Trust Assurance Framework Reviews (Structure, Engagement and Alignment 2017/18)
The overall purpose of the insight is to summarise the results of the 2017/18 Assurance Framework reviews, highlight good practice examples and key areas for enhancement.

1. Context

All government bodies, including the NHS, are required to have processes in place to provide a full annual governance statement (AGS) each year. The Assurance Framework is a key piece of evidence to support the Board in reaching their conclusions on the effectiveness of their internal control systems. The regulatory frameworks for NHS organisations have also increasingly re-emphasised the importance of organisations determining and managing the nature and extent of their strategic risks.

Whilst the principles of assurance frameworks have been in place for a number of years, there has been a continued focus on ensuring the embeddedness of these processes and the extent to which they are used by the Board. The context of assurance rather than reassurance is one that has been played out in a number of organisations, and more than ever, there is a need to demonstrate that the Assurance Framework is at the heart of Board reporting, supporting the Board in ensuring the required assurances are sought and received.

This paper summarises the results from the detailed individual reviews of the Assurance Frameworks across the trusts (acute, foundation, mental health and ambulance) in MIAA's client base which were undertaken in support of the 2017/18 Director of Audit Opinions. The review assessed distinct areas:
- The structure of the Assurance Framework;
- Board engagement in the review and use of the Assurance Framework;
- The quality of the content of the Assurance Framework and whether it demonstrates clear connectivity with the Board agenda and external environment.
Each of the criteria above was tested for each Trust and the results were RAG rated as follows:

KEY:
GREEN Fully meets
AMBER Partially meets
RED Does not meet

We also compared the results to our 2016/17 benchmarking exercise in this area to show the differences in the number of Trusts which are now fully compliant with each criterion. Our review of the 2016/17 Assurance Frameworks had found all to be at least partially compliant with each criterion.

2. Summary of Good Practice

From our review of the Assurance Frameworks across the client base, the best examples demonstrated the following:
- Each risk has been linked to one or more of the strategic objectives of the organisation and to any associated corporate risk register risks. Each risk would assign a lead director and any responsible committee who are charged with reducing gaps in control and receiving assurance.
- Increasingly, organisations are using dashboards and graphs to provide an overview of the Assurance Framework risks, including movement in the risk profile (new risks, and increasing/decreasing scores).
- The controls and assurances that are in place to mitigate the risks are listed and a distinction is made between internal and external sources of assurance.
- Some organisations have a wider focus across organisation boundaries with an increase in external risks to reflect the environment within which organisations are operating.
- Positive assurances that are gained are included within the Assurance Framework and signposted back to the report that provided the assurance and the date when it was reviewed by a committee of the board.
- There is a clear section dedicated to listing any identified gaps in control and assurance that are used to drive the action plan.
- An action plan is included against each risk in the Assurance Framework and includes timescales for completion, and a responsible officer is assigned to highlight who is accountable for the implementation of an action. Some organisations have developed their Assurance Framework to track the delivery of actions and reflect this in the AF update.
- The Assurance Framework is regularly presented to the Board (at least quarterly).
- The Board minutes demonstrate regular discussion and update of the Assurance Framework.
- Discussion and update of the Assurance Framework is embedded into the work programme of the Board committees, with an increasing expectation that other committees ensure oversight of risks within their terms of reference. - There is a clear link between Board agenda items and the Assurance Framework (this can be made through more explicit reference to the Assurance Framework and clear identification of the Assurance Framework risks on agenda item cover sheets).

3. Review Results

The following provides an overview of the findings from the detailed assessments.

3.1 Structure:

Testing Criteria    Red    Amber    Green
The structure of the Assurance Framework meets the NHS requirements in respect of defining objectives, risks, controls, assurances and gaps    1 2 97
The objectives within the Assurance Framework align with those in the strategic plan.    7 21 26 79
The format of the Assurance Framework provides an action plan/place to address the gaps    2 6 1 94

Almost all Assurance Framework formats (97) included the NHS requirements of defining the objectives, risks to achieving objectives, controls in place and gaps in control, and assurances. Our 2016/17 benchmarking exercise found 1 to be fully compliant with NHS requirements in respect of structure, demonstrating a small drop during the year.

