ASSURANCE FRAMEWORK. A framework to assure the Board that it is delivering the best possible service for its citizens SEPTEMBER 2010.

Transcription

1 ASSURANCE FRAMEWORK A framework to assure the Board that it is delivering the best possible service for its citizens SEPTEMBER 2010 V3 Draft 1

2 SECTION NO. ASSURANCE FRAMEWORK CONTENTS 1. INTRODUCTION 3 2. WHAT IS ASSURANCE? 4 3. WHAT IS AN ASSURANCE FRAMEWORK? 4 4. HYWEL DDA HEALTH BOARD ASSURANCE FRAMEWORK 5 5. MAINTENANCE 9 6. FURTHER INFORMATION 9 APPENDIX PAGE NO. 1 BOARD STRATEGIC OBJECTIVES 10 2 BOARD ASSURANCE FRAMEWORK REPORT 11 3 TARGETS FOR INCLUSION IN THE BOARD ASSURANCE FRAMEWORK REPORT 4 GLOSSARY V3 Draft 2

3 1. INTRODUCTION The Welsh Assembly Government s Citizen Centred Governance principles embody what the Welsh Assembly Government wants public services to be, focused on the needs of citizens, with citizens who are engaged and involved in the development of services and who receive services which are efficient, effective and innovative in their design and implementation. The principles are: Putting the citizen first Putting the citizen at the heart of everything and focusing on their needs and experiences; making the organisation s purpose the delivery of a high quality service Knowing who does what and why making sure that everyone involved in the delivery chain understands each other s roles and responsibilities and how together they can deliver the best possible outcomes Engaging with others working in constructive partnerships to deliver the best outcome for the citizen Living public sector values being a value-driven organisation, rooted in Nolan principles and high standards of public life and behaviour, including openness, customer service standards, diversity and engaged leadership Fostering innovative delivery being creative and innovative in the delivery of public services working from evidence, and taking managed risks to achieve better outcomes Being a learning organisation always learning and always improving service delivery Achieving value for money looking after taxpayers resources properly, and using them carefully to deliver high quality, efficient services. These principles establish the standards of good governance for the NHS in Wales and are designed to ensure: Clarity for everyone working within the NHS system, those working in partnership with the NHS, those receiving NHS services themselves; and carers and relatives of those receiving NHS services; Responsibility is placed with those who are best equipped to meet those responsibilities; Recognition for those achieving their objectives; and Action to ensure activities remain on track. The extent to which individual NHS organisations are able to demonstrate their alignment with the citizen centred governance principles will contribute to the Minister for Health & Social Services annual review of NHS bodies performance. V3 Draft 3

4 2. WHAT IS ASSURANCE? There are many definitions of assurance, most of which centre around common themes of confidence and certainty. Assurance in respect of Hywel Dda Health Board can be defined as follows: Assurance provides Board members with the evidence that the Health Board is operating effectively, achieving desired outcomes, delivering on its strategic vision, meeting its strategic objectives through effective risk management, in a manner which upholds the Citizen Centred Principles and is in accordance with all statutory requirements. Reasonable Assurance However, the Board will need to recognise that any assurance, whatever its source, will not be a guarantee that offers absolute certainty. As such the Board must look to gain reasonable assurance that Hywel Dda Health Board s ways of working enable it to perform effectively across the full range of its activities (the breadth of assurance) in order to deliver its strategic vision. Defining what is considered reasonable provides the Board with the opportunity to discuss and debate the importance of assurance in a meaningful way, taking into account the nature of the Health Board s activities and its core values, as well as the views of its citizens, community partners and other stakeholders on what reasonable might mean to them. The result of the Board s deliberations will determine the level of assurance that it requires (the depth of assurance) in relation to particular activities. Specifying both the breadth and depth of assurance required is sometimes described as risk appetite. Statement of Internal Control NHS organisations are required to produce an annual, formal statement of assurance known as a Statement on Internal Control, published as part of its annual accounts. The statement on internal control provides citizens and other stakeholders with a level of confidence on the way in which an organisation is led, the efficiency and effectiveness of its operations and ultimately, its ability to deliver its strategic vision, aims and objectives. 3. WHAT IS AN ASSURANCE FRAMEWORK? The Assurance Framework provides a structure and process that enables the organisation to focus on the risks to achieving its most important strategic objectives and map out both the key controls in place to manage them and also how they have gained sufficient assurance about their effectiveness. The attributes of having an Assurance Framework are to: Encourage individuals and groups within the organisation to think about and plan for the achievement of their objectives in a proactive manner. Highlight any gaps in control and assurance that may hinder the achievements of these objectives. Requires the active involvement throughout the Health Board, including the Board, to make it work more effectively. V3 Draft 4

