AGENDA ITEM 10 – BOARD ASSURANCE FRAMEWORK
BOARD OF DIRECTORS 21 FEBRUARY 2018
Report title Board assurance framework and corporate risk register
Report from David Probert, chief executive
Prepared by Helen Essex, company secretary
Previously discussed at Management Executive 13 February and with individual risk owners
Attachments Board assurance framework and corporate risk register
Brief summary of report
The Board Assurance Framework (BAF) is the means by which the Board holds itself to account and defends its patients and staff as well as the trust. It helps to clarify what risks will compromise the trust’s strategic objectives and should assist the Board in driving its agenda and determining where to make the most efficient use of their resources in order to improve the quality and safety of care. The Board should also support the creation of a culture which allows the organisation to anticipate and respond to adverse events, unwelcome trends and significant business and clinical opportunities.
The Board previously agreed to see an updated report each quarter showing progress against risk mitigation
and a brief narrative report on the changes to, and risk flows between, the BAF and corporate risk register,
which is maintained by the Executive Team.
However, the audit and risk committee will undertake a more detailed review of the BAF and make a
recommendation as to the frequency of reporting to both the committee and the Board.
Action Required/Recommendation.
The Board is invited to discuss the updated board assurance framework and agree the process for future arrangements as described above.
For Assurance For decision For discussion To note
Board assurance framework report – Q3 2017/18
1. BAF analysis and summary of changes
The top-rated risks (score of 15 or above) to achieving the strategic objectives are as follows:
Failure to retain a ‘good’ CQC rating
Failure to deliver Project Oriel
Failure to achieve commercial growth
Failure to meet statutory regulations in relation to fire safety (new)
Failure to achieve CIP
Increased commissioner turbulence
All have been identified as risks that will have a significant impact on the delivery of patient care, the patient and staff experience, the financial sustainability and reputation of the trust or a combination of these. The identified areas are those that require the most focus from the Board in terms of scrutiny and provision of assurance from the executive team. Particular attention is also being given to those risks that are not wholly within the trust’s control to mitigate and a strategy developed as to how to manage such external factors.
1.1 Amendments made this quarter:
Learning from incidents
A failure to learn the lessons from incidents has been reduced from a 15 (5x3) to a 10 (5x2). This is due to the
following mitigations:
The recommendations from the consultant job planning audit are almost completed and a re-audit is scheduled for March 2018. All job plans will have been reviewed by the end of March.
The recent clinical governance half days held for services were multi-disciplinary and agendas/outputs linked so that all services were receiving the same presentations and audits.
The World Health Organisation checklist is undergoing regular audits from quality partners and results are shared across divisions via the trust management board.
Emergency preparedness and resilience planning
A failure to have in place robust emergency preparedness and resilience plans has been reduced from a 15 (5x3)
to a 10 (5x2). This is due to the following mitigations:
As well as an external rating of ‘good’ for EPRR preparedness, the trust will be testing its evacuation plan imminently.
An annual schedule of divisional testing is in draft and implementation will start from April onwards.
A full command post exercise is taking place on 23 February. The aim of this exercise will be to improve the ability of MEH NHSFT to respond to disruption. This exercise will assess plan(s) and the trust’s preparedness to respond to internal business disruptions or major incidents (internal or external).
Cyber-security attack
The risk of suffering from a successful cyber-attack has been reduced from a 16 (4x4) to a 12 (4x3). This is due to
penetration testing being completed, development of action plans and further penetration testing scheduled.
The action plans will be monitored by the information governance committee which reports through to
management executive for senior management oversight.
Staff engagement
The risk score remains at a 12 but the impact has been increased (to 4) and the likelihood decreased (to 3). However, the score needs further revision when the staff survey results are published and impact better understood.
1.2 Additional risks added this quarter:
Fire safety (previously formed part of the risk relating to statutory obligations)
Fire safety has been added as a separate risk following the independent fire assessor’s report to the board. The score has been assessed as a 15 (5x3), although there are a number of mitigating factors:
In relation to the problem of too many cylinders being unregulated or not properly stored/signed within the required areas, estates have been working with resus, pharmacy and medical gas committee to undertake the following action:
1. Identified locations required, reducing overall numbers
2. Removed all excess gas cylinders
3. Installed signage and storage
4. Introduced an agreed management strategy with pharmacy to control issue of cylinders
5. Updated policy to identify locations and management process agreed and published via Risk and safety committee
The board requested a fire safety compliance plan which is being presented in February.