Most Trusts included risk scoring and the AF included current risks, target risks and initial risk. Those containing the least detail in this respect indicated the initial risk score and the residual risk score, with regard to the current controls in place. However, there were instances of Assurance Frameworks including details of the risk score/categorisation (high/moderate/low) in previous periods (usually quarters) and/or a visual representation of the direction of travel, e.g. arrows or lines indicating increase, decrease or unchanged risk rating.

There was a decrease in the number of Trusts who linked the risks on their assurance frameworks to their strategic objectives (87 in 2016/17 to 79 in 2017/18).

94 of Assurance Frameworks provided an action plan; this compares to 9 against 2016/17 benchmarking. In a number of Trusts, the organisation's Assurance Framework included reference to the movement of risks/risk profile and the organisation's progress against actions.

Good practice evidenced in a number of Trusts shows that target risk scores had been set and included in the Assurance Frameworks, but fewer included the proposed date for achievement of this target score.

There was a large variation in the level of detail contained within Assurance Frameworks. The most detailed assurances referenced specific reports demonstrating where actual assurances had been provided, although in some documents the assurances were more general, e.g. listing the committees which should provide assurance.

Frameworks set out with one risk per page rather than in a tabular format enabled more detailed recording within the Assurance Framework document, including a list of actions in respect of the risk, ownership, timescales, status and updates on progress against each action. Others, whilst identifying actions, were in some cases limited to this, with omissions including timescales, ownership of the action (although risk owners were documented) and updates on progress against actions.

Some Trusts had included a summary within the Assurance Framework, particularly where the format was set out to show one objective or risk per page, rather than a shorter document with all risks included in a table. Examples of these summaries were heat maps, indicating where risks sit on the risk matrix, or summary sheets. For example, one summary listed the key risk against each objective, the initial and current risk score and key changes since the last update.

3.2 Engagement:

Testing Criteria    Red    Amber    Green
The Assurance Framework is regularly presented to the Board.    1
The minutes of the Board clearly demonstrate discussion, review and update of the Assurance Framework    9 91
The minutes of Board Committees clearly demonstrate consideration of the Assurance Framework and associated risks    6 27 2 8

The number of Trusts regularly presenting the Assurance Framework to the Board was 1 (2016/17: 97).

There was variation in the manner in which the Assurance Framework was presented and discussed at Trust Boards. In order to test this we reviewed Board and committee minutes for evidence that the organisation demonstrates the use of the Assurance Framework as one of its tools in achieving its strategic objectives.

The majority, 91 (an improvement from the 74 benchmark position in 2016/17), of Trusts were rated as Green. Trusts were rated as Amber typically because either:
o The Board minutes demonstrated that there could be greater visibility of the use of the Assurance Framework by the Board. For example, the Assurance Framework is to be presented bi-monthly to the Trust Board; as the Trust Board meets bi-monthly this should be a standing item, but it was not presented at the required meeting.
o Whilst the Assurance Framework presented is detailed in its content, the minutes did not reflect a full discussion, with limited challenge on risk status and risk mitigation activities or assurances received.

With regard to the evidence that the Board minutes clearly demonstrate consideration of the Assurance Framework and associated risks, 27 (8) Trusts demonstrate good practice and have clear oversight of the risks within their terms of reference. Sub-committees provide assurances to the Board with regard to the risks within the Assurance Framework and therefore reporting and minutes should clearly reflect discussions surrounding these.

We noted that in some cases the sub-committee minutes presented to the Board demonstrated discussions surrounding the Assurance Framework risk topics but the minutes did not link these discussions to the Assurance Framework, which could indicate limited use of the Assurance Framework document at committee level. Where the Board does not receive full sub-committee minutes from all committees there is a need to demonstrate discussion of the Assurance Framework at committee level. This is particularly relevant where there is reporting by exception or highlight reports which do not include detail of the full discussion surrounding the risks.

