AGENDA ITEM 10 – BOARD ASSURANCE FRAMEWORK

BOARD OF DIRECTORS 21 FEBRUARY 2018

Report title: Board assurance framework and corporate risk register

Report from: David Probert, chief executive

Prepared by: Helen Essex, company secretary

Previously discussed at: Management Executive 13 February and with individual risk owners

Attachments: Board assurance framework and corporate risk register

Brief summary of report

The Board Assurance Framework (BAF) is the means by which the Board holds itself to account and defends its patients and staff as well as the trust. It helps to clarify what risks will compromise the trust’s strategic objectives and should assist the Board in driving its agenda and determining where to make the most efficient use of their resources in order to improve the quality and safety of care. The Board should also support the creation of a culture which allows the organisation to anticipate and respond to adverse events, unwelcome trends and significant business and clinical opportunities.

The Board previously agreed to see an updated report each quarter showing progress against risk mitigation and a brief narrative report on the changes to, and risk flows between, the BAF and corporate risk register, which is maintained by the Executive Team.

However, the audit and risk committee will undertake a more detailed review of the BAF and make a recommendation as to the frequency of reporting to both the committee and the Board.

Action Required/Recommendation.

The Board is invited to discuss the updated board assurance framework and agree the process for future arrangements as described above.

For Assurance For decision For discussion To note


Board assurance framework report – Q3 2017/18

1. BAF analysis and summary of changes

The top-rated risks (score of 15 or above) to achieving the strategic objectives are as follows:

Failure to retain a ‘good’ CQC rating

Failure to deliver Project Oriel

Failure to achieve commercial growth

Failure to meet statutory regulations in relation to fire safety (new)

Failure to achieve CIP

Increased commissioner turbulence

All have been identified as risks that will have a significant impact on the delivery of patient care, the patient and staff experience, the financial sustainability and reputation of the trust or a combination of these. The identified areas are those that require the most focus from the Board in terms of scrutiny and provision of assurance from the executive team. Particular attention is also being given to those risks that are not wholly within the trust’s control to mitigate and a strategy developed as to how to manage such external factors.

1.1 Amendments made this quarter:

Learning from incidents

A failure to learn the lessons from incidents has been reduced from a 15 (5x3) to a 10 (5x2). This is due to the following mitigations:

The recommendations from the consultant job planning audit are almost completed and a re-audit is scheduled for March 2018. All job plans will have been reviewed by the end of March.

The recent clinical governance half days held for services were multi-disciplinary and agendas/outputs linked so that all services were receiving the same presentations and audits.

The World Health Organisation checklist is undergoing regular audits from quality partners and results are shared across divisions via the trust management board.

Emergency preparedness and resilience planning

A failure to have in place robust emergency preparedness and resilience plans has been reduced from a 15 (5x3) to a 10 (5x2). This is due to the following mitigations:

As well as an external rating of ‘good’ for EPPR preparedness, the trust will be testing its evacuation plan imminently.

An annual schedule of divisional testing is in draft and implementation will start from April onwards.

A full command post exercise is taking place on 23 February. The aim of this exercise will be to improve the ability of MEH NHSFT to respond to disruption. This exercise will assess plan(s) and the trust’s preparedness to respond to internal business disruptions or major incidents (internal or external).

Cyber-security attack

The risk of suffering from a successful cyber-attack has been reduced from a 16 (4x4) to a 12 (4x3). This is due to penetration testing being completed, development of action plans and further penetration testing scheduled. The action plans will be monitored by the information governance committee which reports through to management executive for senior management oversight.

Staff engagement

The risk score remains at a 12 but the impact has been increased (to 4) and the likelihood decreased (to 3). However, the score needs further revision when the staff survey results are published and impact better understood.


1.2 Additional risks added this quarter:

Fire safety (previously formed part of the risk relating to statutory obligations)

Fire safety has been added as a separate risk following the independent fire assessor’s report to the board. The score has been assessed as a 15 (5x3), although there are a number of mitigating factors:

In relation to the problem of too many cylinders being unregulated or not properly stored/signed within the required areas, estates have been working with resus, pharmacy and the medical gas committee to undertake the following actions:

1. Identified locations required, reducing overall numbers

2. Removed all excess gas cylinders

3. Installed signage and storage

4. Introduced an agreed management strategy with pharmacy to control issue of cylinders

5. Updated policy to identify locations and management process agreed and published via Risk and safety committee

The board requested a fire safety compliance plan which is being presented in February.