5 This Assurance Framework describes the processes by which Hywel Dda Health Board can be confident that: Systems, policies and staff are operating in a safe and effective manner, focused on the organisation s key risks and driving the delivery of its strategic objectives There is a framework for reporting key information to the Board which provides a structured level of assurance in respect of the management of risks in relation to the achievement of the Board s objectives There is a structured process in place to provide evidence to support the Annual Statement on Internal Control. 4. HYWEL DDA HEALTH BOARD ASSURANCE FRAMEWORK In order to ensure the Health Board has a robust Assurance Framework the following key activities need to be undertaken: 4.1 Step 1 - Establish and effective Governance Framework The way in which the Board is led is critical to its likelihood of achieving success in the manner required and responsibility for this lies firmly with the Board. Before the Board is able to seek assurance on how well others are delivering on its behalf, it must first establish an effective governance framework within the organisation that meets the standards set for the NHS in Wales. The resulting framework should ensure a strong focus on the culture and behaviours necessary for success and the introduction and operation of the rights systems and processes. With this Governance framework the Board will need to: Establish a clear strategic vision for the Health Board, described within meaningful strategic aims and objectives that are clearly cascaded and understood throughout the organisation. Objectives are not necessarily confined to targets set by the Assembly Government (e.g. 5 year Service, Workforce & Financial Strategic Framework) and they should set the context for the Health Board s overall performance and development across the range of its long term activities. Strategic objectives should strike the right balance in terms of the number and type and as a rule of thumb the number of strategic objectives should be no more than 10. Objectives should focus not only on what the Board wants to achieve in terms of performance against its strategic objectives but also the manner in which those objectives have been delivered. The strategic objectives for the Board will be underpinned by Directorate objectives, supported in turn by those of departments and individuals. The Board s Strategic Objectives are set out in Appendix 1 Put in place a practical scheme of delegation for roles and responsibilities with identified lead executive, committees and others. The Board should establish appropriate arrangements for certain functions to be carried out on its behalf with subsequent reporting structure to assure itself that matters delegated to others are effectively carried out. These V3 Draft 5

6 arrangements should establish a clear framework for decision making so that the day to day business of the organisation may be carried out effectively, and in a manner that secures the achievement of the organisation s strategic objectives. The Board scheme of delegation should be in accordance with its Standing Orders, and in particular its Scheme of Reservation & Delegation of Powers. Establish and embed a clear, organisation wide focus on actively identifying and managing risks (both strategic and operational) so that the Health Board is able to maximise its opportunities and at the same time mitigate any threats to the achievement of its purpose, aims and objectives. The risk management process should set the right tone from the top so that risk management engenders innovation and improvement by being embedded into the operations and culture of the whole organisation, starting at Board level. (Ref Risk Management Strategy & Policy and Risk Assessment to Risk Register Policy (to be revised as Risk Management Procedure)) Once the Board has: Set its strategic direction Delegated powers to act on its behalf Identified the risks (opportunities and threats), determined action to manage those risks, and Agree the level and type of assurance its needs it will need to make effective arrangements to receive that assurance in a coordinated way. 4.2 Step 2 - Identify where the Board will get its assurance from The Board will need to seek and receive assurance from a wide range of sources within the organisation, both directly and through the operation of its committees. The Board will need to agree the level and type of assurance it needs and should seek this assurance from a variety of key sources internally within the organisation. This will be applied through the implementation of the three lines of defence approach which has three underlying concepts of ownership by frontline staff, accountability to corporate and executive processes and separate scrutiny. First line of defence is at departmental level with frontline staff understanding roles and responsibilities enabling them to be carried out properly and safely, with controls designed into systems and processes. Compliance with policies and procedures both in terms of service delivery and decision making processes are routinely verified from within the department and key risks and control measures identified. Second line of defence is a corporate governance framework, incorporating compliance and risk management functions, which reviews the operation of the internal control framework. The committee structure (including sub committees) of the Hywel Dda Health Board enables compliance with policies, working practices and operational arrangements to be monitored, thereby overseeing the outcomes from the first line of defence. V3 Draft 6