The board received positive assurances about the top level fire system, the issue of escape routes (vertical and basement/ground floor) being addressed and compartmentalisation (where economically feasible) being in place.
The fire drill programme is in place and drills are repeated when not good enough. A full evacuation of City Road will be taking place by the end of February.
However, there are still cultural and behavioural issues that require additional focus and these are more
challenging to manage.
Overall
All dates and mitigating action plans have been updated to reflect the latest position.
Risk appetite
It is suggested that the board consider adding a risk appetite factor to each risk which should assist the assessment of the levels of control and assurance applied to a risk and whether any additional mitigating action is required. This was suggested as part of the well led framework review and has been incorporated into the new risk management strategy. The matrix is included in the table below:
AVOID No appetite. Not prepared to accept any risks
AVERSE Prepared to accept only the very lowest levels of risk, with the preference being for the ultra-safe delivery options while recognising that these will have little or no potential for reward/return
CAUTIOUS Willing to accept some low risks, while maintaining an overall preference for safety options, despite the probability of these having mostly restricted potential for reward/return
MODERATE Tending always towards exposure to only modest levels of risk in order to achieve acceptable, but possibly unambitious outcomes.
OPEN Prepared to consider all delivery options and select those with the highest probability of productive outcomes, even when there are elevated levels of associated risk
HUNGRY Eager to seek original/creative/pioneering delivery options and to accept the associated substantial risk levels in order to secure successful outcomes and meaningful reward/return
The executive team has reviewed the BAF and the corporate risk register and is satisfied that there are no
additional risks that require escalation to the board in this quarter.
2. Summary of corporate risk register changes
Risk scores raised
Growth in Moorfields private – increased from 8 (4x2) to 15 (5x3) to correlate with the BAF.
Risk scores reduced
Policies – reduced from 12 (4x3) to 9 (3x3). Impact unlikely to be major, majority of policies in place across the
trust and adhered to by all services.
Cyber-security attack – reduced from 16 (4x4) to 12 (4x3) (as per commentary on the BAF).
Major IT failure – reduced from 12 (4x3) to 8 (4x2) due to successful disaster recovery exercises and future DR
exercises planned for the summer.
Poor environment in outpatient clinics – reduced from 15 (3x5) to 12 (3x4) due to improvement programmes
taking place and being rolled out to more sites including Croydon and Mile End.
Risk to be added
No new risks were added this quarter (fire safety raised to the BAF).
Risks to be removed
Risk 20 – Delays to Project Oriel
This risk will form part of the more detailed Project Oriel risk register.
Risk 28 – Proactive consideration given to communications resource
This risk will form part of the strategy and business development risk register.
Risk 47 – Following the principles of the mental capacity act
All actions have been completed and the risk score is mitigated to a 6 – will form part of the safeguarding risk
register.
Risk 48 – Insufficiently trained paediatric staff
This risk related to a specific issue at SGH which has now been resolved. Risk reduced to a 4 and removed from
register.
Risk 49 – Inpatient wards breaching mixed sex accommodation standards
This risk has been resolved due to the decant to St Anthony’s and the refurbishment of Duke Elder ward.
Reduced to a 4 and removed from the register.
Risk 51 – Data warehouse failure
This risk will form part of the IT risk register.
Risk 76 – Determining the operational state of the hospital
This risk will form part of the more detailed Project Oriel risk register.
3. Other risk management activities (future reports to include progress updates)
a. Review of risk management strategy and policy (partially completed, to be finalised March 2018)
b. Electronic risk management system – plan for trust-wide roll out (for completion by December 2018)
c. Development of annual governance statement (AGS) (draft to audit and risk committee in April 2018 and final draft to the Board in May 2018)
d. Risk management training plan and roll out being developed as part of the well led action plan.
