320 likes | 442 Views
Assurance Frameworks. Dr John Bullivant. 2007s. Assurance Framework definition.
E N D
Assurance Frameworks Dr John Bullivant 2007s
Assurance Framework definition • The Assurance Framework provides a structure and process that enables the organisation to focus on the risks to achieving its most important (principal) annual objectives and map out both the key controls in place to manage them and also how they have gained sufficient assurance about their effectiveness
Assurance Framework: Benefits Benefits • encourages individuals and groups within the organisation to think about and plan for the achievement of their objectives in a proactive manner, • highlights any gaps in control and assurance that may hinder the achievement of these objectives. • requires the active involvement of many people in the Trust, including the Trust Board, to make it work effectively.
• Board Code of Conduct based on Nolan principles and a system for communicating the Code • Induction process for new directors and senior staff • Induction process(es) for all staff • Scheme of delegation and schedule of reserved decisions • Register of interests • System of Integrated Governance • Statement of internal control which identifies the sources of assurance • Financial Standing Orders • Financial limits and budgetary control systems • Internal audit arrangements to include non financial audit and management audit • Audit Committee -according to recommendations of Audit Committee Handbook • Assurance Framework • Accountability arrangements for partnerships and networks • Governance and Risk Management Policy/Strategy; over-arching to cover all services • Process for identifying Corporate Objectives (for all services and operations) and identifying obstacles and risks to their achievement • Approved policy on risk management including acceptability of risk; to Have sustainable systems outlining accountability and arrangements,including
Assurance Framework & Risk Sensitivity • What are our top 10 strategic objectives? • Have we identified the risks which might compromise the achievement of these? • Are there gaps in controls? • Are there gaps in assurance? • Are there plans to mitigate these?
Scoring RisksRisks are scored using the matrix below. The level of consequence is decided which gives a sum between 1 (trivial) and 5 (fatal); the probability of the risk happening is then decided which gives a sum between 1(remote) and 5 (certain). Multiplying the 2 sums together will give the risk score, eg consequence Major x probability Possible would be 3 x 3 = risk score 9. The risk scores are given on the matrix below. The Assessment Score Probability Likelihood Consequences/severity
BUILDING THE ASSURANCE FRAMEWORKA PRACTICAL GUIDE FOR NHS BOARDS (DH March 2003)-Gatelog Reference 1054 • Establish principal objectives • Identify the principal risks that may threaten the achievement of these objectives • Identify and evaluate the design of key controls • Set out the arrangements for obtaining assurance on the effectiveness of key controls • Evaluate the assurance across all areas of principal risk • Identify positive assurances and areas where there are gaps • Put in place plans to take corrective action where gaps have been identified • Maintain dynamic risk management arrangements including, crucially, a well founded risk register • re Principal Objectives show the link between Strategic and Directorate level objectives.
The AF provides organisations with: • a simple but comprehensive method for the effective and focused management of the principal risks that arise in meeting their objectives. • a structure for the evidence to support the SIC. • simplified Board reporting and prioritisation, which in turn allows more effective performance management. • Means of reporting key information to Boards, providing it is maintained as a dynamic document. • Identification of which of the organisation’s objectives are at risk because of inadequacies in the operation of controls or where the organisation has insufficient assurance. • structured assurances about where risks are being managed effectively and objectives are being delivered. • Means for Boards to determine where to make most efficient use of their resources and address the issues identified in order to improve the quality and safety of care. • Identification of priorities for the Board. The organisation is able to understand its capacity to deliver within defined limits and the Board has an accurate understanding of the risks the organisation faces. (IG Handbook)
Assurance Framework at St Mary's • An Assurance Framework must be driven by the objectives of the organisation, as clear strategic and operational objectives need to be identified before an effective system of internal control can be established. • Without clear objectives, the Trust will be unable to identify and evaluate the risks that threaten the achievement of its goals and design and operate a system of internal control to manage those risks. • The principal objectives will have been determined by the Board, based on organisational local and national priorities, stated in the Business Plan and other related documents. • The principal objectives are periodically reviewed and updated in consultation with all stakeholders and reviewed by the Trust Board and Executive Board. • The Company Secretary and Head of Performance and Modernisation will ensure there is parity between the Principle Objectives outlined in the Business plan and those providing the framework for the Assurance Framework.