7 Third line of defence is independent review, overseeing the first two outlined above and which monitors overall compliance and risk management. This is a key role for Internal Audit but is not limited to that function as other sources can also be used. Review findings are considered by the appropriate scrutiny committee (not limited to Audit Committee) who can ensure that the Executive Team is addressing any identified weaknesses on behalf of the Board. The value which the Board receives from external assurance activity should not be under estimated as its role is to validate the effectiveness of the Board s arrangements. External assurance activity within Hywel Dda Health Board will be used to provide a level of assurance, both positive and negative, around its systems of control, identify any gaps in systems of control and ensure that relevant and effective action is undertaken to address the identified gaps. The key sources of assurance available relating to internal assurance (external validation is also listed for information purposes) are as follows: INTERNAL ASSURANCE Internal audit KPIs Performance stocktakes and other reviews Committee reports Stakeholder Reference Group reports Healthcare Professionals Group reports Local counter fraud work Compliance audit reports Clinical audit Staff satisfaction surveys Staff appraisals Training records Training evaluation reports Results of internal investigations Serious Untoward Incident reports Feedback, comments and Complaints records Infection control reports Healthcare Standards selfassessment Information governance toolkit selfassessment Patient advice and liaison services reports Human resource reports Internal benchmarking Risk register EXTERNAL VALIDATION External audit reports / reviews Healthcare Inspectorate Wales reports / reviews Welsh Risk Pool WAG reports/reviews NLIAH reports / reviews Royal College visits Deanery visits External benchmarking Accreditation schemes Peer reviews External advisors Local networks (for example, cancer networks) Investors in People WAG Corporate Health at Work standard Community Health Council visits V3 Draft 7

8 4.3 Step 3: Operational process for Board assurance The Assurance Framework of Hywel Dda Health Board provides a simple framework for reporting key information to the Board. It identifies which of the organisation s objectives are at risk because of inadequacies in the operation of controls or where the organisation has insufficient assurance about them. At the same time it provides structured assurances about where risks are being managed effectively and objectives are being delivered. This allows the Board to determine where to make efficient use of their resources and address the issues identified in order to improve the quality and safety of care. The Heath Board s risk register details all of the risks (strategic and operational) identified throughout the organisation with each risk assigned to a committee/sub committee for scrutiny purposes. The Corporate Risk Register identifies the organisation s high or extreme risks, including those which threaten the achievement of strategic objectives. By focusing on these principal risks, the Board s assurance committees can give priority to routinely report on the current high level risk issues to the Board. This will ensure that risk management becomes firmly embedded as a Board responsibility. In addition to providing opportunities to improve the effectiveness of management, this will provide the evidence to support the annual Statement on Internal Control. The diagram below outlines the components of the assurance framework, what part they play in the overall assurance framework of assurance, and how they link together. Figure 1: Assurance Framework components Strategic Objectives Strategic and local priorities, Core and developmental standards National and local targets Principal Risks Potential risks to meeting objectives Key Controls Assurance on Controls Board reports Board action plan Reasonable management to deliver the objectives and manage the risks External audit, Internal audit, Service reviews and inspections, Management, Checks, Clinical audit, Accreditation schemes Information provided to the Board or its committees on meeting objectives or mitigating risk, SIC, To improve control, ensure delivery of principal objectives, ensure good/integrated governance V3 Draft 8

