Document control:
Document control information
Policy Name: Risk Management Policy and Strategy
Policy Number: C003
Version: 1.0
Status: Final – Approved
Author / lead: Associate Director of Governance
Responsible Executive Director: Executive Director of Corporate Services
Responsible Committee: Audit, Risk and Compliance Committee
Date ratified by Responsible Committee: 24 March 2026
Date approved by Board/Effective Date: 1 April 2026
Next review date: April 2027
Target audience:
– Integrated Care Board (ICB) members and staff (including temporary/bank/agency/voluntary/work experience staff).
– Contractors engaged by the ICB.
– Staff from other organisations who are members of ICB Committees/Sub-Committees and other groups.
Stakeholders engaged in development of policy (internal and external):
– Governance Leads.
– Audit, Risk and Compliance Committee.
– Executive Committee.
Impact assessments undertaken: Equality Impact Assessment
Version history:
Version: 0.1
Date: 21/03/26
Author (Name and title): Nicola Adams, Associate Director of Corporate Services
Summary of amendments made: First draft of ICB Risk Management Policy and Strategy
Version: 1.0
Date: 24/03/26
Author (Name and title): Helen Chasney, Governance Senior Officer
Summary of amendments made: Final – Approved version
Introduction
From 1 April 2026, the new Essex Integrated Care Board (‘the ICB’) assumes its role as the statutory strategic commissioning body for NHS services for the population of Essex. The ICB is responsible for ensuring that risks which may impact the achievement of its corporate objectives (derived from and set out in greater detail in the Population Health Improvement Plan), statutory duties, or commissioning responsibilities are identified, assessed and managed in a consistent and transparent way, and that they form the bedrock of decision-making and reporting across the ICB. This policy and strategy set out how the ICB will establish and manage its risk framework to that end, across all areas of its work.
The ICB recognises that commissioning high-quality, sustainable healthcare services inherently involves risk. Taking well-managed and informed risks can also create opportunities to innovate, improve outcomes and reduce inequalities. The ICB does not seek to operate in a risk-free environment; rather, it aims to ensure that risk is routinely identified, understood and managed through proportionate and embedded structures, processes and behaviours.
Risk is defined as the effect of uncertainty on objectives, whether representing a potential opportunity or a threat. Effective risk management involves identifying and assessing risks (including inherent risks), implementing controls and mitigations, monitoring their effectiveness, and taking action where further intervention is necessary. A structured and systematic approach enables the ICB to avoid exposure to extreme or unmanaged risks, and to support efficient, evidence-based decision-making.
An effective framework must support continuous learning. The ICB will ensure that risks are identified, analysed, prioritised, mitigated and reported at all appropriate levels, including through its committees and the Board. Regular reporting enables the Board to understand changes in the ICB’s risk profile and provides assurance on whether internal control systems are operating effectively.
The way in which those accountable for risk engage with the risk management process reflects principles set out in HM Treasury’s Orange Book: Management of Risk – Principles and Concepts (2023), depicted below, and the NHS England Risk Management Framework (v4.0, 2025). This framework underpins how the ICB balances strategic oversight with operational accountability and ensures a coherent approach to risk management across the organisation.

The Board Assurance Framework (BAF) and Corporate Risk Register (CRR) are central components of this approach. The BAF focuses on strategic risks that may affect the delivery of the ICB’s objectives, while the CRR captures operational risks owned by Directorates. A defined escalation process ensures that material risks that may affect strategic delivery are escalated to Board level.
This is a controlled document. Whilst this document may be printed (please consider if this is necessary), the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the website (or requested from the Governance Lead/Team) to ensure the most up-to-date version is used.
Purpose / Policy Statement
Purpose
This policy sets out the overarching framework for identifying, assessing, managing, reporting and escalating risks across the Essex ICB. It supports the Board, committees, staff and risk owners in fulfilling their roles and responsibilities in managing risk effectively.
The purpose of the strategy is twofold. Firstly, to set the direction as to how the maturity of the risk framework will evolve over time, seeking consistent and continual improvement. Secondly, once the framework has been established, it seeks to enact meaningful change that will better manage risk over time and thus support delivery of the Population Health Improvement Plan to make health services better in Essex, meaning that the ICB will:
- Establish a consistent service offer.
- Reduce long waits for care.
- Implement evidence-based practice.
- Improve public perception of NHS Services.
- Make the best use of public money.
- Act in cases of poor performance.
Policy Statement
The ICB acknowledges that commissioning NHS services is inherently risky and that well-managed risk-taking can enable innovation, improvement and better outcomes. The ICB therefore aims to create an environment in which risk is identified and considered routinely and managed proportionately, not avoided.
Effective risk management supports the ICB in providing a safer, more efficient commissioning environment, in realising opportunities, and in achieving its strategic objectives and delivering the Population Health Improvement Plan. The ICB is committed to embedding risk management into its organisational culture, governance processes and planning cycles, ensuring that responsibility for risk is understood and accepted at every level.
While the ICB engages constructively with partners and stakeholders, its risk management responsibilities relate to its own statutory functions as a strategic commissioner, rather than to whole-system or system-wide oversight. Collaborative working remains important to understand shared risks, but the ICB will only hold and manage risks that fall within its defined scope of accountability.
The ICB’s specific objectives for embedding a mature and integrated approach to risk management include:
- Maintaining an up-to-date and effective Risk Management Policy and Strategy.
- Strengthening ownership of risks across Directorates and at Board level.
- Ensuring staff and Board members receive appropriate training and support.
- Routinely reviewing and improving the maturity of the ICB’s risk processes.
- Revisiting the Board Assurance Framework and Corporate Risk Register to establish the approach for Essex ICB.
- Ensuring that risks are regularly reviewed, updated and escalated where necessary and that risk is the primary driver of decision-making.
- Ensuring that assurances, internal and external, clearly align to risks and support the Annual Governance Statement.
- Supporting committees to discharge delegated risk-related responsibilities effectively.
Scope
The ICB’s risk management arrangements apply to all ICB staff (including temporary/agency/voluntary/work experience staff), Board members, and persons acting on behalf of the ICB, including contractors.
While the ICB works collaboratively with NHS and non-NHS partners, its accountability for risk lies within its own statutory remit as strategic commissioner. The ICB no longer holds system-wide responsibility for risk; however, it will remain an active participant in relevant partnership forums to ensure that shared risks affecting commissioning decisions are understood and appropriately reflected in ICB risk processes where required.
The resources available for managing risks are finite. The ICB will therefore prioritise its response to risk in accordance with its evaluation of likelihood and impact, striking a balance between cost and benefit. Through the annual review of the ICB’s risk appetite, the Board will determine the level of risk it is willing to accept and/or tolerate in pursuit of its strategic objectives.
Definitions
- Assurances – evidence relied upon by the organisation to provide it with a level of assurance that its controls are effective (positive assurance) or ineffective (negative assurance). Sources of assurance can be internal or external, with the latter considered to provide a higher level of assurance. Assurances are drawn from the Three Lines Model (management oversight, functional oversight and independent audit).