Risks • Potential principal risks to the achievement of the Trust’s objectives are identified in two ways: • the ‘top down’ proactive identification of risks that directly affect the Trust’s achievement of its principal objectives, and • ‘bottom up’ assessment through the Trust’s Risk Register. • High-level risks in the Trust Risk Register, (scored 15 and above), will be reported to the Trust Board for consideration. The Company Secretary (custodian of the Assurance Framework) and Associate Director of Quality and Risk (custodian of the Risk Register) in liaison with the Trust Executive Directors, will ensure that where felt necessary there is cross-over from Risk Register to Assurance Framework and vice-versa. • Therefore high-level risks from the Risk Register will filter up for inclusion in the Assurance Framework, and specific risks from the Assurance Framework will filter down for inclusion in the Risk Register. All risks should be rated in line with guidance included in the Trust’s Risk Management Policy and Strategy.
Scoring RisksRisks are scored using the matrix below. The level of consequence is decided which gives a sum between 1 (trivial) and 5 (fatal); the probability of the risk happening is then decided which gives a sum between 1(remote) and 5 (certain). Multiplying the 2 sums together will give the risk score, eg consequence Major x probability Possible would be 3 x 3 = risk score 9. The risk scores are given on the matrix below. The Assessment Score Probability Likelihood Consequences/severity
Controls, Assurances and Action Plans • Controls are the many different things that are in place to mitigate risk and assist in securing the delivery of objectives; they should make a risk less likely to happen, or reduce (mitigate) its effect if it does happen. • The Assurance Framework requires the Trust to consider the effectiveness of each control through the process of obtaining assurances that the control is in place and is operating effectively. These assurances are obtained from a variety of sources, such as management reports, internal and external audit and other external assessors
Controls, Assurances and Action Plans • A gap in control is deemed to exist where adequate controls are not in place, or where collectively they are not sufficiently effective. • A gap in assurance is deemed to exist where there is a failure to gain evidence that the controls are effective. • Wherever gaps in control or assurance are identified, action plans must be defined and allocated to appropriate lead directors. • These gaps in controls and assurance will be reviewed both internally and externally,
Trust Board Involvement in England • Guidance from the DoH states that the Board must be appropriately engaged in developing and maintaining the Board Assurance Framework. It is the duty of the whole Board, executive, and non-executive directors alike, to probe, discuss and advise so that the Board can confirm, revise or update action plans as required. • Scrutiny is therefore particularly important to the Assurance Framework process; unless the handling of the Trust’s principal strategic risks are both reviewed and challenged, it will add no value and become merely a ‘tick box’ exercise. • Given the focus of the Board Assurance Framework upon principal objectives and the fact that it should be maintained to reflect current circumstances, it should be a key driver for the agenda of Board meetings. The Annual Plan for the Board and Audit and Assurance Committee meetings is therefore explicitly linked to it and summary sheets for agenda papers cross-referenced to it.
Trust Board Involvement in England • It is the duty of Board members to ensure that they appropriately monitor the Trust’s significant risks and the associated controls and assurances. In particular, the Board should focus upon the progress of action plans to address gaps in control and assurance. The Board should ensure that all systems, processes and procedures required for the Board Assurance Framework function effectively, including where elements have been delegated to subcommittees that these complete and report on their specific responsibilities as defined in this document. • Each year, the DoH, through the Strategic Health Authority (SHA) and Internal Audit, verifies that the Trust Board is in sufficient control of its activities through monitoring and reviewing Board Assurance Framework reporting, particularly at Board level. In this way the Board Assurance Framework informs the Statement on Internal Control (SIC), which is signed by the Chief Executive of the Trust.