4. Conclusion
It is anticipated that the changes made to the process of reviewing the corporate risk register and board assurance framework along with the planned activities listed above will provide robust assurance that risks are being managed in a more systematic way until the electronic system is fully implemented.
CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous score
All domains CQC Compliance
If the trust fails to comply with the
CQC fundamental standards and if
actions arising from the CQC visit
are not implemented at sufficient
pace then clinical standards may not
be met leading to significant patient
harm, deterioration in patient
outcomes, a failure to maintain a
CQC rating of 'good' and a serious
reputational risk to the trust.
TL Action plan process in place with
monthly review at Executive and
Board level
Widespread communication about
CQC report and actions arising
Quality summit
CQRG monitoring
More than 80% actions implemented
with clear timeline in place for
implementation of outstanding
actions
Evidence required that
actions arising from CQC
action plan have been
embedded and can be
sustained
Action plan to be 100%
complete
Outcome of internal
Moorfields Private
assessment not known
Divisional assessments not
yet planned
Quality & Safety
committee
Management Executive
Divisional Board and
performance review
meetings
Independent review
or audit of the CQC
action planning
process
Forward planning for
divisions to prepare
for future CQC
inspections
Engagement with
CQC inspectors
Action plan to be fully
implemented (IT, Mar 18)
Discussion with KPMG
about auditing the CQC
planning process and how
the actions have been
embedded - under way
(IT, Mar 18)
Formally agree monitoring
output of MP assessment
and action plan at QSC
(IT/TL, Mar 18)
CQC preparation -
divisional self-assessments
to be completed and
scrutinised by executive
panel (IT, Jul 18)
5 3 15
8 (4x2)
Robust planning will
allow the trust to
mitigate the impact
and likelihood
15
Safe, Effective, Well Led Fire safety
If the trust fails to comply with
statutory regulation in relation to
fire safety or meet targets for
mandatory training then this will
lead to regulatory intervention and
a significant impact on patient care
and outcomes, staff morale and the
trust's reputation. Potential increase
in likelihood of patient and staff
harm.
SD Fire Safety report from independent
fire assessor
Fire policy (recent review)
Fire risk assessment
Mandatory training figures
Fire drills
Fire drills programme behind
and evaluation from fire drills
to be analysed
Process of cultural change
needs to be embedded
Improvement in training
compliance in some areas
(specifically fire site cover).
Fire Safety group
(subgroup of Risk &
Safety committee)
Independent fire safety
advisor
Board of directors
Board requested
assurance on the
following areas:
Training attendance
Fire drills
Marshal returns
Filing room
Management of
cylinders
Acknowledged that
culture and
behavioural issues
continue to be
challenging.
Update on fire safety
compliance timescales to
be provided at the board
meeting in February (SD,
Feb 18)
Action already taken on
management of cylinders
(see narrative report)
5 3 15
10 (5x2)
Good controls and
processes in place,
but need to change
cultural and
behavioural issues
New risk
Caring, Safe, Responsive Patient and Carer Experience
If there is deterioration in patient
and carer experience then this will
lead to patients choosing to be
treated elsewhere and a significant
reputational risk to the trust plus a
corresponding loss of income.
TL Positive friends and family test scores
CQC patient surveys
Members week report and feedback
SIS programme (including patient
feedback)
Other service improvement projects
Evidence required that
actions arising from CQC
action plan have been
embedded and can be
sustained
Action plan to be 100%
complete
Outcome of internal
Moorfields Private
assessment not known
Divisional assessments not
yet planned
Regular contact with
patients through SIS
Programme Board
Patient surveys and
feedback reported
through various channels
including Board of
Directors
Management Executive
Bi-annual Q&S reports to
the Board.
Patient experience and
carer committee through
to clinical governance and
QSC
Patient experience
focus groups
Patient experience
reporting
Patient participation
strategy approved and
dates established for the
patient participation group.
