
Approval of 2017-18 Annual Accounts Delegated Authority · 2. The report sets out the context for the accounts approval and the wider process being undertaken by the Trust to deliver


Approval of 2017-18 Annual Accounts Delegated Authority

Meeting: Board of Directors
Date: 2 May 2018
Agenda item: 12
Lead Director: Alison Hughes, Director of Corporate Affairs
Author(s): Alison Hughes, Director of Corporate Affairs

To Approve

To Note

To Assure

Link to Principal Risks in the Board Assurance Framework - please mark against the principal risk(s) - does this paper constitute a mitigating control?

Failure of organisations across the system to delegate appropriate authority to support the integrated care system (Healthy Wirral)

Failure to engage staff to secure ownership of the Trust’s vision and strategy

Increasing fragility of the social care market

The impact of the outcome of the Urgent Care Review compromising financial stability and the future model of care

Services fail to remain compliant with the CQC fundamentals of care leading to patient safety incidents and regulatory enforcement action and a loss of public and system confidence

Inability to implement the Trust’s clinical transformation strategy and preferred model of care - Neighbourhood care

Commissioning decisions do not promote integrated working across the health and care system

Link to strategic objectives & goals - 2017-19

Please mark against the strategic goal(s) applicable to this paper

Our Patients and Community - To be an outstanding trust, providing the highest levels of safe and person-centred care

We will deliver outstanding, safe care every time

We will provide more person-centred care

We will improve services through integration and better coordination

Our People - To value and involve skilled and caring staff, liberated to innovate and improve services

We will improve staff engagement

We will advance staff wellbeing

We will enhance staff development

Our Performance - To maintain financial sustainability and support our local system

We will grow community services across Wirral, Cheshire & Merseyside

We will increase efficiency of corporate and clinical services

We will deliver against contracts and financial requirements


Failure to build the workforce skills and infrastructure to transform services to meet the demographic needs of the workforce and population

Security of public health funding and subsequent contractual decisions impacting on the range of services provided to Wirral & Cheshire East

Failure to foster, establish and manage the right partnerships that enable a response to commissioning intentions

Development of place-based care outside of Wirral, limits the Trust’s ability to expand/retain services in these areas

Failure to deliver the efficiency programme

Failure to achieve all the relevant financial statutory duties

The impact of the outcome of the Carter Review on community services benchmarking on commissioning decisions

Impact of supporting the delivery of the 3-year financial plan and future sustainability of the Wirral system

Link to the Organisational Risk Register (Datix)

Has an Equality Impact Assessment been completed?

Yes No

Paper history Submitted to Date Brief Summary of Outcome

No previous reporting history.


Approval of 2017-18 Annual Accounts Delegated Authority

Introduction

1. The purpose of this paper is to request that the Board of Directors formally delegate authority to the trust’s Audit Committee to adopt and approve the trust’s Annual Accounts for 2017-18.

2. The report sets out the context for the accounts approval and the wider process being undertaken by the Trust to deliver a full set of audited accounts in line with the national guidance and timetable.

Rationale and Implications

3. The Foundation Trust is required to comply with the guidance in the Annual Reporting Manual for Foundation Trusts for 2017-18 and submit a set of audited annual accounts including an Annual Report by the national deadline of 29 May 2017.

4. The process for the completion of FT Annual Accounts is set out below:

Date | Action

24 April 2017 (noon) | NHS FTs submit unaudited FTCs and accounts to NHS Improvement - Completed

2 May 2017 | Board of Directors delegates authority to Audit Committee to approve accounts

23 May 2017 | Audit Committee receives audited accounts, certificates and audit opinion and approves accounts

29 May 2017 (12 noon) | NHS FTs submit (electronically and post) audited FTCs and accounts, final annual report and quality report to NHS Improvement

21 June 2017 | Parliament step 1: Preparation for laying before Parliament. NHS FTs to check the format of the annual report with the DH Parliamentary Office.

25 June 2017 | Parliament step 2: NHS FTs submit accounts to DH Parliamentary Office to be laid before Parliament

16 July 2017 | NHS FTs submit laid full annual report including full statutory accounts to NHS Improvement

September - November 2018 | Audited accounts presented at Trust AMM

Conclusion

5. The Trust requires the delegation of authority to approve its annual accounts to the Audit Committee in order to ensure the delivery of accounts in line with the national timetable.

Board Action

6. The Board of Directors is asked to approve the request to delegate authority to the Audit Committee to sign-off the Foundation Trust annual accounts for 2017-18.

Alison Hughes
Director of Corporate Affairs
20 April 2018


Charitable Funds - financial reporting 2016/17

Meeting: Board of Directors
Date: 2 May 2018
Agenda item: 13
Lead Director: Mark Greatrex, Chief Finance Officer/Deputy Chief Executive
Author(s): Claire Deegan, Head of Finance

To Approve

To Note

To Assure

Link to Principal Risks in the Board Assurance Framework - please mark against the principal risk(s) - does this paper constitute a mitigating control?

Failure of organisations across the system to delegate appropriate authority to support the integrated care system (Healthy Wirral)

Failure to engage staff to secure ownership of the Trust’s vision and strategy

Increasing fragility of the social care market

The impact of the outcome of the Urgent Care Review compromising financial stability and the future model of care

Services fail to remain compliant with the CQC fundamentals of care leading to patient safety incidents and regulatory enforcement action and a loss of public and system confidence

Inability to implement the Trust’s clinical transformation strategy and preferred model of care - Neighbourhood care

Commissioning decisions do not promote integrated working across the health and care system

Link to strategic objectives & goals - 2017-19

Please mark against the strategic goal(s) applicable to this paper

Our Patients and Community - To be an outstanding trust, providing the highest levels of safe and person-centred care

We will deliver outstanding, safe care every time

We will provide more person-centred care

We will improve services through integration and better coordination

Our People - To value and involve skilled and caring staff, liberated to innovate and improve services

We will improve staff engagement

We will advance staff wellbeing

We will enhance staff development

Our Performance - To maintain financial sustainability and support our local system

We will grow community services across Wirral, Cheshire & Merseyside

We will increase efficiency of corporate and clinical services

We will deliver against contracts and financial requirements


Failure to build the workforce skills and infrastructure to transform services to meet the demographic needs of the workforce and population

Security of public health funding and subsequent contractual decisions impacting on the range of services provided to Wirral & Cheshire East

Failure to foster, establish and manage the right partnerships that enable a response to commissioning intentions

Development of place-based care outside of Wirral, limits the Trust’s ability to expand/retain services in these areas

Failure to deliver the efficiency programme

Failure to achieve all the relevant financial statutory duties

The impact of the outcome of the Carter Review on community services benchmarking on commissioning decisions

Impact of supporting the delivery of the 3-year financial plan and future sustainability of the Wirral system

Link to the Organisational Risk Register (Datix)

No specific risks identified.

Has an Equality Impact Assessment been completed?

Yes No

Paper history Submitted to Date Brief Summary of Outcome

No history


Charitable Funds - financial reporting 2016/17

Purpose

1. The purpose of this paper is to provide the Board with assurance on the reporting and governance arrangements regarding Wirral Community NHS Foundation Trust’s (WCT) charitable funds.

2. The Board is asked to note the attached latest published financial statements for WCT’s charitable funds (for the financial year ending 31 March 2017), which are included within the funds of the CWP charity.

Executive Summary

3. WCT hold charitable funds comprising donations and fundraising received from staff and patients (and other stakeholders) of WCT and legacy funds passed over from Wirral PCT when WCT became a separate entity in 2013.

4. These funds are held and managed on behalf of WCT by Cheshire and Wirral Partnership (CWP) who administer and account for them through the CWP charity (charity number 1050046).

5. During 2017/18 MIAA undertook a review of charitable funds and made several recommendations. One of these was that the Charity and WCT should improve reporting protocols, including formally reporting the activities of the Charity to WCT’s Board.

6. The Board is asked to note the latest published financial statements for WCT’s charitable funds (for the financial year ending 31 March 2017).

Service Level Agreement with CWP

7. CWP account for our charitable funds within their own charity and provide accounting and governance services in order to comply with Charity Commission and NHS charity guidance and legislation.