The board received positive assurances about the top level fire system, the issue of escape routes (vertical and basement/ground floor) being addressed and compartmentalisation (where economically feasible) being in place.

The fire drill programme is in place and drills are repeated when not good enough. A full evacuation of City Road will be taking place by the end of February.

However, there are still cultural and behavioural issues that require additional focus and these are more challenging to manage.

Overall

All dates and mitigating action plans have been updated to reflect the latest position.

Risk appetite

It is suggested that the board consider adding a risk appetite factor to each risk which should assist the assessment of the levels of control and assurance applied to a risk and whether any additional mitigating action is required. This was suggested as part of the well led framework review and has been incorporated into the new risk management strategy. The matrix is included in the table below:

AVOID: No appetite. Not prepared to accept any risks

AVERSE: Prepared to accept only the very lowest levels of risk, with the preference being for the ultra-safe delivery options while recognising that these will have little or no potential for reward/return

CAUTIOUS: Willing to accept some low risks, while maintaining an overall preference for safety options, despite the probability of these having mostly restricted potential for reward/return

MODERATE: Tending always towards exposure to only modest levels of risk in order to achieve acceptable, but possibly unambitious outcomes.

OPEN: Prepared to consider all delivery options and select those with the highest probability of productive outcomes, even when there are elevated levels of associated risk

HUNGRY: Eager to seek original/creative/pioneering delivery options and to accept the associated substantial risk levels in order to secure successful outcomes and meaningful reward/return

The executive team has reviewed the BAF and the corporate risk register and is satisfied that there are no additional risks that require escalation to the board in this quarter.

2. Summary of corporate risk register changes


Risk scores raised

Growth in Moorfields private – increased from 8 (4x2) to 15 (5x3) to correlate with the BAF.

Risk scores reduced

Policies – reduced from 12 (4x3) to 9 (3x3). Impact unlikely to be major, majority of policies in place across the trust and adhered to by all services.

Cyber-security attack – reduced from 16 (4x4) to 12 (4x3) (as per commentary on the BAF).

Major IT failure – reduced from 12 (4x3) to 8 (4x2) due to successful disaster recovery exercises and future DR exercises planned for the summer.

Poor environment in outpatient clinics – reduced from 15 (3x5) to 12 (3x4) due to improvement programmes taking place and being rolled out to more sites including Croydon and Mile End.

Risk to be added

No new risks were added this quarter (fire safety raised to the BAF).

Risks to be removed

Risk 20 – Delays to Project Oriel

This risk will form part of the more detailed Project Oriel risk register.

Risk 28 – Proactive consideration given to communications resource

This risk will form part of the strategy and business development risk register.

Risk 47 – Following the principles of the mental capacity act

All actions have been completed and the risk score is mitigated to a 6 – will form part of the safeguarding risk register.

Risk 48 – Insufficiently trained paediatric staff

This risk related to a specific issue at SGH which has now been resolved. Risk reduced to a 4 and removed from register.

Risk 49 – Inpatient wards breaching mixed sex accommodation standards

This risk has been resolved due to the decant to St Anthony’s and the refurbishment of Duke Elder ward. Reduced to a 4 and removed from the register.

Risk 51 – Data warehouse failure

This risk will form part of the IT risk register.

Risk 76 – Determining the operational state of the hospital

This risk will form part of the more detailed Project Oriel risk register.

3. Other risk management activities (future reports to include progress updates)

a. Review of risk management strategy and policy (partially completed, to be finalised March 2018)

b. Electronic risk management system – plan for trust-wide roll out (for completion by December 2018)

c. Development of annual governance statement (AGS) (draft to audit and risk committee in April 2018 and final draft to the Board in May 2018)

d. Risk management training plan and roll out being developed as part of the well led action plan.

4. Conclusion

It is anticipated that the changes made to the process of reviewing the corporate risk register and board assurance framework along with the planned activities listed above will provide robust assurance that risks are being managed in a more systematic way until the electronic system is fully implemented.