Next steps to develop and
agree formal monitoring of
the patient participation
implementation plan (TL,
Mar 18)
4 3 12
6 (3x2)
Both impact and
likelihood can be
effectively mitigated
12
Strategic Objective 1. Care - We will pioneer patient-centred care with exceptional clinical outcomes and excellent patient experience
Board Assurance Framework - V1.0 (Care)
Statutory obligations
If the trust does not meet its
statutory obligations in relation to
health & safety, infection control,
etc. then there could be breaches in
standards and other failures leading
to significant patient harm, financial
penalties and regulatory
intervention. See specific controls
and assurances below:
DP Controls exist through management
oversight groups
Policies are generally up to date and a
detailed review mechanism is in place
Scrutiny and challenge is undertaken
by the Board subcommittees
CQC rating of 'good' achieved
Permanent head of legal services in
post
Policy rationalisation review
Backlog maintenance
although this is covered
through the Estates
department who have a
detailed programme in place
Audit and risk committee
Quality and safety
committee
Subgroup structures that
sit under Trust
Management Board and
Management Executive
including Clinical
Governance Committee
Governance structure
for reporting requires
review and clarity
Regular reporting of
mandatory and
statutory training
figures
More robust
reporting of issues at
divisional level
Review of governance
structures for each
statutory function
(responsible exec, Mar 18)
Formal structure for
reporting statutory issues
through to divisional board
meetings to be considered
(JQ, Mar 18)
5 2 10
10 (5x2)
Impact will always be
high, robust controls
in place
10
Health & Safety TL (IT) Health & Safety Annual Report
Health & Safety policies
Mandatory training figures and
targets (being revised)
Review health & safety
provision
Health & Safety group
(subgroup of the Risk &
Safety Committee)
Infection Control TL Infection Control Annual Report
Infection Control policies
Mandatory training figures
None identified Infection Control
Committee (subgroup of
Clinical Governance and
QSC)
Safe, Responsive, Well
Led
Learning the lessons
If the trust fails to identify or
address poor clinical practice then
there could be multiple serious
incidents leading to significant
patient harm, regulatory
intervention or damage to
reputation.
DF Robust incidents and complaints
systems in place
Mandatory annual appraisal and
revalidation for medics and nurses in
place
Clinical supervision policy
Sub-specialty structure with each
monitoring against outcome
measures
WHO Checklist reporting
Deanery review in 2015 confirmed
excellent SPR medical training in CR
and North London sites
Positive quality review done by the
GMC in July 2017 on trainees
Pathways to other hospitals
need to be more robust and
joined up
Challenge to mitigate against
human error
Audit of the WHO checklist
process
Business meetings at
service level with
management support
Divisional Board meetings
Progress and reporting on
SIs done via the Quality &
Safety and Clinical
Governance committees
Clinical audit plan
approved through QSC
Trust Management Board
Systemic process for
disseminating lessons
learned to be
established
Consultant supervision and
job planning -
recommendations from
audit nearing completion,
re-audit due. All job plans
will be reviewed by end of
March. (DF/HR, Mar 18)
Outputs from learning the
lessons sessions and
thematic reviews
disseminated via CG MDT
half day events (7
February). Agendas linked
and audit results shared
across services
5 2 10
8 (4x2)
Both consequence
and likelihood can be
mitigated but always
need to factor in
human error
15
All domains Compliance with national targets
If the trust fails to comply with or
meet national targets then this will
lead to regulatory intervention and
a significant impact on patient care
and outcomes, staff morale and the
trust's reputation.
JQ Divisional performance reviews
Divisional Board meetings reviewing
national targets
Monthly IPR to Board meeting
showing trend data and individual
targets for each domain
Remedial action plans in place for
each red or amber indicator
None identified Detailed performance
information reviewed
through divisional
performance meetings
and divisional boards. IPR
reviewed through
Management executive,
TMB and Board of
Directors
None identified Regular review of the
process along with a
project to develop process
improvement required (JQ,
Mar 18)
4 2 8
8 (4x2)
Good controls and
processes in place,
unlikely to be able to
mitigate this risk
down further
8
Safeguarding TL Safeguarding Annual Report
Safeguarding policies in place
Mandatory training figures
(including PREVENT and Mental
Capacity Act)
None identified Safeguarding Adults and
Children's groups
(subgroups of Clinical
Governance and QSC)
Safe, Effective, Well Led
As above As above
CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target score Previous
score
Effective, Well Led Research Funding
If the trust cannot attract sufficient
funding to maintain its position then
its capacity to conduct appropriate
research will diminish leading to an
inability to compete effectively for
funding and a significant risk in
terms of the trust brand and
reputation in the field.