8. Donations are passed over to the Charity by the financial services team at WCT and applications for funds are sent to WCT finance team, signed off by the Chief Financial Officer and sent to the Charity to be reviewed against the Charity’s objectives and paid accordingly.

9. The fee for services in 2016/17 was £2,170, based on the value of the fund. WCT and CWP are in the process of updating the SLA and revising the charging structure to reflect the volume of transactions as well as fund value. At present these costs are borne by the Trust rather than the charitable funds.

10. WCT have reviewed the arrangements with CWP and consider that they give good value for money. If the management of the charity was moved in-house, the administrative burden would be considerable including:

• Convening a Charity Committee comprising Non-Executive and Executive Directors and appropriate representation from clinical and non-clinical services

• Setting up a separate financial ledger for the Charity - and any associated costs from our ledger provider to facilitate this

• Preparing a separate annual report and financial statements for the charity and, potentially, consolidating them into the NHS accounts submitted to NHSI

• Independent Examination fees (the fee disclosed in the attached accounts was £1,380) and

• Additional administrative costs within the Executive Office and finance teams.


11. WCT will review the SLA with CWP during 2018/19.

Financial statements of the Charity

12. Attached is the latest set of signed accounts for the Charity covering the period 1 April 2016 to 31 March 2017 which were approved by CWP in December 2017 and subject to an independent examination. These accounts are also available to view on the Charity Commission website. They cover the total funds held by the charity, but split out the income, expenditure and opening and closing fund balances relating to WCT’s funds. This is shown most clearly in note 12 of the accounts (page 15) and summarised in the table below:

 | 2016/17 | 2015/16 comparatives
Adjustment to funds | (£227) | 0
Opening WCT fund balance at 1 April | £80,471 | *£87,550
Income for the year | £6,862 | £6,323
Expenditure for the year | (£5,279) | *(£9,743)
Investment gains/(losses) | £7,354 | *(£3,432)
Closing WCT fund balance at 31 March | £89,408 | *£80,698
**Closing available funds | **£80,264 | **£74,115

*these comparative figures are not shown within the 2016/17 accounts and have been collated from the 2015/16 accounts which are available to view on the Charity Commission website via this link: http://apps.charitycommission.gov.uk/Accounts/Ends46/0001050046_AC_20160331_E_C.pdf

**the total funds within the financial statements include unrealised gains and losses on investments. These are the difference between the market value and book value of investments. These would only be available to spend if the Charity’s investments were sold and converted to cash balances. The available funds value is taken from working documents provided by CWP which are provided to the Trust on a quarterly basis.

13. During the financial year 2018/19 WCT will continue to review activity on the fund and encourage applications to benefit patients and staff. In March 2018 an ear-marked fund for Heart Support was set up. WCT will also continue to review the appropriateness of historic ear-marked funds (inherited from the PCT) and the benefits of setting up other ear-marked funds where there is particular fundraising activity and interest (for example End of Life fund and Community Nursing fund).

14. The CWP charity expect to finalise the 2017/18 financial statements in Autumn 2018 and these will be reported to the Board as soon as they have been approved and subjected to an independent examination.

Board action

15. The Board is asked to be assured on the financial reporting arrangements for the Trust’s charitable funds.

Mark Greatrex, Chief Finance Officer/Deputy Chief Executive
Claire Deegan, Head of Finance
03 April 2018


Audit Committee Annual Report 2017-18

Meeting: Board of Directors
Date: 2 May 2018
Agenda item: 14
Lead Director: Chair, Audit Committee
Author(s): Alison Hughes, Director of Corporate Affairs

To Approve

To Note

To Assure

Link to Principal Risks in the Board Assurance Framework - please mark against the principal risk(s) - does this paper constitute a mitigating control?

Failure of organisations across the system to delegate appropriate authority to support the integrated care system (Healthy Wirral)

Failure to engage staff to secure ownership of the Trust’s vision and strategy

Increasing fragility of the social care market

The impact of the outcome of the Urgent Care Review compromising financial stability and the future model of care

Services fail to remain compliant with the CQC fundamentals of care leading to patient safety incidents and regulatory enforcement action and a loss of public and system confidence

Inability to implement the Trust’s clinical transformation strategy and preferred model of care - Neighbourhood care

Commissioning decisions do not promote integrated working across the health and care system

Link to strategic objectives & goals - 2017-19

Please mark against the strategic goal(s) applicable to this paper

Our Patients and Community - To be an outstanding trust, providing the highest levels of safe and person-centred care

We will deliver outstanding, safe care every time

We will provide more person-centred care

We will improve services through integration and better coordination

Our People - To value and involve skilled and caring staff, liberated to innovate and improve services

We will improve staff engagement

We will advance staff wellbeing

We will enhance staff development

Our Performance - To maintain financial sustainability and support our local system

We will grow community services across Wirral, Cheshire & Merseyside

We will increase efficiency of corporate and clinical services

We will deliver against contracts and financial requirements


Failure to build the workforce skills and infrastructure to transform services to meet the demographic needs of the workforce and population

Security of public health funding and subsequent contractual decisions impacting on the range of services provided to Wirral & Cheshire East

Failure to foster, establish and manage the right partnerships that enable a response to commissioning intentions

Development of place-based care outside of Wirral, limits the Trust’s ability to expand/retain services in these areas

Failure to deliver the efficiency programme

Failure to achieve all the relevant financial statutory duties

The impact of the outcome of the Carter Review on community services benchmarking on commissioning decisions

Impact of supporting the delivery of the 3-year financial plan and future sustainability of the Wirral system

Link to the Organisational Risk Register (Datix)

Has an Equality Impact Assessment been completed?

Yes No

Paper history Submitted to Date Brief Summary of Outcome

No previous reporting history.


Audit Committee Annual Report 2017-18

Purpose

1. This paper provides the Trust Board of Directors with an annual report from the Audit Committee of Wirral Community NHS Foundation Trust.

Executive Summary

2. The report summarises the activities of the Trust’s Audit Committee for the financial year 2017-18 setting out how it has met its terms of reference and key priorities.

3. The committee is a formal committee of the Board of Directors. It follows best practice guidance as set out in the NHS Audit Committee Handbook 2014 providing a form of independent check upon the management of the Trust.

Rationale and Implications

4. The annual report attached as Appendix 1 provides an overview and summary of the following key points:

• Membership of the committee and frequency of meetings

• Governance arrangements to support the committee

• The work and achievements of the committee during the financial year 2017-18 including clinical audit, internal and external audit and counter fraud

• The role of the committee in approving the Trust’s Annual Report and Annual Accounts and the Quality Report

Conclusion

5. The Audit Committee of Wirral Community NHS Foundation Trust is of the view that it has taken appropriate steps to perform its duties as delegated by the Board of Directors and it has no cause to raise any issues of significant concern with the Board arising from its work during 2017-18.

Board Action

6. The Board of Directors is asked to endorse the Annual Report of the Audit Committee.

Brian Simmons, Non-Executive Director, Chair, Audit Committee
Alison Hughes, Director of Corporate Affairs
April 2018


Audit Committee Annual Report for the Financial Year 2017-18

1. Introduction

This Annual Report to the Board of Directors and the Council of Governors summarises the activities of the Audit Committee (the Committee) of Wirral Community NHS Foundation Trust for the financial year 2017-18 setting out how it has met its terms of reference and key priorities.

The Committee is a formal committee of the Board of Directors (the Board). It follows best practice guidance as set out in the NHS Audit Committee Handbook 2014 providing a form of independent check upon the management of the Trust.

2. Membership and Meetings

The Committee comprises four Non-Executive Directors including the appointed Committee Chair, Brian Simmons. The Chair of the Audit Committee has significant financial experience, having previously been Assistant Chief Officer and Finance Director for the Cheshire Constabulary, and is a fellow of the Chartered Institute of Management Accountants.

Members of the Committee during 2017-18 were:

• Brian Simmons, Chair
• Chris Allen, Member
• Alan Wilson, Member (up to August 2017)
• Murray Freeman, Member
• Beverley Jordan, Member (from September 2017)

Brief CVs of members including any declared interests can be found on the Trust’s website.

In addition to the members, the following trust officers attended the committee on a regular basis: Chief Finance Officer, Director of Corporate Affairs, Director of Nursing & Quality Improvement and Local Security Management Specialist. The Chief Executive attends annually and other Directors and Senior Managers attend by invitation and at the request of members.

