NIFRS Assurance Framework

NIFRS Assurance Framework March 2014

CONTENTS

1 Introduction
2 Planning & Risk Assessment
3 Building an Assurance Framework
4 Roles & Responsibilities
5 Assessing the Assurance Framework
Appendix 1 - Draft Assurance Framework Document
Appendix 2 - Board Assurance - A Quick Reference Guide

VERSION CONTROL

Version Number: 1
Original Issue Date: March 2014
Review and Revised: -
Linked Policy Documents/Statements: NIFRS Corporate Risk Management Strategy; NIFRS Corporate Risk Management Policy.

Introduction

1.1 The Northern Ireland Fire & Rescue Service (NIFRS) Assurance Framework is based on Department of Health, Social Services & Public Safety (DHSSPS) Guidance entitled "An Assurance Framework: a Practical Guide for Boards of DHSSPS Arm's Length Bodies" (April 2009).

1.2 DHSSPS, through the Assurance Framework process, aims to improve the effectiveness of systems of internal control by evidencing controls and detailing how they will be marshalled, tested and strengthened.

1.3 Criterion 6 of the Governance Standard states: "The board must ensure that it has proper and independent assurances on the soundness and effectiveness of the systems and processes in place for meeting its objectives and delivering appropriate outcomes." To meet this criterion, the NIFRS Board needs to develop a process to support its Chief Executive in making a balanced, fully informed Governance Statement, one that describes both the achievements in the embedding of risk management and the work that remains to be done.

1.4 This Framework document supplies the Board with an instrument for making fuller use of the existing governance capacity:
- in terms of how the various aspects of governance relate to organisational responsibilities, accountability and to each other;
- in relation to the information they need to discharge their responsibilities and accountability;
- to know how the different facets of governance are working; and
- to ensure the effective management of risk.

1.5 Responsibility for managing risk lies not with the Board but with the Corporate Management Team (CMT), and the requirement for the Chief Executive to sign a Governance Statement heightens the need for the Board to demonstrate that they have been properly and continuously kept informed about the totality of their risks.

1.6 An effective Assurance Framework provides a clear, concise structure for reporting key information to the Board.

1.7 It identifies which of the organisation's objectives are at risk because of inadequacies in the operation of controls, or where the organisation has insufficient assurance about them.

1.8 It also provides a structured assurance about how risks are managed to effectively deliver agreed objectives whilst looking at the four broad domains of accountability, namely:
- Corporate/Organisational Control - the arrangements by which NIFRS directs and controls its functions and relates to stakeholders. This domain encompasses the policies, procedures, practices and internal structures which are meant to give assurance that the entity is fulfilling its essential obligations as a public body.
- Safety and Quality - the arrangements for ensuring that public safety services are safe and effective and meet people's needs.
- Finance - the arrangements for ensuring the financial stability of the Department's arm's length bodies, for securing value for money and for ensuring that resources allocated by the Minister/Department are deployed fully in achievement of agreed outcomes.
- Operational Performance and Service Improvement - fulfilling the Departmental requirements for ensuring achievement of Ministerial/Departmental objectives, standards and targets.

Planning & Risk Assessment

2.1 In generating the Annual Corporate Business Plan, CMT will take cognisance of the:
- Internal/external operating environment;
- Opportunities & threats in terms of political, economic, sociological, technological, environmental and legislative influences;
- DHSSPS and other key stakeholder requirements & targets; and
- High level key risks by Directorate.

2.2 Each individual director will determine what is required from their directorate to attain NIFRS agreed six strategic aims and will put forward a list of key business tasks for consideration by CMT when generating the Corporate Business Plan.

2.3 The key business tasks will then be risk assessed using the process outlined within the NIFRS Corporate Risk Management Policy and a Corporate Risk Register generated which records risks; mitigations; and risk assessment by strategic aim.

2.4 In addition, the planning process allows for the identification and risk assessment of new and emerging high level risks both at the beginning and throughout the year. These will be recorded on a High-Level Directorate Level Risk Register.
2.5 It is the responsibility of each individual director to ensure that identified high level risks are linked to business tasks, which when completed will mitigate in part or full all known risks.