PK TBC TBC Research Governance
Committee
JVIS
Research finance report at
Strategy & Investment
committee
Board of Directors
Research finance report being
reintroduced as per Board request.
First report to come to SIC in
January/March 2018 (SD, Mar
18)
5 2 10
10 (5x2)
Impact will remain
high and likelihood is
mitigated as far as it
can be.
10
Effective, Well Led Research staff
If high quality research staff cannot
be engaged and retained then
research activities will not be
fulfilled leading to withdrawal of
funding or damage to reputation
PK Programme underway led by Dep
CD of Clinical Research Facility, Dr
Richard Lee and Mr Praveen Patel
to work with peers to champion
research involvement.
Strategic approach to
encouraging staff to be
engaged in research
Joint Vision and Strategy
Committee
Research Governance
Committee
Quality & Safety Committee
Management Executive &
Board of Directors (through
IPR)
Some external factors beyond trust
control (e.g. staff leaving for larger
research organisations)
Review incentives, reward and
recognition for this endeavour.
(PK, Jan 18)
Assess effectiveness of revised
incentives on engagement
(MH, Jan 18)
Engage SIS programme to align
operational and research
activity (MH, Jan 18)
3 4 12
6 (2x3)
May be able to
mitigate both impact
and likelihood
through revised
process
12
Effective, Well Led Research Governance
If research governance is not robust
then there may be clinical or
operational risks that are not
managed or escalated appropriately
leading to patient harm, withdrawal
of funding or damage to reputation.
PK National and external oversight
processes
Joint governance and
management processes between
MEH and UCL
Research adheres to all MEH
policies
All research goes through the
same process and structure
Research quality management
system
Research governance summary
report.
Research KPIs
Non-research doctor to
chair Research
governance committee
Research Governance
Committee
Research Quality Review
group
Data Management
committee
Regular RG report to the
Quality & Safety Committee
New Joint Vision & Strategy
Committee
More formal, regular reporting from
RG to QSC
More robust trust Management
oversight to be considered
Medical director to chair (DF,
Dec 17)
Report to QSC to be
considered (PK, Dec 17)
Cycle of business to be
established with more formal
subgroup reporting cycle (IT,
Mar 18)
4 2 8
4 (4x1)
Impact will remain
high but can mitigate
likelihood through
improved
governance process
8
Board Assurance Framework - V1.0 (Research)
Strategic Objective 2. Research - We will be at the leading edge of research making new discoveries with our partners and patients
CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Risk Appetite Previous
score
Effective, Responsive,
Well Led
Innovation
If there is a failure to provide
sustainable innovation or lead the
way nationally in transforming
services then the trust will not be
able to respond to changes in
commissioning demand or
competition from other
organisations, attract and retain the
best staff and meet increasingly
challenging targets.
JQ Service improvement &
sustainability programme board
has been established
Governance structure in place
and operational
Programmes of work identified
and teams with SROs agreed
Work with partners on
innovation in services
CCG and provider
financial challenge leads
to tensions in
commissioning
provision and more
regular tendering for
services within a
reduced financial
envelope
Trust Management
Board
Board of Directors
Membership Council
Clinical workshops
Systematic approach to
developing and leading national
strategy to be defined.
New models of care and service
improvement identified as two
of the five key strategic
priorities. Development of a
plan for Q1 and the end of
2018/19 to be considered by
the board in March (JQ, Mar
18)
4 3 12
6 (3x2)
Impact and
likelihood can be
mitigated
12
Board Assurance Framework - V1.0 (Knowledge)
Strategic Objective 3. Knowledge sharing - We will innovate by sharing our knowledge and developing tomorrow's experts
CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous
score
Responsive, Well Led Relationships
If the trust fails to establish and
maintain effective relationships with
internal and external stakeholders
then there will be an adverse impact
on the trust's reputation and ability
to influence the local and national
agenda.
DP Commitment to STP partnership and
membership of national networks
Representation on key bodies, e.g.