The Trust’s internal (MIAA) and external auditors attend all meetings to report on the matters they have investigated, to advise on a range of risk and control issues, and to formally report on the financial statements.

The committee’s terms of reference for the financial year are attached at appendix 1 and were updated at the beginning of 2017-18 to reflect the role of the committee in relation to whistleblowing and the link to the Freedom to Speak up Policy, to clarify the role of the Council of Governors in appointing the Chair of the Audit Committee and to clarify the role and relationship to other committees of the Board of Directors.


Through the terms of reference, the committee is responsible on behalf of the Board for independently reviewing the systems of governance, control, risk management and assurance. Its activities cover the Trust’s governance agenda. It reviews (in summary):

• The adequacy and effectiveness of all risk and control related disclosure statements

• The underlying assurance processes that indicate the degree of achievement of corporate objectives and the effectiveness of the management of principal risks

• The policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements and related reporting and self-certification

• The Corporate Governance Manual, Standing Orders, Standing Financial Instructions and Scheme of Delegation

• The policies and procedures for all work related to fraud and corruption

The Committee met on four occasions during 2017-18; a schedule of attendance is included in the table below. Following each meeting of the committee a report is issued to the Board summarising the key topics discussed and any formal recommendations. The minutes of each meeting, once ratified, are also presented to the following meeting of the Board.

Table 1: Audit Committee members’ attendance information 2017-18

19 April 2017

30 May 2017

13 September 2017

29 November 2017

14 February 2018

Brian Simmons Chris Allen Alan Wilson Murray Freeman - - Beverley Jordan

3. Governance Arrangements

The Board committee structures reporting through to Board are clearly defined and supported through a review of committee terms of reference and reporting arrangements. The Board has formally delegated specific responsibilities to the committees listed below, full minutes of which are provided to Board.

• Quality & Safety Committee (Monthly)
• Finance & Performance Committee (Monthly)
• Education & Workforce Committee (Monthly)
• Remuneration & Terms of Service Committee (at least annually)
• Audit Committee (4-5 meetings per annum)

4. Work and achievements of the committee

The committee meets its responsibilities through requesting assurances from management and by receiving reports from the internal auditors, the external auditors and other specialists and advisors. The committee also recognises the quality of the discussion, the scrutiny applied and the assurances given at the sub-committees of the Board which in turn provides significant assurance and where necessary timely and appropriate escalation of risks and issues to the Audit Committee.


During 2017-18, the committee gave attention to the following issues; 4.1 Governance The committee discussed the annual work plan for the financial year which included the review and approval of the Annual Governance Statement (AGS), the Annual Report and Accounts, and the Quality Report. The Board Assurance Framework (BAF) was reviewed by the committee at each meeting providing assurance on the systems and processes in place to manage strategic risks across the organisation. The committee was also kept updated on the work of the Board of Directors to complete an annual review of the principal risks.

The committee reviewed revised Standing Financial Instructions (SFIs) and Delegated Financial Limits following scrutiny by the Finance & Performance Committee.

The new NHS England guidance on Managing Conflicts of Interest was summarised to the committee through a revised Trust Policy on Managing Conflicts of Interest (GP7); this was reviewed by members of the committee prior to submitting to the Board of Directors for formal ratification. Tender Waiver Applications were reported to the committee to give assurance that processes had been followed which complied with local guidance, as described in the Trust’s Standing Financial Instructions (SFIs).

4.2 Clinical Audit

The Trust’s Quality Improvement Annual Programme - Clinical Audit & Continuous Quality Improvements for 2017-18 was formally approved by the Audit Committee at its meeting in April 2017. The report provided an overview of the planned clinical audit activity with the programme focusing on the organisation’s top three quality hotspots of Pressure Ulcers, Medication Incidents and Sepsis and the deteriorating patient. A six monthly update report was provided to the committee in September 2017 to provide assurance that all projects were on track to be completed as planned and to advise the committee of some changes and additions to the annual programme. This update to the committee also included details of successful applications to the Trust’s Innovation Fund. The key quality outcomes from the audits will be reported in the Trust’s Annual Quality Report 2017-18.

4.3 Independent Assurance - Internal Audit

Mersey Internal Audit Agency (MIAA) has provided the internal service since the Trust’s establishment on 1 April 2011. In April 2017 the committee received the annual audit plan for approval and regular progress reports on the delivery of the plan at each of its meetings. The work of internal audit during 2017-18 included 8 assurance reviews, 1 advisory review on GDPR readiness, 2 reviews on Conflicts of Interest and Stakeholder Engagement that provided actions rather than an assurance level and a Security Standards Self-Assessment. Of the full reviews 6 received significant assurance, and 2 received limited assurance.

In relation to all audit reviews, the Trust provided a managerial response with action plans in place to deliver on the recommendations made. Each sub-committee of the Board receives audit reports relevant to its scope of responsibility and associated action plan where required. The Audit Committee maintains oversight of all internal audit reviews via an audit tracker tool and regular progress reports from MIAA.

Table 2: Internal Audit Reviews 2017-17

Review Title | Assurance Level
Combined Financial Systems | Significant
Charitable Funds | Limited
IG Toolkit | Significant
Help Desk | Significant
Service Review - Sexual Health | Limited
Quality Spot Checks | Significant
Patient Safety Dashboard | Significant
Payroll/ESR | Significant

MIAA also provided the Annual Assurance Framework Opinion and the Head of Internal Audit Opinion to assist in the production of the Annual Governance Statement and the Annual Report & Accounts 2017-18. The audit tracker was reviewed at each of the meetings and enabled members to track progress against the recommendations for each audit report. Any reviews receiving Limited Assurance were shared in full with the Audit Committee for oversight and assurance on progress against the action plans put in place. Any reports receiving Significant Assurance were reported to the committee through the MIAA progress report and the audit tracker. The individual (Significant Assurance) reports were not presented to the committee given they were reviewed in detail by the relevant committee of the board.

4.4 Independent Assurance - External Audit

Grant Thornton (GT) was the appointed external auditor for the Trust until September 2017 when the Annual Audit Letter for the period ended April 2016 was presented to the committee. Following a procurement process led by the Council of Governors, Ernst & Young (EY) was appointed the external auditor for the Trust with effect from November 2017 for a period of 3 years. EY presented their Audit Planning Report for 2017-18 to the committee in February 2018 summarising their approach for a full and thorough audit of the Trust’s accounts for the financial year. At the meeting of the Audit Committee in May 2017 EY will provide their anticipated opinion.

4.5 Local Security Management

The Local Security Management Annual Report 2017-18 was presented to the Audit Committee in April 2018 to demonstrate compliance with the requirements of the NHS Standard Contract to put in place and maintain appropriate counter fraud and security management arrangements. The report summarised security related incidents drawing comparisons where possible, with the previous financial years.

The Local Security Management Specialist (LSMS) attended each meeting of the Audit Committee to provide an update report. In April 2017 the Audit Committee received notification that NHS Protect would cease to exist post July 2017 and quality and compliance work for security management functions would no longer be undertaken by NHS Protect. Following the conclusion of NHS Protect activities, the Audit Committee commissioned the services of MIAA in December 2017 to conduct an audit of a sample (10) of the NHS security management standards for providers applicable to the Trust against a self-review process conducted by the LSMS. The Audit Committee received and supported the objectives for 2018-19 in relation to Local Security Management.

4.6 Counter Fraud

The Local Counter Fraud Specialist provision for the Trust was provided by Mersey Internal Audit Agency during 2017-18. The Trust has established good processes in respect of fraud, all overseen by the Chief Finance Officer and reported to the Audit Committee. The LCFS annual work plan for 2017-18 was approved by the Audit Committee in April 2017. During 2017-18, the Local Counter Fraud Specialist completed a wide range of work across the main key areas of activity as outlined by NHS Protect and agreed within the workplan; the plan was delivered in full. The Audit Committee received a counter fraud update at each of its meetings providing information on current fraud enquiries and any other related issues. The Anti-Fraud Services Annual Report for 2017-18 was also presented to the committee in April 2018.

One fraud referral was closed during 2017-18; no further referrals were received that required investigating.