Board Assurance Framework - V1.0 (Care)

Strategic Objective 1. Care - We will pioneer patient-centred care with exceptional clinical outcomes and excellent patient experience

CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous score

Risk: CQC Compliance
CQC domain link: All domains
Risk description: If the trust fails to comply with the CQC fundamental standards and if actions arising from the CQC visit are not implemented at sufficient pace then clinical standards may not be met leading to significant patient harm, deterioration in patient outcomes, a failure to maintain a CQC rating of 'good' and a serious reputational risk to the trust.
Exec lead: TL
Key controls: Action plan process in place with monthly review at Executive and Board level; Widespread communication about CQC report and actions arising; Quality summit; CQRG monitoring; More than 80% actions implemented with clear timeline in place for implementation of outstanding actions
Gaps in control: Evidence required that actions arising from CQC action plan have been embedded and can be sustained; Action plan to be 100% complete; Outcome of internal Moorfields Private assessment not known; Divisional assessments not yet planned
Key assurances: Quality & Safety committee; Management Executive; Divisional Board and performance review meetings
Gaps in assurance: Independent review or audit of the CQC action planning process; Forward planning for divisions to prepare for future CQC inspections; Engagement with CQC inspectors
Mitigating actions: Action plan to be fully implemented (IT, Mar 18); Discussion with KPMG about auditing the CQC planning process and how the actions have been embedded - under way (IT, Mar 18); Formally agree monitoring output of MP assessment and action plan at QSC (IT/TL, Mar 18); CQC preparation - divisional self-assessments to be completed and scrutinised by executive panel (IT, Jul 18)
Impact: 5
Likelihood: 3
Risk score: 15
Target score: 8 (4x2) - Robust planning will allow the trust to mitigate the impact and likelihood
Previous score: 15

Risk: Fire safety
CQC domain link: Safe, Effective, Well Led
Risk description: If the trust fails to comply with statutory regulation in relation to fire safety or meet targets for mandatory training then this will lead to regulatory intervention and a significant impact on patient care and outcomes, staff morale and the trust's reputation. Potential increase in likelihood of patient and staff harm.
Exec lead: SD
Key controls: Fire Safety report from independent fire assessor; Fire policy (recent review); Fire risk assessment; Mandatory training figures; Fire drills
Gaps in control: Fire drills programme behind and evaluation from fire drills to be analysed; Process of cultural change needs to be embedded; Improvement in training compliance in some areas (specifically fire site cover).
Key assurances: Fire Safety group (subgroup of Risk & Safety committee); Independent fire safety advisor; Board of directors
Gaps in assurance: Board requested assurance on the following areas: Training attendance, Fire drills, Marshal returns, Filing room, Management of cylinders; Acknowledged that culture and behavioural issues continue to be challenging.
Mitigating actions: Update on fire safety compliance timescales to be provided at the board meeting in February (SD, Feb 18); Action already taken on management of cylinders (see narrative report)
Impact: 5
Likelihood: 3
Risk score: 15
Target score: 10 (5x2) - Good controls and processes in place, but need to change cultural and behavioural issues
Previous score: New risk

Risk: Patient and Carer Experience
CQC domain link: Caring, Safe, Responsive
Risk description: If there is deterioration in patient and carer experience then this will lead to patients choosing to be treated elsewhere and a significant reputational risk to the trust plus a corresponding loss of income.
Exec lead: TL
Key controls: Positive friends and family test scores; CQC patient surveys; Members week report and feedback; SIS programme (including patient feedback); Other service improvement projects
Gaps in control: Evidence required that actions arising from CQC action plan have been embedded and can be sustained; Action plan to be 100% complete; Outcome of internal Moorfields Private assessment not known; Divisional assessments not yet planned
Key assurances: Regular contact with patients through SIS Programme Board; Patient surveys and feedback reported through various channels including Board of Directors; Management Executive; Bi-annual Q&S reports to the Board; Patient experience and carer committee through to clinical governance and QSC
Gaps in assurance: Patient experience focus groups; Patient experience reporting
Mitigating actions: Patient participation strategy approved and dates established for the patient participation group. Next steps to develop and agree formal monitoring of the patient participation implementation plan (TL, Mar 18)
Impact: 4
Likelihood: 3
Risk score: 12
Target score: 6 (3x2) - Both impact and likelihood can be effectively mitigated
Previous score: 12

