

Please note any items relating to Committee business are embargoed and should not be made public until after the meeting

Tayside NHS Board

A meeting of Tayside NHS Board Audit and Risk Committee will be held at 9:30am on Tuesday 22 June 2021 via Microsoft Teams

Apologies/enquiries to: Lisa Green, Committee Support Officer, on telephone DD 01382 660111 or extension 36680 or email [email protected]

AGENDA

1. WELCOME AND APOLOGIES (Lead: R Erskine)
At the start of the meeting ask if anything requires consideration by the meeting. The Chair to agree where this will be discussed

2. DECLARATION OF INTERESTS (Lead: R Erskine)

3. MINUTES AND CHAIR’S ASSURANCE REPORT
3.1 Minute of the Audit and Risk Committee meeting of 20 May 2021 – for approval (Lead: R Erskine; Report: attached)
3.2 Chair’s Assurance Report to the Board following the Audit and Risk Committee of 20 May 2021 – for noting (Lead: R Erskine; Report: attached)

4. ACTION POINTS UPDATE AND MATTERS ARISING
4.1 Action Points Update – for discussion (Lead: L Lyall; Report: attached)
4.2 Matters Arising (Lead: R Erskine)

5. COMMITTEE ASSURANCE AND WORKPLAN 2021/22
5.1 Committee Assurance and Workplan 2021/22 (Lead: L Lyall; Report: attached)
5.2 Record of Attendance (Lead: R Erskine; Report: attached)

6. ITEMS FOR DECISION
6.1 Strategic Risk Management Group Annual Report 2020/21 and Terms of Reference 2021/22 (Lead: S Lyall/H Walker; Report: AUDIT29/2021)

7. REPORTS FOR ASSURANCE
Any new items i.e. not included in the Committee’s Assurance Plan should be added

Risk Management
7.1 NHS Tayside Strategic Risk Profile (Lead: S Lyall/H Walker; Report: AUDIT30/2021)
7.2 Strategic Risk Management Group Minute - 8 April 2021 (unapproved) (Lead: S Lyall/H Walker; Report: attached)

Internal Controls and Corporate Governance
7.3 Internal Audit Progress and Audit Follow Up Report (Lead: B Hudson; Report: AUDIT31/2021)
7.4 Governance Review Group Action Note – 12 May 2021 (unapproved) (Lead: M Dunning; Report: attached)

Information Governance and Cyber Assurance
7.5 Information Governance and Cyber Assurance Committee Minute – 6 May 2021 (unapproved) (Lead: M Dunning; Report: attached)

Annual Accounts for Exchequer Funds
7.6 Audit Scotland Interim Audit Report (Lead: B Crosbie; Report: AUDIT32/2021)

Statutory Audit Materials
7.7 External Tracker – Recommendations Tracker (Lead: L Lyall; Report: AUDIT33/2021)

8. DATE OF NEXT MEETING
The next meeting of the Audit and Risk Committee is at 9:30am on 17 August 2021 – Annual Accounts

9. MEETING REFLECTIONS AND CONSIDERATION OF MATTERS FOR CHAIR’S ASSURANCE REPORT (Lead: R Erskine)

RESERVED BUSINESS OF THE COMMITTEE IN ACCORDANCE WITH THE GUIDE TO THE EXEMPTION UNDER THE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002

10. MINUTES AND CHAIR’S ASSURANCE REPORT
10.1 Reserved Minute of the Audit and Risk Committee meeting of 20 May 2021 – for approval (Lead: R Erskine; Report: attached)

11. ACTION POINTS UPDATE AND MATTERS ARISING
11.1 Action Points Update – there are no actions
11.2 Matters Arising
Lead: R Erskine

12. REPORTS FOR DECISION
Annual Reports and Accounts
12.1 Significant Issues that are Considered to be of Wider Interest Report (Lead: S Lyall; Report: AUDIT34/2021)

13. ITEMS FOR DISCUSSION/AWARENESS
13.1 Draft Governance Statement (Lead: S Lyall; Report: AUDIT35/2021)

14. PRIVATE DISCUSSION

Ronnie Erskine
Audit and Risk Committee
22 June 2021

Level of Assurance (System Adequacy; Controls)

Comprehensive Assurance
System Adequacy: Robust framework of key controls ensures objectives are likely to be achieved.
Controls: Controls are applied continuously or with only minor lapses.

Moderate Assurance
System Adequacy: Adequate framework of key controls with minor weaknesses present.
Controls: Controls are applied frequently but with evidence of non-compliance.

Limited Assurance
System Adequacy: Satisfactory framework of key controls but with significant weaknesses evident which are likely to undermine the achievement of objectives.
Controls: Controls are applied but with some significant lapses.

No Assurance
System Adequacy: High risk of objectives not being achieved due to the absence of key internal controls.
Controls: Significant breakdown in the application of controls.

DISTRIBUTION MEMBERS

REGULAR ATTENDEES

FOR INFORMATION

R Erskine (Chair) B Crosbie G Archibald E J Wells (Vice Chair) M Dunning L Birse-Stewart P Davidson T Gaskin D Tosh B Hamilton B Hudson Communications Team P Kilpatrick J Lyall N Pratt L Lyall S Lyall AM Machan R MacKinnon R Marshall F Mitchell-Knight H Walker

Minute NHS Tayside

TAYSIDE NHS BOARD AUDIT AND RISK COMMITTEE - OPEN BUSINESS

Minute of the meeting of Tayside NHS Board Audit and Risk Committee held at 10:00 a.m. on Thursday 20 May 2021 via Microsoft Teams

Present:
Mr Peter Davidson, Non Executive Member, Tayside NHS Board
Mr Ronnie Erskine, Non Executive Member, Tayside NHS Board (Chair)
Ms Beth Hamilton, Non Executive Member, Tayside NHS Board
Mrs Pat Kilpatrick, Non Executive Member, Tayside NHS Board
Dr Norman Pratt, Non Executive Member & Chair of Area Clinical Forum, Tayside NHS Board
Mrs Emma Jane Wells, Non Executive Member, Tayside NHS Board (Vice Chair)

Chief Executives and Senior Officers
Mr Stuart Lyall, Director of Finance, NHS Tayside
Mr Robert MacKinnon, Associate Director of Finance - Financial Services /FLO, NHS Tayside

Internal Audit – FTF Audit and Management Services
Mr Tony Gaskin, Chief Internal Auditor, FTF Audit and Management Services
Mrs Jocelyn Lyall, Regional Audit Manager, FTF Audit and Management Services

External Audit
Mr Bruce Crosbie, Senior Audit Manager, Audit Scotland
Ms Anne Marie Machan, Audit Manager, Audit Scotland

Other Attendees
Mrs Alison Dailly, Head of Information Governance and Cyber Assurance, NHS Tayside (for item 7.8 to 7.10)
Ms Margaret Dunning, Board Secretary, NHS Tayside
Mr Ally Gentles, Head of Operations – Digital Directorate, NHS Tayside (for items 7.8 to 7.10)
Mrs Lisa Green, Committee Support Officer, NHS Tayside
Mrs Karen Kidd, Senior Finance Manager, NHS Tayside
Mrs Louise Lyall, Head of Finance – Capital and Resources (Lead Officer)
Mrs Jane Robbins, General Manager, Primary Care Services, NHS Tayside (for item 7.5)
Mrs Hilary Walker, Head of Risk and Resilience, NHS Tayside

Apologies
Mr Barry Hudson, Regional Audit Manager, FTF Audit and Management Services
Mr Raymond Marshall, Representative of Area Partnership Forum

Ronnie Erskine in the Chair

1. WELCOME AND APOLOGIES

ACTION

Mr Ronnie Erskine welcomed all to the meeting, in particular the new Committee Members. It was noted that Ms Beth Hamilton and Mr Peter Davidson were new to the Committee and the organisation and that Mrs Emma Jane Wells and Dr Norman Pratt had joined the Committee following a review of Committee Membership. Mr Erskine noted that there was a full Agenda for the meeting and asked for brief introductions from those presenting reports, highlighting salient points only.

ITEM NUMBER 3.1

There was a round of introductions for the benefit of those new to the Committee.

2. DECLARATION OF INTERESTS

There were no declarations of interests.

3. MINUTES AND CHAIR’S ASSURANCE REPORT

3.1 Minute of Audit and Risk Committee meeting of 21 January 2021

The Audit and Risk Committee Minute of 21 January 2021 was approved on the motion of Mr Ronnie Erskine and seconded by Mrs Pat Kilpatrick.

3.2 Chair’s Assurance Report to the Board following the Audit and Risk Committee of 21 January 2021

Mr Ronnie Erskine advised that the Chair’s Assurance Report highlighted the key points raised at the meeting held on 21 January 2021 for reporting to Tayside NHS Board. The Committee noted the content of the Chair’s Assurance Report of 21 January 2021.

3.2 Chair’s Assurance Report to the Board following remote consideration of the reports for the Audit and Risk Committee of 18 March 2021

Mr Ronnie Erskine advised that Members had received reports electronically for remote consideration and that key points were recorded in the Chair’s Assurance Report for reporting to Tayside NHS Board. The Committee noted the content of the Chair’s Assurance Report of 18 March 2021.

4. ACTION POINTS UPDATE AND MATTERS ARISING

Mrs Louise Lyall advised that all actions from the 21 January 2021 meeting had been completed.

The Committee
• Noted the Action Points Update

4.2 MATTERS ARISING

There were no matters arising.

5. COMMITTEE ASSURANCE AND WORKPLAN 2020/21 AND 2021/22

5.1 Committee Assurance and Workplan 2020/21

Mrs Louise Lyall presented the Committee Assurance and Workplan for 2020/21. It was noted that the audit year ran from May to June and that this was the final Committee Assurance and Workplan for 2020/21, which detailed all items considered by the Committee for the year.

The Committee
• Noted the Committee Assurance and Workplan 2020/21

5.2 Committee Assurance and Workplan 2021/22

Mrs Louise Lyall presented the Committee Assurance and Workplan for 2021/22 which had been agreed as part of the Audit and Risk Committee Terms of Reference, approved by the Committee in March 2021. It was noted that the Committee Assurance and Workplan was an evolving document and would be updated following each meeting throughout the year. Mrs Lyall advised that updates to the NHS Tayside Code of Corporate Governance were an Agenda item for this meeting. It was noted that the Audit and Risk Committee Terms of Reference, Committee Assurance and Workplan would be updated accordingly following approval of these updates by Tayside NHS Board.

The Committee
• Noted the Committee Assurance and Workplan 2021/22
• Noted the Audit and Risk Committee Terms of Reference, Committee Assurance and Workplan 2021/22 would be updated to reflect updates to the NHS Tayside Code of Corporate Governance

5.3 Record of Attendance

The Audit and Risk Committee Record of Attendance for 2020/21 was presented to the Committee for noting.

The Committee
• Noted the Audit and Risk Committee Record of Attendance

6. ITEMS FOR DECISION

6.1 Internal Control Evaluation (AUDIT09/2021)

Mr Tony Gaskin presented the report and highlighted that the Committee received a detailed presentation at its January 2021 Committee meeting. It was noted that the Internal Control Evaluation (ICE) was undertaken each year by Internal Audit to provide assurance on the overall systems of internal control that support the achievement of the Board’s objectives. Mr Gaskin advised that the ICE report reflected the work undertaken, ongoing improvements being made, challenges faced due to the pandemic and how the organisation has faced these challenges.

Mr Gaskin advised that, unsurprisingly, Covid-19 had presented many challenges for the organisation; however, in spite of these challenges, improvements in governance had been seen. There had been a vast amount of work undertaken in relation to remobilisation and reconfiguration and recognition from the Board that all strategies required to be updated to reflect and build on this good work and the new environment. Mr Gaskin noted that the visibility of the strategy process had understandably paused due to the latest resurgence of Covid, but highlighted the importance of informing and engaging with Board Members in this process. The ICE Report also highlighted the need for Covid-19 risks to be incorporated into the risk register and noted that some aspects of Staff Governance risk and assurance reporting were still in development, with Internal Audit liaising with Staff Governance Committee colleagues to assist in this process.

Mr Gaskin concluded by noting that, due to the timing of the report being issued, not all aspects of the recommendations had been fully addressed within the management responses and that, working with management, Internal Audit would further explore these areas as part of the internal audit annual report work and within the 2021/22 internal audit plan.

Mr Stuart Lyall thanked Mr Gaskin and the Internal Audit Team for presenting a comprehensive report. Mr Lyall noted the management response to the recommendation set out at Action Point 1, in relation to Sustainability. He advised that the Remobilisation Plan for 2021/22 had not yet been considered by Tayside NHS Board due to the election period and the plan being embargoed until after the 6 May 2021 election. It was noted that the plan would be presented to Tayside NHS Board at its meeting on 27 May 2021. Mr Lyall advised that Scottish Government have commended the Remobilisation Plan, submitted to them on 26 February 2021.

In relation to Strategy and Transformation, and the management response to the recommendation set out in Action Point 2, Mr Lyall advised that the organisation had been adhering to guidance from Scottish Government (SG). Mr Lyall advised that SG had requested a remobilisation plan for one year only as there was a lot of uncertainty moving into future years; this was also the request for the financial plan. It was noted that following the 6 May 2021 Scottish election, a new Cabinet Secretary for Health would be appointed, who would have their own thoughts and plans for the direction of travel moving forward. Mr Lyall advised this, along with other elements, would be key in developing our strategy; however, he gave assurance there was a wide range of work being undertaken in the background. It was noted a further update would be given at the next Board meeting on 24 June 2021.

Mr Lyall spoke in relation to Risk Management and advised that a comprehensive discussion was held at the April 2021 Board meeting and that it was the intention for regular reporting to Tayside NHS Board and that further Risk Management Sessions would follow.

Mr Ronnie Erskine highlighted the importance of the Audit and Risk Committee being aware of key actions and responses and noted that overall the ICE highlighted a lot of positive areas of work that NHS Tayside had delivered considering the challenges faced over the year. Mr Erskine noted that a lot of the substantive work done as an organisation was done well.

Mrs Emma Jane Wells welcomed the report, which she noted was useful for new/rejoining members. Mrs Wells noted the reference, on page 9 of the report, to a comprehensive evaluation of service changes made and noted that the management response did not sufficiently address this point, noting this required a whole system approach. Mrs Wells queried and sought assurance in relation to how NHS Tayside could prove this had been completed sufficiently. Mr Lyall agreed that this was an extremely important point and confirmed this was a whole system response including the Integration Joint Boards, Local Authorities and partnerships. He advised that at times the management responses were focussed on the most pressing issues; however, he agreed this response should reflect a whole system approach being taken. Mr Lyall advised that Chief Officers attend Executive Leadership Team meetings, supporting Executives, and noted that there had been a step change with engagement with Chief Officers with the intention of formalising previously internal arrangements.

Mrs Pat Kilpatrick spoke in relation to performance management and gave assurance that she had been involved in positive meetings with the Performance Management Team. She noted that there was awareness of the gaps in the system, for example, there had been discussions in relation to Mental Health, and advised that better reporting to the Board was being progressed. It was the intention to develop a sensible set of performance measures for reporting to the Performance and Resources and Audit and Risk Committees and Tayside NHS Board.

Dr Norman Pratt acknowledged the support NHS Tayside had received from SG; however, he queried the risk to the organisation when financial resources were no longer available. Mr Lyall advised that only a one year plan had been developed and that this reflected the level of uncertainty moving forward. He advised that as an organisation this would continue to be monitored and every effort made to mitigate any risk which may arise.

Mr Gaskin advised that there had been discussion with Ms Hazel Scott in relation to performance management and suggested discussions were aligned. It was noted that the organisation needed a strategic plan which was deliverable and that strategic discussions would help inform performance management discussions.

Mr Erskine queried whether the expected date of completion, in relation to Action Point 2 Strategy and Transformation, could also reflect plans beyond 30 June 2021. Mr Erskine also noted the organisation’s resource constraints and highlighted that the option of utilising Internal Audit colleagues’ knowledge and experience around strategy to help inform decisions may be useful. Mr Lyall advised that the first stage update to Tayside NHS Board would inform timelines going forward; however, he noted that milestones could be incorporated and that this would be reflected as an action at the June 2021 Board meeting.

Mr Erskine noted the importance of Board discussions in relation to Strategic Risk and noted that Members looked forward to further in-depth discussions on Strategy on the Strategic Risk profile and risk appetite in September 2021.

The Committee commended the wide-ranging work undertaken in the report and positive progress in several areas seen over the last year. The Committee welcomed the actions detailed in the report including those on Strategy and Transformation, and Risk Management. The Committee agreed that a moderate level of assurance had been received.

The Committee
• Noted and agreed that the ICE report provided moderate assurance
• Noted the actions contained within the ICE report
• Agreed that the ICE report be distributed to Standing Committees for consideration, noting that some aspects may be relevant in the production of Standing Committee annual reports and assurance statements

6.2 Risk Management Annual Report and Workplan (AUDIT10/2021)

Mr Stuart Lyall advised that the Risk Management Annual Report and Workplan details the work undertaken during 2020/21, with a key focus being the Risk Management Short Life Working Group (SLWG). Mr Lyall advised, in relation to the Integration Joint Board (IJB) Policy and Strategy, that significant progress had been made in reviewing and updating the document and that the updated document had been presented to each of the Integration Joint Boards during April 2021. It was noted that next steps would see the IJB Policy and Strategy being shared with Corporate Partners.

Mr Lyall advised that Appendix A of the Risk Management Annual Report and Workplan highlighted progress against the Risk Management Workplan 2020/21. It was noted that one action, in relation to reviewing and re-introducing a system for ensuring the quality of risks, had been carried forward to 2021/22; however, Mr Lyall advised that there was no impact to the level of assurance as a result of this. It was noted that the Risk Management Workplan for 2021/22 was included at Appendix B. Mr Lyall also advised that the Strategic Risk Management Group, which was Executive led, had had the opportunity to review and comment on the Annual Report and Workplan and those comments had been incorporated into the report presented to the Committee.

Mr Erskine welcomed the report and noted there had been significant improvements made in the management of risk.

The Committee
• Reviewed the Risk Management Annual Report, in relation to Risk Management activities undertaken during the period 1 April 2020 to 31 March 2021
• Noted progress and work undertaken during the period 1 April 2020 to 31 March 2021 in accordance with the 2020/21 Risk Management Workplan
• Endorsed the Risk Management Workplan for the financial year 2021/22 which was electronically approved by the Strategic Risk Management Group

6.3 Updates to Code of Corporate Governance (AUDIT11/2021)

Ms Margaret Dunning advised that the report was self explanatory and that the Committee were asked to recommend the approval by Tayside NHS Board of the updates to the NHS Tayside Code of Corporate Governance, as detailed in the appendix to the report.

Mr Ronnie Erskine queried whether the most up to date remits of the Standing Committees were included within the appendix. Ms Dunning advised that some Committees were still in the process of reviewing their remits, for example the Public Health Committee had not yet met, therefore there may be further changes. It was noted that Standing Committee Chairs and Committee Support Officers should regularly review their remits to ensure they were up to date.

Mrs Pat Kilpatrick noted the request from Scottish Government to facilitate a Care Homes Group and queried whether this should be reflected as a change for the Care Governance Committee. Ms Dunning advised that this request had been made during the stepping down of all Standing Committees and confirmed that this additional request should now be reflected in the Care Governance Committee Terms of Reference. Mrs Kilpatrick agreed, as Vice Chair of the Care Governance Committee, to take this forward.

Mrs Louise Lyall noted the amendments to the Audit and Risk Committee remit in relation to Endowment Funds reporting arrangements and advised that the Audit and Risk Committee Terms of Reference, Committee Assurance and Workplan would be updated following approval by Tayside NHS Board at its meeting on 24 June 2021.

The Committee
• Reviewed the updates to the NHS Tayside Code of Corporate Governance
• Recommended approval of these to the Board at its meeting on 24 June 2021

6.4 Committee Assurance Principles (AUDIT12/2021)

Mr Tony Gaskin presented the report and advised that the Committee Assurance Principles had arisen as a result of the work being undertaken with the Board Secretary’s Group in relation to assurance mapping. Mr Gaskin noted that these principles would assist Standing Committees in assessing the assurances they receive, to view and structure assurance in a way that is helpful and to reduce unnecessary work and duplication. The Committee was asked to review and endorse these principles as a way of helping all Standing Committees to formulate their assurance and recommend their use by all Standing Committees.

11:15 Mr Robert MacKinnon arrived

Ms Margaret Dunning noted she was supportive of the Committee Assurance Principles and their use by all Standing Committees. It was noted that there were aspects of these principles in the Committee Support Standing Operating Procedures and that these principles would be incorporated into the Standing Operating Procedures for Tayside NHS Board and its Standing Committees. Ms Dunning advised that she would work with the Head of Committee Administration, Committee Support Officers and Internal Audit with the view to facilitating a workshop session followed by an update to the Audit and Risk Committee.

Ms Dunning highlighted, following a query regarding the implementation of these principles, the importance of these principles being embedded into our current processes. It was noted that at this stage, the Committee was asked to endorse the principles; however, it was to note that further work was required prior to implementation by Tayside NHS Board and its Standing Committees. Mr Gaskin agreed with this approach, noting the importance of these principles being embedded into existing guidance.

The Committee
• Endorsed the use of the Committee Assurance Principles by the Audit and Risk Committee
• Recommended the use of the Committee Assurance Principles by all Standing Committees, noting however that further work was required to embed these principles into existing guidance prior to implementation

7. REPORTS FOR ASSURANCE

7.1 Performance Report on Strategic Risk Management (AUDIT13/2021)

Mrs Hilary Walker advised that the report reflected the revised Strategic Risk Profile approved by Tayside NHS Board at its meeting on 29 April 2021. Ms Walker advised two new strategic risks, Finance Annual Plan 2021/22 and Covid-19 Vaccination Programme, would be added to the Strategic Risk Profile. It was noted that work was ongoing for these additional risks to be added to the Datix system. It was noted that the EU Exit Risk had been archived and that the Finance Annual Plan 2020/21 would be archived following conclusion of the annual accounts process. The Mental Health Strategic Risk (395) had been closed and had been replaced by Strategic Risk 934 following a series of workshops with Mental Health colleagues. Mrs Walker advised that details of material changes were highlighted within the report, noting that many of these changes related to changes to Risk Owners and Managers. It was noted that at the time this report had been produced there were 4 risks overdue for review and 4 risks which did not have review dates set.

Mrs Walker advised that these had since been followed up with Risk Owners and Managers and that there was now 1 risk overdue for review and 2 risks where review dates were to be set. Mrs Walker also advised that she had been working with Mr Ronnie Erskine to review the format of this report and therefore the next iteration of the report would be in a different format.

Ms Beth Hamilton queried, in relation to the archiving of the EU Risk, whether the staffing element of that risk had been transferred elsewhere, for example Nursing Workforce Risk. Mrs Walker advised that certain elements would be picked up and transferred where appropriate and gave assurance that whilst the EU Risk had been archived the Strategic Risk and Resilience Planning Team maintained communication with the EU Exit Readiness Group in relation to any emerging risks which may require the group to be involved.

Mrs Emma Jane Wells noted that the Sustainable Primary Care Services Risk was reported to every second meeting of the Angus Integration Joint Board (AIJB) – Clinical, Care and Professional Governance Forum; however, she queried whether this related to Tayside and not just the AIJB. Mrs Walker advised that the decision to align risks to either a Standing Committee or an IJB was agreed through the Strategic Risk Management Group (SRMG); however, she noted that she would review the reporting arrangements for this risk. Mr Gaskin noted the importance of a mechanism for assurance to flow through to Tayside NHS Board.

Mrs Pat Kilpatrick reflected on the risk status of Amber Waiting Time and RTT Targets, noting that this risk may increase once the organisation began to treat more patients and the risk that the service may be overwhelmed. Mrs Kilpatrick acknowledged that the organisation had performed extremely well during the pandemic in treating those urgent patients and continuing with some elective surgeries; however, she noted that there could be a large number of patients still to be treated causing a sizeable risk. Mr Lyall acknowledged the point made by Mrs Kilpatrick; however, he noted the need to understand what performance was being measured against and agreed that this was an important point for further discussion. There was discussion regarding whether this was still a performance risk or whether it should be re-classified as a clinical risk. It was noted that this risk was aligned to the Performance and Resources Committee and that further discussion regarding the profile of this risk was required at their next meeting in June 2021.

Dr Norman Pratt queried why the Mental Health Risk did not appear on the Heat Map. Mrs Walker advised that this risk was included on the heat map (395); however, she noted that, since the preparation of this report, this risk would be replaced with a new Strategic Risk following a series of proposals submitted to the Strategic Risk Management Group in December 2020. Mrs Walker noted that this new risk had now been added to the Datix system; however, it was not included within this report due to the timing of preparing the report.

Mr Peter Davidson sought clarity in relation to Effective Prescribing and whether this related to cost or stakeholder engagement. Mr Lyall advised that Effective Prescribing related to the realistic medicines agenda, the quality agenda but also the spending costs of the organisation. It was noted that the format of the presentation of information in the report was being updated and that future reporting would have further narrative.

Mrs Kilpatrick noted that polypharmacy was a key issue and that there had been a drive on generic prescribing to move away from the use of named drugs only. She advised that a lot of work in relation to effective prescribing had been undertaken with more engagement with patients and therefore more compliance. Mrs Kilpatrick noted the improvements which can be made using the Hospital Electronic Prescribing and Medicines Administration (HEPMA) system, which Mr Lyall agreed would be of great benefit to NHS Tayside. The Committee agreed that a moderate level of assurance had been provided.

The Committee
• Reviewed, discussed and noted the NHS Tayside Strategic Risk Profile, new, closed or emerging risks and material changes to existing risks
• Agreed moderate assurance had been received

It was agreed that item 7.5 would be taken next on the Agenda

7.5 Payment Verification Report: Family Health Services Contractors’ Report (AUDIT17/2021)

Mrs Jane Robbins was in attendance to present the report and advised that the purpose of the report was to provide assurance that payment verification processes were carried out. It was noted that this was an exception report and that had anything of concern arisen, this would have been highlighted in the report. Mrs Robbins advised that the payment verification process had, with the exception of Community Pharmacy, been stepped down during the Covid-19 pandemic. Mrs Robbins advised that in order to give the Committee as up to date information as possible, she had confirmed earlier this week with Practitioners Services Division, the Agency which undertakes much of the payment verification work on behalf of Tayside NHS Board, that as a result of Covid-19 there was very minimal payment to Dental and Ophthalmic Practitioners which was based on item of service claims. The level of claims was being reviewed for eligibility for the top-up payments, therefore there was currently no analysis of item of service trends and follow up on unusual trends as these did not affect payments. It was noted that once the future was known post Covid-19, Practitioner Services Division will reconsider what payment verification work was required. The Committee would be advised of any developments. Mrs Robbins highlighted Tayside NHS Board was proactively working to explore what help, if any, was required to assist General Medical Practices to remobilise services, such as Enhanced Services Delivery, as we emerge from the pandemic. The Committee agreed that a comprehensive level of assurance had been provided.

The Committee
• Noted the content of the report
• Agreed comprehensive assurance had been received

7.2 Risk Management Self Assessment (AUDIT14/2021)

Mrs Hilary Walker presented the report and advised that the Risk Management Self Assessment had been completed in consultation with Mrs Jocelyn Lyall, Regional Audit Manager and engagement with relevant NHS Tayside Directors. It was noted that validation of the findings was reserved to Mr Tony Gaskin as Chief Internal Auditor who reviewed the findings. Mrs Walker advised that there were no significant areas of concern identified however, the assessment of characteristics 5 and 15 by the Chief Internal Auditor differed from that of Mrs Walker and Mrs Lyall. Mrs Walker advised that the self assessment provided moderate assurance, in recognition of the further work required. It was noted that the Risk Management Self Assessment had been considered by the Strategic Risk Management Group. Mr Ronnie Erskine noted this was a good report which provided a lot of detail. The Committee agreed that a moderate level of assurance had been provided and recognised the work which was ongoing.

The Committee
• Reviewed the assessment of the organisation’s risk maturity (Appendix A)
• Agreed a moderate assurance had been received

7.3 Internal Audit Progress and Audit Follow Up Report (AUDIT15/2021)

Mrs Jocelyn Lyall advised that the purpose of the report was to provide an update in relation to progress with the 2020/21 Internal Audit Plan, an update on the planning process to develop the 2021/22 Internal Audit Plan and an update in terms of Audit Follow Up. It was noted that the Internal Audit Progress Report was included at Appendix A to the report. Mrs Lyall noted that Mr Gaskin had previously spoken in relation to the 2021/22 Internal Audit Plan and advised that section 2.3 of the report described the changes to the planning process due to the impact of Covid-19 on the Strategic Risk Profile. It was noted that feedback from Executive Leads was currently being collated prior to the 2021/22 Internal Audit Plan being circulated and it was anticipated the plan would be submitted to the 17 August 2021 Committee meeting for formal approval. In terms of Audit Follow Up, Mrs Lyall advised the Audit Follow Up position was included at Appendix B to the report. It was noted that all actions remained on track, as highlighted in section 2.3.1 of the report. In relation to T25/14 – Property Management Strategy, management had confirmed that agreed actions remained on track for completion by end September 2021. The Internal Audit Report T24/21 – Property Management Strategy was issued recently and Mrs Lyall advised that a meeting had been arranged with the Director of Facilities and Head of Estates on 9 June 2021 to discuss all matters. It had also been agreed that the Director of Facilities would be invited to attend the September 2021 Audit and Risk Committee to provide assurance on actions to address Internal Audit recommendations. Mrs Lyall highlighted improvements made to Internal Audit’s recommendation priorities to include an additional category of ‘Moderate’ and slight amendments to the definitions. It was noted the new definitions would be included in audit reports from the 2021/22 Internal Audit Plan. It was noted that the Internal Audit Progress Report at Appendix A to the report detailed completed audit work, draft reports issued and work in progress and planned. Mrs Lyall advised that Internal Audit Report T27/21 – ePayroll Update had been finalised since the preparation of this report. Mrs Lyall advised that Mr Gaskin was assisting Integration Joint Boards with their review of integration schemes and that further audits would be reported to the June and August 2021 Committee meetings. Mrs Emma Jane Wells noted the outstanding action regarding the audit of space utilisation in GP practices, as noted in Appendix B, and sought assurance this would be completed within the set timeframe. Mrs Wells also noted there was no defined course of action or timescale against Internal Audit Report T36/19 – TrakCare Post Implementation. Mrs Lyall gave assurance that the Property Department had established the required criteria however, agreed to raise this at her meeting with the Director of Facilities and Head of Estates. In relation to T36/19 TrakCare Post Implementation, Mrs Lyall advised that responses were awaited however, she would seek an update and feed back an update to Mrs Lisa Green to advise the Committee. Mr Ronnie Erskine noted that the dates on page 8 of the report were later than planned and queried whether there were any concerns.
Mrs Lyall advised that there had been slight delays with the Senior Leadership Team audit however the others were well advanced and she was confident these audits would be delivered on time. Mr Gaskin added that the NHS Tayside Internal Audit Team could be supplemented by staff based in the other FTF Client Health Boards to ensure delivery. The Committee agreed with the levels of assurance provided, as noted within the report.

JL

The Committee
• Noted the progress on the delivery of the Internal Audit Progress Report which provided comprehensive assurance on the progress of the revised 2020/21 Internal Audit Plan

• Approved the proposed 2021/22 Annual Internal Audit planning process

• Noted the status of the outstanding Internal Audit recommendations which provided comprehensive assurance that the Audit Follow up system was operating as intended and moderate assurance that timely action had been taken to address internal audit recommendations

• Noted the revised recommendation priorities and assurance definitions for use in all future Internal Audit reports

7.4 NHS Scotland Counter Fraud Services (AUDIT16/2021)

Mr Robert MacKinnon presented the report which he noted was self explanatory. It was noted that whilst there had been a material reduction year on year in relation to the level of frauds reported there had been an increase in the third quarter, largely attributed to fraud exploitation attempts during the pandemic. Mr MacKinnon advised that a rolling alert was regularly published on the Counter Fraud Services page on Staffnet. This alert provided information for all NHS staff and included a wide range of counter fraud measures. It was noted that details of NHS Tayside Counter Fraud Services cases to March 2021 were included under item 13.1 of the Agenda, under reserved business. The Committee agreed that a comprehensive level of assurance had been provided.

The Committee
• Noted the content of the report
• Agreed that comprehensive assurance had been received

7.6 Governance Review Group Action Note – 10 February 2021

Mrs Margaret Dunning presented the Action Note of the Governance Review Group meeting held on 10 February 2021. It was noted that a subsequent meeting was held on 12 May 2021. Mr Ronnie Erskine noted that the date of the next meeting of the Governance Review Group was 4 March 2021 and queried when the Action Note of this meeting would be presented to the Committee. Ms Dunning advised that the meeting scheduled for 4 March 2021 had been cancelled and that the Action Note of the meeting held on 12 May 2021 would be presented to the 22 June 2021 Audit and Risk Committee.

The Committee
• Noted and was assured by the Governance Review Group Action Note of the meeting held on 10 February 2021

7.7 Annual Report and Accounts – Regulatory and Accounting Policy Update 2020/21 (AUDIT18/2021)

Mrs Karen Kidd presented the report and advised that the purpose of the report was two-fold, to provide the Committee with the draft Accounting Policies for inclusion in the 2020/21 Annual Accounts, subject to any further changes agreed with the Board’s external Auditors as part of the annual audit of the financial statements, and provide a note of the changes to the structure and content of the annual report and accounts required by the 2020/21 Government Financial Reporting Manual (FReM) and Scottish Government Guidance. It was noted that there were no material amendments to the accounting policies in 2020/21, compared with the last financial year and that it had been agreed that previous guidance should be used to complete the 2020/21 accounts. Mrs Kidd advised that there were, therefore, no significant changes to the structure or contents of the annual report and accounts. Mrs Kidd advised there were some changes within section 29, key sources of judgement and estimation uncertainty, in the main reflecting a greater certainty around the valuation of the estate than in the prior year. In line with the annual accounts process and timetable the Annual Report and Accounts for 2020/21 would be presented to the Audit and Risk Committee at its meeting on 17 August 2021 with a Non Executive Member Briefing Session being held prior to this on 12 August 2021. Ms Anne Marie Machan wished to note that the Finance Team had provided a full set of the accounts this year, which had been very helpful. Mr Stuart Lyall also wished to extend his thanks to Mrs Kidd for leading on the preparation of this year’s annual accounts in addition to her usual work commitments.

The Committee
• Approved the draft accounting policies, noting they were subject to any further changes agreed with the Board’s External Auditors as part of the annual audit of the financial statements

• Noted the changes and updates to the structure of the annual reports and accounts

• Agreed comprehensive assurance had been received

Mrs Alison Dailly and Mr Ally Gentles were in attendance for items 7.8 to 7.10

7.8 Information Governance and Cyber Assurance Committee Annual Report (AUDIT19/2021)

Ms Margaret Dunning advised that the Information Governance and Cyber Assurance (IG&CA) Committee Annual Report followed the same format as other Committees and was presented to the Committee for assurance. Ms Dunning highlighted that the IG&CA Committee had met a number of times during 2020/21 and had undertaken a lot of work in response to Covid-19. It was noted that the report outlined the main areas of work undertaken and progressed during the year. Mr Ronnie Erskine noted that sections 5 and 6 of the report, in particular provided a lot of information and assurance. The Committee agreed that a comprehensive level of assurance had been provided.

The Committee
• Considered this assurance report which provided comprehensive assurance that a robust framework of key controls ensured objectives were likely to be achieved and controls were applied continuously or with only minor lapses

7.9 Network and Information Security (NIS) – Audit Recommendations Workplan (AUDIT20/2021)

Ms Margaret Dunning advised that the purpose of the report was to provide an update on the development of an action plan in response to the Information Security Policy Framework (ISPF) implementation and Network and Information Systems (NIS) Regulations recent audit outturn. Ms Dunning advised that an action plan had been developed by the Information Governance and Cyber Assurance (IG&CA) Team to address the 108 recommendations. It was noted the action plan underpins these recommendations. Mrs Alison Dailly advised that a risk based approach had been taken in reviewing the actions to be addressed and these were then prioritised accordingly. It was the intention to re-visit the action plan to ensure the correct Management Leads had been identified. Mrs Dailly advised that responsibility for these actions was wider than just the IG&CA Team and Digital Directorate and that further engagement with the wider organisation was required. It was noted that the auditors were due to review progress against these actions in August 2021 and that evidence would be submitted 2 weeks prior to this. Mrs Emma Jane Wells queried the timescales for a number of red actions, noting that some of these actions had an action date of June 2021. Mrs Dailly acknowledged that it was unlikely that these actions would be completed by 30 June 2021 and noted that these were the timescales initially set however, noted the need for ownership of actions to be reviewed and realigned. Ms Dunning noted that in reviewing ownership there was the need to identify an owner and a manager and review the timescales. Ms Dunning advised a presentation had been developed which provided a comparison across North of Scotland Health Boards. It was noted that NHS Tayside was in a good position in comparison with other Health Boards and that this presentation would be shared with the Committee at its next meeting.
Mr Ronnie Erskine queried whether there was sufficient support from colleagues in order to meet target dates. Ms Dunning noted there was sufficient support however, noted there may not be full understanding of the depth of work required. She advised that she would liaise with colleagues to ensure full understanding. She advised that there was full support from the Digital Directorate however, noted that progress needed to dovetail with other work ongoing across the organisation. Mr Erskine suggested a review of all updates provided as the narrative for some updates did not fit with the actions. The Committee noted a limited level of assurance had been received however, acknowledged that there was a lot of work ongoing.

The Committee
• Considered this assurance report and examined the state and level of assurance provided

• Agreed limited assurance had been provided. A satisfactory framework of key controls existed but with significant weaknesses which were likely to undermine the achievement of objectives

• Noted the management response provided an indication of how the recommendation shall be addressed with a timescale for completion

• Received assurance that work was progressing and that NHS Tayside was putting plans in place to comply with the requirements of the NIS Audit Recommendations, supported with the work with the NoS

• Noted regular report on progress with the action plan would be provided to the Audit and Risk Committee

7.10 Information Governance and Cyber Assurance Committee Minute – 12 January 2021

Ms Margaret Dunning presented the Minute of the Information Governance and Cyber Assurance Committee meeting held on 12 January 2021. It was noted that the 5 March 2021 meeting had been cancelled and that the Minute of the most recent meeting would be presented to the 22 June 2021 Audit and Risk Committee.

The Committee
• Noted and was assured by the Information Governance and Cyber Assurance Committee Minute of 12 January 2021

7.14 External Tracker – Recommendations Tracker (AUDIT21/2021)

Mrs Louise Lyall advised that this was the regular report to the Committee which provided a progress update against actions being tracked through the External Reports Recommendations Tracker, details of which were included in the appendices to the report. It was noted that a comprehensive level of assurance was now being provided. Mrs Lyall highlighted that section 2.3 of the report provided an overview of the changes since the last report to the Committee in March 2021. It was noted that there were now three outstanding actions. Mrs Emma Jane Wells spoke in relation to Large Hospital Set Aside. She advised that this had been a key focus for Angus Integration Joint Board (AIJB) and queried the progress of Dundee (DIJB) and Perth & Kinross IJBs in their development of this. Mr Stuart Lyall acknowledged that AIJB were advanced in their plans and was aware that AIJB had been working with DIJB. Mr Lyall noted that the reality of releasing resource was dependent on the actions of more than one IJB. He advised there were a number of complexities however, noted for now the need for AIJB and DIJB to link their commissioning plans and to do a baseline review of the commissioning plans and determine the impact they would have. Mr Lyall advised that there were challenges across Scotland however, it was anticipated that tangible improvements would soon be seen in Tayside. It was noted that this was one recommendation that would roll over and continue in both Internal and External Audit Reports.

Mrs Pat Kilpatrick queried whether there were any opportunities to present options or incentives and the financial benefits. Mr Lyall advised there could be opportunities to present scenarios however, highlighted the importance of having clear commissioning plans, outcomes and measures. He advised there were many complex factors however, gave assurance that there was commitment to move forward and that this was a key focus in discussions.

The Committee
• Noted and reviewed the status of the actions being taken to address the recommendation in reports in relation to the Board’s governance arrangements and internal systems of control undertaken by external parties

7.15 Review of Committee Effectiveness (AUDIT22/2021)

Mrs Louise Lyall advised that this was an annual report to the Committee in line with the recommendation in the Scottish Government Audit and Assurance Committee Handbook that the performance of the Committee be reviewed annually. Mrs Lyall advised that the Audit and Risk Committee Self Assessment Checklist 2020/21 had been completed and was included at Appendix 1 of the report. It was noted there were no significant areas of non compliance. It was also noted that the Annual Report and Accounts to the 17 August 2021 Committee meeting would provide further assurance.

The Committee
• Agreed comprehensive assurance had been received
• Considered whether the Committee was effective in achieving its remit in 2020/21, and agreed that there were no significant areas of non compliance that would require disclosure in the Governance Statement of Committee Annual Report

8. ITEMS FOR AWARENESS

8.1 NHS in Scotland 2020 (AUDIT23/2021)

Mr Stuart Lyall advised the report was self explanatory. It was noted that the NHS in Scotland could be accessed via the link included within the covering paper and that the key messages from the report were detailed under section 2.3.

The Committee
• Noted the content of the report

8.2 Audit Scotland Reports (AUDIT24/2021)

Mrs Louise Lyall advised that this was a regular report to the Committee and provided a link to access the Technical Bulletin 2021/1 – January to March 2021.

The Committee
• Noted the content of the report

8.3 Property Transactions Monitoring (AUDIT25/2021)

Mrs Louise Lyall advised that as a requirement of the Property Transactions Handbook each year the Audit and Risk Committee were to be advised of all previous year transactions. It was noted that there were two property transactions in 2020/21, as detailed within the report. Mrs Lyall advised that Internal Audit would undertake a review of the completed property transactions and that a report would be submitted to the Committee at its meeting in September 2021. The Audit and Risk Committee’s approval of the transaction procedures would then be reported to Scottish Government by 30 October 2021. Mrs Pat Kilpatrick sought clarity in relation to the lease of a Portacabin at Errol General Practice. Mrs Lyall advised that this was a temporary solution to allow for further planning of the Perth and Kinross Health and Social Care Partnership’s longer term requirements.

The Committee
• Noted the content of the report

8.4 Risk Management Strategy (AUDIT26/2021)

Mr Stuart Lyall advised that the Committee was asked to note for awareness the Risk Management Strategy which was presented to Tayside NHS Board at its meeting on 29 April 2021. It was noted that Tayside NHS Board considered the report on Strategic Risk Management and that the outcomes of the Risk Management Short Life Working Group were welcomed and approved. Mr Ronnie Erskine noted the report was helpful, particularly for those new to the Committee.

The Committee
• Noted the content of the report

9. DATE OF NEXT MEETING

The next scheduled meeting of the Audit and Risk Committee would be held on Tuesday 22 June 2021 at 9:30 am via Microsoft Teams. Mrs Pat Kilpatrick noted that the next Audit and Risk Committee was scheduled for the same date as the NHS Scotland Event. Ms Dunning advised that full details of the NHS Scotland Event were yet to be received however, it was assumed that the event would be held virtually. Mr Ronnie Erskine asked Members to advise as soon as possible if there were any availability issues. Mrs Emma Jane Wells wished to thank those who had prepared reports, noting these were helpful, particularly in her return to the Committee. Mr Erskine also extended his thanks to report authors.

10. MEETING REFLECTIONS AND CONSIDERATION OF MATTERS FOR CHAIR’S ASSURANCE REPORT

It was agreed that Mr Ronnie Erskine, Mrs Emma Jane Wells and Mrs Lisa Green would prepare the Chair’s Assurance Report, highlighting all key points outwith the meeting.

RESERVED BUSINESS OF THE COMMITTEE IN ACCORDANCE WITH THE GUIDE TO THE EXEMPTION UNDER THE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002

11. MINUTES AND CHAIR’S ASSURANCE REPORT

11.1 Reserved Minute of the Audit and Risk Committee meeting of 21 January 2021

The Committee
• Approved the Audit and Risk Committee Minute of the 21 January 2021

12. ACTION POINTS UPDATE AND MATTERS ARISING

12.1 Action Points Update

The Committee
• Noted there were no actions

12.2 Matters Arising

There were no matters arising.

13. REPORTS FOR ASSURANCE

13.1 NHS Scotland Counter Fraud Services (AUDIT27/2021)

The Committee
• Noted the content of the report

14. ITEMS FOR DISCUSSION/AWARENESS

14.1 Draft Governance Statement (AUDIT28/2021)

The Committee
• Noted the content of the report

15. PRIVATE DISCUSSION

Non Executive Members were invited to meet with Internal and External Auditors to allow for private discussions.

Meeting concluded at 13:03

Subject to any amendments recorded in the Minute of the subsequent meeting of the Committee, the foregoing Minute is a correct record of the business proceedings of the meeting of Tayside NHS Board Audit and Risk Committee held on 20 May 2021, and approved by the Committee at its meeting held on 22 June 2021

CHAIR ................................................. DATE .................................................

ITEM NUMBER 3.2

COMMITTEE CHAIR’S ASSURANCE REPORT

AUDIT AND RISK COMMITTEE – 20 MAY 2021

Performance against workplan

The Committee considered the final Committee Assurance and Workplan for 2020/21 which detailed all items considered by the Committee during 2020/21. The Committee considered the Committee Assurance and Workplan for 2021/22. It was noted the Committee Assurance and Workplan 2021/22 was an evolving document and would be updated following each meeting throughout 2021/22.

The Committee considered the following items of business:

The Committee received an update in relation to progress with the 2020/21 Internal Audit Plan, the planning process to develop the 2021/22 Internal Audit Plan and an update in terms of Audit Follow Up. There was discussion regarding Internal Audit Report T25/14 – Property Management Strategy and progress with actions. It was noted that actions remained on track for completion within the agreed timescales and that the Director of Facilities would attend the September 2021 Committee meeting to provide assurance around the progress of actions. The Committee noted the progress on the delivery of the Internal Audit Progress Report, comprehensive assurance on the progress of the revised 2020/21 Internal Audit Plan, comprehensive assurance that the Audit Follow Up system was operating as intended and moderate assurance that timely action had been taken to address Internal Audit recommendations. It was noted that Internal Audit’s recommendation priorities had been updated to include an additional category of Moderate and that slight amendments had been made to the definitions. It was noted the revised recommendation priorities and assurance definitions would be used in all future Internal Audit reports.

The Committee considered the Annual Report and Accounts – Regulatory and Accounting Policy. It was noted that there were no material amendments to the accounting policies in 2020/21 and that there were, therefore, no significant changes to the structure or contents of the annual report and accounts anticipated. The Committee approved the draft accounting policies, noting they were subject to any further changes agreed with the Board’s External Auditors as part of the annual audit of the financial statements and agreed that comprehensive assurance had been received.

The Committee received an update on the development of an action plan in response to the Information Security Policy Framework (ISPF) implementation and Network and Information Systems (NIS) Regulations recent audit outturn. The Committee noted a limited level of assurance however, received assurance that work was progressing and work was ongoing.

The Committee noted the progress update against actions being tracked through the External Reports Recommendations Tracker and noted there were now three outstanding actions. The Committee agreed that a comprehensive level of assurance had been provided.

The Audit and Risk Committee Self Assessment Checklist 2020/21 had been completed and it was noted that there were no significant areas of non compliance. The Committee noted comprehensive assurance had been received.

The Committee received comprehensive assurance in terms of Payment Verification, NHS Scotland Counter Fraud Services and the Information Governance and Cyber Assurance Annual Report 2020/21.

The NHS in Scotland 2020, Audit Scotland Technical Bulletin 2021/1, Property Transactions Monitoring and Risk Management Strategy reports were also presented to the Committee for awareness.

Delegated Decisions taken by the Committee

There was moderate assurance received in relation to the Internal Control Evaluation report and the Committee noted the actions required. The Committee commended the wide-ranging work undertaken in the report and positive progress in several areas seen over the last year. Members welcomed the actions detailed in the report including those on Strategy and Transformation, and Risk Management. Members look forward to further in-depth Board discussions on Strategy and in September on the Strategic Risk profile and risk appetite. The Committee agreed the distribution of the Internal Control Evaluation report for consideration by all Standing Committees.

The Committee reviewed and endorsed the Risk Management Annual Report 2020/21 and Workplan 2021/22.

The Committee reviewed the updates to the NHS Tayside Code of Corporate Governance and recommended the approval of these to the Board at its meeting on 24 June 2021.

The Committee endorsed the use of the Committee Assurance Principles by the Audit and Risk Committee. The Committee recommended the use of the Committee Assurance Principles by all Standing Committees, noting however that further work was required to embed these principles into existing guidance prior to implementation.

Update on Risk Management

The Committee considered the Performance Report on Strategic Risk Management and noted moderate assurance had been received. There were concerns raised regarding assurance reporting to Tayside NHS Board in respect of the Sustainable Primary Care Services Risk. It was noted that the alignment of this risk would be reviewed. There were also concerns raised regarding the Waiting Time and RTT Targets Risk, in that this risk could increase once the organisation began to treat more patients and that services may become overwhelmed. It was noted that this risk was aligned to the Performance and Resources Committee and would be discussed further at their next meeting in June 2021.

The Committee considered the Risk Management Self Assessment. The Committee agreed moderate assurance had been received and acknowledged that work continued.

The Committee noted for awareness the Risk Management Strategy which had been considered and approved by Tayside NHS Board at its meeting on 29 April 2021.

Any Other Major Issues to highlight to the Board

None

Ronnie Erskine
Audit and Risk Committee Chair
20 May 2021

ITEM NUMBER 4.1

Action Points Update NHS Tayside

Tayside Audit and Risk Committee 22 June 2021 – Open Business

New actions arising from meeting on 20 May 2021

| Meeting Date | Minute Ref | Heading | Action Point | Responsibility | Status |
|---|---|---|---|---|---|
| 20 May 2021 | 7.3 | Internal Audit Progress and Audit Follow Up Report | Jocelyn Lyall to seek an update in relation to a defined course of action and timescales being agreed for recommendations relating to Internal Audit Report T36/19 TrakCare Post Implementation | J Lyall | Completed. Update included in Agenda Item 7.3 Internal Audit Progress and Audit Follow Up Report to 22 June 2021 meeting. |

Completed Actions

| Meeting Date | Minute Ref | Heading | Action Point | Responsibility | Status |
|---|---|---|---|---|---|
| 21 January 2021 | 5.1 | Committee Assurance and Workplan | Donald McPherson would liaise with the Chair of the Care Governance Committee regarding the sharing of information in relation to reporting arrangements in light of the deferment of Standing Committee meetings | Donald McPherson | Completed |
| 21 January 2021 | 6.2 | Performance Report on Strategic Risk Management | Further information regarding the two overdue risk reviews would be circulated to the Committee | Hilary Walker/Lisa Green | Completed |
| 21 January 2021 | 6.10 | External Tracker – Recommendations Tracker | Further narrative in the progress update relating to Patients’ Private Funds in future reporting | Louise Lyall | Completed |
| 21 January 2021 | 6.10 | External Tracker – Recommendations Tracker | The wording in the progress update relating to Non Executive Member appraisals to be amended to reflect that Non Executive Member appraisals would be completed | Louise Lyall | Completed |

TAYSIDE NHS BOARD AUDIT AND RISK COMMITTEE ASSURANCE AND WORKPLAN 2021/22

The completion of this Audit and Risk Committee Assurance Plan will be used to inform the development of the Audit and Risk Committee’s Annual Work Plan. This can also be used as a checklist for the development of the Audit and Risk Committee’s Annual Report. The Workplan outlines the major items the Audit and Risk Committee has to consider as part of its schedule of work for the year. This should allow the Committee to fulfil its terms of reference. It will continue to be kept under review throughout the year.

ITEM NUMBER 5.1

COMMITTEE ASSURANCE PLAN COMMITTEE: Audit and Risk Committee FINANCIAL YEAR: 2021/2022 ASSURANCE NEED (Consider the Terms of Reference and breakdown into the areas that require assurance to be provided to the Committee)

SOURCE / EVIDENCE OF ASSURANCE (Considering the component parts of the Terms of Reference what evidence is required to be demonstrated against each component part)

TYPE OF ASSURANCE (1st Line, 2nd Line or 3rd Line of Assurance)

FREQUENCY (When will the assurance be presented to the Committee)

DATE AT COMMITTEE

LEVEL OF ASSURANCE ACHIEVED To be completed after Committee Meeting (Comprehensive, Moderate, Limited, No Assurance)

Adequacy of Risk Management Arrangements

Risk Management Work Plan 2nd Line 1st Quarter AUDIT10/2021 - 20 May 2021

No level of assurance required – Item for endorsement

Risk Management Mid Year and Annual Report

2nd Line 1st Quarter and 3rd Quarter

AUDIT10/2021 - 20 May 2021

No level of assurance required – Item for endorsement

Risk Management Self Assessment 2nd Line 1st Quarter AUDIT14/2021 - 20 May 2021

Moderate

Risk Management Strategy 2nd Line 5 yearly document 3rd Quarter

AUDIT26/2021 – 20 May 2021

Item for awareness – Approved by Tayside NHS Board 29 April 2021

Performance Report on Strategic Risk Management

2nd Line Each meeting AUDIT13/2021 – 20 May 2021

Moderate

Terms of Reference of Strategic Risk Management Group for review and approval

2nd Line 1st Quarter

Annual Report of Strategic Risk Management Group

2nd Line 1st Quarter

Minutes of Strategic Risk Management Group

2nd Line As & when available

Adopt Risk Management Policies

2nd line As required

To review the framework of Internal Control and Corporate Governance and review the system of Internal Financial Control

Internal Audit Progress Report

3rd Line Each meeting AUDIT15/2021 – 20 May 2021

Comprehensive

Internal Audit Internal Control Evaluation

3rd Line 4th Quarter AUDIT09/2021 – 20 May 2021

Moderate

The Chief Internal Auditor’s Annual Report and Assurance Statement

3rd Line 1st Quarter

Payment Verification Update 2nd Line 1st Quarter and 3rd Quarter (unless material exceptions)

AUDIT17/2021 – 20 May 2021

Comprehensive

Banking and Treasury Management 2nd Line 3rd Quarter

Governance Review Group Minutes 2nd Line As & when available 20 May 2021 Assured

Governance Review Group Annual Report

2nd Line 1st Quarter

Adopt Governance policies 2nd line As required

Patient Exemption Checking (PECS) Counter Fraud Services Annual Report

2nd Line 1st Quarter

Counter Fraud Services Update and National Fraud Initiative Progress Report

3rd Line 1st Quarter and 3rd Quarter (unless material exceptions)

AUDIT16/2021 & AUDIT27/2021 – 20 May 2021

Comprehensive Comprehensive

Property Transactions 2nd Line 1st Quarter and 2nd Quarter

AUDIT25/2021 – 20 May 2021

Item for awareness

Review of Committee Effectiveness – Audit Committee Handbook Checklist

3rd Line 1st Quarter AUDIT22/2021 – 20 May 2021

Comprehensive

Updates to Code of Corporate Governance

2nd Line As and when required

AUDIT63/2021 – 20 May 2021

No level of assurance required - Item for decision

Code of Corporate Governance – Tendering Waivering

2nd Line As and when required

The Committee shall monitor how the Board controls risk and possible litigation

Litigation Monitoring 2nd Line 1st and 3rd Quarters

Information Governance and Cyber Assurance

Information Governance and Cyber Assurance Mid Year and Annual Reports (incl FOISA Mid Year Compliance Report)

2nd Line 1st and 3rd Quarters AUDIT19/2021 – 20 May 2021

Comprehensive

Information Governance and Cyber Assurance Minutes

2nd Line As & when available 20 May 2021 Assured

Information Security Policy Framework (ISPF) Assurance Reporting Tool and Key Summary Control Dashboard

2nd Line Each meeting AUDIT20/2021 – 20 May 2021

Limited

To review and approve the Internal Audit Strategic and Annual Plans

Internal Audit Annual Plan 3rd Line 1st Quarter

Internal Audit Framework 3rd Line 2nd Quarter

Independent Review of Internal Audit 3rd Line 3rd Quarter 5 yearly review (last presented Dec 2018)

The Committee shall agree the level of detail it wishes to receive from the Internal and External Auditors. Facility for Internal and External Auditors to meeting with Non Executive Members for private discussions

3rd Line Each meeting Item 15 - 20 May 2021

To receive and review management reports on action taken in response to audit recommendations in line with the agreed follow-up protocol

Audit Follow Up Report 3rd Line Each meeting AUDIT15/2021 – 20 May 2021

Comprehensive & Moderate

Audit Follow Up Protocol 3rd Line 3rd Quarter

To review the External annual Audit Plan including the Performance Audit programme

Audit Scotland External Audit Plan 3rd Line 4th Quarter

To review the terms of reference, appointment and remuneration of external auditors for the Board Endowment Funds

Appointment of External Auditors Endowment and approval of fees and scope of work

3rd Line As and when required

To review Audit Plan produced by the external auditors appointed in relation to the Board Endowment Funds

External Audit Report - Review of Audit Endowment Funds

3rd Line 1st Quarter

To consider all statutory audit material for the Board

Review of Annual Accounts – Endowment Funds

3rd Line 1st Quarter

Review of Annual Accounts – Patient Funds

3rd Line 1st Quarter

External Reports – Recommendation Tracker

2nd Line Each meeting AUDIT21/2021 – 20 May 2021

Comprehensive

Appointment of External Auditors Patients Funds and approval of fees and scope of work

3rd Line As and when required

Service Auditor Reports 3rd Line 1st Quarter

To review the Annual Report and Accounts, including the Governance Statement

Annual Accounts Guidance Update 2nd Line 1st quarter AUDIT18/2021 – 20 May 2021

Comprehensive

Governance Statement 2nd Line 1st Quarter AUDIT28/2021 - 20 May 2021

No level of assurance required as only Draft Governance Statement – Item for Awareness

Standing Committee, IJB and Board of Trustees Annual Assurance Reports

2nd Line 1st Quarter

Notification from Sponsored Body Audit Committees – Significant issues of wider interest report

3rd Line 1st Quarter

To review and recommend for approval the Annual Accounts for Exchequer Funds

Review of Annual Accounts – Exchequer Funds

2nd Line 1st Quarter

Audit Scotland External Audit Interim Report

3rd Line 1st Quarter

Audit Scotland External Audit Annual Report to Auditor General

3rd Line 1st Quarter

The Chief Internal Auditor’s Annual Report and Assurance Statement

3rd Line 1st Quarter

To review and recommend for approval the Annual Accounts for Endowment Funds to the Endowment Trustees of the Board

Review of Annual Accounts – Endowment Funds

2nd Line 1st Quarter

To review and recommend for approval the Annual Accounts for Patients’ Funds

Review of Annual Accounts – Patients Funds

2nd Line 1st Quarter

To review at least annually the accounting policies and approve any changes thereto

Annual Report and Accounts Regulatory and Accounting Policies Update

2nd Line 1st quarter AUDIT18/2021 – 20 May 2021

Comprehensive

To review schedules of losses and compensation payments

Losses and Compensation Report 2nd Line 1st Quarter

Other Matters

The Committee has a duty to review its own performance and effectiveness, including its running costs and terms of reference on an annual basis

Audit Committee Terms of Reference and Workplan

1st Line 4th Quarter and each meeting thereafter

Item 5.2 – 20 May 2021

Assured

Responsible Officer
Comment
Meeting 20 May 2021
Meeting 22 Jun 2021
Meeting Ann Accs 17 Aug 2021
Meeting 16 Sept 2021
Meeting 18 Nov 2021
Meeting 20 Jan 2022
Meeting 17 Mar 2022
Meeting xx May 2022
Meeting xx June 2022

Assurance Reporting – First Line

Performance Report on Strategic Risk Management

Director of Finance

Standing Item 7.1 X X X X X X

Assurance Reporting – Second Line

Litigation Monitoring

K Kidd Bi-annual X X X

PV Update • General

Pharmaceutical Svs • General Ophthalmic

Svs • General Dental Svs • General Medical Svs

J Robbins Bi-annual 7.5 X X

PV update on process and procedures

J Robbins As & when available

Patient Exemption Checking (PECS) Counter Fraud Services Annual Report

R MacKinnon

Annual X X

Standing Committee, IJB and Board of Trustees Annual Assurance Reports

L Lyall Annual X X

Banking and Treasury Management

L Lyall Annual X

Governance Review Group – Annual Report

M Dunning Annual X X

Risk Management Self Assessment and Audit Checklist

Director of Finance

Annual 7.2 X

Risk Management Mid Year Report including review of risk appetite

Director of Finance

6 Monthly X

Risk Management Annual Report

Director of Finance

Annual 6.2 X

Information Governance and Cyber Assurance Committee Mid Year Report (incl FOISA Compliance Mid Year Report)

M Dunning Annual X

Information Governance and Cyber Assurance Committee Annual Report (incl FOISA Compliance Annual Report)

M Dunning Annual 7.8 X

Information Security Policy Framework (ISPF) Assurance Reporting Tool and Key Summary Dashboard

M Dunning Standing Item 7.9 X X X X X X

Information Governance and Cyber Assurance Committee Minutes

M Dunning As & when available

7.10 X X X X X X

Strategic Risk Management Group Annual Report

Director of Finance

Annual X X

Strategic Risk Management Group Terms of Reference, Committee Assurance and Workplan

Director of Finance

Annual X X

Strategic Risk Management Group – minutes for information and assurance

Director of Finance

Standing Item X X X X

Assurance Reporting – Third Line

Internal Audit

Internal Audit Annual Plan

T Gaskin Annual X X

Internal Audit Progress Report (incl KPIs and Summary of reports completed per reporting protocol)

B Hudson/ J Lyall

Standing Item 7.3 X X X X X X

Audit Follow Up Reports

B Hudson/ J Lyall

Standing Item 7.3 X X X X X X

Internal Audit Annual Report

T Gaskin Annual X X

Internal Audit Internal Control Evaluation Review

T Gaskin Annual 6.1 X

X

Audit Follow Up Protocol

L Lyall Annual X

Internal Audit Framework

T Gaskin Annual X

Private Discussions Committee Chair

Standing Item 15 X X X X X X

Independent Review of Internal Audit

Independent Provider

Every Five Years

(last presented December 2018)

External Audit – Audit Scotland

Annual Audit Plan B Crosbie Annual X

External Audit Interim Report

B Crosbie Annual X X

External Audit – Annual Report to Board and Auditor General

F Mitchell-Knight

Annual X X

Private Discussions Committee Chair

Standing Item 15 X X X X X X

External Reports Recommendations Tracker (incl External Audit Recommendations)

Progress Report

Director of Finance

Standing Item 7.11 X X X X X X

Service Auditor Reports

Annual Reports

L Lyall Annual X X

External Audit - Other

Review with External Auditor Audit Planning Memorandum , Fees & Reporting Arrangements

Director of Finance

Annual X

Review of Audit of Endowment Funds – External Audit Report (MMG Archbold)

D Grant Annual X X

Review of Audit of Patients’ Funds – External Audit Report (Morris & Young)

S Fyfe Annual X X

Appointment of External Auditors Endowment & Patients Funds & approval of fees and scope of work

R MacKinnon

As & when required

Annual Accounts Accounting Policies K Kidd Annual 7.7 X X

Annual Accounts Guidance Update

K Kidd Annual 7.7 X

Governance Statement Director of Finance

Annual 14.1 (Draft)

X (Draft)

X X (Draft)

X

Review of Annual Accounts – Exchequer Funds

Director of Finance

Annual

X X

Review of Annual Accounts - Endowments Funds

R Mackinnon

Annual X X

Review of Annual Accounts - Patient Funds

R Mackinnon

Annual X X

Losses and Compensation Payments

L Lyall Annual X X

Risk Management Risk Management Workplan

Director of Finance

Annual 6.2 X

Risk Management Strategy (last presented 20/05/2021)

Director of Finance

5 yr document (last presented

20/05/2021)

8.4 X

Audit Committee Reporting

Meeting Reflection – Committee Consideration of issues to highlight to the Board

Committee Chair

Standing Item 10 X X X X X X X

Committee Annual Assurance Report

L Lyall Annual X X

Notification from Sponsored Body Audit Committees – Significant issues of wider interest

Director of Finance

Annual X X

Code of Corporate Governance

Updates to Code of Corporate Governance

M Dunning As & when required

6.3

Reporting Requirement – Code of Corporate Governance Tendering Waivers

Director of Finance

As & when required

External Audit – Audit Scotland - For Information

Audit Scotland Annual Report on NHS Scotland

Director of Finance

Annual 8.1 X

Audit Scotland Reports (incl Technical Bulletins)

Director of Finance

As & when available

8.2

Counter Fraud Services

Counter Fraud Services Update

R MacKinnon

Bi-annual 7.4 & 13.1 X X

National Fraud Initiatives (& Bribery Act) Progress Report

R MacKinnon

Bi-annual

7.4 & 13.1 X X

Committee Organisation and Effectiveness

Audit Committee Terms of Reference, Committee Assurance and Work Plan

L Lyall Annual approval and then update workplan as

required during year

5.2

X X X X X (App of

Terms of Ref, Ass & Work plan)

X

Review of Committee Effectiveness - Audit Committee Handbook Checklist

L Lyall Annual 7.12 X

Other Reports Property Transactions Monitoring

L Lyall Bi-annual 8.3 X X

Other External Reports other than Audit Reports

L Lyall As & when available

Minutes for Information

Governance Review Group

M Dunning As & when available

7.6

Policies to be endorsed by the Committee as and when required

Risk Policies Policy Managers

As & when required

Governance Policies Policy Managers

As & when required

Record of Attendance NHS Tayside

Audit and Risk Committee Record of Attendance 1 April 2021 – 31 March 2022

Name; Designation; Organisation; Meeting Dates: 20 May 2021, 22 Jun 2021, 17 Aug 2021, 16 Sept 2021, 18 Nov 2021, 20 Jan 2022, 17 Mar 2022

Members

Jenny Alexander; Non Executive Member & Chair of Area Partnership Forum (until 30 April 2021); NHS Tayside
Peter Davidson; Non Executive Member (as of 1 May 2021); NHS Tayside; Present
Ronnie Erskine; Non Executive Member (Chair as of 1 Jan 2021); NHS Tayside; Present
Beth Hamilton; Non Executive Member (as of 1 May 2021); NHS Tayside; Present
Pat Kilpatrick; Non Executive Member; NHS Tayside; Present
Donald McPherson; Non Executive Member (until 30 April 2021); NHS Tayside
Bob Myles; Non Executive Member (until 30 April 2021); NHS Tayside
Norman Pratt; Non Executive Member & Chair of the Area Clinical Forum (as of 1 May 2021); NHS Tayside; Present
Emma Jane Wells; Non Executive Member (Vice Chair as of 1 May 2021); NHS Tayside; Present

In Attendance

Margaret Dunning; Board Secretary; NHS Tayside; Present
Lisa Green; Committee Support Officer; NHS Tayside; Present
Louise Lyall; Head of Finance – Capital and Resources (Lead Officer); NHS Tayside; Present
Robert MacKinnon; Interim Charity Chief Officer, Associate Director of Finance & Fraud Liaison Officer; NHS Tayside; Present

ITEM NUMBER 5.2


Attendees

Bruce Crosbie; Senior Audit Manager; Audit Scotland; Present
Tony Gaskin; Chief Internal Auditor; FTF Audit & Management Services; Present
Barry Hudson; Regional Audit Manager; FTF Audit & Management Services
Jocelyn Lyall; Regional Audit Manager; FTF Audit & Management Services; Present
Stuart Lyall; Director of Finance; NHS Tayside; Present
Anne Marie Machan; Audit Manager; Audit Scotland; Present
Raymond Marshall; Representative Area Partnership Forum; NHS Tayside
Fiona Mitchell-Knight; Audit Director; Audit Scotland
Donna Tosh; Head of Committee Administration; NHS Tayside
Hilary Walker; Head of Risk and Resilience; NHS Tayside; Present

For Information

Grant Archibald; Chief Executive; NHS Tayside
Lorna Birse-Stewart; Chair, Tayside NHS Board; NHS Tayside


ITEM NUMBER 6.1 AUDIT29/2021

Audit and Risk Committee
22 June 2021
Strategic Risk Management Group Annual Report 2020/2021 and Terms of Reference 2021/2022
Responsible Executive: Stuart Lyall, Director of Finance
Report Author: Hilary Walker, Head of Risk and Resilience Planning

1 Purpose

This is presented to the Audit and Risk Committee for:
• Assurance
• Decision

This report relates to a:
• Tayside NHS Board governance matter

This aligns to the following NHSScotland quality ambition(s):
• Safe
• Effective
• Person Centred

2 Report summary

2.1 Situation

As requested under section 2.4 (Recommendation) the Audit and Risk Committee is asked to endorse the contents of the report, and to delegate to the Chair and Lead Officer, the power to provide any additional information that may be sought by the Audit and Risk Committee in reviewing the Board’s System of Internal Control.

2.2 Background

Within Section A of the NHS Tayside Code of Corporate Governance, it is specified that the Audit and Risk Committee has a duty to approve the terms of reference and Committee Annual Report of the Strategic Risk Management Group.

2.3 Assessment

To provide the Audit and Risk Committee with assurance regarding the work of the Strategic Risk Management Group an Annual Report is produced and this is attached at Appendix A.


The report offers comprehensive assurance to the Audit and Risk Committee on NHS Tayside’s Risk Management arrangements; Resilience and Business Continuity functions; and the management of organisational policies. The report describes the purpose and composition of the Group, and details:

• membership of the Committee;
• frequency of meetings;
• schedule of business considered; and
• outcomes and assurances.

Annual reports are an essential part of the internal control process and the conclusions on assurance are considered in June each year by the Audit and Risk Committee as part of the Annual Accounts process. The Annual Reports also provide assurance to the Accountable Officer regarding the Governance Statement.

Looking forward to 2021/2022 the Strategic Risk Management Group reviewed their Terms of Reference with minor amendment undertaken and this is attached at Appendix B.

2.3.1 Quality/Patient Care

There is no direct impact on quality of care and services arising from this report.

2.3.2 Workforce

There are no workforce implications directly associated with this report.

2.3.3 Financial

There are no financial implications directly associated with this report.

2.3.4 Risk Assessment/Management

Failure to produce an Annual Report and Terms of Reference for the Strategic Risk Management Group and have these approved by the Audit and Risk Committee, would contravene the Code of Corporate Governance. This may jeopardize the ability of the Audit and Risk Committee to complete an assessment of the organisation’s risk management arrangements, systems and processes and impact on the conclusions within the Governance Statement.

2.3.5 Equality and Diversity, including health inequalities

The Strategic Risk Management Group conducts its business, mindful of its responsibilities to ensure that equality and diversity considerations are addressed.

2.3.6 Other impacts

Not applicable.

2.3.7 Communication, involvement, engagement and consultation

Not applicable.


2.3.8 Route to the Meeting

The Strategic Risk Management Group considered the documents attached to this report at its meeting on 8 April 2021.

2.4 Recommendation

The Audit and Risk Committee is asked to note that this Report is provided to give comprehensive assurance about the work progressed by the Strategic Risk Management Group during the year 2020/2021 and approve the Annual Report 2020/2021 and the Terms of Reference (inclusive of the Workplan) for the financial year 2021/2022.

3 List of appendices

The following appendices are included with this report:
• Appendix A: Strategic Risk Management Group Annual Report 2020/2021
• Appendix B: Strategic Risk Management Group Terms of Reference 2021/2022

Level of Assurance: Comprehensive Assurance
System Adequacy: Robust framework of key controls ensures objectives are likely to be achieved.
Controls: Controls are applied continuously or with only minor lapses.

Level of Assurance: Moderate Assurance
System Adequacy: Adequate framework of key controls with minor weaknesses present.
Controls: Controls are applied frequently but with evidence of non-compliance.

Level of Assurance: Limited Assurance
System Adequacy: Satisfactory framework of key controls but with significant weaknesses evident which are likely to undermine the achievement of objectives.
Controls: Controls are applied but with some significant lapses.

Level of Assurance: No Assurance
System Adequacy: High risk of objectives not being achieved due to the absence of key internal controls.
Controls: Significant breakdown in the application of controls.


APPENDIX A

ANNUAL REPORT OF STRATEGIC RISK MANAGEMENT GROUP

1. PURPOSE

In order to assist the Audit and Risk Committee in conducting a regular review of the effectiveness of the systems of internal control, the Code of Corporate Governance requires that the Strategic Risk Management Group submits its annual report. This report is submitted in fulfilment of this requirement. This report is to provide an assurance to the Audit and Risk Committee on the work undertaken by the Strategic Risk Management Group during the year 1 April 2020 to 31 March 2021.

2. STRATEGIC RISK MANAGEMENT COMMITTEE

2.1 Purpose of Committee

The purpose of the Strategic Risk Management Group is to:
• Ensure NHS Tayside’s Risk Management arrangements are robust, comply with national policy and are embedded into all aspects of service provision, planning and business management
• Ensure NHS Tayside’s resilience and business continuity functions comply with Civil Contingencies Act 2004 and associated legislation
• Maintain an overview of the management of organisational policies.

During the financial year ended 31 March 2021 the Strategic Risk Management Group comprised:

Membership:
Mr G Archibald, Chief Executive (Chair)
Mr S Lyall, Director of Finance
Mrs H Walker, Head of Strategic Risk and Resilience Planning
Ms M Dunning, Board Secretary
Professor P Stonebridge, Medical Director
Mrs C Pearce, Nurse Director
Mr G Doherty, Director of Workforce
Dr E Fletcher, Director of Public Health (from 1 December 2020)
Mr L Khalique, Director of Digital Technology
Mrs H Scott, Assistant Chief Executive
Mr D Coulson, Interim Director of Pharmacy
Mr B Nicoll, Director of Strategic Change
Mrs K Anderson, Director of Allied Health Professions (AHPs)
Mrs J Alexander, Employee Director
Mrs G Smith, Interim Chief Officer, Angus Health and Social Care Partnership
Mrs V Irons, Chief Officer, Dundee Health and Social Care Partnership


Mr G Paterson, Chief Officer, Perth and Kinross Health and Social Care Partnership
Mrs K Bell, Interim Director of Mental Health
Ms L Wiggin, Director of Acute Services

In attendance:
Mrs A Dailly, Head of Information Governance and Cyber Assurance/ Data Protection Officer

Members who left during the Strategic Risk Management Group year ended 31 March 2021:
Mrs J Bodie, Director of eHealth (1 April to 2 April 2020)
Dr D Walker, Director of Public Health (1 April to 31 August 2020)

The appointed Chair of the Strategic Risk Management Group (SRMG) is the Chief Executive of NHS Tayside who is the Accountable Officer. The Lead Officer of the SRMG is the Director of Finance. Support to the Committee is provided by Ms Margaret-Rose Campbell, Committee Support Officer, NHS Tayside.

2.2 Meetings

Throughout 2020/21 the Strategic Risk Management Group met on:
• 17 June 2020
• 03 September 2020
• 08 December 2020

The meetings scheduled to take place on:
• 23 April 2020 and 18 February 2021 were deferred due to the decision to stand down all non-essential meetings of Tayside NHS Board due to the Covid-19 pandemic.
• 22 October 2020 was cancelled as a result of a business continuity issue.

These deferments/cancellations had no detriment in relation to the business to be conducted as this was carried forward to the subsequent meeting of the group.

All meetings within the financial year were undertaken through a blended approach of Microsoft Teams and limited staff attending in person observing social distancing guidance put in place throughout the Covid-19 pandemic.

The attendance schedule for the year 2020-2021 is attached at Appendix 1.

2.2 Business

The workplan for the Strategic Risk Management Group, covering the items considered, is attached at Appendix 2. Minutes of each meeting of the Strategic Risk Management Group have been timeously submitted to the subsequent meeting of NHS Tayside Audit and Risk Committee.


3. OUTCOMES AND ASSURANCES

Outcomes in relation to each item of business have been recorded in the Strategic Risk Management Group’s Minutes.

Policy Management:

Policy Management within NHS Tayside continues to be reported upon at each meeting and the Strategic Risk Management Group have been provided with assurance as to the process of addressing policy breaches; and the ongoing work to develop policy frameworks within the organisation, thereby rationalising the overall number of policies, for example, the rationalisation of the Information Governance suite of policies into an Information Governance Policy Framework. The “Once for Scotland” Workforce Policies Programme has been paused nationally until mid-2021 to allow for a focus to be on the response to the Covid-19 pandemic.

Information Governance and Cyber Assurance:

The NHS Tayside Information Governance & Cyber Assurance Report was added to the workplan in the year 2020/2021, with reports received initially at each meeting undertaken; however, the Strategic Risk Management Group agreed at its meeting on 8 December 2020 that future reporting would take place every second meeting. The reports are provided to assure the Strategic Risk Management Group that the Information Governance and Cyber Assurance Team duties across NHS Tayside are being discharged appropriately in line with current legislative requirements, and the overall agreed level is one of Moderate Assurance, acknowledging that there are a number of weaknesses present within the current system, including compliance with the NHS Scotland Information Security Policy Framework and Freedom of Information (Scotland) Act 2002 requests.

Short Life Working Group – Risk Management

During the early part of 2020, following discussion involving the Chair, Vice-Chair and the Chief Executive, a Short Life Working Group was established in May 2020 under the leadership of the Director of Finance (the Executive Lead for Risk within NHS Tayside).

Membership of the Group consists of four Non-Executive Members (including the Chair of the Audit and Risk Committee), the Board Secretary, the Head of Board Support, and the Head of Risk and Resilience. The Chief Internal Auditor attended meetings in an advisory capacity.

The remit of the group was to review: the Risk Management Framework and Strategy documentation; the arrangements for identification, management and mitigation of strategic risks; and the reporting arrangements through governance pathways of Standing Committees through to Tayside NHS Board.

The Short Life Working Group met on five occasions, with sub-group meetings occurring on two occasions. The Director of Finance provided an update on the progress of the work of the Short Life Working Group to the Board Development Session held on 25 June 2020, where the role and remit of the Group was outlined, and the necessity to fundamentally review and, as necessary and appropriate, revise and strengthen the risk management arrangements, recognising the changed operating environment within which the Board will be required to deliver its core functions going forward, was laid before Tayside NHS Board members.


A further Board Development Session was held on 26 November 2020, within which Strategic Direction; and Risk Management were topics. The Director of Finance provided a comprehensive update on the achievements of the Risk Management Short Life Working Group which met from June to September 2020. The next steps were outlined and highlighted as being: Combined Strategy and Framework to be signed off by Tayside NHS Board; Executive Leadership Team/Strategic Risk Management Group consideration of Strategic Risks for 2021/22; and Board engagement to agree strategic risk profile and risk appetite. A Risk Management Short Life Working Group Briefing was provided to Board Members within the Board Development Session on 25 March 2021. This summary outlined progress against the key areas of: Strategic Risk Profile; Revised Risk Management Strategy/Assurance Reporting Arrangements/Board Reporting; Integration Joint Board Strategy; and provided a proposed timeline of Risk Management Activity for the year 2021.

4. RISK ASSURANCE AND REPORTING

NHS Tayside Strategic Risk Profile

A review of the strategic risk profile was undertaken virtually during the months of March and April 2020 through email correspondence with Strategic Risk Management Group members. Information was collated on:
• Which risks the Group wished to be carried forward to 2020/2021
• Proposals for risks to be archived
• Proposals for risks to be included within the risk profile 2020/2021

The proposal which was brought to the Strategic Risk Management Group on 17 June 2020 was for 24 strategic risks to be included within the strategic risk profile for the year 2020/2021:
• 18 current strategic risks to be carried forward in to 2020/2021
• 4 strategic risks to be archived
• 6 new strategic risks to be created

The identified risks for archive included:
• Risk 280 Nursing and Midwifery Workforce, which will be replaced by two new risks: one for Nursing Workforce (Risk 844) and one for Midwifery Workforce (Risk 845);
• Risk 619 EU Exit (Readiness), which will be replaced by new risk EU Exit, which will focus on the impact of the outcome of negotiations;
• Risk 724 Finance Annual Plan 2019/2020, which will be replaced by a new risk for 2020/2021; and
• Risk 745 Implementation of eESS.

In addition to the above replacement risks, new strategic risks to be developed included:
• Covid-19
• Care Homes


One further strategic risk was archived during the financial year, Strategic Risk 737 Transforming Tayside. Following the meeting on 3 September 2020 agreement was reached with the Chief Executive to archive the strategic risk in light of the extensive work which had been taken forward in terms of review of structure and delivery of services through the period of the Covid-19 pandemic, and the remobilisation plans in place as Service activity through NHS Tayside increases as Covid-19 pandemic restrictions are eased. The strategic risk was archived on 4 November 2020. A strategic risk was identified, and added to the Strategic Risk Register, through “Horizon Scanning, Emerging Themes and New Risks” by the Property Department, relating to the emerging risk of Environmental Sustainability, and it was agreed by the Strategic Risk Management Group at its meeting on 17 June 2020 that a strategic risk to manage the Statutory Obligations in relation to Environmental Management be developed, within interim ownership and management arrangements in place, until the Director of Facilities role was appointed to. Covid-19 The Chief Executive requested that consideration be given, by the Director of Public Health and appropriate colleagues, to the development of a Covid-19 strategic risk, which would be underpinned by the Public Health Service risk register. The draft strategic risk was presented to the Strategic Risk Management Group at its meeting on 8 December 2020 and consideration given to its addition to the organisation’s strategic risk register. At the end of the financial year 2020/2021 work is continuing to ensure that risk owners/managers incorporate Covid-19 elements into all strategic risks, and their mitigating controls. 
Risk Management Proposal for Tayside Mental Health Services

The Strategic Risk Management Group received a proposal at its meeting on 8 December 2020 which outlined three options for moving forward risk management arrangements for the Mental Health Services across Tayside. The proposal outlined the extensive exploration which had been undertaken by Mental Health Services and an option appraisal offered for consideration. The Strategic Risk Management Group identified Option 1 as the preferred option and this recommendation was taken to the Chief Executive who concurred with the decision (14 December 2020).

Option 1 - The Strategic Risk for Mental Health and Learning Disabilities will be owned by the Director of Mental Health and Wellbeing, and the system wide service risks will be managed by members of the Mental Health Integrated Leadership Group (ILG) (recognising that one member of the group will need to be nominated to represent the Group as manager within Datix for each system wide service risk). The ILG will be tasked with the collective updating of the strategic risk via Datix and the completion of the required assurance report. Reporting and assurance will be through the NHS Tayside Care Governance Committee, with additional reporting through the partner organisations Governance groups as required. The agenda of the ILG will be orientated to the key risks, allowing regular risk reviews with the full participation of the membership.

At the close of the financial year 2020/2021 strategic risk 395 remains unchanged within the Datix system. A new strategic risk is in the early stages of development.

Risk Management – Integration Joint Boards

The Integration Joint Boards each reported on their extant Strategic Risk Registers at each meeting, and provided updates on the development of their Covid-19 risk registers, inclusive of mitigating actions, and remobilisation plans for their respective Health and Social Care Partnerships to ensure ongoing delivery of services throughout the Covid-19 pandemic and beyond. The Integration Joint Board Risk Management Strategy has been under review, during the year 2020/2021, with representation from NHS Tayside through the Head of Strategic Risk and Resilience Planning in the process. It is expected that the finalised strategy document will be presented for approval to the three Integration Joint Boards of Tayside in April 2021, with formal presentation to NHS Tayside Board in June 2021.

Rolling Programme of Strategic Risk Peer Review

The Strategic Risk Management Group continued with the rolling programme of strategic risk peer review (introduced in September 2019) at which risk owners and/or managers provided exception updates and an opportunity for enquiry from members. The process allows peer to peer feedback from within the membership to ensure that levels of risks are correctly assessed; appropriate mitigation has been identified; assurance sought and received that the risk is effectively being treated, tolerated or eliminated.

Ten peer reviews were undertaken during the period 1 April 2020 to 31 March 2021:

• 17 June 2020

a) Strategic Risk 312 NHS Tayside Estate Infrastructure Condition

b) Strategic Risk 844 Nursing Workforce

c) Strategic Risk 845 Midwifery Workforce

d) Strategic Risk 16 Clinical Governance

• 3 September 2020

a) Strategic Risk 737 Transforming Tayside

b) Strategic Risk 26 Waiting Time and RTT Targets

c) Strategic Risk 615 Effective Prescribing

• 8 December 2020

a) Strategic Risk 619 EU Exit

b) Strategic Risk 395 Mental Health Services

c) Covid-19

The peer review schedule was updated in October 2020 to reschedule a number of risks following the cancellation of the Strategic Risk Management Group.

The Chair and Lead Officer did not reschedule the peer reviews not undertaken due to the deferment of the meeting on 18 February 2021 to a future Strategic Risk Management Group, as full assurance reporting and scrutiny was to be carried out at the Care Governance Committee on 22 April 2021:

• Strategic Risk 736 Public Protection

• Strategic Risk 798 Corporate Parenting

• Strategic Risk 880 Care Homes

Further rearrangement of the peer review schedule would have delayed peer review of strategic risks further and increased the risk to the organisation in its achievement of effective risk management.

5. ISSUES FOR CONSIDERATION IN NHS TAYSIDE’S GOVERNANCE STATEMENT

There are no exceptional issues that require to be reported in the governance statement.

6. CONCLUSION

As Chair of the Strategic Risk Management Group during financial year 2020-2021, I am satisfied that the frequency of meetings, the breadth of the business undertaken, and the range of attendees at meetings has allowed us to fulfil our remit. Given the work undertaken and progressed during the year, I can confirm as Chair of the Strategic Risk Management Group that an adequate and effective framework and systems for risk management were in place within NHS Tayside and were demonstrated to this committee during the financial year ended 31 March 2021.

I wish to acknowledge the contribution and continued commitment of Strategic Risk Management Group attendees, and to thank all those who have prepared high quality reports and attended meetings. In addition I wish to express my gratitude and thanks to Ms Margaret-Rose Campbell for undertaking the committee support role for the Strategic Risk Management Group during the year.

Grant Archibald

Chair

Strategic Risk Management Group

Considered and approved:

Appendix 1

Record of Attendance

NHS Tayside Strategic Risk Management Group 1 April 2020 to 31 March 2021

| Name | Designation | 23 Apr 2020 | 17 Jun 2020 | 03 Sept 2020 | 22 Oct 2020 | 08 Dec 2020 | 18 Feb 2021 |
|---|---|---|---|---|---|---|---|
| Members | | | | | | | |
| Mr G Archibald | Chief Executive (Chair) | Deferred Covid-19 | Apologies | Present CHAIR | Cancelled Business Continuity Issue | Apologies | Deferred Covid-19 |
| Mr S Lyall | Director of Finance (Lead Officer) | Deferred Covid-19 | Present CHAIR | L Lyall | Cancelled Business Continuity Issue | L Lyall | Deferred Covid-19 |
| Mrs H Walker | Head of Strategic Risk and Resilience Planning | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Ms M Dunning | Board Secretary | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Prof P Stonebridge | Medical Director | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Present CHAIR | Deferred Covid-19 |
| Mrs C Pearce | Director of Nursing and Midwifery | Deferred Covid-19 | Present | Apologies | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Mr G Doherty | Director of Workforce | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Apologies | Deferred Covid-19 |
| Dr D Walker (1 April-31 August 2020) | Director of Public Health | Deferred Covid-19 | Apologies | - | Cancelled Business Continuity Issue | | Deferred Covid-19 |
| Dr E Fletcher (1 December 2020) | Director of Public Health | Deferred Covid-19 | | | Cancelled Business Continuity Issue | A Eriksen | Deferred Covid-19 |
| Mr L Khalique | Director of Digital Technology | Deferred Covid-19 | Apologies | Apologies | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Ms J Bodie (1 April-2 April 2020) | Director of eHealth | Deferred Covid-19 | - | - | Cancelled Business Continuity Issue | - | Deferred Covid-19 |
| Ms H Scott | Assistant Chief Executive | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Apologies | Deferred Covid-19 |
| Mr D Coulson | Director of Pharmacy | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Apologies | Deferred Covid-19 |
| Mr B Nicoll | Director of Strategic Change | Deferred Covid-19 | Apologies | Present | Cancelled Business Continuity Issue | Apologies | Deferred Covid-19 |
| Mrs K Anderson | Director of Allied Health Partnerships (AHPs) | Deferred Covid-19 | Apologies | Apologies | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Mrs J Alexander | Employee Director | Deferred Covid-19 | Present | Apologies | Cancelled Business Continuity Issue | Apologies | Deferred Covid-19 |
| Mrs G Smith | Interim Chief Officer, Angus Health and Social Care Partnership | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Mrs V Irons | Chief Officer, Dundee Health and Social Care Partnership | Deferred Covid-19 | D Berry | Apologies | Cancelled Business Continuity Issue | D Berry | Deferred Covid-19 |
| Mr G Paterson | Chief Officer, Perth & Kinross Health and Social Care Partnership | Deferred Covid-19 | Present | Apologies | Cancelled Business Continuity Issue | C Jolly | Deferred Covid-19 |
| Mrs K Bell | Interim Director of Mental Health | Deferred Covid-19 | Apologies | Apologies | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Ms L Wiggin | Chief Officer Acute Services | Deferred Covid-19 | Present | Apologies | Cancelled Business Continuity Issue | Apologies | Deferred Covid-19 |
| In Attendance | | | | | | | |
| Mrs A Dailly | Head of Information Governance and Cyber Assurance/Data Protection Officer | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |
| Ms M Campbell | Committee Support Officer | Deferred Covid-19 | Present | Present | Cancelled Business Continuity Issue | Present | Deferred Covid-19 |

Appendix 2

STRATEGIC RISK MANAGEMENT GROUP (SRMG) WORKPLAN 2020/2021

Please note that this is a dynamic document.

Columns: Responsible Person, followed by Planned and Actual for each meeting date below (Planned only for 8 April 2021 onward).

• 23 April 2020 (Meeting deferred due to Covid-19 pandemic)

• 17 June 2020

• 03 September 2020

• 22 October 2020 (Meeting cancelled due to a business continuity issue)

• 08 December 2020

• 18 February 2021 (Meeting deferred due to Covid-19 pandemic)

• 8 April 2021 onward

Risk Management – Strategic Risk Peer Review – REVISED PEER REVIEW SCHEDULE FOLLOWING CANCELLATION OF SRMG 22 OCTOBER 2020

Risks aligned to Tayside NHS Board

737 Transforming Tayside ARCHIVED | Chief Executive | Item 3.1a

Risks aligned to the Performance and Resources Committee:

26 Waiting Times and RTT Targets | Director of Acute Services | Item 3.1b 17/02/2022

312 NHS Tayside Estate infrastructure Condition | Director of Operations | Item 4.3a 19/08/2121

615 Effective Prescribing | Medical Director | Item 3.1c 17/02/2022

636 Prioritisation and Management of Capital Funding | Director of Finance | 21/10/2021

679 eHealth Technical Infrastructure and Modernisation Programme | Director of eHealth | 19/08/2021

680 eHealth Cyber Attack | Director of eHealth | 19/08/2021

723 Long Term Financial Sustainability | Director of Finance | 21/10/2021

849 Financial Annual Plan 2020/2021 | Director of Finance | 21/10/2021

Risks aligned to the Staff Governance Committee:

58 Workforce Optimisation | Director of Workforce | 08/04/2021

863 Medical Workforce | Medical Director | 10/06/2021

734 Health and Safety | Director of Workforce | 08/04/2021

844 Nursing Workforce | Director Nursing and Midwifery | Item 4.3b 09/12/2021

845 Midwifery Workforce | Director Nursing and Midwifery | Item 4.3c 09/12/2021

Risks aligned to the Care Governance Committee:

14 Infection Prevention and Control | Medical Director | 10/06/2021

16 Clinical Governance | Medical Director/ Nurse Director | Item 4.3d 19/12/2021

395 Mental Health Services | Chief Officer, P&K HSCP | Item 3.1c 14/04/2022

637 Child and Adult Mental Health Services | Medical Director | 10/06/2021

736 Public Protection | Director Nursing and Midwifery | Rescheduled to 18/02/2021 Deferred to 08/04/2021 /06/2022

798 Corporate Parenting | Director Nursing and Midwifery | Rescheduled to 18/02/2021 Deferred to 08/04/2021 /06/2022

880 Care Homes | Director of Nursing and Midwifery | Rescheduled to 18/02/2021 Deferred to 08/04/2021 /06/2022

Risks aligned to Angus Integration Joint Board

353 Sustainable Primary Care Services | Chief Officer, Angus HSCP | 08/04/2021

New Risks to be assigned to a Standing Committee

Covid-19 | Chief Executive | Item 3.1b 14/04/2022

619 EU Exit | Board Secretary | Item 3.1a 14/04/2022

807 Statutory Obligations in relation to Environmental Management | Head of Property | 17/02/2022

Strategic Risks Registers Integrated Joint Boards

Angus Integration Joint Board | Chief Officer, Angus HSCP | Deferred to 17/06/2020 Item 4.4a Item 3.2a Deferred to 08/12/2020 Item 3.2a Deferred to 08/04/2021

Dundee Integration Joint Board | Chief Officer, Dundee HSCP | Deferred to 17/06/2020 Item 4.4b Item 3.2b Deferred to 08/12/2020 Item 3.2b Deferred to 08/04/2021

Perth & Kinross Integration Joint Board | Chief Officer, P&K HSCP | Deferred to 17/06/2020 Item 4.4c Item 3.2c Deferred to 08/12/2020 Item 3.2c Deferred to 08/04/2021

Risk Management

Risk Management Strategy | Director of Finance

Risk Management Guidance Note | Director of Finance

NHS Tayside Strategic Risk Profile | Director of Finance | Deferred to 17/06/2020 Item 4.1

Risk Management Workplan | Director of Finance | Deferred to 17/06/2020 Incl in Item 4.6

Risk Management Mid Year and Annual Report | Director of Finance | Deferred to 17/06/2020 Annual Report Item 4.6 Item 3.5 Virtual SRMG consultation undertaken to enable presentation at A&RC 19/11/20

Self Assessment and Audit Tool | Director of Finance | Deferred to 17/06/2020

Risk Appetite Statement Review | Director of Finance | Defer until SLWG work is complete Verbal Update Item 3.4

Resilience Planning

Resilience Planning Report | Board Secretary | Item 5.1 Item 4.1 Item 4.1

Resilience Planning Annual Report (following approval at the Resilience Planning Advisory Group) | Board Secretary | Item 5.2

Resilience Planning Framework (Review of) | Board Secretary | Deferred to 08/04/2021

Policy Management

Policy Management Update Report | Board Secretary | Deferred to 17/06/2020 Item 6.1 Item 5.1 Deferred to 08/12/2020 Item 5.1 Deferred to 08/04/2021

Governance

SRMG Annual Report | Director of Finance | Deferred to 17/06/2020 Item 7.2

SRMG Terms of Reference | Director of Finance | Deferred to 17/06/2020 Item 7.2

SRMG Work Plan | Director of Finance | Deferred to 17/06/2020 Item 7.2 Item 6.2 Deferred to 08/12/2020 Item 6.2 Deferred to 08/04/2021

Information Governance and Cyber Assurance Committee Update Quarterly Report – (April, Aug, Dec 2021) | Board Secretary | Deferred to 17/06/2020 Item 7.1 Item 6.1 Deferred to 08/12/2020 Item 6.1 08/04/2021

Items for information

Datix Steering and Development Group | Chair | 24 February 2020 Item 8.2 28 May 2020 Item 7.1 10 September 2020 Deferred to 08/12/2020 10 September 2020 Item 7.3 5 November 2020 Deferred to 08/04/2021

Resilience Planning Governance Group | Board Secretary | 17 March 2020 Item 8.3 18 June 2020 Item 7.2 15 September 2020 Deferred to 08/12/2020 15 September 2020 Item 7.1 8 December 2020 Deferred to 08/04/2021

Short Life Working Group Risk Management Action Note | Chair | 19 May 2020 Item 8.1 09 June 2020 Item 7.3 16 September 2020 Deferred to 08/12/2020 16 September 2020 Item 7.2 3 November 2020 Deferred to 08/04/2021

Additional Items

Datix Cloud IQ | Ass Dir of PS, CG & RM | Item 4.5 Updated Report Item 3.4 Report to be presented at ELT not SRMG

Short Life Working Group Risk Management Update | Director of Finance | Verbal Item 4.2 Verbal Item 3.3 Deferred to 08/12/2020 Item 3.3

Environmental Sustainability (Horizon Scanning) | Environmental and Quality Manager | Item 4.7

Strategic Risk Profile Peer Review Programme 2020/2021 | Chair | Item 7.4

Flu Immunisation Programme Update | Director of Public Health | Report no longer required as reported through other pathways

SRMG Schedule of Meetings 2021/2022 | Chair | Item 6.3

RISK MANAGEMENT

Strategic Risk Management Group Terms of Reference

Author: Tayside NHS Board Corporate Services

Review Group: Strategic Risk Management Group

Review Date: April 2022 Last Update: April 2021 Document No: 1 Issue No: 7.1

UNCONTROLLED WHEN PRINTED

Signed:

Executive Lead – Chief Executive

Appendix B

Version number: 7.1 Created by: M Campbell Date last updated: 31/03/2021 Updated by: M Campbell

NHS TAYSIDE STRATEGIC RISK MANAGEMENT GROUP TERMS OF REFERENCE

1 Introduction

This paper outlines the Terms of Reference and Workplan for the Strategic Risk Management Group.

2 Chair and Executive Lead Officer

The appointed Chair of the Strategic Risk Management Group (SRMG) is the Chief Executive of NHS Tayside who is the Accountable Officer. The Lead Officer of the SRMG is the Director of Finance.

3 Support Officer

Support to the group is provided by Margaret-Rose Campbell, Committee Support Officer.

Items for the agenda should be submitted to the Committee Support Officer who, in conjunction with the Director of Finance and the Head of Risk and Resilience, is responsible for all communications in relation to the SRMG.

The Committee Support Officer is responsible for ensuring agendas and reports for the SRMG are sent electronically to the Group at least three clear days prior to the meeting.

4 Purpose of Group

The purpose of the SRMG is to:

• Ensure NHS Tayside’s Risk Management arrangements are robust and comply with national policy, and are embedded into all aspects of service provision, planning and business management

• Ensure NHS Tayside’s resilience and business continuity functions comply with Civil Contingencies Act 2004 and associated legislation

• Maintain an overview of the management of organisational policies.

5 The membership of the SRMG:

Membership:

• Chief Executive (Chair)

• Director of Finance

• Board Secretary

• Medical Director

• Director of Nursing and Midwifery

• Director of Workforce

• Director of Public Health

• Director of Digital Technology

• Assistant Chief Executive

• Director of Pharmacy

• Director of Allied Health Professions (AHPs)

• Employee Director or other relevant staff side representative

• Chief Officer, Angus Health and Social Care Partnership

• Chief Officer, Dundee Health and Social Care Partnership

• Chief Officer, Perth and Kinross Health and Social Care Partnership

• Director of Mental Health Services

• Director of Facilities

• Chief Officer Acute Services

• Head of Strategic Risk and Resilience Planning

In attendance: Head of Information Governance and Cyber Assurance/Data Protection Officer

Deputies: Members (Risk Owners) must ensure that the manager of their risk deputises for them in their absence.

The Group may establish working groups for activities such as the audit of particular practices or any other subject which members consider relevant to the objectives of the Group.

6 Quorum

No business shall be transacted at a meeting of the group unless the following are present:

• at least four Directors, including the Director of Finance and the Board Secretary.

• Head of Strategic Risk and Resilience Planning.

7 Frequency of meetings

Six meetings are scheduled within the financial year. The Chair may decide to hold additional meetings or defer a meeting with the agreement of the Lead Officer.

8 Remit

Risk Management:

• Agree and prioritise the strategic risks that will form the organisation’s Strategic Risk Profile. This will be undertaken through exercises such as horizon scanning, receipt of legislation, journal articles to ensure NHS Tayside addresses new and emerging risk management issues.

• Monitor progress of risk control for all strategic risks through a rolling programme of peer review ensuring improvement over time.

• Ensure that the NHS Tayside Strategic Risk Profile is being adequately maintained and can be used as a driver for risk management through the appropriate allocation of resources and incorporation into strategic and operational plans as required.

• Review and approve the Risk Management Strategy; and Risk Management Framework ensuring roles and responsibilities relating to risk management are specified to support integration with all aspects of organisational management and that risk management is embedded at all levels of NHS Tayside including its governance structures.

• Endorse a framework for risk appetite for onward approval at the Audit and Risk Committee/Tayside NHS Board.

• Undertake a self assessment during the year using an approved toolkit.

• Approve, monitor and evaluate progress against an annual Risk Management work plan.

• Approve the risk management mid-year and annual reports for presentation to the Audit and Risk Committee to provide assurance.

Resilience Planning:

• Monitor and evaluate the progress against resilience planning through the receipt of Resilience Planning Advisory Group Minutes, the Resilience Planning Advisory Group Annual Report, and the Resilience Planning Quarterly Report.

• Ensure that the Resilience Planning Advisory Group (RPAG) review and approve all NHS Tayside’s Resilience procedures and that the planning and executing of all components of NHS Tayside responses to major incidents, emergencies and outbreaks are carried out and lessons learned are embedded in future plans.

• Assign responsibility for any aspect of NHS Tayside’s emergency preparedness and business continuity functions as required ensuring Resilience Planning is embedded at all levels of NHS Tayside including its governance structures.

• Review and approve the Resilience Planning Policy every two years ensuring roles and responsibilities relating to Resilience Planning are specified to support their integration with all aspects of organisational management.

Information Governance:

• Receive, from the Information Governance and Cyber Assurance Committee, a bi-monthly assurance report, including an update on information and information security risks along with recommendations for any information and information security risks to be considered for inclusion on the Strategic Risk Register.

9 Authority

The SRMG is authorised by the Chief Executive to explore and implement any activity within its Terms of Reference.

In order to fulfil its remit, the SRMG may obtain whatever professional, technical or other advice it requires, may commission work to be delivered on its behalf, and may seek any information it requires from any employee.

10 Reporting Arrangements

Minutes of the SRMG will be forwarded to the Audit and Risk Committee; and Internal Audit.

The SRMG should annually, either before or after the first meeting of the new financial year, prepare a Workplan.

The SRMG will produce an Annual Report for presentation to the Audit and Risk Committee. The Annual Report will describe the outcomes from the SRMG during the year and provide an assurance to the Audit and Risk Committee that the SRMG has met its remit during the financial year. The Annual Report must be approved by the SRMG before it is presented to the Audit and Risk Committee considering the Annual Accounts.

11 Workplan

The Strategic Risk Management Group workplan is included at Appendix 1.

12 Timetable for submitting agenda items and papers

The meetings schedule and timetable for submitting agenda items and papers is included as Appendix 2.

13 Version Control

Version control should be included as Appendix 3.

Appendix 1

STRATEGIC RISK MANAGEMENT GROUP (SRMG) WORKPLAN 2021-2022

Please note that this is a dynamic document.

Columns: Responsible Person, followed by Planned and Actual for each meeting date below (Planned only for 14 April 2022).

• 08 April 2021

• 10 June 2021

• 19 August 2021

• 21 October 2021

• 09 December 2021

• 17 February 2022

• 14 April 2022

Risk Management – Strategic Risk Peer Review

Risks aligned to Tayside NHS Board

619 EU Exit | Board Secretary

Risks aligned to the Performance and Resources Committee (as per schedule):

26 Waiting Times and RTT Targets | Director of Acute Services

312 NHS Tayside Estate infrastructure Condition | Director of Operations

615 Effective Prescribing | Medical Director

636 Prioritisation and Management of Capital Funding | Director of Finance

679 eHealth Technical Infrastructure and Modernisation Programme | Director of Digital Technology

680 eHealth Cyber Attack | Director of Digital Technology

723 Long Term Financial Sustainability | Director of Finance

849 Financial Annual Plan 2020/2021 | Director of Finance

807 Statutory Obligations in relation to Environmental Management | Director of Facilities

Risks aligned to the Staff Governance Committee:

58 Workforce Optimisation | Director of Workforce | Item 3.2a

863 Medical Workforce | Medical Director

734 Health and Safety | Director of Workforce | Defer: Full review of risk being undertaken

844 Nursing Workforce | Director Nursing and Midwifery

845 Midwifery Workforce | Director Nursing and Midwifery

Risks aligned to the Care Governance Committee:

14 Infection Prevention and Control | Medical Director

16 Clinical Governance | Medical Director/ Nurse Director

395 Mental Health Services | Chief Officer, P&K HSCP

637 Child and Adult Mental Health Services | Medical Director

736 Public Protection | Director Nursing and Midwifery

798 Corporate Parenting | Director Nursing and Midwifery

880 Care Homes | Director of Nursing and Midwifery

Due to the deferment of SRMG 18/02/2021, these risks to be reviewed through Assurance Reporting at the Standing Committee of Care Governance 22/04/2021

Risks aligned to Angus Integration Joint Board

353 Sustainable Primary Care Services | Chief Officer, Angus HSCP | Item 3.2b

New Risks to be assigned to a Standing Committee

(New) Covid-19 | Chief Executive | 14/04/2022

Strategic Risks Registers Integrated Joint Boards

Angus Integration Joint Board (every meeting) | Chief Officer, Angus HSCP | Item 3.3a

Dundee Integration Joint Board (every meeting) | Chief Officer, Dundee HSCP | Item 3.3b

Perth & Kinross Integration Joint Board (every meeting) | Chief Officer, P&K HSCP | Item 3.3c

Risk Management

Risk Management Strategy | Director of Finance | TBC

Risk Management Framework | Director of Finance | TBC

Risk Appetite Statement Review (annually) | Director of Finance | TBC

NHS Tayside Strategic Risk Profile (annually) | Director of Finance | Item 3.1

Risk Management Annual/Mid Year Report and Workplan (bi-annually) | Director of Finance | Item 3.4

Self Assessment and Audit Tool (annually) | Director of Finance | Item 3.5

Resilience Planning

Resilience Planning Update Report (Quarterly in line with the RPGG) | Board Secretary | Item 4.2

Resilience Planning Framework (annually) | Board Secretary | c/f from 18/02/21 Item 4.1

Resilience Planning Annual Report (following approval at the Resilience Planning Advisory Group) (annually) | Board Secretary

Policy Management

Policy Management Update Report (every meeting) | Board Secretary | Item 5.1

Governance

Information Governance and Cyber Assurance Committee Report (April, Aug, Dec) | Board Secretary | Item 6.1

SRMG Annual Report, Terms of Reference and Workplan (annually) | Director of Finance | Item 6.2

SRMG Workplan 2021-2022 (updated every meeting) | Director of Finance

Items for information

Resilience Planning Governance Group (RPGG) Minutes (following scheduled meeting) | Board Secretary | c/f from 18/02/21 08/12/20 Item 7.1 16/03/21 17/06/21 14/09/21 14/12/21

SLWG Risk Management Action Note | Director of Finance | c/f from 18/02/21 Item 7.2 03/11/20

Datix Steering and Development Group Minutes (following scheduled meeting) | Director of Finance | c/f from 18/02/21 05/11/21 Item 7.3

Additional Items

SRMG Schedule of Meetings 2022/2023 (annually) | Director of Finance

Appendix 2

Meetings Schedule and Timetable for Submitting Agenda Items 2021-2022

| | Final reports to be submitted by: | Agenda and Papers to be issued: | Date of Committee Meeting | Time |
|---|---|---|---|---|
| Strategic Risk Management Group | 25 March 2021 | 01 April 2021 | 08 April 2021 | 1400 hrs |
| Strategic Risk Management Group | 27 May 2021 | 03 June 2021 | 10 June 2021 | 1400 hrs |
| Strategic Risk Management Group | 05 August 2021 | 12 August 2021 | 19 August 2021 | 1400 hrs |
| Strategic Risk Management Group | 07 October 2021 | 14 October 2021 | 21 October 2021 | 1400 hrs |
| Strategic Risk Management Group | 25 November 2021 | 02 December 2021 | 09 December 2021 | 1400 hrs |
| Strategic Risk Management Group | 03 February 2022 | 10 February 2022 | 17 February 2022 | 1400 hrs |
| Strategic Risk Management Group | 31 March 2022 | 07 April 2022 | 14 April 2022 | 1400 hrs |

Appendix 3

Version Control Table

Key Information:

Title: Terms of Reference for Strategic Risk Management Group

Date Published/Issued:

Date Effective From: 1 April 2021

Date of Review: 31 March 2021

Version/Issue Number: Issue 7.1

Document Type: Corporate

Document status: Draft

Author: Name: Margaret-Rose Campbell; Role: Committee Support Officer; Department: Chief Executive Department

Owner: Mrs Hilary Walker, Head of Risk and Resilience Planning

Approver: Audit and Risk Committee

Name of Committee/Group: Audit and Risk Committee

Membership of Committee/ Group:

Approved by and Date:

Contact: Name: Margaret-Rose Campbell; Tel: 01738 740761; Email: [email protected]

File Location/Doc store link:

Version History

Version | Date | Updated by

ITEM NUMBER 7.1

AUDIT30/2021

Audit and Risk Committee

22 June 2021

NHS Tayside Strategic Risk Profile

Responsible Officer: Stuart Lyall, Director of Finance

Report Author: Hilary Walker, Head of Strategic Risk and Resilience Planning

1 Purpose

Please select applicable item(s) in each section and delete the others.

This is presented to the Audit and Risk Committee for:

• Assurance

• Awareness

This report relates to:

• Legal requirement

• Local policy

This aligns to the following NHSScotland quality ambition(s):

• Safe

• Effective

• Person Centred

2 Report summary

2.1 Situation

The Strategic Risk Profile aims to identify risks that could impact on the achievement of NHS Tayside’s objectives, particularly but not exclusively related to delivery of NHS Tayside’s Strategic Framework, Clinical Strategy and Health and Social Care Strategic Plans.

This report has been designed to ensure that the Audit and Risk Committee is in a position to understand the organisation’s overall strategic risk profile; able to determine and continuously conduct a balanced assessment of the nature and extent of the principal risks to which the organisation is exposed and is willing to take in pursuit of its objectives. It also sets out for review, discussion and noting new, closed or emerging risks and material changes to existing risks and is designed to assist Members in reviewing the adequacy and effectiveness of the risk management systems and processes in place.

The report provides a moderate level of assurance. There is an adequate framework/system in place with only minor weaknesses present.


NHS Tayside is required to assess on a regular basis the significant risks to which it is exposed and to be satisfied that appropriate systems are in place to mitigate exposure to these risks. As such, active management of risk takes place at:

• Strategic Risk Management Group, bimonthly
• Standing Committees of the Board, as a minimum, at every second meeting
• Audit and Risk Committee
• Tayside NHS Board

2.2 Background

The Chief Executive, as Accountable Officer, has responsibility for maintaining a sound system of Internal Control and reviewing the effectiveness of the system within their organisation culminating in the preparation of an annual Governance Statement. The Audit and Risk Committee has delegated responsibility from Tayside NHS Board for reviewing the adequacy and effectiveness of the systems and process in place to manage risk within NHS Tayside. As part of the minimum requirements an annual assessment of the risk management arrangements in place should be conducted to assess and confirm whether adequate and effective risk management arrangements were in place throughout the financial year. In addition, each strategic risk is aligned to a standing committee of the Board and it is that committee’s responsibility to carry out deep dives of those risks to oversee the management of those individual risks and the effectiveness of the controls.

2.3 Assessment

The strategic risk register is attached in Appendix 1 and shows the current position. In reviewing the strategic risk register since the last reporting period, the following observations can be made:

• There are 24 risks in the current strategic risk profile, 22 of which are recorded within the electronic risk register.

• No risks have been archived.

• No new risks have been added to the profile.

• One strategic risk has been closed and replaced with a revised and updated new risk.

• The number of very high/red risks has decreased from 7 to 6; high/amber risks has increased from 14 to 15 and medium/yellow has remained the same at 1.

• Of the current risk exposure ratings for the 22 recorded strategic risks – 0 have increased; 1 has decreased (Health and Safety) and 21 remain unchanged.

• Planned risk exposure ratings – There have been no changes made to the planned risk exposure ratings of the 22 recorded strategic risks.


• At the time of data extraction (21 May 2021) 1 risk was overdue for review and 3 risks did not have risk review dates set. These are being followed up with the relevant risk owners/managers and support offered where required.

2.3.1 Quality/ Patient Care

The strategic risk register covers 5 risks relating to this area.

2.3.2 Workforce

The strategic risk register covers 4 risks relating to this area.

2.3.3 Financial

The strategic risk register covers 4 risks relating to this area.

2.3.4 Risk Assessment/Management

The annual Governance Statement should be informed by work undertaken throughout the financial year to gain assurances about risk management.

2.3.5 Equality and Diversity, including health inequalities Not applicable.

2.3.6 Other impacts Not applicable.

2.3.7 Communication, involvement, engagement and consultation Not applicable.

2.3.8 Route to the Meeting Not applicable.

2.4 Recommendation

This report is presented for:
• Assurance – Examine and state level of assurance.
• Awareness – For Members’ information and discussion as required.

Members of the Audit Committee are asked to:

• Consider the Strategic Risk Profile (Appendix 1) and the assessment provided within section 2.3 of this report.


Level of Assurance | System Adequacy | Controls
Comprehensive Assurance | Robust framework of key controls ensures objectives are likely to be achieved. | Controls are applied continuously or with only minor lapses.
Moderate Assurance | Adequate framework of key controls with minor weaknesses present. | Controls are applied frequently but with evidence of non-compliance.
Limited Assurance | Satisfactory framework of key controls but with significant weaknesses evident which are likely to undermine the achievement of objectives. | Controls are applied but with some significant lapses.
No Assurance | High risk of objectives not being achieved due to the absence of key internal controls. | Significant breakdown in the application of controls.

3 List of appendices

The following appendices are included with this report:

Appendix No 1, NHS Tayside Strategic Risk Profile

STRATEGIC RISK PROFILE

21 May 2021

NHS TAYSIDE – STRATEGIC RISK PROFILE

Columns: Datix Ref | Risk Title and Description | Risk Exposure (RE) – No Controls (L, C, RE) | Risk Exposure (RE) – Current Controls (L, C, RE) | Planned Risk Exposure (RE) (L, C, RE) | Current Risk Trend | Lead Director/Risk Owner and Standing Committee

680 eHealth Cyber Security Attack As a result of the impact from Cyber Security threats such as malware, ransomware and virus exposure etc, there is a risk that NHS Tayside will be non-compliant in relation to Cyber Security and NISD regulations, leading to an impact on patient care as a result of the risk to integrity/security of patient/personal/business data and disruption to services. The Cyber Security threat is the same across both our managed network and the medical devices network, known as the QVLAN. However, the vulnerability level is greater on the QVLAN, as we cannot apply the same level of cyber security protection to the devices contained within it.

RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Director of Digital; Standing Committee: Performance and Resources Committee

679 eHealth Technical Infrastructure and Modernisation Program A lack of an overarching application strategy, combined with lack of investment in staffing and technical skills within eHealth, has led to a lack of lifecycle management of the core applications environment, with an increasing risk of failure of IT services, with the potential of non-recovery. This could result in loss of patient/business data, together with non-compliance with Cyber Security regulations and inability to support future digital transformation/expectations of the organisation.

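RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 4, C 4, RE 16; Current Risk Trend: →
Lead Director/Risk Owner: Director of Digital; Standing Committee: Performance and Resources Committee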

723 Long Term Financial Sustainability As a result of failure to develop and implement the actions outlined in the Three Year Financial Plan 2020/21 to 2022/23 NHS Tayside does not return to balance by the end of financial year 2020/21, resulting in NHS Tayside not meeting its statutory financial targets.

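RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 4, C 5, RE 20; Planned RE: L 3, C 4, RE 12; Current Risk Trend: →
Lead Director/Risk Owner: Director of Finance; Standing Committee: Performance and Resources Committee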

849 Finance Annual Plan 2020/21 As a result of risks and uncertainties the projected outturn for Year 1 (2020/21) of the Strategic Financial Plan 2020/21 to 2022/23 is not achieved resulting in NHS Tayside not meeting the financial targets set by Scottish Government Health and Social Care Directorate (SGHSCD)

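RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 3, C 4, RE 12; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Director of Finance; Standing Committee: Performance and Resources Committee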

636 Prioritisation and Management of Capital funding Lack of prioritisation and control around the utilisation of limited capital resources, and staffing resources, available to deliver the Clinical Strategy and the Regional Asset Management Plan (RAMP) will lead to an inability to deliver safe and effective care in an appropriate healthcare environment which is fit for purpose which will result in damage to organisational reputation. All asset disposal proceeds will be re-invested in the Infrastructure Programme. As such, progress with the asset disposal programme needs to be monitored, with a clear understanding around the timing of receipt of asset disposal proceeds.

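RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 4, C 3, RE 12; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Director of Finance; Standing Committee: Performance and Resources Committee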

312 NHS Tayside Estate infrastructure condition

Failure to upgrade the existing infrastructure and improve the condition, capacity and resilience, considering the entire property portfolio of NHS Tayside will result in a lack of capacity and resilience therefore restricting future site expansion, non compliance with current technical standards and legislation, the inability to deliver the anticipated capital plan resulting in reputational loss and the ability to meet clinical demand.

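RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 2, C 3, RE 6; Current Risk Trend: →
Lead Director/Risk Owner: Director of Facilities; Standing Committee: Performance and Resources Committee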

26 Waiting Times and RTT Targets Failure to deliver on the key national targets for waiting times and RTT targets

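RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 5, C 4, RE 20; Planned RE: L 5, C 4, RE 20; Current Risk Trend: →
Lead Director/Risk Owner: Chief Officer, Acute Services; Standing Committee: Performance and Resources Committee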

615 Effective Prescribing As a result of changes in market forces, national pricing policy and variation in prescribing practice, these variables may impact upon our ability to deliver financial targets with regards to prescribing (both primary care and secondary care) costs. As new medicines become increasingly complex and their costs continue to grow, it is imperative we have in place effective governance arrangements to ensure the safe, clinically effective and cost effective use of medicines.

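RE – No Controls: L 4, C 4, RE 16; RE – Current Controls: L 4, C 3, RE 12; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Medical Director; Standing Committee: Performance and Resources Committee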

807 Statutory obligations in relation to environmental management NHS Tayside is required to identify all mandatory requirements necessary to underpin its statutory obligations in relation to environmental management and to promote the delivery of wider Government policies and strategies for the NHS in Scotland. The Sustainability and Environmental agenda is designed to support the reduction of carbon emissions. There is also a requirement for NHS Tayside to fulfil its public duties as defined in the Climate Change (Scotland) Act 2009, and comply with the Environmental Protection Act and all other Environmental Directives, Legislation and Regulations governing the Environment. At present NHS Tayside has no Executive Lead for Environmental Management and no Tayside wide Operational Lead for Environmental Management.

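RE – No Controls: L 5, C 3, RE 15; RE – Current Controls: L 3, C 3, RE 9; Planned RE: L 2, C 2, RE 4; Current Risk Trend: →
Lead Director/Risk Owner: Director of Facilities; Standing Committee: Performance and Resources Committee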

734 Health and Safety

Failure to ensure compliance with the Health and Safety at Work etc. Act 1974 and pertaining regulations as a legal requirement, and to minimise the incidence of all workplace risks for our staff, contractors, visitors and the public at large. Failure to ensure regular risk assessment to identify hazards, the prioritisation, planning and implementation of associated effective control measures, that financial and physical resources necessary are in place to enable staff to work safely and effectively, and that line managers and staff are competent and confident in the discharge of their responsibilities in maintaining healthy and safe working arrangements

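RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 3, C 4, RE 12; Current Risk Trend: ↓
Lead Director/Risk Owner: Director of Workforce; Standing Committee: Staff Governance Committee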

844 Nursing Workforce As a result of a national shortage and local workforce demographics (ageing workforce), there is a risk that we will be unable to recruit and retain sufficient numbers of registered nurses which will result in a failure to maintain safe and effective nursing staffing levels.

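RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 4, C 1, RE 4; Current Risk Trend: →
Lead Director/Risk Owner: Director of Nursing and Midwifery; Standing Committee: Staff Governance Committee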

845 Midwifery Workforce As a result of a national shortage and local workforce demographics (aging workforce and geographical spread of population) and a lack of the local delivery of Midwifery training, there is a risk there will be an inability to recruit and retain sufficient numbers of registered Midwives, which would lead to a failure to maintain safe and effective Midwifery staffing levels and to deliver Scottish Government policy The Best Start; A Five Year Forward plan for Maternity and Neonatal care in Scotland.

RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 4, C 3, RE 12; Planned RE: L 4, C 2, RE 8; Current Risk Trend: →
Lead Director/Risk Owner: Director of Nursing and Midwifery; Standing Committee: Staff Governance Committee

863 Medical Workforce As a result of national shortages of doctors within specific specialties and the inability to retrain and recruit doctors in training, there is a risk of an insufficient supply of doctors to training and career grade posts within the acute and community sectors. This may lead to a negative impact on the sustainability of service provision.

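RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 3, C 4, RE 12; Current Risk Trend: →
Lead Director/Risk Owner: Medical Director; Standing Committee: Staff Governance Committee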

58 Workforce Optimisation As a result of a failure to create an environment that ensures the effective planning, recruitment, deployment and retention of workforce, the risk of insufficient staffing levels and skill mix may occur, which could lead to a negative impact on the quality of patient care, service delivery and financial balance.

RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 5, C 4, RE 20; Planned RE: L 4, C 3, RE 12; Current Risk Trend: →
Lead Director/Risk Owner: Director of Workforce; Standing Committee: Staff Governance Committee

16 Clinical Governance

As a result of not having a robust set of clinical governance and risk management arrangements in place, there may be a failure to deliver reliable, safe, effective and person centred care in all health and care settings and unexpected adverse events may occur which would result in harm or deterioration to people. Evaluation and learning from adverse event management will reduce the risk of future harm.

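RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 3, C 4, RE 12; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Medical Director; Standing Committee: Care Governance Committee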

934 Mental Health and Learning Disabilities The Strategic Risk for Mental Health and Learning Disabilities is a result of two key components, Patient Care Pathways and Workforce, both of which have a focus on safety and improving the health and wellbeing outcomes for people with Mental Health problems and Learning Disabilities. 1. As a result of care pathways requiring review, development or implementation there is a risk that patients will experience unwarranted variation in person centred, safe and effective care with a detrimental impact on outcomes of care and treatment. 2. As a result of an inability to recruit and retain a sufficiently well trained and engaged workforce, we will be unable to deliver safe and effective person centred care within a culture of candour, organisational integrity and innovation; which may lead to poor mental health outcomes for people.

RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 3, C 4, RE 12; Current Risk Trend: → (in comparison to Risk Exposure (RE) – Current Controls of previous MH Risk 395)
Lead Director/Risk Owner: Medical Director; Standing Committee: Care Governance Committee

14 Infection Prevention and Control As a result of a failure to comply with consistent infection prevention and control measures or evolving microbial risks there will be an outbreak of infection or adverse event which will result in an inability to provide a safe clean environment which could affect patient safety, service delivery and organisational reputation.

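RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 5, C 4, RE 20; Planned RE: L 4, C 4, RE 16; Current Risk Trend: →
Lead Director/Risk Owner: Medical Director; Standing Committee: Care Governance Committee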

637 Child and Adolescent Mental Health Services (CAMHS) Child and Adolescent Mental Health Services (CAMHS) Outpatient performance in Tayside against the 18 week target is lower than 90%; the consequences impact on patients and their families and have resulted in adverse publicity for the Board.

RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Medical Director; Standing Committee: Care Governance Committee

736 Public Protection As a result of insufficient infrastructure and resource in Adult Protection, NHS Tayside is unable to progress the development of a Public Protection Framework (encompassing Children and Adults) to provide effective protection of vulnerable people. As a consequence, ineffective protection of vulnerable people (particularly adults) may occur which would lead to people being at risk of neglect, abuse or harm. This may result in NHS Tayside failing in its duty of care and responsibility to vulnerable people to protect them.

RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 4, C 4, RE 16; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Director of Nursing and Midwifery; Standing Committee: Care Governance Committee

798 Corporate Parenting

As a result of the Children and Young People (Scotland) Act 2014, there is a risk that NHS Tayside will be unable to evidence its fulfillment of its responsibilities and duties related to Corporate Parenting (Part 9), resulting in NHS Tayside failing to deliver against its statutory duties and legislative requirements.

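RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 3, C 5, RE 15; Planned RE: L 2, C 3, RE 6; Current Risk Trend: →
Lead Director/Risk Owner: Director of Nursing and Midwifery; Standing Committee: Care Governance Committee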

880 Care Home Oversight As a result of the requirement for arrangements to be implemented for the enhanced oversight of care homes, failure to do so may result in a lack of provision of clinical and professional oversight, analysis of issues and development and implementation of solutions which would lead to an inability to ensure Tayside's Care Homes remain as safe and as free from Covid-19 as possible and to sustain services during the Covid-19 Pandemic and have access to the best possible expert advice on and the implementation of infection prevention and control and secure clinical support when needed.

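RE – No Controls: L 5, C 5, RE 25; RE – Current Controls: L 4, C 5, RE 20; Planned RE: L 2, C 3, RE 6; Current Risk Trend: →
Lead Director/Risk Owner: Director of Nursing and Midwifery; Standing Committee: Care Governance Committee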

353 Sustainable Primary Care Services As a result of an increase in GP vacancies due to retirement and difficulties in relation to recruitment and retention, there is a risk that NHS Tayside will be unable to provide GP services. This risk recognises that failure to maintain sustainable Primary Care Services both in each locality across Tayside will result in a failure to achieve the 20/20 Vision, the National Clinical Strategy and local Primary Care Strategy. This would result in patients being unable to access Primary Care Services across the geographical location and in a failure to provide continuity of service. This would lead to adverse publicity, reputational damage and unsatisfactory patient experience. Furthermore, there is a risk to the ability to provide an adequate standard of healthcare to the population and the risk of pressures elsewhere in the healthcare system.

RE – No Controls: L 5, C 4, RE 20; RE – Current Controls: L 5, C 5, RE 25; Planned RE: L 3, C 3, RE 9; Current Risk Trend: →
Lead Director/Risk Owner: Chief Officer, Angus HSCP; Standing Committee: Angus Integrated Joint Board

Finance Annual Plan 2021/22

Lead Director/Risk Owner: Director of Finance; Standing Committee: Performance and Resources Committee

Covid-19 Vaccination Programme

Lead Director/Risk Owner: Director of Public Health; Standing Committee: TBC

Summary of the Material Changes within the NHST Strategic Risk Register

The Strategic Risk Performance Report was last presented to the Audit and Risk Committee on 20 May 2021. The following material changes have been agreed to the strategic risk register:

New Corporate Risks Identified

No new strategic risks have been added to the Strategic Risk Profile. The following risks have still to be added to the electronic risk register, Datix:

• Finance Annual Plan 2021/22
• Covid-19 Vaccination Programme

Material Note of Change for Risks Reviewed within this Reporting Period

Risk ID: 734
Title: Health and Safety
Risk Owner: Director of Workforce

Summary of Changes (including changes to controls): Current risk exposure rating reduced from 20 (Red/Very High) to 16 (Amber/High). The risk score has decreased as a number of significant interventions and controls have been agreed and progressed which has altered the risk profile. These include:

• Health and Safety Passport – issued to all current and new staff throughout 2020 and into 2021

• Health and Safety Website Documentation Review – review complete and website updated

• Smartsheet – launched in May 2021 with all managers requested to create an account by 30 June 2021

• Health and Safety Star Awards – agreement reached on 2 categories for when the 2021 Star Award programme is launched.

• Health and Safety Accreditation Scheme – agreed to launch this in September 2021. Agreed by HSMC, Staff Governance Committee and Exec. Leadership Team.

• Health and Safety Management Manual for Managers – currently being finalised – to be launched October 2021.

Archived Risks

There has been no agreement to archive/remove any risks from the Strategic Risk Profile. However, since the Strategic Risk Performance report was last presented to the Audit and Risk Committee, the current Mental Health Strategic Risk (395) has been closed and replaced with 934. This follows a series of workshops and agreement on a proposal paper presented to SRMG in December 2020.

Reporting of Risk to Standing Committees of Tayside NHS Board

Each risk contained within the Strategic Risk Profile of the organisation is aligned to a Standing Committee of the Board or Tayside NHS Board itself. Committee Support Officers in conjunction with Lead Officers of these Committees ensure that Strategic Risk Owners provide a detailed report, as a minimum, to every second meeting of the Committee via the risk assurance report template to allow discussion and agreement to take place in relation to the likelihood, consequences and mitigation measures recorded. Since the last reporting period all risks have been reported as timetabled and there are no breaches that require to be reported by exception.

ANNEX A Risk Definitions

• Risk Exposure – No Controls: The level of risk without any controls in place
• Risk Exposure – Current Controls: The effect of the current controls in place
• Planned Risk Exposure: The anticipated level of risk after all planned/proposed controls have been implemented

Risk Exposure Scoring

LIKELIHOOD (L) \ CONSEQUENCE (C) | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Extreme
5 Almost Certain | 5 Medium | 10 High | 15 High | 20 Very High | 25 Very High
4 Likely | 4 Medium | 8 Medium | 12 High | 16 High | 20 Very High
3 Possible | 3 Low | 6 Medium | 9 Medium | 12 High | 15 High
2 Unlikely | 2 Low | 4 Medium | 6 Medium | 8 Medium | 10 High
1 Rare | 1 Low | 2 Low | 3 Low | 4 Medium | 5 Medium

Likelihood Descriptors

Descriptor | Frequency of event occurring | Timescales (Guide Only)
1 Rare | Can’t believe this event would happen – will only happen in exceptional circumstances | 5-10 years or more
2 Unlikely | Not expected to happen but definite potential exists - unlikely to occur | 2-5 years
3 Possible | May occur occasionally, has happened before on occasions - reasonable chance of occurring | Annually
4 Likely | Strong possibility that this could occur - could occur several times | Quarterly
5 Almost certain | This is expected to happen frequently / in most circumstances - more likely to occur than not | Daily / Weekly / Monthly

Consequence Descriptors

Columns: Descriptor | 1 – Negligible (Green) | 2 – Minor (Yellow) | 3 – Moderate (Amber) | 4 – Major (Red) | 5 – Extreme (Red)

Patient Experience
1 – Negligible: Reduced quality of patient experience/clinical outcome not directly relative to delivery of clinical care
2 – Minor: Unsatisfactory patient experience/clinical outcome directly related to care provision – readily resolvable
3 – Moderate: Unsatisfactory patient experience/clinical outcome; short term effects – expect recovery <1 week
4 – Major: Unsatisfactory patient experience/clinical outcome; long term effects – expect recovery >1 week
5 – Extreme: Unsatisfactory patient experience/clinical outcome; continued ongoing long term effects

Objectives/Project
1 – Negligible: Barely noticeable reduction in scope, quality or schedule
2 – Minor: Minor reduction in scope, quality or schedule
3 – Moderate: Reduction in scope of quality of project; project objectives or schedule
4 – Major: Significant project over-run
5 – Extreme: Inability to meet project objectives; reputation of the organisation is seriously damaged

Injury (Physical and psychological to patient/visitor/staff)
1 – Negligible: Adverse event leading to minor
2 – Minor: Minor injury or illness, first aid treatment required
3 – Moderate: Agency reportable, e.g. Police (violent and aggressive acts). Significant injury requiring medical treatment and/or counselling
4 – Major: Major injuries/long term incapacity or disability (loss of limb) requiring medical treatment and/or counselling
5 – Extreme: Adverse event leading to death or major permanent injury

Complaints/Claims
1 – Negligible: Locally resolved verbal complaint
2 – Minor: Justified written complaint peripheral to clinical care
3 – Moderate: Below excess claim. Justified complaint involving lack of appropriate care
4 – Major: Claim above excess level. Multiple justified complaints.
5 – Extreme: Multiple claims or single major claim. Complex justified complaint.

Service/Business Interruption
1 – Negligible: Interruption in a service which does not impact on the delivery of patient care or the ability to continue to provide service.
2 – Minor: Short term disruption to service with minor impact on patient care
3 – Moderate: Some disruption in service with unacceptable impact on patient care. Temporary loss of ability to provide service.
4 – Major: Sustained loss of service which has serious impact on delivery of patient care resulting in major contingency plans being involved
5 – Extreme: Permanent loss of core service or facility. Disruption to facility leading to significant ‘knock on’ effect

Staffing and Competence
1 – Negligible: Short term low staffing level temporarily reduces service quality (<1 day). Short term low staffing level (<1 day), where there is no disruption to patient care.
2 – Minor: Ongoing low staffing level reduces service quality. Minor error due to ineffective training/implementation of training.
3 – Moderate: Late delivery of key objective/service due to lack of staff. Moderate error due to ineffective training/implementation of training. Ongoing problems with staffing levels
4 – Major: Uncertain delivery of key objective/service due to lack of staff. Major error due to ineffective training/implementation of training
5 – Extreme: Non-delivery of key objectives/service due to lack of staff. Lack of key staff. Critical error due to ineffective training/implementation of training

Financial (including damage/loss/fraud)
1 – Negligible: Negligible organisational/personal financial loss (<£5k)
2 – Minor: Minor organisational/personal financial loss (£5-50k)
3 – Moderate: Significant organisational/personal financial loss (£50-500k)
4 – Major: Major organisational/personal financial loss (£500k-5m)
5 – Extreme: Severe organisational/personal financial loss (>£5m)

Inspection/Audit
1 – Negligible: Small number of recommendations which focus on minor quality improvement issues
2 – Minor: Recommendations made which can be addressed by low level of management action
3 – Moderate: Challenging recommendations that can be addressed with appropriate action plan
4 – Major: Enforcement action. Low rating. Critical report.
5 – Extreme: Prosecution. Zero rating. Severely critical report.

Adverse Publicity/Reputation
1 – Negligible: Rumours, no media coverage. Little effect on staff morale.
2 – Minor: Local media coverage – short term. Some public embarrassment. Minor effect on staff morale/public attitude.
3 – Moderate: Local media – long term adverse publicity. Significant effect on staff morale and public perception of the organisation
4 – Major: National media/adverse publicity, less than 3 days. Public confidence in the organisation undermined. Use of services affected.
5 – Extreme: National/International media/adverse publicity, more than 3 days. MSP/MP concern (Questions in Parliament), Court Enforcement. Public Inquiry/FAI

Minutes

NHS Tayside
STRATEGIC RISK MANAGEMENT GROUP (SRMG)

Minute of the above meeting held at 1400 hours on Tuesday, 8 April 2021 via Microsoft Teams.

Present

Members
Mrs Jenny Alexander, Employee Director
Mr Grant Archibald, Chief Executive
Mr George Doherty, Director of Workforce
Ms Margaret Dunning, Board Secretary
Mr Laic Khalique, Director of Digital Technology
Mr Stuart Lyall, Director of Finance
Mr John Paterson, Director of Facilities
Mrs Claire Pearce, Nurse Director
Mrs Nicola Richardson, Interim Director of Allied Health Professions
Mrs Hazel Scott, Assistant Chief Executive
Ms Gail Smith, Interim Chief Officer, Angus Health and Social Care Partnership
Mrs Hilary Walker, Head of Strategic Risk and Resilience Planning
Ms Lorna Wiggin, Chief Officer, Acute Services

In Attendance
Ms Margaret-Rose Campbell, Committee Support Officer
Mrs Alison Dailly, Head of Information Governance and Cyber Assurance/Data Protection Officer

Attendees
Mr Christopher Jolly, Programme Manager, Perth and Kinross Health and Social Care Partnership (attending on behalf of Gordon Paterson)
Mrs Clare Lewis-Robertson, Senior Officer (Business Planning and Information Governance), Dundee Health and Social Care Partnership (attending on behalf of Dave Berry/Vicky Irons)

Apologies
Mr David Coulson, Director of Pharmacy
Mr Dave Berry, Chief Finance Officer, Dundee Health and Social Care Partnership (attending on behalf of Vicky Irons)
Dr Emma Fletcher, Director of Public Health
Mr Ally Gentles, Head of Operations, Digital Directorate
Mrs Vicky Irons, Chief Officer, Dundee Health and Social Care Partnership
Mr Gordon Paterson, Chief Officer, Perth & Kinross Health and Social Care Partnership
Mrs Jane Smith, Chief Financial Officer, Perth and Kinross Health and Social Care Partnership
Professor Peter Stonebridge, Medical Director

ITEM NUMBER 7.2

Mr Grant Archibald, Chief Executive, in the Chair

1 WELCOME AND APOLOGIES

ACTION

Mr Archibald, Chair, welcomed all those present to the meeting, noting that there had been a few changes within the membership since the last meeting:

• Mrs Karen Anderson, Director of Allied Health Professions (AHPs) retired on 31 March 2021 and Mrs Nicola Richardson joined the Strategic Risk Management Group as the Interim Director of AHPs.

• Mr Bill Nicoll, Director of Strategic Change retired on 18 March 2021.

• Mr John Paterson joined the Strategic Risk Management Group in his role as Director of Facilities.

Apologies were accepted and noted within the minute as above.

2 MINUTES OF PREVIOUS MEETING

2.1 Minutes of the Strategic Risk Management Group 8 December 2020

Members reviewed the minutes of the Strategic Risk Management Group held on 8 December 2020 and accepted these as an accurate record of the meeting.

SRMG:
• Approved the Minute of the Strategic Risk Management Group held on 8 December 2020.

2.2 Action Points Update Strategic Risk Management Group

All actions on the action points update were noted to be complete.

2.3 Matters Arising

No matters were notified to the Chair.

3 RISK MANAGEMENT

3.1 Strategic Risk Profile 2021/2022 Review

Mr Stuart Lyall, Director of Finance, presented the report which had been prepared following consultation with strategic risk owners and managers who had been requested to review the strategic risks and identify those which could be archived; downgraded to a service level risk; amalgamated with another strategic risk; or carried forward to the year 2021/2022. Risk owners and managers were also asked if there were any areas where a new strategic risk should be considered by the organisation.

A list of proposed strategic risks for the organisation has been drawn up and will be presented to Tayside NHS Board at its meeting on 29 April 2021.

This proposed list currently consists of:
• 17 strategic risks
• 2 risks proposed for archive
• 2 proposed new risks

It should be noted that there are four risks which have not yet been reviewed, and this is a matter of urgency for the risk owner/manager.

Mrs Hilary Walker, Head of Strategic Risk and Resilience Planning, advised that the two strategic risks which were proposed for archive were:

• EU Exit – as this has now been achieved, however a watching brief is being maintained and if an emerging risk is identified this will be considered for inclusion in the strategic risk register.

• Financial Annual Plan 2020/2021 – this strategic risk is proposed for archive once the annual accounts process has been concluded, and it is proposed that this is replaced with one of the new strategic risks: Financial Annual Plan 2021/2022.

Mrs Walker gave an update on the progress of Strategic Risk 395, for which a proposal was brought to the December 2020 meeting of the Strategic Risk Management Group. The Group agreed that Mental Health Services create a new strategic risk, underpinned by eight service level risks. To date the creation of the new strategic risk has not been completed, and the existing Strategic Risk 395 will be carried forward to the financial year 2021/2022, until such time as the new strategic risk is completed.

Mrs Walker advised that the proposed new Strategic Risks for 2021/2022 were:

• Financial Annual Plan 2021/2022 (as referred to above)

• Covid-19 Vaccination Programme – Following regular presentation of the Silver Command Risk Register to Gold Command during the pandemic, when the Command Structure was in place, a recommendation was made that the Covid-19 vaccination programme be escalated and recorded as a strategic risk for the organisation.

Discussion took place around the Risk Strategy for the Integrated Joint Boards, with Mrs Gail Smith, Chief Officer Angus Health and Social Care Partnership (HSCP) advising that this has now been revised and will be signed off through the three Integration Joint Board meetings during April 2021. The Strategy will be presented thereafter to Tayside NHS Board. The Chair, as the Accountable Officer, indicated that he required to have a common understanding and assurance of consistent reporting of risk across both NHS Tayside and the three Integration Joint Boards (IJBs). Mrs Smith advised that the development of the Risk Strategy within the IJB is a significant step forward, and regular assurance reporting into the Care Governance Committee, Lead Officers of which are the Medical Director and the Director of Nursing and Midwifery, will ensure regular review of strategic risks within the Health and Social Care Partnerships.

SRMG:

• Supported the proposals contained within the report, subject to the completion of the four outstanding strategic risk reviews, and the presentation of the proposed Strategic Risks 2021/2022 for approval at Tayside NHS Board on 29 April 2021.

3.2 Strategic Risk Profile Peer Review

3.2a Risk 58 Workforce Optimisation

Mr George Doherty, Director of Workforce advised that the workforce optimisation strategic risk has been in place for a number of years with regular reviews undertaken. The strategic risk was originally created to mitigate the consequences of a failure to create an environment that ensures the effective planning, recruitment, deployment and retention of workforce: insufficient staffing levels and skill mix may occur, which could lead to a negative impact on the quality of patient care, service delivery and financial balance. However, it has been acknowledged that the strategic risk has not managed to fulfil its controls and reduce the risk exposure.

Further to an Internal Audit review, a full review of the strategic risk is being undertaken in terms of workforce planning data gathering, development of a clear corporate position and workforce plans, and clarification of controls to ensure that risk reduction is achieved.

Mrs Jenny Alexander, Employee Director requested further discussion around this strategic risk, and was content with the Chair’s suggestion that a separate meeting be convened to take this forward. Mr Doherty to convene a meeting with Mr Archibald, Mrs Alexander and Mr Lyall relating to workforce issues by end June 2021.

GD

3.2b Risk 353 Sustainability of Primary Care Services

Mrs Smith advised that Primary Care Services are hosted within Angus Health and Social Care Partnership, and the risk that NHS Tayside may be unable to provide GP services is considered to be the greatest risk on the strategic risk register. The risk recognises that a failure to maintain sustainable Primary Care Services, both in each locality and across Tayside, will result in a failure to achieve the 20/20 Vision, the National Clinical Strategy and the local Primary Care Strategy.

Mrs Smith advised that areas recognised within the risk include:

• Closure of one General Practice within the last 12 months.

• An increasing number of General Practices being managed under the 2C arrangements.

• Recruitment and retention of General Practitioners is not only a local problem, but a recognised national problem.

• Recruitment and retention is not just a challenge in terms of General Practitioners, as there are challenges across all staff groupings who support Primary Care Services.

• Premises: provision and maintenance of premises is an ongoing challenge.

• IT infrastructure.

In response to Mr Lyall querying what Strategies were being taken into consideration to help Angus Health and Social Care Partnership anticipate future needs, Mrs Smith advised that the Workforce Strategy and Premises Strategy for Angus were being implemented in seeking long term solutions.

Mr Christopher Jolly, Programme Manager, Perth and Kinross Health and Social Care Partnership reported that the HSCP have been redesigning roles and skill mix models, making more use of medical, nursing and allied health profession practitioners across services. Mrs Nicola Richardson, Interim Director of Allied Health Professions (AHPs) supported the use of alternative workforce modelling advising that national models for AHPs were available and staff were keen to be part of the change conversation.

John Paterson intimated that a programmed approach to the management of premises within Tayside was being taken, linking prioritised projects with workstreams.

Mr Laic Khalique, Director of Digital Technology opined that there required to be a cultural shift within Primary Care Services, to the extent that there has been a shift within Acute Services, in how services are delivered to patients.

The Chair supported the discussions around workforce and acknowledged that whilst local to NHS Tayside conversations and meetings will take place, there requires to be escalation of the recruitment and retention challenges to the Director of Workforce at the Scottish Government (through George Doherty, NHS Tayside Director of Workforce) and to the Chief Medical Officer (through the NHS Tayside Medical Director) with a request to seek long term solutions.

It was agreed that the Chair and Mrs Smith would pursue a further conversation around sustainability of primary care services outwith the SRMG.

GS

SRMG: Noted the updates provided on the Strategic Risks for Workforce Optimisation (58) and Sustainable Primary Care Services (353).

3.3 Integration Joint Board Strategic Risk Register Exception Reports

3.3a Angus Integration Joint Board

Mrs Smith presented the Angus Integration Joint Board Report for consideration, highlighting:

• Scrutiny and management of risks is devolved to the Angus HSCP Clinical, Care and Professional Governance (CCPG) Forum chaired by the Angus HSCP Clinical Director.

• The CCPG Review 11 risks, Top five strategic risks:
  o Sustainability of Primary Care Services
  o Financial Management
  o Performance Management
  o Workforce Optimisation
  o Storage of Paper Records

• The Risk Management Strategy within the IJBs is currently under review, looking at the process of updating risk management arrangements in relation to processes for ownership, identification and escalation of risk between the IJBs and partners. The final documentation will be presented to the Angus Integration Joint Board in April 2021 for approval, and to Tayside NHS Board in June 2021 for awareness. The Risk Management Strategy within NHS Tayside is also under review, being presented to Tayside NHS Board in April 2021 for approval and thereafter to the IJBs for awareness.

The Chair thanked Mrs Smith for her briefing. There were no questions raised from SRMG members.

SRMG:

• Considered the Exception Report provided by Angus Integration Joint Board which provided an update in relation to the management of risk management activities.

3.2b Dundee Integration Joint Board

Mrs Clare Lewis-Robertson, Senior Officer, Dundee Health and Social Care Partnership presented the Dundee Integration Joint Board Report for consideration, highlighting:

• The Dundee Clinical, Care and Professional Governance forum has identified an emerging risk as the sustainability of the workforce within the Integrated Substance Misuse Service.

Mr Lyall observed that the extract from the Strategic Risk Register which was represented within the exception report reflected outdated assessments and asked whether confirmation could be provided that the strategic risks are contemporaneous. Mrs Lewis-Robertson confirmed that the strategic risks are under continuous review, however accepted that the screenshot within the exception report does not reflect this. It is a known issue with the risk system Pentana that the most current assessment date is not reflected within a search.

Mrs Claire Pearce, Director of Nursing and Midwifery raised a query regarding the review of the strategic risk associated with staff shortages and the number of patients not appointed, along with an assessment date of August 2020, advising that this is a concern to the SRMG with the significant number of drug deaths occurring. Mrs Lewis-Robertson advised that a new strategic risk is being considered specifically around the drug death numbers within the Integrated Substance Misuse Service. Mrs Lewis-Robertson would ensure that the current risk is updated within the Pentana system.

Mrs Alexander requested clarity on the term “Employment Terms” which describes Strategic risk HSCR00b3. Mrs Lewis-Robertson advised that this strategic risk refers to the alignment of NHS and Council contracts for staff. This risk has been on the register for a number of years and requires to have a full review undertaken as there has been little progress, with consideration that there is less risk attached to this than originally thought when the risk was put into effect.

The Chair thanked Mrs Lewis-Robertson for the briefing.

SRMG:

• Considered the Exception Report provided by Dundee Integration Joint Board which provided an update in relation to the management of risk management activities.

3.2c Perth and Kinross Integration Joint Board

Mr Jolly presented the Perth and Kinross Integration Joint Board Report for consideration, highlighting:

• The Strategic Risk Register has been redeveloped and reflects the inclusion of Covid-19 parameters. Each risk has been identified, assessed and scored, with clearly articulated controls in place to manage/mitigate the risk.

• To support the Strategic Risk Register, a strategic risk improvement plan will be created for each risk which will assist risk owners identify their course of action for managing the risk.

• The new Strategic Risk Register has been presented to the Perth and Kinross IJB Audit and Performance Committee where it was received well and supported.

• Perth and Kinross IJB are developing a risk framework setting out the risk appetite, and this framework will sit within the overall risk strategy which is being finalised.

Mr Khalique, referencing Strategic Risk SR05 Sustainable Digital Solutions, opined that in terms of Digital Partnership, there needs to be greater engagement from the IJBs driving forward what their vision is for Health and Social Care Partnerships, and the Digital Strategy needs to have a view of what their future goal looks like and work towards this. Mr Jolly thanked Mr Khalique for his observation and acknowledged that this gap had been previously articulated within the Partnership and would appreciate linking with Mr Khalique to discuss this further outwith the SRMG.

The Chair requested that consideration be given to the development of a common reporting template for the reporting of Integration Joint Board strategic risks to the NHS Tayside SRMG. Test of change will be undertaken at the next SRMG meeting in June 2021.

HW (Tayside Risk Management Group)

SRMG:

• Considered the Exception Report provided by Perth and Kinross Integration Joint Board which provided an update in relation to the management of risk management activities.

• Agreed test of change of reporting template.

3.4 Risk Management Annual Report and Workplan

Mrs Walker advised that the Risk Management Annual Report and Workplan was being prepared for presentation to the Audit and Risk Committee scheduled for 20 May 2021 for assurance and endorsement. The document would be circulated to SRMG members for consultation prior to submission to the Audit and Risk Committee.

SRMG:

• Noted that the Risk Management Annual Report and Workplan was being drafted and would be circulated for comment prior to submission to the Audit and Risk Committee.

3.5 Self Assessment and Audit Tool

Mrs Walker advised that the self assessment audit tool had been completed and a meeting with Internal Audit was scheduled to review the submission prior to sign off by Mr Lyall. The document would be circulated to SRMG members for consultation prior to submission to the Audit and Risk Committee scheduled for 20 May 2021.

SRMG:

• Noted that the Self Assessment and Audit Tool was being completed and would be circulated for comment prior to submission to the Audit and Risk Committee once agreed.

3.6 Horizon Scanning, Emerging Themes and New Risks

The Chair advised that SRMG members should take this opportunity to raise any emerging themes or risks which they are aware of or think may arise as a consequence of events occurring within their areas of expertise.

Areas which the Chair and members wished to allude to:

• Nursing workforce: 25% of the nursing workforce is expected to retire within the next five years; need to have confidence in the retention processes for existing staff; recruitment to posts; making roles attractive to new staff, impact of European Union exit and those staff who need to be supported to remain.

• Workforce optimisation: support Services to work differently; use of Locums; 2C Practices within Primary Care Services.

• Impact of Long Covid: stretched Services; significant number of patients with physical and mental health concerns; levels of key workers who are affected by Long Covid; how patients and staff live with Long Covid; what Services will be involved in the care and treatment of these staff and patients.

• Increase of quantum of the demand of the oldest population in Scotland for medical care. This rate is growing at a much faster rate in Perth and Kinross, added to the fact that it is the 8th most rural place in Scotland. Together with the aging/reducing workforce, Long Covid.

• Impact of European Union exit, in terms of workforce and procurement.

The Chair wished to encourage SRMG members to consider areas of concern that they may wish to raise at SRMG which may or may not progress to strategic risks, but which may be causing concern.

Mrs Hazel Scott, Assistant Chief Executive advised that the Business Unit within NHS Tayside are excellent at providing business and health intelligence and can provide assistance where redesign of services is being considered.

4 RESILIENCE PLANNING

4.1 Resilience Planning Framework

Ms Margaret Dunning, Board Secretary advised that the Framework, previously a policy, described the landscape of Resilience Planning. The Framework describes the systems and processes that are in place within NHS Tayside to support a high level of preparedness to any significant business-disrupting event or major incident, regardless of source.

Ms Dunning requested confirmation that SRMG were satisfied with documentation and were content that publication occurred.

The Chair requested that SRMG members with any comment review these with Ms Dunning or Mrs Walker outwith the meeting.

Mrs Walker advised that the previous Resilience Planning process had been subject of an Internal Audit report, and all recommendations had been taken cognisance of and incorporated into the new Framework.

The Chair thanked Mrs Walker for providing the Resilience Planning Framework, which offered additional value and insight into the complexity of resilience planning both in terms of processes and documentation.

SRMG: • Considered and noted the new Resilience Planning Framework.

4.2 Resilience Planning Update Report

Ms Dunning presented the Update Report advising that an Internal Audit on Resilience Planning is scheduled to be undertaken. The Assignment Plan from Internal Audit is currently awaited for Executive Lead sign off.

Ms Dunning highlighted Resilience Planning activities:

• Adverse weather planning

• CBRN Plan reviewed and updated in consultation with Emergency Department Consultant and Major Incident Lead.

• Workshops are to be held with the Regional Resilience Partnership around potential event of damage to the national grid.

• Operation Unicorn meetings have been stepped up.

The Chair thanked Ms Dunning for her update.

SRMG: • Considered and noted the Resilience Planning Update Report.

5 POLICY MANAGEMENT

5.1 Policy Management Update

Ms Dunning presented the Policy Management Update Report highlighting that:

• 149 Policies were currently in place within NHS Tayside and work is being undertaken to reduce this number.

• The next Policy Review and Development Group was scheduled for 14 April 2021, having not met since the meeting on 9 February 2020.

The Chair thanked Ms Dunning for her update.

SRMG:

• Noted the Policy Management Update Report and was assured of the ongoing process of policy management within NHS Tayside.

6 GOVERNANCE

6.1 Information Governance and Cyber Assurance Update

Alison Dailly presented the Information Governance and Cyber Assurance Report highlighting that:

• The work that the Information Governance and Cyber Assurance Team has been involved in has seen a return to the majority of project work being classed as “business as usual” and the number of Covid-19 related projects reducing. Since October 2020, this ratio has been 42 non-Covid related projects to six Covid related projects.

• The risk assessment, which was reviewed in light of the Covid-19 pandemic to facilitate a rapid approval approach, will be revisited to ensure that data protection assessments and/or information/data sharing agreements are completed.

• A Network and Information Systems Regulations audit report indicated a 50% compliance for NHS Tayside, and an action plan has been developed and will be actioned and monitored through the Cyber Resilience Governance Group.

The Chair thanked Mrs Dailly for her update on the work of the Information Governance and Cyber Assurance Team.

SRMG:

• Considered the report provided, noting the detailed updates provided, and accepted the moderate level of assurance offered.

6.2 Strategic Risk Management Group Annual Report, Terms of Reference and Workplan

Mr Lyall apologised for the late circulation of the documentation, advising:

• The Annual Report had been compiled, in the standard format, for submission to the Audit and Risk Committee as per the NHS Tayside internal control processes. The Chair requested that any amendments to the Annual Report be provided to Mr Lyall or Mrs Walker by Thursday, 15 April 2021. Following this consultation the Annual Report will be submitted to the Audit and Risk Committee for approval.

• The Terms of Reference had been reviewed and only minor amendment had been undertaken to the document.

• The Workplan had been prepared in line with the Terms of Reference and the current agreement of the strategic risk reporting.

SRMG:

• Considered the Annual Report for the Strategic Risk Management Group for the year 2020/2021 and noted the request to provide comment by 15 April 2021 to allow for sign off.

• Received and approved the Terms of Reference and Workplan for the year 2021/2022.

6.3 Strategic Risk Management Group Attendance Record

The Record of Attendance was provided for information.

SRMG: • Considered and noted the Record of Attendance.

7 ITEMS FOR INFORMATION

7.1 Resilience Planning Advisory Group Minutes 8 December 2020

• The SRMG received and noted the minutes of the meeting of the Resilience Planning Advisory Group on 8 December 2020.

7.2 Short Life Working Group Risk Management Action Note 3 November 2020

• The SRMG received and noted the minutes of the meeting of the Short Life Working Group Risk Management on 3 November 2020.

7.3 Datix Steering and Development Group Minutes 5 November 2020

• The SRMG received and noted the minutes of the meeting of the Datix Steering and Development Group on 5 November 2020.

9 ANY OTHER COMPETENT BUSINESS

No further business was introduced for discussion.

10 DATE OF NEXT MEETING

The next meeting will take place on 10 June 2021, 1400 hours via Microsoft Teams.


ITEM NUMBER 7.3 AUDIT31/2021

Audit and Risk Committee

22 June 2021

Internal Audit Progress and Audit Follow Up Report

Responsible Executive/Non-Executive: Stuart Lyall, Director of Finance

Report Author: Barry Hudson and Jocelyn Lyall – Regional Audit Managers

1 Purpose

This is presented to the Audit and Risk Committee for:

• Assurance

• Discussion

• Decision

This report relates to a:

• Local policy

This aligns to the following NHSScotland quality ambition(s):

• Safe

• Effective

• Person Centred

2 Report summary

2.1 Situation

The purpose of this report is to:

• provide the Audit and Risk Committee with Comprehensive Assurance on the progress of the 2020/21 Internal Audit Plan

• provide an update on the 2021/22 annual internal audit planning process

• provide an exception report on action to address previous internal audit recommendations. This provides Moderate Assurance that timely action has been taken to address internal audit recommendations.

2.2 Background

The Internal Audit year runs from May to April. The Internal Audit team is nearing the completion of the 2020/21 plan under the supervision of the Chief Internal Auditor. Audit work completed allows the Chief Internal Auditor to provide the necessary assurances prior to the signing of the annual accounts.


A large element of our year-end assurance work has been delivered through the Internal Control Evaluation and Sustainability audit; final assurance will be derived from the 2020/21 Annual Internal Audit Report to be reported to the Audit and Risk Committee in August 2021. The work of Internal Audit and the assurances provided by the Chief Internal Auditor in relation to internal control are key assurance sources taken into account when the Chief Executive undertakes the annual review of internal controls and forms part of the consideration of the Audit and Risk Committee and the Board prior to finalising the Governance Statement which is included and published in the Board’s Annual Accounts.

2.3 Assessment

Where applicable, each audit report includes an action plan that contains prioritised recommendations, associated lead officers and timescales for completion. Progress on implementation of agreed actions is monitored through the Audit Follow-up System, which is maintained by Internal Audit, and is reported regularly to the Audit and Risk Committee.

2021/22 Annual Internal Audit Plan

We have sought the views of the Executive Leadership Team (ELT) on the 2021/22 annual internal audit plan prior to circulating the draft plan to the Audit and Risk Committee Chair and members for input, before being presented to the August 2021 Audit and Risk Committee for approval. However, we know that the organisational risk profile is changing rapidly, as is organisational understanding of those risks and we will present an updated plan later in the audit year.

2.3.1 Audit Follow Up

An Audit Follow Up report was provided to the 20 May 2021 Audit & Risk Committee. In order to minimise the demands on Responsible Officers’ time, this report provides an update on outstanding recommendations by exception only:

• T25/15 - Property Management Strategy: The previous report reflected the position reported by the Responsible Manager that ‘the audit of space utilisation in GP practices, which will reflect changes due to Covid-19, will commence in June 2021 and will include an assessment of both usage of space and the quality of accommodation. Working with practices and Health & Social Care Partnerships, by the end of September 2021, the Property department will document both the current utilisation of GP accommodation and the practices’ medium term property requirements’. Following discussion at the last Audit & Risk Committee, Management have further updated that ‘The national template for the space quality function in GP buildings is still under development by Health Facilities Scotland, which we had expected to be completed by this time. There is a risk that this will delay completion into October, although we will seek to minimise the delay’. The audit follow up database has been updated accordingly.

• T36/19 – Trakcare: Digital Directorate colleagues reviewed the original issues identified and provided a summary of outstanding points which were reported to the 3 May 2021 Operational Leadership Team for progression. The Associate Medical Director, Access & Assurance, has informed internal audit that issues relating to Trakcare are now being progressed by the appointed digital champions and the Clinical Services Director for Planned Care. The requested evidence to confirm completion had not been provided at the time of this report.


2.3.2 Quality/ Patient Care

The Triple Aim is a core consideration in planning all internal audit reviews.

2.3.2 Workforce

Management responsibilities, skill sets and structures are a core consideration in planning all internal audit reviews. Delivery of the Internal Audit Annual Plan has been impacted by a Principal Auditor vacancy, now filled, and the long term absence of a staff member due to illness, which we expect to end shortly. A Principal Auditor will commence on 21 June 2021. To mitigate the risk to delivery of sufficient work by year end, the Tayside team is being supplemented by staff based in the other FTF Client Health Boards.

2.3.3 Financial

Financial Governance is a key pillar of the Annual Internal Audit Plan and value for money is a core consideration in planning all internal audit reviews.

2.3.4 Risk Assessment/Management

The internal audit planning process which produces the Annual Internal Audit Plan takes into account inherent and control risk for all aspects of the Internal Audit Universe. Individual internal audit assignments identify the key risks at the planning stage and our work is designed to evaluate whether appropriate systems are in place and operating effectively to mitigate the risks identified. Legislative requirements are a core consideration in planning all internal audit reviews.

2.3.5 Equality and Diversity, including health inequalities

All internal audit reviews which involve review of policies and procedures will examine the way in which equality and diversity is incorporated within Board documentation.

2.3.6 Other impacts

N/A

2.3.7 Communication, involvement, engagement and consultation

All papers have been produced by Internal Audit and shared with the Director of Finance.

2.3.8 Route to the Meeting

This paper has been produced by the Regional Audit Managers and reviewed by the Chief Internal Auditor and the Lead Officer for the Audit and Risk Committee.


2.4 Recommendation

The Audit and Risk Committee is asked to:

• NOTE the progress on the delivery of the Internal Audit Progress Report (Appendix A) which provides Comprehensive Assurance on the progress of the revised 2020/21 Internal Audit Plan

• NOTE the update on the 2021/22 internal audit planning process

• NOTE the exception report on the status of outstanding internal audit recommendations.

3 List of appendices

The following appendices are included with this report:

• Appendix A – Internal Audit Progress Report


Appendix A - Internal Audit Progress Report – 22 June 2021

Introduction

This report presents the progress of internal audit activity up to 10 June 2021. The graph below shows the current status of all 2020/21 audits:

2020/21 Internal Audit Plan

NHS Tayside Completed Audit Work

The following audit products, with the audit opinion shown and sorted by governance strand, have been issued since the last progress report to the Audit and Risk Committee meeting on 20 May 2021. A summary of each report is included for information within the ‘Summary of Audit Findings’ section. Completed Audit Work:

| Audits | Opinion on Assurance | Recommendations | Draft issued | Finalised |
| Corporate Governance | | | | |
| T13/21 – Risk Management Strategy, Standards & Operation | N/A | N/A | N/A | Year end statement |
| Financial Governance | | | | |
| T27/21 – ePayroll update | Comprehensive assurance | N/A | 12 May 2021 | 17 May 2021 |

[Figure: status of 2020/21 audits. Axis: 0% to 100%. Categories: Not Started; Planning Stage; Assignment Plan Issued; Fieldwork; Draft Report/Awaiting Responses; Final Report; Deferred.]


NHS Tayside Draft Reports Issued:

| Audit | Draft issued | Target Audit and Risk Committee |
| T12/21 – Assurance mapping | 14 June 2021 | June 2021 |
| ¹T24/21 – Property Management Strategy | 24 March 2021 | May 2021 |

¹A meeting with the Director of Facilities was held on 9 June 2021 to discuss this report in detail. It is proposed that given the importance of the report, it is presented in full to the September 2021 Audit & Risk Committee when the Director of Facilities will be invited to attend to provide assurance on property related matters.

IJB completed audit work:

| Audits | Opinion on Assurance | Recommendations | Draft issued | Finalised |
| Corporate Governance | | | | |
| AN04/21 – Governance and Assurance | Various | N/A | 16 April 2021 | 31 May 2021 |

IJB Draft Reports Issued:

| Audit | Draft issued | Target IJB Audit and Risk Committee |
| AN05/21 – Charging Process | 22 April 2021 | August 2021 |
| PK09/19 – Financial risks | 30 April 2021 | August 2021 |

NHS Tayside Work in Progress and Planned:

| Audits 2021/22 & 2020/21 | Status (in progress/ planning) | Original target - Audit and Risk Committee | Revised target - Audit and Risk Committee |
| Corporate Governance | | | |
| T01/22 – Audit Risk Assessment & Planning | In progress | Aug 2021 | - |
| T15/21 – Resilience, Business Continuity & Emergency Planning | In progress | Mar 2021 | ²Aug 2021 |
| T17/21 – CAMHS improvement plan | In progress | Jan 2021 | May 2021; ²Aug 2021 |
| T19/21 – Health & Social Care Integration | In progress | Throughout year | - |
| T22/21 – Senior Leadership Team | In progress | Jan 2021 | ²Aug 2021 |
| T29/21 – Endowment Funds | In progress | Sept 2021 | - |
| Information Governance | | | |
| ³T32/21 – eHealth strategic planning & governance | Planning | Aug 2021 | tbc |

²Completion of audit fieldwork delayed due to staff member’s long term sickness absence and Principal Auditor vacancy.

³Draft Digital Strategy has not been made available to internal audit. Internal audit will comment on Strategy as part of 2021/22 internal audit plan.

IJB Work in Progress and Planned.

When finalised these reports will be available in full within the Audit and Risk Committee members’ library. Summaries will be included in the next progress report once they have been presented to the relevant IJB Board/Audit Committee.

| Audits | Status (in progress/ planning) | Target Audit and Risk Committee |
| Corporate Governance | | |
| A03-21 Angus IJB Annual Report | In progress | June 2021 |
| D03-21 Dundee IJB Annual Report | In progress | June 2021 (IJB) |
| P03-21 – Perth & Kinross IJB Annual Report | In progress | Aug 2021 |
| D05/21 – Performance Management | In progress | September 2021 |
| D06-21 – Dundee IJB Audit follow Up | In progress | September 2021 |


Summary of Audit Findings

The following section provides a summary of the findings of internal audit reviews concluded since the previous Audit and Risk Committee meeting.

T13/21 - Risk Management Strategy, Standards & Operation

Year end summary:

During the year, internal audit liaised with Risk Management colleagues to provide input to improvements to the risk management framework including:

• Independent evaluation of the risk management framework through the Internal Control Evaluation and Internal Audit Annual Report 2019/20. This work was undertaken in parallel with the Internal Audit contribution to and evaluation of the Board’s Assurance Mapping exercise which will be reported separately.

• Commentary on the revised combined Risk Management Strategy and Framework.

• Commentary on the revised IJB Risk Management Policy and Strategy.

• Chief Internal Auditor validation of the Board’s completion of the IIA (Institute of Internal Auditors) Risk Maturity self-assessment.

T27/21: NHS Scotland National Payroll System - ePayroll Updates

Audit opinion – Comprehensive assurance

• Throughout the year updates to the Whitley Council Pay Scale Master / Agenda for Change Pay Band file are required to reflect guidance issued by the Scottish Government. Local payroll managers can also request supplementary payscale updates in respect of staff on national “K” and "T" scales and those on protected scales. Additionally, the national team make changes to allowance/deduction codes upon receipt of an authorised request form.

• To confirm accuracy, the amendments to the national salary scales for medical and dental staff and amendments to Agenda for Change Pay Band files were confirmed to the national ePayroll system, as were the amendments to Executive and Senior Management Pay.

• Additionally, we tested the input details for Amendment to Agenda for Change Pay Bands Files, ePayroll Pay Awards, ePayroll Allowance/Deduction Code File Amendments and amendments to ePayroll pay scale master/job description files and confirmed accuracy.


Definitions of Assurance

To assist management in assessing the overall opinion of the area under review, we have assessed the system adequacy and control application, and categorised the opinion based on the following criteria:

Level of Assurance | System Adequacy | Controls

Substantial Assurance
System Adequacy: A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.
Controls: Controls are applied continuously or with only minor lapses.

Reasonable Assurance
System Adequacy: There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.
Controls: Controls are applied frequently but with evidence of non-compliance.

Limited Assurance
System Adequacy: Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.
Controls: Controls are applied but with some significant lapses.

No Assurance
System Adequacy: Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.
Controls: Significant breakdown in the application of controls.


Assessment of Risk

To assist management in assessing each audit finding and recommendation, we have assessed the risk of each of the weaknesses identified and categorised each finding according to the following criteria:

Fundamental
Non Compliance with key controls or evidence of material loss or error. Action is imperative to ensure that the objectives for the area under review are met.

Significant
Weaknesses in design or implementation of key controls i.e. those which individually reduce the risk scores. Requires action to avoid exposure to significant risks to achieving the objectives for area under review.

Moderate
Weaknesses in design or implementation of controls which contribute to risk mitigation. Requires action to avoid exposure to moderate risks to achieving the objectives for area under review.

Merits attention
There are generally areas of good practice. Action may be advised to enhance control or improve operational efficiency.

Action Note NHS Tayside

L Green Governance Review Group Meeting 12 May 2021


CORPORATE GOVERNANCE REVIEW MEETING

Action note from above meeting held at 10:00am on Wednesday 12 May 2021 via Microsoft Teams

Present
Margaret-Rose Campbell, Committee Support Officer
Margaret Dunning, Board Secretary
Lisa Green, Committee Support Officer
Phil Jerrard, Governance and Risk Coordinator, Perth & Kinross HSCP
Alison Johnston, Programme Manager
Pauline Ireland, Committee Support Officer
Louise Lyall, Head of Finance – Capital and Resources
Victoria Sullivan, Committee Support Officer
Donna Tosh, Head of Committee Administration
Judith Triebs, Principal Auditor, FTF Audit Services

Apologies
Heather Ford, Committee Support Officer
Alison Inglis, PA – to Associate Director of Finance – Financial Services/FLO

Donna Tosh/Margaret Dunning in the Chair

ACTION

1. Welcome and Apologies

Donna Tosh welcomed all to the meeting and the apologies were noted as above.

2. Action Note of last meeting held on 10 February 2020

The Group approved the Action Note of the meeting held on 10 February 2020.

3. Action Points Update

Year End Report – Judith Triebs had queried the Annual Internal Audit Report reporting requirements for 2020/21. It was noted that Lisa Green responded to the query via email on 10 February 2021. All completed actions were noted.

4. Matters Arising

There were no matters arising.

5. Year End Reporting

a. Governance Review Group Annual Report 2020/21

Donna Tosh advised the Governance Review Group Annual Report 2020/21 was presented to the Group for review and approval.

ITEM NUMBER 7.4


Louise Lyall noted that her surname had not been recorded under the membership at section 2.1 of the report. It was noted that the Annual Report would be updated accordingly. The Group approved the Governance Review Group Annual Report 2020/21.

LG

b. Draft Internal Audit Report T08/21 – Internal Control Evaluation 2020/21

Donna Tosh advised that the Internal Control Evaluation 2020/21 had been updated following circulation to the Group. It was noted that there had been a change in a management response to Action Point Reference 2 in relation to strategy and transformation. The final version of the Internal Control Evaluation 2020/21 had been issued on 11 May 2021.

The Group was asked to note the content of the report, in particular those actions relevant to Tayside NHS Board and its Standing Committees. It was noted that progress in relation to action points 1 and 2 of the recommendation relating to Sustainability and Transformation would be monitored and reported through Tayside NHS Board and its Standing Committees throughout 2021/22.

Louise Lyall advised that the report had also been updated within the Risk Management section to reflect that it was the Chief Finance Officer who had led on work to develop a Risk Management Strategy for the Tayside HSCPs.

The Group noted the Internal Control Evaluation 2020/21.

6. Updates to the NHS Tayside Code of Corporate Governance

Donna Tosh presented the Updates to NHS Tayside Code of Corporate Governance report being presented to the Audit and Risk Committee on 20 May 2021. The Audit and Risk Committee are asked to review the updates to the NHS Tayside Code of Corporate Governance and recommend approval of these by Tayside NHS Board at its meeting on 24 June 2021.

It was noted that the main updates were changes to Standing Committee remits following the review of Committee Assurance and Workplans, in particular the references to Endowment Funds Annual Accounts in the Audit and Risk Committee remit.

Louise Lyall advised that through discussions with Robert MacKinnon, Interim Charity Chief Officer & Associate Director of Finance, and in line with the Office of the Scottish Charity Regulator (OSCR) Report and the intention to separate Endowment Funds and Exchequer Funds, the Endowment Funds Annual Accounts would now be approved through the Board of Trustees. It was noted that a report would be presented to the Audit and Risk Committee on the auditor’s opinion and approval status of the Endowment Funds Annual Accounts and that the Audit and Risk Committee Terms of Reference would be updated to reflect this change.

The Group noted the Updates to the NHS Tayside Code of Corporate Governance.


7. Internal Audit Report T11/21 – Committee Assurance Plans

Margaret Dunning presented the report and advised that this had been a topic of discussion within the Standing Committees. It was noted that this was the first full year Committees had Committee Assurance Plans in place. It was noted that not all items reported to Committee were items for assurance. The development of the Committee Assurance Plans was to help in identifying those items for assurance and for Committees to have a framework for determining their assurance needs.

Margaret Dunning advised that there had been discussion, in reserved business, at the Care Governance Committee regarding the Clinical Governance reports from each of the three Integration Joint Boards (IJBs) and the assurances provided. It was noted that the Chief Internal Auditor had participated in a meeting with Care Governance Committee colleagues and reinforced that not all items were items for assurance. He had highlighted that risks were one key area where the Committee should be assured. The Chief Internal Auditor had also noted the length of agendas and the need for shorter, more focussed reports.

Judith Triebs noted that there may be the need to review the format of each of the IJB care and clinical governance reports that were submitted to the Care Governance Committee.

Margaret Dunning advised that Committee Support Officers need to review the remits of their Committees in the Code of Corporate Governance and ensure they were reflected in the Committees’ Terms of Reference to Workplans.

In relation to the action point regarding the review of Standing Operating Procedures (SOPs), Margaret Dunning advised that there were regular meetings with Committee Support Officers. It was noted that there would be a complete review of all SOPs and a report would be presented to the Audit and Risk Committee later in the year.

Margaret Dunning noted, in relation to Standing Committee Annual Reports, that the Committees should be reflecting on the Assurance Plans, looking at the totality of assurance received and providing a view of that within Annual Reports, for example areas where improvement has been seen. Judith Triebs advised that she had seen the draft Staff Governance Committee Annual Report and this process had been there, setting out where there had been limited assurance and where further work was required.

It was agreed that Committee Support Officers would share their Committees’ Annual Reports, noting that some of these were still in development, and that in the meantime the Staff Governance Annual Report would be shared with Committee Support Officers.

The Group noted the Internal Audit Report T11/21 – Committee Assurance Plans.

ALL


8. Strategic Risk Management – BOARD23/2021

Margaret Dunning advised that the Strategic Risk Management Report had been considered and approved by the Board at its meeting on 29 April 2021. It was noted that the report had been well received and there would be a further risk management session at an upcoming Board Development Event in the second half of the year (July – September 2021). The report highlighted that the frequency of the reporting of strategic risks to the Standing Committees would be every second meeting unless the risk score was high/red or the Committee sought more information. The Group noted the Strategic Risk Management Report.

9. Publication of community engagement and participation guidance for health and social care

Margaret Dunning presented the letter received from Scottish Government which was issued as a Directors Letter (DL). It was noted this DL replaced CEL 4 – Guidance in relation to Major Service Change. Margaret Dunning advised that Jane Duncan, as Director of Communications and Engagement, would take action in response to the DL to ensure there is organisational understanding. It was noted that there was also an Equality and Diversity element within the DL. The Group noted the DL - Publication of community engagement and participation guidance for health and social care.

10. Record of Attendance

The Group noted the record of attendance.

11. Any Other Competent Business

Standing Committee Annual Reports 2020/21

Louise Lyall requested early drafts of all Standing Committee Annual Reports for 2020/21 so that these could be reviewed and used to inform the narrative in the Governance Statement. It was noted that Committee Support Officers would forward Draft Annual Reports 2020/21 to Louise Lyall.

Standard Operating Procedures

Margaret Dunning advised that the draft reviewed Standing Operating Procedures would be reviewed at the next Governance Review Group meeting on 14 July 2021. These would then be shared with Non Executive Members and a paper prepared for submission to the Audit and Risk Committee.

Strategic Risk Management

Phil Jerrard welcomed sight of the NHS Tayside Risk Management Strategy, which he noted was very comprehensive. He advised that the Integration Joint Boards (IJBs) were following the same route and had development sessions planned. It was noted that the Perth & Kinross IJB strategic risks had been refreshed and a Risk Improvement Plan was also in development.

Margaret Dunning spoke in relation to the different mechanisms for recording risks in NHS Tayside and the local authorities. It was noted that NHS Tayside used the Datix system and the IJBs used the Pentana system.

Judith Triebs highlighted that the next focus for NHS Tayside was to link risk to performance management. Margaret Dunning advised this linked to the national Active Governance work and an update was awaited on this work.

Margaret Dunning thanked everyone for their participation and the support the Committee Support Officers received from Judith Triebs and Louise Lyall.

ALL

12. Date of Next Meeting

The next meeting of the Governance Review Group was scheduled for Wednesday 14 July 2021 at 10:00am via Microsoft Teams.

MINUTE NHS Tayside

INFORMATION GOVERNANCE AND CYBER ASSURANCE COMMITTEE

Minute of the meeting of the Information Governance and Cyber Assurance Committee held on Thursday 6 May 2021 at 10am via Microsoft Teams.

Members Present
Ms Lucy Archer, System and Performance Manager, Soft Facilities
Dr Cliff Barthram, IT Clinical Lead (Acute)
Mrs Alison Dailly, Head of Information Governance and Cyber Assurance
Ms Margaret Dunning, Board Secretary/SIRO
Mr Ally Gentles, Head of Operations, Digital Directorate
Mr Gerry Grant, Cyber Security Manager, Digital Directorate
Mr Chris Hind, Clinical Laboratory Manager Access Laboratories
Mr Chris Jolly, Perth & Kinross Health & Social Care Partnership Representative
Ms Gail McClure, Primary Care Services Representative
Mr Jean Ngoie, Head of Instrumentation and Clinical Engineering/Principal Equipment
Dr Beena Raschkes, IT Clinical Lead (Primary Care)
Mr Keith Whitefield, Angus Health & Social Care Partnership Representative

Apologies
Ms Jenny Alexander, Employee Director
Mrs Ruth Anderson, Head of Health Records
Ms Elizabeth Henderson, Clinical Care Group Manager
Ms Clare Lewis-Robertson, Dundee Health & Social Care Partnership Representative
Dr Richard Humble, Chair of LMC/GP Sub Committee
Mr Charlie Quipp, Technical Infrastructure Manager, Digital Directorate
Mr Christopher Smith, HR Representative
Mr Peter Stonebridge, Medical Director

In Attendance
Mr Pollycarp Batwaula, Information Governance and Officer
Mr Joseph Donnelly, Information Governance Officer
Mrs Gillian Martin, Information Governance Officer
Miss Lisa Milne, Assistant Information Governance Officer
Mrs Lynda Petrie, Corporate Records Manager
Miss Gemma Rooney, Assistant Information Governance Officer
Miss Kellyanne Tosh, Information Governance Officer

Ms Margaret Dunning in the Chair

ITEM NUMBER 7.5

ACTION

1. Apologies and Welcome

Apologies were noted as above.

2. Minutes of Previous Meeting

The minutes of the previous meeting of the Information Governance and Cyber Assurance (IG & CA) Committee of 12 January 2021 were approved as an accurate record.

3. Action Point Update

The action points were discussed and updated.

Decommissioning Report – Mrs Dailly will contact Mrs Caithness and Mrs Soave and invite them to the next committee meeting to provide a further report on the decommissioning work.

Terms of Reference – Ms Dunning agreed to liaise with the Director of Finance to identify a representative from Finance to join the committee.

4 GOVERNANCE

4.1 Information Governance and Cyber Assurance Committee Annual Report 2020-2021

Ms Dunning highlighted the Information Governance and Cyber Assurance (IG & CA) Annual Report to the Committee. This paper will be presented to the Audit and Risk Committee. The Information Governance and Cyber Assurance Committee noted the report.

4.2 Terms of Reference

Ms Dunning presented the Committee with an updated Terms of Reference for discussion. Ms Dunning queried if FairWarning should be kept on the Terms of Reference. Mrs Dailly advised that FairWarning was being rolled out this year, with the program managed by NSS. It is anticipated that NHS Tayside’s FairWarning rollout will take place during the middle of the program, expected to be late summer 2021. Ms Dunning advised that prior to FairWarning being rolled out NHS Tayside staff need to be made aware of this. In response to a comment by Dr Barthram, it was agreed that a report will be presented to the Operational Leadership Team, with wider communication being disseminated to staff before the system goes live.

AD

4.3 Information Governance and Cyber Assurance Committee Work Plan 2021-2022

Ms Dunning presented the work plan to the committee for the forthcoming year. Ms Dunning highlighted the requirement to comply with the revised Information Security Policy Framework (ISPF)/Cyber Resilience Public Sector Action Plan. Mrs Dailly and Mr Gentles agreed to revisit these requirements to confirm assurances are being captured and map out processes for compliance. Ms Dunning advised the committee that she would revisit the work plan with a view to mapping out the landscape and linking work streams that both IG and the Digital Directorate have responsibility for complying with.

AD/AG MD/AD

4.4 Cyber Resilience Governance Group Minutes January 2021

The committee noted the minute of the meeting of the Cyber Resilience Governance Group (CRGG) of 14 January 2021.

4.5 Data Quality Policy

Mrs Dailly provided an update of the data quality policy to the Committee and stated that there were no major changes to the policy. The committee were advised that the Information Asset Register would be updated to reflect the data quality questions included within the data quality policy.

Mr Whitefield commended the policy and advised that he would adapt and create a similar policy for Angus Health and Social Care Partnership. He referred to the previous issues with Adastra and national CHI. Mr Donnelly advised that Adastra users had been provided access to CHI to resolve inconsistencies between the systems and training was available to Adastra users if required.

Mrs Dailly informed the Committee that a new Data Quality Manager has been appointed and will sit within the Health Records Service. There was discussion around the possibility of a Data Quality Short Life Working Group (SLWG) being established and this will look at all the data quality issues being raised. Mrs Dailly agreed to contact Mrs Scott to discuss membership of the data quality group.

The Information Governance and Cyber Assurance Committee agreed the content of the policy presented to them.

AD

5 ASSURANCE

5.1 NIS Regulation Audit – Draft Action Plan

Mr Batwaula advised of the outcome of the NIS Regulation Audit that took place in late 2020. It was noted that the compliance score was 50% and there were 108 recommendations. The full audit will be undertaken in August 2021. It should be noted that due to the interrelated controls, addressing the Black (Critical) and Red (Urgent) recommendations may subsequently also address the Amber (Important) and Yellow (Attention) recommendations.

Mr Gentles confirmed that this would be a collaborative effort between IG & CA, Digital Directorate, Estates, Procurement, HR & OD and Finance.

The two black category risks were discussed in detail. There was discussion around mitigating the risks. It was noted that cyber risk was not a standing item on the Board agenda.

It was proposed by Mr Batwaula to test the online procurement tool. It was agreed that IG & CA and the Digital Directorate would work together to test the tool with a proposed project.

There was discussion around the membership of the Cyber Resilience Governance Group (CRGG). It was agreed that Mrs Dailly and Mr Batwaula would review the membership of the CRGG to ensure the membership included all leads/contributors identified within the NIS Action Plan.

PB/GG AD/PB

5.2 Digital Directorate Update

Mr Gentles provided an update of work that has been undertaken within Digital Directorate. This included the digital strategy, Covid-19 response, infrastructure upgrades, QVLAN and patient monitoring system. Mr Gentles advised the digital strategy is awaiting approval from the Chief Executive, prior to being shared with the Committee.

Mr Grant updated the committee on the Cyber Incident Response Plan and Playbooks. These would be presented to the CRGG for discussion before being shared more widely across NHS Tayside.

The Information Governance and Cyber Assurance Committee noted the contents of the Digital Directorate Update report.

5.3 Information Governance and Cyber Assurance Team Compliance Assurance Update Report

Mrs Dailly updated the Committee on the work undertaken by the Information Governance and Cyber Assurance team, which included an update on the outstanding actions following the recommendations from the Information and Cyber Security Review commissioned in 2018. Mrs Dailly noted there had been a shift in the focus of the work as there were fewer Covid-19 projects.

There was discussion around business continuity and resilience and it was agreed that Mrs Walker would be invited to a future meeting to give an update.

The committee considered the requirement for a representative from Hard Facilities to join. Ms Archer agreed that she would discuss with the new Director of Facilities, John Parsons, and report back at the next meeting.

The Committee noted the contents of the IG&CA Team Compliance Assurance Report.

KT LA

6 Reflection and consideration of any issues to be escalated to Audit and Risk Committee

No issues were noted.

7 AOCB

No AOCB was discussed.

8 Date and Time of next meeting

The next meeting will take place on Thursday 8 July 2021, 10am – 12pm via Microsoft Teams.


ITEM NUMBER 7.6 AUDIT32/2021

Audit and Resources Committee
22 June 2021
Audit Scotland Interim Audit Report

Responsible Officer: Stuart Lyall, Director of Finance
Report Author: Karen Kidd, Senior Finance Manager
Louise Lyall, Head of Finance - Capital and Resources

1 Purpose

This is presented to the Board for:-
• Assurance
• Awareness

This report relates to:-
• Government policy/directive
• Legal requirement

This aligns to the following NHSScotland quality ambition(s):
• Safe
• Effective
• Person Centred

2 Report summary

2.1 Situation

Audit Scotland have provided the attached Management Report as part of their annual audit. It is presented to the Committee for awareness and to provide a comprehensive level of assurance.

2.2 Background

NHS Tayside’s Annual Report and Accounts are audited by Audit Scotland. Audit Scotland’s Annual Audit Plan was presented to the Committee remotely, via email, in March 2021. The plan outlined that a Management Report would be issued as part of the annual audit process. The report has been issued in the format of the attached Interim Management Letter.


2.3 Assessment

The Interim Management Letter reports on the findings of the interim audit work undertaken, which assesses the systems of internal controls in place. The key findings of the interim work have resulted in two recommendations. Management responses have been provided for both, and necessary actions have begun to be implemented locally.

2.3.1 Quality/Patient Care

Not applicable.

2.3.2 Workforce

There are no direct workforce implications arising from this paper.

2.3.3 Financial

There are no direct financial implications arising from this paper.

2.3.4 Risk Assessment/Management

Not applicable.

2.3.5 Equality and Diversity, including health inequalities

An impact assessment has not been completed because there are no direct equality and diversity issues arising from this paper.

2.3.6 Other impacts

Not applicable.

2.3.7 Communication, involvement, engagement and consultation

Audit Scotland has liaised with key members of the finance team in agreeing the management responses to the recommendations.

2.3.8 Route to the Meeting

Not applicable.

2.4 Recommendation

The Committee is asked to note this report for awareness and a comprehensive level of assurance.

3 List of appendices

The following appendices are included with this report:

Appendix No 1 NHS Tayside – Interim Management Letter 2020/21


Level of Assurance | System Adequacy | Controls

Comprehensive Assurance
System Adequacy: Robust framework of key controls ensures objectives are likely to be achieved.
Controls: Controls are applied continuously or with only minor lapses.

Moderate Assurance
System Adequacy: Adequate framework of key controls with minor weaknesses present.
Controls: Controls are applied frequently but with evidence of non-compliance.

Limited Assurance
System Adequacy: Satisfactory framework of key controls but with significant weaknesses evident which are likely to undermine the achievement of objectives.
Controls: Controls are applied but with some significant lapses.

No Assurance
System Adequacy: High risk of objectives not being achieved due to the absence of key internal controls.
Controls: Significant breakdown in the application of controls.

4th Floor 102 Westport Edinburgh EH3 9DN

T: 0131 625 1500 E: [email protected] www.audit-scotland.gov.uk

Stuart Lyall Director of Finance NHS Tayside Floor 9 Ninewells Hospital Dundee DD2 1UB

15 June 2021

Dear Stuart

NHS Tayside – Interim management letter 2020/21

1. Audit Scotland’s Code of Audit Practice requires us to assess the systems of internal control put in place by management. In carrying out this work, we seek to gain assurance that the board:

• has systems for recording and processing transactions which provide a sound basis for the preparation of financial statements and the effective management of its assets and interests

• has systems of internal control which provide an adequate means of preventing or detecting material misstatement, error, fraud or corruption

• complies with established policies, procedures, laws and regulation.

2. Our interim work is used to inform our approach to the audit of the annual accounts. Interim audit work includes controls testing, income and expenditure verification and aspects of wider dimension audit work. We set out our programme of work in our annual audit plan (AAP) considered by the Audit and Risk Committee remotely in March 2021 under the revised governance arrangements approved by the Board in February 2021, where standing committees were stood down until further notice due to the Covid-19 pandemic.

3. Our interim audit work has progressed reasonably well but, as expected, more slowly compared to the traditional pre-Covid-19 audit timetable. This is due to the impact of undertaking the audit remotely and from some delays in responses to audit queries. Consequently, we were unable to complete all of our interim testing within the timescale originally planned. We will complete any remaining programmed work alongside our annual accounts audit work.

4. Our AAP noted a target date for the management report for consideration by officers as the end of April but the date for consideration by the Audit and Risk Committee was not agreed, as the dates for future Audit and Risk Committee meetings had not been determined at the time the AAP was finalised due to the revised governance arrangements being in place. Similar to our 2019/20 management report we have elected to produce a shorter output, a management letter, concluding on work completed to date, which can be considered at the next meeting of the Audit and Risk Committee in June 2021.

Conclusions

5. Weaknesses identified represent those that have come to our attention during the audit work completed to date and are therefore not necessarily all of the weaknesses which may exist. It is the responsibility of management to decide on the nature and extent of the internal control system appropriate to the board.

6. We are reporting solely on those elements of interim work completed to date. On the basis of this audit work, we concluded that system controls are operating as specified but some areas have been identified where controls could be strengthened.

7. We have also provided an update on the board’s participation in the National Fraud Initiative (NFI), a counter-fraud exercise coordinated by Audit Scotland which uses computerised techniques to compare information about individuals held by different public bodies, and on different financial systems, to identify 'matches' that might suggest the existence of fraud or irregularity. Work by the board is ongoing.

Appendix 1

Financial system coverage

8. The financial key systems that were tested at the interim audit stage were as follows:

• General ledger
• Accounts receivable
• Payroll
• Accounts payable
• Cash and banking
• Family Health Services
• Budgetary control

Key findings

Key Financial Controls

Payroll validation

9. We have previously reported that there was no independent formal verification process to confirm the existence of employees listed on ePayroll. Management advised that various measures were in place which they considered partly mitigated the risk of payments being made to individuals who are not genuine employees of the board but also advised that the introduction of the eESS system in 2019/20 would ensure that there is a reconciliation between employees on eESS and Payroll.

10. A validation exercise was carried out in 2019/20, however we have now been advised that this was a ‘one off’ exercise for the introduction of eESS and this internal control has not been replicated in 2020/21. As a result, we will need to carry out additional work to test the existence of employees included on the payroll as part of our annual accounts audit work.

Recommendation

Payroll controls would be strengthened if the board established a regular process to confirm the existence of employees listed on the payroll system.

Management response

Existing processes provide a level of assurance to confirm the existence of employees on the payroll system.

Managers confirm rosters and authorise required payment on the SSTS on a weekly/ monthly basis, which provides the direct link to the payroll system for payments to staff being made. Managers are reminded each pay period by email of the need to authorise rosters by a certain date, and receive a personal reminder where authorisation is still outstanding. A quarterly check of confirmed rosters will be re-introduced by the SSTS team, with Managers receiving a report of “unconfirmed” rosters for action. A bi-annual communication from the SSTS team to remind SSTS managers of the good practice of confirming rosters will be implemented.

Employment changes in the Payroll system can only be made via the eESS system e.g. a new start payroll record cannot be set up on ePayroll independently or without an eESS transaction. There are also reconciliation reports between the eESS system and payroll. In order to respond to the recommendation, the workforce directorate will enhance the reconciliations and checks between eESS and payroll systems. This will include a monthly reconciliation report between eESS and payroll, identifying and resolving any differences. A bi-annual communication from the eESS system team to the supervisor roles within the eESS system to ensure all employees are correct will be implemented and a data quality report ensuring all employees are allocated a supervisor will be checked.

Action date: June 2021

Responsible Officers: Lorraine Hunter (Head of HR Service Centre) and Daniel Courtney (Head of Workforce Planning)

Journal authorisation control

11. Journals processed by management accountants should be prepared by one officer and checked and input into the ledger by a second officer. Our audit testing of all relevant journals for periods 1 to 10 identified 15 which had been prepared and input to the ledger by the same user. Financial services undertake a bi-monthly secondary control to identify journals prepared and input by the same officer. Although this process identified these 15 journals, which were passed to the relevant manager for follow up, evidence of the follow up action taken has not been retained.

12. We plan to follow up these 15 journals to ensure their validity and carry out further testing of ‘management accountant’ journals in periods 11-13 as part of our annual accounts audit work.

Recommendation

The bi-monthly review control could be strengthened if financial services retained evidence of the follow up action undertaken by managers.

Management response

All journals identified by the secondary control check in 2020/21 will be reviewed and confirmed by the appropriate manager. All actions will be taken moving forward to ensure that management accountants do not prepare and input the same entry; and that they are checked and input by another. Should the bi-monthly secondary control check identify any further entries moving forward, the teams will be asked to provide the check of the entry retrospectively and it will be recorded and held within financial services.

Action date: June 2021

Responsible Officer: Karen Kidd (Senior Finance Manager)

National Fraud Initiative

13. NFI matches were sent to NHS bodies in January/February of this year. Work by the board is ongoing to investigate the matches and our colleagues in Audit Scotland, who are centrally responsible for the NFI exercise, are monitoring the board’s progress with the investigation of the NFI matches. We will provide an update in our annual audit report on the board’s progress with the current NFI exercise.

Acknowledgement

14. The contents of this letter have been discussed with relevant officers to confirm factual accuracy. The co-operation and assistance we received during the course of our audit is gratefully acknowledged.

Yours sincerely

Bruce Crosbie (Senior Audit Manager)

ITEM NUMBER 7.7 AUDIT33/2021

Audit and Risk Committee

22 June, 2021

External Reports – Recommendations Tracker

Responsible Executive: Stuart Lyall, Director of Finance

Report Author: Louise Lyall, Head of Finance – Capital and Resources

1. Purpose

This is presented to the Committee for:-

• Awareness

• Discussion

• Assurance

This report relates to a:-

• Legal requirement (statutory audit)

• Board strategy (improvement through independent review)

This aligns to the following NHSScotland quality ambition(s):-

• Effective

2. Report summary

2.1 Situation

This report provides a progress update against the open items being tracked through the External Reports Recommendations Tracker. A comprehensive level of assurance has been reported in respect of progress with agreed actions.

2.2 Background

The then Audit Committee established a tracker report mechanism to monitor progress with the implementation of the agreed recommendations arising from reports undertaken by external parties in September 2018, following a series of reviews that were undertaken in relation to the Board’s governance arrangements and internal systems of control.

The update was last presented to the Audit and Risk Committee Members in May 2021. All actions reported as complete at that meeting have now been removed from the tracker, leaving only four actions remaining.

2.3 Assessment

The reports from which recommendations are being tracked are:-

i. Annual Report on the 2019/20 Audit – Audit Scotland, and

ii. the Independent Review of Internal Audit undertaken by the Institute of Internal Auditors.

Detail of the progress towards implementation of these actions is included in Appendices 1 to 2. Since the report considered at the May meeting, action number b/f 10 (eHealth) has been advised as being complete. Action number 7 (Best Value) is noted as complete in respect of the action for the Performance and Resources Committee to consider value for money, however work continues around the wider Best Value framework. There is no change to action number 6 (Holding to account – committee governance arrangements: Member training), or the remaining action from the Independent Review of Internal Audit, as a result of Covid-19 related priorities for the NHS Fife Communications Team. Both actions are on track to be completed within the revised timescales advised.

2.3.1 Quality/Patient Care

No direct impact.

2.3.2 Workforce

No direct impact.

2.3.3 Financial

No direct impact.

2.3.4 Risk Assessment/Management

This process aims to mitigate risk.

2.3.5 Equality and Diversity, including health inequalities

N/A.

2.3.6 Other impacts

N/A.

2.3.7 Communication, involvement, engagement and consultation

Relevant Directors/Senior Managers have been consulted in preparing this update.

2.3.8 Route to the Meeting

Engagement with Directors/Senior Managers.

2.4 Recommendation

The Committee is asked to note awareness and review by discussion the status of the actions being taken to address the recommendations in reports in relation to the Board’s governance arrangements and internal systems of control undertaken by external parties.

A comprehensive level of assurance has been reported.

3. List of appendices

The following appendices are included with this report:-

• Appendix 1 - Action Plan - Audit Scotland - Annual Report (2019/20);

• Appendix 2 - Action Plan - IIA - Review of Internal Audit, and

Level of Assurance: Comprehensive Assurance

System Adequacy: Robust framework of key controls ensure objectives are likely to be achieved.

Controls: Controls are applied continuously or with only minor lapses.

Level of Assurance: Moderate Assurance

System Adequacy: Adequate framework of key controls with minor weaknesses present.

Controls: Controls are applied frequently but with evidence of non-compliance.

Level of Assurance: Limited Assurance

System Adequacy: Satisfactory framework of key controls but with significant weaknesses evident which are likely to undermine the achievement of objectives.

Controls: Controls are applied but with some significant lapses.

Level of Assurance: No Assurance

System Adequacy: High risk of objectives not being achieved due to the absence of key internal controls.

Controls: Significant breakdown in the application of controls.

Appendix 1: External Audit – Audit Scotland 2019/20 Annual Audit Report – Audit Scotland

No. 6

Recommendation: Holding to account – committee governance arrangements: Member training

The board should develop Board Member training needs analyses and personal development plans, linked to the Board’s corporate objectives, as soon as practicable.

Supporting action / action plan: The Non Executive Board Members training needs analysis will be developed on the basis of individual Non Executive Members training needs which are identified through discussions between the Chair and the Non Executive Members around their objectives and their personal input to the Board’s business. These discussions are ongoing.

Responsible officer: Chair/Board Secretary

Action date: 31 December 2020

Progress Comment: In progress. This action referred to the appraisal year 2019/2020, however the Non Executive Board Members’ appraisals for 2020/2021 will now commence in April 2021. A training plan, therefore, will be developed by the Chair and Board Secretary following the completion of the appraisals. If training opportunities arise the Non Executive Members discuss these opportunities with the Chair and/or Board Secretary to ensure they are relevant and applicable. Non-Executive training arranged through the Chair and Board Secretary’s office is recorded.

Responsible officer: Chair/Board Secretary

Action date: 31 July 2021

No. 7

Recommendation: Best Value

A formal review of the BV assurance framework and an assessment of the board’s BV arrangements should be completed in 2020/21. The outcome of the assessment should be reported to the Board.

Supporting action / action plan: The Board will consider the issue of value for money through Performance and Resources Committee during 2020/21 and will also map the Best Value Framework to the Board’s response to the Good Governance Blueprint.

Responsible officer: Director of Finance

Action date: 31 March 2021

Progress Comment: Action for Performance and Resources complete for 2020/21. Work on mapping wider Best Value Framework to be taken forward in 2021/22. Discussions with internal and external audit are ongoing to support the development of a Best Value Framework, however progress was impacted by the Covid-19 pandemic. Performance and Resources Committee considered a Best Value Review 2020/21 report at its meeting of 8 April, 2021, with a comprehensive level of assurance provided on Best Value - Use of Resources.

No. B/f 6

Recommendation: Holding to account – committee governance arrangements: Member training

The board should complete its review of Board Member training and development and develop training needs analyses and personal development plans, linked to the Board’s corporate objectives as soon as practicable. Progress with the new leadership programme should also be reported to the Staff Governance Committee as planned.

Supporting action / action plan: Outstanding

Progress with the new leadership programme was reported to the Board in October 2019. The review of Board Member training needs analyses and personal development plans, linked to the Board’s corporate objectives, has yet to be undertaken. This action is covered at point 6 in the 2019/20 action plan above.

Progress Comment: See action point 6 above.

No. B/f 10

Recommendation: eHealth

The board should complete its action plan on the eHealth service to ensure it has the capacity and capability to support transformation and the delivery of eHealth systems and structures. The action plan should include an assessment of the eHealth delivery plan to ensure that investment is appropriately targeted to ensure that it is well aligned with Transforming Tayside.

Supporting action / action plan: Partly completed

The Director of Digital Technology presented the Digital Annual Operating Plan to the Performance and Resources Committee on 11 June 2020. The director continues to prioritise a comprehensive digital strategy and progress is to be reported to the Digital Transformation Board, which will hold its initial meeting prior to 31 August 2020.

Responsible officer: Director of Digital Technology

Revised date: 31 August 2020.

Progress Comment: Completed

Director of Digital Technology has presented a comprehensive Digital Infrastructure Investment document that details the infrastructure and resource requirement to support the operating plan. Digital Transformation Partnership has met twice and is now fully operational.

Completed

This investment requirement continues to be considered by the Chief Executive and Director of Finance in the context of a challenging financial environment and competing priorities. Positive news has been received from the Director of Finance and an initial boost of recurring staffing budget as per requirement within the investment document phase 1 proposal is to be provided to allow for an increase in headcount.

The Digital Strategy continues to be developed through extensive consultation and has already considered its alignment to the review of Transforming Tayside and other strategies including Mental Health. This strategy further supports the requirements detailed in the investment document. First draft Digital Strategy now complete. This draft now requires to go through a governance and approval process with a further period of consultation with clinical and social care colleagues as well as patient representatives. The document will be further reviewed after this input is received and reviewed for final sign off in May 2021. The draft strategy was presented to the Board in May 2021, with positive feedback and approval of the approach received. NHS Tayside will now enter a final opportunity for consultation and then proceed with circulation of the document.

No. B/f 11

Recommendation: Best Value (BV)

A formal review of the BV framework should be carried out in 2019/20.

Supporting action / action plan: Outstanding

In their January 2020 Internal Control Evaluation report, internal audit noted that for 2019/20, the work on the Blueprint for Good Governance provides sufficient evidence of Best Value. Management has taken the view that this provides sufficient assurance to the accountable officer that arrangements are in place to secure BV. In our view further work is required in this area and this is covered at point 7 in the 2019/20 action plan above.

Progress Comment: See action point 7 above.

Appendix 2: Independent Review of Internal Audit

Recommendation: The updated IA Charter clearly sets out the purpose, authority and responsibility of internal audit.

To reinforce the key messages and raise internal audit’s profile we recommend the Chief Internal Auditor (CIA) should organise a series of short meetings across the organisation to explain the role of internal audit in the governance process. Emphasis should be placed upon how internal audit provides assurance on the management of strategic risks and other ways internal audit adds value to the organisation.

Supporting action / action plan: Action

The Chief Internal Auditor and Director of Finance will organise a series of briefings across the organisation to explain the role of internal audit and promote the Board’s governance arrangements. The Chief Internal Auditor has also agreed to develop an electronic briefing to be made available on the Intranet for managers, with particular reference to internal audit’s role in relation to risk management and added value.

Deadline: 30 November 2018

Progress Comment: Development of an electronic page on Staffnet is in progress. The best option appears to be an FTF web-site hosted by NHS Fife with links to Staffnet. Discussion with NHS Fife Communications team has taken place, and an update to their website is awaited, and due soon.

Status: Partially implemented. Agreement reached with NHS Fife IT colleagues that the FTF website will be hosted on the NHS Fife internet site and appropriate web support secured. Discussions with FTF client organisation's web masters to take place to allow links from intranet sites.

Further action required: Format and approach has been agreed with NHS Fife colleagues and it is expected that the pages will be placed on a digital platform by end April. Links to the NHS Tayside intranet to be in place by end June as agreed.

Revised date: 30 June 2021