5. Annual Report and Year-end declarations

The Audit Committee has requested delegated authority from the Trust Board of Directors at its meeting on 2 May 2018 to receive and approve the accounts and annual reports for the financial year 2017-18. The Chief Executive will be in attendance at the meeting of the Audit Committee in May 2018 to sign the necessary certificates and statutory declarations. A report from the meeting of the Audit Committee will be presented to the Board of Directors at its next meeting in July 2018 confirming that all the necessary requirements were met.

5.1 Annual Governance Statement

The internal auditors performed a range of audits during the year (see Table 2) which supported the Head of Internal Audit Opinion on the effectiveness of the Trust’s internal control which the committee reviewed at its April 2018 meeting. The committee will support the development of the Annual Governance Statement based on NHSI requirements and Internal Audit Assurance and will review and approve it for inclusion in the Annual Report and Accounts at its meeting in May 2018.

5.2 Quality Report

In May 2018, the committee reviewed and approved the Trust’s Annual Quality Report for 2017-18 which provided assurance on the provision of high quality, safe and effective services. The Audit Committee approved the Quality Report for submission as part of the Trust’s Annual Report & Accounts 2017-18.


6. Conclusion

The Audit Committee of Wirral Community NHS Foundation Trust is of the view that it has taken appropriate steps to perform its duties as delegated by the Board and it has no cause to raise any issues of significant concern with the Board arising from its work during 2017-18. In making this statement, the Committee members acknowledge the support given to it by management, in particular the Chief Finance Officer, the Director of Corporate Affairs and the Director of Nursing & Quality Improvement, and by the internal and external auditors. During 2018-19, the committee will keep under review its working arrangements and ensure it continues to develop its own practice to improve its own effectiveness. The Board is asked to endorse this Annual Report from the Audit Committee.

Brian Simmons
Chair, Audit Committee
April 2018


Wirral Community NHS Foundation Trust - Audit Committee Terms of Reference - April 2018

Audit Committee - Terms of Reference

Introduction

1. This document comprises the terms of reference, constitution and modus operandi of the Audit Committee of Wirral Community NHS Foundation Trust.

2. The document conforms to best practice documentation procedure (NHS Litigation Authority Risk Management Standards 2013/14 and NHS Audit Committee Handbook 2014) and sets out the principles by which the Audit Committee will transact its business with due diligence and regard for the population it serves, its strategic health economy partners and the general public.

Constitution

3. The Board hereby resolves to establish a Committee of the Board to be known as the Audit Committee.

4. The Committee is a non-executive committee of the Board and has no executive powers, other than those specifically delegated in these terms of reference.

Membership

5. The committee is a non-executive sub-committee of the Board of Directors and will consist of not less than three members. A quorum will be two members. The Chair of the organisation shall not be a member of the committee.

6. The composition of the committee will be given in Wirral Community NHS Foundation Trust’s Annual Report.

7. One of the Non-Executive Directors, appointed by the Council of Governors, will be specifically appointed as the Chair of the Audit Committee according to their skills and qualifications.

8. At least one member of the Audit Committee should have recent and relevant financial experience.

Attendance

9. The Director of Finance & Resources and appropriate internal and external audit representatives shall normally attend meetings. At least once a year the Committee will meet privately with the external and internal auditors.

10. The Chief Executive will be requested to attend annually to review the processes for assurance that support the Annual Governance Statement and the approval of the year-end accounts and annual report.

11. All other Executive Directors should be invited to attend, particularly when the Committee is discussing areas of risk or operation that are the responsibility of that Director.

12. The Director of Corporate Affairs shall provide support to the Chair and members and make arrangements for the minutes of the meeting to be recorded.

13. Agendas and supporting documentation will be circulated at least 3 working days (or 2 working days plus a weekend) in advance of the meeting.


Frequency

14. The Committee will consider the frequency and timings of meetings to ensure it is able to discharge all its responsibilities. A benchmark of five meetings per annum at appropriate times in the reporting and audit cycle will be considered. The external auditors or Head of Internal Audit may request a meeting if they consider that one is necessary and should have a right of access to the chair of the audit committee at any time.

15. Committee members will be expected to attend at least three quarters of scheduled meetings annually.

Authority

16. The committee is authorised by the Board to investigate any activity within its terms of reference.

17. It is authorised to seek any information it requires from any employee and all employees are directed to co-operate with any request made by the committee.

18. Matters for consideration by the committee may be nominated by any member of the committee or Executive Director of Wirral Community NHS Foundation Trust.

19. The committee is authorised by the Board to obtain outside legal or other independent professional advice and to secure the attendance of advisers with relevant experience and expertise if it considers this necessary. The sourcing of legal advice and other external services should be made in accordance with the standing financial instructions and table of delegated authority contained in the Corporate Governance Manual.

Duties

20. The committee will propose its terms of reference, specifying its composition and the arrangements for reporting.

21. In performing its duties, the committee will have due regard to the Trust’s commitment to equality, diversity and human rights as well as compliance with the Equalities Act 2010 and other legislation requirements.

22. In order to fulfil its role effectively, the committee will undertake the following:

Governance, risk management and internal control

23. The committee shall seek an independent review of the work of the relevant committees to enable it to review the establishment and maintenance of an effective system of integrated governance, risk management and internal control, across the whole of the organisation’s activities (both clinical and non-clinical), that supports the achievement of the organisation’s objectives.

24. The committee shall review and approve the Trust’s Annual Quality Report.

25. The committee will specifically review the adequacy and effectiveness of:


• All risk and control related disclosure statements (in particular the Annual Governance Statement), together with any accompanying Head of Internal Audit statement, external audit opinion or other appropriate independent assurances, prior to endorsement by the Board

• The underlying assurance processes that indicate the degree of achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure statements

• The policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements and related reporting and self-certification

• The Corporate Governance Manual, Standing Orders, Standing Financial Instructions and Scheme of Delegation.

• The policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the NHS Counter Fraud and Security Management Service.

26. In carrying out this work the committee will primarily utilise the work of internal audit, external audit and other assurance functions, but will not be limited to these sources. It will also seek reports and assurances from directors and managers as appropriate, concentrating on the over-arching systems of integrated governance, risk management and internal control, together with indicators of their effectiveness.

Internal audit

27. The committee shall ensure that there is an effective internal function that meets mandatory Public Sector Internal Audit Standards and provides appropriate independent assurance to the Audit Committee, Chief Executive and Board.

28. This will be achieved by:

• Consideration of the provision of the internal audit service, the cost of the audit and any questions of resignations and dismissal

• Review and approval of the internal audit strategy, operational plan and more detailed programme of work, ensuring that this is consistent with the Audit needs of the organisation

• Considering the major findings of internal audit work (and management’s response), and ensuring co-ordination between the internal and external auditors to optimise audit resources through the use of the audit tracker (the detail of the internal audit reports will be scrutinised at the relevant committees of the board)

• Ensuring that the internal audit function is adequately resourced and has appropriate standing within the organisation

• Conducting an annual review of the effectiveness of internal audit.

External audit

29. The committee shall review the work and findings of the external auditors and consider the implications and management’s responses to their work.

30. This will be achieved by:

• Considering the appointment and the performance of the external auditors, as far as the rules governing the appointment permit

• Discussing and agreeing with the external auditors, before the audit commences, the nature and scope of the audit as set out in the annual plan, and ensuring co-ordination, as appropriate, with other external auditors in the local health economy


• Discussing with the external auditors their local evaluation of audit risks and assessment of the Trust and associated impact on the audit fee

• Reviewing all external audit reports, including the report to those charged with governance, agreement of the annual audit letter before submission to the Board and any work undertaken outside the annual audit plan, together with the appropriateness of management responses.

Other assurance functions

31. The Audit Committee shall review the findings of other significant assurance functions, both internal and external to the organisation, and consider the implications for the governance of the organisation.

32. These will include, but will not be limited to, any reviews by the Department of Health arm’s length bodies or regulators/inspectors (for example, the Care Quality Commission, NHS Litigation Authority, etc.) and professional bodies with responsibility for the performance of staff functions (for example, Royal Colleges, accreditation bodies, etc.).

33. In addition, the committee will review the work of other committees within the organisation, whose work can provide relevant assurance to the Audit Committee’s own scope of work.