Information used by the Board Assurance Framework • The Trust Board and subsidiary committees will review the Trust’s Board Assurance Framework regularly. Examples of the information required to produce these reports is set out below: • The principal objectives of the Trust; • The principal risks identified from a ‘top down’ review of the Trust’s principal objectives and ‘bottom up’ risks from Directorate Business Plans and activities; • The source of each principal risk and its risk rating; • The type of each principal risk: Financial, Clinical, Statutory and Reputation; • The owner of each principal risk: the person responsible for ensuring that adequate controls are identified to mitigate the risk, and adequate sources of assurance are identified to confirm that the controls are effective; • The controls associated with each principal risk: the things in place to mitigate the risk and assist in securing delivery of the objective - these must be robust and specific, and properly match their associated objective; • Gaps in control: wherever adequate controls are not in place or not operating; • Source of assurance: where evidence can be found that the controls are effective – this must identify specific documentary evidence, and be relevant to the associated control(s); • Assurance status: indicates the actual value of the assurance, i.e. the result of the assessment, investigation or audit. • Gaps in assurance: where evidence is inadequate that controls are effective; • Action Plan: what will/is being done to address the gap(s) in control/assurance; • Action owner: person(s) tasked with completing the action; • Target date: date by which the action should be completed.
WEST SUSSEX PRIMARY CARE TRUSTBOARD ASSURANCE FRAMEWORK 2007 • PCTs are required to identify their Principal Objectives, the risks to delivery of those objectives and the control and assurance processes they • have put in place to manage the risks. Following advice from the PCT’s Internal Auditors the Board Assurance Framework contains only those • risks which are seen as significant. Other, lower level risks are included in the Corporate Risk Register. • The Executive Management Team • continues to work towards ensuring that adequate assurance processes are in place for all the identified risks. • This BAF is the result of merging those of the previous 5 PCTs and whilst it has been extensively updated is still under review.
‘’although the elephant is enormous, at least we can see it!! ‘’ • Locally we’ve been trying to map all the major assurance frameworks, to see how they inter-relate and how we can best approach them – given our slimmed-down corporate workforce, we need to look closely at not duplicating effort etc, so by creating an evidence data base we can more easily provide supporting documentation etc for the various bodies. It also means we can use our centralised governance team (we’ve set up a Corporate Assurance Team – informally at present, pending the restructuring outcomes) to help take forward the overall programmes of work. (WSussexPCT)
Mapping • Provide and manage the assurance processes within West Sussex PCT, to sustain safety • Develop and facilitate the assurance business timetable • Carry out random spot checks of progress and evidence for any given standard • Avoid duplication of evidence gathering and associated effort • Centralise evidence collation, and classify/categorise as appropriate to ensure easy retrieval • Clarify assurance terminology • Map and cross-refer evidence from any baseline assessment • Provide feedback as part of an iterative process to identify any highlighted issues or gaps in assurance • Streamline the reporting of such issues from relevant committees or working group
SIPOC Completing a SIPOC exercise creates an ability to manage expectations and quickly identify and communicate: • who the process serves (clients) • required inputs to make the process successful (inputs) • who provides the required inputs (suppliers) • steps involved to complete the task (process) • the results that the process delivers (outputs)
Issues for you • Be Proactive • Focus on the detail, complete the AF • Working Document- not once or twice a year • Validated scores- watch out for estates managers • It may difficult to get the Board excited about playing a key role in this
Next Steps • Central Guidance? • Board development? • Whole health economy assurance frameworks • Who would decide, set controls and assurance, action plans? • Who would be accountable?
Whole Health Economy Assurance Frameworks Questions to ask • Can the LHB afford the activity we are providing? • What assurance do we have that private providers meet the standards we expect? • Do we have clinical engagement for the reforms we are making? • Do we have political, public and media buy in to the changes? • Are we (and our partners) being brave enough? • Do we (and our partners) follow through on our decisions?
Contact details Dr John Bullivant Jbullivant@iqa.org 07775524390 Michael.deighan@ncgst.nhs.uk