Building an Assurance Framework

3.1 The Assurance Framework should provide NIFRS with a simple but comprehensive method for effectively managing the principal risks to meeting its objectives. It also provides a structure for acquiring and examining the evidence to support the Governance Statement, and by contributing to more pertinent board reporting and the prioritisation of action plans, the Framework will, in turn, allow for more effective performance management.

3.2 In line with best practice, the NIFRS Assurance Framework (see Appendix 1) has been developed in six stages by the Performance Management Unit as follows:

Identify principal corporate objectives to achieve outcomes across all relevant business areas - organisational, safety and quality, financial, and performance

3.3 NIFRS has identified, consulted upon, agreed and plans against six primary strategic aims covering organisational; safety and quality; financial; and performance business areas.

3.4 The six primary aims are:
- Respond to Emergencies - Provide an efficient, effective and resilient emergency response with resources aligned to risk.
- Develop a Safer Community - Reduce the incidence of fire and other emergencies by the provision of a targeted efficient and effective safety education, advice and legal enforcement service.
- Manage Resources & Monitoring Performance - Ensure the effective and efficient use of resources to provide value for money based on integrated risk management planning.
- Support Our People - Provide a well-equipped, competent & highly motivated workforce which reflects the community we serve.
- Governance & Accountability - In line with our values, and robust governance and scrutiny, operate in accordance with appropriate legislation, ensuring safety, sustainability and partnership are central to all our activities.
- Manage Change & Drive Improvement - Manage change and improvement through identification of best practice in line with the needs and expectations of all our stakeholders.

Identify principal corporate risks which threaten achievement of the principal objectives and ensure these risks are effectively managed

3.5 During the annual planning process and again as part of the quarterly review process, the risk aligned to each business task is evaluated and updated in line with the NIFRS Corporate Risk Management Policy.

3.6 The resultant Corporate Risk Register will therefore document:
- Known risks aligned to each individual business task;
- Existing mitigations and controls;
- Risk assessment based on likelihood and impact should, given the existing controls, the internal control system fail; and
- Links to the Corporate Business Plan which outlines planned actions to further mitigate risk.

3.7 In addition, the planning process allows for the identification and risk assessment of new and emerging high level risks both at the beginning and throughout the year. These will be recorded on a High-Level Directorate Level Risk Register.

3.8 Both risk assessments will be used to inform the Assurance Framework.

Document the key controls in place to manage identified risks

3.9 The NIFRS Corporate Risk Management Policy facilitates the identification of risks, mitigations and links to the Corporate Business Plan which outlines planned actions to further mitigate risk.

Determine the independent assurance required for the organization to be governed effectively. Consider types of assurance available, coordinate these effectively and identify areas where further assurance is required, tailoring assurance to the organization's needs

3.10 In building an Assurance Framework the Board will determine what level of independent assurance reporting is appropriate, given the risks and controls that have been identified.

Such assurances may be provided by an adequately resourced internal audit function operating to agreed Public Sector Internal Audit Standards (PSIAS) and supported by external audit, but may also include independent assurance from Fire Service Inspectors/Advisors or Peer Reviewers.

Report key information to the board, including positive information on controls and assurance, identification of inadequate controls or where insufficient assurance exists

3.12 The NIFRS Board through the Audit & Risk Management Committee will be provided with a copy of the Corporate Risk Register and the High-Level Directorate Level Risk Registers. This will provide them with an overview of the risks aligned to the achievement of annual business tasks broken down by each of the six primary strategic aims and will also allow the identification of high level risks as identified by lead directors.

These documents when combined, considered and discussed will provide a full risk picture for NIFRS.
Action plans to be agreed by the board to address gaps in controls and assurance with proposals to take corrective, restorative or remedial steps, as required

The NIFRS Assurance Framework will be designed to allow the board to concentrate on a limited number of top-level risks, but without restricting its freedom to maintain a watch on the full array of risks to principal objectives.

However, as the Framework incorporates all of an organization's principal objectives and related risks, its basic content does not immediately direct board attention to the most currently severe risks. For that to happen, there must be rigorous testing and filtering of the information on risk.