34. In reviewing the work of the Quality & Safety Committee, and issues around clinical risk management, the Audit Committee will wish to satisfy itself on the assurance that can be gained from the clinical audit function.

Counter Fraud

35. The committee shall satisfy itself that the organisation has adequate arrangements in place for countering fraud and shall approve the counter fraud plan and review the outcomes of counter fraud work.

Management

36. The committee shall request and review reports and positive assurances from directors and managers on the overall arrangements for governance, risk management and internal control.

37. The committee may also request specific reports from individual functions within the organisation (for example, clinical audit) as they may be appropriate to the overall arrangements.

Financial Reporting

38. The Audit Committee shall monitor the integrity of the financial statements of the Trust and any formal announcements relating to the Trust’s financial performance.

39. The committee should ensure that the systems for financial reporting to the Board, including those of budgetary control, are subject to review as to completeness and accuracy of the information provided to the Board.

40. The Audit Committee shall review the Annual Report (including the Quality Report) and financial statements before submission to the Board of Directors, focusing particularly on:

• The wording in the Annual Governance Statement and other disclosures relevant to the terms of reference of the committee

• Changes in, and compliance with, accounting policies, practices and estimation techniques


• Unadjusted mis-statements in the financial statements
• Significant judgements in preparation of the financial statements
• Significant adjustments resulting from the audit
• Letter of representation
• Qualitative aspects of financial reporting.

In performing its duties, the committee will have due regard to the Trust’s commitment to equality, diversity and human rights as well as compliance with the Equality Act 2010 and other legislation requirements.

Freedom To Speak Up (Whistleblowing)

41. In accordance with the UK Code, the Audit Committee shall remain aware of the arrangements and processes in place by which staff of the organisation may, in confidence, raise concerns about possible improprieties in matters of financial reporting or other matters.

42. The Audit Committee shall acknowledge the work and oversight of the Board of Directors and the Quality & Safety Committee in the application of the Trust’s Raising Concerns Policy (GP51). This will be facilitated through the Audit Committee’s review of the minutes from the Quality & Safety Committee where quarterly assurance reports are presented.

43. The Audit Committee will receive a quarterly report presenting the quarterly benchmarking data on the Freedom To Speak Up activity across all NHS Trusts and the annual report on Raising Concerns.

Relationship with and reporting to the Board

44. The minutes of the Audit Committee will be formally recorded by the Director of Corporate Affairs and submitted to the Board. The Chair of the Committee will draw to the attention of the Board any issues that require disclosure to the full Board, or require Executive action.

45. The minutes of the meeting and action points arising shall be issued to the Committee within two weeks for comment and agreement. The minutes will be formally approved at the next available meeting of the Audit Committee.

46. The Committee will report to the Board at least annually on its work in support of the Annual Governance Statement, specifically commenting on the fitness for purpose of the Assurance Framework, the completeness and integration of risk management in the organisation, the integration of governance arrangements, the appropriateness of the evidence compiled to demonstrate fitness to register with the CQC and the robustness of the processes behind the quality accounts.

47. The Committee shall be supported by the Director of Corporate Affairs, whose duties in this respect will include:

• Agreement of agendas with Chair and attendees and collation of papers
• Arranging for minutes of the meeting to be recorded
• Keeping a record of matters arising and issues to be carried forward
• Advising the Committee on pertinent issues/areas
• Enabling the development and training of committee members.

Links with other committees

48. The Audit Committee will receive the minutes of the Quality & Safety Committee, the Finance & Performance Committee and the Education & Workforce Committee for noting.


Review

49. The Terms of Reference will be reviewed annually by the Audit Committee with recommendations made to Wirral Community NHS Foundation Trust’s Board for any amendments.

50. Thereafter, the Terms of Reference will be reviewed annually by the Board to ensure they are still appropriate.

Audit Committee Chair Approval
Name:
Date: April 2018
Signature:
Review Date: April 2019


NHS Provider Licence Self-Certification 2017-18

Meeting: Board of Directors
Date: 2 May 2018
Agenda item: 15
Lead Director: Alison Hughes, Director of Corporate Affairs
Author(s): Alison Hughes, Director of Corporate Affairs

To Approve

To Note

To Assure

Link to Principal Risks in the Board Assurance Framework - please mark against the principal risk(s) - does this paper constitute a mitigating control?

Failure of organisations across the system to delegate appropriate authority to support the integrated care system (Healthy Wirral)

Failure to engage staff to secure ownership of the Trust’s vision and strategy

Increasing fragility of the social care market

The impact of the outcome of the Urgent Care Review compromising financial stability and the future model of care

Services fail to remain compliant with the CQC fundamentals of care leading to patient safety incidents and regulatory enforcement action and a loss of public and system confidence

Inability to implement the Trust’s clinical transformation strategy and preferred model of care - Neighbourhood care

Commissioning decisions do not promote integrated working across the health and care system

Link to strategic objectives & goals - 2017-19

Please mark against the strategic goal(s) applicable to this paper

Our Patients and Community - To be an outstanding trust, providing the highest levels of safe and person-centred care

We will deliver outstanding, safe care every time

We will provide more person-centred care

We will improve services through integration and better coordination

Our People - To value and involve skilled and caring staff, liberated to innovate and improve services

We will improve staff engagement

We will advance staff wellbeing

We will enhance staff development

Our Performance - To maintain financial sustainability and support our local system

We will grow community services across Wirral, Cheshire & Merseyside

We will increase efficiency of corporate and clinical services

We will deliver against contracts and financial requirements


Failure to build the workforce skills and infrastructure to transform services to meet the demographic needs of the workforce and population

Security of public health funding and subsequent contractual decisions impacting on the range of services provided to Wirral & Cheshire East

Failure to foster, establish and manage the right partnerships that enable a response to commissioning intentions

Development of place-based care outside of Wirral, limits the Trust’s ability to expand/retain services in these areas

Failure to deliver the efficiency programme

Failure to achieve all the relevant financial statutory duties

The impact of the outcome of the Carter Review on community services benchmarking on commissioning decisions

Impact of supporting the delivery of the 3-year financial plan and future sustainability of the Wirral system

Link to the Organisational Risk Register (Datix)

None identified.

Has an Equality Impact Assessment been completed?

Yes No

Paper history Submitted to Date Brief Summary of Outcome

No previous reporting history. Annual self-certification required by NHS Improvement.


NHS Provider Licence Self-Certification 2017-18

Purpose

1. The purpose of this paper is to provide evidence of compliance against the Provider Licence to support a decision by the Board of Directors.

Background

2. NHS Improvement (NHSI) oversees an NHS Foundation Trust’s compliance with its licence conditions.

3. NHS Providers are required to self-certify the following after the financial year-end:

Condition G6(3) The provider has taken all precautions necessary to comply with the licence, NHS Acts and NHS constitution

Condition CoS7(3) If providing commissioner requested services, the provider has a reasonable expectation that required resources will be available to deliver the designated services

Condition FT4(8) The provider has complied with required governance arrangements (this includes the training of governors)

4. The process for 2017-18 has changed with NHS Improvement no longer requiring Trusts to return completed provider licence self-certifications. Instead from July 2018 NHS Improvement will contact a select number of NHS Trusts and Foundation Trusts to ask for evidence that they have self-certified.

5. There is no set process for assurance on how conditions are met; Boards need to understand the reported position and sign off on compliance.

6. NHSI has provided templates to assist with the return but they do not need to be returned or submitted.

7. Condition CoS7(3) is not applicable to the Trust as the Trust is not a designated CRS provider; this has been confirmed with the CCG.

Self-certification returns deadlines

8. Condition G6(3) - Systems for compliance with licence

• Deadline for Board sign off 31 May 2018
• The G6 self-certification must be published (on the Trust’s website) within one month following Board sign off

9. Condition FT4 - Corporate Governance Statement and Training of governors

• Deadline for Board sign off 30 June 2018

Proposed position

10. The Director of Corporate Affairs has reviewed the statements and considered the evidence against each and is recommending that the Board of Directors self-certifies ‘Confirmed’ for all elements.