WAEH (CE)
UCLP (CE)
NCL STP (Chair, CE and CFO)
Designated roles and
responsibilities for
agency relationships at
strategic and locality
level
Management Executive
Board of Directors
Formal horizon scanning
and reporting
from external groups and
meetings required
Stakeholder mapping being
done via the communications
strategy. Once approved the
relationship owners will be
mapped out and designated
(JM, Mar 18)
STP reporting to be included as
a standing item on the
management executive agenda
(HE, Feb 18)
4 2 8
6 (3x2)
Will be able to
mitigate both
impact and
likelihood
8
Board Assurance Framework - V1.0 (Policy)
Strategic Objective 4. Policy - We will collaborate to shape national policy
CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target score Previous
score
Safe, Responsive, Well
Led
Recruitment and retention
If the trust does not have a robust
plan in place for recruitment and
retention then there will be staff
shortages and skill gaps leading to
insufficient numbers of staff
available in key areas and a
subsequent impact on quality of
patient care, pressure on staff, staff
and financial planning.
HR KPIs reported monthly to
directorates and departments
Local action plans in place
Nursing recruitment and retention
work including capital nurse
programme
Recruitment open days and
presence at recruitment fairs
Detailed understanding of drivers of
high turnover
Weekly staff bulletin showing
current vacancies
Staff development through job
planning process and personal
development plans
Actions arising from
retention report
Audit report on consultant
job planning and appraisal
figures
Management Executive
(through IPR)
Board (through IPR)
People committee
Nursing retention paper
through TMB
HR scorecards being
developed for review
at the divisional board
meetings.
Action plan in place and being
reviewed by the people
committee (HR, Feb 18)
Improved on-boarding
processes (HR, Mar 18)
Career clinics for staff wanting
to develop and progress (HR,
Mar 18)
Improved apprenticeship
schemes (HR, Mar 18)
Recommendations from audit
on consultant job planning in
progress (HR, DF Mar 18)
4 3 12
9 (3x3)
Currently the
largest risk facing
the NHS, some
mitigation can be
done but facing
national problems
12
Safe, Well Led Staff competence
If mandatory training and appraisal
standards are not met then staff
may not be competent to carry out
their functions and managers will
not fully understand the
development needs of the workforce
leading to potential patient harm,
poor patient care and outcomes,
increases in serious incidents and
intervention by professional bodies
and the regulator.
HR Oversight by mandatory training
group
Insight system now embedded
across the organisation
Reports continually produced to
hold departments/managers to
account
Ten core high-volume mandatory
training subjects have been
converted to online programmes
From Jan 2017 new starters have
been required to complete the core
subjects prior to starting.
Strengthen the
accountability of divisional
management
Strengthen accountability
of corporate management
Divisional Board
meetings
Management executive
People committee
Appraisal paper to
management executive,
currently at 83%
None identified Managers authorised to reject
annual leave requests until
mandatory training has been
completed - need to raise
awareness (HR, Mar 18)
Corporate performance
reporting in place but
escalations up to management
exec need to be more robust, to
be addressed through the MAST
group (HR, Mar 18)
4 3 12
8 (4x2)
Impact will always
be high but
likelihood can be
mitigated
12
Responsive, Well Led Staff engagement
If engagement with staff is
ineffective and inconsistent then
they will have a lack of confidence in
the organisation's approach to
workforce issues leading to poor
staff retention and morale,
deterioration in the quality of
patient care and a risk to the trust's
reputation as an employer of choice.
HR Staff Survey results
Local action plans in place to
address specific staff survey
concerns
Leadership development
programme has commenced
following clinical restructure
Lack of consistent
application of the dealing
with breaches in
behaviours
Management Executive
People committee
Divisional Board
meetings
HR scorecards being
developed for review
at the divisional board
meetings.
