Risk Management Strategy 2025 to 2028
In line with the NHS 24 Strategy 2023 to 2028, we are looking to the future in terms of our risk management processes. The Strategy outlines that there are potential challenges ahead, including growing financial and resources constraints, developing an agile workforce to meet future demand, and development of service provision to meet the changing health needs of the public. The aim of the Risk Management Strategy is to support and facilitate discussions on how NHS 24 can manage and navigate our way through these risks and opportunities by contributing to the Corporate Delivery Plan and overall Strategy.
The purpose of this document is to outline how NHS 24 will continue to embed its risk management processes to support the organisation to achieve its strategic aims and ambitions. The Risk Management Strategy drives risk management and integrates it within the culture and values of the organisation.
Our overall mission is to improve the quality of risk management processes to ensure they are meaningful and support NHS 24 in achieving its overall objectives and ambitions.
Strategic aims
Horizon 1: Continued recovery and renewal
We will focus on securing the capacity and capability to continuously improve NHS 24’s current services whilst developing the technology requirements and the plans for how we will deliver innovative new services and ways of working across the organisation.
Horizon 2: Creating a foundation to transform
We will secure and implement a new technology solution and have the right people in place to deliver our plans and drive the transformation of services and new ways of working.
Horizon 3: Transformation change
We will deliver major strategic change initiatives that innovate and take NHS 24 to the next level.
Risk is defined as the ‘effect of uncertainty on objectives’, whether positive opportunity or negative threat, or a deviation from what is expected. It is vital that NHS 24 has a clear direction through the Corporate Delivery Plan and Strategy to understand its risk profile.
Our overarching objective is to realise our mission and help people to access the right care at the right place. We will deliver this through our three strategic aims and our commitment to deliver excellence:
- deliver sustainable high-quality services
- provide a workplace in which our people can thrive
- be a collaborative forward-thinking partner
To do this we will focus on providing the best possible experience and outcomes for people that use and deliver our services, whilst demonstrating quality, value and sustainability with a positive impact on society and the environment.
Risk management objectives
Risk management is an essential part of governance and leadership, and fundamental to how an organisation is directed, managed and controlled at all levels. It supports effective strategic planning and decision-making, which strengthens NHS 24’s ability to respond with agility to the challenges it faces.
Following a positive internal audit report on risk management processes in 2024, the next stage in NHS 24’s maturity journey is to look at ways of supporting the bedding in of risk management to everyday planning and decision-making. With that objective in mind, the risk management objectives are set out below.
The NHS 24 risk management objectives align with all three of the strategic aims set out in Our Strategy, and are as follows:
- Develop and embed a risk management culture by increasing staff awareness through education and training.
- Align risk management with NHS 24’s culture of openness and honesty to enable safe services, and learning from events and decisions, to promote a quality improvement culture.
- Ensure risk reporting and management information is timely, accurate and meaningful to enhance reporting and business intelligence.
- Continue to develop and embed risk appetite and tolerance into reporting, planning and decision-making.
- Develop risk reporting to enhance business intelligence, provide assurance to governance and management structures and support intelligence-led decision-making in line with risk appetite and tolerance.
- Ensure risk monitoring and review is integrated, insightful and consistent.
- Ensure the risk management approach, culture and processes are consistently applied across all levels of organisational risk, including strategic, operational and programme risks.
- Consider how we assess and measure organisational risk management maturity.
- Engage in the development of our workforce, through leadership and management opportunities.
- Engage with risk leads across the wider NHS Scotland to share intelligence, good practice and learning.
Operational and strategic planning
A consistent risk management approach supports and provides assurance throughout the organisation. The NHS 24 Our Strategy, Corporate Delivery Plan, Finance Plan and Workforce Strategy will support the development of risk management by providing a clear purpose and direction to better understand the risks to delivering our objectives and key deliverables.
NHS 24 values
As the NHS 24 Strategy outlines, the values of NHS 24 underpin the mission, vision and purpose of the organisation. Risk management is the responsibility of all staff with values and ethics required to ensure decision-making is conducted with integrity, compliant with regulations, and transparent. We will embed these values by ensuring strategic leadership and risk leads influence identification and sharing of risk to inform decision-making.
Training, learning and development
One way to embed the integration of values with risk management is through the training plan. The requirements of staff are considered in the risk management training priorities to provide the key skills and capabilities to NHS 24 staff. Training will be supported by the Operational Risk Management Group. The purpose of the training is to drive the development and awareness of risk management. This is a blended approach of using online learning to provide a baseline, with targeted training for specific roles and decision-making requirements.
Quality management
The Quality Framework outlines NHS 24’s commitment to a culture of continuous improvement. NHS 24 aims to deliver the highest standards of health and care services for the people of Scotland in an inclusive and equitable way. There are clear links between risk management processes and quality management processes to ensure risks and benefits are understood and analysed. We will continue to develop the links between quality management and risk management.