11. The evidence to support the proposed position is outlined in appendix 1 for further Board discussion.


Board action

12. The Board of Directors is asked to:

• Consider the responses and evidence aligned to each element of the provider licence conditions in appendix 1, which the Board is required to self-certify against, and confirm/approve the proposed response

• Note that the templates issued by NHSI will be completed confirming the self-certification position and provided to the Board at its next meeting on 4 July 2018

• Note that the agreed return in relation to G6 will be published no later than 29 June 2018

Alison Hughes Director of Corporate Affairs

23 April 2017


Appendix 1

G6 (3) - Systems for compliance with licence (deadline for board sign off - 31 May 2018)

The board are required to respond ‘Confirmed’ or ‘Not confirmed’ to the following statement. Explanatory information should be provided where required.

Statement

Response (& supporting information/evidence for board assurance)

Risks/Mitigations

1 Following a review for the purpose of paragraph 2(b) of licence condition G6, the Directors of the Licensee are satisfied that, in the Financial Year most recently ended, the Licensee took all such precautions as were necessary in order to comply with the conditions of the licence, any requirements imposed on it under the NHS Acts and have had regard to the NHS Constitution.

CONFIRMED At the meeting of the Audit Committee on 18 April 2018 the Trust’s internal auditors Mersey Internal Audit Agency (MIAA) presented their Head of Internal Audit Opinion providing overall Substantial Assurance confirming that “there is a good system of internal control designed to meet the organisation’s objectives, and that controls are generally being applied consistently”. This is a key piece of evidence to support compliance with this condition of the provider licence. Further evidence to support this condition includes the refreshed Risk Management Strategy, approved by the Board in March 2018, the Risk Reports presented to each committee of the Board, the Board Assurance Framework supported by the Annual Assurance Framework Opinion from MIAA, the Quality & Patient Experience Report received by the Quality & Safety Committee and the Integrated Performance Reporting arrangements to the Board of Directors.


FT4 Declaration - Corporate Governance Statement & Training of Governors (deadline for board sign off - 30 June 2018)

The Board are required to respond ‘Confirmed’ or ‘Not confirmed’ to the following statements, setting out any risks and mitigating actions planned for each one.

Statement

Response (& supporting information/evidence for board assurance)

Risks/Mitigations

1 The Board is satisfied that the Licensee applies those principles, systems and standards of good corporate governance which reasonably would be regarded as appropriate for a supplier of health care services to the NHS.

CONFIRMED The Annual Governance Statement 2017-18 (to be approved by the Audit Committee on 23 May 2017) outlines the main arrangements in place to ensure the trust applies the principles, systems and standards of good corporate governance expected of it as a provider of health and social care services. There is an internal audit programme in place, under the direction of the Audit Committee to ensure systems and processes are appropriately tested. The external auditors were appointed by the Council of Governors in 2017-18 and deliver a robust annual audit plan reporting to the Audit Committee.

No risks identified

2 The Board has regard to such guidance on good corporate governance as may be issued by NHS Improvement from time to time

CONFIRMED The Board retains oversight of new guidance issued by regulatory bodies including NHSI and CQC.

No risks identified.

3 The Board is satisfied that the Licensee implements:

(a) Effective board and committee structures

(b) Clear responsibilities for its Board, for committees reporting to the Board and for staff reporting to the Board and those committees; and

(c) Clear reporting lines and accountabilities throughout its organisation.

CONFIRMED

a) The Board has a well-established governance structure that provides for effective review, scrutiny and decision making on the priority areas of the Board’s business and in accordance with the delegated authority of each committee and those matters reserved to the Board.

b) All Board committees are supported by terms of reference which are reviewed annually or more regularly if required.

c) The accountability arrangements between Board and Committees are clearly set out in the Annual Governance Statement 2017-8 which will be received by the Audit Committee in May 2018 and included in the Foundation Trust Annual Report.

No risks identified.

4 The Board is satisfied that the Licensee effectively implements systems and/or processes:

(a) To ensure compliance with the Licensee’s duty to operate efficiently, economically and effectively;

(b) For timely and effective scrutiny and oversight by the Board of the Licensee’s operations;

(c) To ensure compliance with health care standards binding on the Licensee including but not restricted to standards specified by the Secretary of State, the Care Quality Commission, the NHS Commissioning Board and statutory regulators of health care professions;

(d) For effective financial decision-making, management and control (including but not restricted to appropriate systems and/or processes to ensure the Licensee’s ability to continue as a going concern);

(e) To obtain and disseminate accurate, comprehensive, timely and up to date information for Board and Committee decision-making;

(f) To identify and manage (including but not restricted to manage through forward plans) material risks to compliance with the Conditions of its Licence

(g) To generate and monitor NHS Improvement delivery of business plans (including any changes to such plans) and to receive internal and where appropriate external assurance on such plans and their delivery; and

(h) To ensure compliance with all applicable legal requirements.

CONFIRMED

a) The Board’s infrastructure including the committees of the Board together with various operational groups, ensures that the Board of Directors is assured that the organisation’s decisions and business are monitored effectively and efficiently. There are clear escalation routes up to the Board of Directors.

b) The relevant committees scrutinise key areas of performance including quality, workforce, finance and contractual. The committees review such matters at each meeting and subsequently provide assurance to the Board of Directors through a regular committee report highlighting any key recommendations or key risks identified. The Trust has launched a performance dashboard during 2017-18 which supports more granular and timely review of performance across the organisation.

c) The Quality & Safety Committee reviews in detail (on a monthly basis) the patient experience and quality report, including a trust-wide patient safety dashboard. The committee receives quarterly assurance reports on compliance with the CQC fundamental standards. An approved Quality Improvement and Audit Programme is in place, overseen by the Audit Committee. The Trust’s Quality Report 2017-18 highlights the quality improvements made during the period and outlines the priorities for 2018-19. The Trust has launched an Outstanding Care Accreditation within clinical divisions which sets the benchmark for exceptional care, is based on the CQC’s fundamental standards of care and framed around the 5 domains of Safe, Effective, Caring, Responsive and Well-Led.

d) The Trust reviewed its Standing Financial Instructions (SFIs) and Scheme of Reservation and Delegation of Powers (SoRD) in 2017-18 as part of a detailed review of the Corporate Governance Manual; this determines the agreed framework for financial decision making, management and control. Systems of internal control are in place and are subject to regular audit on an annual basis through the trust’s internal audit programme and by external auditors. The Finance & Performance Committee and Audit Committee are the principal committees that maintain oversight. There are robust systems and processes in place to monitor and oversee all CIP schemes. The trust has a good track record of effective financial management and of achieving all statutory financial duties.

e) The Board and committee meeting dates are scheduled so that the most up-to-date information is provided to meetings for scrutiny and assurance. The Standing Orders for the Practice and Procedure of the Board of Directors (Para 3.1) also provide for the Chairman to call a meeting of the Board at any time.

f) The trust has an approved Risk Strategy in place. The Board Assurance Framework and Risk Register provide the framework through which risks are considered, reviewed and managed. These are managed through the committee structure with each committee of the board receiving monthly Risk Reports highlighting risks relevant to the committee’s area of responsibility. The trust’s risk management arrangements and Board Assurance Framework are subject to an internal audit on an annual basis.

g) The Trust has an annual planning process that ensures future business plans are developed and supported by appropriate engagement and approvals.

h) The governance, risk and control processes in place ensure that the trust remains compliant with all the legal requirements.

No risks identified.

5 The Board is satisfied that the systems and/or processes referred to in paragraph 4 (above) should include but not be restricted to systems and/or processes to ensure:

(a) That there is sufficient capability at Board level to provide effective organisational leadership on the quality of care provided;

(b) That the Board’s planning and decision-making processes take timely and appropriate account of quality of care considerations;

(c) The collection of accurate, comprehensive, timely and up to date information on quality of care;

(d) That the Board receives and takes into account accurate, comprehensive, timely and up to date information on quality of care;

(e) That the Licensee, including its Board, actively engages on quality of care with patients, staff and other relevant stakeholders and takes into account as appropriate views and information from these sources; and

(f) That there is clear accountability for quality of care throughout the Licensee including but not restricted to systems and/or processes for escalating and resolving quality issues including escalating them to the Board where appropriate.