9 The Board Assurance Framework Report will link principal objectives to the principal risks, key controls, assurances and board reports and each of the Health Board s strategic objectives will be included. The Board Assurance Framework Report shown at Appendix 2 will be aligned to the strategic vision and objectives. The Board Assurance Framework Report highlights the key objective, lead executive, key controls, assurances on control, gaps in assurances and controls, level of assurance and where appropriate any resulting principal risks will be transferred to the risk register. The risk register will identify the action plan developed to address the gaps in control and gaps in assurance. The Board Assurance Framework Report and risk register will be updated on a bi-monthly basis and cross referenced accordingly. The overall programme of Board and Committee business requires development in such a way that it delivers on the assurance framework. As such the Assurance Framework and Board Assurance Framework Report will be considered at Board/Committee level as follows: Board The overarching Assurance Framework will be reviewed annually to ensure that it continues to be fit for purpose. The Board Assurance Framework Report will be considered annually to coincide with the approval of the Health Board s aims and objectives for the forthcoming year. Audit Committee The Audit Committee will be the responsible for ensuring the regular review of the Board Assurance Framework Report and, if required, may delegate review to relevant subsidiary committees. 5. MAINTENANCE 5.1 The lead for the Assurance Framework is the Director of Corporate Services supported by the Executive Directors for their designated areas of responsibility. 6. FURTHER INFORMATION 6.1 For further information on this Framework, or other supporting Governance documents, please contact Christopher Wright, Director of Corporate Services on christopher.wright@wales.nhs.uk. V3 Draft 9

10 APPENDIX 1 HYWEL DDA HEALTH BOARD STRATEGIC OBJECTIVES Principles Personalised, promoting health, equitable, sustainable, promoting independence and self care Vision Ensure the NHS delivers a world class health care system of the highest quality with improved outcomes for the people of Hywel Dda Aims Objectives Improve the health and wellbeing for all of the Hywel Dda population 1. Ensure people live longer 2. Reduce the impact of illness on people s quality of life Optimise the delivery of quality health and social care in the most appropriate setting 4. Delivering quality health and health services efficiently within a sustainable system 5. Identify health and social care needs better and respond creatively Be recognised as Wales leading health system 7. Improve the efficiency of the health service through improved productivity and value for money 8. Secure the necessary skills and lead by example 3. Reduce lifestyle related illness 6. Work closely with partners to ensure delivery of integrated and innovative health, social and community services 9. Involve and engage our citizens and effectively communicate what we are doing 10. Manage our reputation V3 Draft 10

11 APPENDIX 2 BOARD ASSURANCE FRAMEWORK REPORT Ref Detailed Objective Lead Executive Key Controls Assurance on Controls Gaps in Control Board reporting Gaps in Assurance Level of assurance Resulting Principal risk (full details of risk and action plan will be included in risk register) Risk Risk rating RR Ref Individual objective underpinning strategic objective Lead Executive Director whose portfolio has responsibility for this objective Controls/ systems we have in place to assist in securing delivery of our objective e.g. policies, procedures, processes Those internal or external reporting arrangements that provide assurance to the Board that controls are effective Areas where controls are not in place or are ineffective Areas where there is insufficient evidence that our existing systems of control are effective Must state whether High, Medium, Low or Inadequate What prevents the objective being achieved? Scoring as per Risk Strategy - Red, Amber, Yellow or Green Strategic Objectives (approved by the Board) V3 Draft 11

12 APPENDIX 3 TARGETS FOR INCLUSION IN THE BOARD ASSURANCE FRAMEWORK REPORT INTERNAL Performance Management Framework Foundations 4 Change 5 Year Plan Annual Operating Framework Quality & Safety Clinical Quality Strategy 1000 Lives Plus Healthcare Standards Statutory Duties Welsh Language Equality & Diversity Complaints/Redress Internal Audit reports EXTERNAL Healthcare Inspectorate Wales (HIW): - Healthcare Standards for Wales - HIW inspection reports Welsh Risk Pool - Claims Management - High Risk Clinical Areas: i) Maternity ii) Operating Department Services iii) A&E External Audit reports National Patient Safety Association reviews Other external body reviews e.g. Nursing & Midwifery Council, General Medical Council, Health & Safety Executive, CSSiW WAG Directives e.g. Ministerial letters V3 Draft 12