- Board Assurance Framework (BAF) – the key document used to record and report to the Board significant risks (strategic risks) to achieving its strategic objectives. It is used to support the Governance Statement that the Chief Executive is required to sign-off at the end of each financial year.
- Controls – measures implemented to reduce risk and prevent harm. These include systems and structures, processes, policies, guidelines, professional practice, and training.
- Corporate Risk Register – contains the red rated risks of directorate risk registers that are then owned by the Executive Committee.
- Datix – the system used by the ICB to record, categorise, assess and manage its risks and produce reports for committees and the Board.
- Directorate Risk Register – the register of risks relating to a specific directorate, whereby risks can be escalated to the corporate risk register where they are deemed to be a red rated risk that could impact the achievement of corporate objectives. Risks can also be downgraded to a team risk register where they no longer affect directorate objectives.
- Hazard – any source (incident/event/circumstances) of potential damage, harm or adverse effect on someone, something, the organisation or the environment.
- Inherent Risk – the level of exposure arising from a specific risk before any action has been taken to manage it. This is often referred to as the ‘initial risk rating’.
- Integrated Risk Management – the management of risk across the organisation at varying levels via a range of processes. In addition to the maintenance of the risk register and BAF, this includes undertaking specific risk assessments, performance reporting and the management of incidents, complaints, and claims. Taking an integrated risk management approach enables the triangulation of data/findings and the sharing of learning.
- Operational Risks – a risk that is most likely to impact on an organisation’s ability to undertake its day-to-day internal functions in a safe and efficient manner. These risks tend to affect one department or a specific area of business and are often held on a team risk register.
- Project Risks – risks that relate specifically to an individual project and are unlikely to have an impact beyond the project’s scope or lifespan. Risks and issues identified during the course of a project should be assessed in the context of that project. As such, even where a project risk is scored as high, it may not warrant inclusion on the directorate or corporate risk register or BAF. However, project managers must ensure that any significant risks which could compromise the successful delivery of the project are escalated to the Director accountable for that project. The Director will determine whether the risk should be added to the corporate/directorate risk register, seeking advice from the Governance Lead as necessary.
- Residual Risk – the level of exposure arising from a specific risk after mitigating action has been taken to manage it.
- Responsible Executive Director – the Executive Director with overall responsibility for managing risks within their remit. These individuals will be identified on the risk register and BAF.
- Risk – the potential of a situation or event to impact on the achievement of specific objectives. Risks can arise in many ways and include clinical, non-clinical, financial, environmental, workforce, equality and diversity and reputational risks. In the Orange Book, risk is defined as the “uncertainty of outcome, whether positive opportunity or negative threat, of actions and events”.
Risk is characterised by two factors, being a combination of the consequences/impact of a hazard and the likelihood of occurrence.
- Risk Appetite – the amount and type of risk the Board is willing to accept in pursuit of its objectives. This will also consequently define the ‘target risk rating’.
- Risk Lead – the operational lead (i.e., a senior manager or workstream lead) who has been delegated responsibility for managing specific risks. These individuals will be identified on the risk register and BAF and are responsible for ensuring action is taken to mitigate risks and for providing updates on their status for inclusion on the risk register and BAF.
- Risk Management – a coordinated set of activities to identify, assess and control risks to support decision-making and achieve objectives.
- Risk Materialisation – the time at which a hazard or adverse circumstances thought possible occur. This may also trigger an ‘issue’ that needs urgent attention to address or mitigate.
- Risk Profile – the documented overall assessment of the range/type, number and rating of risks faced by the organisation.
- Risk Rating – the level of risk at a particular point in time (i.e. initial, current or target risk rating) expressed by calculating the risk rating score by using the impact and likelihood assessment tables at Appendices C and D and the risk rating matrix at Appendix E. Depending on the score, risks will be categorised as Red, Amber, or Green (often referred to as the ‘RAG’ rating).
- Risk Register – a document detailing all risks identified by the organisation. The ICB will maintain a central repository/database of all risks, registered on the Datix system, to enable risk registers to be produced for directorates, committee and Board meetings.
- Risk Tolerance – the acceptable level of variation from the risk appetite.
- Strategic Objectives – the main objectives (aims) agreed by the ICB as set out in the Population Health Improvement Plan, against which all risks are mapped. The ICB’s current strategic objectives are set out in Appendix B and will be reviewed annually.
- Strategic Risk – a risk with the potential to have significant impact upon the achievement of strategic objectives affecting the whole or several areas of the organisation (as opposed to one department). These risks have the highest potential for external impact. Red rated/extreme risks will be recommended by the Responsible Director/Committee to the Board for consideration as strategic risks and inclusion on the BAF.
- Team Risk Register – a register of risks to the achievement of team objectives, which are not considered to impact on directorate objectives.
Roles and Responsibilities
ICB Board
The Board is accountable and responsible for ensuring that the ICB has an effective risk framework in place for managing risks that might compromise the achievement of its strategic objectives and statutory duties.
The Board reserves authority to set and review the ICB’s risk appetite annually and to approve and review the Board Assurance Framework.
The Board will seek regular assurance via the Board Assurance Framework (BAF), from its committees and other sources regarding the effectiveness of the risk framework and internal controls and will ensure further mitigating action is taken where necessary.
All ICB Committees, Sub-Committees and Groups
All ICB committees, sub-committees or groups have responsibility for identifying, assessing, reviewing and monitoring specific risks within their remit, ensuring systems are established to mitigate/manage risks and for providing regular assurance to the ICB Board (or in the case of sub-committees, to the relevant committee) that systems of internal control to manage risks are effective, and for the escalation of significant risks where necessary.
All risks will identify committees, sub-committees and/or groups who will be responsible for overseeing the risk, according to their remit. Risk registers will be produced and presented to relevant Board sub-committees and groups as necessary to facilitate their review and enable scrutiny of the risks. This will enable Board sub-committees to provide assurance to the Board accordingly.
ICB committees will make recommendations regarding the management of risks and how they should be graded, downgraded or escalated.
Audit, Risk and Compliance Committee
The Audit, Risk and Compliance Committee provides independent oversight and scrutiny aligned to the third line model. It provides assurance on the effectiveness of internal control and the risk framework, as well as overseeing internal and external audit findings, and other independent sources of assurance on the ICB systems of internal control.
The Audit, Risk and Compliance Committee has responsibility ‘as the sponsoring committee’ for monitoring the ICB’s compliance with this policy.
The Audit, Risk and Compliance Committee will seek assurance that risks are being appropriately and robustly managed via receipt of a report on the BAF, the minutes of other ICB committee meetings and other reports on specific issues requested by the committee.
The Audit, Risk and Compliance Committee will review the outcome of the annual internal audit of governance and risk management arrangements which, along with other assurances received, will enable the committee to recommend the Governance Statement is signed-off by the Chief Executive at the end of each financial year.