CONFIRMED

a) There are effective appraisal processes in place to support the Board members individually and collectively. The Board of Directors receive a quarterly report providing an overview of board composition. There were changes to Executive portfolios during 2017-18 and a new Chairman and new Non-Executive Director recruited; all of this is described in the Annual Report.

b) There are robust QIA and EIA processes in place to support decision making processes for any service development or changes and any impact on the quality of care is carefully considered.

c) The Quality & Safety Committee meets monthly and considers a detailed patient experience and quality report. The committee chair reports any key decisions and recommendations to the next meeting of the board.

d) As above - the board receives a report from the QSC. The board also receives the Quality Strategy annually.

e) Members of the board are actively engaged in quality initiatives, specifically Leadership Walkrounds and there is an active Freedom to Speak Up group with over 40 champions identified from across the organisation. One of the NEDs has been appointed the ‘Freedom to Speak up Guardian’ for the Trust.

f) As above - ‘Freedom To Speak Up Guardian’. The Performance Management Framework and the groups meeting at sub-committee level have clear escalation routes to ensure quality issues are raised appropriately and dealt with accordingly.

No risks identified.

6 The Board is satisfied that there are systems to ensure that the Licensee has in place personnel on the Board, reporting to the Board and within the rest of the organisation who are sufficient in number and appropriately qualified to ensure compliance with the conditions of its NHS provider licence.

CONFIRMED The Board considers its capacity and composition on a quarterly basis. The Executive Leadership Team has been established supported by the Senior Leadership Team and these two groups come together on a monthly basis. The annual appraisal process supports effective succession planning through talent conversations and a number of senior managers are engaged in national programmes to support their development to Director level, as appropriate. The Council of Governors fulfil their duty to appoint the Non-Executive Directors of the Board and led the process to recruit a new Chairman and Non-Executive Director for the organisation in 2017-18.

No risks identified.


Cyber Security Awareness

Meeting: Board of Directors

Date: 2 May 2018

Agenda item: 16

Lead Director: Mark Greatrex, Chief Finance Officer/ Deputy Chief Executive

Author(s): Ian Hogan, Deputy Director of IM&T

To Approve

To Note

To Assure

Link to Principal Risks in the Board Assurance Framework - please mark against the principal risk(s) - does this paper constitute a mitigating control?

Failure of organisations across the system to delegate appropriate authority to support the integrated care system (Healthy Wirral)

Failure to engage staff to secure ownership of the Trust’s vision and strategy

Increasing fragility of the social care market

The impact of the outcome of the Urgent Care Review compromising financial stability and the future model of care

Services fail to remain compliant with the CQC fundamentals of care leading to patient safety incidents and regulatory enforcement action and a loss of public and system confidence

Inability to implement the Trust’s clinical transformation strategy and preferred model of care - Neighbourhood care

Commissioning decisions do not promote integrated working across the health and care system

Link to strategic objectives & goals - 2017-19

Please mark against the strategic goal(s) applicable to this paper

Our Patients and Community - To be an outstanding trust, providing the highest levels of safe and person-centred care

We will deliver outstanding, safe care every time

We will provide more person-centred care

We will improve services through integration and better coordination

Our People - To value and involve skilled and caring staff, liberated to innovate and improve services

We will improve staff engagement

We will advance staff wellbeing

We will enhance staff development

Our Performance - To maintain financial sustainability and support our local system

We will grow community services across Wirral, Cheshire & Merseyside

We will increase efficiency of corporate and clinical services

We will deliver against contracts and financial requirements


Failure to build the workforce skills and infrastructure to transform services to meet the demographic needs of the workforce and population

Security of public health funding and subsequent contractual decisions impacting on the range of services provided to Wirral & Cheshire East

Failure to foster, establish and manage the right partnerships that enable a response to commissioning intentions

Development of place-based care outside of Wirral, limits the Trust’s ability to expand/retain services in these areas

Failure to deliver the efficiency programme

Failure to achieve all the relevant financial statutory duties

The impact of the outcome of the Carter Review on community services benchmarking on commissioning decisions

Impact of supporting the delivery of the 3-year financial plan and future sustainability of the Wirral system

Link to the Organisational Risk Register (Datix)

Has an Equality Impact Assessment been completed?

Yes No

Paper history Submitted to Date Brief Summary of Outcome

No history


Cyber Security Awareness

Purpose

1. The purpose of this paper is to provide an update on cyber security.

Executive Summary

2. There is an increase in the potential for a cyber-attack, with the WannaCry ransomware cyber-attack in May 2017 acting as a warning to the NHS.

3. NHS England has taken this opportunity to contact all NHS Trusts to remind organisations of the key recommendations for NHS providers set out after the WannaCry event.

4. This paper provides a trust position statement against each of the recommendations.

5. Also included is a position statement in response to NHS Improvement’s 2017/18 Data Security and Protection Requirements for NHS Providers, which requires a Board approved return for submission by 11 May 2018.

Cyber security awareness notification

6. The trust recently received a cyber security awareness notification from NHS England. The notice was raised on the back of national media reporting an increase in the potential for targeted cyber-attacks from hostile sources.

7. The cyber security awareness notification included seven key recommendations; the table below lists the recommendations and the trust’s current position against each:

Key Recommendations Trust Position

Leadership - All NHS organisations should ensure that every board has an executive director as data security lead, and cyber security risks should be regularly reviewed by the board.

Chief Finance Officer is the trust’s SIRO

Capability - Boards should assure themselves that they have sufficient quality and capable IT technical resources to manage and support their local IT infrastructure, systems and services

IT department currently consists of 3 service desk staff, 4 senior IT technicians, 1 senior infrastructure technician, 2 Infrastructure and 2 Network technicians, 3 clinical system staff, 1 IT services manager and a deputy director of IM&T. An external review of the department capability and capacity will be undertaken by the end of Q2 2018/19 subject to MIAA availability.

Training - In addition to mandatory and statutory training, organisations should ensure that their staff receive regular and targeted cyber and information security awareness training appropriate to their job role. Further, boards for NHS organisations should undertake annual cyber awareness training.

Currently only mandated IG training is undertaken but this programme has recently been updated with a greater focus on cyber security and will replace the existing IG training programme on ESR. Wider communication is provided through staff bulletins. The IG group has discussed a regular focused communications plan for cyber and information security. Communications plan to be created May 2018.

Intelligence - NHS providers should ensure the relevant parties in their organisation receive CareCERT Threat Intelligence alerts and review the Information Sharing Portal for information on emerging threats. Where they exist, NHS providers can join and collaborate with local Warning Advice and Reporting Point groups to share trusted up-to-date advice on information security, cyber threats, incidents and solutions

The trust SIRO, Deputy Director of IM&T and 2 members of the IT infrastructure team receive CareCERT Alerts. All high priority notices are applied as a priority. 3 members of the IM&T department now have access to the CareCERT portal to update when high priority alerts have been actioned.

Improvement - All NHS organisations are to develop local action plans to achieve compliance with the Cyber Essentials Plus standard by June 2021.

The trust is currently engaged with MIAA regarding cyber security maturity assessments. These are acting as a precursor to planning for Cyber Essentials Plus and the trust plans to be compliant to the standard within 2020. The trust is an active member of the Cheshire and Merseyside Cyber Security group, a key aspect of the Cheshire and Merseyside digital programme.

Contract Management - Health and social care organisations should ensure that local contracts, processes and controls are in place to manage and monitor third party contracts for local IT systems, and that the provisions for software updates and business continuity are understood

This piece of work has just started and is also associated with our MIAA GDPR readiness action plan and will be reported to the trust’s IM&T Programme Board, IG Group and Q&S Committee.

Response - Local organisations’ business continuity and disaster recovery plans should include the necessary detail around response to cyber incidents, and must include a clear assessment of the impact of the loss of services on other parts of the health and social care system

This is managed through the EPRR group and certain aspects of disaster recovery are currently under review. This is also being incorporated into the trust information asset register as part of the IG Toolkit.

8. Further to the seven recommendations listed above, the awareness notice also included a further appendix with more specific information for consideration and review.

9. The appendix highlighted technical guidance that has been formulated by the Department of Health and Social Care, NHS Digital, NHS England and NHS Improvement to help our network, ICT and security teams to be more cyber resilient in a heightened threat landscape.