Risk: Statutory obligations
Risk description: If the trust does not meet its statutory obligations in relation to health & safety, infection control, etc. then there could be breaches in standards and other failures leading to significant patient harm, financial penalties and regulatory intervention. See specific controls and assurances below:
Exec lead: DP
Key controls: Controls exist through management oversight groups; Policies are generally up to date and a detailed review mechanism is in place; Scrutiny and challenge is undertaken by the Board subcommittees; CQC rating of 'good' achieved; Permanent head of legal services in post
Gaps in control: Policy rationalisation review; Backlog maintenance although this is covered through the Estates department who have a detailed programme in place
Key assurances: Audit and risk committee; Quality and safety committee; Subgroup structures that sit under Trust Management Board and Management Executive including Clinical Governance Committee
Gaps in assurance: Governance structure for reporting requires review and clarity; Regular reporting of mandatory and statutory training figures; More robust reporting of issues at divisional level
Mitigating actions: Review of governance structures for each statutory function (responsible exec, Mar 18); Formal structure for reporting statutory issues through to divisional board meetings to be considered (JQ, Mar 18)
Impact: 5
Likelihood: 2
Risk score: 10
Target score: 10 (5x2) - Impact will always be high, robust controls in place
Previous score: 10

Health & Safety
Exec lead: TL (IT)
Key controls: Health & Safety Annual Report; Health & Safety policies; Mandatory training figures and targets (being revised)
Gaps in control: Review health & safety provision
Key assurances: Health & Safety group (subgroup of the Risk & Safety Committee)

Infection Control
Exec lead: TL
Key controls: Infection Control Annual Report; Infection Control policies; Mandatory training figures
Gaps in control: None identified
Key assurances: Infection Control Committee (subgroup of Clinical Governance and QSC)

Risk: Learning the lessons
CQC domain link: Safe, Responsive, Well Led
Risk description: If the trust fails to identify or address poor clinical practice then there could be multiple serious incidents leading to significant patient harm, regulatory intervention or damage to reputation.
Exec lead: DF
Key controls: Robust incidents and complaints systems in place; Mandatory annual appraisal and revalidation for medics and nurses in place; Clinical supervision policy; Sub-specialty structure with each monitoring against outcome measures; WHO Checklist reporting; Deanery review in 2015 confirmed excellent SPR medical training in CR and North London sites; Positive quality review done by the GMC in July 2017 on trainees
Gaps in control: Pathways to other hospitals need to be more robust and joined up; Challenge to mitigate against human error; Audit of the WHO checklist process
Key assurances: Business meetings at service level with management support; Divisional Board meetings; Progress and reporting on SIs done via the Quality & Safety and Clinical Governance committees; Clinical audit plan approved through QSC; Trust Management Board
Gaps in assurance: Systemic process for disseminating lessons learned to be established
Mitigating actions: Consultant supervision and job planning - recommendations from audit nearing completion, re-audit due. All job plans will be reviewed by end of March. (DF/HR, Mar 18); Outputs from learning the lessons sessions and thematic reviews disseminated via CG MDT half day events (7 February). Agendas linked and audit results shared across services
Impact: 5
Likelihood: 2
Risk score: 10
Target score: 8 (4x2) - Both consequence and likelihood can be mitigated but always need to factor in human error
Previous score: 15

Risk: Compliance with national targets
CQC domain link: All domains
Risk description: If the trust fails to comply with or meet national targets then this will lead to regulatory intervention and a significant impact on patient care and outcomes, staff morale and the trust's reputation.
Exec lead: JQ
Key controls: Divisional performance reviews; Divisional Board meetings reviewing national targets; Monthly IPR to Board meeting showing trend data and individual targets for each domain; Remedial action plans in place for each red or amber indicator
Gaps in control: None identified
Key assurances: Detailed performance information reviewed through divisional performance meetings and divisional boards. IPR reviewed through Management executive, TMB and Board of Directors
Gaps in assurance: None identified
Mitigating actions: Regular review of the process along with a project to develop process improvement required (JQ, Mar 18)
Impact: 4
Likelihood: 2
Risk score: 8
Target score: 8 (4x2) - Good controls and processes in place, unlikely to be able to mitigate this risk down further
Previous score: 8

Safeguarding
Exec lead: TL
Key controls: Safeguarding Annual Report; Safeguarding policies in place; Mandatory training figures (including PREVENT and Mental Capacity Act)
Gaps in control: None identified
Key assurances: Safeguarding Adults and Children's groups (subgroups of Clinical Governance and QSC)

Safe, Effective, Well Led

As above As above

Board Assurance Framework - V1.0 (Research)

