What keeps CCG Governing Bodies awake at night?...MIAA Insight CCG Assurance Framework Benchmarking P a g e | 3 3. Overall Risk Profile The overall risk profiles of the CCGs varied

What keeps CCG Governing

Bodies awake at night? (2016 Edition) Clinical Commissioning Group Assurance Framework

Benchmarking

MIAA Insight CCG Assurance Framework Benchmarking

P a g e | 1

The overall purpose of the insight is to enable individual CCGs to understand how key elements

of their Assurance Frameworks compare with others.

1. Context

Good governance lies at the heart of all successful organisations and can help protect them

from poor decisions and exposure to significant risks. An efficient and effective Assurance

Framework is a fundamental component of good governance, providing a tool for Governing

Bodies to identify and ensure that there is sufficient, continuous and reliable assurance on

organisational stewardship and the management of the major risks to organisational success.

Whilst traditionally the Assurance Framework focussed on risks, controls and assurances within

the organisation, there is an increasing need for a much wider focus across organisation

boundaries to reflect the environment within which Clinical Commissioning Groups are

operating.

The insights provided below are from a detailed review of 54 CCG Assurance Frameworks

(September 2016). Whilst it is recognised that there will be differences in CCG risk profiles, the

analysis sets out some interesting comparisons and offers the opportunity to question

inclusions, omissions and risk scores at a local level. In addition,

comparison is made to the previous annual MIAA

benchmarking exercises.

2. Top 10 Strategic Risks

In grouping all the risks within the assurance framework, there

was a clear ‘top 10’ in terms of the most frequent risk theme

areas. The top 10 themes accounted for almost 78% of all risks

documented within the assurance frameworks.

Of all the assurance frameworks

only two CCGs had risks across all of the ‘top 10’ themes.

twenty four (44%) covered at least seven of the ‘top 10’

risk themes, an increase from last year’s figure of 29%.

forty one (76%) covered at least five of the ‘top 10’ risk

themes. The majority of CCGs with risks in less than five

of the themes had Assurance Frameworks with a low

number of risks in total.

1. Corporate Systems and

Processes

2. Partnership Working

3. Reconfiguration and

Redesign of Services

4. Commissioning

5. Quality Assurance of

Providers

6. Financial Duties

7. Public and Patient

Engagement

8. Access to Services

9. Performance Targets

10. Primary Care

TOP 10 RISK THEMES


P a g e | 2

The top two themes of ‘Corporate Systems and Processes’ and ‘Partnership Working’ were clear

leaders and, between them, comprised 25% of the total number of risks.

The table below compares the ‘top 10’ risk themes for 2016 against the results for 2014 and

2015. It is evident that the ‘top 10’ themes are very consistent. In fact, from 2014, the only

change to the Top 10 is that ‘Primary Care’ replaces ‘CSU Support’ (perhaps reflecting the

changes in CSU service provision, the increased role of CCGs, challenges to primary care

capacity and the advent of the new Primary Care contract).

‘Reconfiguration and Redesign of Services’ is more prominent in 2016 reflecting developments

of New Models of Care, Vanguards and the Sustainability and Transformation Plans (STPs).

Closely linked with this, ‘Partnership Working’ continues to feature prominently.

The ‘QIPP’ risk theme was just outside the Top 10, showing much more prominence than in

previous years which is not unexpected given the financial challenges facing the NHS as a

whole.

Interestingly, the areas with the greatest number of high risk areas (as outlined at Section 4)

are relatively low in the ‘top 10’, these being ‘Financial Duties’, ‘Quality Assurance of Providers’

and ‘Performance Targets’.

Figure 1: Top Ten Risk Themes – 3 year comparison

Q: Does your Governing Body Assurance Framework consider the breadth of these themes?

2016 2015 2014


Processes



Providers

4. Financial Duties

5. Commissioning



Engagement




10.Primary Care


Processes


Providers



5. Financial Duties


7. Commissioning



9. CSU Support

10.Patient and Public

Engagement


Processes




4. Commissioning


Providers

6. Financial Duties


Engagement



10.Primary Care


P a g e | 3

3. Overall Risk Profile

The overall risk profiles of the CCGs varied significantly in terms of numbers and risk scores.