Leadership development next
steps being discussed via
management exec
Internal audit review on
equalities and diversity is under
way (HR, Mar 18)
Robust action planning and
feedback required following
results of staff survey (HR, Apr
18)
Risk score to be revised
following results of staff survey
(HR, Apr 18)
4 3 12
6 (3x2)
Both impact and
likelihood can be
mitigated with
improved
engagement and
communication
12 (3x4)
Board Assurance Framework - V1.0 (Workforce)
Strategic Objective 5. Workforce - We will attract, retain and develop great people
CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous score
Effective, Well Led Project Oriel
If the key assumptions behind
Project Oriel are not achieved then
there may be insufficient capital and
resources available leading to a
failure to deliver the project
objectives and a significant
reputational risk to the trust.
DP
(JM)
Active engagement with current
owner of preferred site as part of
NCL STP
Influencing strategy for key
individuals across the system is in
operation
Optimism bias built into business
case
Land purchase business case agreed
by the Board
Development advisor appointed
Securing land at St Pancras
Certainty of sales proceeds from
City Road
Board of Directors
Strategy & Investment
Committee
Project Oriel joint advisory
committee
None identified at this
stage
Agreeing Heads of Terms with
MEC (SD, Mar 18)
Implementation of joint project
governance (JM, Apr 18)
Delivery of OBC (spring/summer
2019)
5 3 15
10 (5x2)
Impact will always
be high, likelihood
can be mitigated
15
Effective, Responsive,
Well Led
Cyber Security
If there is a successful cyber attack
then the trust may suffer from a loss
of service and lead to staff being
unable to access patient records
leading to a significant impact on
patient care and outcomes and
reputational damage to the trust.
SD IT Security policy
Annual penetration tests
Disaster recovery plan in place
including cyber-security action cards
NHS Cybert alerts actions
Annual cyber-security assessment
Robust patching policy and
procedures
17/18 penetration test and
completion of action plan
17/18 cyber security
assessment and action plan
Additional toolsets to support
cyber-security
Information Governance
Committee
Audit and risk committee
Independent review Additional penetration testing
complete. Ongoing action plan
and further pen testing to be
undertaken throughout the year.
Updates to be provided through
Information Governance and
ManEx. (AD, Apr 18)
4 3 12
9 (3x3)
Both likelihood and
impact need to be
minimised
16
Safe, Well Led Emergency preparedness
If there are insufficient emergency
and resilience plans in place to
respond to a major incident then the
Trust will not be able to effectively
respond to urgent and emergency
situations leading to patients and
staff being at risk of significant harm.
JQ
Emergency Response policy
Business continuity plans in place
and subject to regular multi-
disciplinary exercise programme
Senior leader briefings
Building maintenance programme
Regular inspections
Trust externally audited and rated
'good' for EPRR preparedness
Annual testing of BCP/DR plans
within divisions
Emergency Planning group
Management Executive
None identified at this
stage
Evacuation testing to be done by
end of Feb (JQ, Feb 18)
Divisional plan to start
implementation from April (JQ,
Apr 18)
Command post exercise taking
place February to test resilience
plans (JQ, Feb 18)
5 2 10
10 (5x2)
Impact will always
be high, likelihood
can be mitigated
15
Effective, Well Led Accommodation
If services are provided from poor
standard accommodation that is not
fit for purpose then this will have an
adverse impact on the patient
experience and staff morale and
could also lead to regulatory action
in relation to breaches of health &
safety or fire legislation.
SD
System in place for recording
statutory and mandatory
compliance and identifying where
areas of non-compliance exist
Some leases are in place
Compliance assurance sought
regularly from host trusts
Interim compliance officer
appointed
Project Oriel
Backlog maintenance programme
and other works embedded in
Estates system
Effective and enforceable leases
in place across the whole
network
As per Project Oriel control gaps
relating to St Pancras and
clarification of City Road
timeline
Capital project and oversight
group
Management executive
Strategy & Investment committee
Quality & safety committee
Estates Compliance Assurance
Manager
Lease monitoring systems
None identified at this
stage
Convert existing agreements to
leases (update: leases not yet
agreed in some areas, e.g. SGH)
(SD, Mar 18)
4 3 12
8 (4x2)
Impact and
likelihood can be
mitigated although
reliant on Project
Oriel to achieve
12
Board Assurance Framework - V1.0 (Infrastructure)
Strategic Objective 6. Infrastructure - We will have an infrastructure and culture that supports innovation
Effective, Responsive,
Well Led
Information Governance
If there is a failure to comply with
information governance procedures
(including new GDPR legislation)
leading to a breach then there is a
risk of a significant fine from the ICO
and a reputational risk to the trust.
