Business Services Organisation (BSO)


Paper BSO 24/2017

23 March 2017

Board

Corporate Risk and Assurance Report 2016-17

1. Purpose of this report

The purpose of this report is to record changes to the Corporate Risk & Assurance Report made between December 2016 and March 2017 and to outline progress made to date on risk actions.

2 Changes to Corporate Risks

New Risks – The following new risk is proposed by the Director of Operations.

12. Use of manual interventions and lack of automated reporting functionality in dental system may lead to inaccurate payments resulting in financial and reputational implications

Revised Risks – The following risks have been updated and/or re-numbered with changes shown in red: 1, 2, 3, 5, 6, 7, 8, 10, 11 and 12.

Removed Risks – No risks are proposed for removal


Corporate Objective No 1: To Deliver Value for Money Services to our Customers

Report on Board Action Plan

Risk Description (Include DATE ADDED) | Current Risk Score (L / I / S / Rate) | Controls | Assurances | Action | By Whom | End Date | Comment

1. Levels of savings in the overall environment for HSC are so great that BSO service provision to customers are negatively affected and/or we fail to breakeven.

The Leadership Centre may be particularly affected by a reduced level of client income e.g. HSCB

Risk Owner(s): DoF; CX / Dirs

Type of risk: Economic & Financial

Current Risk Score: L 4 / I 4 / S 16 / Rate: High (trend: no change)

Budgetary Process Breakeven Budget with specified savings programme

Latest Best Estimates

Service Offering

Meetings held with DHSSPS sponsor branch

Budgetary Monitoring (I); SMT Accountability to CX (I); External Audit - Report to those charged with Governance (E); Budgetary Control process (I); Directorate Service Team Meetings (I); Financial Accountability Reviews with Directors (I); Financial Management Standard (I) & (E); Risk Reporting & Review (I); CX Review of Dirs Objectives (I); Dept Accountability Review (E); MIPB Assessment

Develop 2017/18 service offering

DoF/ADFM

March 2017

BSO received a 2016/17 DHSSPSNI allocation letter on 16 March 2016, providing formal confirmation that a 15% cut to the BSO recurrent RRL had been applied, effective from April 2016. 2016/17 budget was approved at Board meeting on 26th May.

Monthly budgetary control process indicates that savings are being delivered in accordance with plans and a break even position is forecast.

At the request of the DoH, BSO have recently submitted scenarios for the 2017/18 financial year reflecting RRL reductions between 2% and 15%.

Work has commenced on the preparation of the 2017/18 service offering, including work to realign SLA charges for the 17/18 year onwards.

Risk Score Legend: L for Likelihood / I for Impact / S for Score – Risk Trend: â = No Change / ã = Risk Increasing / ä = Risk Decreasing

Assurance Legend: I for Internal Assurance / E for External Assurance


Corporate Objective No 1: To Deliver Value for Money Services to our Customers

2. Inability to prove quality, productivity and VFM, and show that we are competitive and addressing customer expectations.

Risk Owner(s): DoCCP; Dirs

Type of risk: Financial, Customer/Citizen & Partnership Contractual

Current Risk Score: L 2 / I 4 / S 8 / Rate: High (trend: no change)

Existing Processes to measure Quality Standards; SLAs; KPIs; Framework / Scorecard; Monthly report to Customers; Internal Audit programme; Audit Control Process; Annual Quality report. Benchmarking performance reported to Business Committee

Accredited Bodies - ISO/Lexcel (E); Monthly Reports to Customers (I); Scorecard monitoring; SLA Monitoring (I); Financial Management Standard (I) & (E); Customer Survey (E); SMT Meetings (I); GAC Audit Control Review (I); Dept Accountability Review (E); MIPB Assessment

Further participation of BSO Services in Benchmarking programme for 2016-17.

Annual customer surveys

DoCCP

April 2017

March 2017

Further areas are undertaking benchmarking questionnaires and updates will be reported to Business and Development Committee April 2017

2016/17 SLAs have been issued. 17 of 18 have been signed and returned. DoH to be made aware of the position.

Reported to SMT on 18th January 2017. One survey was reopened and results due to be presented to Board end of March together with options for customer satisfaction measurement moving forward.


Corporate Objective No 1: To Deliver Value for Money Services to our Customers

3. Risk of not achieving the agreed Shared Services business case outcomes for HR and Finance systems leading to financial and reputational damage.

Risk Owner: Head of SS

Type of risk: Financial; Reputational

Current Risk Score: L 3 / I 4 / S 12 / Rate: High (trend: no change)

Departmental oversight of BSF; Fortnightly departmental meetings; Monthly AD forum; Monthly Finance AD forum; Monthly HR AD forum; Quarterly regional orgs customer forum; BSTP programme board; SEHSCT migration complete

Departmental oversight of BSF; Monitoring of service delivery against KPIs

WHSCT migration

Execute BSF workplan

FPL upgrade

Head of Shared Services, March 2017

Head of Shared Services, Mar 18

Head of Shared Services, Sept 17

WHSCT deployment of eRec was completed March 2016. WHSCT commissioned an audit on migration readiness which has been completed in March 17. Recommendations have been submitted by Internal Audit to contribute to the migration planning. WHSCT have shared a provisional plan for deployment of shared services commencing April 2017.

Upgrade has been delayed by the supplier. Phase 1 is due to be completed June 2017 and Phase 2 by September 2017


Corporate Objective No 1: To Deliver Value for Money Services to our Customers

4. HSC restructuring leads to a reduced level of SLA income from HSCB who are currently our largest customers. If HSCB functions are split across a range of organisations there is a risk to the stability of this income source, and therefore BSO’s ability to effectively deliver the services

Risk Owner(s): SMT

Type of risk: Financial, Customer/Citizen & Partnership Contractual

Risk added: 9.12.2015

Current Risk Score: L 3 / I 4 / S 12 / Rate: High (trend: no change)

CEx is a member of the HSC Restructuring Programme Board.

Engage as early as possible to identify to which organisation(s) current HSCB services will transfer to.

SLA/ funding realignment to be identified and progressed following clarity on redistribution of services.

DoCCP

March 2018

DoCCP / DoF

2017/18 - TBC

The CEx is a member of the HSC Restructuring Programme Board. The design phase is ongoing with further public consultation expected Autumn 2016.

Implementation of the programme plan is likely to commence during 2017/18 with completion planned for early 2018/19.


Corporate Objective No 2: To Grow our Services and Customer Base

5. There is a risk that BSO will be unable to implement the Social Care Procurement project resulting in slippage in procurement programme to address the new light-touch regime detailed in regulations 74-77 of the Public Contracts Regulations 2015

Risk Owner: Dir of Ops

Type of risk: Partnership / Contractual; Legislative / regulatory

Risk Added: 24/05/2016

Current Risk Score: L 3 / I 4 / S 12 / Rate: High

PRINCE2 Project methodology and project structure in place including project control strategy; Oversight by Regional Procurement Board; Governance structure; Strategic Plan; Accommodation arrangements confirmed; Team recruitment – senior procurement managers are now in post

Updates provided by Project Board Chairman to SMT

Complete works on accommodation

Support Other HSC Organisations including development of SCP manual

March 2017

September 2017

Accommodation arrangements confirmed. Work commenced on accommodation February 2017 and is due to be completed by March 2017. Assurance is being sought on the completion date.

Draft manual to be updated. In absence of mini code or equivalent, we are working to gain common agreement of the best approach to under-threshold social care procurement across 7 organisations. This will be shared with DLS, and once agreed, a manual can be drafted. Date changed from December 2016 to align with need for manual availability of etendersNI.


Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

6. Benefits of the new FPPS system fail to be realised due to:

(i) Contractors declining to use the web based portal, leading to an inability to reduce staff numbers in accordance with plan

(ii) Required system fixes for defects and/or change controls not being applied, leading to an inability to reduce staff numbers in accordance with plan;

Risk Owner: Dir of Ops

Current Risk Score: L 3 / I 4 / S 12 / Rate: High (trend: no change)

- Operational & Service Review Group to manage prioritisation and execution of fixes and change controls

- HSCB encouragement of contractors' use of portal at project board

- b) Prioritised change list has been presented to ITS and is subject to weekly service review by FPS and ITS - Final Pharmacy Portal Infras delivered to FPS for testing.

FPS Project Board (Benefits Realisation) will monitor the progress and consider means of increasing uptake if necessary

Quarterly report to SMT on use of portal

Reduction of staff in line with benefits realisation plan

FPS has planned training events for Dentists and will use roadshows and other meetings with contractor and their representatives to promote the benefits to contractor of using the portal;

FPS to develop an interim contingency plan to resource system impacts in the event of contractors not using the portal.

Dir of Ops

June 2017

March 2017

SMT have agreed funding to release staff under VES from February to June 2017. Staff have been informed and FPS and HR have commenced relevant procedures. HSCPS have been notified.

Dental practices are currently registering for portal.

Type of risk: Technological; Performance Management

Risk Added: 17.06.2015

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

7. Failure of key ITS Applications & Infrastructure impacting delivery of Critical Services to Customers and resulting in reputational damage for BSO and our customers.

Risk Owner: Dir of CCP

Type of risk: Technological & Customer / Citizen

Current Risk Score: L 3 / I 4 / S 12 / Rate: High (trend: no change)

Security Procedures; Testing of Business Continuity Plan; Change Control Process; Testing and planning associated with significant change.

Engagement of professional report (Gartner).

Actions from Gartner report completed

Internal Audit (E); External Audit (E); SMT Review of ICT Programme (I); Systems Risk Assessment (I)

Additional assurances

Dir of Finance / Dir CCP

March 2017

A full Disaster Recovery (DR) test was completed in May 2015 based on a scenario of having to evacuate Centre House and carry on operations from the DR site at Boucher Crescent. This was successfully repeated on 19 May 2016. A further desktop DR/BC exercise is planned for later in 2016/2017.

The mobile DR Unit can be connected to the HSC.

Final Gartner actions have been marked as complete. Any further restructuring of ITS will take place in the context of business needs and the wider shared services project.

HCL Axon resolution plan and contingencies in response to a lack of HRPTS service availability

Go live of new data centre facilities

Phase 1: February 2017

Phase 2: March 2017

Phase 3: September 2017

August 2016 – March 2019

A range of options relating to enhanced out of hours cover have been developed and have been costed with finance. As per former CEO direction, these will be discussed further in a potential shared services context.  A new draft of paper will be presented to BSO SMT.

Phase 1 is now complete and phase 2 is underway. A meeting with the BSO CEx and HCL Axon will take place March 2017 to provide assurance.


Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

8. Fail to implement robust information governance process.

Risk Owner: Dir of HRCS; Dirs

Type of risk: Legislative / Regulatory & Performance Management

Current Risk Score: L 3 / I 3 / S 9 / Rate: Medium (trend: no change)

Policy & Procedures; Information Governance / Records Mgt; CA Standard; Audit Control; Risk Register / Action Plans

A range of IG policies renewed and agreed by Board over 2014/15 and 2015/16.

IGMG to maintain and progress action plan sub-group established to review the new standard and compare with the current standard.

Audits of local record management policies underway as part of IG Improvement Plan (on-going to March 2016).

CAS Assessment - Records Management / ICT / Governance (I) & (E); Information Governance Group Report (I); Service Risk Reporting & Review (I); GAC Audit Control Review (I); other CA Standards Assessment (I) & (E); Mid-Year Assurance Statement / GS (I); GAC Report (I); CX Review of Dirs Objectives (I)

SIRO annual assurance letter to Permanent Secretary

Regular progress reports to SMT/Board regarding action plans (I)

IG update to Business Committee on a regular basis.

Ensure regular update on Data Protection and refresher training is available.

Action plan being implemented and evidence gathered on ongoing basis. Regular progress reports to SMT.

DoHRCS, Apr - Mar 2017

DoHRCS, Apr - Mar 2017

Action plan update reported to SMT February 2017


Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement


9. Risk to Data Centres from unstable hospital power / environment may cause further outages.

Risk Owner: Dir of CCP

Type of risk: Technological, Environmental, Physical & Partnership / Contractual

Risk Added: 12.12.12

Current Risk Score: L 4 / I 5 / S 20 / Rate: Extreme (trend: no change)

Security procedures; Business Continuity Plan.

SIB has appointed a Project Director for the Data Centres.

Surge Protectors have been installed and are operational.

Gartner sub-group to reconvene with revised remit to include strategic direction for transfer of data to 3rd data copy.

Board presentation on project

Gartner technical work streams.

An SLA has been agreed with BHSCT Estates for support of the regional data centre.

Disaster Recovery Plan

Review of all other elements of SLA to be carried out.

Go live of new data centre facilities - Mar 2019

Head of Infrastructure and Architecture

May 2013

To approval date

August 2016

This Annual Review is underway.

Work with Belfast Trust Estates to implement UPS back-up for the air con units has been cancelled due to inability to acquire space in BCH and RVH sufficient to house required equipment.

Work is completed to transfer 350 Terabytes of data to secure 3rd data copy for retention in Centre House.

Subscription to HP Mobile Data Centre solution has been implemented on a 2 year contract. A full recovery test from third site copy has been completed and a repeat test was successfully carried out on 19 May 2016.

Contracts for 2 Tier 3 Data Centres have been signed.  The centres were acquired August 2016. The plan for technical set up is agreed and the migration project has commenced.  Migration due to be completed mid-2018.

This may be delayed by 9 months or more if Centre House lease is not renewed beyond Nov-17 and resources need to be re-directed to re-location project and premises configuration. An Accommodation Requirement Template is with DoH for consideration by DoF – this indicates a preference to extend lease for short term in light of this risk.


Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

10. There is a risk that delays in the recruitment and selection process leads to failure to meet performance targets and significant reputational damage.

Risk Owner: Head of SS

Type of risk: Partnership / Contractual; Customer/Citizen; Performance Management

Risk Added: 16.03.2016

Current Risk Score: L 4 / I 4 / S 16 / Rate: High

Recovery team established

Review of processes, systems and organisational structures completed

Task and finish group established to deliver the recovery and stabilisation of recruitment shared services.

Weekly reports of progress against recovery plan to SMT and BSTP programme board.

Reports also sent to BSF AD forum and the regional Directors forum chaired by Michael McBride.

Delivery of full stabilisation plan

HoSS, January 2017

Broadly achieved stabilisation in general recruitment. Waiting list recruitment remains a complex and multi-faceted process and reasons for failing to meet performance targets are largely outside of BSO control; however, BSO continues to influence, support and participate in resolution where possible.


Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

11. Inability to complete the Guaranteed Minimum Payment reconciliation exercise due to limited resources results in a reputational impact on the BSO

Risk Owner: Dir of Ops

Type of risk: Partnership / Contractual; Customer/Citizen

Risk Added: 30.11.2016

Current Risk Score: L 3 / I 3 / S 9 / Rate: Medium

Letter sent to the DoH August 2016 requesting funding.

Issue raised at Ground Clearing meeting Nov 2016.

Initial matching analysis completed

Issue raised at ground clearing

Raised with Pension Board

Outcome of initial scoping work to be reported to SMT

End March 2017

Pending response from Department on funding for a two year period.


Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

12. Use of manual interventions and lack of automated reporting functionality in dental system may lead to inaccurate payments resulting in financial and reputational implications

Risk Owner(s): Dir of Ops

Type of risk: Financial; Reputational

Current Risk Score: L 4 / I 4 / S 16 / Rate: High (trend: no change)

Consistency checks on payments issued

Monthly reports to Dir of Ops

Regular ITS and FPS meetings

Phase 1 of agreed stabilisation plan

Phase 2 of agreed stabilisation plan

AD ITS/ AD FPS

March 2017

AD ITS/ AD FPS

June 2017


Corporate Objective No 4: To Enhance the Contribution and Development of our People

13. BSO current skill mix does not meet future business needs.

Risk Owner: Dir of HRCS; Dirs

Type of risk: Managerial / Professional

Current Risk Score: L 3 / I 3 / S 9 / Rate: Medium (trend: no change)

Revised Workforce Strategy approved by Board February 2014.

Job Description / Personal Specification; Staff Survey

Review PaLS Skills gaps.

Staff development / strong commitment to training.

Outcome of HSC Staff Survey (E); Customer Surveys (E); SMT/Board Review of Surveys (I); Staff Appraisal - PDPs (I); CX Review of Dirs Objectives (I)

A Sub-group has been established to consider a range of issues in PaLS including workforce issues.

Business Case skills.

Moving Forward Programme launched.

Re-accreditation of IIP complete

Further work to identify recruitment issues.

Workforce Planning ongoing in a number of Directorates. Scoping the direction of several Service Areas on behalf of DHSSPS.

Profiling with directorates regarding skills requirements is underway. The outcomes will feed into the appraisal and PDP process and drafting the BSO training plan for 2016/17.

DoHRCS

March 2017

Discussions underway with Directors in respect of strategic work plans for the next 3 years.

Workforce Plan for ITS has been completed

Action plans in place for Shared Services alongside Corporate action plan.

PaLS workforce plan has been drafted


BSO Corporate Risk Score Matrix

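Risk numbers plotted by Total Impact (rows) against Likelihood (columns):

| Total Impact | 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost Certain |
|---|---|---|---|---|---|
| Catastrophic (5) | | | | 9 | |
| Major (4) | | 2 | 3, 4, 5, 6, 7 | 1, 10, 12 | |
| Moderate (3) | | | 8, 11, 13 | | |
| Minor (2) | | | | | |
| Insignificant (1) | | | | | |

*Risk Classification / Numbers: LOW 0; MEDIUM 3 Risks; HIGH 9 Risks; EXTREME 1 Risk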

*in accordance with AS/NZS 4360:2004 guidance


Appendix A

Archive Report of risks removed from Corporate Register 2016-2017

Corporate Objective | Risk Description | Risk Score (L / I / S / Rate) | Comment

Corporate Objective 3. Risk 13. Delays in payroll responding to pension queries may result in fines from the Pensions Regulator. There is also a wider reputational risk associated with delays in the ability to provide estimates.

Risk Score: L 2 / I 4 / S 8 / Rate: High

Comment: Interface has been implemented – risk to be managed through appropriate service risk registers

Corporate Objective 3. Risk 11. There is a risk that delay in providing information to HSC employees on Choice 2 following introduction of new Pension arrangements

Risk Score: L 2 / I 3 / S 6 / Rate: Medium

Comment: Information has been provided to HSC employees.


Appendix B

Archive Report of Completed Risk Actions 2016-17

Corporate Objective | Risk No / Description | Actions Completed

Corporate Objective 1

1. Levels of savings in the overall environment for HSC are so great that BSO service provision to customers are negatively affected and/or we fail to breakeven.

The Leadership Centre may be particularly affected by a reduced level of client income.

Develop Service Offering

The actions to achieve both these elements of savings have been factored into the BSO Budget for 2015/16 and a balanced budget has been achieved. The BSO 2015/16 budget was approved by Board on 28 May 2015.

Re-submit savings plans to DHSSPS prior to final business plan approval - complete

The Leadership Centre is currently engaging with HSCB to identify the impact of any change in requirements/funding - The Leadership Centre has discussed the income received from the HSCB with the Board SLA Co-coordinator and Chief Executive. Implementation of the programme plan is likely to commence during 2017/18 and as such this action will remain on the service risk register.

Approval of 2016/17 budget – budget was approved May 2016

Corporate Objective 2

5. Shared Services may not achieve business case outcomes.

7. There is a risk that BSO will be unable to implement the Social Care Procurement project resulting in slippage in procurement programme to address the new light-touch regime detailed in regulations 74-77 of the Public Contracts Regulations 2015

Meeting with DoF, HoSS and SSRO to discuss 2016/17 plan – complete

Governance structure established and first board meeting held; High level strategic plan developed; Accommodation arrangements confirmed; Team recruitment – senior procurement managers are now in post

Corporate Objective 3

6. Benefits of the new FPPS system fail to be realised

10. Fail to implement robust information governance process

12. Risk to data centres from unstable hospital power/environment may cause further outages

FPS to gain commitment from HSCB to continue to encourage contractors to use the portal - complete, moved to control

BSO to communicate with Info Owners to advise that all medical files to be checked before forwarding to BSO – completed

Develop action plan – developed and submitted to SMT

Outline Business Case for new Data Centre


14. There is a risk that delays in the recruitment and selection process leads to failure to meet performance targets and significant reputational damage.

Detailed recovery plan to be presented to SMT – moved to assurance.

Complete review of processes, systems and organisational structures – review completed – move to control

Present review to HR directors forum - complete