Strategic Objective 2. Research - We will be at the leading edge of research making new discoveries with our partners and patients

CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target score Previous score

Risk: Research Funding
CQC domain link: Effective, Well Led
Risk description: If the trust cannot attract sufficient funding to maintain its position then its capacity to conduct appropriate research will diminish leading to an inability to compete effectively for funding and a significant risk in terms of the trust brand and reputation in the field.
Exec lead: PK
Key controls: TBC
Gaps in control: TBC
Key assurances: Research Governance Committee; JVIS; Research finance report at Strategy & Investment committee; Board of Directors
Mitigating actions: Research finance report being reintroduced as per Board request. First report to come to SIC in January/March 2018 (SD, Mar 18)
Impact: 5
Likelihood: 2
Risk score: 10
Target score: 10 (5x2) - Impact will remain high and likelihood is mitigated as far as it can be.
Previous score: 10

Risk: Research staff
CQC domain link: Effective, Well Led
Risk description: If high quality research staff cannot be engaged and retained then research activities will not be fulfilled leading to withdrawal of funding or damage to reputation
Exec lead: PK
Key controls: Programme underway led by Dep CD of Clinical Research Facility, Dr Richard Lee and Mr Praveen Patel to work with peers to champion research involvement.
Gaps in control: Strategic approach to encouraging staff to be engaged in research
Key assurances: Joint Vision and Strategy Committee; Research Governance Committee; Quality & Safety Committee; Management Executive & Board of Directors (through IPR)
Gaps in assurance: Some external factors beyond trust control (e.g. staff leaving for larger research organisations)
Mitigating actions: Review incentives, reward and recognition for this endeavour. (PK, Jan 18); Assess effectiveness of revised incentives on engagement (MH, Jan 18); Engage SIS programme to align operational and research activity (MH, Jan 18)
Impact: 3
Likelihood: 4
Risk score: 12
Target score: 6 (2x3) - May be able to mitigate both impact and likelihood through revised process
Previous score: 12

Risk: Research Governance
CQC domain link: Effective, Well Led
Risk description: If research governance is not robust then there may be clinical or operational risks that are not managed or escalated appropriately leading to patient harm, withdrawal of funding or damage to reputation.
Exec lead: PK
Key controls: National and external oversight processes; Joint governance and management processes between MEH and UCL; Research adheres to all MEH policies; All research goes through the same process and structure; Research quality management system; Research governance summary report; Research KPIs
Gaps in control: Non-research doctor to chair Research governance committee
Key assurances: Research Governance Committee; Research Quality Review group; Data Management committee; Regular RG report to the Quality & Safety Committee; New Joint Vision & Strategy Committee
Gaps in assurance: More formal, regular reporting from RG to QSC; More robust trust Management oversight to be considered
Mitigating actions: Medical director to chair (DF, Dec 17); Report to QSC to be considered (PK, Dec 17); Cycle of business to be established with more formal subgroup reporting cycle (IT, Mar 18)
Impact: 4
Likelihood: 2
Risk score: 8
Target score: 4 (4x1) - Impact will remain high but can mitigate likelihood through improved governance process
Previous score: 8

Board Assurance Framework - V1.0 (Knowledge)

Strategic Objective 3. Knowledge sharing - We will innovate by sharing our knowledge and developing tomorrow's experts

CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Risk Appetite Previous score

Risk: Innovation
CQC domain link: Effective, Responsive, Well Led
Risk description: If there is a failure to provide sustainable innovation or lead the way nationally in transforming services then the trust will not be able to respond to changes in commissioning demand or competition from other organisations, attract and retain the best staff and meet increasingly challenging targets.
Exec lead: JQ
Key controls: Service improvement & sustainability programme board has been established; Governance structure in place and operational; Programmes of work identified and teams with SROs agreed; Work with partners on innovation in services
Gaps in control: CCG and provider financial challenge leads to tensions in commissioning provision and more regular tendering for services within a reduced financial envelope
Key assurances: Trust Management Board; Board of Directors; Membership Council
Gaps in assurance: Clinical workshops
Mitigating actions: Systematic approach to developing and leading national strategy to be defined; New models of care and service improvement identified as two of the five key strategic priorities. Development of a plan for Q1 and the end of 2018/19 to be considered by the board in March (JQ, Mar 18)
Impact: 4
Likelihood: 3
Risk score: 12
Risk appetite: 6 (3x2) - Impact and likelihood can be mitigated
Previous score: 12