Technical advice and resources to help protect your data

10. A range of threat actors (those seeking to breach an organisation’s security) may seek to gain unauthorised access to your information held on both official and personal IT systems. Building simple security practices into your work will help to mitigate these threats and avoid unintended disclosure. The following table shows the 10 steps to cyber security and the trust’s position against each.

Cyber Security Step Trust Position

Risk Management Regime - Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. Clearly communicate your approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

The trust has a robust Risk management framework. All risks are reported on Datix. All IT risks are reviewed at IM&T programme board. Process in place regarding escalation of risks to appropriate board committees for review.

Secure configuration - Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.

MIAA cyber security maturity review and associated action plan covers secure configuration – standard builds in use and relevant quarterly reviews planned. Patch Wednesdays were introduced following WannaCry and severe threat alerts from CareCERT are actioned immediately.

Network security - The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding (or causing harm to your organisation). Your organisation's networks almost certainly span many sites and the use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, think about where your data is stored and processed, and where an attacker would have the opportunity to interfere with it.

MIAA cyber security maturity review and associated action plan covers Network Security - Appropriate firewalls and boundary devices in place. Penetration testing is planned as part of MIAA cyber security maturity review action plan.

Managing user privileges - If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that user’s account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.

MIAA cyber security maturity review and associated action plan covers managing user privileges - access to systems is role driven, all clinical systems have role based access. Administrative privileges are under review as part of active directory migration.

User education and awareness - Users have a critical role to play in their organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

All staff are required to undertake mandatory IG training which has been updated to reflect more cyber security awareness. Quarterly communications planned through staff bulletin to reinforce user education and awareness.

Incident management - All organisations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. You should identify recognised sources (internal or external) of specialist incident management expertise.

IT related incidents are regularly reported through Datix. All IT incidents are reviewed by Deputy Director of IM&T and IT Services Manager.

Malware prevention - Malicious software or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall 'defence in depth' approach.

The trust anti-virus and malware protection system is automatically updated with the latest security signatures as soon as they are available. These updates are then installed across all devices. Local PC and laptop clients regularly check for any new updates to be downloaded.

Monitoring - System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.

MIAA cyber security maturity review and associated action plan covers Monitoring – firewalls, internet proxies and border devices are installed and monitoring all activity.

Removable media controls - Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

The trust’s current policy allows read only access to non-trust devices; the trust’s anti-virus solution scans any file before it is opened and suspect files are quarantined, logged and prevented from opening and running any known malicious programmes. Anti-virus software is automatically updated to ensure the latest protection is available. This access will be discussed at the May IG group.

Home and mobile working - Mobile working and remote system access offers great benefits, but exposes new risks that need to be managed. You should establish risk based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers. Train users on the secure use of their mobile devices in the environments they are likely to be working in.

Controls are in place to enable home and mobile working and all necessary encryption processes are in place. All laptops are encrypted and access to the trust network is secured via encrypted 2 factor VPN authentication. All mobile staff receive training and information regarding using the devices in a mobile environment.

NHS Improvement Data and Cyber Security Return

11. The trust has also recently received notification regarding a data and cyber security return required by NHS Improvement, which is targeted at all NHS providers.

12. To improve data security and protection for health and care organisations, the Department of Health and Social Care, NHS England and NHS Improvement published a set of 10 data and cyber security standards called the 2017/18 data security protection requirements (DSPR) that all providers of health and care must comply with.

13. The trust has to confirm whether we have fully, partially or not implemented the 10 standards by Friday 11 May 2018. The table below outlines the 10 standards and the trust’s current position.

Standard Trust response

Senior Level Responsibility: There must be a named senior executive to be responsible for data and cyber security in your organisation. Ideally this person will also be your Senior Information Risk Owner (SIRO), and where applicable a member of your organisation’s board.

Fully implemented - The organisation has a named senior executive who reports to the board who is responsible for data and cyber security and this person is also the SIRO

Completing the Information Governance Toolkit v14.1: In 2017/18, organisations are still required to achieve at least level two on the current IG Toolkit before it is replaced with a new approach (the new DSP Toolkit), from 2018/19 onwards, to measuring progress against the ten data security standards.

Fully implemented - The organisation has completed the IG toolkit, submitted its results to NHS Digital and obtained either level 2 or 3 across all domains

Prepare for the introduction of the General Data Protection Regulation (GDPR) in May 2018: The Beta version of the Data Security and Protection Toolkit, to go live in February 2018, will help organisations understand what actions they will need to take to implement GDPR, which comes into effect in May 2018

Fully Implemented – the Trust has had an external assessment of its GDPR readiness and the Board has been briefed separately on the requirements of GDPR. The organisation has an approved plan in place to detail how it will achieve compliance with the GDPR.

Training Staff: All staff must complete appropriate annual data security and protection training. This training replaces the previous IG training whilst retaining key elements of it: https://www.e-lfh.org.uk/programmes/data-security-awareness/

Fully implemented - At least 95% of staff have completed either the previous IG training or the new training in the last twelve months.

Acting on CareCERT advisories: Organisations must:
• Act on CareCERT advisories where relevant to your organisation;
• Confirm within 48 hours that plans are in place to act on High Severity CareCERT advisories, and evidence this through CareCERT Collect; and
• Identify a primary point of contact for your organisation to receive and co-ordinate your organisation’s response to CareCERT advisories, and provide this information through CareCERT Collect.

Fully implemented - The organisation has registered for CareCERT Collect

Fully implemented - The organisation has clear processes in place that allow it to confirm within 48 hours of a High Severity CareCERT advisory being issued that a plan is in place.

Yes - The organisation has plans in place for all CareCERT advisories up to 31/3/2018 that are applicable to the organization (Note: the plan could be that the board accepts the residual risk)

Fully implemented - The organisation has in post a primary point of contact who is responsible for receiving and co-ordinating CareCERT advisories

Continuity planning: A comprehensive business continuity plan must be in place to respond to data and cyber security incidents. Has the business continuity plan been tested in 2017/18?

Partially implemented - The organisation is developing a business continuity plan(s) for data and cyber security incidents. The plan(s) will take into account the potential impact of any loss of services on external organisations in the health and care system.

No - The business continuity plan for data and cyber security incidents has not been tested in 2017/18

Reporting incidents: Staff across the organisation report data security incidents and near misses, and incidents are reported to CareCERT in line with reporting guidelines

Fully implemented - The organisation has a process or working procedure in place for staff to report data security incidents and near misses

Unsupported systems: Your organisation must:
• Identify unsupported systems (including software, hardware and applications); and
• Have a plan in place by April 2018 to remove, replace or actively mitigate or manage the risks associated with unsupported systems.

Fully implemented - The organisation has reviewed all its systems and any unsupported systems have been identified and logged on the organisation’s relevant risk register

Fully implemented - By May 2018 the organisation will have developed a plan to remove, replace or actively mitigate or manage the risks associated with unsupported systems

On-Site Assessments: Your organisation must:
• Undertake an on-site cyber and data security assessment if you are invited to do so by NHS Digital; and
• Act on the outcome of that assessment, including any recommendations, and share the outcome of the assessment with your commissioner.

Not implemented - Prior to 30 March 2018 the organisation has not signed up to an NHS Digital on-site cyber and data security assessment.

Not implemented - The organisation does not yet have an improvement plan in place on the basis of the findings of the assessment, and has not yet shared the outcome with the relevant commissioner(s)

Yes - The organisation has used an external vendor to audit the organisation’s data and cyber security risks (MIAA)

Checking Supplier Certification: Your organisation should ensure that any supplier of IT systems (including other health and care organisations) and the system(s) provided have the appropriate certification. A list of certification frameworks is provided below.

Not implemented - The organisation has not yet checked whether its suppliers of IT systems have appropriate certification.

Conclusion

14. This paper summarises the trust's position in response to the cyber security awareness notification and the key recommendations contained within.

15. The paper includes the trust's response to the NHS Improvement Data and Cyber Security Return.

Board action

16. The Board of Directors is asked to note the recommendations and be assured of the continued progress to implement all necessary cyber security processes as directed by NHS England and NHS Digital.

17. The Board of Directors is asked to approve the response to the NHS Improvement Data and Cyber Security Return to enable submission by 11 May 2018.

Ian Hogan
Deputy Director of Information Management & Technology
27 April 2018