The Audit, Risk and Compliance Committee also has responsibility for reviewing and monitoring any specific risks within its remit and for providing regular assurance to the ICB Board, including escalation of significant risks where necessary.
The Executive Committee
The Executive Committee shall have oversight of the Corporate Risk Register, approving new risks and de-escalation of risks to directorate risk registers. The Committee will ensure that corporate risks are appropriately managed and will have oversight of BAF reporting to the Board.
The Executives are collectively responsible for the delivery of actions to manage risks and for ensuring those actions are effective in reducing risks to their target level. They provide ‘first and second lines of defence’ assurance to committees and the Board through reports and BAF updates.
Chief Executive
The Chief Executive has overall accountability for effective risk management within the ICB in line with legislation and guidance issued by NHS England, the Department of Health and Social Care and HM Treasury.
The Chief Executive will report annually to the ICB Board on the adequacy of internal control and risk management within the Governance Statement that forms part of the Annual Report and Accounts.
Executive Director of Corporate Services
The Chief Executive has delegated overarching responsibility for risk management to the Executive Director of Corporate Services, supported by the Associate Director of Governance, with each Executive Director being responsible for risks aligned to their functions.
Executive Director of Finance and Commercial
The Executive Director of Finance and Commercial has delegated responsibility for financial risk management and will ensure:
- The effectiveness of the ICB’s financial control systems.
- Significant financial risks faced by the ICB are identified and managed effectively.
- Audit, Risk and Compliance Committee and Internal Audit effectively perform their roles in assuring the ICB’s system of internal control.
- Robust counter fraud arrangements are in place and comply with NHS standards in relation to counter fraud.
The Executive Director of Finance and Commercial also acts as the ICB Senior Information Risk Owner.
Executive Chief Nursing Officer
The Executive Chief Nursing Officer has lead responsibility for the safety and quality of services and is accountable for safeguarding children and adults, working in partnership with responsible local authorities and other key agencies to ensure that the ICB’s statutory safeguarding duties are met.
The Executive Chief Nursing Officer provides assurance to the Board within their remit and in line with local and national legislation and guidance and will ensure that any associated risks are appropriately captured on the risk register and escalated to the Board and BAF where necessary.
The Executive Chief Nursing Officer also acts as the ICB Caldicott Guardian.
All Executive Directors, and other Managers
All Executive Directors and other managers are responsible for ensuring that appropriate and effective risk management processes are in place within their designated areas and scope of responsibility and that they comply with the requirements of the ICB’s risk management arrangements, including regularly reviewing risks with their staff at directorate/departmental meetings and reporting risks to the appropriate Committee or Board, including making recommendations to add, close or re-categorise risks as appropriate.
They are responsible for ensuring that all members of their staff are aware of risks relevant to their area of work and of their personal responsibilities as set out in section 5.13 of this policy. They must ensure their staff receive appropriate information, instruction, and training to enable them to undertake their roles effectively and safely.
Responsible Executive Directors may delegate the management of some of the operational risk management processes to an appropriate senior manager, who will be named as the ‘Risk Lead’ on the risk register/BAF.
Policy Author
The policy author will have responsibility for developing and updating the policy in line with Section 9.
Governance and Risk Manager
The Governance and Risk Manager, reporting to the Associate Director of Governance, has responsibility for managing the risk management process, including liaising with risk leads for updates, production of the BAF and risk registers for Board/Committee meetings, provision of risk management training and having oversight of risks.
Business Managers
Business Managers will ensure that their directorate risk registers are up to date and that risks are discussed monthly at senior team meetings. Business Managers will provide administrative support updating risks recorded on Datix.
Business Managers will ensure that all staff within their directorate have undergone appropriate risk management training.
All Members of ICB Staff
All members of staff are individually responsible for:
- Familiarising themselves with the content of this policy and associated procedures and following these.
- Identifying, assessing, and putting systems in place to mitigate any risks to the achievement of the ICB’s strategic objectives and those within their remit, to ensure risks are managed and escalated where appropriate through the risk register and associated processes.
- Reporting incidents/accidents and near misses using the ICB incident reporting procedure.
- Being aware of their duty under legislation to maintain safe working practices and to take reasonable care of their own health, safety, and welfare and that of others by complying with all relevant ICB policies, procedures and guidance.
- Being aware of any emergency procedures relevant to their role and place of work, e.g., security/lockdown and fire safety procedures.
- Completing their mandatory training and attending risk management training and development events relevant to their role.
Policy Detail
Overview of Risk Management Process
The ICB has adopted the Australia/New Zealand risk management model, advocated within the Orange Book, which sets out the following stages to manage risk:
- Establish the context
- Identification of hazards
- Analyse risk
- Prioritise risk
- Treat risk
- Monitor and review
- Communicate and Consult.
Each stage of the risk management process should be documented in order to:
- Demonstrate the process is conducted properly.
- Provide evidence of a systematic approach.
- Provide a record of risk and develop the ICB’s knowledge of risk.
- Provide relevant decision makers with a risk management plan for approval etc.
- Provide an accountability mechanism and tool.
- Facilitate review and monitoring.
- Provide an audit trail.
- Share and communicate information.
This will be achieved through recording risks and how we manage them on the Datix system. The diagram below and paragraphs 6.2 – 6.11 summarise this model:

Establishing the Context
Establishing the context is the first step in the risk management process. It defines the scope within which risks will be identified, assessed and managed, and ensures that all risk activity is anchored to the ICB’s purpose and strategic direction.
For Essex ICB, the context for risk management is set by our Population Health Improvement Plan, which is the organisation’s primary strategy. This plan establishes the ICB’s key objectives, outlines the outcomes we aim to achieve for our population, and provides the framework through which we discharge our statutory duties as a strategic commissioner.
The ICB’s strategic objectives for 2026/27 have been defined as:
- Health inequalities narrowing year on year.
- A decisive shift towards neighbourhood care delivery and prevention.
- Timely access and excellent outcomes across services.
- Financially and clinically sustainable services across Essex which are safe and high quality.
- An organisation that is up to the job, good to work for and good to partner with.
The ICB’s risk management arrangements provide the Board with assurance that these objectives are being delivered safely, effectively and within our defined risk appetite. They also enable senior leaders to identify and manage threats or opportunities that could affect delivery of the Population Health Improvement Plan or the wider statutory responsibilities of the ICB.
The ICB’s strategic objectives are therefore derived directly from the Population Health Improvement Plan and reflect the organisation’s core commissioning responsibilities, financial duties, and governance requirements. By setting a clear strategic context, the ICB ensures that all risks, whether strategic, operational, financial, performance-related or quality-related, are assessed consistently and managed in a way that supports the achievement of those objectives.
The risk management programme is the primary system by which the Board can gain assurance that the ICB is delivering its objectives, functions and duties.