Figure 2 – CCG risk profiles as captured within their Assurance Frameworks

The overall proportions of high, moderate and low risks have remained reasonably consistent

with the previous year though high risks now comprise 25% of the total risks compared to 22%

in 2015.

Four CCGs had an assurance framework without any risk scores. Three Assurance Frameworks

had insignificant risks included on their assurance framework, and over half had low risks

recorded. The average number of risks was 16 (range 3-56).

The overall results should be considered in the light of the different ways in which CCGs

articulate their risks in their assurance frameworks. Some CCGs have a very small number of

risks which encompass a number of sub-risks where as others have a greater number of more

specific risks. This will influence both the risk profile results and the categorisation of risks (as

a single risk covering a range of issues can be categorised within a number of risk themes).

Q: Have you considered the overall risk profile within your organisation and is the number of

risks on the Governing Body Assurance Framework manageable in terms of scrutiny and

oversight?


P a g e | 4

4. High Risks

The highest risks (risk score 20-25) identified across the assurance framework covered a wide

range of areas and are combined and summarised below.

Table 1 – Highest risks within CCG Assurance Frameworks

Risk Current Risk

Score

CCG underlying financial position 25

Provider trust financial position 25

Better Care Fund 25

Clinical workforce capacity 20

QIPP savings 20

Achievement of financial surplus position 20

Emergency ambulance performance 20

Demand and capacity (non elective care) 20

Transformation programme and availability of transformation funding 20

Lack of mental health inpatient beds for children and young people 20

High mortality rates 20

Seasonal planning 20

Achievement A&E targets 20

Statutory duty to consult not adhered to 20

Lack of financial resources within local authorities 20

C Difficile target 20

Quality assurance arrangements for Continuing Health Care (CHC) 20

Of the highest risks (scored at 20 and 25), the greatest percentage (25%) were within the

‘Financial Duties’ risk theme, generally relating to the achievement of the financial position

against the backdrop of funding challenges, increased demand for services etc. The 2015

analysis also reflected financial risks as those with the largest percentage of high risks with

20%.

For 2016, QIPP also had 14% of the highest risks where as primary care, commissioning and

performance targets were less prevalent than in 2015 with access to services more prevalent

with 12% of the highest rated 2016 risks.


P a g e | 5

In terms of how the overall high risks (risk score 15-25) translated into the risk theme areas, it

can be seen that seven of the ‘top 10’ themes collectively accounted for the majority (74%) of

high risks. All of the ‘top 10’ themes had at least one high risk.

Figure 3 – Percentage of high risks within CCG Assurance Frameworks in relation to risk themes

The average number of high risks (risk score 15-25) in an assurance framework was 4 (the

range being between 0-14). This compares to an average number of 3 with a range of 1-10 in

our 2015 benchmarking exercise.

Q: Are there any high risks identified here that need to be considered by your organisation, either

in terms of omission within the Governing Body Assurance Framework or in the current risk

impact and likelihood scores?

Financial Duties

Quality Assurance of Providers

Access to services

Performance TargetsCorporate Services and

Policies

QIPP

Reconfiguration and Redesign

Commissioning

Primary Care

Partnership Working

Other

High Risks Scores (15-25) within the Risk Themes

Otherincludes:-Continuing Healthcare-Better Care Fund-Medicines Management-Safeguarding-Mortality-Public and Patient Engagement-CSU Support-Deprivation of LIberties


P a g e | 6

5. Risks Facing CCGs

There were a wide variety of risks within each of the ‘top 10’ risk themes and the section below

provides further narrative regarding each category and an overview of the risks identified

within the assurance frameworks.

Corporate Systems and Policies

Corporate systems and processes continued to be the top risk theme, retaining its position

from the 2014 and 2015 reviews. This in part reflects the plethora of areas that it covers

although the high risks tended to be more isolated issues for individual CCGs. Around 74% of

assurance frameworks included at least 1 risk within this theme. The range of risks covered

remained broadly similar to that in the previous year. Particularly prevalent in the medium

rated risks were issues around information governance and procurement. Risks around the

capacity of CCG staff were also common, particularly given the need to contribute to

transformation agendas and STPs in addition to business as usual processes. Lower rated risks

included compliance with statutory requirements (some AFs made reference to specific

legislation such as mental health law), equality duties and mandatory training.