The Board can ensure the necessary focus using the following process:
- the organization's Corporate Management Team will meet periodically to debate the content of the Corporate Risk Register. In order that the outcome should straightforwardly present the live risks to business, it is essential that discussion should be frank and detailed;
- the revised Corporate Risk Register, together with minutes of the Corporate Management Team meeting, will then be submitted to an Audit & Risk Management Committee. It is not the committee's job to appraise the risks per se; rather, the Audit & Risk Management Committee will check that the systems for identifying and assessing risk are being conscientiously operated, and for evidence from the minutes of sufficiently serious and forensic examination of the issues;
- the Audit & Risk Management Committee's view is formally reported to the board;
- in parallel, the Corporate Management Team will table for board consideration the Assurance Framework adjusted to take account of the just-debated changes to the Corporate Risk Register and containing, typically, those risks classified as "Critical Risk";
- the NIFRS Board will then decide what action to take on these Critical risks, although the Board retains the right to address more or different risks to overall progress towards business objectives. In coming to a decision, the board may ask itself: "do we accept the conclusions put to us or do we need additional or more objective verification?" The result will be a soundly-based, board-led action plan.
Roles & Responsibilities

Corporate Management Team

4.1 To comply with the requirements of the NIFRS Assurance Framework, CMT members will:
- As part of the planning process generate and review at least quarterly a list of (i) key business tasks; and (ii) high level risks, and carry out a risk assessment for each using the NIFRS Corporate Risk Management Policy;
- Facilitate the generation of a draft Corporate Risk Register;
- Meet quarterly to:
  - debate the content of the draft Corporate Risk Register and to determine the continued validity of identified risks, mitigations, planning actions and risk assessments; and
  - consider the outcomes from independent assurance sources (e.g. internal/external audit, peer reviewers etc.) and consider whether these provide a positive assurance or whether they are such that gaps in controls and/or assurances have been identified.
  The outcome of this discussion should be used to populate the Assurance columns on the Assurance Framework. This meeting should be minuted;
- Schedule revised Corporate Risk Register and CMT minutes for consideration by the Audit & Risk Management Committee; and
- Schedule revised Corporate Risk Register (Critical Risks) for discussion by full NIFRS Board.

Performance Management Unit

4.2 To comply with the requirements of the NIFRS Assurance Framework, the Performance Management Unit will:
- As part of the planning process, assist CMT on at least a quarterly basis in generating and reviewing a list of (i) key business tasks; and (ii) high level risks, and carrying out a risk assessment for each using the NIFRS Corporate Risk Management Policy;
- Facilitate the generation of a draft Corporate Risk Register;
- Attend the quarterly CMT Assurance Framework meeting, recording and processing all required amendments and populating the Assurance columns on the Assurance Framework;
- Generate the revised Corporate Risk Register and CMT minutes for consideration by the Audit & Risk Management Committee; and
- Generate revised Corporate Risk Register (Critical Risks) for discussion by full NIFRS Board.

NIFRS Audit & Risk Management Committee

4.3 To comply with the requirements of the NIFRS Assurance Framework, the Audit & Risk Management Committee Members will:
- Check that the systems for identifying and assessing risk are being conscientiously operated, and that evidence exists from CMT minutes that sufficiently serious and forensic examination of issues has taken place.
- Determine if NIFRS are able to demonstrate that Board agreed minimum levels of assurance are in place.
- Review the content of the bi-annual Governance Statement to ensure continued understanding of the links in NIFRS assurance chain and to monitor the effectiveness of the systems of internal control.
- Review and challenge the Corporate Risk Register and related CMT minutes.
NIFRS Board

4.4 To comply with the requirements of the NIFRS Assurance Framework, the NIFRS Board will:
- Establish the principle of reasonable rather than absolute assurance, and reach consensus on what reasonableness means for NIFRS.
- Determine the level of assurance required to manage NIFRS principal risks and take stock of the various forms of assurance available before setting minimum levels of assurance for NIFRS.
- Demonstrate that they have been able to:
  - identify their objectives;
  - manage the principal risks to achieving them;
  - understand the links in NIFRS assurance chain; and
  - monitor the effectiveness of internal control systems and existing assurance reporting.
- Evaluate on an annual basis the quality and robustness of the NIFRS Assurance Framework.
- Review the High Level Corporate Risk Register on a quarterly basis, deciding on what action needs to be taken to address highlighted risks.