Identifying Risks
Identifying risks is the first step in building the ICB’s risk profile. The purpose is to generate a clear, comprehensive view of events or conditions that could support or impede achievement of the ICB’s strategic objectives, particularly those set out in the Population Health Improvement Plan.
Essex ICB will use a combined top-down and bottom-up approach to ensure risk identification is thorough and embedded across the organisation. This aligns with Orange Book expectations for collaborative, informed, and structured risk processes.
Top-down identification – Senior leaders, through Executive discussions, Board development sessions and regular review of the Board Assurance Framework, identify strategic risks related to the ICB’s statutory functions, commissioning responsibilities and strategic objectives. This ensures emerging and horizon-scanned risks are recognised at the earliest opportunity.
Bottom-up identification – Directorates, teams and workstreams identify risks associated with their operational objectives, performance, quality, and delivery responsibilities. Staff are encouraged to raise risks that may affect delivery, patient experience, safety, or workforce wellbeing. This ensures that operational insight informs the overall risk picture.
Proactive and reactive identification – Risk identification will use:
- Reactive learning from past experience, incidents, complaints, audits and performance issues.
- Proactive horizon scanning, recognising potential future risks before they materialise. This is consistent with Orange Book guidance on anticipating uncertainty.
Recording risks – All identified risks must be recorded on Datix, using the ICB’s standard risk template. Risks are mapped to the relevant Directorate or strategic objective to ensure consistent ownership and alignment with the ICB’s organisational structure.
Once identified, each risk is assessed to understand its likelihood and impact, producing an inherent and residual risk score. Risks are then prioritised for escalation, mitigation and monitoring in line with the ICB’s risk management framework.
Assessing/Analysing Risks
Risk assessment helps the ICB understand the nature, scale and urgency of each risk so that appropriate decisions can be made about mitigation, escalation and monitoring. It is carried out consistently across the organisation and recorded on Datix.
Risk Analysis – Risk analysis involves understanding the causes, potential consequences and interdependencies of the risk. This includes identifying whether the risk could lead to multiple outcomes, positive or negative, and considering how it interacts with other risks or organisational priorities.
The following categories are included on Datix to classify the area potentially impacted by the risk:
- Acute Hospital Demand
- Claims & Complaints
- Finance
- Health Inequality
- Patient Experience
- Patient Safety & Harm
- Primary Care Demand
- Regulator Penalties
- Reputational Damage
- Safeguarding
- Service Delivery
- Human Resources / Organisational Development capacity
- Data Quality / Information Governance
- Community Demand
- Workforce – Capacity / availability of staff
The analysis must also consider the effectiveness of existing controls, assessing whether they are adequate and operating as intended.
Defining the Risk – A clearly defined risk is essential for accurate assessment. Risks should be described using a simple Event / Cause / Impact structure, consistent with Orange Book guidance, to link:
- Event (There is a risk that…)
- Cause (This is caused by…)
- Impact on objectives (This could lead to…)
The following table provides an example to assist in the defining of risks:
Objective: to travel by train from A to B for a meeting at a certain time
Item 1
Statement: Failure to get from A to B on time for the meeting
Mark: X (incorrect)
Explanation: This is simply the converse of the objective
Item 2
Statement: Being late and missing the meeting
Mark: X (incorrect)
Explanation: This is a statement of the impact of the risk and not the risk itself
Item 3
Statement: There is no buffet on the train so I get hungry
Mark: X (incorrect)
Explanation: This does not impact on the achievement of the objective
Item 4
Statement: Missing the train (the event) causes me to be late (cause) and miss the meeting (impact)
Mark: ✔ (correct)
Explanation: This is a risk which can be controlled by making sure I allow plenty of time to get to the station
Item 5
Statement: Severe weather (cause) prevents the train from running (event) and me from getting to the meeting (impact)
Mark: ✔ (correct)
Explanation: This is a risk which I cannot control, but against which I can make a contingency plan
Source: The Orange Book: Management of Risk – Principles and Concepts, October 2004
Risks must always be expressed in relation to ICB objectives, particularly those set out in the Population Health Improvement Plan.
Risk Evaluation (Scoring) – Each risk is scored to determine its inherent and residual rating:
- Inherent rating: the level of risk before controls
- Residual rating: the level of risk after controls
Both impact and likelihood are assessed using the ICB’s standard 5×5 risk matrix, as set out in Appendices C and D. Impact (what the outcome would be should the risk materialise) is evaluated across relevant domains such as quality, performance, finance, workforce, reputation and delivery. Likelihood (how probable it is that the risk will materialise) considers inherent likelihood (how the risk might naturally occur), the controls and resources in place to manage likelihood, and key performance indicators that could signal a change in likelihood. Scoring must be:
- Structured
- Evidence-based
- Consistently applied across Directorates
Any changes to scores must be explained clearly in Datix and, for strategic risks, on the Board Assurance Framework (BAF). Governance Leads will support risk owners to apply the scoring approach consistently.
Prioritising Risks – Risk prioritisation ensures that the most significant risks receive appropriate attention and resource. Prioritisation is based primarily on the risk rating, but also considers:
- Legal and regulatory requirements
- Alignment with strategic objectives
- Dependencies with other risks or programmes
- Potential impact on patient outcomes, financial performance or organisational resilience
Based on the impact and likelihood assessment, risks will be rated as follows:
- Extreme risk (red), those rated 15 or above: Immediate action is required. The Responsible Executive Director and Risk Lead must take responsibility for development and implementation of an appropriate risk action plan and ensure progress against this is reported to the relevant committee and ICB Board. Risks rated ‘red/extreme’ will be recommended by the Responsible Executive Director/Committee for inclusion on the corporate risk register or potentially to the ICB Board for inclusion on the BAF where appropriate, noting that strategic risks on the BAF may cover one or more risks on the risk register.
- High risk (amber), those rated between 8 and 12: Within one month an appropriate action plan must be agreed, usually with a deadline for completion within 6 months. To be reported to the relevant committee. However, if the risk is within the ICB risk appetite / target risk score, monitoring action and, if possible, some adjustment of controls to improve management of the risk are required.
- Medium risk (yellow), those rated between 4 and 6: If within the ICB risk appetite / target risk score, monitoring action only is required. In addition, the risk could be recommended for removal from Datix or downgraded to a ‘team’ risk.
- Low risk (green), those rated between 1 and 3: Acceptable risk. Periodic monitoring and review to be undertaken at Directorate/Departmental level to ensure that risk has not escalated, and controls remain effective. Alternatively, risk could be recommended for removal from Datix.
Highly rated risks are escalated in line with the ICB’s governance structure:
- Strategic risks → BAF and Board
- Operational risks → Corporate Risk Register and Directorate oversight
Lower-level risks may still be addressed promptly where quick mitigation is possible or where inaction could allow escalation.
Continuous Review – Risk scores, controls and improvement actions must be reviewed regularly to ensure they reflect the current operating environment. As recommended by the Orange Book, risk assessment is a dynamic process, supporting timely decisions and providing assurance that risks are being managed effectively.