Figure 4 – Corporate systems and policies risks within CCG Assurance Frameworks


P a g e | 7

Partnership Working

The effectiveness of joint working arrangements together with the supporting governance

structures continue to represent prominent risk areas particularly given the changing NHS

landscape and wider political landscape over the last year, for example the introduction of STPs

and the advent of devolution in several areas of the country.

70% of the assurance frameworks identified at least one strategic risk in this. High risks

identified were around joint strategic commissioning, partner engagement and devolution.

Development and delivery of STPs was represented, generally as a medium risk. The need to

formalise partnership arrangements was reflected in risks around having appropriate

governance structures and delegated authority.

Figure 5 – Partnership working risks within CCG Assurance Frameworks


P a g e | 8

Reconfiguration and Redesign of Services

Reconfiguration and redesign has become a much more prevalent risk for CCGs compared to

2015, moving from ninth in the top 10 up to third. This aligns with developments around

vanguards, devolution and STPs and links to other areas, including ‘Partnership Working’,

‘Patient and Public Involvement’ and ‘Commissioning’.

72% of the assurance frameworks identified at least one strategic risk in this area. High risks

related to funding of transformation, designing new models of care and ensuring redesigned

services are financially sustainable and of high quality.

Figure 6 – Reconfiguration and redesign risks within CCG Assurance Frameworks


P a g e | 9

Commissioning

Commissioning is a fundamental area of CCG strategic objectives and in addition to direct risks

this was also a secondary factor in other risk themes (e.g. partnership working, financial duties

and primary care services). 65% of the assurance frameworks identified at least one strategic

risk in this area. The highest risks continued to be around the financial stability within provider

organisations as was the case in 2015. Moderate risks reflect aspects of the commissioning

cycle around failure to identify population needs, targeting resourcing towards need and

effectively measuring outcomes as well as more specific aspects such as co-commissioning

and specialised commissioning.

Figure 7 – Commissioning risks within CCG Assurance Frameworks


P a g e | 10

Quality Assurance of Providers

The quality assurance of providers is a key role delivered by CCGs and the breadth and

complexity of this role was identified across the assurance frameworks reviewed. 69% of the

assurance frameworks identified at least one strategic risk in this area. High risks were generally

around provider failure and the provision of poor quality services. Quality of domiciliary care

was also noted as a specific high risk. Other risks were themed around quality in specific care

settings such as nursing homes, community services and primary care or locally identified risks

around quality such as infection control, pressure ulcers and handovers and other risks relating

to specific issues at local providers such as poor maternity or cardiac care. Inadequate

mechanisms for identifying potential quality issues were also noted as a risk.

Figure 8 – Quality assurance of providers risks within CCG Assurance Frameworks


P a g e | 11

Financial Duties

70% of assurance frameworks included a risk within this theme. As was the case in 2015,

financial risks were also the most prevalent high risks (scoring 20 and 25). The CCG’s financial

position and achievement of financial balance was specifically referenced and this is reflective

of the increasingly challenging economic climate and NHS funding position. Financial aspects

were also noted in some of the other risks themes such as ‘Reconfiguration and Redesign of

Services’.

Interestingly, we included Cost Improvement Programmes as a separate risk theme and, for

2016, this climbed to 11, just outside of the top 10 and was noticeably more prevalent as a

specific risk area than was the case in 2015.

Figure 9 – Financial duties risks within CCG Assurance Frameworks


P a g e | 12

Patient and Public Engagement

Public and patient engagement is fundamental to the ethos of the way in which CCGs are

expected to operate. 57% of the assurance frameworks identified at least one strategic risk in

this area. There were a limited number of high risks with the highest score being around the

statutory duty to consult which is becoming increasingly important as transformation

programmes take shape aiming to change the way that services are delivered.