Board Assurance Framework - V1.0 (Policy)

Strategic Objective 4. Policy - We will collaborate to shape national policy

CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous score

Risk: Relationships
CQC domain link: Responsive, Well Led
Risk description: If the trust fails to establish and maintain effective relationships with internal and external stakeholders then there will be an adverse impact on the trust's reputation and ability to influence the local and national agenda.
Exec lead: DP
Key controls: Commitment to STP partnership and membership of national networks; Representation on key bodies, e.g. WAEH (CE), UCLP (CE), NCL STP (Chair, CE and CFO)
Gaps in control: Designated roles and responsibilities for agency relationships at strategic and locality level
Key assurances: Management Executive; Board of Directors
Gaps in assurance: Formal horizon scanning and reporting from external groups and meetings required
Mitigating actions: Stakeholder mapping being done via the communications strategy. Once approved the relationship owners will be mapped out and designated (JM, Mar 18); STP reporting to be included as a standing item on the management executive agenda (HE, Feb 18)
Impact: 4
Likelihood: 2
Risk score: 8
Target score: 6 (3x2) - Will be able to mitigate both impact and likelihood
Previous score: 8

CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target score Previous

score

Safe, Responsive, Well

Led

Recruitment and retention

If the trust does not have a robust

plan in place for recruitment and

retention then there will be staff

shortages and skill gaps leading to

insufficient numbers of staff

available in key areas and a

subsequent impact on quality of

patient care, pressure on staff, staff

and financial planning.

HR KPIs reported monthly to

directorates and departments

Local action plans in place

Nursing recruitment and retention

work including capital nurse

programme

Recruitment open days and

presence at recruitment fairs

Detailed understanding of drivers of

high turnover

Weekly staff bulletin showing

current vacancies

Staff development through job

planning process and personal

development plans

Actions arising from

retention report

Audit report on consultant

job planning and appraisal

figures

Management Executive

(through IPR)

Board (through IPR)

People committee

Nursing retention paper

through TMB

HR scorecards being

developed for review

at the divisional board

meetings.

Action plan in place and being

reviewed by the people

committee (HR, Feb 18)

Improved on-boarding

processes (HR, Mar 18)

Career clinics for staff wanting

to develop and progress (HR,

Mar 18)

Improved apprenticeship

schemes (HR, Mar 18)

Recommendations from audit

on consultant job planning in

progress (HR, DF Mar 18 )

4 3 12

9 (3x3)

Currently the

largest risk facing

the NHS, some

mitigation can be

done but facing

national problems

12

Safe, Well Led Staff competence

If mandatory training and appraisal

standards are not met then staff

may not be competent to carry out

their functions and managers will

not fully understand the

development needs of the workforce

leading to potential patient harm,

poor patient care and outcomes,

increases in serious incidents and

intervention by professional bodies

and the regulator.

HR Oversight by mandatory training

group

Insight system now embedded

across the organisation

Reports continually produced to

hold departments/managers to

account

Ten core high-volume mandatory

training subjects have been

converted to online programmes

From Jan 2017 new starters have

been required to complete the core

subjects prior to starting.

Strengthen the

accountability of divisional

management

Strengthen accountability

of corporate management

Divisional Board

meetings

Management executive

People committee

Appraisal paper to

management executive,

currently at 83%

None identified Managers authorised to reject

annual leave requests until

mandatory training has been

completed - need to raise

awareness (HR, Mar 18)

Corporate performance

reporting in place but

escalations up to management

exec need to be more robust, to

be addressed through the MAST

group (HR, Mar 18)

4 3 12

8 (4x2)

Impact will always

be high but

likelihood can be

mitigated

12

Responsive, Well Led Staff engagement

If engagement with staff is

ineffective and inconsistent then

they will have a lack of confidence in

the organisation's approach to

workforce issues leading to poort

staff retention and morale,

deterioration in the quality of

patient care and a risk to the trust's

reputation as an employer of choice.

HR Staff Survey results

Local action plans in place to

address specific staff survey

concerns

Leadership development

programme has commenced

following clinical restructure

Lack of consistent

application of the dealing

with breaches in

behaviours

Management Executive

People committee

Divisional Board

meetings

HR scorecards being

developed for review

at the divisional board

meetings.