Treatment of Risks
Once a risk has been assessed, the ICB will determine the most appropriate response to reduce the likelihood and/or impact of the risk, or to take advantage of potential opportunities. Decisions about risk treatment must align with the ICB’s risk appetite, statutory responsibilities and the strategic aims set out in the Population Health Improvement Plan. Essex ICB will use the following four recognised approaches to managing risk:
Tolerate – The ICB may decide to accept a risk where:
- it falls within the ICB’s agreed risk appetite,
- further mitigation is not feasible or proportionate, or
- the cost of additional controls outweighs the benefits.
Where a risk is tolerated, contingency plans must be in place to manage the consequences should the risk materialise.
Treat – Most risks will be treated by introducing new controls or strengthening existing ones to reduce the risk to an acceptable level. Controls may relate to:
- governance and decision-making,
- workforce capability and supervision,
- policies and procedures,
- performance monitoring,
- contracting and financial controls, or
- improvements in processes, data quality or oversight.
Treatment plans must be proportionate, achievable and recorded clearly in Datix, with designated owners and target completion dates.
Transfer – Some risks may be shared or transferred to another organisation (e.g., through insurance, commissioning arrangements, or contractual mechanisms).
However, certain risks—such as those linked to statutory duties, governance responsibilities or reputational harm—cannot be fully transferred. Where risks are transferred, the ICB must:
- maintain effective oversight of the receiving organisation, and
- ensure that accountability, performance and assurance arrangements are clearly defined.
Terminate – Where appropriate, the ICB may seek to eliminate a risk entirely by stopping or changing the activity that gives rise to it (e.g., decommissioning a service or discontinuing a specific function).
Given the NHS context, termination is often a last resort and must be considered carefully, with full assessment of the impact on patients, finances and statutory duties. Actions to terminate a risk will generally also require consultation or engagement with stakeholders and members of the public (refer to ICB policy on communications and engagement).
Action planning and documentation – Once the treatment option is agreed, a clear action plan must be developed, implemented and monitored. This could involve the need to complete one or more impact assessments, e.g., a quality or health inequalities impact assessment. This must be carried out in accordance with the ICB policy on undertaking impact assessments.
Progress and changes in implementing actions must be updated in Datix and reflected in the corporate risk register or BAF where relevant. Documentation must demonstrate a systematic and auditable approach, supporting learning, assurance and decision-making.
Controls and Assurances
Controls and assurances are central to understanding how effectively risks are being managed across the ICB. Each risk recorded on Datix must include a clear description of the controls currently in place, along with the sources of assurance that demonstrate whether those controls are operating as intended.
Managers and risk owners are responsible for routinely assessing control effectiveness as part of the ICB’s monitoring and review processes. This includes identifying any gaps, weaknesses or overdue actions, and determining whether new or strengthened controls are required, taking into account the ICB’s risk appetite and the cost–benefit of further mitigation. Where gaps are identified, appropriate improvement actions must be recorded in Datix with named owners and delivery timescales.
Assurance over controls is provided through the ICB’s application of the Three Lines Model. Operational management provides first-line assurance that controls are implemented and effective; corporate functions provide second-line oversight, challenge and triangulated testing; and Internal Audit and other external reviews provide independent third-line assurance. Data plays an important role in this process, offering evidence of performance, quality, workforce or financial trends that can confirm the operation of controls or indicate a change in risk likelihood or impact.
Where a risk does not reach its target score and remains static over three consecutive review cycles on the Corporate Risk Register or the Board Assurance Framework, the relevant Director or risk owner may be required to attend the appropriate committee or the Board. They will be asked to explain the barriers to progress and provide assurance on the actions being taken to address outstanding gaps.
Together, these arrangements ensure that the ICB maintains a consistent and evidence-based approach to evaluating control effectiveness, securing appropriate assurance, and taking timely corrective action where needed.
Risk Escalation
Risk escalation ensures that risks are managed at the appropriate organisational level and that significant threats to the ICB’s objectives are visible to senior leaders. Escalation follows a structured process, beginning at team level and progressing through directorate, corporate and Board oversight as required. All risks at any stage of escalation must be recorded and updated within Datix.
Team-Level Risk Registers – Team or service-level risk registers capture operational risks relating to day-to-day activities, processes or local objectives. These risks are owned and monitored by team managers.
A risk should remain at team level where:
- it can be managed locally with available controls and resources,
- the impact is limited to the team or service area, and
- the likelihood and consequence remain within the ICB’s defined risk appetite for operational activities.
A risk must be considered for escalation to the Directorate Risk Register if:
- its potential impact extends beyond the team,
- it requires intervention or resources from the wider Directorate,
- controls at team level are insufficient or cannot be strengthened locally,
- the risk score increases and approaches agreed escalation thresholds, or
- the risk relates to recurrent or systemic issues.
Directorate Risk Registers – Directorate Risk Registers hold risks that affect the wider Directorate or require senior oversight to mitigate effectively. Directorate leads are responsible for ensuring risks are reviewed, challenged and updated regularly.
A risk should be escalated from directorate level to the Corporate Risk Register where:
- it has cross-directorate implications,
- it may impact delivery of the Population Health Improvement Plan objectives,
- the Directorate cannot reasonably manage or mitigate the risk alone,
- the risk score is high or increasing despite controls,
- additional organisational-level actions, investment or decisions are required, or
- there is a potential impact on quality, safety, financial sustainability or ICB statutory duties.
Directorate leads must review risks regularly and identify those requiring Executive consideration.
Corporate Risk Register (CRR) – The Corporate Risk Register holds organisation-wide operational risks that require Executive oversight. Escalation to the CRR occurs via the Executive Team, who review proposed escalations submitted through Directorate leads and the Governance Team.
The Executive Team will accept a risk onto the CRR where:
- the risk may significantly affect organisational performance, finances, workforce, reputation or legal compliance,
- coordinated, cross-Directorate action is required,
- the risk could impact delivery against NHS England oversight frameworks or statutory duties, or
- the risk score meets corporate escalation thresholds.
Once accepted, an Executive lead is assigned as the risk owner, with clear expectations for monitoring, mitigation and reporting.
Board Assurance Framework (BAF) – Risks are escalated from the CRR to the Board Assurance Framework when they represent threats to the ICB’s strategic objectives or delivery of the Population Health Improvement Plan.
Only strategic risks sit on the BAF. These are risks that:
- could materially impact achievement of the ICB’s strategic objectives,
- remain highly rated even after controls,
- require Board-level visibility, assurance and oversight, or
- relate to statutory functions, governance, system partnerships or strategic commissioning.
Executive risk owners present BAF risks to the Board and its committees, ensuring there is a clear articulation of:
- the risk,
- the controls in place,
- sources of assurance,
- gaps in assurance, and
- required actions.