TL
(IT)
Suite of IG policies in place including
confidentiality of information,
management of records, privacy and
FOI
New Health records destruction and
retention policy undergoing
consultation
Information Governance Toolkit
Data flow mapping
GDPR project plan
Awaiting national GDPR
guidance which may not be
available until April 2018
Some areas rela
Information Governance
Committee
Management executive
Quality & Safety Committee
Unable to assure in some
areas relating to GDPR
such as:
Information Asset
management
Data portability
Consent
Data breaches
Third party contracts
Individual rights
Privacy impact
GDPR - Task/finish work streams
have been established for each
named area and additional
controls and mitigating actions
have been identified for each
task/finish group to complete.
Briefing to March board and
management exec (IT, Mar 18)
IG toolkit compliance - reported
through annual governance
statement and board. Minimum
level 2 required (IT, Mar 18)
4 3 12
8 (4x2)
Impact will always
be high but the
likelihood can be
mitigated
12
CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous score
Effective, Well Led Cost improvement programmes
If the trust fails to achieve cost
improvement targets then this leads
to pressure on budgets affecting
staff morale, patient care and
inviting increased scrutiny from
regulators and commissioners.
SD
Monthly financial reporting and
finance dashboards
Divisional performance and board
review
Corporate CIP challenge sessions
Challenging targets set and
acknowledged
A certain level of CIP
remains unidentified
Assessment of budget
impact on planning for next
year
Finance committee
Management Executive
Board
Divisional meetings
None identified
Increased challenge sessions
in later months of the year
(SD, Mar 18)
Robust planning and
achievable targets for 18/19
(SD, Mar 18)
Assessment of budget impact
to be included in planning
(SD, Mar 18)
Currently in planning round
process.
4 4 16
8 (4x2)
Impact will
always be high,
mitigations can
be effected
through
planning and
compliance
process
16
Effective, Well Led Commissioner turbulence
If there is continued or increased
turbulence in the commissioning
landscape then this will lead to
increasing pressure on services,
more notices of termination and
tendering of services leading to loss
of contracts and income, a significant
impact on staff and serious
reputational risk.
SD
Signed contracts with
commissioners
Engagement with commissioners
in order to give notice of future
funding pressures
Negotiations that form the
regular contracting round
Awareness and being
sighted on forthcoming
funding requests
Lack of influence over
commissioner decisions
made to address their
internal funding issues
Commissioner meetings
Management executive
Robust commissioner
relationships at division level
Stakeholder mapping and
customer relationship
management review taking
place as part of the
communications strategy
(JM, Mar 18)
Regular meetings with
commissioners and move
towards implementing service
change. Regular updates to
board.
5 3 15
8 (4x2)
Impact and
likelihood can
both be
mitigated
15
Effective, Well Led Financial Plan
If the trust fails to meet its financial
plan then this may result in a
reduction in STP funding,
cancellation of major projects, an
adverse impact on NHSI metrics and
an increasingly challenged financial
position impacting staff, patients
and the trust's reputation.
SD
Financial plan/budget
development, including CIPs
Major capital expenditure and
funding sources identified
Short term capital investment
commenced to maintain and
increase capacity of services and
improve environment
Active engagement by CFO with
the local health system
SFIs reviewed
Divisional performance
management meetings in place
Costing project initiated
Confirmation of financial
commitments
Better understanding and
tighter control of costs
External audit
Finance Committee
Monthly board reporting
Monthly budget
statements to budget
holders
None identified
Reporting to the finance
committee on longer term
financial planning. Financial
plan has been met for 17/18.
Draw up engagement plan for
engagement of wider trust
leadership team with local
health systems (JM, Mar 18)
Patient level costing to be put
in place and embedded (SD,
Mar 18)
5 2 10
10 (5x2)
Good controls in
place, no further
mitigations likely
10
Board Assurance Framework - V1.0 (Financial)
Strategic Objective 7. Financial - We are able to deliver a sustainable financial model