Leadership development next

steps being discussed via

management exec

Internal audit review on

equalities and diversity is under

way (HR, Mar 18)

Robust action planning and

feedback required following

results of staff survey (HR, Apr

18)

Risk score to be revised

following results of staff survey

(HR, Apr 18)

4 3 12

6 (3x2)

Both impact and

likelihood can be

mitigated with

improved

engagement and

communication

12 (3x4)

Board Assurance Framework - V1.0 (Workforce)

Strategic Objective 5. Workforce - We will attract, retain and develop great people

CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous score

Effective, Well Led

Project Oriel

If the key assumptions behind

Project Oriel are not achieved then

there may be insufficient capital and

resources available leading to a

failure to deliver the project

objectives and a significant

reputational risk to the trust.

DP

(JM)

Active engagement with current

owner of preferred site as part of

NCL STP

Influencing strategy for key

individuals across the system is in

operation

Optimism bias built into business

case

Land purchase business case agreed

by the Board

Development advisor appointed

Securing land at St Pancras

Certainty of sales proceeds from

City Road

Board of Directors

Strategy & Investment

Committee

Project Oriel joint advisory

committee

None identified at this

stage

Agreeing Heads of Terms with

MEC (SD, Mar 18)

Implementation of joint project

governance (JM, Apr 18)

Delivery of OBC (spring/summer

2019)

5 3 15

10 (5x2)

Impact will always

be high, likelihood

can be mitigated

15

Effective, Responsive,

Well Led

Cyber Security

If there is a successful cyber attack

then the trust may suffer from a loss

of service and staff may be

unable to access patient records

leading to a significant impact on

patient care and outcomes and

reputational damage to the trust.

SD

IT Security policy

Annual penetration tests

Disaster recovery plan in place

including cyber-security action cards

NHS Cyber alerts actions

Annual cyber-security assessment

Robust patching policy and

procedures

17/18 penetration test and

completion of action plan

17/18 cyber security

assessment and action plan

Additional toolsets to support

cyber-security

Information Governance

Committee

Audit and risk committee

Independent review

Additional penetration testing

complete. Ongoing action plan

and further pen testing to be

undertaken throughout the year.

Updates to be provided through

Information Governance and

ManEx. (AD, Apr 18)

4 3 12

9 (3x3)

Both likelihood and

impact need to be

minimised

16

Safe, Well Led

Emergency preparedness

If there are insufficient emergency

and resilience plans in place to

respond to a major incident then the

Trust will not be able to effectively

respond to urgent and emergency

situations leading to patients and

staff being at risk of significant harm.

JQ

Emergency Response policy

Business continuity plans in place

and subject to regular multi-

disciplinary exercise programme

Senior leader briefings

Building maintenance programme

Regular inspections

Trust externally audited and rated

'good' for EPRR preparedness

Annual testing of BCP/DR plans

within divisions

Emergency Planning group

Management Executive

None identified at this

stage

Evacuation testing to be done by

end of Feb (JQ, Feb 18)

Divisional plan to start

implementation from April (JQ,

Apr 18)

Command post exercise taking

place February to test resilience

plans (JQ, Feb 18)

5 2 10

10 (5x2)

Impact will always

be high, likelihood

can be mitigated

15

Effective, Well Led

Accommodation

If services are provided from poor

standard accommodation that is not

fit for purpose then this will have an

adverse impact on the patient

experience and staff morale and

could also lead to regulatory action

in relation to breaches of health &

safety or fire legislation.

SD

System in place for recording

statutory and mandatory

compliance and identifying where

areas of non-compliance exist

Some leases are in place

Compliance assurance sought

regularly from host trusts

Interim compliance officer

appointed

Project Oriel

Backlog maintenance programme

and other works embedded in

Estates system

Effective and enforceable leases

in place across the whole

network

As per Project Oriel control gaps

relating to St Pancras and

clarification of City Road

timeline

Capital project and oversight

group

Management executive

Strategy & Investment committee

Quality & safety committee

Estates Compliance Assurance

Manager

Lease monitoring systems

None identified at this

stage

Convert existing agreements to

leases (update: leases not yet

agreed in some areas (e.g. SGH))

(SD, Mar 18)

4 3 12

8 (4x2)

Impact and

likelihood can be

mitigated although

reliant on Project

Oriel to achieve

12

Board Assurance Framework - V1.0 (Infrastructure)

Strategic Objective 6. Infrastructure - We will have an infrastructure and culture that supports innovation

Effective, Responsive,

Well Led

Information Governance

If there is a failure to comply with

information governance procedures

(including new GDPR legislation)

leading to a breach then there is a

risk of a significant fine from the ICO

and a reputational risk to the trust.