Continuous Review and De-escalation – All risks must be reviewed regularly. As controls become effective or the risk profile changes, risks may be de-escalated to a lower level of oversight. De-escalation follows the same pathway in reverse:
BAF → CRR → Directorate Register → Team Register
This ensures ongoing ownership while promoting proportionate, responsive risk management.
Monitor and Review
Monitoring and review ensure that risks, controls and assurances remain accurate, effective and aligned with the ICB’s strategic objectives. All risks must be kept up to date in Datix so that the organisation has a reliable and current risk profile.
Directorates are expected to review their Directorate Risk Registers monthly as part of their Senior Leadership Team meetings, ensuring that risk scores, controls and actions remain appropriate and that any risks requiring escalation are identified promptly. The Executive Team will review the Corporate Risk Register on a monthly basis to provide organisational oversight, ensure consistency of scoring, and determine whether any risks warrant escalation to the Board Assurance Framework. In addition, sponsoring committees will review their relevant risks on a quarterly basis (for example, finance and quality risks will be overseen by the Commissioning, Quality and Resource Committee), so that risks within their remit receive focused scrutiny and assurance at appropriate intervals. All risks can be updated on an ad hoc basis whenever new information, incidents, performance data or changes in context indicate that the likelihood, impact or control effectiveness has changed.
Monitoring includes reviewing the effectiveness of controls and ensuring that assurances are credible, timely and proportionate. The ICB’s approach follows the Three Lines Model: operational teams provide day-to-day management and control of risks; corporate oversight functions such as Governance, Quality, Finance and Workforce provide support, challenge and triangulation; and Internal Audit and other independent reviewers provide third-line assurance on the robustness of the overall system of internal control.
Data plays a central role in risk monitoring and assurance across all three lines. Relevant performance, workforce, quality or financial data may be uploaded or referenced within Datix, enabling risk owners to demonstrate the effectiveness of controls and to identify whether the likelihood or impact of a risk is increasing or decreasing. Where data indicates a change in exposure, risk owners must update the risk promptly and consider whether escalation is required.
Risk management will continue to be embedded in governance processes across the ICB by ensuring that meeting agendas routinely include consideration of relevant risks, and by ensuring that reporting templates used across committees and programme boards are risk-driven. Embedding these approaches strengthens risk culture across the organisation, supports effective decision-making, and reinforces the expectation that risk management is an integral part of everyday practice.
Reporting
Risk reporting is delivered through the processes described in the Risk Escalation and Monitoring and Review sections, ensuring that risks recorded on Datix flow from teams to Directorate SLTs, the Executive Team, oversight committees and the Board via the Corporate Risk Register and the Board Assurance Framework. Reports draw on the controls, assurances and data described in earlier sections, providing senior leaders with timely and accurate insight into the organisation’s risk profile. These reporting arrangements ensure that decision-making remains informed, transparent and aligned with the ICB’s strategic objectives and governance requirements.
Communicate and Consult
Effective communication and consultation are essential components of the ICB’s risk management approach. They ensure that risks are understood, shared and managed collaboratively across all levels of the organisation. Communication supports informed decision-making, while consultation ensures that those involved in or affected by risks contribute their knowledge, experience and insight to the process.
The ICB will communicate risk information clearly and consistently through established reporting mechanisms, including Directorate Senior Leadership Teams, the Executive Team, committees, and the Board. Risk-related discussions will form a routine part of governance business, enabling leaders to understand the organisation’s risk profile, emerging issues and the effectiveness of current controls and assurances. Risk reports will be produced in an accessible and meaningful format so that decision-makers can quickly identify significant risks, understand their implications, and determine whether further action is required.
Consultation is equally important. Staff at all levels are encouraged to raise and discuss risks openly within their teams and with senior leaders. Directorates will engage with their teams to gather intelligence, test assumptions, and identify changes in risk exposure. Corporate functions—such as Governance, Quality, Finance, Workforce and Digital—will provide expert advice to support risk owners in refining risk definitions, analysing controls and interpreting assurance information. This collaborative approach ensures that risks are assessed using the best available information and from multiple perspectives.
The ICB will also ensure that relevant external partners, regulators or providers are engaged where their insight or actions are necessary to manage a risk effectively. This may include sharing risk information where appropriate, seeking clarification on control arrangements, or working jointly on mitigations that require cooperation across organisational boundaries. Although the ICB is not accountable for system-wide risks, engagement with partners remains important where external factors influence the ICB’s commissioning responsibilities or strategic objectives.
Communication and consultation are continuous activities that occur throughout the life of a risk. They support transparency, foster a culture of openness, and help embed good risk management across the organisation. By ensuring that risks are well-understood, clearly articulated and openly discussed, the ICB can make informed decisions, allocate resources effectively and maintain confidence in its systems of internal control.
Risk Appetite and Tolerance
The ICB’s risk appetite describes the level of risk that the organisation is willing to accept in pursuit of its strategic objectives. It provides a framework for making informed decisions, prioritising risks, and ensuring that the ICB’s approach to uncertainty is consistent with its strategic ambitions and responsibilities. Risk tolerance represents the degree of variation from this appetite that the organisation is willing to operate within during the management of a risk.
The ICB will adopt the Good Governance Institute (GGI) Risk Appetite Maturity Model and Risk Appetite Matrix as the basis for defining its appetite across key domains. The GGI model sets out six appetite levels: None, Minimal, Cautious, Open, Seek, and Significant, each describing the extent to which the organisation is willing to accept uncertainty, variation or potential impact. These appetite levels provide a shared language to support decision-making and enable alignment between the Board, Executive Team, and the wider organisation.
The ICB will determine its risk appetite through a structured annual process, including a Board seminar, Board survey and facilitated Executive discussion. These activities will consider strategic priorities, statutory responsibilities, risk maturity, operational capacity, external context and learning from audit and assurance. The outcome of this process will be a formally agreed Risk Appetite Statement that sets out the appetite for each risk category used within the organisation. The GGI appetite levels will then be translated into corresponding target risk scores within the ICB’s 5×5 risk matrix, enabling risk appetite to be applied directly through the Corporate Risk Register and the Board Assurance Framework.
Each risk recorded in Datix will include a target score that reflects the agreed appetite for its category. Risk owners will be expected to develop mitigation plans aimed at reducing the residual risk to within the agreed appetite. Once a risk reaches its target score, the responsible committee and Executive lead will determine whether it should be closed, de-escalated or retained for continued monitoring. Where a risk remains above the agreed appetite, additional controls or assurance may be required, and progress will be monitored through the governance processes set out in this policy.
Risk tolerance will guide judgements about short-term fluctuations in risk ratings. Temporary movements above or below appetite may occur due to external pressures, changes in performance data, or evolving operational conditions. Tolerance provides the flexibility needed to operate safely while still maintaining a clear boundary for unacceptable risk exposure.