Moderate risks were around listening to and understanding the public (including hard to reach

groups), poor communication of initiatives and reaction and opposition to change. Practical

elements such as engagement and communications capacity within the CCG and the ability to

deal with the media were also present.

Figure 10 – Patient and public engagement risks within CCG Assurance Frameworks


P a g e | 13

Access to Services

54% of the assurance frameworks identified at least one strategic risk in this area. Non

elective/urgent and emergency care featured in the high risks both in relation to seasonal

spikes in demand and the financial implications of activity delivered above planned levels.

Capacity of mental health services also featured prominently (as it did in the 2015 risk analysis),

including perinatal mental health.

There were a number of instances where CCGs identified local risks for specific services and

these were included as moderate or high risks. System wide capacity issues were also

highlighted as risks reflecting the challenges of ensuring sufficient primary care and

community services capacity to be able to shift activity from secondary care services.

Figure 11 – Access to services risks within CCG Assurance Frameworks


P a g e | 14

Performance Targets

Performance targets remain a challenge for provider organisations and this was reflected in a

number of CCG assurance frameworks. 52% of the assurance frameworks identified at least

one strategic risk in this area, compared to 49% last year. The highest risks related to the A&E

waiting times, ambulance response times, stroke and cancer targets.

Other moderate risks were related to mental health performance (access to psychological

therapy and out of area treatments as well as other aspects of the patient journey), referral to

treatment, diagnostics and discharge.

Figure 12 – Performance targets risks within CCG Assurance Frameworks


P a g e | 15

Primary Care Services

37% of assurance frameworks reflected a risk within this theme. The highest risks were

identified around the recruitment of GPs and nurses (and consequent effect on primary care

capacity), a well recognised national issue. In addition the transformation and long term

sustainability of primary care, and primary care support services were also included as high

risks. Moderate risks included quality issues (e.g. CQC ratings) and operational issues such as

aggressive patients and GP IT budgets.

Risks in relation to the failure to manage conflicts of interest within primary care/ co-

commissioning were also featured in a small number of CCG assurance frameworks (these were

categorised under a separate ‘conflict of interest’ theme).

Figure 13 – Primary care risks within CCG Assurance Frameworks

Q: Do you recognise the types of risk identified within each of the risk themes and are these

applicable to your organisation?


P a g e | 16

6. Risk Appetite and Target Risk Scores

46% (25/54) Assurance Frameworks included reference to risk appetite or target risk score.

This compares to 31% last year which may indicate that organisations are evolving their

approach to risk appetite. This reflects a developing focus on reduction and mitigation of risks,

alongside the acceptance that there are inherent risks that will remain and need to be a

continued focus for the Governing Body. The table below summarises the number of current

risk scores and target risk scores at each level.

Table 2 – Current and target risk scores

Risk Current Risk Score

(No.)

Target Risk Score

(No).

High (15-25) 119 7

Moderate (8-12) 185 184

Low (4-6) 49 128

Insignificant (1-3)

Not scored

0

0

26

7

TOTAL 352 352

As would be expected, there is a clear focus to high risks. However there remains a relatively

high risk appetite, with CCGs recognising that a significant number of risks would remain within

the moderate risk rating.

Figure 14 shows the current risk profiles for each CCG and Figure 15 shows the target risk

profiles.


P a g e | 17

Figure 14 – Current risk profiles within CCG Assurance Frameworks

Figure 15 –Target risk profiles within CCG Assurance Frameworks

Q: Have you considered risk appetite and identified target risk levels within your organisation?

0

5

10

15

20

25

30

35

CCG Current Risk Profiles NotScored

Insignificant (1-3)

Low (4-6)

Moderate(8-12)

High risks(15-25)

0

5

10

15

20

25

30

35

CCG Target Risk ScoresNot Scored

Insignificant(1-3)

Low (4-6)

Moderate(8-12)

High risks(15-25)


P a g e | 18

7. Other Observations

There were some general observations from the detailed review and analysis which are

provided below, and cover common areas and divergence in terms of the structure and content

of the assurance frameworks.

Structure A number of the assurance frameworks had a narrative covering paper or

dashboard, with the best of these showing movement of risk and a quick

glance summary of the risk profile.

