The assessment of likelihood of a risk occurring is assigned a number from 1-5, with 1 indicating that there is a remote possibility of its occurring and 5 indicating that it
is almost certain to occur.
In developing a single risk matrix the HSE considered a range of types of harm that can occur across the organisation. The following areas of risk must be managed to prevent or minimise harm occurring.
Injury to Service User/Staff/Public Risks
Risks which may contribute to the physical or psychological harm of an individual.
Service User Experience Risks
Risks which threaten the delivery of service to service users in terms of quality, in a comfortable, caring and safe environment, delivered in a calm and reassuring way; having information to make choices, to feel confident and to feel in control; being listened to and talked to as an equal; being treated with honesty, respect and dignity.
Compliance with Standards (Statutory, Clinical, Professional and Management) Risks
Risks associated with compliance with requirements in relation to the standards set out in relation to the organisation and delivery of high quality services i.e. Statutory, Clinical, Professional and Management Standards.
Objectives and Project Risks
Risks relating to the procedures/technologies etc employed to achieve particular objectives and projects.
Business Continuity Risks
Risks which threaten the organisation’s ability to deliver its services and serve the community.
Adverse Publicity/Reputation Risks
Risks to the public reputation of the organisation and their effects.
Financial Loss Risks
Risks relating to procedures/systems/accounting records which expose the organisation to financial risks, including risks to assets.
Risks which threaten the prevention, limitation, elimination, abatement or reduction of environmental pollution and the preservation of a quality environment.
To determine the impact of this harm should it occur, each risk area has been assigned descriptors over 5 levels ranging from negligible to extreme harm. In
scoring impact, the anticipated outcome of the risk is grade from 1-5, with 5 indicating a more serious Impact, as defined in the table 2 below.
TABLE 2: IMPACT SCORING
Each area of risk, in relation to the impact scoring, is outlined in table 3.
How to use the Impact scoring table
Choose the most appropriate Risk Category(s) into which the risk identified falls e.g. Injury to patient, staff or public. In many instances, you will be able to score the risk under a number of categories (e.g. the risk of a serious medication incident may result in injury to a patient, be a result of non-compliance with an internal clinical standard and have the potential to attract adverse media attention). All areas should be considered when scoring.
Assess the impact of that risk being realised for each risk area. Working along the table, select the Impact that most closely matches each e.g. minor. In instances where several of the risk categories are appropriate, all of these risks should be scored separately and the highest impact category score is the score given to that risk e.g. if it scored moderate for injury and minor for compliance with standards, the overall impact assigned should be moderate (being the higher of the two)
Assign an impact score. This is the number assigned to the impact chosen and appears at the top of the selected column i.e. in the case of a moderate impact the scoring is 3.
Guidance on the Initial Risk Rating
Having established the likelihood and impact scores, the scores should be plotted on the Risk Matrix (see table 4 on the next page) and to determine the rating of the risk being assessed in terms of a colour and a numerical score for the risk (e.g. a moderate impact 3 and a possible likelihood 3 will result in a rating of an amber 9).
- The high risks are scored between 15 and 25 and are coloured Red.
- Medium risk are scored between 6 and 12 and are coloured Amber.
- Low risks are scored between 1 and 5 and are coloured Green.
TABLE 4: HSE RISK MATRIX (COMBINING IMPACT AND LIKELIHOOD)
Example 1: Likelihood of 3 (Possible) x Impact of 2 (Minor) = 2 x 3 = 6 (Amber)
Example 2: Likelihood of 2 (Unlikely) x Impact of 3 (Moderate) = 3 x 2 = 6 (Amber).
add in attachment
HSE Health Service Executive - Ireland
IWA 31:2020 Risk management - Guidelines ISO 31000
Matrice del rischio conforme EN ISO 12100
Stima del rischio: scelta delle matrici del rischio
EN ISO 12100 e ISO/TR 14121-2: Esempio Valutazione del rischio
Tags: Abbonati Full Plus