TL

(IT)

Suite of IG policies in place including

confidentiality of information,

management of records, privacy and

FOI

New Health records destruction and

retention policy undergoing

consultation

Information Governance Toolkit

Data flow mapping

GDPR project plan

Awaiting national GDPR

guidance which may not be

available until April 2018

Some areas rela

Information Governance

Committee

Management executive

Quality & Safety Committee

Unable to assure in some

areas relating to GDPR

such as:

Information Asset

management

Data portability

Consent

Data breaches

Third party contracts

Individual rights

Privacy impact

GDPR - Task/finish work streams

have been established for each

named area and additional

controls and mitigating actions

have been identified for each

task/finish group to complete.

Briefing to March board and

management exec (IT, Mar 18)

IG toolkit compliance - reported

through annual governance

statement and board. Minimum

level 2 required (IT, Mar 18)

4 3 12

8 (4x2)

Impact will always

be high but the

likelihood can be

mitigated

12

CQC Domain link Risk description Exec Lead Key controls Gaps in control Key assurances Gaps in assurance Mitigating actions Impact Likelihood Risk Score Target Score Previous score

Effective, Well Led

Cost improvement programmes

If the trust fails to achieve cost

improvement targets then this leads

to pressure on budgets affecting

staff morale, patient care and

inviting increased scrutiny from

regulators and commissioners.

SD

Monthly financial reporting and

finance dashboards

Divisional performance and board

review

Corporate CIP challenge sessions

Challenging targets set and

acknowledged

A certain level of CIP

remains unidentified

Assessment of budget

impact on planning for next

year

Finance committee

Management Executive

Board

Divisional meetings

None identified

Increased challenge sessions

in later months of the year

(SD, Mar 18)

Robust planning and

achievable targets for 18/19

(SD, Mar 18)

Assessment of budget impact

to be included in planning

(SD, Mar 18)

Currently in planning round

process.

4 4 16

8 (4x2)

Impact will

always be high,

mitigations can

be effected

through

planning and

compliance

process

16

Effective, Well Led

Commissioner turbulence

If there is continued or increased

turbulence in the commissioning

landscape then this will lead to

increasing pressure on services,

more notices of termination and

tendering of services leading to loss

of contracts and income, a significant

impact on staff and serious

reputational risk.

SD

Signed contracts with

commissioners

Engagement with commissioners

in order to give notice of future

funding pressures

Negotiations that form the

regular contracting round

Awareness and being

sighted on forthcoming

funding requests

Lack of influence over

commissioner decisions

made to address their

internal funding issues

Commissioner meetings

Management executive

Robust commissioner

relationships at division level

Stakeholder mapping and

customer relationship

management review taking

place as part of the

communications strategy

(JM, Mar 18)

Regular meetings with

commissioners and move

towards implementing service

change. Regular updates to

board.

5 3 15

8 (4x2)

Impact and

likelihood can

both be

mitigated

15

Effective, Well Led

Financial Plan

If the trust fails to meet its financial

plan then this may result in a

reduction in STP funding,

cancellation of major projects, an

adverse impact on NHSI metrics and

an increasingly challenged financial

position impacting staff, patients

and the trust's reputation.

SD

Financial plan/budget

development, including CIPs

Major capital expenditure and

funding sources identified

Short term capital investment

commenced to maintain and

increase capacity of services and

improve environment

Active engagement by CFO with

the local health system

SFIs reviewed

Divisional performance

management meetings in place

Costing project initiated

Confirmation of financial

commitments

Better understanding and

tighter control of costs

External audit

Finance Committee

Monthly board reporting

Monthly budget

statements to budget

holders

None identified

Reporting to the finance

committee on longer term

financial planning. Financial

plan has been met for 17/18.

Draw up engagement plan for

engagement of wider trust

leadership team with local

health systems (JM, Mar 18)

Patient level costing to be put

in place and embedded (SD,

Mar 18)

5 2 10

10 (5x2)

Good controls in

place, no further

mitigations likely

10

Board Assurance Framework - V1.0 (Financial)

Strategic Objective 7. Financial - We are able to deliver a sustainable financial model