The majority of assurance frameworks were structured with objectives, risks,

controls, impact/ consequence and likelihood scores, assurances and

gaps/actions.

Risk owners or lead officers were also identified against each risk in most

cases.

Most assurance frameworks included risk scoring using a 5x5 matrix. Some

had the basic impact/ consequence x likelihood whilst others included

initial, current and target scores. 4 assurance frameworks did not score any

of the risks, compared to 2 in the 2015 benchmarking exercise.

Objectives Some assurance frameworks used the objectives as headings with risks

identified under each and others cross referenced the risks to

objective(s). Where risks were listed underneath objectives there was

greater clarity, yet where the risks were cross referenced it was clear there

was more flexibility (especially where one risk impacted more than one

objective).

The average number of objectives was 5 (range of 3-10). This is broadly

similar to the 2015 where there was an average of 5 objectives with a range

of 3-9.

Risks The average number of risks was 16 (range of 3-56). The comparable 2015

figures were an average of 13 and a range of 1-26. Some organisations had

a joint assurance framework and risk register with a significantly higher

number of risks. Omitting the frameworks with over 40 risks brings the

average number of risks down to 14 which is similar to the 2015 average.

6% of risks were not scored. There were a combination of assurance

frameworks where the format did not include risk scoring and a much

smaller number that looked like recent additions to the assurance

framework, probably awaiting formal review.

Some assurance frameworks used an overarching risk where others

provided separate risks (e.g. for each provider organisation).

Whilst approaches to describe risks and how detailed these were, overall

the risk descriptions were clear.


P a g e | 19

Controls The descriptions and details of the controls varied significantly. It wasn’t

clear whether the controls listed really mitigated the risk described or

whether every operational control in an area was listed without evaluation.

Controls included ‘Governing Body Committee’ and ‘engagement’ but

without further descriptors it wasn’t clear if these were actual controls (or

assurances) and how they would be evidenced.

Assurances Identification and recording of assurances was the area for greatest

development, with some assurance frameworks showing risks without the

assurances listed and others where the assurances were similar to the

controls.

Assurances identified were not always focussed at Governing Body Level

(i.e. operational assurances without the clarity of route to the Governing

Body).

Assurance descriptions were not always clear to evidence based assurance

suggesting reassurance rather than hard evidence.

Some assurance frameworks specified whether the assurance was from an

internal or external (and therefore independent) source.

Gaps/ Actions Some assurance frameworks regularly listed gaps/ actions and others had

very few identified.

Within the structure of the assurance framework it was not always clear how

progress against actions would be shown and challenged. The best

example described the action, assigned a responsible officer with a

timeframe and provided a progress update.

Q: Does your Governing Body Assurance Framework need further development and is there an

agreed plan to take this forward?


The Insight provides information to support CCGs

in understanding how key elements of their

Assurance Framework compare with others. It is

intended to prompt and inform discussions on this important

aspect of CCG governance.

1. Does your Governing Body Assurance Framework consider the

breadth of the risk themes?

2. Have you considered the overall risk profile within your

organisation and is the number of risks on the Assurance

Framework manageable in terms of Governing Body scrutiny

and oversight?

3. Are there any high risks identified that need to be considered by

your organisation, ether in terms of omission within the

Governing Body Assurance Framework or in the current risk

impact and likelihood scores?

4. Do you recognise the types of risk identified within each of the

risk themes and are these applicable to your organisation?

5. Have you considered risk appetite and identified target risk

levels within your organisation?

6. Does your Governing Body Assurance Framework need further

development and is there an agreed plan to take this forward?

We would be keen to hear your views on the issues raised and your

ideas on how further benchmarking in this or other areas would be

of benefit.

For more information or to request a benchmarking topic

please speak to your Senior Audit Manager or contact:

Louise Cobain, Assistant Director

r&[email protected]

mailto:r&[email protected]

Documents

What keeps CCG Governing Bodies awake at night?...MIAA Insight CCG Assurance Framework Benchmarking P a g e | 3 3. Overall Risk Profile The overall risk profiles of the CCGs varied