We recommended that Trusts consider developments in this area, including ensuring that minutes of the Board are more detailed in respect of the discussion around the Assurance Framework and clearly reflect the links to the Assurance Framework, and that the reporting format from sub-committees into the Board is appropriate to provide the assurances expected and is clear to assist the Board in identifying the relevant information.
Trusts should also ensure greater visibility of the Assurance Framework at committee level to ensure collective ownership of the document.

3.3 Quality and Alignment:

Testing Criteria    Red    Amber    Green
The risks within the Assurance Framework are visible on the Board agenda.    1
The risks identified within the Board minutes are reflected in the Assurance Framework.    1
Board assurances are clearly identified within the Assurance Framework.    1 1 9 19 58
Controls are clearly defined within the Assurance Framework.    1 2 97
Gaps are clearly identified within the Assurance Framework and actions detailed.    1 2 6 91

There was a high level of compliance with these criteria, demonstrating that for many Trusts the Board agenda is focused upon the key strategic risks of the organisation and the Assurance Framework is maintained and updated to ensure that it reflects the strategic risks identified by the Board.

In particular, the visibility of the risks within the Board agenda has improved since 2016/17, when 97 of Trusts fully met the criteria compared to 1 for 2017/18. For 2017/18, 1 of Trusts adequately evidenced that the Board agenda is driven by the full Assurance Framework, to facilitate discussion on all key risks of the organisation.

For 2017/18, 58 of Trusts evidenced clearly identified assurance within the Assurance Framework, with clearly defined controls in place as part of the organisation's Assurance Framework for 97 of Trusts. For 91 of Trusts, gaps are clearly defined as part of the Assurance Framework action plan (or equivalent).

Best practice considerations also included greater clarity within papers and documents of the link to the Assurance Framework risks, and executive leads ensuring that they highlight key discussions within the meetings, and the risks which are being addressed, and that this connection is recorded in the minutes.

4. Risks

The table below shows the top 10 risk themes identified from a wider benchmarking exercise undertaken by MIAA in 2017. A similar review was undertaken in 2016 which provides a comparison of the changes in the prominence of risk themes.

Top 10 Trust AF Risk Themes 2017
1. Financial Duties, Continuity of Services & CIP
2. Staff Capacity & Capability (incl. leadership)
3. Quality of Services and Patient Safety
4. IMT, Data Quality & New System Implementation
5. Transformation & Service Redesign
6. Performance targets
7. Regulatory standards
8. Contracts and Demand
9. Strategic Partnerships and Partnership Working
10. Staff Engagement and Culture

Top 10 Trust AF Risk Themes 2016
1. Quality of Services & Patient Safety
2. Staff Capacity & Capability (incl. leadership)
3. Financial Duties, Continuity of Services & CIP
4. Transformation & Service Redesign
5. Regulatory Standards
6. IMT, Data Quality & New System Implementation
7. Contracts and Demand
8. Performance targets
9. Patient Experience, Feedback & Complaints
10. Staff Engagement and Culture

Trusts may wish to review their AF risks to consider whether any risks with regard to the above list should be included.

5. Next Steps

The Insight summarises the results of the 2017/18 Assurance Framework reviews, highlighting areas of good practice examples and also key areas for enhancement. It provides information to support organisations in understanding how their approach to the Assurance Framework compares to others. It is intended to prompt and inform discussions on this important aspect of Trust governance.

Organisations should:
- Review the outcomes of the benchmarking to establish if there are any learning points for your organisation.
- Contact MIAA for further information on the issues raised, or please speak to your Senior Audit Manager for information and support.

For more information or to request a benchmarking topic please speak to your Senior Audit Manager or contact: Louise Cobain, Assistant Director r&d@miaa.nhs.uk