Assessing the Assurance Framework

5.1 It is important that the NIFRS Board can evaluate the quality and robustness of the Assurance Framework and has arrangements in place to keep itself updated in the light of evidence from reviews and achievements.

5.2 If, for example, NIFRS actual or apparent performance in a particular area seems at odds with the assessment from the Assurance Framework reports, the reasons for the discrepancy need to be investigated. Leaving aside the possibility of inaccurate reporting, it may be that:
- the objectives need to be revised;
- the risks reassessed and evaluated; or
- the assurance on the effectiveness of the controls reviewed.

5.3 The board's action plan should be updated to reflect the remedial or corrective steps to be taken.

5.4 A checklist to aid with the completion of an assessment of the Assurance Framework is included in Appendix 2.

APPENDIX 1 - DRAFT ASSURANCE FRAMEWORK DOCUMENT

Columns: Consolidated Overall Objective | Directorate | Associated Risks | Risk Mitigations | Likelihood | Personal Impac | Quality/System | Public Confiden | Complaint or Cl | Financial Loss | Impact Rating | Risk Assessment | Positive Assurances | Gaps in Controls | Gaps in Assurance

Aim 3 - Manage Resources & Monitoring Performance - Ensure the effective and efficient use of resources to provide value for money based on integrated risk management planning.

Objective: Ensure contract and procurement management is working in full compliance of legislation and regulatory frameworks and providing an effective and efficient service with an end-to-end process for procuring goods and services to be in place (e.g. business case, planning and procurement).
To achieve this NIFRS will:
- Develop a Strategic Procurement plan to link with the Business Plan
- Ensure appropriate contract oversight and management is fully operational.
- Ensure ICT programmes for procurement are fit for purpose and meet legislative and regulatory requirements
Directorate: Planning and Corporate Affairs
Associated Risks:
- Staffing and resources
- Limited assurance that NIFRS are working within legislative and compliance frameworks
- NIFRS need to develop contract oversight and management process
- NIFRS need to develop a strategic procurement plan linked to business plan
- Delays in the issuing of contracts
- Contract clauses need reviewed in terms of Business Continuity and Insolvency
- Need to establish CoPE
Risk Mitigations:
- Procurement Policy/Strategy Review
- Functional review on-going
- On-going review of procurement processes
- Peer review of function to be attained
- Review of contract provisions currently on-going
- NIFRS working with DHSSPS to establish a CoPE arrangement
Ratings: Possible (4); Major (4); Major (4); Moderate (3); Moderate (3); Major (4); Major (4); Critical

Objective: Ensure arrangements are in place for the effective management of Service assets.
To achieve this NIFRS will:
- Implement year 1 of the Operational Asset/Facilities Management Strategy which will include appropriate planned maintenance cycle and defect/maintenance management by appropriate targeting of finite resources. Environmental Management Strategy and targets will be incorporated.
- Provide evidence of investment requirements to make assets/facilities fit for purpose.
- Ensure all assets are contributing to delivery of core organisational business.
- Provide a suite of appropriate KPIs for Operational Asset/Facilities management.
- Review the asset management processes and develop an asset management database to include capital and inventory items including operational equipment and desirable items.
- Ensure full utilisation of current ICT systems within estates for recording decision making and performance management
Directorate: Planning and Corporate Affairs
Associated Risks:
- Resource issues (budget & staffing)
- Process & system issues
- Dependence on MTC provision
- Reactive rather than proactive estate maintenance processes
- Budget management
- No operational asset/facilities management strategy
- Uncertainty regarding profile and state of current estate assets/facilities
- No performance measures e.g. KPIs
Risk Mitigations:
- Review of Estates function ongoing
- Standardised processes currently being established
- Update to IT based management/maintenance programmes
- MTC policies, processes and system under review
- An Operational Asset Appraisal Survey (OAAS) is on-going
- OAAS Strategy currently being generated for approval
- Model for future builds being established
Ratings: Probable; Major (4); Major (4); Moderate (3); Minor (2); Major (4); Moderate (3); Critical