The ICB’s agreed risk appetite levels across each category will be set out in Appendix F and reviewed annually or sooner if significant changes in strategy, national policy or risk exposure occur. This ensures that Essex ICB maintains a dynamic, informed and mature approach to risk-taking that supports delivery of its Population Health Improvement Plan and statutory duties.
Risk Management Strategy – Risk Management Maturity Assessment and strategic improvement
Purpose and Strategic Intent
As part of its Risk Management Strategy, Essex ICB is committed to developing a mature, consistent and transparent approach to managing risk, creating a positive risk culture that underpins all aspects of the ICB’s approach to risk management.
To support the development of a robust and continuously improving risk management system, Essex ICB will adopt a three-strand approach to assessing its current level of risk maturity. This approach comprises:
(1) an internal self-assessment using the HM Treasury Risk Management Assessment Framework;
(2) an independent maturity review undertaken by Internal Audit using the Institute of Internal Auditors (IIA) Risk Maturity Model; and
(3) an annual assessment of the ICB’s overall risk profile.
Together, these strands provide a comprehensive picture of the ICB’s current maturity and risk exposure and form the basis for targeted improvement actions designed to strengthen risk capability, enhance the organisation’s risk profile over time, and support effective delivery of the Population Health Improvement Plan.
Primary Maturity Assessment Method – HM Treasury RMAF
The ICB will undertake an annual assessment of its risk management maturity using the HM Treasury Risk Management Assessment Framework (RMAF), a model derived from the European Foundation for Quality Management (EFQM) Excellence Framework and designed to evaluate the effectiveness of risk systems across public bodies.
This assessment forms a central component of the ICB’s strategy to continually strengthen organisational risk capability and improve its risk profile year on year, in line with the ICB’s statutory responsibilities and the ambitions set out in the Population Health Improvement Plan.
This framework evaluates capability across seven key domains: Leadership, Strategy and Policies, People, Partnerships, Processes, Risk Handling and Outcomes. The RMAF uses a five-level maturity scale, where Level 1 represents early awareness and Level 5 represents a fully embedded, high-performing and continuously improving risk management system.
Each year, the ICB will conduct a structured assessment using the RMAF, drawing on evidence from Datix, the Corporate Risk Register, the Board Assurance Framework, performance and quality data, committee scrutiny, and staff input. This will establish the ICB’s current maturity position and define the improvement trajectory for the year ahead.
The results will be used to update the ICB’s Risk Management Improvement Plan, which outlines clear actions designed to strengthen maturity across the seven domains, embed best practice, and enhance how the organisation anticipates, manages and learns from risk.
Independent Maturity Opinion – IIA Risk Maturity Model
While the RMAF provides the ICB with an internal, capability-focused assessment, the ICB also recognises the importance of independent scrutiny. Therefore, the ICB’s Internal Auditors will undertake an annual review using the Institute of Internal Auditors (IIA) Risk Maturity Model, which is widely adopted across the NHS and used by Internal Audit to benchmark organisational risk maturity.
This model assesses governance, culture and assurance arrangements across five levels (Risk Naïve to Risk Enabled) and provides an external viewpoint on how well the organisation is embedding risk processes and applying risk information in decision-making. The Internal Audit maturity opinion is presented to the Audit Committee, offering objective assurance that supports Board oversight and the continuous improvement cycle.
Together, the RMAF and IIA models provide a comprehensive and balanced maturity picture:
- RMAF → assesses organisational capability and integration of risk across functions
- IIA → independently evaluates governance, behaviour and assurance maturity
Annual Review of the ICB’s Risk Profile
In addition to assessing maturity, the ICB will annually review its overall risk profile. Once established, this profile will be analysed to identify themes, patterns and areas of strategic exposure across the Corporate Risk Register and Board Assurance Framework. The review will consider the external environment, performance data, emerging national policy, regulatory intelligence, and internal learning.
This risk profile analysis will then be used to determine strategic actions required to improve the organisation’s exposure to risk over time, such as:
- strengthening internal controls and assurance patterns
- improving commissioning oversight
- addressing cross-cutting risks impacting multiple directorates
- refining risk appetite and tolerance
- enhancing capability and training
- improving the quality and consistency of risk information
These actions will be integrated into the annual Risk Management Improvement Plan, monitored through the Executive Team and Audit Committee, ensuring the ICB systematically improves both its risk maturity and its overall risk exposure.
The improvement plan will identify areas of risk where the ICB will need to focus to improve its risk profile. It is accepted that these will generally be areas of risk that span across multiple NHS and other organisations. In order to address such risks, the ICB will implement the National Quality Board Principles for Assessing and Managing Risks across Integrated Care Systems. This will foster the National Quality Board shared commitments for care that is safe, effective and provides a personalised experience, delivered in a way that is well-led, sustainable and addresses inequalities.

The approach will incorporate the 12 Principles for assessing risks as shown below.

To achieve this, the ICB will arrange a multi-disciplinary risk summit of all key partners and stakeholders to assess risks. It will ensure:
- The patient voice is at the centre of the assessment, so all partners understand patient experience.
- Accurate, visible and timely data will enable partners to understand current performance, in the context of patient experience.
- The patient pathway will be mapped to understand the full patient experience and where performance weakens and gaps in service provision, access or quality exist.
- All partners will work together to own and implement clear action plans to enact a step change in the existing and emerging risks.
Commitment to Continuous Improvement
By combining the HM Treasury RMAF for internal assessment, the IIA model for independent assurance, and annual strategic review of the ICB’s risk profile, Essex ICB commits to a continuous cycle of evaluation, learning and improvement. This ensures that risk management remains an enabler of effective strategic commissioning, robust governance, and the delivery of improved outcomes for the population.
Risk Culture
A positive risk culture underpins all aspects of the ICB’s Risk Management Strategy and reflects the attitudes, behaviours and values that shape how individuals and teams identify, discuss and manage risk.
The ICB is committed to fostering a culture in which staff at every level are encouraged to raise risks early, speak openly about uncertainty, and engage constructively in actions to mitigate or escalate risks as required, and in which there is a collaborative approach to addressing risks among its staff and with its partners.
This culture is supported by clear leadership expectations, transparent reporting processes, and an emphasis on learning rather than blame. Through regular communication, training, committee scrutiny and reinforcement of the Three Lines Model, the ICB aims to embed risk awareness into everyday decision-making so that risks are understood, well-managed and aligned to the organisation’s strategic objectives. Developing and maintaining a mature risk culture is therefore a core part of the ICB’s continuous improvement journey and fundamental to achieving an effective, proactive and resilient risk management system.
Monitoring Compliance
The Governance Lead is responsible for monitoring the ongoing compliance with this policy and ensuring that an appropriate risk management culture is embedded across the ICB.
The Audit, Risk and Compliance Committee is accountable to the Board for ensuring that the risk management process is effective and will ensure that the Annual Internal Audit Plan incorporates yearly assurance to the Board on the robustness of the ICB’s risk management arrangements to support completion of the Governance Statement.
