Audit and Risk Assurance Committee Agenda
Date 08 February 2017
Time 10.30 am – 14.00 pm (Lunch will be provided at 12:30 pm to 13:00 pm)
Venue Boardrooms 1/2, 2nd floor, 151 Buckingham Palace Road
Private session for members only starts at 10.00am
Agenda items
10.00am ARAC Members private session
10.10am -10.30am Confidential meeting with Internal and External Auditors
10.30am-12.30pm ARAC Meeting
1. Welcome and apologies
2. Declarations of interest
3. Minutes of 10 November 2016 (AUD163-16)
4. Matters arising (RS) (Oral)
5. ARAC Chair’s update
6. Audit tracker report (MA) (AUD164-16)
7. Internal audit (PF/AB)
Progress report and plan for rest of year (AUD165-16)
People and Workforce Report (Annex A)
Board Effectiveness Report (Annex B)
Audit follow-up/closure of Living Donation Audit
Management response to Enquiries Management Audit (RS) (Annex C)
8. Risk update (RS) (AUD166-16)
Strategic risk register (Annex A)
Exploration of risk area: Sector risks and public confidence – HTA Inspection Rationale (HL) (Annex B)
Update on Risk Management policy and strategy (MA) (Annex C)
Department of Health Risk Interdependencies (Annex D)
9. External audit (NAO) (Oral)
Update on current audit work
10. Reserves policy and update on policy review (MA) (AUD167-16)
HTA-POL-49 Reserves Policy February 2016 (Annex A)
ARAC Policies and Procedures Summary (Annex B)
11. Review of ARAC performance (Oral)
12. Review of gifts and hospitality register (MA) (AUD168-16)
13. HTA’s arrangements to address the recommendations arising from the Caldicott Review (RS) (AUD 169-16)
14. Appointment of internal auditors (RS) (Oral)
15. Reports on grievances, disputes, fraud and other information (Oral)
16. Topics for future risk discussions (discussion)
17. Future ARAC training (discussion)
18. Any other business
12.30pm – 1.00pm Lunch
1pm - 2pm Joint ARAC/Management Training Session: Risk assurance mapping
2pm-2.30pm ARAC Members and RS Performance Discussion
Next meeting – 18 May 2017.
Minutes of the Audit Risk and Assurance Committee
Date 10 November 2016 Paper AUD 163 -16
Venue 151 Buckingham Palace Road, Boardroom 1&2
Protective Marking OFFICIAL
Present
Members
Amanda Gibbon - Chair
William Horne
Glenn Houston
In attendance
Allan Marriott-Smith (CEO)
Richard Sydee (Director of Resources)
Morounke Akingbola (Head of Finance & Governance)
Kevin Wellard (Quality and Corporate Governance Manager)
Diane Galbraith (Head of Human Resources)
Apologies
Andrew Hall (Member)
Stuart Dollow (Member)
Karen Finlayson (PwC)
External Attendees
Patrick Irwin (DH)
George Smiles (NAO)
Sarah Edwards (NAO)
Paul Foreman (PwC)
Item 1 – Welcome and apologies
1. AG welcomed Richard Sydee (RS) and Kevin Wellard (KW) to their first HTA
ARAC meeting. There were apologies for absence from AH, KF and the newly
appointed, fifth member of ARAC, Stuart Dollow (SD).
Item 2 – Declaration of interest
2. There were no declarations of interest.
Item 3 – Minutes of 18 May 2016 ARAC meeting
3. The minutes of the 18 May 2016 meeting were agreed.
Item 4 – Matters arising
4. Action 4 from 11 February 2016: the business continuity and crisis
management response plan has been drafted and will be circulated to ARAC
Members.
5. Action 6 from 11 February 2016 (raise the risk within DH of IAs continuing to
operate without DBS checks) – is completed.
6. Action 14 from 18 May 2016: (add to November ARAC agenda an item on
turnover in the Communications Team) – is completed. This item was revised
after the last ARAC meeting and the risk discussion will be widened to reflect
staff turnover across the HTA.
7. Item 18 from 18 May 2016: (add to November ARAC agenda the risks of
complaints to the HTA and the HTA’s handling of complaints) - this issue was
discussed at the November Authority meeting so is now complete. AMS gave
the meeting a brief outline of some further background to this item.
Action 1 – RS to circulate a copy of the business continuity and crisis
management response plan to ARAC members.
Action 2 – ARAC members to receive an update on the risk of complaints
and complaints handling at the HTA at the ARAC meeting in November
2017.
Item 5 – ARAC Chair’s update
8. AG provided an update of meetings she has attended, including the ARAC
chairs’ event hosted by the National Audit Office. A key theme of this event
was the need for increased focus on risk interdependencies arising across the
DH health group. AG advised that she and AMS will be attending the DH Audit
Committee meeting on 16 November 2016.
9. AG reminded ARAC members that the Internal audit contract is due for renewal
in March 2017 and received assurance from RS that members of ARAC would
be involved in the contract renewal process. The DH are currently finalising the
Invitation to Tender (ITT) which has had input from HTA.
Item 6 – Internal Audit
Progress report and plan for the remainder of the year
10. PF presented this report, which included reference to the enquiries
management audit and time allocated in the forward plan to review crisis
management. The committee discussed the feasibility of delivering the
remaining elements of the plan within budget. It was estimated that an
additional £2.5k will be required to deliver the crisis management audit
scheduled to occur once the HTA’s internal testing event has concluded. It was
agreed that Executive Officers should consider/identify the additional costs
required to implement the plan and if possible approve the plan and provide an
update/clarification to members of ARAC via email.
11. PF drew the committee’s attention to the section of the report reviewing
progress against the recommendations arising from the Living Donation
Internal Audit report and asked members of ARAC to consider whether they
were content to accept the remaining gaps in information/progress as
acceptable risks. It was agreed that management should seek clarification
from the relevant establishment and provide feedback to ARAC members on
the reasons for the one remaining IA without a completed DBS check.
Action 3 – RS to discuss the remainder of the 2016/17 internal audit plan
with the Exec and advise ARAC of any amendments via email.
Action 4 - management should seek clarification from the relevant
establishment and provide feedback to ARAC members on the reasons
for the one remaining IA without a completed DBS check.
Action 5 – ARAC to reconsider the findings of the Living organ donation
follow-up audit once the item in Action 4 has been further clarified.
Enquiries management audit
12. PF presented the internal audit report into the handling of enquiries at the HTA.
PF gave an overview of the recommendations arising from the audit and
advised the meeting that an overall rating of moderate risk had been
concluded. Members concurred with the recommendation to reconfigure the
CRM system having experienced inconsistency within the CRM system in
terms of the email alerts/reminders set as prompts for ongoing actions.
13. Members of ARAC were assured that a proportionate, resource efficient,
project plan will be developed to address the recommendations arising from the
audit. This will include greater emphasis on quality measures and upgrades to
the CRM system. Members were further assured that both ARAC and the
Authority at large would be given appropriate oversight concerning the
monitoring of actions.
Item 7 – Audit Tracker report
14. MA presented an overview of the Audit Tracker Report and members were
given updates on actions that remain in progress. There was discussion on the
need to improve the presentation of the tracker, and for the executive to
provide greater information on expected dates of completion for matters that
remain in progress.
15. Members were advised that the completion of item 4 in the business continuity
section of the tracker is subject to an exercise to test the revised Business
Continuity Plan but were assured that this item will be completed by the
deadline.
Item 8 – Risk update
16. AMS presented an update on the HTA Strategic Risk Register. AMS advised
that while risk 3 remained amber, the risk likelihood was felt to be increasing as
a result of the continuing uncertainty around the timing of the implementation of
EU directives on coding and import. This work cannot be progressed by the
HTA until ministerial approval is received for DH to proceed with the
consultation on the draft Regulations and, as a result, the task of
implementation by the current April deadline is increasingly challenging. It is
estimated that implementation will require an absolute minimum of three
months but this timeframe carries considerable reputational risk given the
limitations this shortened period would place on providing proper stakeholder
consultation and delivery safeguards. PI advised that the DH is still awaiting
political guidance on this issue. AMS advised that amendments will be made to
this section of the register to further consider the mitigation of risks arising from
the HTA’s potential failure to implement the regulations by the April deadline.
Members were advised that AMS and the HTA Chair will be raising the HTA’s
concerns on this matter when they meet Lord Prior.
17. There was discussion on whether risk items assessed as green should remain
in the risk register. Members were advised that these items remain in the
register to enable ongoing sensitivity analysis and adjustment of identified risks.
RS advised that he will be considering a move to exception reporting for the
monitoring of risks with an opportunity for members to be given less frequent
oversight of the register in its entirety. Members were advised of the need to
refocus risk five to reflect its more stable status but this exercise will remain on
hold for the time being to allow for the implementation and bedding down of the
new fees structure.
18. Members noted the improved position in relation to risk 4 concerning the
retention and utilisation of staff.
HTA’s Approach to staff turnover
19. AMS and DG advised members that, despite positive staff attitudes to the HTA,
staff turnover continues to pose a strategic risk to the organisation. Analysis of
the exit interview results and more anecdotal evidence suggests that the root
causes of this are the organisation’s relatively flat organisational structure and
the public sector pay constraints, which together limit staff opportunities to
progress their careers or significantly increase their salaries within the HTA.
20. The HTA response to the issue of staff turnover is contained within the People
Strategy which describes the offering we make to our people and what we
expect in return. It presents our view of what can be done to keep people for
longer and the limits on this. Good progress has been achieved on the
deliverables from the Strategy (which runs until April 2017), with the most
significant facet still to be delivered being the structured Learning and
Development Framework, linked to the objectives of the corporate business
plan. This includes encouragement for staff to gain wider skills and experience
via secondments. Members were advised that there had been a reduction in
take-up for the organisation’s career investment scheme.
21. DG circulated a copy of the organisational structure detailing staff by length of
service. Discussion followed on the need for further refinement of the
presentation of this data to also identify the amount of time served by staff in
their current posts.
22. AMS noted that competition between internal candidates for recent vacancies
has provided promotion opportunities for some but has inevitably disappointed
others. AMS also noted that opportunities and different pay structures across
the wider Health Group create further opportunities for individuals but also a
further threat to HTA staff retention.
23. In terms of stress management, DG advised that despite stretching workloads
there is limited evidence of staff working longer hours to cope with this. The
HTA has recently instituted a policy for payment of travel time outside of normal
working hours to address a particular concern expressed by regulation
managers. Members were advised that ‘work life balance’ scored high within
the staff survey.
24. Staff exit interviews are offered to gain an insight into staff perceptions at the
point of their leaving the HTA. Of the ten staff offered an exit interview in the
last year three declined the offer. An issue emerging from the exit interviews is
a perception of new regulation managers being paid higher salaries than
existing members of staff. It is very difficult to overcome any misperceptions in
this area as this would require the sharing of salary data for individuals, which
is not something that we would consider. A revised and updated remuneration
policy was recently circulated to staff to give greater transparency about the
HTA pay scale structure and the method for setting starting salary. This will
now be benchmarked annually with comparable agencies.
25. DG advised that most absence tends to be short-term (i.e. one or two days’
sickness) but there are currently five long-term absences. The committee
received assurance over the reasons for these absences.
26. Members were given an update on staffing within the Communications Team.
A new Head of Communication joined the team four months ago and has
experience in media enquiries. The current Stakeholder and Engagement
Manager has been in post for a year and with the HTA for two years. The
Communications Development Officer role was internally filled, approximately
six-months ago, although the Website and Communications Officer role
recently became vacant. The latter post is currently under review. There are
plans to provide training on fielding media enquiries for the Stakeholder and
Engagement Manager to augment the availability of two Regulatory Heads of
Service who have already undergone this training.
27. The meeting noted that internal auditors will be looking at staff retention later in
the current financial year.
Risk Management Policy and Strategy
28. MA presented a revised HTA Risk Management Policy and Strategy, containing
initial draft tracked changes, and asked those present to provide feedback and
comments.
29. MA was advised to:
- give greater prominence to the sections on the HTA’s role within the wider DH context and the alignment of the organisation’s risks with its objectives by moving these to the start of the report;
- add time-scales to “Type of risk” table to reflect current and next year;
- make it clearer in paragraph 43 that risk owners need to reflect the responsibilities identified, within the risk register;
- reflect the HTA’s approach to addressing wider risk interdependencies within the report.
30. Members noted that time has been set aside within the forward plan for the
committee to discuss risk interdependencies at its meeting on 18 May 2017.
31. The updated version of the Risk Management Policy and Strategy will be
brought to the next meeting.
Action 6 – Add an agenda item to the agenda for the February ARAC
meeting for members to receive an update on the review of the Risk
Management Policy and Strategy.
Item 9 – Review of ARAC Handbook
32. MA presented the ARAC Handbook and took the committee through the
minimum amendments to it. The committee made one recommendation to
remove the extra “approach” from para 4 under section 7.
Item 10 – External Audit Planning Report
33. GS gave members an overview commentary of the Internal Audit Planning
report. GS drew the committee’s attention to areas that the NAO consider to be
of risk and these were agreed.
Item 11 – Updates on the Training of Designated Individuals and using
inspection templates in the Post Mortem sector
34. AMS undertook to provide an email update to members on these issues after
the meeting. In the meantime, he advised that an initial pilot for the training of
Designated Individuals (DIs) will begin in quarter four, within the ongoing
project to implement the new codes and standards. AG suggested that
members might wish to consider this as a prospective topic for a future deep
dive session. The committee also discussed the possibility of charging for some
(non-core) training to establishments in future.
Action 7 - AMS to provide members of ARAC with an email update on the
training of DIs and using inspection templates in the Post Mortem sector.
Item 12 – Reports on grievances, disputes, fraud and other information
35. Members were assured that there were no matters to report under this agenda
item.
Item 13 – Topics for future risk discussions
36. AG advised members that a discussion on the timing and dates of future
meetings and possible topics for future deep dive sessions will follow
immediately after lunch.
The agreed Deep dive risk sessions are as follows:
37. February - ARAC to look at the risks posed by the sectors regulated by the
HTA and the regulatory/inspection approach it takes to protect public
confidence in the face of those risks. The starting point will be Caroline
Browne’s paper on the HTA’s inspection rationale.
38. May - Following the Authority’s seminar on the Human Application sector at its
February meeting ARAC will look in more detail at the HA sector - its breadth of
activity, the HTA’s regulatory approach and risk assessments for various
aspects of the sector. Rob Watson will lead on this. We may refine our
approach to this session following the Authority’s session.
Item 14 – Future ARAC training
39. It was agreed that there should be a joint member/management team training
seminar following the February 2017 ARAC meeting on what to consider and
be aware of when undertaking risk assurance mapping and bearing in mind risk
interdependency across the wider health group. AG suggested that the May
2017 training might cover value for money auditing and how to think about the
optimal deployment of HTA resources.
Item 15 – A.O.B.
40. AG asked that a report addressing the HTA’s compliance with the
recommendations of the July 2016 National Data Guardian report (Review of
Data Security, Consent and Opt-outs) be brought to the ARAC meeting in
February 2017.
Action 8 - Add an agenda item to the agenda for the February ARAC
meeting for members to consider the HTA’s arrangements to address the
recommendations emerging from the Caldicott review.
41. AG noted that this was the last HTA ARAC meeting to be attended by PI. PI is
due to retire from his post at the DH in the new year. Colleagues expressed
their best wishes and a note of gratitude and appreciation to PI for all of his
help and support to the HTA and ARAC.
42. The next ARAC meeting is scheduled for 8 February 2017. Future meetings
were scheduled for 18 May 2017 and 2 November 2017.
Audit and Risk Assurance Committee Paper
Date 23 January 2017 Paper reference AUD 164-16
Agenda item 6 Author Nicola Fookes
Protective Marking
PROTECT
Audit Tracker
Purpose of paper
1. The purpose of this paper is to update the Audit and Risk Assurance Committee on the progress made in response to external and internal audit recommendations.
Decisions made to date
2. As detailed in the progress sections of this paper
Actions required
3. That the Committee notes progress.
Summary of all recommendations

| Recommendation Source | Total | Completed as planned | Completed later than expected | In progress as planned | In progress with some delay | Not started |
|---|---|---|---|---|---|---|
| IA – Data Retention | 2 | 1 | 0 | 0 | 1 | 0 |
| IA – Living Organ Donation | 11 | 4 | 5 | 0 | 2 | 0 |
| IA – Business Continuity | 4 | 0 | 4 | 0 | 0 | 0 |
| IA – Enquiries | 8 | 0 | 0 | 0 | 0 | 8 |
| IA – Board Effectiveness | 4 | 0 | 0 | 0 | 0 | 4 |
| IA – People and Workforce | 4 | 0 | 0 | 3 | 0 | 1 |
| COUNT | 33 | 5 | 9 | 3 | 3 | 13 |

IA – Internal Audit - PwC
EA – External Audit - NAO
Completed since last meeting
| Year | Audit | Category | Rec # | Recommendation | Manager | Status |
|---|---|---|---|---|---|---|
| 2015-16 | PwC – Business Continuity | Medium | 4 | Provide training to all staff on the BCP | Martin Cranefield | Completed later than planned |

Total 1
Summary of outstanding recommendations
| Year | Audit | Category | Rec # | Recommendation | Manager | Status |
|---|---|---|---|---|---|---|
| 2015-16 | PwC – Data retention | Medium | 1 | Review the Information Asset Register - ensure compliance with the Data Protection Act 1998 and align with the Department of Health Records Management Code of Practice and The National Archives best practice guidance. | Jamie Munro | In progress with some delay |
| | PwC – Living Organ Donation | Low | 6 | Update the re-accreditation process for IA’s with high numbers of red or amber reports | Jessica Porter | In progress with some delay |
| | | Low | 9 | To record time taken for case decisions to be made after receipt by HTA | Jessica Porter | In progress with some delay |
| 2016/17 | PwC – Enquiries | Medium | 1 a) | To reconfigure the notification workflow | Richard Sydee | Not started |
| | | | 1 b) | To make ‘category’ and ‘channel’ fields mandatory | Richard Sydee | Not started |
| | | Medium | 2 a) | Update enquiries SOP regarding time scale for passing an enquiry to a RM, the definition of an enquiry, the relevant stages of dealing with and communicating an enquiry and including a reference number on all enquiries | Victoria Marshment | Not started |
| | | | 2 b) | To regularly review the enquiries SOP | Victoria Marshment | Not started |
| | | Medium | 3 a) | To reconfigure CRM to include mandatory fields to record if enquiries are from a licenced provider | Richard Sydee | Not started |
| | | | 3 b) | To monitor and manage deletion dates for enquiries on an automated basis | Richard Sydee | Not started |
| | | Medium | 4 a) | To consider further KPI’s for more effective monitoring | Victoria Marshment | Not started |
| | | | 4 b) | To improve custom report for KPI% | Victoria Marshment | Not started |
| | | Low | 5 a) | To agree a method of collecting FAQ’s efficiently to reduce workload | Victoria Marshment | Not started |
| | | | 5 b) | Consider separating enquiries from license holders | Richard Sydee | Not started |
| | | Low | 6 a) | Consider QA checks on enquiry responses | Sarah Bedwell | Not started |
| | | | 6 b) | Consider a standard format for enquiry responses | Victoria Marshment | Not started |
| | | | 6 c) | Create a clear process by which RM’s become sufficiently experienced to answer enquiries | Sarah Bedwell | Not started |
| | | Low | 7 a) | Identify FAQ’s that could be dealt with by Assistants | Sarah Bedwell | Not started |
| | | | 7 b) | Review and update SOP’s provided to Assistants | Victoria Marshment | Not started |
| | | Low | 8 a) | Investigate via Skype the volume on unanswered calls | Richard Sydee | Not started |
| | | | 8 b) | Implement fall back arrangements for unanswered calls | Richard Sydee | Not started |
| | | | 8 c) | Perform spot checks on phones to ensure arrangements are in place | Richard Sydee | Not started |
| | PwC – Board Effectiveness | Medium | 1 | Better induction training for new Members to include LOD cases and decision making | Allan Marriott-Smith | Not started |
| | | Low | 2 | To discuss with DH possible flexibility in the term of appointment for members to benefit both experience and fresh perspective | Allan Marriott-Smith | Not started |
| | | Low | 3 | To ensure board papers are succinct, clear and relevant to the Boards strategic role | Allan Marriott-Smith | Not started |
| | | Low | 4 | To clarify process for annual objectives and appraisals | Allan Marriott-Smith | Not started |
| | PwC – People and Workforce | Low | 1 | To review organisation structure for increased hierarchy within RM’s | Heads of Regulation | Not started |
| | | Low | 2 a) | to make clear communication when actions are taken from the People strategy | Diane Galbraith | Completed as planned |
| | | | 2 b) | update staff on progress against the People Strategy | Diane Galbraith | In progress as planned |
| | | Low | 3 | Obtain feedback on the people strategy from 1-2-1 meetings | Diane Galbraith | In progress as planned |
| | | Low | 4 | To report feedback from new starters and leavers regarding possible improvements | Diane Galbraith | In progress as planned |

Total 19
RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION
2015/16
PwC – Data retention
1 - Review the Information Asset Register - ensure compliance with the Data Protection Act 1998 and align with the Department of Health Records Management Code of Practice and The National Archives best practice guidance.
Design and Governance of Document Retention procedures at the HTA
Review current retention periods and the content of the Information Asset Register by collating information from business units, following best practice guidance from The National Archives. Align minimum retention periods to the Department of Health Records Management Code of Practice where applicable.
Ensure that documents under the scope of the Public Records Act 1958 or the Freedom of Information Act 2000 are identified and retained appropriately based on the requirements of this legislation. If necessary, consult with The National Archives to obtain advice on how to apply the selection criteria.
Ensure that records containing personal data are not retained for longer than required, in line with principle five of the Data Protection Act 1998.
We accept all of the recommendations and will implement these through a comprehensive piece of work that we’ll need to plan carefully, involving staff throughout the HTA, alongside other current priorities. We will determine retention periods for personal data and ensure records that fall outside these are destroyed. Target date – April 2016
Feb-2016 Information Assets and the associated retention dates have been reviewed. Personal data which had passed its retention dates has been destroyed throughout December and January. Further work to be undertaken looking at shared drives and IMPACT. Owner / completion: Jamie Munro, In progress
May-2016 Work has been done on this and the vast majority of data held has been reviewed. The remaining work to be completed is within HR which is currently in progress. Owner / completion: Jamie Munro, In progress
Nov 2016 Work underway with HR documents but yet to be completed. Owner / completion: Diane / Jamie, In progress
Feb 2017 HR to determine what should be retained for a summary staff record before all other records can be destroyed. Owner / completion: Diane Galbraith, In progress
2015/16
PwC – Living Organ Donation 4 - Introduce a process and guidance for the recruitment, training and termination of an IA between HTA and NHS Trusts
Appointment, accreditation and training of assessors
Responsibility for the recruitment of Independent Assessors is not formally agreed between the HTA and the individual Trusts.
The HTA should consider the introduction of a process to be formally notified of leavers by Trusts or otherwise directly by leavers. For example, it could specify the process for informing HTA of a leaving date with sufficient notice within its guidance documents to IAs.
The HTA should consider introducing standard agreements between Trusts and itself which clearly set out responsibilities for recruitment and proactively identifying demand for IAs.
Update guidance to state that the HTA must be informed when an IA will be leaving the role. Write to Trusts to clearly set out responsibilities for recruitment and proactively identifying demand for IAs. Target date – March 2016
May 16 A letter was sent to Trusts in February 2016. This outlined a number of issues including that recruitment of IAs was the responsibility of the Trust and not the HTA. The guidance is due to be updated and published in August 2016 and this will include new advice about the HTA being informed of IAs that leave the position. Owner / completion: Chitvan Amin, In progress
Nov 2016 Guidance delayed and will go out 1st week of November 2016. Owner / completion: Chitvan Amin, In progress
Feb 2016 Guidance to be issued in the January newsletter to IA’s and further correspondence to go out to all trusts in March 2017. Owner / completion: Jess Porter, In progress
2015/16
PwC – Living Organ Donation 6 - Update the re-accreditation process for IA’s with high numbers of red or amber reports
Appointment, accreditation and training of assessors
The current design of re-accreditation process does not allow for timely response to quality issues, and may not identify all assessors in need of further training.
The HTA should consider updating the re-accreditation process to ensure that:
- There is a consistent approach to the treatment of IAs with a high number of (non-consecutive) red or amber reports versus those with a consecutive, low number of such reports;
- Refresher training is provided on a timely basis in response to known quality issues; and
- Where IAs are not automatically re-accredited, they should not perform assessments until refresher training is provided.
HTA will move to a system of continuous accreditation which will allow for closer monitoring throughout the year
Nov-15 In progress - changes being made to CRM to support close monitoring of IA reports throughout the year.
Feb-16 This is a priority and to be included in the Phase 1 of the next CRM development.
Update May 2016 meeting - Some minor tweaks to support this have been made as part of phase 1 changes to CRM however, the broader scoping work will take place later this year.
Nov-16 Ongoing with part of CRM upgrade project
2015/16
PwC – Living Organ Donation 9 - To record time taken for case decisions to be made after receipt by HTA
Decision making KPIs in place do not currently measure the time taken between initial referral to HTA and a regulatory decision being made.
The HTA should monitor the time taken from the point of the initial referral to the date a regulatory decision is made. Where the key points of the assessment and/or decision-making process take longer than the expected period, the HTA should investigate the root cause and take action to avoid recurrence.
The HTA should consider undertaking a Key Person Dependency Assessment to identify overreliance on any individuals whose roles cannot be carried out by other staff in their absence.
To be introduced in the rare cases that a case reaches the stage of RDM. Piece of work to be undertaken on retrospective cases that have reached RDM. Add to the SOP.
Nov-15 Not started.
Feb-16 Not as relevant as other recommendations - we will consider whether it is appropriate or realistic to implement.
May 2016 This is not considered a concern by stakeholders or the LDAT so has not been prioritised. Scoping work will begin soon to decide how to address this.
Nov 2016 Linked to previous recommendation regarding delay in assessing cases. Agreed that no further action is required on this.
2015/16
PwC – Business Continuity 4 - Provide training to all staff on the BCP
Decision making KPIs in place do not currently measure the time taken between initial referral to HTA and a regulatory decision being made.
The HTA should monitor the time taken from the point of the initial referral to the date a regulatory decision is made. Where the key points of the assessment and/or decision-making process take longer than the expected period, the HTA should investigate the root cause and take action to avoid recurrence.
The HTA should consider undertaking a Key Person Dependency Assessment to identify overreliance on any individuals whose roles cannot be carried out by other staff in their absence.
To be introduced in the rare cases that a case reaches the stage of RDM. Piece of work to be undertaken on retrospective cases that have reached RDM. Add to the SOP. Target date – March 2016
Nov-15 Not started. Owner / completion: Jamie Munro, Delayed
Feb-16 Not as relevant as other recommendations - we will consider whether it is appropriate or realistic to implement. Owner / completion: Jamie Munro, Delayed
May 2016 This is not considered a concern by stakeholders or the LDAT so has not been prioritised. Scoping work will begin soon to decide how to address this. Owner / completion: Jamie Munro, Delayed
Nov 2016 Linked to previous recommendation regarding delay in assessing cases. Agreed that no further action is required on this. Owner / completion: Jamie Munro, Delayed
Feb 2017 BCP has been completed and approved and training provided to all staff and specific training delivered to all role owners ahead of a planned incident test. Owner / completion: Jamie Munro, Completed later than planned
2016/17
PwC – Enquiries 1 – a) to reconfigure the notification workflow and b) to make ‘category’ and ‘channel’ fields mandatory
a) The notification workflow should be reconfigured to enable correct functionality of notifications. Consideration should be given to increasing the number of notifications to include notifications at one, two and/or three days prior to due date, as well as an escalation with later emails being sent to a more senior staff member as well.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
b) ‘Category’ and ‘Channel’ should be made mandatory fields for completion, and if not possible due to expense, guidance should be issued to Assistants and RMs to ensure that this information is completely captured
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
PwC – Enquiries 2 – a) Update enquiries SOP regarding time scale for passing an enquiry to a RM, the definition of an enquiry, the relevant stages of dealing with and communicating an enquiry and including a reference number on all enquiries and b) to regularly review the enquiries SOP
a) The SOP should be updated to include the following:
Provide guidance on the time in which the various stages of the emails/website enquiries should be forwarded to the RMs, including time to open email or answer call, time to convert to a case and time to forward to RM. Management may find it beneficial to develop a process map which covers the process.
A clear definition of what constitutes an enquiry should be made, including whether a case has to be logged in certain scenarios. Consideration should be given to requiring all enquiries to immediately be logged in CRM as this avoids possibility of cases being lost or not followed up. However consideration should be given to the costs of such a system.
All relevant stages of the Enquiry Management process to be shared with all those involved to clearly communicate roles and responsibilities. This could be in the form of a more detailed process map.
That the enquiry reference number should be provided to the enquirer who can then cite this when following up on an enquiry. To support this, a notification of receipt email should be provided to the sender on all email and website enquiries.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Victoria Marshment
b) SOP documentation should also undergo regular review with future dates of review set and maintained, for example on an annual basis or earlier where procedures change.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Victoria Marshment
PwC – Enquiries 3 – a) to reconfigure CRM to include mandatory fields to record if enquiries are from a licensed provider and b) to monitor and manage deletion dates for enquiries on an automated basis
a) CRM should be reconfigured to include a mandatory field which requires information on whether the enquiry is from a licensed provider or not. If not possible due to expense, consideration could be given to capturing this information in the ‘Channel’ or ‘Category’ fields, if deemed suitable
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
b) Deletion dates for enquiries should then be monitored, to ensure that all relevant data is deleted in line with HTA guidance and in accordance with the DPA, ideally on an automated basis.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
PwC – Enquiries 4 – a) to consider further KPIs for more effective monitoring and b) improve custom report for KPI%
a) Consider what further KPIs would enable more effective monitoring of enquiry management (and are practicable to gather data on), for example, number of cases open longer than 10 days.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Victoria Marshment
b) Improve custom report to allow KPI% to be easily calculated without a need for manual adjustments
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Victoria Marshment
PwC – Enquiries 5 – a) to agree a method of collecting FAQs efficiently to reduce workload and b) consider separating enquiries from license holders
a) A decision needs to be made as to best method going forward in collecting information regarding FAQs and using it efficiently to reduce staff workload. This information once collated could be provided internally through the HTA intranet to allow future enquiries to be dealt with more easily and in a more consistent fashion. The external website could also include the FAQs to reduce the burden of enquiries on HTA.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Victoria Marshment
b) Consider whether/how to separate enquiries from license holders from general enquiries. This could be through creating an enquiries portal for license holders only, which then creates a case automatically.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
PwC – Enquiries 6 – a) consider QA checks on enquiry responses, b) consider a standard format for enquiry responses and c) create a clear process by which RMs become sufficiently experienced to answer enquiries
a) Consider Quality Assurance (QA) checks in relation to answers provided to enquiries for all RMs, for example through sampling a small number of responses on a periodic basis and feeding back on both positive aspects and areas for improvement. Evidence of review should be retained, if possible, this would be captured within CRM to provide an effective audit trail
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Sarah Bedwell
b) Consider whether a standard style or format of response could be applied across the organisation or departments
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Victoria Marshment
c) Create a clear and documented process by which an RM becomes sufficiently experienced to answer enquiries independently and maintain evidence of each individual’s progress. We appreciate that there will need to be some flexibility in the time scales applied
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Sarah Bedwell
PwC – Enquiries 7 – a) identify FAQs that could be dealt with by Assistants and b) review and update SOPs provided to Assistants
a) Identify whether there are more FAQs that Assistants could be trained to answer and incorporate this into refreshed and more formal training to be provided to Assistants before they start to take calls and open emails
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Sarah Bedwell
b) The SOPs provided to assistants should be reviewed and updated where necessary
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Victoria Marshment
PwC – Enquiries 8 – a) Investigate via Skype the volume of unanswered calls, b) implement fall back arrangements for unanswered calls and c) perform spot checks on phones to ensure arrangements are in place
a) Investigate with Skype where applicable, how many calls ‘ring through’ without being answered and whether forwarding is set up on all accounts
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
b) Require all staff to set up fall back arrangements that will ensure if their phone is not answered and it is not routed and answered via mobile it will fall back to switchboard
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
c) If it is not possible to confirm this is in place for all phones, spot checks may need to be performed or confirmation gathered.
Recommendation agreed and action added to project plan for implementation Target date – June 2017
Feb 2017 – Actions to be taken forward by a project team.
Richard Sydee
PwC – Board Effectiveness 1 - Better induction training for new Members to include LOD cases and decision making
Ensure that induction training provides sufficient time, focus and examples of decision making for the living organ donation process and that after it board members feel that they have sufficient clarity and confidence to fulfil their role in the decision making process. Establish a forum for the new board members to enable discussions on the more complex living organ donation cases. Review the training for board members to include attendance at inspections (possibly as part of the induction process) and evaluate if any other training would be beneficial.
Yet to be agreed Allan Marriott-Smith
PwC – Board Effectiveness 2 - To discuss with DH possible flexibility in the term of appointment for members to benefit both experience and fresh perspective
Consider discussions with the Department of Health on the importance of achieving the appropriate balance of change and, if required, having some flexibility in the appointment process (such as 4+2 years appointments) and spreading out end dates to enable the Authority to respond flexibly to the need for experience and expertise whilst still benefiting from fresh perspectives.
Yet to be agreed Allan Marriott-Smith
PwC – Board Effectiveness 3 - To ensure board papers are succinct, clear and relevant to the Board’s strategic role
As planned, ensure papers are formatted to be suitably brief and clear, focusing on the key points for discussion and agreement relevant to the board’s strategic role. A similar approach should apply to presentations. Once the new approach is fully in place, it may be appropriate to take further soundings from members on whether the objectives of the change have been achieved.
Yet to be agreed Allan Marriott-Smith
PwC – Board Effectiveness 4 - To clarify process for annual objectives and appraisals
Clarify the process for agreement of annual objectives and annual appraisals with new members. Confirm that new members are content that they understand their objectives and how they should focus in the period through to their first individual appraisal.
Yet to be agreed Allan Marriott-Smith
PwC – People and Workforce 1 – To review organisation structure for increased hierarchy within RMs
Undertake a review of the organisation’s structure to identify where additional layers of seniority could be implemented and might be of benefit. Specifically consider the scope for increased hierarchy in the Regulation Manager group.
Investigation into the possibility of stratification within the Regulation Manager role will be undertaken. Due to the size of our organisation, we do not feel it is possible to add an additional hierarchy level outside of the Regulation Manager posts. Target date – April 2017
Feb 2017 – to be completed Heads of Regulations Not started
PwC – People and Workforce 2 – a) to make clear communication when actions are taken from the People strategy and b) update staff on progress against the People Strategy
a) Where actions are taken as a result of the People Strategy, ensure that the link to the People Strategy is made clear in communications, for example including wording about which part of the Strategy it is responding to
a) Going forward communication and documents that relate to the People Strategy will advise of the link to the People Strategy and include the ‘People Strategy’ branding
Target date – March 2017
Feb 2017 – recommendation fully implemented
Diane Galbraith Completed as planned
b) Provide an update to staff on progress against the People Strategy, for example in a ‘You said…. We did…’ format
b) Provide an update Target date – March 2017
Feb 2017 – to be completed Diane Galbraith In progress as planned
PwC – People and Workforce 3 – Obtain feedback on the people strategy from 1-2-1 meetings
Consider obtaining feedback on the implementation and impact of the People Strategy from staff, for example through one to one meetings with Line Managers.
Feedback will be sought from staff on the People Strategy during annual PDP discussions as well as the staff survey. Target date – April 2017
Feb 2017 – to be completed Diane Galbraith In progress as planned
PwC – People and Workforce 4 – To report feedback from new starters and leavers regarding possible improvements
Implement regular reporting on new joiner feedback and investigate where improvements may be required, for example where instances of expectation gaps are cited (including as a reason for leaving after only a short time) and act on this accordingly.
Six monthly report to SMT to be implemented. Target date – March 2017
Feb 2017 – to be completed Diane Galbraith In progress as planned
Health Group
Internal Audit
AUD165-16
January 2017
Health Group Internal Audit provides an objective and independent assurance, analysis and consulting service to the Department of Health and its arm’s length bodies, bringing a disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
The focuses on business priorities and key risks, delivering its service through three core approaches across all corporate and programme activity:
Review and evaluation of internal controls and processes;
Advice to support management in making improvements in risk management, control and governance; and
Analysis of policies, procedures and operations against good practice.
Our findings and recommendations:
Form the basis of an independent opinion to the Accounting Officers and Audit Committees of the Department of Health and its arm’s length bodies on the degree to which risk management, control and governance support the achievement of objectives; and
Add value to management by providing a basis and catalyst for improving operations.
INTERNAL AUDIT PROGRESS REPORT
For further information please contact:
Cameron Robson - 01132 54 6083
1N16 Quarry House, Quarry Hill,
Leeds, LS2 7UE
Our work has been conducted and our report prepared solely for the benefit of the Department of
Health and its arm’s length bodies and in accordance with a defined and agreed terms of
reference. In doing so, we have not taken into account the considerations of any third parties.
Accordingly, as our report may not consider issues relevant to such third parties, any use they
may choose to make of our report is entirely at their own risk and we accept no responsibility
whatsoever in relation to such use. Any third parties, requiring access to the report may be
required to sign ‘hold harmless’ letters.
CONTENTS PAGE
1. Introduction
2. Progress against 2016/17 Internal Audit Plan
2.1 Status of agreed plan
2.2 Summary of reports issued since the last Audit and Risk Assurance Committee
2.3 Follow up work
2.4 Impact on Annual Governance Statement
Appendix 1: Report Rating Definitions
Appendix 2: Limitations and responsibilities
HTA Internal Audit Progress Report January 2017
1) Introduction
This paper sets out the progress in completing the 2016/17 Internal Audit Plan since the last meeting of the Audit and Risk Assurance
Committee in November 2016.
2) Progress against 2016/17 Internal Audit Plan
2.1 Status of agreed plan:
The table below summarises the progress against each of the review areas in the 2016/17 Audit Plan:
Review per 2016/17 IA plan: Enquiries Management (Additional review)
Audit scope: This audit focussed on how enquiries are received and managed through to the provision of a response, and the monitoring and reporting on performance.
Status: Final report issued
Findings (High / Medium / Low): 0 / 4 / 4
Overall report rating: Moderate
Audit days per plan: 0
Actual audit days: 5.0

Review per 2016/17 IA plan: Board Effectiveness
Audit scope: This review assesses Board effectiveness via surveys and follow-up interviews.
Status: Final draft report issued 4th January, awaiting management action plan to finalise.
Findings (High / Medium / Low): 0 / 1 / 3
Overall report rating: -
Audit days per plan: 8
Actual audit days: 8.0

Review per 2016/17 IA plan: Quality Controls Systems
Audit scope: We will focus on how HTA ensures consistency through the application of its Quality Management System, and what checks are in place. We will also consider as part of this review whether there are opportunities for the QMS to be more efficient and to deliver improved consistency.
Status: Scoping meeting planned for week commencing 23rd January.
Management propose that the days assigned to Information Guidance and Enquiries Assurance Mapping are combined with this review to allow for Assurance Mapping over the Quality Control system, which will then be supported with some additional testing.
Audit days per plan: 10
Actual audit days: 0.5

Review per 2016/17 IA plan: Crisis management
Audit scope: We will consider how HTA would manage a crisis scenario through observation of a crisis management exercise. This will be a limited scope review and will be undertaken in the form of an observation exercise.
Status: Date for management’s exercise had been confirmed, but due to unforeseen circumstances this had to be postponed. Revised date to be agreed as soon as possible.
Audit days per plan: 3
Actual audit days: 1.0

Review per 2016/17 IA plan: People and Workforce
Audit scope: HTA has an established KPI to reduce attrition rates through improved staff selection and targeted measures to retain staff. Our review will focus on how the Board obtains assurance that the appropriate actions are being undertaken to address the issues identified in accordance with agreed action plans.
Status: Final report issued.
Findings (High / Medium / Low): 0 / 0 / 5
Overall report rating: Moderate
Audit days per plan: 6
Actual audit days: 6.0

Review per 2016/17 IA plan: Information Guidance and Enquiries (Assurance Mapping)
Management have proposed that no further work is carried out on Information Guidance and Enquiries. The budget so released will in part offset the cost of the additional Enquiries Management review.
Audit days per plan: 3
Actual audit days: 0.0

Review per 2016/17 IA plan: Audit Management
Audit scope: All aspects of audit management to include:
- Attendance at liaison meetings and HTA Audit and Risk Assurance committee;
- Drafting committee papers/progress reports;
- Follow-up work;
- Resourcing and risk management; and
- Contingency.
Status: Ongoing
Findings and overall report rating: Not applicable
Audit days per plan: 6
Actual audit days: 4.5

Total Findings (High / Medium / Low): 0 / 4 / 4
Total audit days per plan: 36
Total actual audit days: 25.0
2.2 Summary of reports issued since the last Audit and Risk Assurance Committee:
Since the last Audit and Risk Assurance Committee in November 2016 we have issued the final report on People and Workforce and the
draft report on Board Effectiveness. The People and Workforce report accompanies this progress paper and the Board Effectiveness
report will be circulated once management action plan has been agreed, as all other queries have been resolved on the draft report.
2.3 Follow-up work:
The HTA performs its own follow-up work, reviewing the status of agreed audit actions and reporting progress to the Audit and Risk
Assurance Committee. As such, Internal Audit has been asked to provide independent assurance of the completion of agreed actions
only over those actions which relate to high priority recommendations. This approach was agreed with the former Director of Finance and
Resources.
No high priority actions have resulted from us undertaking the 2016/17 audit reviews to date. As reported in our November 2016
Progress Report, the one outstanding recommendation at the start of the year, arising from the Living Organ Donation Internal Audit
report (ref HTA2015/16001), was subject to follow up testing and has been confirmed as completed.
2.4 Impact on Annual Governance Statement:
All reports issued with an overall Limited or Unsatisfactory rating, or with report findings that are individually rated high priority, should be
considered for their possible impact on the Authority’s Annual Governance Statement (AGS). To date, no Limited reports and no high
priority issues have been raised as a result of us completing the work forming part of the 2016/17 audit plan and all actions relating to
previous high priority issues have been completed. Accordingly, there are no further matters arising from our work to date that we believe
may require reference in the AGS, beyond those previously noted in the November 2016 Progress Report.
Appendix 1 – Report Rating Definitions
Risk Ratings of individual findings:
Priority Description
HIGH
Fundamental weaknesses in control which expose the Accounting Officer / Director to high risk or significant loss or exposure in terms of failure to achieve key objectives, impropriety or fraud. Senior managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a high priority internal audit recommendation.
MEDIUM
Significant weaknesses in control, which, although not fundamental, expose the Accounting Officer / Director to a risk of loss, exposure or poor value for money. Managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a medium priority internal audit recommendation. Failure to implement recommendations to mitigate these risks could result in the risk moving to the High category.
LOW
Minor weaknesses in control which expose the Accounting Officer / Director to relatively low risk of loss or exposure. However, there is the opportunity to improve the control environment by complying with best practice. Suggestions made if adopted would mitigate the low level risks identified.
Ratings of audit reports
Substantial In Internal Audit’s opinion, the framework of governance, risk management and control is adequate and
effective.
Moderate In Internal Audit’s opinion, some improvements are required to enhance the adequacy and effectiveness
of the framework of governance, risk management and control.
Limited In Internal Audit’s opinion, there are significant weaknesses in the framework of governance, risk
management and control such that it could be or could become inadequate and ineffective.
Unsatisfactory In Internal Audit’s opinion, there are fundamental weaknesses in the framework of governance, risk
management and control such that it is inadequate and ineffective or is likely to fail.
Appendix 2 - Limitations and responsibilities
Internal control
Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.
Future periods
Historic evaluation of effectiveness is not relevant to future periods due to the risk that:
- the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or
- the degree of compliance with policies and procedures may deteriorate.
Responsibilities of management and internal auditors
It is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management’s responsibilities for the design and operation of these systems. We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.
Health Group Internal Audit
Reference: DH216010004 FINAL REPORT
Human Tissue Authority January 2017
AUD-165-16 (Annex A)
Report Name: People and Workforce Status: Final
For further information please contact:
Cameron Robson - 01132 54 5515
1N16 Quarry House, Quarry Hill,
Leeds, LS2 7UE
CONTENTS PAGE
Date fieldwork completed:
1st draft report issued:
Management responses received:
Final report issued
13/12/2016
06/01/2017
D14/01/2024/01/2017
Report Author: Habiba Marsh
Version №: Final V1
1. Introduction
2. Review Conclusion
3. Summary of Findings
4. Next steps
5. Recommendations
6. Findings and Observations
Appendix – Priority and Report Ratings
Distribution List – Draft Report
Main recipient(s):
Allan Marriott-Smith, Chief Executive Officer
Diane Galbraith, Head of HR
Cc(s):
Morounke Akingbola, Head of Finance
Richard Sydee, Director of Finance and Resources
Cameron Robson, Group Chief Head of Internal Audit
Distribution List – Final Report
As above
EXECUTIVE SUMMARY
1. Introduction
1.1 HTA’s key strategic objective is to maintain and further enhance public confidence in the removal, storage and use of human tissue and organs by ensuring that it is undertaken safely and ethically, and with proper consent.
1.2 HTA has fully recognised that a key asset to delivering this objective is its people, but the HTA has historically struggled to meet its annual target to maintain a turnover rate of less than 18%.
1.3 Two key risks have been identified as a consequence: ‘Insufficient capacity and/or capability, including insufficient expertise, due to staff attrition, inadequate contingency planning, difficulty in recruiting (including Independent Assessors (IAs))’; and ‘Failure to utilise people, data and business technology capabilities effectively’.
1.4 In 2015 HTA published its two year People Strategy which included an employment lifecycle, identifying eight key features of working for HTA that would be experienced by its staff. It was intended that improving the staff experience would help to maintain turnover within target. Against each of the features a series of actions were proposed to enhance each staff member’s experience, including actions to address specific staff feedback gathered from exit interviews and the staff survey, which is completed annually. Management provided a People Strategy Progress Report to the Board in March 2016 setting out their progress against these actions.
1.5 The objective of this review was to independently assess, and seek evidence of, management’s progress against the actions detailed within the 2015-17 People Strategy, focussing on the ongoing actions in three of the key areas: Recruitment, Selection, Induction & Embedding; Recognition & Wellbeing; and Managing for High Performance; plus one related key action within the Inspire and Motivate area.
1.6 We have also captured and provided observations on the impact of the People Strategy following interviews with a small sample of staff. In these interviews we sought to ascertain their understanding of the Strategy, their experience of it being delivered, and any suggestions for further areas of improvement that they would like to see.
1.7 We independently selected staff for interview to have a range of experience at HTA and seniority. However, it is important to note that our findings from this element of the work are based on interviews with only approximately 10% of the workforce (5 individuals), and therefore not all views or themes identified are necessarily pervasive throughout the business. We have assessed the comments made by staff and reported these where appropriate as key themes arising from the interviews, having considered the context and corroborating evidence gathered from other areas of the review.
2. Review Conclusion
2.1 The overall rating for the report is MODERATE - some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control.
2.2 HTA has been able to evidence the progress made against the planned actions as reported by management, in those areas in scope for our review. The Strategy is designed to endure for three years until 2017. Where actions have not yet been started, we have verified that this is for practical reasons and confirmed a new start date. A good level of supporting documents were provided to support the development of policies, learning and development opportunities and continual communication to staff. Overall therefore, there appears to have been good progress.
2.3 There are, however, some actions that management could take to optimise benefits of the People Strategy at its current stage. In addition, feedback from our staff interviews identified some clear areas that we believe would benefit from further focus by management. Failure to implement these recommendations may not impact on the progress of planned actions but may make it harder for HTA to embed the strategy effectively into HTA culture and behaviours.
3. Summary of Findings
3.1 The findings in this report are based on the available supporting evidence provided to us as part of the review and the findings from the five staff interviews performed. The work is intended to help the Head of Human Resources (Head of HR) and the Chief Executive Officer (CEO) better enhance the effectiveness of the People Strategy by providing an independent and objective view of progress against planned actions, supplemented by some independently gathered feedback. The above conclusions and findings summarised below should be seen in this context.
3.2 The findings from our work are summarised below, and more detail is provided in the Findings and Observations section:
The people structure of the HTA is relatively flat, and as such a common concern of staff and reason for leaving, we understand, is lack of opportunity for progression, both financially and professionally. This was a common theme from our interviews and is apparent from review of the structure chart. It is something that management is well aware of. Although the organisation is restricted by Government pay restraints in terms of awarding increments, there may be potential to respond to this through a review of roles. In particular, for Regulation Managers it might be possible to introduce an additional layer of seniority providing opportunities for progression, something management has identified as a possibility.
There is scope to improve the clarity of the link between the People Strategy and the actions being taken as a result of it.
Management have not yet gathered specific feedback from staff on the impact and progress of the People Strategy, although there are multiple avenues of communication open to staff which, per our own assessment and staff feedback, appear to be largely being used effectively.
New joiner surveys have been collated and a report to the Senior Management Team will be prepared in the first half of 2017 by the Head of HR. The form and frequency of future reporting in this area has, however, not yet been decided. We would encourage annual reporting of key trends as well as actions taken to address any areas for improvement, for example addressing any expectation gaps in terms of role or salary.
3.2 Overall, management are making good progress in implementing the People Strategy against the actions identified in the planned activities, with staff providing largely positive feedback on its implementation.
3.3 The table below summarises the number of recommendations by rating and review area. Please note that there are multiple recommendations to some findings and therefore more than four recommendations:
| Review area | Total Recs | High | Medium | Low |
|---|---|---|---|---|
| Recognition & wellbeing | 1 | - | - | 1 |
| Impact of the People Strategy | 3 | - | - | 3 |
| Recruitment, selection, induction & embedding | 1 | - | - | 1 |
| Total | 5 | - | - | 5 |
4. Next Steps
4.1 To support the continued progress of the People Strategy objectives and embedding into HTA and the provision of a meaningful report to the Audit and Risk Assurance Committee management are now required to:
Consider the recommendations made in Section 3; and
Complete Section 5 (Recommendations Table: Agreed Action Plan) detailing what action you are intending to take to address the individual recommendations, the owner of the planned actions and the planned implementation date.
4.2 The agreed action plan will then form the basis of subsequent audit activity to verify that high priority recommendations have been implemented effectively and for management to monitor implementation of all recommendations.
4.3 If management do not accept any of the recommendations made then a clear reason should be provided in the action plan.
4.4 Finally, we would like to thank management for their help and assistance during this review.
RECOMMENDATIONS TABLE
5. Recommendations
Customer to provide details of planned action; owner and implementation date. Action taken will later be assessed by Health Group Internal Audit, and therefore the level of detail provided needs to be sufficient to allow for the assessment of the adequacy of action taken to implement the recommendation to take place.
| № | RATING | RECOMMENDATIONS | MANAGEMENT RESPONSE | AGREED ACTION PLAN: OWNER & PLANNED IMPLEMENTATION DATE |
|---|---|---|---|---|
| 1. | L | Undertake a review of the organisation’s structure to identify where additional layers of seniority could be implemented and might be of benefit. Specifically consider the scope for increased hierarchy in the Regulation Manager group. | Investigation into the possibility of stratification within the Regulation Manager role will be undertaken. Due to the size of our organisation, we do not feel it is possible to add an additional hierarchy level outside of the Regulation Manager posts. | Heads of Regulation. 30 April 2017 |
| 2. | L | a) Where actions are taken as a result of the People Strategy, ensure that the link to the People Strategy is made clear in communications, for example including wording about which part of the Strategy it is responding to. | Going forward communication and documents that relate to the People Strategy will advise of the link to the People Strategy and include the ‘People Strategy’ branding. | Complete |
| | L | b) Provide an update to staff on progress against the People Strategy, for example in a ‘You said…. We did…’ format. | Provide an update. | 30 March 2017 |
| 3. | L | Consider obtaining feedback on the implementation and impact of the People Strategy from staff, for example through one to one meetings with Line Managers. | Feedback will be sought from staff on the People Strategy during annual PDP discussions. Feedback will be sought via the staff survey. | 30 April 2017; Autumn 2017 |
| 4. | L | Implement regular reporting on new joiner feedback and investigate where improvements may be required, for example where instances of expectation gaps are cited (including as a reason for leaving after only a short time) and act on this accordingly. | Six monthly report to SMT to be implemented. | 30 March 2017. |
FINDINGS/OBSERVATIONS
6. Findings and Observations
1. FINDING/OBSERVATION:
Consider scope to introduce additional tiers to the resource structure so as to allow more opportunity for progression
RISK RATING: LOW
The people structure of the HTA is relatively flat, and as such a common concern of staff and reason for leaving, we understand, is lack of opportunity for progression, both financially and professionally. This was a common theme from our interviews and something that management are well aware of. Although the organisation is restricted by Government pay restraints in terms of awarding increments, there may be potential to address this through a review of roles, in particular at Regulation Manager level where an additional layer of seniority may give more opportunities, something management is considering.
Having more of a hierarchy for Regulation Managers could provide an opportunity to create a more dynamic business structure within Regulation, which represents the largest proportion of staff in the HTA.
RISK/IMPLICATION:
Staff may be unable to see scope for career progression which could lead to dissatisfaction, and therefore continued staff turnover.
RECOMMENDATION:
Undertake a review of the organisation’s structure to identify where additional layers of seniority could be implemented and might be of benefit to the organisation. Specifically consider the scope for additional hierarchy in the Regulation Manager group.
2. FINDING/OBSERVATION:
Highlighting the impact of the People Strategy in staff communications
RISK RATING: LOW
There is scope to improve the clarity of the link between the People Strategy and the actions taken as a result of it.
There was a clear trend from the interviews that we conducted that although the actions being taken are communicated, for example new policies and other announcements being included in staff newsletters and staff forum meetings, staff are not always aware of the link between these actions and the People Strategy.
Management have already taken some action in this area, for example communications regarding the Strategy have recently been branded with the employment lifecycle wheel. However, there was a clear theme from our interviews and we therefore believe that another look at this topic would be beneficial.
It should be noted that overall, feedback from our interviews in relation to the People Strategy was very positive.
RISK/IMPLICATION:
Staff do not see the link between the People Strategy and improvement actions taken because of it. This could lead to the illusion that the People Strategy is simply a document and that actions are taken at random rather than being a very clear response to staff feedback and designed to deliver an improved experience overall. Staff may continue to feel that their feedback is not being understood or taken on board by management, possibly leading to continued staff turnover.
RECOMMENDATION:
a) Where actions are taken as a result of the People Strategy, ensure that the link to the People Strategy is made clear in communications, for example including wording about which part of the Strategy it is responding to.
b) Provide an update to staff on progress against the People Strategy, for example in a ‘You said…. We did…’ format.
3. FINDING/OBSERVATION:
Gathering feedback from staff on the People Strategy
RISK RATING: LOW
Multiple avenues of communication are open to staff, including the annual staff survey, team meetings, one to ones, exit meetings, and new joiner feedback. Per our own assessment and staff feedback, these appear to be largely being used effectively and this review also provides some additional feedback. However, management have not yet gathered specific feedback from staff on the impact and progress of the People Strategy, and some specific discussion of the impact of the Strategy may be of benefit to the organisation in fine tuning its approach and identifying any areas of misunderstanding or miscommunication.
This may also be an opportunity to remind staff of their responsibilities within the People Strategy and therefore to obtain further support and buy in for the actions taken.
This also links to finding two above, as it could assist in underlining the link between the People Strategy and the actions taken as a result of it.
RISK/IMPLICATION:
Without understanding staff feedback on the implementation and impact of the People Strategy, the risk exists that management actions, whilst being delivered, may not be fully embedding into the HTA as expected. In addition, further suggestions for actions that could be taken may not be identified, missing the opportunity to further improve the staff experience.
RECOMMENDATION:
Consider obtaining feedback on the implementation and impact of the People Strategy from staff, for example through one to one meetings with Line Managers or as part of annual survey.
4. FINDING/OBSERVATION:
Capturing and reporting feedback from new joiners
RISK RATING: LOW
New joiner surveys have been collated and a report to the Senior Management Team will be prepared in the first half of 2017 by the Head of HR. However, the form and frequency of future reporting in this area has not yet been decided. We would support annual reporting of key trends, as well as on actions taken to address any areas for improvement. Over the last 12 months, the Head of HR has improved the clarity of the recruitment process to ensure that both role and salary expectations are clear to applicants before they apply or accept a role, and feedback from staff has improved in this area. However, one of the interviewees we spoke with identified that there had been a joiner in the last six months who experienced a large expectation gap in terms of the role requirements and subsequently left the organisation within a few months. There may be an opportunity to review this case and identify any learning.
RISK/IMPLICATION:
If feedback from the joining process is not monitored, and acted upon where necessary, this may result in the organisation continuing to miss its target of maintaining staff turnover at below 18% and/or may impact on the efficiency and effectiveness of recruitment activity. There may also be reputational damage to the HTA, impinging on its ability to recruit staff with the appropriate skills and expertise.
RECOMMENDATION:
Implement regular reporting on new joiner feedback and investigate where improvements may be required, for example where instances of expectation gaps are cited (including as a reason for leaving after only a short time) and act on this accordingly.
Appendix – Priority and Report Rating Definitions
Priority Rating – Definitions
| Priority | Description |
|---|---|
| HIGH | Fundamental weaknesses in control which expose the Accounting Officer / Director to high risk or significant loss or exposure in terms of failure to achieve key objectives, impropriety or fraud. Senior managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a high priority internal audit recommendation. |
| MEDIUM | Significant weaknesses in control, which, although not fundamental, expose the Accounting Officer / Director to a risk of loss, exposure or poor value for money. Managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a medium priority internal audit recommendation. Failure to implement recommendations to mitigate these risks could result in the risk moving to the High category. |
| LOW | Minor weaknesses in control which expose the Accounting Officer / Director to relatively low risk of loss or exposure. However, there is the opportunity to improve the control environment by complying with best practice. Suggestions made if adopted would mitigate the low level risks identified. |
Report Rating – Definitions
| Rating | Description |
|---|---|
| SUBSTANTIAL | In Internal Audit’s opinion, the framework of governance, risk management and control is adequate and effective. |
| MODERATE | In Internal Audit’s opinion, some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control. |
| LIMITED | In Internal Audit’s opinion, there are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective. |
| UNSATISFACTORY | In Internal Audit’s opinion, there are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail. |
Health Group Internal Audit
Reference number: DHX 216010001
FINAL REPORT
Human Tissue Authority
January 2017
Health Group Internal Audit provides an objective and independent assurance, analysis and consulting service to the Department of Health and its arms length bodies, bringing a disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
It focuses on business priorities and key risks, delivering its service through three core approaches across all corporate and programme activity:
Review and evaluation of internal controls and processes;
Advice to support management in making improvements in risk management, control and governance; and
Analysis of policies, procedures and operations against good practice.
Our findings and recommendations:
Form the basis of an independent opinion to the Accounting Officers and Audit Committees of the Department of Health and its arms length bodies on the degree to which risk management, control and governance support the achievement of objectives; and
Add value to management by providing a basis and catalyst for improving operations.
Report Name: Board Effectiveness Self-Assessment
For further information please contact:
Cameron Robson - 01132 54 5515
1N16 Quarry House, Quarry Hill,
Leeds, LS2 7UE
Health Group Internal Audit
Our work has been conducted and our report prepared solely for the benefit of the Department of Health and its arms length bodies and in accordance with a defined and agreed terms of reference. In doing so, we have not taken into account the considerations of any third parties. Accordingly, as our report may not consider issues relevant to such third parties, any use they may choose to make of our report is entirely at their own risk and we accept no responsibility whatsoever in relation to such use. Any third parties requiring access to the report may be required to sign ‘hold harmless’ letters.
AUD 165-16 (ANNEX B)
CONTENTS PAGE
Date fieldwork completed: 9 November 2016
1st draft report issued: 28 November 2016
Management responses received: 5 December 2016
2nd draft report issued: 20 December 2016
Management responses received: 30 January 2017
Final report issued: 31 January 2017
Report Author: Lenka Marvanova
Version №: Final V1
1. Introduction
2. Review Conclusion
3. Summary of Findings
4. Next Steps
5. Recommendations Table
6. Findings and Observations
Appendix 1 – Summary of Survey Results
Appendix 2 – Risk and Report Ratings
HTA (02a/17)
Distribution List – Draft Report
Main recipient(s):
Sharmila Nebhrajani, Chair
Cc(s):
Allan Marriott-Smith, Chief Executive
Morounke Akingbola, Head of Finance
Richard Sydee, Director of Finance and Resources
Cameron Robson, Group Chief Head of Internal Audit
Distribution List – Final Report
As above
1. Introduction
1.1 Within the context of an organisation’s purpose, the board has a key role in setting strategy and developing and implementing action plans to achieve objectives. It also has the vital role of monitoring performance and challenging management where that might be improved. An effective board is a key part of governance, risk management and assurance arrangements along with contributing to the development and promotion of the collective vision of the organisation’s purpose, culture, values and the behaviours. There needs to be effective engagement between independent members and the executive to lead the organisation, whilst avoiding the board becoming too operational and focused on decisions and actions that should be the responsibility of management.
1.2 The Human Tissue Authority (HTA) is an Executive non-Departmental Public Body sponsored by the Department of Health. The Chair and nine of the board members are appointed by the Secretary of State for Health, with one further member appointed by the Welsh Minister and one by the Northern Ireland Health Minister. The board therefore has 12 members in total. Eight of the board members (including the Chair) are lay members, with the four remaining members being professionals with current or recent past involvement in activities or organisations licensed under the Human Tissue Act. While the structure has not changed, board membership has undergone some change during 2016, with five new members appointed to the board in April 2016 in place of those whose terms of office had expired.
1.3 Supporting the board, the HTA has two statutory committees (the Audit and Risk Assurance Committee and the Remuneration Committee) and three groups (Stakeholder Group, Histopathology Working Group and Transplantation Advisory Group). The focus of this review has been on the performance of the board and we have not covered the operations of these other committees and groups.
1.4 The objective of this review was to consider the effectiveness of the HTA board by undertaking the following:
Carrying out a self-assessment (via an online survey) completed by each board member,
Analysis of the results of the survey (based on the collective results),
Benchmarking the results against other organisations including other ALBs, and
Undertaking targeted interviews with a sample of four board members, informed by the output of the self-assessment questionnaire.
1.5 Our work was performed during October and November 2016.
2. Review Conclusion
2.1 The findings in this report are based on the self-assessment results and follow-up discussions. The work is intended to help the Chair and the board to further enhance the effectiveness of how the board operates through self-assessment review and assessment. Given the limited audit evidence gathered during this review, we are not able to provide a formal assurance conclusion in this report.
2.2 The combined results of the board self-assessment and sample of interviews did not identify any significant weaknesses that may impact on the board operating effectively and indicate that in the view of the Authority board members the board is operating effectively. Some areas of good practice have been identified during our review and these have been highlighted below.
3. Summary of Findings
3.1 Our review has identified a small number of areas for consideration where there may be scope to further enhance the operating effectiveness of the board.
3.2 The average results from the board effectiveness survey have been summarised in Appendix 1.
3.3 The overall average result for the survey was 5.08 (on a scale of 1-6 with 6 being the most positive assessment), which is a strong indication that the overall effectiveness and operation of the board is viewed as positive by the board members.
3.4 Lower than average results were received in the following categories:
Performance Monitoring (4.77)
Decision Making (5.05)
Individual and Whole Board (4.79)
Development and Succession Plans (4.31)
3.5 Benchmarking the results indicated that the HTA board is assessed to be performing above the benchmark average, with the exception of the Engaging & Improving category. This latter item reflects the weaker results in the Individual & Whole Board and Development & Succession Plans categories. The results of the benchmarking exercise are also included in Appendix 1.
3.6 During our review of the survey results and interviews, we noted a number of positive comments about the board’s effectiveness:
Relationships – we received a number of comments about the positive relationships and working environment at the board meetings between the board members and the Executive, which is seen to lead to open and diverse discussions. The comments also confirmed that the board operates in a professional environment and is seen to provide an appropriate level of challenge to the Executive team, but in a positive atmosphere.
Chair – both the survey and the interviews indicated the view that the Chair is very effective in managing the board meetings, setting the right tone and encouraging positive and open discussions. The work of the Chair was also seen as pivotal to securing a good mix of skills and experience at the board.
Stakeholder engagement – There were also positive comments about the weekly email updates shared with the board members, including an internal newsletter, sector updates and news digest updates.
3.7 We have raised four recommendations which have been summarised below:
Induction training for new board members on living organ donation should be extended (Medium priority): Both the survey and interviews indicated that the level of induction training with regards to living organ donations was not felt to be sufficient to give the board members confidence in understanding and delivery of decisions in this area;
Succession planning and board member appointment process (Low priority): The need to replace a proportion of board members at once represents a challenge to the Authority’s corporate memory, effective board performance and the ability to manage the change. Therefore, discussions should be held with the Department of Health about enabling a more flexible approach to the future board appointments and re-appointments.
There should be a more strategic focus in board papers and discussions (Low priority): Steps were already being taken towards papers and presentations being more strategically focused and these changes should be fully implemented so that the level of detail in the board papers and presentations does not detract from the board having sufficient time for robust and strategic discussions; and
Setting objectives for individual board members (Low priority): Both survey and interview results indicated a lack of clarity among new board members about the objective setting and appraisal process. Clarification should be provided and confirmation obtained that new members are content that they understand what is being expected of them.
3.8 The table below summarises the number of recommendations by rating and review area:
| Review area | Total Recs | High | Medium | Low |
|---|---|---|---|---|
| Board Effectiveness – self assessment | 4 | 0 | 1 | 3 |
4. Next Steps
4.1 To support the provision of a meaningful report to the Audit and Risk Assurance Committee you are now required to:
consider the recommendations made in Section 3; and
complete section 5 (Recommendations Table: Agreed Action Plan) detailing what action you are intending to take to address the individual recommendations, the owner of the planned actions and the planned implementation date.
4.2 The agreed action plan will form the basis of subsequent activity to verify that the recommendations have been implemented effectively. If management do not accept any of the recommendations made then a clear reason should be provided in the action plan.
4.3 Management should implement the agreed recommendations before or by the agreed due dates and advise HGIAS that the actions have been completed.
4.4 Any high priority recommendations are routinely followed up by HGIAS and any such outstanding actions will be reported to the Audit and Risk Assurance Committee.
4.5 Finally, we would like to thank management for their help and assistance during this review.
5. Recommendations Table
Customer to provide details of planned action; owner and implementation date. Action taken will later be assessed by Health Group Internal Audit, and therefore the level of detail provided needs to be sufficient to allow for the assessment of the adequacy of action taken to implement the recommendation to take place.
| № | RATING | RECOMMENDATIONS | MANAGEMENT RESPONSE | AGREED ACTION PLAN: OWNER & PLANNED IMPLEMENTATION DATE |
|---|---|---|---|---|
| 1. | M | Ensure that induction training provides sufficient time, focus and examples of decision making for the living organ donation process and that after it board members feel that they have sufficient clarity and confidence to fulfil their role in the decision making process. Establish a forum for the new board members to enable discussions on the more complex living organ donations cases. Review the training for board members to include attendance at inspections (possibly as part of the induction process) and evaluate if any other training would be beneficial. | When new Members start the living organ donation training will be a full day. Followed up by a session as needs dictate 3-6 months later. First forum on 30 January. Those wishing to observe an inspection are being assigned slots as and when suitable. Training budget in place for Members during 2017/18 and discussion on training at one-to-ones with Chair. | Nicholas Baré (Head of Corporate Policy and Strategy): As new Members start. Jessica Porter (Head of Regulation): Actioned. Nicholas Baré (Head of Corporate Policy and Strategy): Actioned. |
| 2. | L | Consider discussions with the Department of Health on the importance of achieving the appropriate balance of change and, if required, having some flexibility in the appointment process (such as 4+2 years appointments) and spreading out end dates to enable the Authority to respond flexibly to the need for experience and expertise whilst still benefiting from fresh perspectives. | Consideration given to such a discussion with DH on upcoming re-appointments. | Victoria Marshment (Director of Policy, Strategy and Communications): End 2017 |
| 3. | L | As planned, ensure papers are formatted to be suitably brief and clear, focusing on the key points for discussion and agreement relevant to the board’s strategic role. A similar approach should apply to presentations. Once the new approach is fully in place, it may be appropriate to take further soundings from members on whether the objectives of the change have been achieved. | Move to more focussed papers and presentations already made. Feedback sought on reporting and amendments made. Feedback to be a permanent feature of the refinement process. | Nicholas Baré (Head of Corporate Policy and Strategy): Actioned |
| 4. | L | Clarify the process for agreement of annual objectives and annual appraisals with new members. Confirm that new members are content that they understand their objectives and how they should focus in the period through to their first individual appraisal. | Communication issued to Members on process for appraisals. Process to be clearly flagged and explained to incoming Members with check to ensure it is understood. | Nicholas Baré (Head of Corporate Policy and Strategy): Actioned. |
6. Findings and Observations
6.1 Based on the survey and interviews, we have identified the following findings:
1. FINDING/OBSERVATION:
Induction Training re Living Organ Donations
RISK RATING: MEDIUM
Both the survey and interviews identified that while induction training was provided for the recently appointed board members, it was felt that insufficient attention was given to the role of the board members in the living organ donation decision making process. Further investigation established that while training was given on the technicalities of how to undertake the living organ donation reviews, the board members desired more training on how to deal with the complexities of the cases, and would welcome a more example-based approach to the training.
The board members felt that there has not been sufficient time allocated for discussion of living organ donations and that they would benefit from a forum to discuss some of the more complex cases.
This issue had been raised prior to this assessment and recognised by the Executive team. As a result, a workshop for board members on living organ donations had already been scheduled for November 2016, which was due to include discussion on enabling the board members to share knowledge about completed and ongoing living organ donation cases.
The board members also observed that where available, attendance at inspections was valuable to their development and understanding of regulatory duties. An observation was made that it would be helpful to attend inspections as part of the induction process or in the early stages of their board membership.
RISK/IMPLICATION:
Without robust and comprehensive induction training on more complex aspects of the board members’ roles and responsibilities, the board members may not feel sufficiently equipped to deal with some individual cases, which may lead to delays in decision-making for organ donation cases.
RECOMMENDATION:
Ensure that induction training provides sufficient time, focus and examples of decision making for the living organ donation process and that after it board members feel that they have sufficient clarity and confidence to fulfil their role in the decision making process.
Establish a forum for the new board members to enable discussions on the more complex living organ donation cases.
Review the training for board members to include attendance at inspections (possibly as part of the induction process) and evaluate if any other training would be beneficial.
2. FINDING/OBSERVATION:
Succession planning and board member appointment process
RISK RATING: LOW
The board has undergone some change in the current financial year, with five new members appointed to the board in April 2016. The survey and interview results highlighted the board members’ concerns about the impact that a significant level of change at the board level could have on maintaining robust corporate memory and expertise. In particular, the requirement to refresh the board membership every three years could be perceived as potentially limiting the effectiveness of the board if there were significant change that did not then allow for maintaining memory and expertise on the board. While the board members expressed confidence that the appointment process is well managed and that there is value in rotation of membership, there was awareness that the three year appointment period could limit the period in which board members are contributing most effectively to the Authority’s regulatory activities. We recognise that while the Authority makes recommendations for board member appointments, the appointments are reviewed by the Department of Health and the final decision on appointments is made by the Secretary of State. Also, as noted, there is value in refreshing membership to an appropriate level. However, particularly for organisations such as HTA where members are closely involved in decision-making, it is important to ensure that there is an appropriate balance between renewing membership and retaining knowledge and experience.
RISK/IMPLICATION:
Changes to board membership without adequate consideration of the need of the Authority for experience and expertise could have a negative impact on the effectiveness of the board, could lead to loss of corporate memory and impact the decision making process for living organ donations.
RECOMMENDATION:
Consider discussions with the Department of Health on the importance of achieving the appropriate balance of change and, if required, having some flexibility in the appointment process (such as 4+2 years appointments) and spreading out end dates to enable the Authority to respond flexibly to the need for experience and expertise whilst still benefiting from fresh perspectives.
3. FINDING/OBSERVATION:
Strategic focus in board papers and presentations
RISK RATING: LOW
While it was reported that the board meetings were well managed, comments were raised by the board members in both the survey and interviews about the balance of time spent on presentations to the members and the time spent on discussions. It was felt that while the presentations and papers contain a great level of detail, this may detract from taking the strategic view of the topic and that perhaps the level of detail could be reduced.
We understand that these matters were identified prior to the board effectiveness survey and that the focus in the November board papers had already shifted to a more strategic approach, aggregated around the Authority’s strategic plan objectives. Feedback provided by the Chair also confirmed that the shift to the more strategic approach was being managed to ensure that in the short term the new board members were receiving adequate explanation of the background of the topics, even if this meant slightly more information was being provided and shared.
RISK/IMPLICATION:
The board may be unable to focus their discussions on the areas of strategic importance and instead get drawn in to more detailed operational management of the Authority.
RECOMMENDATION:
As planned, ensure papers are formatted to be suitably brief and clear, focusing on the key points for discussion and agreement relevant to the board’s strategic role. A similar focus should apply to presentations. Once the new approach is fully in place, it may be appropriate to take further soundings from members on whether the objectives of the change have been achieved.
4. FINDING/OBSERVATION:
Individual board member objectives
RISK RATING: LOW
Both the survey and interviews indicated that new board members had lower awareness of the board objectives and the objective setting process. The new board members also indicated they had expectations that they would meet with the Chair to discuss more personalised objectives for their board roles. The feedback we received indicated that instead they had received objectives by email, and these were objectives for the HTA board as a whole without the opportunity to personalise them.
Further conversation with the Chair confirmed that the new board members were not part of the regular annual performance review cycle as they only joined recently. As a result, whereas those in post at the end of the prior year had personal appraisals, new members had introductory meetings and then the annual board objectives were circulated to them by email.
It was also confirmed that the objectives for each member are those applying to the board as a whole, reflecting collective responsibility, rather than setting individual objectives. The consideration of personal contribution towards the board objectives forms, and will form, part of the annual personal appraisal process.
It therefore appears that there has been some lack of clarity around the objective setting and appraisal process for the new board members.
RISK/IMPLICATION:
Without clarity about the objective setting and appraisal process, and if there was to be any lack of understanding about how the board members will contribute to achievement of the board objectives, the board may be less effective and new members may feel unsure about what should be their key areas of focus over the coming year.
RECOMMENDATION:
Clarify the process for agreement of annual objectives and annual appraisals with new members.
Confirm that new members are content that they understand their objectives and how they should focus in the period through to their first individual appraisal.
Appendix 1 – Summary of Survey Results
1.1 Survey and interview results
Board Effectiveness Survey Category | Average survey score | Benchmark category
Purpose | 5.18 | Foundations
Composition and Structure | 5.27 |
Role Clarity | 5.18 |
Relationships | 5.06 |
Strategy | 5.36 |
Performance Monitoring | 4.77 | Board Focus
Risk & finance | 5.11 |
Decision making | 5.05 |
Stakeholder engagement | 5.11 | Engaging & Improving
Individual & whole Board | 4.79 |
Development & Succession Plans | 4.31 |
Chair | 5.53 | Chair
Total survey average | 5.08 |
Survey scores used: 1 Strongly Disagree; 2 Disagree; 3 Slightly Disagree; 4 Slightly Agree; 5 Agree; 6 Strongly Agree
2.1 Benchmarking exercise
The benchmarking exercise shows the following results in the four categories:
[Chart: Overall Effectiveness; Foundations; Board Effectiveness; Engaging & Improving; Chair]
Appendix 2 – Risk and Report Ratings
Risk Ratings:
Priority Description
HIGH
Fundamental weaknesses in control which expose the Accounting Officer / Director to high risk or significant loss or exposure in terms of failure to achieve key objectives, impropriety or fraud. Senior managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a high priority internal audit recommendation.
MEDIUM
Significant weaknesses in control, which, although not fundamental, expose the Accounting Officer / Director to a risk of loss, exposure or poor value for money. Managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a medium priority internal audit recommendation. Failure to implement recommendations to mitigate these risks could result in the risk moving to the High category.
LOW
Minor weaknesses in control which expose the Accounting Officer / Director to relatively low risk of loss or exposure. However, there is the opportunity to improve the control environment by complying with best practice. Suggestions made, if adopted, would mitigate the low level risks identified.
Report Rating – Definitions
Substantial
In Internal Audit’s opinion, the framework of governance, risk management and control is adequate and effective.
Moderate
In Internal Audit’s opinion, some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control.
Limited
In Internal Audit’s opinion, there are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective.
Unsatisfactory
In Internal Audit’s opinion, there are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail.
Audit and Risk Assurance Committee Paper
Date 8 February 2017 Paper reference AUD 165-16 (Annex C)
Agenda item 7 Author Richard Sydee
Enquiries Management Project
Background
1. At the last ARAC meeting the findings from the recent Internal Audit of the HTA
approach to enquiries management were presented. Management had
requested Internal Audit’s assistance in reviewing the Enquiry Management
process from a desire to gain reassurance that the process is appropriately
designed to achieve the objectives of providing accurate and timely responses,
following concerns raised by some users that enquiries were not being
responded to effectively.
2. The report made 8 overall recommendations and Management accepted all
recommendations in principle with a commitment to a further assessment of
the recommendations and a plan for their implementation during the 2017
calendar year. This further review and outline plan is now presented for ARAC
approval.
Actions Required
3. Members are invited to:
• note the detailed review of recommendations and proposed action and
• explore the area of risk relating to staff attrition
Report
The attached appendix details the discussion that has subsequently taken
place with all Department heads in relation to the recommendation and actions
that should be taken in order to address the report findings. In summary the
majority of recommendations were accepted as presented with only
recommendation 3 challenged in terms of priority.
4. The actions within the attached appendix will now become a formal project for
HTA with Richard Sydee, Director of Resources, as Senior Responsible Officer
and Matthew Silk as Project Manager. Given other resourcing priorities
through to July 2017 it is proposed that the majority of recommendations be
implemented during the latter half of 2017. A formal project plan will be
produced and ARAC will continue to receive updates on specific
recommendations through the recommendations tracker.
Annex A – Enquiry management recommendations and comments
FINDING/OBSERVATION 1
Recommendations
FINDING/OBSERVATION 2
Recommendations
FINDING/OBSERVATION 3
Recommendations
a) The SOP should be updated to include the following:
- Provide guidance on the time in which the various stages of the emails/website enquiries should be forwarded to the RMs, including time to open email or
answer call, time to convert to a case and time to forward to RM. Management may find it beneficial to develop a full process map which covers the process.
- A clear definition of what constitutes an enquiry should be made, including whether a case has to be logged in certain scenarios. Consideration should be
given to requiring all enquiries to immediately be logged in CRM as this avoids possibility of cases being lost
- All relevant stages of the Enquiry Management process and be shared with all those involved to clearly communicate roles and responsibilities. This could be
in the form of a more detailed process map.
- That the enquiry reference number should be provided to all enquirers who can then cite this when following up on an enquiry. To support this, a
notification of receipt email should be provided to the sender for all email and website enquiries.
The CRM system does not effectively capture whether an enquiry is from a licensed provider or not, which reduces the ability of HTA to support effective enquiry management and without this information
data retention guidelines cannot be complied with.
RISK RATING:
MEDIUM
a) CRM should be reconfigured to include a mandatory field which requires information on whether the enquiry is from a licensed provider or not. If not
possible due to expense, consideration could be given to capturing this information in the ‘Channel’ or ‘Category’ fields, if deemed suitable.
For technical reasons, a mandatory field cannot be added to
the form, so this recommendation cannot be achieved. Heads
did not understand why licence and non-licence related
enquiries need to be differentiated. All enquiries should have
the same importance attached to them. Heads suggested that
it would be more useful to differentiate enquiries by those
that include personal data and those that do not, to allow
deletion (in line with the DPA) to be automated. All other
enquiries should be kept on file for the sake of institutional
memory.
b) Deletion dates for enquiries should then be monitored, to ensure that all relevant data is deleted in line with HTA guidance and in accordance with the DPA,
ideally on an automated basis.
Heads felt that these recommendations were common sense,
and noted that there are already plans in place to review all
corporate documents in early 2017/18. However, they
accepted that work needs to take place to define what an
enquiry is; this has been considered in the past but never
resolved. The risk rating should be lowered to low.
b) SOP documentation should be subject to regular review in line with planned review dates.
The current Standard Operating Procedure (SOP) documents are out of date and the processes within them require improvement, for example they do not currently make roles and responsibilities clear and
not all stages of the process are included
RISK RATING:
MEDIUM
The CRM system requires reconfiguring; email alerts to Regulation Managers (RMs) reminding them of deadlines to respond to enquiries are not being routinely sent and the number of mandatory fields
needs enhancing to support more effective enquiry management.
RISK RATING:
MEDIUM
a) The notification workflow should be reconfigured to enable the sending of email notifications. Consideration should also be given to increasing the number
of notifications to include notifications at one, two and/or three days prior to due date, as well as an escalation with later emails also being sent to a more
b) ‘Category’ and ‘Channel’ should be made mandatory fields for completion. If this is not possible due to expense, guidance should be issued to Assistants and
RMs to ensure that this information is completely captured.
Heads agreed with these findings. The problem is that those
logging enquiries are not adding the ‘channel’ field, which
generates the notification. This should become a mandatory
field. However, Heads were less keen on increasing the
number of notifications.
FINDING/OBSERVATION 4
Recommendations
FINDING/OBSERVATION 5
Recommendations
FINDING/OBSERVATION 6
Recommendations
a) A decision needs to be made as to best method going forwards in collecting information regarding FAQs and using it efficiently to reduce staff workloads.
This information once collated could be provided internally through the HTA intranet to allow future enquiries to be dealt with more easily and in a more
Heads agreed with this finding. FAQs need to be monitored
and reviewed through improvements that will be made to HTA
quality assurance in 2017/18. However, again, heads did not
understand the rationale for separating out enquiries from
licence holders. This also related to points raised for Finding 3.
c) Create a clear and documented process by which an RM becomes sufficiently experienced to answer enquiries independently and maintain evidence of each
individual’s progress. We appreciate that there will need to be some flexibility in the time scales applied.
Heads agreed with these findings. However, they considered
the risk rating to be high (not low). They also considered that
the focus of the findings could be improved. The fact that
enquirers receive incorrect information in the first place is the
crux of the issue. Our focus should be on this, in addition to
quality assessment of incorrect information that was sent out.
Assistants have already started to improve their processes for
enquiries, relating to these findings. However, there is no
formal system for peer review, set out in the standard
operating procedure. New starters are monitored, but after six
months, this stops. Similarly, responses generated by Heads
are not peer reviewed. Peer review results of these reviews
could be monitored as group indicators in team plans.
b) Consider whether/how to separate enquiries from license holders from general enquiries. This could be through creating an enquiries portal for license
holders only, which might then create a case automatically.
The Quality Assurance (QA) processes could be improved; QA is currently only consistently performed for less experienced RMs who are new to their role
RISK RATING:
Low
a) Consider QA checks in relation to answers provided to enquiries for all RMs, for example through sampling a small number of responses on a periodic basis
and feeding back on both positive aspects and areas for improvement. Evidence of review should be retained, and if possible this would be captured within
b) Consider whether a standard style or format of response could be applied across the organisation or departments.
Management of frequently asked questions (FAQs) could be improved and improvements could be made to provide specific information to licensed users to better support licensed enquiries
RISK RATING:
Low
The design of the current single Key Performance Indicator (KPI) for enquiry management does not allow effective monitoring of performance and requires extensive manual intervention to be calculated
RISK RATING:
MEDIUM
a) Consider what further KPIs and management information would enable more effective monitoring of enquiry management (and are practicable to gather
data on), for example, number of cases open longer than 10 days.
Heads considered that this finding would be addressed by an
activity in the 2017/18 business plan to develop quality
assurance systems / indicators, in addition to the time-based
indicator. Head of communications noted that work could be
completed to improve the complicated way the current KPI is
calculated through CRM changes. These improvements could
also be defined in the standard operating procedure.
b) Improve custom reporting to allow KPI% to be easily calculated without a need for manual adjustments.
FINDING/OBSERVATION 7
Recommendations
FINDING/OBSERVATION 8
Recommendations
Better use could be made of Assistants to answer simple enquiries and improved training provided to help the flow of enquiry information.
RISK RATING:
Low
a) Investigate with Skype where applicable, how many calls ‘ring through’ without being answered and whether forwarding is set up on all accounts.
Head of IT is aware of this problem and is addressing it.
b) Require all staff to set up fall back arrangements that will ensure if their phone is not answered and it is not routed and answered via mobile it will fall back
to switchboard.
c) If it is not possible to confirm this is in place for all phones, spot checks may need to be performed or confirmation gathered.
a) Identify whether there are more FAQs that the Assistants could be trained to answer and incorporate this into refreshed and more formal training to be
provided to Assistants before they start to take calls and open emails.
Heads agreed with these findings. Improvements need to be
made to the standard operating procedures. Work on a
“decision tree” has already been completed.
b) The SOPs provided to assistants should be reviewed and updated where necessary (see finding 2).
The current utilisation of phone services provided by Skype allows calls to ‘ring out’ without provision of a voicemail service.
RISK RATING:
Low
Audit and Risk Assurance Committee Paper
Date 30 January 2017 Paper reference AUD 166-16
Agenda item 8 Author Richard Sydee
Risk Update
Purpose of paper
1. This paper presents the latest strategic risk register and risk management
strategy. It also sets the scene for the exploration of the area of risk: Sector
risks and the HTA’s approach to protect public confidence.
Recommendations
2. Members are invited to:
• comment on the strategic risks and assurances at Annex A
• explore the area of risk relating to sector risks
• approve the risk management strategy as it currently stands
Strategic Risk Register
3. The strategic risks are reviewed by the Senior Management Team (SMT)
monthly and the register updated. The strategic risk register that was updated
at the beginning of January is at Annex A. This is the same version that will be
presented to the Authority in February.
4. As reported at the meeting in November, there are three amber risks: failure to
regulate appropriately (risk one); failure to manage expectations (risk three);
and failure to utilise our capabilities (risk four).
5. Risk one remains our highest rated risk and there has been no change in its
rating since November 2016.
6. The risk of failure to manage expectations of regulation (risk three) had
increased in December because of the uncertainty about the timing of
implementing the Import and Coding Directives. Communication with our
sponsors and stakeholders helps mitigate this risk. The uncertainty surrounding
Brexit brings its own challenges, which add to this risk.
7. The risk of failure to utilise our capabilities effectively (risk four) has remained
stable since November. This is evidenced by the progress of newer staff in post
whose skills we are able to utilise and the filling of key management posts.
We have also gone live with the early phases of our CRM and Portal.
8. There have been no other significant changes to the level of risk.
9. SMT is content that the strategic risk register is complete and accepts the level
of risk identified, subject to the planned actions taking place.
HTA Inspection rationale
10. Hazel Lofty, Head of Regulatory Development, will introduce this item,
explaining how we protect public confidence and our inspection rationale.
11. Members are invited to explore further with them how these areas are
managed.
Risk Management Strategy
12. At Annex B is the latest Risk Management Strategy and Policy. At the last
ARAC meeting it was agreed that the strategy needed refreshing and that this
could be done in conjunction with the impending risk workshop in February
2017.
13. The strategy therefore has a few amendments, notably the paragraphs relating
to risk interdependencies, which are a current focus for the Department of Health
and its ALBs.
Annex A – Strategic risk register – January 2017
Annex B – Sector risks and the HTA’s approach to public confidence
Annex C – Risk Management Policy and Strategy
Annex D – Department of Health Risk Interdependencies
AUD 166-16 (Annex A)
Nov 2016 | Dec 2016 | Jan 2017
[Risk grid axes. Impact: 1. Almost None; 2. Minor; 3. Moderate; 4. Significant; 5. Catastrophe. Likelihood: 1. Rare; 2. Unlikely; 4. Likely; 5. Almost Certain]
Risk | Comments
1 - Failure to regulate appropriately (Risk to Delivery a-c & e and Development a-d) | A good regulatory framework and processes are in place and continuous improvement is planned. It is important to identify changes and remain agile to adapt to these.
2 - Failure to manage an incident (Delivery, Development and Deployment) | Plans are in place to manage an incident. These plans are now complete and will be tested in Q4 of 2016/17.
3 - Failure to manage expectations of regulation (Risk to Delivery d) | We continue to communicate our remit and advise where appropriate. There is ongoing dialogue with DH and stakeholders about emerging issues. The HTA has written to the Department to highlight the risks of continued uncertainty about the timing of the implementation of the Coding and Import Directives. Brexit means that uncertainty has increased and the HTA faces greater challenges in managing expectations.
4 - Failure to utilise our capabilities effectively (Delivery a-d) (Development a-d) (Deployment a & c) | We continue to be in a position to use the skills of our newer recruits more fully. All key management posts are filled, and no staff are working their notice. CRM and Portal development went live successfully in mid-October.
5 - Insufficient financial resources (Deployment b) | Latest projections predict that the year will end within budget.
Strategic Objectives
Delivery – to deliver the right mix of activity to maintain public and professional confidence
a) To deliver right-touch regulation and high quality advice and guidance, targeting our resources where there is most likelihood of non-compliance and greatest risk to the public
b) To be consistent and transparent in our decision making and regulatory action, supporting those licence holders who are committed to achieving high quality and dealing firmly and fairly with those who do not comply with our standards
c) To deliver effective regulation of living donation
d) To inform and involve people with a professional or personal interest in the areas we regulate in matters that are important to them and influence them in matters that are important to us
e) To maintain our strategic relationships with other regulators operating in the health sector
Development – to make the right investment in development to continuously improve delivery
a) To reduce regulatory burden where risks to public confidence are lowest
b) To make it clearer how to achieve compliance with new and existing regulatory requirements
c) To make continuous improvements to our systems and processes to minimise wasted or duplicated effort
d) To take opportunities to better inform and involve the public
Deployment – to make the most effective use of our people and resources in pursuit of our goals
a) To manage and develop our people in line with the HTA’s People Strategy
b) To ensure the continued financial viability of the HTA while charging fair and transparent licence fees and providing value for money
c) To provide a suitable working environment and effective business technology
Risks are assessed by using the grid below
Lines of defence are:
1 - Embedded in the business operation
2 - Corporate oversight functions
3 - Independent of the HTA
HTA Strategic Risk Register
January 2017
Overview: Risks reflect the strategy for 2016-19. Our highest risk is failure to regulate appropriately, as this would have a significant impact should it materialise.
Other notable risks: Final delivery of some of one of the HTA's key projects (Coding and Import) remains in the hands of others. The HTA can deliver our part but is not in control of other actions necessary before implementation. Any delays will affect the attitude of our stakeholders and the HTA's reputation. Further uncertainty is caused by Brexit.
A number of more recently recruited Regulation Managers are now approaching sign off and recruitment to key posts has now been completed. This will increasingly have a mitigating impact.
I L I L
Ongoing Regulatory model 5 31 2 3
HTA Strategy 2016 to 2019 clearly
articulates the HTA's regulatory model X Preventative
Authority developed and
approved the HTA Strategy
HTA Strategy published on 1
April
Regulatory decision making framework X Preventative
Reports to Authority of key
decisions in Delivery Report
Satisfactory report made in
November 2016
Annual scheduled review of Strategy X X Preventative
Outputs from annual strategy
review translate into revised
annual Strategy
Last review undertaken in
September 2016, next scheduled
for September 2017
Approved HTA Business Plan 2016-17
identifies a balanced programme of
regulatory activity and continuous
improvement
X X X Preventative
Sign off of the business plan by
the Chair on behalf of the
Authority and by sponsor
Department
HTA Business Plan published on
1 April and approved by the
Department of Health
Quality management systems
HTA quality management system contains
decision making framework, policies and
Standard Operating Procedures to
achieve adherence to the regulatory
model
X Preventative/
Monitoring
Individual staff Member
responsible for QMS,
automated review reminders,
management oversight of
progress on updates
Management are aware of
limitations in the QMS and have
further work planned in 2016/17
to address these
People
Training and development of professional
competence X Preventative
Annual PDPs, RM proposals to
SMT
Regulation training plan agreed
by SMT in June. Training records
added onto Simply Personnel
and monthly HR updates
presented at SMT.
Specialist expertise identified at
recruitment to ensure we maintain a broad
range of knowledge across all sectors and
in developing areas
X X Preventative/
Monitoring
SMT assessment of skills
requirements and gaps as
vacancies occur, Recruitment
policy
Staffing levels and risks reported
quarterly to the Authority
Strengthening arrangements for managing
reputation in response to regulatory
incident - sourcing press office support
from MHRA
Regulatory model
The following to be refined
when controls in place
Implementation of the HTA People Strategy
Delivery of Licensing and inspection review
projects to strengthen our regulatory model
(VM) 2017/18
X Preventative
Extension of reporting arrangements to
adverse events in the Research sector
(SB) Proposals developed by March 2017
X Preventative
Quality management systems
Internal audit of quality management
system adequacy and adherence
(VM) by March 2017
X Monitoring/
Detective
People
Delivery of the People Strategy road map
(AMS) by end of March 2017 X Preventative
People Strategy Progress report
produced end March 2016
Other
Strengthening horizon scanning
arrangements
(VM) by March 2017
X Preventative
X Detective
Embed Better Regulation initiatives in the
regulatory model
(VM) by March 2017
X Preventative
REF | INHERENT RISK PRIORITY | RISK/RISK OWNER | PROXIMITY | RESIDUAL RISK PRIORITY | CAUSE AND EFFECTS | EXISTING CONTROLS/MITIGATIONS | ASSURANCE OVER CONTROL | ASSURED POSITION | LINE OF DEFENCE | ACTIONS TO IMPROVE MITIGATION | TYPE OF CONTROL
1 5 4Causes
• Failure to identify regulatory non-compliance
• Regulation is not transparent, accountable, proportionate, consistent and targeted
• Regulation is not sufficiently agile to respond to changes in sectors
• Insufficient capacity and/or capability, including insufficient expertise, due to staff attrition, inadequate contingency planning, difficulty in recruiting (including Independent Assessors (IAs)).
• Inadequate adherence to agreed policies and procedures in particular in relation to decision making
• Poor quality or out of date policies and procedures
• Failure to identify new and emerging issues within HTA remit
• Failure to properly account for Better Regulation
Effects
• Loss of public confidence
• Compromises to patient safety
• Loss of respect from regulated sectors potentially leading to challenge to decisions and non-compliance
• Reputational damage
Failure to regulate in a manner that maintains public safety and confidence and is appropriate
(Risk to Delivery objectives a-c & e, Development objectives a-d)
Risk Owner:
Allan Marriott-Smith
I L I L
2 5 3
Future, should event
occur Filled identified business-critical roles
3 2
1
X
2 3
Preventative Monthly reports to HTAMG Last report October 2016
Critical incident response plan, SOPs
and guidance in place, regularly
reviewed, including by annual
training, and communicated to staff
X X Preventative
Policies etc reviewed
annually, training specification
and notes after incident
reviews
Plan updated and agreed
September 2016
Media handling policy and guidance
in place, including regular media
training for key staff & Members with
relevant scenarios, to supplement
media release and enquiries SOPs
X Preventative
Policy reviewed annually,
training specifications
Reports on media issues in
Delivery Report
Media policy to be
reviewed.
Delivery report to Authority
meeting November -
satisfactory
Accessible lines to take and key
messages for likely scenarios
X Preventative
Documented, incidents
reported to Chair and in
Delivery Report
Delivery report to Authority
meeting November -
satisfactory
Availability of legal advice X Preventative
Lawyers specified in Critical
Incident Response Plan, SMT
updates
In place
Fit for purpose Police Referrals Policy X Preventative
Annual review of policy
(minimum), usage recorded in
SMT minutes
Significantly revised policy
presented to November
Authority meeting
Onward delegation scheme and
decision making framework agreed
by the Authority
X X Preventative
Standing Orders and
Authority minutes
SO reviewed and agreed
in October 2015
Regulatory decision making
framework
X Preventative
Reports to Authority of key
decisions in Delivery Report
Satisfactory reports made
in November 2016
IT security controls and information
risk management
X X All
SIRO annual review and
report
Internal audit reports
SIRO report made in May
2016. Last internal audit
review of IT security 2014
Business continuity plan regularly
reviewed and tested
X X Preventative
Critical Incident Response
Plan and notes of test,
reported to SMT
Test to be undertaken in
Q4 of 2016/17
Evaluate test exercise of
incident and feedback to all
staff (SB)
March 2017
X Preventative
ASSURED POSITION
RISK/RISK OWNER
RESIDUAL RISK PRIORITY
LINE OF DEFENCE
TYPE OF CONTROL
ASSURANCE OVER CONTROL
ACTIONS TO IMPROVE MITIGATION
REF
CAUSE AND EFFECTS
INHERENT RISK PRIORITY
PROXIMITY
EXISTING CONTROLS/MITIGATIONS
Cause
• Insufficient capacity and/or capability (for instance, staff availability, multiple incidents or ineffective knowledge management)
• Failure to recognise the potential risk caused by an incident (for instance poor decision making, lack of understanding of sector, poor horizon scanning)
• Failure to work effectively with partners/other organisations
• Breach of data security
• IT failure or attack incident affecting access to HTA office
Effect
• Loss of public confidence
• Reputational damage
• Legal action against the HTA
• Intervention by sponsor
Inability to manage an incident impacting on the delivery of HTA strategic objectives. This might be an incident:
• relating to an activity we regulate (such as retention of tissue or serious injury or death to a person resulting from a treatment involving processes regulated by the HTA)
• caused by deficiency in the HTA’s regulation or operation
• where we need to regulate, such as with emergency mortuaries
• that causes business continuity issues
(Risk to all Delivery Development and Deployment objectives)
Risk owner:
Sarah Bedwell
I L I L
Ongoing
1 2 3
Active management of issues raised
by the media – including the
development of the HTA position on
issues
X Preventative/
Detective
Quarterly reports to Authority on
communication (including media)
activities
Last report in Nov 2016 - satisfactory
Legal advice now gives a clearer view
of our Schedule 2, s. 20 powers X Preventative Legal advice to be followed Legal advice September 2016
Codes of practice and standards project – provides
greater clarity on matters inside and outside of
regulatory scope
April 2017
X Preventative
Proactive horizon scanning and development of policy
in emerging/complex areas March 2017
X Preventative
Regular audit of function and any
gaps in policy provision
Implementation of triennial review recommendations
March 2017
X
Preventative
and remedial
Plan to develop and strengthen the relationship with
DIs by Quarter 4 2016/17 X
Preventative
Taphonomy -
To have policy in place
DH comfortable with policy approach
Implement regulatory changes, scheduling
purposes and prevention
X
X
X
RESIDUAL RISK PRIORITY
LINE OF DEFENCE
TYPE OF CONTROL
ASSURANCE OVER CONTROL
EXISTING CONTROLS/MITIGATIONS
ACTIONS TO IMPROVE MITIGATION
REF
RISK/RISK OWNER
CAUSE AND EFFECTS
INHERENT RISK PRIORITY
PROXIMITY
ASSURED POSITION
Log in place and reviewed at HTAMG
quarterly. New issues identified in causes
and effects
Preventative/
Detective
Stakeholder Group meeting
minutes
Authority minutes (including Public
Authority Meeting)
Last stakeholder group meeting in October
2016, Authority meeting in November 2016
Monitoring Ongoing log
Duty and its uses understood by
SMT and Chair
The duty has not been acted upon in the
current business year
Quarterly Accountability meetings
with DH
Last accountability meeting in September
2016 - satisfactory.
Action where we believe it will support
public confidence (eg publication of
pregnancy remains guidance)
X Preventative
Published guidance for particular
issues (eg pregnancy remains,
and shortly, cord blood)
Pregnancy remains guidance published
March 2015
Cord blood guidance issued in March 2016
Regular reporting to DH sponsorship
team on matters which risk public and
professional confidence
Monitoring
Clear view of use of s.15 duty to
report issues directly to Ministers in
England, Wales and Northern Ireland
as new issues emerge Preventative X
4443
3
Log of issues known to the HTA with
respect to the legislation to inform DH
and manage messages
Active management of professional
stakeholders through a variety of
channels including advice about
relevant materials in and out of scope
Cause
External factors
• No scheduled review of Human Tissue Act and associated regulations
• Rapidly advancing life sciences
• Potential move away from the UK as base for some regulated establishments/sectors due to Brexit and changes in exchange rates
Matters which certain stakeholder groups believe require review
• Scope of relevant material e.g. waste products
• Licensing requirements e.g. transplantation research
• Regulation relating to child bone marrow donors
• Issues raised by emergence of social media e.g. non-related donors
• Strengthening of civil sanctions for non-compliance
• Implementation of the coding and import directives in light of Brexit
Matters which stakeholders/public may expect to be inside regulatory scope
• Efficacy of clinical treatment from banked tissue
• Police holdings
• Products of conception and fetal remains
• Data generated from human tissue
• Funeral directors
• Forensic research facilities
• Cryonics
• Body stores / Taphonomy
• Imported material
• Other
• Inadequate stakeholder management
Effect
• Diminished professional confidence in the adequacy of the legislation
• Reduced public confidence in regulation of matters relating to human tissue
• Reputational damage
Failure to manage public and professional expectations of human tissue regulation in particular stemming from limitations in current legislation or misperception of HTA regulatory reach
(Risk to Delivery objective d)
Risk Owner:
Vicky Marshment
I L I L
44 4 People 4 3
1 2 3
Regularly reviewed set of people-
related policies cover all
dimensions of the employee
lifecycle
X X Preventative/
Monitoring
QMS reminders as policies due for
review. SMT review of all revised
policies
Currently in the middle of a regular
review cycle
Established annual Performance
Development Planning (PDP)
process supported by mandated in
year processes (1-2-1s and mid
year review)
Standard objectives for all line
managers
X X Preventative/
Monitoring
PDP guidance reviewed annually and
approved by SMT, newly introduced
countersigning officer check
Guidance issued April 2016
Regular review of HTA
organisational structure and job
descriptions
X X Preventative
Recruiting to the currently agreed
organisational structure and approved
job descriptions
Last review completed in Autumn
2015. Job descriptions reviewed as
posts become vacant
Feedback from HTA people about
work, management and leadership
X X
Monitoring/
Detective
Staff survey, exit interviews, staff
forum (attended by SMT Member and
Head of HR)
Report of exit interview presented to
Authority, Staff Survey launched in
May 2016. Findings reported to the
Authority in November . ARAC chair
regularly discusses staff issues with
chair of staff forum.
Data
Data relating to establishments
securely stored with the Customer
Relationship Management System
(CRM)
X X Preventative/
Monitoring
Upgrades to CRM, closely managed
changes to CRM development.
Internal audit of personal data
security.
Actions from the audit of personal
data security completed April 2016.
Business technology
Staff training in key business
systems
X Preventative
Systems training forms part of the
induction process for new starters
Ongoing records of all new starters
trained in key business systems
IT systems protected and
assurances received from 3rd
party suppliers that protection is up
to date
X X X Preventative/
Monitoring
Quarterly assurance reports from
suppliers. Monthly operational cyber
risk assessments. Annual SIRO
report
Cyber risk updated and reported to
HTAMG in May 2016. SIRO report to
ARAC in May 2016.
People
Strengthen the PDP process by introducing
structured 180 degree feedback
(AMS) 2017/18
X X All
Range of projects within the People Strategy
relating to managing and leading people, in
particular more structured management and
leadership training and development
(AMS) by March 2017
X Preventative
Currently identifying opportunities to
collaborate with others in the ALB
sector to tap into these opportunities
Data
Plans to be developed
(RS) by March 2017
Business technology
Identify refresher training and targeted
software specific training needs
(RS) by Q4 2016/17
X Preventative
ASSURANCE OVER CONTROL
ASSURED POSITION
REF
RISK/RISK OWNER
CAUSE AND EFFECTS
INHERENT RISK PRIORITY
PROXIMITY
EXISTING CONTROLS/MITIGATIONS
RESIDUAL RISK PRIORITY
ACTIONS TO IMPROVE MITIGATION
LINE OF DEFENCE
TYPE OF CONTROL
Cause
• Lack of knowledge about individuals' expertise
• Poor job and organisational design resulting in skills being under used
• Poor line management practices
• Poor leadership from SMT and Heads
• Data holdings poorly managed and under-exploited
• Inadequate business technology or training in the technology available
Effect
• Poor deployment of staff leading to inefficient working
• Disaffected staff
• Increased turnover leading to loss of staff
• Knowledge and insight that can be obtained from data holdings results in poor quality regulation or opportunities for improvement being missed
• Poor use of technology resulting in inefficient ways of working
• Inadequate balance between serving Delivery and Development objectives
Failure to utilise people, data and business technology capabilities effectively
(Risk to Delivery objectives a-d, Development objectives a-d, Deployment objectives a & c)
Risk Owner:
Allan Marriott-Smith
I L I L
5 4 4
Ongoing
Budget management framework to
control and review spend and take
early action
3 2
1
X
2
X
3
All
Budgetary control policy reviewed
annually and agreed by SMT
Last review February
2016
Financial projections, cash flow
forecasting and monitoring
X Monitoring
Monthly finance reports to SMT and
quarterly to Authority. Quarterly
reports to DH
Last quarterly report
October 2016
Licence fee modelling Preventative Annual update to fees model
Update agreed by the
Authority November
2016
Rigorous debt recovery procedure X Preventative
Monthly finance reports to SMT and
quarterly to Authority
Last quarterly report
October 2016
Reserves policy and levels
reserves
X Monitoring
Reserves policy reviewed annually
and agreed by ARAC
Last agreed February
2016
Delegation letters set out
responsibilities
X X Preventative Delegation letters issued annually Issued in April 2016
Prioritisation when work
requirements change
X Preventative
Agreed business plan, monthly
HTAMG and SMT reports
Last HTAMG report May
2016
Fees model provides cost/income
information for planning
X Preventative
Annual review of fees model, reported
to SMT and Authority
Update agreed by the
Authority November
2016
Annual external audit X Detective NAO report annually
Last report in May 2016 -
clean opinion
Monitoring of income and
expenditure (RS)
Ongoing
X Detective
Monthly finance reports to SMT and
quarterly to Authority. Quarterly
reports to DH
Last quarterly report
October 2016
Horizon scanning for changes to
DH Grant-in-aid levels and
arrangements (RS)
Ongoing
X X Detective
Quarterly Finance Directors and
Accountability meetings
Last FDs meeting Q1
2016
ASSURED POSITION
REF
RISK/RISK OWNER
CAUSE AND EFFECTS
INHERENT RISK PRIORITY
PROXIMITY
RESIDUAL RISK PRIORITY
ACTIONS TO IMPROVE MITIGATION
LINE OF DEFENCE
TYPE OF CONTROL
ASSURANCE OVER CONTROL
EXISTING CONTROLS/MITIGATIONS
Cause
• Fee payers unable to pay
• Licence fee structure doesn’t bring in sufficient fee income
• Establishments change leading to less fee income
• Increase in regulatory responsibilities
• Increased costs
• Poor budget and/or cash-flow management
Effect
• Payments delayed
• Reductions in staff and other expenditure
• Increased licence fees
• Request for further public funding
• Draw on reserves
Leading to:
• Inability to deliver operations and carry out statutory remit
• Reputational damage
Insufficient financial resources
(Risk to Deployment objective b)
Risk Owner:
Richard Sydee
(AUD166-16) ANNEX B
Audit and Risk Assurance Committee Paper
Date 8 February 2017 Paper reference (AUD 166-16)
Agenda item 8 Author(s) Richard Sydee/Hazel Lofty
Sector risks and HTA’s approach to public confidence
Background
1. This paper and presentation form part of an overall programme to familiarise
Authority and ARAC members with the approach undertaken by HTA in terms
of sector specific risks and the regulatory tools available to the Authority.
2. This is the beginning of a process of looking at risk in the context of the HTA’s
inspection and regulatory regime, and this session will look at the overall
approach before we move on to more sector-specific approaches.
3. The programme should provide assurance to the Authority and ARAC that the
approach taken in terms of HTA resources applied to sectors is appropriate to
the risk posed by each sector to the issue of public confidence.
Actions Required
4. Members are invited to:
• note approaches outlined and consider whether they are consistent with
their understanding of the risks in each sector, and
• consider what further work might be done with the wider Authority in
relation to assessing and targeting resource allocation.
Annex B – HTA Regulatory Strategy and Inspection Rationale
HTA ARAC Exploration of Risk Area: Sector risks and the HTA’s approach to protect
public confidence.
In order to inform discussion with members, the following paper sets out our current
approach to Regulation (as it appears in our current strategy) and an outline of the
rationale we use in determining the resource we deploy on inspections. ARAC
should consider this work in progress towards setting our regulatory strategy more
formally.
Extract from the HTA Strategy
The HTA aims to be a right-touch regulator which complies with the principles of better
regulation, and supports the Government’s aims with regard to deregulation.
That means that we focus our regulation on those establishments which carry out activities
with inherently greater risk to public confidence if standards are not maintained, and those
which we have assessed as being at the greatest risk of non-compliance. This approach
means that we target our resources at those areas which have the greatest impact on our
overall goal.
We undertake licensing as required by legislation to a set of licensing standards, which
are aligned with our principles and designed to promote public confidence. Assurance that
standards are being met is achieved through a variety of mechanisms.
HTA inspections take place in each sector according to the legislative requirements and
the regulatory risk in that sector, as well as the risk specific to each establishment. The
HTA’s current approach is to work with an establishment to schedule an inspection at a
mutually convenient time. We recognise the significant level of compliance and
transparency across our sectors and believe that this approach enables us to reduce the
burden of the inspection without increasing the risk of non-compliance. We do, however,
have a right of entry to licensed establishments (except those in the transplantation sector)
and, where we believe it is justified to do so, will conduct a short-notice or unannounced
inspection.
We also place reporting requirements on licensed establishments to inform us of
incidents and events posing the highest risk to public confidence and patient safety. This
allows us to take appropriate action, should things go wrong, and to ensure that lessons
learnt can be shared.
We have a statutory duty to give advice and guidance to establishments. We place great
emphasis on this so that we can bring them to compliance in partnership, rather than
dealing solely with non-compliance. This approach has enabled us to develop strong links
with representatives of the sectors we regulate. This means we are able to engage with
them about issues across the sector and gain a better understanding of the challenges they
face and, in turn, inform our regulatory policy development. Similarly, it gives them a better
understanding of our requirements. It also means that we use significant regulatory
action when appropriate and in the public interest.
HTA Inspection Rationale
Since the HTA’s inception, site-visit inspections have played a key role in providing
assurance to the HTA of compliance with statutory and regulatory requirements.
There are three factors that govern inspection scheduling. Firstly, the inspection
programme is based on an assessment of risk. By risk we mean: (i) the inherent
risk associated with the licensed activities taking place in each sector, and (ii) the
risk of non-compliance presented by individual establishments by virtue of the
complexity or volume of activity they are undertaking or their history of compliance.
So, there is a sector-wide and an individual approach to risk assessment. Biennial
compliance updates are a major source of information that informs risk assessments,
with the Head of each sector deciding on the particular approach that should be
taken at each reporting round.
The second factor is any non-risk related drivers that need to be taken into account.
For example, in the Human Application Sector, the Quality and Safety Regulations
dictate that each establishment is inspected every two years, and in the PM sector,
the opportunity to undertake a joint inspection with UKAS may influence the
timing of an inspection, either bringing it forward or pushing it back, if our
assessment of risk allows.
The third and final factor in considering the scheduling of inspections is the
Regulation Manager resource available.
As a public body, we are obliged to ensure that we are efficient and economical,
focusing our resources on where regulatory action is most needed. We
acknowledge the importance of minimising regulatory and financial impacts
wherever possible, and this is a key tenet of our risk-based approach.
In 2015/16, as in the previous business year, we aimed to deliver an inspection
programme comprising around 180 site visits, including main site and satellite sites.
This is based on the resources we have had available and consideration of other
business plan priorities. In reality, in 2015/16, we conducted 233 site visits as the
intended number increased substantially once non-routine inspections, Licence
Application Assessment Visits and CAPA follow up visits had been included. Whilst
we managed to achieve this operational requirement, it placed pressure on the
resources that we had available.
Post Mortem (PM) Sector
Summary
The PM Sector has high inherent risk because of the special sensitivities around
dealing with the deceased, the potential for media interest and public concern when
things go wrong and the growing pressures on the coroners’ service, which are
impacting on mortuaries, in particular in relation to body storage. The Sector
currently comprises 247 establishments (182 main sites and 65 satellites). The
majority are within NHS Trusts, with only 22 mortuaries remaining under Local
Authority control. They undertake around 100,000 PM examinations each year.
Mortuaries are licensed for three activities: PM examination, removal of tissue from
the body of a deceased person for use for a scheduled purpose (SP) and storage of
bodies and tissue for use for a SP. There are exemptions: (i) body stores, as these
are not storing prior to disposal, which is not a SP; (ii) storage for criminal justice
purposes (although we do include these in our inspections under an agreement with
the Home Office); and (iii) specialist centres which undertake analysis for a licensed
establishment. All of these activities are subject to the consent provisions, except
when there is coroner involvement.
Risk
An assessment of risk of the potential for a serious incident informs our inspection
scheduling, using information obtained in our biennial compliance updates. Our
current prioritisation is based on a number of factors, including: the establishment’s
overall compliance score; the number of ‘red flag’ answers; the date of the last
inspection; whether the Trust is in special measures; the frequency/duration of use
of the establishment’s contingency plan in the last 12 months; HTARI history
(including lack of reports) and HTARI team members’ knowledge of establishments;
and whether there has been a recent change of DI.
Approach to inspections
We conduct around 40 PM inspections a year, bringing the cycle of inspections to
around 4 ½ years, and gather compliance information every other year. The most
recent compliance questionnaire included a scoring system that used a system of
red flags to highlight the potential for the occurrence of an HTARI based on the
responses to key questions. It also included specific questions around capacity and
contingency. Inspections typically follow the standard ‘two RMs for one day’
format, although this may vary depending on the size and nature of the
establishment, and the mix of activities – for example, if tissue for research is
stored under a PM sector licence. Occasionally, we undertake non-routine visits,
for example as the result of information we receive or the incidence of HTARIs. We
also undertake a small cohort of joint inspections with UKAS.
Other compliance activity
We require the reporting of serious incidents; we have an established process for
reviewing and responding to these and have various mechanisms for sharing the
learning gained from them with the inspection team and across the sector.
Research sector
Summary
Our licensing role in research is limited to licensing premises, such as tissue banks,
to store tissue from the living and the deceased. We also license establishments,
including establishments in the post mortem sector, for tissue to be removed from
the deceased for research. We do not license the ‘use’ of tissue for research or
approve individual research projects or clinical trials. Neither do we have a role in
the ethical approval of research although regulations to the Act allow human tissue
held for a specific research project approved by a recognised REC (or where
approval is pending) to be stored on premises without a HTA licence.
Due to the number of associated satellite sites, the total number of licensed sites in
our research sector is currently around 290, making it the largest sector we regulate
in terms of licensed sites. This figure grows each year but gives only a partial
picture of human tissue research activities, which are widely spread throughout the
establishments licensed in our other sectors. Due to the proportionate approach in
which we license, establishments licensed in our other sectors are permitted to
store human material for research and a substantial proportion of these do that.
Risk
Summary reports (of inspection and compliance update data) have confirmed that
our research establishments are highly compliant with our regulation. As the
research sector has been considered to be of low regulatory risk, inspections of
research establishments have been scheduled across longer periods of time than in
other sectors. Research establishments are selected and prioritised for inspection,
taking into account the following factors: compliance update score (linked to level of
compliance); analysis of individual responses to the compliance update questions,
including the number of what we have marked as ‘red flags’ (linked to risks); time
since the last inspection; and, incorporating establishments which were poorly
compliant with the compliance update process or where other regulatory issues had
come up in the interim.
Approach to inspections
There is a relatively small number of inspections (approx. 20 each year), with long
intervals between them, meaning that full inspections are carried out and there are
currently no plans to undertake limited scope or thematic site visit inspections.
Research activities cut across into other sectors so we also undertake
representative scrutiny of related research activities when inspecting relevant
establishments in other sectors.
Other compliance activity
Biennial compliance updates are collected and contribute to inspection
prioritisation, sector oversight and strategic planning.
Anatomy Sector
Summary
We license 36 establishments in our anatomy sector (approximately 50 licensed
sites when satellites are included), making it one of the smallest of the sectors we
regulate. In addition to anatomical examination, many facilities store and use
human tissue for other purposes, such as surgical training and research.
The anatomy sector is also involved in sensitive activities involving the bodies of
deceased people but licensed establishments are very compliant with our
regulatory framework.
Risk
Summary reports (of inspection and compliance update data) have confirmed that
our anatomy establishments are highly compliant with our regulation. As the
anatomy sector has been considered to be of lower regulatory risk, inspections of
anatomy establishments have been scheduled across longer periods of time than in
other sectors.
Anatomy establishments are selected and prioritised for inspection, taking into
account the following factors:
• biennial compliance update score (linked to level of compliance);
• analysis of individual responses to the compliance update questions,
including the number of what we have marked as ‘red flags’ (linked to risks);
• time since the last inspection;
• incorporating establishments which were poorly compliant with the
compliance update process or where other regulatory issues had come up in
the interim.
Approach to inspections
Because there are a proportionately small number of inspections (3-5 each year),
and long intervals between them, full inspections are carried out and there are
currently no plans to undertake limited scope or thematic site visit inspections. Two
unannounced inspections have taken place in the anatomy sector over the past
decade, both of which related to concerns about the dignity of the deceased being
compromised.
Other compliance activity
Biennial compliance updates are collected and contribute to inspection
prioritisation, sector oversight and strategic planning.
Public Display Sector
Summary
We currently license 14 establishments in our public display sector (16 licensed
sites, including satellites), which is the smallest of our regulated sectors. It is
considered to be low risk because of the static nature of museum collections and
the fact that many of the establishments are accredited by Arts Council England,
whose comprehensive standards include many of our requirements. The exception
to this is temporary exhibitions which take place on premises other than those of a
museum, for example Body Worlds.
Risk
The licensing requirements in this sector relate to tissue from the deceased only, so
there is always an element of public interest and the possibility of an adverse
response from the public and the media. From compliance updates and inspection
findings, we know that established museums are compliant with our standards and
subject to very little change. Against this background, it is challenging to maintain a
system of regulatory oversight that is proportionate and reflective of risk, whilst
providing the sector with recognisable value for money.
New PD establishments are inspected as part of our licensing process, whilst
existing establishments are selected and prioritised for inspection, taking into
account the following factors:
• biennial compliance update score (linked to level of compliance);
• any concerns that we have about specific establishments; and
• the time that has elapsed since the last inspection.
Approach to inspections
We undertake a small number of PD inspections every year (an average, over the
last 3 years, of five per year), to maintain visibility in the sector. It is rare that we
identify a shortfall, and when we do it usually relates to aspects of governance and
quality, most commonly risk management. Often, the consent and disposal
standards are not applicable, because collections are neither being expanded nor
reduced. This means that our inspections focus on governance and quality
systems, including collections management and traceability, along with premises,
facilities and equipment.
All newly-licensed establishments are subject to a site-visit inspection prior to the
material they are displaying being put on show to the public. In this way we are
able to assure ourselves that standards are met and provide advice and guidance,
usually on matters relating to the dignity of the deceased.
Other compliance activity
Biennial compliance updates are collected and contribute to inspection
prioritisation, sector oversight and strategic planning. Establishments that are
accredited by Arts Council England are required to provide less information,
reducing the burden on them of this regular information-gathering exercise.
Human Application Sector
Summary
Under the Human Tissue (Quality and Safety for Human Application) Regulations
2007 (Q&S Regulations), the HTA licenses and inspects approximately 150
establishments that undertake the procurement, testing, processing, storage,
distribution, import and export of tissues and cells intended for human
application (HA). The HA sector is currently considered to be our highest risk
sector. In part, this is due to the potential impact that regulatory non-compliance
could have on patient safety and clinical outcomes. However, it also reflects the
complexity and diversity of the work undertaken in this sector and the heterogeneity
of the organisations licensed in this sector, which includes many commercial
organisations.
Risk
In addition to inherent risk, the HTA’s assessment of risk in this sector is based on a
number of factors including:
- recent non-routine regulatory action (e.g. RDMs, issuing of Directions /
Conditions);
- changes to a licence (e.g. change of DI, addition of new sites/activities);
- reports of serious adverse events and reactions (SAEARs) (see below);
and
- complaints / investigations.
Approach to inspections
In the HA sector, there is a statutory requirement for inspections to be carried out at
an interval that does not exceed two years. As a result of this, the HTA undertakes
approximately 70 HA inspections each year. This equates to approximately 100 site
visits each year once satellite sites are factored in. Inspections may be general
system-oriented inspections or thematic depending on the assessment of risk for an
individual establishment and can range from one-day visits involving a single
inspector for simple, low-risk establishments (i.e. a single site carrying out limited
licensable activities with only one tissue type), through to multi-day visits involving
several inspectors for more complex sites (i.e. those carrying out the full range of
licensable activities across multiple tissue types and on several sites). Our current
inspection strategy in the HA sector includes the carrying out of joint or linked
inspections with other regulators such as the MHRA, HFEA and CQC, as well as
carrying out licence application assessment visits (LAAVs) prior to granting new
licences. Non-routine inspections may be carried out in response to significant
regulatory non-compliance (i.e. critical shortfalls), SAEARs, or in relation to any on-
going regulatory action.
Other compliance activity
As in the PM sector, we require the reporting of serious incidents (termed
SAEARs); we have an established process for reviewing and responding to these
and have various mechanisms for sharing the learning gained from them with the
inspection team and across the sector. HA establishments are also required to
submit annual activity data.
Organ Donation and Transplantation sector
Summary
Inspections are referred to as audits in this sector. The HTA began regulating and
licensing this sector in August 2012 as a result of the EU Directive on the standards
of quality and safety of human organs intended for transplantation. We currently
license 37 establishments and licensing covers activities involving the procurement
and transplantation of organs. One round of audits has been undertaken so far
(2012/13) during which all 37 establishments licensed under the new regulatory
framework were audited and found to be largely compliant with our regulatory
framework.
Risk
This sector is considered high risk due to the nature and breadth of the activities
being undertaken across both living and deceased organ donation and
transplantation. In particular, regulatory non-compliance could have a serious
adverse effect on patient safety and clinical outcomes for those giving and receiving
organ and tissue transplants. Adverse outcomes and, on occasion, widespread
media attention mean there is a very real risk in terms of the loss of public
confidence if standards are not met and maintained across the sector.
Biennial compliance updates are collected and contribute to audit prioritisation e.g.
the establishment’s overall compliance score, and also provide sector oversight.
This data is useful in identifying particular areas where the HTA may wish to seek
assurance during the audits.
Approach to inspections
We audit establishments against specific criteria and gather evidence through a
combination of inspection, review, and interviews with staff involved in each aspect
of the ‘organ pathway’; this includes both living and deceased donation. The EU
Directive requires that “the framework for quality and safety should include auditing
where necessary”.
The second round of audits will begin in October 2016 as planned and this will
again include all licensed establishments in the sector. The size of the audit team
and length of audit varies depending on the complexity of the activities at the
establishment, for example the audit of an establishment transplanting kidneys only
will be shorter than the audit of an establishment transplanting multiple organs.
Other compliance activity
We have a service level agreement (SLA) with NHS Blood and Transplant
(NHSBT). This sets out a number of functions that NHSBT performs on behalf of
the HTA to assist us in meeting our obligations as the Competent Authority under
the EU Directive. Significantly, this includes the management, reporting and
investigation of Serious Adverse Events and Reactions (SAEARs) on our behalf.
These are reported to the HTA and closed once we are satisfied that appropriate
measures have been taken to prevent the SAEAR occurring again, and that shared
learning has taken place where appropriate.
AUD 166-16 (Annex C)
HTA Risk Management Strategy and Policy
Reference HTA-POL-025 Author Morounke Akingbola
Version 13.0 Owner Director of Resources
Date approved November 2015February 2017
Reviewed by SMT
Distribution HTA Internal Approved by Audit and Risk Assurance Committee
Next review due November 201February 2018
Purpose
1. The purpose of this document is to define the Human Tissue Authority’s strategic intent
for risk management and set out the roles and procedures for risk management at the
HTA now and in the future. It will be reviewed and updated formally on an annual basis.
2. The Human Tissue Authority strives to be an organisation that demonstrates good
governance practices. The environment that we operate within requires us to have in
place a proportionate and strategic approach to the day to day management of risk. The
objective is to ensure that when risks arise they will be dealt with in a manner that is
consistent with the principles and processes outlined in this document.
3. This document applies to all employees of the HTA and those seconded to work in the
HTA. There should be an active lead from managers at all levels to ensure that risk
management is a fundamental part of the overall approach to regulation, service
delivery and corporate governance.
What is risk management?
4. HM Treasury in The Orange Book Management of Risk - Principles and Concepts
describes risk as follows:
5. ‘Risk is defined as the uncertainty of outcome, whether a positive opportunity or a
negative threat, of actions and events. The risk has to be assessed in respect of the
combination of the likelihood of something happening, and the impact which arises if it
does actually happen. Risk management includes identifying and assessing risks (the
“inherent risks”) and then responding to them.’
6. Risk management is essentially about identifying and managing key obstacles to the
achievement of strategic and business objectives. It is a tool that is an integral part of
effective and efficient management and planning.
Types of risk
Strategic
Those current business risks that, if realised, could fundamentally affect the way
in which we exist or provide services in the next one to five years. These risks
will have a detrimental effect on the achievement of our strategic objectives. The
risk realisation will lead to failure, loss or lost opportunity.
Operational
Those current business risks that, if realised, could affect the way in which we
operate or provide services in the next year. These risks will have a detrimental
effect on our achievement of our business plan. The risk realisation will lead to
failure, loss or lost opportunity.
Project
Those business risks that, if realised, could affect the way in which we deliver
any specific project. The risk realisation will lead to failure, loss or lost
opportunity.
Strategic intent
7. The Authority recognises that risk management is an integral part of good governance
and management practice and to be most effective should be part of the HTA’s culture.
The Authority is committed to ensuring that risk management forms an integral part of
the HTA’s philosophy, planning and practice, rather than being viewed or practised as a
separate activity, and that responsibility for risk management is accepted at all levels of
the organisation.
8. The HTA aims to take all reasonable steps in the management of risk with the overall
objective of achieving its strategic and business objectives and protecting staff,
stakeholders, the public and assets.
9. The HTA recognises that the outcome of a risk management approach will not eliminate
risk totally. Rather it provides the means to identify, prioritise and manage the risks and
provide a balance between the cost of managing and treating risks, and the anticipated
benefits that will be derived from doing so. Risk management should not be so rigid that
it stifles innovation and imaginative use of limited resources in order to achieve
objectives.
Accepted risks
10. The HTA considers that any risk with no further action planned to address it is an
accepted risk, providing assurance is received that the controls relied upon to manage it
are in place. It is reasonable to accept a risk that under normal circumstances would be
unacceptable if the risk of all other alternatives, including doing nothing, is even greater.
11. The HTA is not willing to accept risks that may result in compromising the protection of
the public’s interests that the removal, storage and use of human tissue and organs are
undertaken safely and ethically, and with proper consent. The HTA is not willing to
accept risks that may result in financial loss or exposure, major breakdown in
information systems or information integrity, significant incident(s) of regulatory
non-compliance, potential risk of injury to staff or contractors or reputation damage.
Risk appetite
12. The total list of accepted risks forms the HTA’s risk appetite. The HTA does not set a
defined level of risk appetite for each type of risk.
Tolerated risks
13. The HTA tolerates risks that have been managed as far as is considered to be
reasonably practicable and have adequate control mechanisms in place.
14. Tolerated risks are not accepted risks. The HTA will live with tolerated risks, to secure
certain benefits or because they arise from external factors, providing they are properly
managed. If the risk gives rise to potential benefits, these outweigh the potential harm.
Tolerated risks are not disregarded – they are reviewed with the aim of reducing further
risk.
Duties and responsibilities
Role of the Authority
15. The Authority has ultimate responsibility for the management of the HTA’s risks. It
monitors the HTA’s approach to the management of risk, and its effectiveness in
managing risk. Predominantly, it considers the risks facing the HTA at the strategic
level. Its role includes:
- instilling a culture of risk management:
  - determining the HTA’s ‘risk appetite’ across the whole organisation or on any relevant single issue, and reviewing this periodically as part of the strategic planning cycle
  - determining which risks are acceptable and which are not
  - determining the appropriate level of risk exposure.
- satisfying itself that risks are managed appropriately:
  - considering the external environment and identifying emerging strategic risks
  - approving the overall risk management arrangements
  - approving decisions which have a major impact on the HTA’s risk profile or exposure and satisfying itself that the HTA’s actual level of risk exposure does not exceed that agreed
  - monitoring the management of significant risks and assuring itself that risks are tolerable
  - satisfying itself that the less significant risks are being actively managed, and that the appropriate controls in place are working effectively
  - reviewing the approach to risk management and approving key changes or improvements to processes and procedures.
Role of the Audit and Risk Assurance Committee
16. The Audit and Risk Assurance Committee reviews and tests the establishment and
maintenance of an effective system of internal control and risk management. This
process is underpinned by the internal audit function, which provides an opinion on
internal control.
17. It is the Audit and Risk Assurance Committee’s role to advise the Authority on the
effectiveness of the HTA’s internal control arrangements. As part of this role it will
advise the Authority:
- annually on the HTA’s approach to risk management and overall risk management arrangements, approving the Risk Management Strategy and Policy
- periodically on the management of significant risks (following discussion with the Senior Management Team on specific risks)
- on the implications of internal audit reports
- on the implications of the recommendations made by the external auditors.
Role of the SMT
18. As the SMT is the authoritative decision-making body within the HTA’s management
structure, it has the ultimate management responsibility for risk and implementation of
the HTA’s risk management strategy and reporting requirements.
19. The SMT takes the lead in ensuring that the strategy and practice remain appropriate
and fit for purpose. The SMT ensures that assessment and management of risk are an
integral feature when authorising and managing existing and new work. SMT members
are risk owners of strategic risks.
20. Specifically, SMT is responsible for:
- establishing and maintaining a coherent and practical HTA-wide approach to the management of risk, using the procedures set out in this document
- maintaining the HTA’s Risk Management Strategy and Policy
- identifying and managing the strategic risks faced by the HTA for consideration by the Authority
- reviewing strategic risks on a monthly basis
- periodic review of the effectiveness of the HTA’s risk management arrangements
SMT delegates responsibility to Heads for identifying and managing the operational
and project risks faced by the HTA.
Role of HTAMG
21. Chaired by the Chief ExecutiveStrategy & Quality, the HTA Management Group
(HTAMG) consists of SMT and Heads. It meets monthly and reviews performance on
objectives, risk and progress on projects. HTAMG ensures that operational and project
risks are reported, managed and escalated as necessary.
22. Specifically, HTAMG is responsible for:
- monthly review of the management of operational risks and maintenance of the operational risk register
- quarterly oversight of operational risks alongside strategic risks to ensure the two remain aligned and to provide a mechanism whereby operational risks can be escalated to strategic risks should this prove necessary.
HTA Groups
Groups that the HTA has set up that include stakeholders (Stakeholder Group,
Histopathology Working Group, Transplant Advisory Group) provide a valuable opportunity
to gain stakeholders’ views on risks. The lead HTA member of staff for each of these groups
should ensure that the group has an opportunity to identify and review relevant risks for the
HTA.
Director of Resources
23. The Director of Resources acts as a central reference point for all risk management
issues within the HTA. The Director facilitates and oversees the risk management
processes, but does not act as the “risk manager” for all risks, as the HTA recognises
that risk management forms an integral part of all functions.
24. The Director is responsible for the maintenance of the Strategic Risk Register.
HTA in a wider risk context
25. The HTA engages with the Department of Health ALB Risk Network which
meets regularly throughout the year. This is a forum for discussing common risk
issues and systemic risks and the approach of the Department towards risk
management.
26. HTA have committed to consider system-wide and common, interdependent,
risks
Procedures
Approach to risk management
27. The starting point for risk management is a clear understanding of what the
organisation is trying to achieve. Risk management is about managing the threats that
may hinder delivery of priorities and core functions, and maximising opportunities that
will help to deliver them. It should take into account the environment within which the
HTA operates.
28. The risk management process should be kept as simple and straightforward as
possible. It should:
- start from objectives
- put the primary focus on significant risks and related controls
- record details in risk registers
- regularly monitor progress
- allocate risk management responsibilities to individuals
- link actions to manage risks to personal and business plans
- not be so complicated that it alienates management and staff.
29. Risk management involves a 5-stage process, as shown below:
Stage 1 – Risk identification
30. The first step is to identify the ‘key’ risks that could have a significant adverse effect
on us or prevent key strategic or business objectives from being met. It is important that
those involved with the process clearly understand the service or organisation’s key
business objectives i.e. ‘what it wants to achieve’ in order to be able to identify ‘the
barriers to achievement’.
31. Details of any new risks should be raised with the Director or the Head concerned to
be considered for recording on the Strategic or the Operational Risk Register
respectively. Project risks are recorded by the project manager, using the system in
place for specific projects, and are escalated to the operational and strategic risk
registers through HTAMG and SMT as necessary.
32. SMT should consider the current portfolio of risk in coming to a decision whether to
accept new strategic risk and HTAMG should do the same for operational risks. SMT or
HTAMG will also confirm or make changes to the new risk, assign a risk owner and
agree any further action to be taken to manage the risk.
33. Risk identification also includes identifying opportunities, where the outcome is
uncertain, and these may be managed using the process set out here. However,
strategic considerations about whether to exploit opportunities are made by the
Authority.
Figure: The risk management cycle (Identification, Analysis, Prioritisation, Management, Monitoring)
Risk interdependencies
34. Extended Enterprise is the term used to describe risk interdependencies between
organisations. As part of a wider group consisting of the DH and all its ALBs, a review
of three types of risk needs to be undertaken as part of the risk identification process.
Furthermore, escalation of any such risks needs to be factored into our process.
35. The three types of risk to identify are:
1) Type 1. A system-wide risk that affects a number of different ALBs (or in some cases all of them including DH, e.g. cyber security);
2) Type 2. A risk identified in one ALB or DH that will affect another; and
3) Type 3. A risk caused by processes and controls in place at one ALB or DH that may lead to a risk in another ALB or DH.
36. Whilst the HTA needs to ensure the above is conducted consistently, there must also
be a means of communicating or feeding back any risks that have materialised from the
above. The forum or process for this will be via an ALB wide forum (see para 44).
Stage 2 – Risk analysis
37. There are three important principles for analysing risk:
- consider the likelihood and impact for each risk
- be clear about the difference between inherent and residual risk
- record the assessment of risk in a way which facilitates monitoring and prioritisation of risks.
38. Having identified new risks, the following details should be provided to SMT or
HTAMG so that they can be recorded in the relevant risk register. The implications of
project risks should be considered and significant ones included in the appropriate
register. The details should include:
- A description of the risk, its cause and the effect on the HTA if the risk materialised
- An assessment of the inherent[1] impact of the risk if there were no mitigating strategies in place to manage the risk. This should be measured on a scale of 1 to 5 as detailed in the following table

[1] The concept of inherent and residual impact and likelihood is taken from the Orange Book.
| Impact | Finance | Service Quality/Objective | Health & Safety | Reputation |
|---|---|---|---|---|
| (5) Catastrophic | Above £2.1m (50+%) | Complete failure of services. Patient death due to HTA negligence. | Fatality (Staff, members and visitors etc…). | Significant reputation damage is causing government intervention e.g. inquiry, Management and/or Authority re-structure. |
| (4) Major | £1m to £2.1m (15 to 50%) | Significant reduction in service quality expected. Not delivering statutory remit. | Serious injury occurring. | Reputation damage occurs with the Key Stakeholders (Opinion Leaders) such that their overall confidence in HTA is affected. |
| (3) Moderate | £500k to £1m (7.5 to 15%) | Service quality impaired leading to temporary suspension of non-statutory remit. | Very minor injury. | Localised reputational damage e.g. within a sector/geographical area. |
| (2) Minor | £50k to £500k (0.75 to 7.5%) | Marginally impaired, stakeholder expectations are not met (non-statutory). | No injury. | Temporary reputational damage, (e.g. practitioner confidence/local media/individuals). |
| (1) Almost None | Below £50k (less than 0.75%) | Negligible effects on service quality. | | No effects on reputation. |
NB. The above figures are calculated as an approximate percentage of the HTA’s turnover
(total annual income) of £4.2m.
- An assessment of the inherent likelihood of the risk materialising. This should also be measured on a scale of 1 to 5 as detailed below:

| Likelihood | Chance of occurring |
|---|---|
| (5) Almost certain | Above 90% chance of occurring |
| (4) Likely | 50 – 90% |
| (3) Possible | 10 – 50% |
| (2) Unlikely | 3 – 10% |
| (1) Rare | Less than 3% chance of occurring |

- A summary of the controls in place and assurance sources that will confirm whether key controls are operating effectively
- An indication of the residual impact and likelihood using the same scoring system shown above. The residual score indicates the level of the risk once the controls have been put in place and action has been taken
- A suggested owner for the risk.
39. SMT or HTAMG will record the details of the new risk in the relevant risk register and
calculate an inherent score and residual score by multiplying the scores for impact and
likelihood using the risk matrix shown below.
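Risk matrix

| Impact \ Likelihood | (1) Rare | (2) Unlikely | (3) Possible | (4) Likely | (5) Almost certain |
|---|---|---|---|---|---|
| (5) Catastrophic | 5 | 10 | 15 | 20 | 25 |
| (4) Major | 4 | 8 | 12 | 16 | 20 |
| (3) Moderate | 3 | 6 | 9 | 12 | 15 |
| (2) Minor | 2 | 4 | 6 | 8 | 10 |
| (1) Almost None | 1 | 2 | 3 | 4 | 5 |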
Stage 3 - Risk prioritisation
40. Once risks have been identified and analysed, they require a priority to be applied.
41. In line with the colour coded quadrants of the risk matrix above, once risks have been
assigned a score they will fall into one of the following four groups which will determine
the manner in which they will need to be managed:
- Primary Group (red) – Where risk management should focus most of its time. Risks that fall into this group will require immediate attention. Both the status of the risk will require to be monitored with regard to effect on the organisation’s activities and the progress of action taken to ensure its effective completion.
- Contingency Group (amber) – Where risk management will ensure that contingency plans are in place. Risks that fall into this group may require immediate action but will require to be monitored for any changes in the risk or control environment which may result in the risk attracting a higher score.
- House Keeping Group (yellow) – Basic mechanisms should be in place, (risk management will confirm). Risks that fall into this group will require to be monitored by management.
- Negligible Group (green) – Where risk is so minimal it does not demand specific attention. Risks that fall into this group will require review only, but no further action.
42. New risks that are classified as primary should be brought to the attention of the SMT
immediately to enable the risk to be reviewed and actions to be quickly identified.
Stage 4 - Risk Management
43. Once a risk has been identified, analysed and prioritised, it will be possible for the
organisation to decide whether to take further action to address the risk and if so what
type of action. When deciding how best to manage risks, it is useful to ask the following
questions:
- how to prevent it from happening - either by putting some controls/counter-measures in place or putting the project or activity in a position where it would have no impact
- how to reduce the risk - what action is needed to reduce the probability of the risk happening
- how to maximise opportunities
- what to do if the risk does occur - outline some contingent activities
- what are the implications of accepting the risk - ensuring that all the stakeholders are aware of the possible consequences.
44. There are several response options that can be taken to address the risks that have
been identified. These are set out in the following table. The final two seek to maximise
opportunities.
| Response options to risks and opportunities | Description |
|---|---|
| Terminate or avoid | An informed decision not to be involved in, or to withdraw from, an activity, in order not to be exposed to a particular risk. Used if risks are not acceptable or outweigh the benefits. |
| Treat - reduce or mitigate | Take action to reduce the likelihood of a risk, or its impact if it does arise. |
| Transfer or share | This option aims to pass at least part of the risk to a third party. Insurance is the classic form of transfer, where the insurer picks up the cost if the risk materialises, but the insured retains the impact on other objectives. Contracting or working in partnership are other means. |
| Tolerate | Tolerated risks are risks that the organisation lives with and keeps under review. The risks have been managed as far as is considered to be reasonably practicable and have adequate control mechanisms in place. |
| Accept | Here the organisation “takes the chance” that the risk will occur, with its full impact if it did. There is no change to residual risk, or no actions, with this option, but neither are any costs incurred now to manage the risk, or to prepare to manage the risk in future. |
| Enhance | The opportunity equivalent of mitigating a risk. Enhancing an opportunity seeks to increase the likelihood of it occurring and/or the impact of the opportunity in order to maximize the benefits. |
| Exploit | The opportunity equivalent of avoiding a risk. Exploiting an opportunity seeks to make the opportunity definitely happen (i.e. increase likelihood to 100%). Aggressive measures are taken which seek to ensure that the benefits from this opportunity are realised. |
45. The risk owner will be responsible for:
- managing the risk and ensuring that any agreed controls and/or actions to manage the risk are planned and carried out
- evaluating the effectiveness of the controls in place, any subsequent actions required and considering whether further action is needed
- updating the Risk Register and informing SMT or HTAMG about any changes made to reflect changes in circumstances.
46. The risk owner is also responsible for periodic action to obtain the assurances
specified and to report on their effectiveness.
Stage 5 - Monitoring
47. The Risk Registers should be monitored regularly to be able to close risks down
when their likelihood has passed or to add new risks in the light of new
information. Additionally, levels of inherent and residual risk should be assessed and
controls added or amended as appropriate, separated between those planned and
those implemented.
48. The Risk Registers serve as an essential tool for monitoring and reporting on the
actions selected to address risks. Some of the actions may have only been to monitor
the identified risk for signs of a change in its status. Monitoring risks will also consist of:
- checking that execution of the planned actions is having the desired effect
- watching for the early warning signs that a risk is developing
- modelling trends, predicting potential risks or opportunities
- checking that the overall management of risk is being applied effectively.
49. It should be noted that as risk management is an on-going and iterative process, the
status of existing risks will change and new risks will arise. This means it will be
necessary from time to time to return to any one of the five stages of the process as
outlined above in relation to a particular risk.
Sources of assurance
50. The strategic risk register provides for controls to be categorised into lines of defence
and whether they are preventative or detective. In this way, the balance of controls can
be identified in order to determine how appropriate and effective controls might be.
51. The three lines of defence are:
1 – embedded in the business operation, such as policies or management checks
2 – corporate oversight, such as review by the Authority
3 – independent of the HTA, such as internal or external audit reviews, or assurance
gained by the Department of Health
52. Assurance that controls are operating effectively may be gained from:
- Internal audit reports
- External audit reports
- Feedback from the Department of Health
- Other feedback following review (e.g. external or peer)
- HTA documents (e.g. minutes, SMT or Authority papers reporting performance)
- Reports from Directors and staff, orally or in writing
- Checklists.
53. The key sources of assurance used to monitor the effectiveness of controls to manage
specific risks are set out in the HTA’s risk registers.
54. The strategic risk register includes the assured position - when assurance that the
control is working properly was last obtained and in what form. Gaps are identified in
red text for further action.
Alignment of risks with organisational objectives
55. All risks should be mapped or aligned with the organisational objectives contained in
the HTA Strategy and Business Plan. The linkage between objectives and risks should
be documented on the risk registers and in the strategic and business plans of the
organisation.
56. Failure to align strategic objectives with strategic risks, and business objectives with
business (operational/project) risks will result in a reduced likelihood that all risks
relating to organisational objectives have been identified and are subject to appropriate
mitigation.
57. Management should also review the relationship between strategic and business
objectives and strategic, operational and project based risks to ensure that all risks
relevant to the objectives have been identified and that all risks currently monitored are
genuinely risks.
Audit and Risk Assurance Committee Paper
Date 8 February 2017 Paper reference AUD 166-16 (Annex D)
Agenda item 8 Author Richard Sydee
Department of Health Risk Interdependencies
Background
1. In June 2016 a Department of Health Internal Audit report outlined a number of
significant weaknesses in the reporting and understanding of risk
interdependency between the Department and its Arms Length Bodies (ALBs).
2. The full report has been attached for information; for convenience, an extract
outlining the main findings and recommendations is provided below.
Review conclusion
2.1 The overall rating for the report is LIMITED – there are significant weaknesses
in the framework of ‘risk interdependencies’ governance, risk management and
control such that it could be or could become inadequate and ineffective.
2.2 We found that the risk management framework in place across the DH and
ALBs to facilitate reporting and escalation of risk interdependencies is inadequate;
and roles and responsibilities are not clearly understood or communicated………
2.4 Our conclusion is based on evidence from our fieldwork which found (in relation
to risk interdependencies):
DH is not considered to play an active role in facilitating identification and
management of risk interdependencies (finding 1);
Sponsor Teams play an inconsistent role in risk management (finding 2);
Neither the DH Risk Management Policy nor individual ALB risk policies
adequately cover risk interdependencies (finding 3);
The DH Strategic Risk Register does not include interdependencies and is
not shared with ALBs (finding 4);
ALBs work in silos and/or focus on bilateral relationships that arise on an
ad hoc basis (finding 5); and
There is a difference between assumed and actual activities at different
levels of the governance structure within each ALB (finding 6)……
3.4 Section 2 of this report includes specific and detailed recommendations against
observations. However, the recommendations below are a useful summary
encapsulating common themes:
Confirm the role of the Department and Sponsor Teams in the
identification and management of risk interdependencies amongst
ALBs
Confirm the role and responsibilities of the ALBs in managing risk
interdependencies
Strengthen risk management policy (at the DH and ALB levels) to
include specific guidance on interdependencies
Facilitate regular meetings between counterparts of ALB sponsor
teams, risk management individuals, and Audit Chairs, to discuss
ALB objectives, plans and risks
Make modifications to risk registers in place to encourage the
identification of interdependencies and to ensure actions are
assigned.
HTA assessment of key risk interdependencies
3. HTA regulation has its own distinct statutory basis and is, to a significant
extent, ring-fenced from much of the wider system. As a result, relatively few of
the strategic risks managed by the HTA are risks to the wider health and care
system.
4. Having said this, in preparation for its attendance at the DH Audit and Risk
Committee, SMT did make an assessment of where it saw the key risk
interdependencies with the wider health system. It is important to note that the
risks identified as part of this assessment are already identified as strategic or
operational risks and do not, therefore, have a separate risk management
procedure.
5. The most significant risk to the HTA from the wider system remains the fact that
licence fees are funded in large part from public sector bodies, with NHSBT
being the single largest fee payer. Financial pressures on the NHS may result
in delays, or potentially defaults, in fee payment. This risk is managed as part
of strategic risk five.
6. The HTA also shares responsibility with DH for some system-wide risk (to
public confidence – if ineffectively managed) as a result of a number of issues
outside of our direct remit, but where we are considered the most appropriate
organisation to act. Examples include leading on and issuing guidance for
professionals on the disposal of pregnancy remains, working to agree an
approach to human tissue held by the police following investigations and the
emerging issues of cryonics and taphonomy.
7. The HTA also identifies risks that need to be brought to wider attention, or
managed elsewhere in the DH system. For example, we were able to identify
system-wide concerns about mortuary capacity during the winter months, or at
the time of a major incident, and now play an active role in information
gathering to support central planning. These risks are managed as part of
strategic risk three.
8. The HTA does mitigate some system-wide risk by regulating the use of human
tissue, especially for human application. Ensuring that tissue and organs for human
application and transplantation are of a specified quality, and that processes are
in place to ensure the safety of patients, makes us part of the value chain
across the NHS seeking to achieve high quality outcomes for patients.
9. The reporting processes in place for serious adverse events and reactions in
the human application and transplantation sectors allow us to ensure early
notification is provided to clinicians and patients, minimising risk.
10. Finally, we have formal joint working arrangements in place with a number of
other regulators: MHRA; CQC; HRA and HFEA, to ensure that, where
information is obtained by one regulator that may be relevant to the remit of
another, this is shared.
Actions Required
11. Members are invited to:
note the findings of the DH report, and
consider any actions that may be required by ARAC in order to support
the recommendations.
Appendix A
Audit and Risk Assurance Committee Paper
Date 27 January 2016 Paper reference AUD 167-16
Agenda item 10 Author Morounke Akingbola
Reserves policy and update on policies and procedures review
Purpose of paper
1. The purpose of this paper is to give the Committee an overview of the finance
policies that SMT approve and to present the reviewed Reserves policy for
ARAC approval.
Action
2. The Committee is asked to:
approve the Reserves policy (Annex A)
note the reviews of other policies (Annex B)
Decision making process to date
3. SMT has agreed the Reserves policy, and approved the approach set out in
Annex B.
Background
4. All policies and procedures in the HTA should be reviewed periodically, at least
annually and sometimes more frequently. As a result, there is a culture of
ongoing review and a commitment to continuous improvement.
5. There is also good version control in existence, which enables anyone to track
any changes made.
Reserves Policy
6. The reserves policy has been reviewed by the Director of Resources and the
Head of Finance. No changes to minimum cash reserve levels are proposed.
The level of minimum cash reserves remains at £1.8m to reflect cashflow and
emergency needs.
7. Cash reserves at the start of 2016/17 were £2.7m, with total reserves standing
at £3.4m.
Other finance policies and procedures
8. Annex B sets out the full range of finance policy and procedure documents
approved by ARAC and SMT, together with their present status.
Annex A – Reserves policy
Annex B – Overview of policies and procedures
AUD167-16 ANNEX A
Reserves Policy
Version number 15.0
Date last approved February 2017
Reference HTA-POL-049
Next review due February 2018
Author(s) Head of Finance
Owner Director of Resources
Reviewed by HTA SMT
Distribution HTA SMT & Authority
Approved by Audit and Risk Assurance Committee
Purpose
1. The purpose of this policy is to ensure that both the Executive and Authority of the HTA
are aware of the minimum level at which reserves need to be maintained and the
reasons for doing so.
Principle
2. An organisation should maintain enough cash reserves to continue business operations
on a day-to-day basis and in the event of unforeseen difficulty. It is best practice to
implement a reserves policy in order to guide key decision-makers.
Reserves Policy
3. The HTA has a reserves policy as this demonstrates:
a) transparency and accountability to licence fee payers and the Department of Health;
b) good financial management;
c) justification of the amount it has decided to keep as minimum reserves.
4. The following factors have been taken into account in setting this reserves policy:
a) risks associated with its two main income streams, licence fees and Grant-in-aid,
differing during the year from the levels budgeted;
b) likely variations in regulatory and other activity both in the short term and in the
future;
c) the HTA’s known and likely commitments.
5. The policy requires reserves to be maintained at a level that ensures the HTA’s core
operational activities continue on a day-to-day basis and, in a period of unforeseen
difficulty, for a suitable period (refer to para 10 and 11).
Reserves Policy HTA-POL-049
Version 15.0, last reviewed February 2015
Cashflow
6. To enable sufficient cover for day-to-day operations, a cash flow forecast is prepared at
the start of the financial year which takes into account the timing of when receipts are
expected and payments are to be made. Cash reserves are needed to ensure sufficient
working capital is available throughout the year.
7. Normally the HTA experiences negative cashflow (more payments than receipts) in the
months July to August and again from November to April, due to the need to meet costs
before licence fees are received. On review of the 2016/17 cashflow, we have noticed a
slight change in that we are more efficient at collecting our debts, which has increased
the number of months where we are in negative cashflow. This does not significantly
change our level of reserves. Our cash balances are at their lowest in April and
therefore our reserves should be maintained such that there is always a positive
cash balance.
8. The HTA is also mindful of the financial risks it faces, in particular that we may be
required to undertake additional activities not planned or make additional spend not
costed within budget. While every effort would be made to cover costs within the budget
allocated for the year, it may be necessary to use reserves to meet the cashflow needs
arising from additional necessary spend.
9. Funds of £1.2m are needed to provide for adequate cashflow.
Unforeseen difficulty
10. The level of reserves required for unforeseen difficulty is based on two elements:
salaries (including employer on-costs) and the cost of accommodation. These are
deemed to be fixed costs that would have to be paid in times of unforeseen difficulty with
all other of the HTA’s running costs being regarded as semi-variable or variable costs
and thus excluded from this calculation. These two areas currently represent 75% of the
HTA’s total annual budget.
11. The certainty and robustness of HTA’s key income streams and the predictability of fixed
costs, as well as the relationship with its sponsor, DH, indicate that 2 months’ salary and
accommodation costs is a prudent, but sufficient, minimum level of reserves to hold.
12. Based on the HTA’s current revenue budget, the combined monthly cost of salaries and
accommodation is around £300k. A reserve of two months would therefore be £600k.
Minimum reserves
13. The HTA’s minimum level of reserves for 2017/18 will be maintained at a level that
provides £600k for unforeseen difficulty and meets cashflow needs of £1.2m. The minimum
cash reserves required for 2017/18 is £1.8m. These reserves will be in a readily
realisable form at all times.
Commented [MA1]: Not proposing to increase this despite the slight shift in 2016/17
Commented [MA2]: This is based on 2017/18 staff budget but does not take into account potential rent increase
14. Each quarter the level of reserves will be reviewed by SMT as part of the HTA’s
ongoing monitoring of its cash flow.
15. Each autumn as part of the HTA’s business planning and budget setting process, the
required level of reserves for the following financial year will be reassessed.
16. In any assessment or reassessment of its reserves policy the following will be borne in
mind:
a) the level, reliability and source of future income streams;
b) forecasts of future, planned expenditure;
c) any change in future circumstances - needs, opportunities, contingencies, and risks –
which are unlikely to be met out of operational income;
d) an identification of the likelihood of such changes in these circumstances and the risk
that the HTA would not be able to meet them.
17. The HTA will include in its annual report and accounts a short statement about the level
of reserves held and the reasons for holding these.
18. HTA’s reserves policy will be reviewed annually by the Audit and Risk Assurance
Committee.
Revision history
19. Document each version or draft providing a simple audit trail to explain amendments.
Date Version Comments
30.07.09 0.3 Approved by the Authority
12.11.10 0.4 Approved by the Authority
31.01.12 0.5 Reviewed - minor change
31.12.12 0.6 Reviewed - minor change
07.02.13 0.6 Approved by Audit Committee
14.10.13 0.7 Amended
02.01.15 0.8 Amended
04.02.15 15.0 Approved by ARAC
22.01.16 15.1 Reviewed and amended
27.01.17 15.2 Reviewed and updated
(AUD 167-16) Annex B
| Policy/Procedure & document reference | Purpose of policy/procedure | Status |
|---|---|---|
| Procurement Policy, Doc Ref HTA/POL/027 | Policy covers the authorisation process for purchases of different values | Reviewed Jan-17 – no changes |
| Financial Policies and Procedures Manual, HTA/POL/028 | This is a compendium of key finance policies in one document. Links and cross-references to individual policies are made within this document. | Reviewed in Aug-16. Cosmetic changes |
| Budgetary Control Policy, HTA/POL/031 | Policy deals with the budget-setting process of the HTA and includes a draft timetable | Reviewed Jan-17 no changes |
| Expenses Policy, HTA/POL/032 | Policy covers reimbursement of Travel, Subsistence and other expenses | Reviewed Aug-16, hyperlinks amended (links to forms for staff). |
| Reserves Policy, HTA/POL/049 | Policy states the minimum level of cash reserves that the HTA should ideally keep as a contingency | Due for ARAC review Feb-17 meeting |
| Antifraud Policy, HTA/POL/050 | Policy covers definitions of fraud, responsibilities of HTA employees | Reviewed Jan-17 – no significant changes |
| Whistle-blowing Policy, HTA/POL/017 | Policy covers procedure to be followed if they have concerns about improper behaviour | Reviewed Jan-17 (late due to staff changes) – contacts updated – change to ARAC Chair and Staff Champion |
Audit and Risk Assurance Committee Paper
Date 30 January 2017 Paper reference AUD 168-16
Agenda item 12 Author Morounke Akingbola
Review of gifts and hospitality register
Purpose of paper
This paper details the review conducted of the HTA’s gifts and hospitality register.
Recommendations
Members are invited to:
Note the declared gifts and hospitality received by HTA staff
Agree the proposed minor changes to process
Gifts and Hospitality
3. HTA staff are aware that they have a responsibility to declare any gifts or
hospitality received. Our Expense Policy refers to this as does the Finance
Procedures manual.
4. The current process adopted for declaration requires that staff inform the Head
of Finance via email detailing from whom the gift/hospitality was offered or
received, the value if known and the date. This is to be done within 5 working
days of the offer.
5. Where gifts or offers of hospitality are above the de minimis limit (£25 or deemed
to be a working lunch), the Director of Resources should be informed and s/he
would consider whether the offer should be accepted and how any gift should be
retained or distributed.
6. From 2009 to the present day, there have been 15 items declared. Of the 15, almost
half were below the de minimis value.
7. Below is an analysis of gifts and hospitality from the above period.
| No. of | Provision/receipt of gifts or hospitality | Type (explanation) | Value £ |
|---|---|---|---|
| 2 | Provision | Lunch, teas, coffees for members of the public. This was provided as part of the Public Outreach Project | £196 (Sept 2011) £352 (Oct 2011) |
| 1 | Receipt | Cases of wine – provided by company who hosted our website. Provided as a thank you for work completed over Christmas | £171 |
| 1 | Receipt | Amazon voucher – participation in a survey | £100 |
| 3 | Receipt | Dinners attended by Directors; Internal Auditors, Law firm and Advocacy Group | Not specified |
| 1 | Receipt | Afternoon tea, Spa day and Hotel Chocolat | £3 Chocolates, Dinner and Spa day unknown value. |
| 7 | Receipt | Ranging from souvenir pens, ornamental chopsticks, wooden carvings of scenes of Singapore | Value unknown |
| 15 | Total | | |
8. In terms of adopting best practice we propose to make minor amendments to
HTA expenses policy to:
routinely remind staff of gifts and hospitality rules and ask them to ensure
that all offers, whether accepted or declined, are recorded
that any offers above the de minimis limit should be declined unless:
i. to do so would cause significant embarrassment or
ii. where acceptance of an offer of hospitality has clear reputational
or operational benefits to HTA
Audit and Risk Assurance Committee paper
Date 8 February 2017 Paper reference AUD 169-16
Agenda item 13 Author Richard Sydee
Caldicott Review 2016 - Review of Data Security, Consent and Opt-Outs
Background
1. The 2013 Information Governance Review, known as Caldicott, made a series
of recommendations which still hold good today. These included the need for
boards and leaders to actively ensure that their organisation is competent in
information governance practice, the inclusion of information governance as a
core part of training and continuous professional development, and
recommended actions to ensure the effective regulation of organisations’ use of
personal confidential data.
2. In January 2015, Dame Fiona Caldicott and her advisory panel published a
report examining the first year of implementation of the 2013 recommendations.
This report recommended that individuals must be able to opt out of data
sharing arrangements and be confident that their wishes are being respected
consistently across the system.
3. With respect to data security and consent, the 2016 Review builds on
these two reports and makes a further 20 recommendations which are
contained in Annex A to this paper. It is suggested that recommendations 3, 4,
6, 10 and 15 may have some relevance for HTA.
4. In addition Members will also wish to note the three leadership obligations on
page 22 of the report which provide a helpful summary of the data security
standards.
Recommendation
5. Members are asked to
note the content of the recommendations contained in Annex A and
consider whether any specific recommendations should be adopted
ahead of the HTA’s annual Information Governance Report in May
2017.
Agree the appointment of Nicholas Bare as Caldicott Guardian for
HTA
Report
6. It is a Cabinet Office (CO) requirement that boards receive assurance about
information risk management. The Senior Information Risk Officer (SIRO)
makes an annual report to the Accounting Officer and this is due in May 2017.
7. In previous years the SIRO has reviewed the NHS Information Governance
Toolkit (IGT), which is the main product from previous Caldicott reviews, and
concluded that the HMG Security Policy Framework (SPF) provides for the
most suitable assessment as HTA does not use the patient information in the
same way as the NHS institutions at which the IGT is aimed.
8. The HTA does store information on living organ donors and recipients as well
as some records from a small number of establishments who have revoked
their licence for traceability purposes. This does include patient information
and in 2014 we appointed Allan Marriot-Smith as Caldicott Guardian to help
protect that information. It is proposed that Nicholas Bare now take on this role.
9. As SIRO I share the view of my predecessor that the majority of these
recommendations are aimed at NHS bodies and as such to adopt the revised
IGT as our main tool for assessment would not be appropriate. However,
should the committee feel, upon review of these recommendations, that we
should adopt some specific recommendations, we will incorporate these into the
May 2017 review.
10. There is a good understanding of the need to protect data and motivation to do
so at the HTA, and although we have an excellent track record in this area we
should not be complacent. We will continue to review our approach to this
important area and ensure that we monitor how we record, protect data and
make the public aware of the data we hold.
Annex A – Recommendations from 2016 Caldicott review
Data security
Recommendation 1: The leadership of every organisation should demonstrate clear
ownership and responsibility for data security, just as it does for clinical and
financial management and accountability.
Recommendation 2: A redesigned IG Toolkit should embed the new standards,
identify exemplar organisations to enable peer support and cascade lessons
learned. Leaders should use the IG Toolkit to engage staff and build
professional capability, with support from national workforce organisations and
professional bodies.
Recommendation 3: Trusts and CCGs should use an appropriate tool to identify
vulnerabilities such as dormant accounts, default passwords and multiple logins
from the same account. These tools could also be used by the IT
companies that provide IT systems to GPs and social care providers.
Recommendation 4: All health and social care organisations should provide
evidence that they are taking action to improve cyber security, for example
through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should
be tested in a wider number of GP practices, Trusts and social care settings.
Recommendation 5: NHS England should change its standard financial contracts to
require organisations to take account of the data security standards. Local
government should also include this requirement in contracts with the
independent and voluntary sectors. Where a provider does not meet the
standards over a reasonable period of time, a contract should not be extended.
Recommendation 6: Arrangements for internal data security audit and external
validation should be reviewed and strengthened to a level similar to those
assuring financial integrity and accountability.
Recommendation 7: CQC should amend its inspection framework and inspection
approach for providers of registered health and care services to include
assurance that appropriate internal and external validation against the new
data security standards have been carried out, and make sure that inspectors
involved are appropriately trained. HSCIC should use the redesigned IG Toolkit
to inform CQC of ‘at risk’ organisations, and CQC should use this information to
prioritise action.
Recommendation 8: HSCIC should work with the primary care community to ensure
that the redesigned IG Toolkit provides sufficient support to help them to work
towards the standards. HSCIC should use the new toolkit to identify
organisations for additional support, and to enable peer support. HSCIC should
work with regulators to ensure that there is coherent oversight of data security
across the health and care system.
Recommendation 9: Where malicious or intentional data security breaches occur,
the Department of Health should put harsher sanctions in place and ensure the
actions to redress breaches proposed in the 2013 Review are implemented
effectively.
Consent/opt-out
Recommendation 10: The case for data sharing still needs to be made to the public,
and all health, social care, research and public organisations should share
responsibility for making that case.
Recommendation 11: There should be a new consent/ opt-out model to allow
people to opt out of their personal confidential data being used for purposes
beyond their direct care. This would apply unless there is a mandatory legal
requirement or an overriding public interest.
Recommendation 12: HSCIC should take advantage of changing its name to NHS
Digital to emphasise to the public that it is part of the NHS ‘family’, while
continuing to serve the social care and health system as a whole.
Recommendation 13: The Government should consider introducing stronger
sanctions to protect anonymised data. This should include criminal penalties for
deliberate and negligent re-identification of individuals.
Recommendation 14: The forthcoming Information Governance Alliance’s guidance
on disseminating health and social care data should explicitly refer to the
potential legal, financial, and reputational consequences of organisations failing
to have regard to the ICO’s Anonymisation Code of Practice by re-identifying
individuals.
Recommendation 15: People should continue to be able to give their explicit
consent, for example to be involved in research.
Recommendation 16: The Department of Health should look at clarifying the legal
framework so that health and social care organisations can access the
information they need to validate invoices, only using personal confidential data
when that is essential.
Recommendation 17: The Health Research Authority should provide the public with
an easily digestible explanation of the projects that use personal confidential
data and have been approved following advice from the Confidentiality
Advisory Group.
Recommendation 18: The Health and Social Care Information Centre (HSCIC)
should develop a tool to help people understand how sharing their data has
benefited other people. This tool should show when personal confidential data
collected by HSCIC has been used and for what purposes.
Next steps
Recommendation 19: The Department of Health should conduct a full and
comprehensive formal public consultation on the proposed standards and opt-
out model. Alongside this consultation, the opt-out questions should be fully
tested with the public and professionals.
Recommendation 20: There should be ongoing work under the National Information
Board looking at the outcomes proposed by this consultation, and how to build
greater public trust in data sharing for health and social care.