Objective: Review and implement NIFRS Replacement Strategy for fleet.
To achieve this NIFRS will:
- Implement year 1 of NIFRS Replacement Strategy for fleet.
- Achieve ISO9001 for Transport activities.
- Carry out testing in line with pre-determined testing schedules.
- Research, develop and make recommendations regarding purchase of a system through which operational equipment can be tagged.
Directorate: Operational Support Services
Associated Risks:
- Failure to respond (Legislative requirement)
- Failure to meet response standards
- Fleet being maintained beyond useful life
- Increased maintenance costs
- NIFRS may be unaware of equipment existence & location and therefore fail to maintain
- No method in place to monitor location and testing of equipment exchanged on fireground (tracking)
- Potential equipment failure in an operational environment which may result in injury or loss of life
Risk Mitigations:
- Age profile of fleet within useful life span
- Maintenance protocols in place
- Station back-up arranges to ensure response
- Board approval for re-evaluation of tender & new supplier appointed
- Testing protocols in place
- Project underway to identify equipment and location
- On-going equipment testing schedule by station
- Systems in place to provide robust evidence of maintenance & testing
Ratings: Possible (4); Major (4); Critical

Objective: Review ICT operational management in terms of:
- Structures, staffing & strategy;
- Development of intranet;
- Systems security;
- Passwords;
- Licensing;
- Training; and
- Development of KPIs
Directorate: Community Protection
Associated Risks:
- Issues have been identified in respect of the need to update a range of ICT system to include the following systems and related interfaces:
  - MIS;
  - Human Resources;
  - Finance;
  - Estates;
  - E-procurement;
  - Performance Mgt;
  - Information Governance; and
  - IS/IT Security
- Introduction of WAN - future ICT capability & linkages
- Currently there is no provision for call-out or stand-by in terms of ICT provision.
Risk Mitigations:
- Consultants are currently being sourced to carry out a review of ICT provision and to make recommendations in respect of strategy and structure.
- Directors currently reviewing ICT system requirements as part of their structural review.
- Introducing interim ICT solutions
- Agreement reached by CMT to establish an interim solution for stand-by and call-out for ICT.
Ratings: Probable; Moderate (3); Major (4); Moderate (3); Major (4); Major (4); Major (4); Critical

Objective: Plan, develop, manage and support resilient Business Information and Communications Systems and technologies to deliver a robust Management Information Framework in line with NIFRS ICT Strategy (e.g. Unified Comms, GD92 and Replacement Command & Control System).
Directorate: Community Protection
Associated Risks:
- Failure to respond/mobilise.
- Failure to meet agreed response standards.
- Failure to mobilise correct resources.
- Failure to provide known operational risk information (SOP12) to operational crews.
- No system support for existing system.
Risk Mitigations:
- Currently procuring a replacement GD92 system.
- Maintaining existing mobilisation system.
- Established resilience processes in place.
Ratings: Probable; Major (4); Critical

APPENDIX 2 - BOARD ASSURANCE - A QUICK REFERENCE GUIDE

BOARD ASSURANCE - A QUICK REFERENCE GUIDE

This summary enables Boards to quickly assess which parts of the Assurance Framework you have in place and which you might need to focus on in order to reduce risk.

1. Are your principal objectives defined? Yes/No
Principal objectives are the strategic goals set for the organization, and will drive its response to risk.

2. Are your principal risks identified? Yes/No
Principal risks will highlight any obstacles to achieving the principal objectives, as well as the associated consequences.

3. Do you have key controls in place to manage risks? Yes/No
Are key controls in place to manage the principal risks? Controls should relate directly to the principal risks and should be of practical application.

4. Is assurance provided on the effectiveness of controls? Yes/No
This element is about gathering the evidence, ideally independent, on the effectiveness of the key controls.

5. Putting it all together
All of the stages of the Assurance Framework should work together as a continuous process of identifying objectives, assessing risks, introducing controls and assessing whether these controls have been effective.

Do board papers include all the above elements? Yes/No
Organizations should ensure all the above elements are incorporated into their routine board reports.

Assurance Framework assessment tool? Yes/No
A tool to help assess where an organization currently is in terms of compliance against the Assurance Framework and to help identify areas to target improvement.

Are effective delivery plans in place? Yes/No
Having assessed the current position, boards should have an action plan which is outcome focused, owned and measurable to improve its key controls to manage its principal risks and gain additional or stronger assurance where required.