13 APPENDIX 4 GLOSSARY Assurance TERM Assurance Committee Assurance Framework DEFINITION Confidence, based on sufficient evidence, that internal controls are in place, operating effectively and objectives are being achieved A board level committee with overarching responsibility for ensuring appropriate assurance is gained on the management of all principal risks. This may be an existing committee such as a governance, or risk management committee A structure within which boards identify the principal risks to the organisation meeting its principal objectives and map out both the key controls in place to manage them and also how they have gained sufficient assurance about their effectiveness Board Assurance Action Plan An action plan approved by the board to improve its key controls to manage its principal risks, and gain assurances where required Board Assurance Reports Controls Assurance Directorate Level Objective Effective Control External Assurance Gap in Assurance Gap in Control Key information reported to the board on the assurance framework, providing details of positive assurances and significant gaps in internal controls and assurances relating to principal risks. In addition to providing information leading to a board assurance action plan this will also provide evidence to support the annual Statement on Internal Control A holistic concept based on best governance practice. It is a process designed to provide evidence that NHS organisations are doing their reasonable best to manage themselves so as to meet their objectives and protect patients, staff, the public and other stakeholders against risks of all kinds How the organisation translates an overall goal into deliverables at directorate (or equivalent) level A control that is properly designed, and delivers the intended objective Assurances provided by reviewers, auditors and inspectors from outside the organisation, such as External Audit, HIW, or Royal Colleges for example Failure to gain sufficient evidence that policies, procedures, practices or organisational structures on which reliance is placed are operating effectively Failure to put in place sufficient effective policies, procedures, practices or organisational structures to manage risks and achieve objectives V3 Draft 13

14 Head of Internal Audit Opinion Independent Assurance Internal Assurance Internal Control Key Control Mapping of Assurance Positive Assurance Principal Objectives Principal Risk Prioritisation of Risk Reasonable Best Risk Risk Assessment Risk Management Sources of Assurance An annual opinion provided to inform the Board in completing their Statement on Internal Control. This provides opinions on (a) the overall assurance framework and (b) the effectiveness of that part of the system of internal control reviewed by Internal Audit during the year Assurances provided by (a) reviewers external to the organisation and (b) internal reviewers working to government standards, such as Internal Audit Assurances provided by reviewers, auditors and inspectors who are part of the organisation, such as Clinical Audit or management peer review The ongoing policies, procedures, practices and organisational structures designed to provide reasonable assurance that objectives will be achieved and that undesired events will be prevented or detected and corrected A control to manage one or more principal risks A process, providing a clear management trail, that links principal objectives to principal risks principal risks to key controls key controls to assurances Evidence that shows risks are being reasonably managed and objectives are being achieved Objectives set at strategic and directorate (or equivalent) level A risk which threatens the achievement of Principal Objectives A process by which risks are graded in order based on the likelihood of their occurrence and the impact of their consequences A decision or course of action, agreed by the board, that is based on sufficient evidence The possibility of suffering some form of loss or damage. The possibility that objectives will not be achieved The identification and analysis of relevant risks to the achievement of objectives A systematic process by which potential risks are identified, assessed, managed and monitored The various reviewers, auditors and inspectors, both internal and external, who carry out work at NHS organisations (see Internal Assurance and External Assurance). Boards will have to determine which sources of assurance are relevant to principal risks and to what extent they are sufficient V3 Draft 14

15 Statement on Internal Control (SIC) Strategic Objective System of Internal Control An annual statement signed by the Accountable Officer on behalf of the board that forms part of the Annual Financial Statements for the year. The SIC provides public assurances about the effectiveness of the organisation s system of internal control An overall goal of the organisation A system, maintained by the board, that supports the achievement of the organisation s objectives. This should be based on an ongoing risk management process that is designed to identify the principal risks to the organisation s objectives, to evaluate the nature and extent of those risks, and to manage them efficiently, effectively and economically V3 Draft 15