Implementation and Staff Training
All staff will be made aware of the Risk Management Policy, including their role and the forms of support available to them, by their line manager as part of their local induction. Line managers will be responsible for ensuring that employees’ ongoing risk management training needs are assessed during induction and reviewed annually via the staff appraisal process. The ICB risk management training needs assessment has been included in Appendix G.
The Governance Lead will provide ongoing risk management support to relevant staff and will offer one-to-one meetings with all Risk Leads or attendance at team meetings to assist in the review of their risks prior to each Board or Committee meeting.
Arrangements For Review
This policy will be reviewed annually. Additional reviews will be carried out in the event of any relevant changes in legislation, national or local policy/guidance, organisational change or other circumstances which mean the policy needs to be reviewed.
If only minor changes are required, the responsible Committee has authority to make these changes without referral to the Integrated Care Board. If more significant or substantial changes are required, the policy will need to be ratified by the relevant committee before final approval by the Integrated Care Board.
Associated Policies, Guidance and Documents
Associated Documents
- Board Assurance Framework
- Risk Registers
- Risk Management Training Slides
- General Risk Assessment Template
- Anti-Fraud, Bribery and Corruption Policy
- Health & Safety Policy
- Information Governance Policy
- Management of Conflicts of Interest Policy (including Gifts and Hospitality, Commercial Sponsorship and Outside Employment)
- Raising Concerns Policy
- Standards of Business Conduct Policy
- Impact Assessments Policy
References and Sources of Further Information
- The Orange Book: Management of Risk – Principles and Concepts; HM Treasury, October 2004.
- Risk Management Assessment Framework: a tool for departments: HM Treasury, July 2009
- NHS England: Risk Management Policy and Process Guide
- National Patient Safety Agency: Risk Assessment Programme Overview
- Department of Finance and Personnel: Policy and Framework for Risk Management
- HM Treasury: Managing Risks with Delivery Partners
- HM Treasury: Thinking about Risk (Managing your risk appetite: A Practitioner’s Guide)
- COSO: Enterprise Risk Management – Integrated Framework
- COSO: ERM Risk Assessment in Practice
- COSO: Enterprise Risk Management – Understanding and Communicating Risk Appetite
- COSO: Internal Control – Integrated Framework.
Equality Impact Assessment
The EIA has identified a positive impact and is included at Appendix A.
Appendix A – Equality Impact Assessment
Initial Information
Name of policy and version number: Risk Management Policy
Version: 1.0
Directorate/Service: Corporate Services
Assessor’s Name and Job Title: Nicola Adams, Associate Director of Governance
Date: 23 March 2026
Outcomes
Evidence
Analysis of impact on equality
The Public Sector Equality Duty requires us to eliminate discrimination, advance equality of opportunity and foster good relations with protected groups. Consider how this policy / service will achieve these aims.
N.B. In some cases it is legal to treat people differently (objective justification).
- Positive outcome – the policy/service eliminates discrimination, advances equality of opportunity and fosters good relations with protected groups
- Negative outcome – protected group(s) could be disadvantaged or discriminated against
- Neutral outcome – there is no effect currently on protected groups
Please tick to show if outcome is likely to be positive, negative, or neutral. Consider direct and indirect discrimination, harassment, and victimisation.
| Protected group | Positive outcome | Negative outcome | Neutral outcome | Reason(s) for outcome |
|---|---|---|---|---|
| Age | X | | | The policy refers to equality and diversity risks and makes it clear that all staff are able to raise risks that might affect their work life. |
| Disability (Physical and Mental/Learning) | X | | | As above |
| Religion or belief | X | | | As above |
| Sex (Gender) | X | | | As above |
| Sexual Orientation | X | | | As above |
| Transgender / Gender Reassignment | X | | | As above |
| Race and ethnicity | X | | | As above |
| Pregnancy and maternity (including breastfeeding mothers) | X | | | As above |
| Marriage or Civil Partnership | X | | | As above |
Monitoring outcomes
Monitoring is an ongoing process to check outcomes. It is different from a formal review which takes place at pre-agreed intervals.
Review
Appendix B – Strategic Objectives
- Health inequalities narrowing year on year
- A decisive shift towards neighbourhood care delivery and prevention
- Timely access and excellent outcomes across services
- Financially and clinically sustainable services across Essex which are safe and high quality
- An organisation that is up to the job, good to work for and good to partner with
| Level | Objectives / Projects | Clinical / Injury | Patient Experience | Complaints / Claims | Service / Business Interruption | Staffing and Competence / HR / OD | Financial / Materiality | Adverse Publicity / Reputation |
|---|---|---|---|---|---|---|---|---|
| 1 Low | Insignificant cost increase / schedule slippage. Barely noticeable reduction in scope or quality. | Minor Injury not requiring first aid. | Unsatisfactory patient experience not directly related to patient care. | Locally resolved complaint. | Loss / interruption > 1 hour. | Short term low staffing level temporarily reduces service quality (<1 day) | < £50k | Rumours |
| 2 Medium | Less than 5% over budget / schedule slippage. Minor reduction in quality / scope. | Minor injury or illness, first aid treatment needed. | Unsatisfactory patient experience partly related to patient care – readily resolvable. | Justified complaint peripheral to clinical care. | Loss / interruption > 8 hours. | On-going low staffing level reduces service quality. | £50k – < £100K | Local media – Short-term. Minor effect on staff morale / service. |
| 3 High | 5-10% over budget / schedule slippage. Reduction in quality or scope. | Moderate injury or illness, requiring first aid or medical treatment i.e. fractures. RIDDOR / Agency Reportable. | Mismanagement of patient care. | Below excess claim. Justified complaint involving lack of appropriate care. | Loss / interruption > 1 day. | Late delivery of key objective / service due to lack of staff. Minor error due to poor training. On-going unsafe staffing level. | £100K – < £500K | Local media – Long-term. Significant effect on staff morale / Service. |
| 4 Major | 10-25% over budget / schedule slippage. Doesn’t meet secondary objectives. | Major injuries, or long-term incapacity / disability (loss of limb) | Serious mismanagement of patient care. | Claim above excess level. Multiple justified complaints. | Loss / interruption > 1 week. | Uncertain delivery of key objective / service due to lack of staff. Serious error due to poor training. | £500K – < £1m | National Media – < 3 days. |
| 5 Critical | >25% over budget / schedule slippage. Doesn’t meet primary objectives. | Death or major permanent incapacity. | Totally unsatisfactory patient outcome or experience. | Multiple claims or single major claim. | Permanent loss of service or facility. | Non delivery of key objective / service due to lack of staff. Loss of key staff. Critical error due to insufficient training. | >£1m | National media – > 3 days. MP Concern (questions in House) |
Appendix D – Likelihood Assessment Table

Appendix E – Risk Rating Matrix

Appendix F – Risk Appetite
To be completed
Appendix G – Risk Training Needs Analysis
To be inserted