NHS 24 Risk Management Framework
NHS 24 has embedded a Risk Management Framework to enable an integrated and consistent approach to risk management, outline the governance arrangements, and explain how risks are identified, managed and escalated. This can be defined as:
‘Enterprise Risk Management (ERM) is a framework implemented to embed the board’s response towards risk. ERM allows the organisation to measure and respond to issues and risks as they arise.’
NHS 24 has aimed to continually improve the quality of the information within its risk registers, through increased ownership of risks within risk registers, and greater challenge and scrutiny from Risk Leads, Executive Owners and Non-Executive Directors.
Our risk management processes are supported by the governance model in NHS 24. It is important to recognise that appropriate management controls are central to risk management.
Assurance
Assurance is a key component of risk management. The first line of management controls includes local business processes and policies to manage the initial risks. Risk management provides a structured process that addresses the uncertainties outwith the daily management controls.
The second line of control provides oversight and challenge to management processes used in the first line. This is supported by appropriate governance and reporting mechanisms. The Audit & Risk Committee is a key element in the process that is provided with risk management information in order to seek assurance over the risk management process. The following section outlines the Governance and Accountability responsibilities.
A third line of assurance includes the internal and external audit process. The Audit & Risk Committee should advise the Board on the appointment of the internal audit, and the Board may delegate to the Audit & Risk Committee oversight of the process which leads to a recommendation for appointment.
The internal audit service also provides the NHS 24 Board with independent assurance on:
- management processes
- management of operational risks, including the effectiveness of the controls and other responses to these
It also provides NHS 24 with the opportunity to improve. Risk management has a key role in supporting the internal audit recommendations as a quality improvement mechanism.
External audit will focus on review of the financial statements to ensure they give a ‘true and fair’ account of past financial performance and current financial position. External audit will also look beyond the financial aspects to ensure the organisation is discharging its regulatory obligations and internal guidelines. The risk management contribution will be to ensure the external auditors have the appropriate information on the management of specific threats to NHS 24.
Governance and accountability
Within NHS 24, the following governance arrangements apply in relation to risk management. Detailed responsibilities are outlined within the NHS 24 ERM Framework. A key focus for improvement of risk governance is to enhance the risk management information which is presented to the appropriate committee for assurance.
The above graphic shows the governance arrangements in NHS 24 and how they are organised from the Operational Risk Management Group that will focus on the NHS 24 directorate responsibilities, through the EMT sub-group that manages the strategy development. The Board and the Committees are responsible for governance and overall assurance to all stakeholders. The framework document outlines the responsibilities of the committees and groups.
Procedures
The following documented procedures are in place to provide a consistent understanding, approach and deployment of the risk management principles within NHS 24.
Enterprise Risk Management (ERM) Framework
The purpose of the ERM Framework is to provide the methodology, structure and approach that NHS 24 will follow when managing risks.
Risk Appetite Statement
The Risk Appetite Statement outlines the level of risk the Board is willing to accept, in order to achieve its objectives.
Corporate Escalation Process
Identifies specific challenges, roles and responsibilities to respond, recover and maintain business continuity by setting out levels of escalation, taking into account organisation-wide pressure and triggers, as well as communication and actions required.
EMT Risk Management Group Terms of Reference
Defines the responsibilities of the EMT in relation to strategic risks and opportunities and how this links into the wider organisation, the committees, and the Board.
Operational Risk Management Group (ORMG) Terms of Reference
Defines how the operational aspect of risk management within NHS 24 is governed and how this links into the rest of the organisation, the Committees, and the Board.
Review and reporting
The following are the main reports regularly produced by the organisation relating to risk. Appropriate trend analysis and presentation of risk management information will be developed and monitored for improvement to best illustrate the Board risk profile.
The reporting requirements vary dependent on the type of risk. Risk will be a key focus of each governance committee and will be reflected in the terms of reference of each committee.
Reporting to the Board
Operational risks to the objectives of the organisation that score 10 and above will be reported to the Board on a quarterly basis. On an annual basis, all operational risks, regardless of score, will be reported for additional assurance. Strategic risks are reported to the Board twice a year.
Reporting to the Audit and Risk Committee
The Audit & Risk Committee has oversight of all types of risk within the organisation and assurance over the risk management process. All risks that score 10 or more will be reported to each Audit & Risk Committee for consideration, review and comment. On an annual basis, all operational risks, regardless of score, will be reported for additional assurance. Strategic risks are reported to the Committee twice a year.
Reporting to the Board Sub-Committees
Relevant risks are reported to the relevant governance committee on a quarterly basis. A risk may be referred to more than one governance Committee, depending on the primary and secondary category of the risk. The ERM Framework outlines the reporting requirements. On an annual basis, all operational risks, regardless of score, will be reported for additional assurance.
Annual Report
The Risk Management Annual Report will be presented to the Audit & Risk Committee and Board annually.