february audit and risk assurance committee agenda meeting pack 08... · audit and risk assurance...


Audit and Risk Assurance Committee Agenda

Date 08 February 2017

Time 10.30 am – 14.00 pm (Lunch will be provided at 12:30 pm to 13:00 pm)

Venue Boardrooms 1/2, 2nd floor, 151 Buckingham Palace Road

Private session for members only starts at 10.00am

Agenda items

10.00am ARAC Members private session

10.10am -10.30am Confidential meeting with Internal and External Auditors

10.30am-12.30pm ARAC Meeting

1. Welcome and apologies

2. Declarations of interest

3. Minutes of 10 November 2016 (AUD163-16)

4. Matters arising (RS) (Oral)

5. ARAC Chair’s update

6. Audit tracker report (MA) (AUD164-16)

7. Internal audit (PF/AB)

Progress report and plan for rest of year (AUD165-16)

People and Workforce Report (Annex A)

Board Effectiveness Report (Annex B)

Audit follow-up/closure of Living Donation Audit

Management response to Enquiries Management Audit (RS) (Annex C)

8. Risk update (RS) (AUD166-16)

Strategic risk register (Annex A)

Exploration of risk area: Sector risks and public confidence – HTA Inspection Rationale (HL) (Annex B)

Update on Risk Management policy and strategy (MA) (Annex C)

Department of Health Risk Interdependencies (Annex D)


9. External audit (NAO) (Oral)

Update on current audit work

10. Reserves policy and update on policy review (MA) (AUD167-16)

HTA-POL-49 Reserves Policy February 2016 (Annex A)

ARAC Policies and Procedures Summary (Annex B)

11. Review of ARAC performance (Oral)

12. Review of gifts and hospitality register (MA) (AUD168-16)

13. HTA’s arrangements to address the recommendations arising from the Caldicott Review (RS) (AUD 169-16)

14. Appointment of internal auditors (RS) (Oral)

15. Reports on grievances, disputes, fraud and other information (Oral)

16. Topics for future risk discussions (discussion)

17. Future ARAC training (discussion)

18. Any other business

12.30pm – 1.00pm Lunch

1pm - 2pm Joint ARAC/Management Training Session: Risk assurance mapping

2pm-2.30pm ARAC Members and RS Performance Discussion

Next meeting – 18 May 2017.


Minutes of the Audit Risk and Assurance Committee

Date 10 November 2016 Paper AUD 163 -16

Venue 151 Buckingham Palace Road, Boardroom 1&2

Protective Marking OFFICIAL

Present

Members

Amanda Gibbon - Chair

William Horne

Glenn Houston

In attendance

Allan Marriott-Smith (CEO)

Richard Sydee (Director of Resources)

Morounke Akingbola (Head of Finance & Governance)

Kevin Wellard (Quality and Corporate Governance Manager)

Diane Galbraith (Head of Human Resources)

Apologies

Andrew Hall (Member)

Stuart Dollow (Member)

Karen Finlayson (PwC)

External Attendees

Patrick Irwin (DH)

George Smiles (NAO)

Sarah Edwards (NAO)

Paul Foreman (PwC)

Item 1 – Welcome and apologies

1. AG welcomed Richard Sydee (RS) and Kevin Wellard (KW) to their first HTA

ARAC meeting. There were apologies for absence from AH, KF and the newly

appointed, fifth member of ARAC, Stuart Dollow (SD).

Item 2 – Declaration of interest

2. There were no declarations of interest.

Item 3 – Minutes of 18 May 2016 ARAC meeting


3. The minutes of the 18 May 2016 meeting were agreed.

Item 4 – Matters arising

4. Action 4 from 11 February 2016: the business continuity and crisis

management response plan has been drafted and will be circulated to ARAC

Members.

5. Action 6 from 11 February 2016 (raise the risk within DH of IAs continuing to

operate without DBS checks) – is completed.

6. Action 14 from 18 May 2016: (add to November ARAC agenda an item on

turnover in the Communications Team) – is completed. This item was revised

after the last ARAC meeting and the risk discussion will be widened to reflect

staff turnover across the HTA.

7. Item 18 from 18 May 2016: (add to November ARAC agenda the risks of

complaints to the HTA and the HTA’s handling of complaints) - this issue was

discussed at the November Authority meeting so is now complete. AMS gave

the meeting a brief outline of some further background to this item.

Action 1 – RS to circulate a copy of the business continuity and crisis

management response plan to ARAC members.

Action 2 – ARAC members to receive an update on the risk of complaints

and complaints handling at the HTA at the ARAC meeting in November

2017.

Item 5 – ARAC Chair’s update

8. AG provided an update of meetings she has attended, including the ARAC

chairs’ event hosted by the National Audit Office. A key theme of this event

was the need for increased focus on risk interdependencies arising across the

DH health group. AG advised that she and AMS will be attending the DH Audit

Committee meeting on 16 November 2016.

9. AG reminded ARAC members that the Internal audit contract is due for renewal

in March 2017 and received assurance from RS that members of ARAC would

be involved in the contract renewal process. The DH are currently finalising the

Invitation to Tender (ITT) which has had input from HTA.

Item 6 – Internal Audit


Progress report and plan for the remainder of the year

10. PF presented this report, which included reference to the enquiries

management audit and time allocated in the forward plan to review crisis

management. The committee discussed the feasibility of delivering the

remaining elements of the plan within budget. It was estimated that an

additional £2.5k will be required to deliver the crisis management audit

scheduled to occur once the HTA’s internal testing event has concluded. It was

agreed that Executive Officers should consider/identify the additional costs

required to implement the plan and if possible approve the plan and provide an

update/clarification to members of ARAC via email.

11. PF drew the committee’s attention to the section of the report reviewing

progress against the recommendations arising from the Living Donation

Internal Audit report and asked members of ARAC to consider whether they

were content to accept the remaining gaps in information/progress as

acceptable risks. It was agreed that management should seek clarification

from the relevant establishment and provide feedback to ARAC members on

the reasons for the one remaining IA without a completed DBS check.

Action 3 – RS to discuss the remainder of the 2016/17 internal audit plan

with the Exec and advise ARAC of any amendments via email

Action 4 - management should seek clarification from the relevant

establishment and provide feedback to ARAC members on the reasons

for the one remaining IA without a completed DBS check.

Action 5 – ARAC to reconsider the findings of the Living organ donation

follow-up audit once the item in Action 4 has been further clarified.

Enquiries management audit

12. PF presented the internal audit report into the handling of enquiries at the HTA.

PF gave an overview of the recommendations arising from the audit and

advised the meeting that an overall rating of moderate risk had been

concluded. Members concurred with the recommendation to reconfigure the

CRM system having experienced inconsistency within the CRM system in

terms of the email alerts/reminders set as prompts for ongoing actions.

13. Members of ARAC were assured that a proportionate, resource efficient,

project plan will be developed to address the recommendations arising from the

audit. This will include greater emphasis on quality measures and upgrades to


the CRM system. Members were further assured that both ARAC and the

Authority at large would be given appropriate oversight concerning the

monitoring of actions.

Item 7 Audit Tracker report

14. MA presented an overview of the Audit Tracker Report and members were

given updates on actions that remain in progress. There was discussion on the

need to improve the presentation of the tracker, and for the executive to

provide greater information on expected dates of completion for matters that

remain in progress.

15. Members were advised that the completion of item 4 in the business continuity

section of the tracker is subject to an exercise to test the revised Business

Continuity Plan but were assured that this item will be completed by the

deadline.

Item 8 Risk update

16. AMS presented an update on the HTA Strategic Risk Register. AMS advised

that while risk 3 remained amber, the risk likelihood was felt to be increasing as

a result of the continuing uncertainty around the timing of the implementation of

EU directives on coding and import. This work cannot be progressed by the

HTA until ministerial approval is received for DH to proceed with the

consultation on the draft Regulations and, as a result, the task of

implementation by the current April deadline is increasingly challenging. It is

estimated that implementation will require an absolute minimum of three

months but this timeframe carries considerable reputational risk given the

limitations this shortened period would place on providing proper stakeholder

consultation and delivery safeguards. PI advised that the DH is still awaiting

political guidance on this issue. AMS advised that amendments will be made to

this section of the register to further consider the mitigation of risks arising from

the HTA’s potential failure to implement the regulations by the April deadline.

Members were advised that AMS and the HTA Chair will be raising the HTA’s

concerns on this matter when they meet Lord Prior.

17. There was discussion on whether risk items assessed as green should remain

in the risk register. Members were advised that these items remain in the

register to enable ongoing sensitivity analysis and adjustment of identified risks.

RS advised that he will be considering a move to exception reporting for the

monitoring of risks with an opportunity for members to be given less frequent

oversight of the register in its entirety. Members were advised of the need to

refocus risk five to reflect its more stable status but this exercise will remain on


hold for the time being to allow for the implementation and bedding down of the

new fees structure.

18. Members noted the improved position in relation to risk 4 concerning the

retention and utilisation of staff.

HTA’s Approach to staff turnover

19. AMS and DG advised members that, despite positive staff attitudes to the HTA,

staff turnover continues to pose a strategic risk to the organisation. Analysis of

the exit interview results and more anecdotal evidence suggests that the root

causes of this are the organisation’s relatively flat organisational structure and

the public sector pay constraints, which together limit staff opportunities to

progress their careers or significantly increase their salaries within the HTA.

20. The HTA response to the issue of staff turnover is contained within the People

Strategy which describes the offering we make to our people and what we

expect in return. It presents our view of what can be done to keep people for

longer and the limits on this. Good progress has been achieved on the

deliverables from the Strategy (which runs until April 2017), with the most

significant facet still to be delivered being the structured Learning and

Development Framework, linked to the objectives of the corporate business

plan. This includes encouragement for staff to gain wider skills and experience

via secondments. Members were advised that there had been a reduction in

take-up for the organisation’s career investment scheme.

21. DG circulated a copy of the organisational structure detailing staff by length of

service. Discussion followed on the need for further refinement of the

presentation of this data to also identify the amount of time served by staff in

their current posts.

22. AMS noted that competition between internal candidates for recent vacancies

has provided promotion opportunities for some but has inevitably disappointed

others. AMS also noted that opportunities and different pay structures across

the wider Health Group create further opportunities for individuals but also a

further threat to HTA staff retention.

23. In terms of stress management, DG advised that despite stretching workloads

there is limited evidence of staff working longer hours to cope with this. The

HTA has recently instituted a policy for payment of travel time outside of normal

working hours to address a particular concern expressed by regulation

managers. Members were advised that ‘work life balance’ scored high within

the staff survey.


24. Staff exit interviews are offered to gain an insight into staff perceptions at the

point of their leaving the HTA. Of the ten staff offered an exit interview in the

last year three declined the offer. An issue emerging from the exit interviews is

a perception of new regulation managers being paid higher salaries than

existing members of staff. It is very difficult to overcome any misperceptions in

this area as this would require the sharing of salary data for individuals, which

is not something that we would consider. A revised and updated remuneration

policy was recently circulated to staff to give greater transparency about the

HTA pay scale structure and the method for setting starting salary. This will

now be benchmarked annually with comparable agencies.

25. DG advised that most absence tends to be short-term (i.e. one or two days’

sickness) but there are currently five long-term absences. The committee

received assurance over the reasons for these absences.

26. Members were given an update on staffing within the Communications Team.

A new Head of Communication joined the team four months ago and has

experience in media enquiries. The current Stakeholder and Engagement

Manager has been in post for a year and with the HTA for two years. The

Communications Development Officer role was internally filled, approximately

six-months ago, although the Website and Communications Officer role

recently became vacant. The latter post is currently under review. There are

plans to provide training on fielding media enquiries for the Stakeholder and

Engagement Manager to augment the availability of two Regulatory Heads of

Service who have already undergone this training.

27. The meeting noted that internal auditors will be looking at staff retention later in

the current financial year.

Risk Management Policy and Strategy

28. MA presented a revised HTA Risk Management Policy and Strategy, containing

initial draft tracked changes, and asked those present to provide feedback and

comments.

29. MA was advised to:

give greater prominence to the sections on the HTA’s role within the

wider DH context and the alignment of the organisation’s risks with its

objectives by moving these to the start of the report;

add time-scales to “Type of risk” table to reflect current and next year.

make it clearer in paragraph 43 that risk owners need to reflect the

responsibilities identified, within the risk register;


reflect the HTA’s approach to addressing wider risk interdependencies

within the report.

30. Members noted that time has been set aside within the forward plan for the

committee to discuss risk interdependencies at its meeting on 18 May 2017.

31. The updated version of the Risk Management Policy and Strategy will be

brought to the next meeting.

Action 6 – Add an agenda item to the agenda for the February ARAC

meeting for members to receive an update on the review of the Risk

Management Policy and Strategy.

Item 9 – Review of ARAC Handbook

32. MA presented the ARAC Handbook and took the committee through the

minimum amendments to it. The committee made one recommendation to

remove the extra “approach” from para 4 under section 7.

Item 10 – External Audit Planning Report

33. GS gave members an overview commentary of the Internal Audit Planning

report. GS drew the committee’s attention to areas that the NAO consider to be

of risk and these were agreed.

Item 11 – Updates on the Training of Designated Individuals and using

inspection templates in the Post Mortem sector

34. AMS undertook to provide an email update to members on these issues after

the meeting. In the meantime, he advised that an initial pilot for the training of

Designated Individuals (DIs) will begin in quarter four, within the ongoing

project to implement the new codes and standards. AG suggested that

members might wish to consider this as a prospective topic for a future deep

dive session. The committee also discussed the possibility of charging for some

(non-core) training to establishments in future.

Action 7 - AMS to provide members of ARAC with an email update on the

training of DIs and using inspection templates in the Post Mortem sector.

Item 12 – Reports on grievances, disputes, fraud and other information

35. Members were assured that there were no matters to report under this agenda

item.


Item 13 – Topics for future risk discussions

36. AG advised members that a discussion on the timing and dates of future

meetings and possible topics for future deep dive sessions will follow

immediately after lunch.

The agreed Deep dive risk sessions are as follows:

37. February - ARAC to look at the risks posed by the sectors regulated by the

HTA and the regulatory/inspection approach it takes to protect public

confidence in the face of those risks. The starting point will be Caroline

Browne’s paper on the HTA’s inspection rationale.

38. May - Following the Authority’s seminar on the Human Application sector at its

February meeting ARAC will look in more detail at the HA sector - its breadth of

activity, the HTA’s regulatory approach and risk assessments for various

aspects of the sector. Rob Watson will lead on this. We may refine our

approach to this session following the Authority’s session.

Item 14 – Future ARAC training

39. It was agreed that there should be a joint member/management team training

seminar following the February 2017 ARAC meeting on what to consider and

be aware of when undertaking risk assurance mapping and bearing in mind risk

interdependency across the wider health group. AG suggested that the May

2017 training might cover value for money auditing and how to think about the

optimal deployment of HTA resources.

Item 15 – A.O.B.

40. AG asked that a report addressing the HTA’s compliance with the

recommendations of the July 2016 National Data Guardian report (Review of

Data Security, Consent and Opt-outs) be brought to the ARAC meeting in

February 2017.

Action 8 - Add an agenda item to the agenda for the February ARAC

meeting for members to consider the HTA’s arrangements to address the

recommendations emerging from the Caldicott review.

41. AG noted that this was the last HTA ARAC meeting to be attended by PI. PI is

due to retire from his post at the DH in the new year. Colleagues expressed


their best wishes and a note of gratitude and appreciation to PI for all of his

help and support to the HTA and ARAC.

42. The next ARAC meeting is scheduled for 8 February 2017. Future meetings

were scheduled for 18 May 2017 and 2 November 2017.


Audit and Risk Assurance Committee Paper

Date 23 January 2017 Paper reference AUD 164-16

Agenda item 6 Author Nicola Fookes

Protective Marking PROTECT

Audit Tracker

Purpose of paper

1. The purpose of this paper is to update the Audit and Risk Assurance Committee on the progress made in response to external and internal audit recommendations.

Decisions made to date

2. As detailed in the progress sections of this paper.

Actions required

3. That the Committee notes progress.


Summary of all recommendations

| Recommendation Source | Total | Completed as planned | Completed later than expected | In progress as planned | In progress with some delay | Not started |
|---|---|---|---|---|---|---|
| IA – Data Retention | 2 | 1 | 0 | 0 | 1 | 0 |
| IA – Living Organ Donation | 11 | 4 | 5 | 0 | 2 | 0 |
| IA – Business Continuity | 4 | 0 | 4 | 0 | 0 | 0 |
| IA – Enquiries | 8 | 0 | 0 | 0 | 0 | 8 |
| IA – Board Effectiveness | 4 | 0 | 0 | 0 | 0 | 4 |
| IA – People and Workforce | 4 | 0 | 0 | 3 | 0 | 1 |
| COUNT | 33 | 5 | 9 | 3 | 3 | 13 |

IA – Internal Audit - PwC

EA – External Audit - NAO


Completed since last meeting

| Year | Audit | Category | Rec # | Recommendation | Manager | Status |
|---|---|---|---|---|---|---|
| 2015-16 | PwC – Business Continuity | Medium | 4 | Provide training to all staff on the BCP | Martin Cranefield | Completed later than planned |

Total 1


Summary of outstanding recommendations

| Year | Audit | Category | Rec # | Recommendation | Manager | Status |
|---|---|---|---|---|---|---|
| 2015-16 | PwC – Data retention | Medium | 1 | Review the Information Asset Register - ensure compliance with the Data Protection Act 1998 and align with the Department of Health Records Management Code of Practice and The National Archives best practice guidance. | Jamie Munro | In progress with some delay |
| | PwC – Living Organ Donation | Low | 6 | Update the re-accreditation process for IA’s with high numbers of red or amber reports | Jessica Porter | In progress with some delay |
| | | Low | 9 | To record time taken for case decisions to be made after receipt by HTA | Jessica Porter | In progress with some delay |
| 2016/17 | PwC – Enquiries | Medium | 1 a) | To reconfigure the notification workflow | Richard Sydee | Not started |
| | | | 1 b) | To make ‘category’ and ‘channel’ fields mandatory | Richard Sydee | Not started |
| | | Medium | 2 a) | Update enquiries SOP regarding time scale for passing an enquiry to a RM, the definition of an enquiry, the relevant stages of dealing with and communicating an enquiry and including a reference number on all enquiries | Victoria Marshment | Not started |
| | | | 2 b) | To regularly review the enquiries SOP | Victoria Marshment | Not started |
| | | Medium | 3 a) | To reconfigure CRM to include mandatory fields to record if enquiries are from a licenced provider | Richard Sydee | Not started |
| | | | 3 b) | To monitor and manage deletion dates for enquiries on an automated basis | Richard Sydee | Not started |
| | | Medium | 4 a) | To consider further KPI’s for more effective monitoring | Victoria Marshment | Not started |
| | | | 4 b) | To improve custom report for KPI% | Victoria Marshment | Not started |
| | | Low | 5 a) | To agree a method of collecting FAQ’s efficiently to reduce workload | Victoria Marshment | Not started |
| | | | 5 b) | Consider separating enquiries from license holders | Richard Sydee | Not started |
| | | Low | 6 a) | Consider QA checks on enquiry responses | Sarah Bedwell | Not started |
| | | | 6 b) | Consider a standard format for enquiry responses | Victoria Marshment | Not started |
| | | | 6 c) | Create a clear process by which RM’s become sufficiently experienced to answer enquiries | Sarah Bedwell | Not started |
| | | Low | 7 a) | Identify FAQ’s that could be dealt with by Assistants | Sarah Bedwell | Not started |
| | | | 7 b) | Review and update SOP’s provided to Assistants | Victoria Marshment | Not started |
| | | Low | 8 a) | Investigate via Skype the volume on unanswered calls | Richard Sydee | Not started |
| | | | 8 b) | Implement fall back arrangements for unanswered calls | Richard Sydee | Not started |
| | | | 8 c) | Perform spot checks on phones to ensure arrangements are in place | Richard Sydee | Not started |
| | PwC – Board Effectiveness | Medium | 1 | Better induction training for new Members to include LOD cases and decision making | Allan Marriott-Smith | Not started |
| | | Low | 2 | To discuss with DH possible flexibility in the term of appointment for members to benefit both experience and fresh perspective | Allan Marriott-Smith | Not started |
| | | Low | 3 | To ensure board papers are succinct, clear and relevant to the Board’s strategic role | Allan Marriott-Smith | Not started |
| | | Low | 4 | To clarify process for annual objectives and appraisals | Allan Marriott-Smith | Not started |
| | PwC – People and Workforce | Low | 1 | To review organisation structure for increased hierarchy within RM’s | Heads of Regulation | Not started |
| | | Low | 2 a) | To make clear communication when actions are taken from the People strategy | Diane Galbraith | Completed as planned |
| | | | 2 b) | Update staff on progress against the People Strategy | Diane Galbraith | In progress as planned |
| | | Low | 3 | Obtain feedback on the people strategy from 1-2-1 meetings | Diane Galbraith | In progress as planned |
| | | Low | 4 | To report feedback from new starters and leavers regarding possible improvements | Diane Galbraith | In progress as planned |

Total 19


2015/16

PwC – Data retention

RECOMMENDATION

1 - Review the Information Asset Register - ensure compliance with the Data Protection Act 1998 and align with the Department of Health Records Management Code of Practice and The National Archives best practice guidance.

Design and Governance of Document Retention procedures at the HTA

Review current retention periods and the content of the Information Asset Register by collating information from business units, following best practice guidance from The National Archives. Align minimum retention periods to the Department of Health Records Management Code of Practice where applicable. Ensure that documents under the scope of the Public Records Act 1958 or the Freedom of Information Act 2000 are identified and retained appropriately based on the requirements of this legislation. If necessary, consult with The National Archives to obtain advice on how to apply the selection criteria. Ensure that records containing personal data are not retained for longer than required, in line with principle five of the Data Protection Act 1998.

AGREED ACTIONS

We accept all of the recommendations and will implement these through a comprehensive piece of work that we’ll need to plan carefully, involving staff throughout the HTA, alongside other current priorities. We will determine retention periods for personal data and ensure records that fall outside these are destroyed.

Target date – April 2016

PROGRESS, WITH OWNER / COMPLETION

Feb-2016: Information Assets and the associated retention dates have been reviewed. Personal data which had passed its retention dates has been destroyed throughout December and January. Further work to be undertaken looking at shared drives and IMPACT. (Jamie Munro, In progress)

May-2016: Work has been done on this and the vast majority of data held has been reviewed. The remaining work to be completed is within HR which is currently in progress. (Jamie Munro, In progress)

Nov 2016: Work underway with HR documents but yet to be completed. (Diane / Jamie, In progress)

Feb 2017: HR to determine what should be retained for a summary staff record before all other records can be destroyed. (Diane Galbraith, In progress)


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2015/16

PwC – Living Organ Donation 4 - Introduce a process and guidance for the recruitment, training and termination of an IA between HTA and NHS Trusts

Appointment, accreditation and training of assessors Responsibility for the recruitment of Independent Assessors is not formally agreed between the HTA and the individual Trusts The HTA should consider the introduction of a process to be formally notified of leavers by Trusts or otherwise directly by leavers. For example, it could specify the process for informing HTA of a leaving date with sufficient notice within its guidance documents to IAs. The HTA should consider introducing standard agreements between Trusts and itself which clearly set out responsibilities for recruitment and proactively identifying demand for IAs.

Update guidance to state that the HTA must be informed when an IA will be leaving the role. Write to Trusts to clearly set out responsibilities for recruitment and proactively identifying demand for IAs. Target date – March 2016

May 16 A letter was sent to Trusts in February 2016. This outlined a number of issues including that recruitment of IAs was the responsibility of the Trust and not the HTA. The guidance is due to be updated and published in August 2016 and this will include new advice about the HTA being informed of IAs that leave the position.
Nov 2016 Guidance delayed and will go out 1st week of November 2016.
Feb 2016 Guidance to be issued in the January newsletter to IA’s and further correspondence to go out to all trusts in March 2017.

Chitvan Amin In progress Chitvan Amin In progress Jess Porter In progress


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2015/16

PwC – Living Organ Donation 6 - Update the re-accreditation process for IA’s with high numbers of red or amber reports

Appointment, accreditation and training of assessors

The current design of re-accreditation process does not allow for timely response to quality issues, and may not identify all assessors in need of further training.

The HTA should consider updating the re-accreditation process to ensure that:
- There is a consistent approach to the treatment of IAs with a high number of (non-consecutive) red or amber reports versus those with a consecutive, low number of such reports;
- Refresher training is provided on a timely basis in response to known quality issues; and
- Where IAs are not automatically re-accredited, they should not perform assessments until refresher training is provided.

HTA will move to a system of continuous accreditation which will allow for closer monitoring throughout the year

Nov-15 In progress - changes being made to CRM to support close monitoring of IA reports throughout the year.
Feb-16 This is a priority and to be included in the Phase 1 of the next CRM development.
Update May 2016 meeting - Some minor tweaks to support this have been made as part of phase 1 changes to CRM; however, the broader scoping work will take place later this year.
Nov-16 Ongoing with part of CRM upgrade project.


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2015/16

PwC – Living Organ Donation 9 - To record time taken for case decisions to be made after receipt by HTA

Decision making KPIs in place do not currently measure the time taken between initial referral to HTA and a regulatory decision being made.

The HTA should monitor the time taken from the point of the initial referral to the date a regulatory decision is made. Where the key points of the assessment and/or decision-making process take longer than the expected period, the HTA should investigate the root cause and take action to avoid recurrence. The HTA should consider undertaking a Key Person Dependency Assessment to identify overreliance on any individuals whose roles cannot be carried out by other staff in their absence.

To be introduced in the rare cases that a case reaches the stage of RDM. Piece of work to be undertaken on retrospective cases that have reached RDM. Add to the SOP.

Nov-15 Not started.
Feb-16 Not as relevant as other recommendations - we will consider whether it is appropriate or realistic to implement.
May 2016 This is not considered a concern by stakeholders or the LDAT so has not been prioritised. Scoping work will begin soon to decide how to address this.
Nov 2016 Linked to previous recommendation regarding delay in assessing cases. Agreed that no further action is required on this.


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2015/16

PwC – Business Continuity 4 - Provide training to all staff on the BCP

Decision making KPIs in place do not currently measure the time taken between initial referral to HTA and a regulatory decision being made.

The HTA should monitor the time taken from the point of the initial referral to the date a regulatory decision is made. Where the key points of the assessment and/or decision-making process take longer than the expected period, the HTA should investigate the root cause and take action to avoid recurrence. The HTA should consider undertaking a Key Person Dependency Assessment to identify overreliance on any individuals whose roles cannot be carried out by other staff in their absence.

To be introduced in the rare cases that a case reaches the stage of RDM. Piece of work to be undertaken on retrospective cases that have reached RDM. Add to the SOP. Target date – March 2016

Nov-15 Not started.
Feb-16 Not as relevant as other recommendations - we will consider whether it is appropriate or realistic to implement.
May 2016 This is not considered a concern by stakeholders or the LDAT so has not been prioritised. Scoping work will begin soon to decide how to address this.
Nov 2016 Linked to previous recommendation regarding delay in assessing cases. Agreed that no further action is required on this.
Feb 2017 BCP has been completed and approved and training provided to all staff and specific training delivered to all role owners ahead of a planned incident test.

Jamie Munro Delayed; Jamie Munro Delayed; Jamie Munro Delayed; Jamie Munro Delayed; Jamie Munro Completed later than planned


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 1 – a) to reconfigure the notification workflow and b) to make ‘category’ and ‘channel’ fields mandatory

a) The notification workflow should be reconfigured to enable correct functionality of notifications. Consideration should be given to increasing the number of notifications to include notifications at one, two and/or three days prior to due date, as well as an escalation with later emails being sent to a more senior staff member as well.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee

b) ‘Category’ and ‘Channel’ should be made mandatory fields for completion, and if not possible due to expense, guidance should be issued to Assistants and RMs to ensure that this information is completely captured

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 2 – a) Update enquiries SOP regarding time scale for passing an enquiry to a RM, the definition of an enquiry, the relevant stages of dealing with and communicating an enquiry and including a reference number on all enquiries and b) to regularly review the enquiries SOP

a) The SOP should be updated to include the following:

Provide guidance on the time in which the various stages of the emails/website enquiries should be forwarded to the RMs, including time to open email or answer call, time to convert to a case and time to forward to RM. Management may find it beneficial to develop a process map which covers the process.

A clear definition of what constitutes an enquiry should be made, including whether a case has to be logged in certain scenarios. Consideration should be given to requiring all enquiries to immediately be logged in CRM as this avoids possibility of cases being lost or not followed up. However consideration should be given to the costs of such a system.

All relevant stages of the Enquiry Management process to be shared with all those involved to clearly communicate roles and responsibilities. This could be in the form of a more detailed process map.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Victoria Marshment


That the enquiry reference number should be provided to the enquirer who can then cite this when following up on an enquiry. To support this, a notification of receipt email should be provided to the sender on all email and website enquiries.

b) SOP documentation should also undergo regular review with future dates of review set and maintained, for example on an annual basis or earlier where procedures change.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Victoria Marshment


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 3 – a) to reconfigure CRM to include mandatory fields to record if enquiries are from a licensed provider and b) to monitor and manage deletion dates for enquiries on an automated basis

a) CRM should be reconfigured to include a mandatory field which requires information on whether the enquiry is from a licensed provider or not. If not possible due to expense, consideration could be given to capturing this information in the ‘Channel’ or ‘Category’ fields, if deemed suitable

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee

b) Deletion dates for enquiries should then be monitored, to ensure that all relevant data is deleted in line with HTA guidance and in accordance with the DPA, ideally on an automated basis.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 4 – a) to consider further KPI’s for more effective monitoring and b) improve custom report for KPI%

a) Consider what further KPIs would enable more effective monitoring of enquiry management (and are practicable to gather data on), for example, number of cases open longer than 10 days.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Victoria Marshment

b) Improve custom report to allow KPI% to be easily calculated without a need for manual adjustments

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Victoria Marshment


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 5 – a) to agree a method of collecting FAQ’s efficiently to reduce workload and b) consider separating enquiries from license holders

a) A decision needs to be made as to best method going forward in collecting information regarding FAQs and using it efficiently to reduce staff workload. This information once collated could be provided internally through the HTA intranet to allow future enquiries to be dealt with more easily and in a more consistent fashion. The external website could also include the FAQs to reduce the burden of enquiries on HTA.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Victoria Marshment

b) Consider whether/how to separate enquiries from license holders from general enquiries. This could be through creating an enquiries portal for license holders only, which then creates a case automatically.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 6 – a) consider QA checks on enquiry responses, b) consider a standard format for enquiry responses and c) create a clear process by which RM’s become sufficiently experienced to answer enquiries

a) Consider Quality Assurance (QA) checks in relation to answers provided to enquiries for all RMs, for example through sampling a small number of responses on a periodic basis and feeding back on both positive aspects and areas for improvement. Evidence of review should be retained; if possible, this would be captured within CRM to provide an effective audit trail.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Sarah Bedwell

b) Consider whether a standard style or format of response could be applied across the organisation or departments

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Victoria Marshment

c) Create a clear and documented process by which an RM becomes sufficiently experienced to answer enquiries independently and maintain evidence of each individual’s progress. We appreciate that there will need to be some flexibility in the time scales applied

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Sarah Bedwell


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 7 – a) identify FAQ’s that could be dealt with by Assistants and b) review and update SOP’s provided to Assistants

a) Identify whether there are more FAQs that Assistants could be trained to answer and incorporate this into refreshed and more formal training to be provided to Assistants before they start to take calls and open emails

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Sarah Bedwell

b) The SOPs provided to assistants should be reviewed and updated where necessary

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Victoria Marshment


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Enquiries 8 – a) Investigate via Skype the volume of unanswered calls, b) implement fall back arrangements for unanswered calls and c) perform spot checks on phones to ensure arrangements are in place

a) Investigate with Skype where applicable, how many calls ‘ring through’ without being answered and whether forwarding is set up on all accounts

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee

b) Require all staff to set up fall back arrangements that will ensure if their phone is not answered and it is not routed and answered via mobile it will fall back to switchboard

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee

c) If it is not possible to confirm this is in place for all phones, spot checks may need to be performed or confirmation gathered.

Recommendation agreed and action added to project plan for implementation Target date – June 2017

Feb 2017 – Actions to be taken forward by a project team.

Richard Sydee


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Board Effectiveness 1 - Better induction training for new Members to include LOD cases and decision making

Ensure that induction training provides sufficient time, focus and examples of decision making for the living organ donation process and that after it board members feel that they have sufficient clarity and confidence to fulfil their role in the decision making process. Establish a forum for the new board members to enable discussions on the more complex living organ donation cases. Review the training for board members to include attendance at inspections (possibly as part of the induction process) and evaluate if any other training would be beneficial.

Yet to be agreed Allan Marriot-Smith


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Board Effectiveness 2 - To discuss with DH possible flexibility in the term of appointment for members to benefit both experience and fresh perspective

Consider discussions with the Department of Health on the importance of achieving the appropriate balance of change and, if required, having some flexibility in the appointment process (such as 4+2 years appointments) and spreading out end dates to enable the Authority to respond flexibly to the need for experience and expertise whilst still benefiting from fresh perspectives.

Yet to be agreed Allan Marriot-Smith


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Board Effectiveness 3 - To ensure board papers are succinct, clear and relevant to the Board’s strategic role

As planned, ensure papers are formatted to be suitably brief and clear, focusing on the key points for discussion and agreement relevant to the board’s strategic role. A similar approach should apply to presentations. Once the new approach is fully in place, it may be appropriate to take further soundings from members on whether the objectives of the change have been achieved.

Yet to be agreed Allan Marriot-Smith


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – Board Effectiveness 4 - To clarify process for annual objectives and appraisals

Clarify the process for agreement of annual objectives and annual appraisals with new members. Confirm that new members are content that they understand their objectives and how they should focus in the period through to their first individual appraisal.

Yet to be agreed Allan Marriot-Smith


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – People and Workforce 1 – To review organisation structure for increased hierarchy within RM’s

Undertake a review of the organisation’s structure to identify where additional layers of seniority could be implemented and might be of benefit. Specifically consider the scope for increased hierarchy in the Regulation Manager group.

Investigation into the possibility of stratification within the Regulation Manager role will be undertaken. Due to the size of our organisation, we do not feel it is possible to add an additional hierarchy level outside of the Regulation Manager posts. Target date – April 2017

Feb 2017 – to be completed Heads of Regulations Not started


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – People and Workforce 2 – a) to make clear communication when actions are taken from the People strategy and b) update staff on progress against the People Strategy

a) Where actions are taken as a result of the People Strategy, ensure that the link to the People Strategy is made clear in communications, for example including wording about which part of the Strategy it is responding to

a) Going forward communication and documents that relate to the People Strategy will advise of the link to the People Strategy and include the ‘People Strategy’ branding

Target date – March 2017

Feb 2017 – recommendation fully implemented

Diane Galbraith Completed as planned

b) Provide an update to staff on progress against the People Strategy, for example in a ‘You said…. We did…’ format

b) Provide an update Target date – March 2017

Feb 2017 – to be completed Diane Galbraith In progress as planned


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – People and Workforce 3 – Obtain feedback on the people strategy from 1-2-1 meetings

Consider obtaining feedback on the implementation and impact of the People Strategy from staff, for example through one to one meetings with Line Managers.

Feedback will be sought from staff on the People Strategy during annual PDP discussions as well as the staff survey. Target date – April 2017

Feb 2017 – to be completed Diane Galbraith In progress as planned


RECOMMENDATION AGREED ACTIONS PROGRESS OWNER / COMPLETION

2016/17

PwC – People and Workforce 4 – To report feedback from new starters and leavers regarding possible improvements

Implement regular reporting on new joiner feedback and investigate where improvements may be required, for example where instances of expectation gaps are cited (including as a reason for leaving after only a short time) and act on this accordingly.

Six monthly report to SMT to be implemented. Target date – March 2017

Feb 2017 – to be completed Diane Galbraith In progress as planned


Health Group

Internal Audit

AUD165-16

January 2017

Health Group Internal Audit provides an objective and independent assurance, analysis and consulting service to the Department of Health and its arm’s length bodies, bringing a disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

The focuses on business priorities and key risks, delivering its service through three core approaches across all corporate and programme activity:

Review and evaluation of internal controls and processes;

Advice to support management in making improvements in risk management, control and governance; and

Analysis of policies, procedures and operations against good practice.

Our findings and recommendations:

Form the basis of an independent opinion to the Accounting Officers and Audit Committees of the Department of Health and its arm’s length bodies on the degree to which risk management, control and governance support the achievement of objectives; and

Add value to management by providing a basis and catalyst for improving operations.

INTERNAL AUDIT PROGRESS REPORT

For further information please contact:

Cameron Robson - 01132 54 6083

1N16 Quarry House, Quarry Hill,

Leeds, LS2 7UE


Our work has been conducted and our report prepared solely for the benefit of the Department of Health and its arm’s length bodies and in accordance with a defined and agreed terms of reference. In doing so, we have not taken into account the considerations of any third parties. Accordingly, as our report may not consider issues relevant to such third parties, any use they may choose to make of our report is entirely at their own risk and we accept no responsibility whatsoever in relation to such use. Any third parties, requiring access to the report may be required to sign ‘hold harmless’ letters.

CONTENTS PAGE

1. Introduction
2. Progress against 2016/17 Internal Audit Plan
2.1 Status of agreed plan
2.2 Summary of reports issued since the last Audit and Risk Assurance Committee
2.3 Follow up work
2.4 Impact on Annual Governance Statement
Appendix 1: Report Rating Definitions
Appendix 2: Limitations and responsibilities


HTA Internal Audit Progress Report January 2017

1) Introduction

This paper sets out the progress in completing the 2016/17 Internal Audit Plan since the last meeting of the Audit and Risk Assurance Committee in November 2016.

2) Progress against 2016/17 Internal Audit Plan

2.1 Status of agreed plan:

The table below summarises the progress against each of the review areas in the 2016/17 Audit Plan:

Reviews per 2016/17 IA plan: audit scope, status, findings (High / Medium / Low), overall report rating, audit days per plan, actual audit days

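Enquiries Management (Additional review)
Audit scope: This audit focussed on how enquiries are received and managed through to the provision of a response, and the monitoring and reporting on performance.
Status: Final report issued
Findings (High / Medium / Low): 0 / 4 / 4
Overall report rating: Moderate
Audit days per plan: 0
Actual audit days: 5.0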

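Board Effectiveness
Audit scope: This review assesses Board effectiveness via surveys and follow-up interviews.
Status: Final draft report issued 4th January, awaiting management action plan to finalise.
Findings (High / Medium / Low): 0 / 1 / 3
Overall report rating: -
Audit days per plan: 8
Actual audit days: 8.0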

Quality Controls Systems
Audit scope: We will focus on how HTA ensures consistency through the application of its Quality Management System, and what checks are in place. We will also consider as part of this review whether there are opportunities for the QMS to be more efficient and to deliver improved consistency.
Status: Scoping meeting planned for week commencing 23rd January.
Audit days per plan: 10
Actual audit days: 0.5


Management propose that the days assigned to Information Guidance and Enquiries Assurance Mapping are combined with this review to allow for Assurance Mapping over the Quality Control system, which will then be supported with some additional testing.

Crisis management
Audit scope: We will consider how HTA would manage a crisis scenario through observation of a crisis management exercise. This will be a limited scope review and will be undertaken in the form of an observation exercise.
Status: Date for management’s exercise had been confirmed, but due to unforeseen circumstances this had to be postponed. Revised date to be agreed as soon as possible.
Audit days per plan: 3
Actual audit days: 1.0

People and Workforce
Audit scope: HTA has an established KPI to reduce attrition rates through improved staff selection and targeted measures to retain staff. Our review will focus on how the Board obtains assurance that the appropriate actions are being undertaken to address the issues identified in accordance with agreed action plans.
Status: Final report issued.
Findings (High / Medium / Low): 0 / 0 / 5
Overall report rating: Moderate
Audit days per plan: 6
Actual audit days: 6.0

Information Guidance and Enquiries (Assurance Mapping)
Management have proposed that no further work is carried out on Information Guidance and Enquiries. The budget so released will in part offset the cost of the additional Enquiries Management review.
Audit days per plan: 3
Actual audit days: 0.0


Audit Management

All aspects of audit management to include:

Attendance at liaison meetings and HTA Audit and Risk Assurance committee;

Drafting committee papers/progress reports;

Follow-up work;

Resourcing and risk management; and

Contingency.

Status: Ongoing
Findings / overall report rating: Not applicable
Audit days per plan: 6
Actual audit days: 4.5

Total findings (High / Medium / Low): 0 / 4 / 4
Total days (per plan / actual): 36 / 25.0

2.2 Summary of reports issued since the last Audit and Risk Assurance Committee:

Since the last Audit and Risk Assurance Committee in November 2016 we have issued the final report on People and Workforce and the draft report on Board Effectiveness. The People and Workforce report accompanies this progress paper and the Board Effectiveness report will be circulated once management action plan has been agreed, as all other queries have been resolved on the draft report.

2.3 Follow-up work:

The HTA performs its own follow-up work, reviewing the status of agreed audit actions and reporting progress to the Audit and Risk Assurance Committee. As such, Internal Audit has been asked to provide independent assurance of the completion of agreed actions only over those actions which relate to high priority recommendations. This approach was agreed with the former Director of Finance and Resources.


No high priority actions have resulted from us undertaking the 2016/17 audit reviews to date. As reported in our November 2016 Progress Report, the one outstanding recommendation at the start of the year, arising from the Living Organ Donation Internal Audit report (ref HTA2015/16001), was subject to follow up testing and has been confirmed as completed.

2.4 Impact on Annual Governance Statement:

All reports issued with an overall Limited or Unsatisfactory rating, or with report findings that are individually rated high priority, should be considered for their possible impact on the Authority’s Annual Governance Statement (AGS). To date, no Limited reports and no high priority issues have been raised as a result of us completing the work forming part of the 2016/17 audit plan and all actions relating to previous high priority issues have been completed. Accordingly, there are no further matters arising from our work to date that we believe may require reference in the AGS, beyond those previously noted in the November 2016 Progress Report.


Appendix 1 – Report Rating Definitions

Risk Ratings of individual findings:

Priority Description

HIGH

Fundamental weaknesses in control which expose the Accounting Officer / Director to high risk or significant loss or exposure in terms of failure to achieve key objectives, impropriety or fraud. Senior managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a high priority internal audit recommendation.

MEDIUM

Significant weaknesses in control, which, although not fundamental, expose the Accounting Officer / Director to a risk of loss, exposure or poor value for money. Managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a medium priority internal audit recommendation. Failure to implement recommendations to mitigate these risks could result in the risk moving to the High category.

LOW

Minor weaknesses in control which expose the Accounting Officer / Director to relatively low risk of loss or exposure. However, there is the opportunity to improve the control environment by complying with best practice. Suggestions made if adopted would mitigate the low level risks identified.

Ratings of audit reports

Substantial In Internal Audit’s opinion, the framework of governance, risk management and control is adequate and effective.

Moderate In Internal Audit’s opinion, some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control.

Limited In Internal Audit’s opinion, there are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective.

Unsatisfactory In Internal Audit’s opinion, there are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail.


Appendix 2 - Limitations and responsibilities

Internal control

Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Future periods

Historic evaluation of effectiveness is not relevant to future periods due to the risk that:

- the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or

- the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

It is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management’s responsibilities for the design and operation of these systems. We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.


Health Group Internal Audit

Reference: DH216010004 FINAL REPORT

Human Tissue Authority January 2017

AUD-165-16 (Annex A)

Health Group Internal Audit provides an objective and independent assurance, analysis and consulting service to the Department of Health and its arms length bodies, bringing a disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

The focuses on business priorities and key risks, delivering its service through three core approaches across all corporate and programme activity:

Review and evaluation of internal controls and processes;

Advice to support management in making improvements in risk management, control and governance; and

Analysis of policies, procedures and operations against good practice.

Our findings and recommendations:

Form the basis of an independent opinion to the Accounting Officers and Audit Committees of the Department of Health and its arms length bodies on the degree to which risk management, control and governance support the achievement of objectives; and

Add value to management by providing a basis and catalyst for improving operations.

Report Name: People and Workforce Status: Final

For further information please contact:

Cameron Robson - 01132 54 5515

1N16 Quarry House, Quarry Hill,

Leeds, LS2 7UE

Health Group Internal Audit

Our work has been conducted and our report prepared solely for the benefit of the Department of Health and its arms length bodies and in accordance with a defined and agreed terms of reference. In doing so, we have not taken into account the considerations of any third parties. Accordingly, as our report may not consider issues relevant to such third parties, any use they may choose to make of our report is entirely at their own risk and we accept no responsibility whatsoever in relation to such use. Any third parties, requiring access to the report may be required to sign ‘hold harmless’ letters.


CONTENTS PAGE

Date fieldwork completed: 13/12/2016

1st draft report issued: 06/01/2017

Management responses received:

Final report issued

D14/01/2024/01/2017

Report Author: Habiba Marsh

Version №: Final V1

1. Introduction

2. Review Conclusion

3. Summary of Findings

4. Next steps

5. Recommendations

6. Findings and Observations

Appendix – Priority and Report Ratings


Distribution List – Draft Report

Main recipient(s)

Allan Marriott-Smith, Chief Executive Officer

Diane Galbraith, Head of HR

Cc(s)

Morounke Akingbola, Head of Finance

Richard Sydee, Director of Finance and Resources

Cameron Robson, Group Chief Head of Internal Audit

Distribution List – Final Report

As above


EXECUTIVE SUMMARY

1. Introduction

1.1 HTA’s key strategic objective is to maintain and further enhance public confidence in the removal, storage and use of human tissue and organs by ensuring that it is undertaken safely and ethically, and with proper consent.

1.2 HTA has fully recognised that a key asset to delivering this objective is its people, but the HTA has historically struggled to meet its annual target to maintain a turnover rate of less than 18%.

1.3 Two key risks have been identified as a consequence: ‘Insufficient capacity and/or capability, including insufficient expertise, due to staff attrition, inadequate contingency planning, difficulty in recruiting (including Independent Assessors (IAs))’; and ‘Failure to utilise people, data and business technology capabilities effectively’.

1.4 In 2015 HTA published its two year People Strategy which included an employment lifecycle, identifying eight key features of working for HTA that would be experienced by its staff. It was intended that improving the staff experience would help to maintain turnover within target. Against each of the features a series of actions were proposed to enhance each staff member’s experience, including actions to address specific staff feedback gathered from exit interviews and the staff survey, which is completed annually. Management provided a People Strategy Progress Report to the Board in March 2016 setting out their progress against these actions.

1.5 The objective of this review was to independently assess, and seek evidence of, management’s progress against the actions detailed within the 2015-17 People Strategy, focussing on the ongoing actions in three of the key areas: Recruitment, Selection, Induction & Embedding; Recognition & Wellbeing; and Managing for High Performance; plus one related key action within the Inspire and Motivate area.

1.6 We have also captured and provided observations on the impact of the People Strategy following interviews with a small sample of staff. In these interviews we sought to ascertain their understanding of the Strategy, their experience of it being delivered, and any suggestions for further areas of improvement that they would like to see.

1.7 We independently selected staff for interview to have a range of experience at HTA and seniority. However, it is important to note that our findings from this element of the work are based on interviews with only approximately 10% of the workforce (5 individuals), and therefore not all views or themes identified are necessarily pervasive throughout the business. We have assessed the comments made by staff and reported these where appropriate as key themes arising from the interviews, having considered the context and corroborating evidence gathered from other areas of the review.


2. Review Conclusion

2.1 The overall rating for the report is MODERATE - some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control.

2.2 HTA has been able to evidence the progress made against the planned actions as reported by management, in those areas in scope for our review. The Strategy is designed to endure for three years until 2017. Where actions have not yet been started, we have verified that this is for practical reasons and confirmed a new start date. A good level of supporting documents was provided to support the development of policies, learning and development opportunities and continual communication to staff. Overall therefore, there appears to have been good progress.

2.3 There are, however, some actions that management could take to optimise benefits of the People Strategy at its current stage. In addition, feedback from our staff interviews identified some clear areas that we believe would benefit from further focus by management. Failure to implement these recommendations may not impact on the progress of planned actions but may make it harder for HTA to embed the strategy effectively into HTA culture and behaviours.

3. Summary of Findings

3.1 The findings in this report are based on the available supporting evidence provided to us as part of the review and the findings from the five staff interviews performed. The work is intended to help the Head of Human Resources (Head of HR) and the Chief Executive Officer (CEO) better enhance the effectiveness of the People Strategy by providing an independent and objective view of progress against planned actions, supplemented by some independently gathered feedback. The above conclusions and findings summarised below should be seen in this context.

3.2 The findings from our work are summarised below, and more detail is provided in the Findings and Observations section:

The people structure of the HTA is relatively flat, and as such a common concern of staff and reason for leaving, we understand, is lack of opportunity for progression, both financially and professionally. This was a common theme from our interviews and is apparent from review of the structure chart. It is something that management is well aware of. Although the organisation is restricted by Government pay restraints in terms of awarding increments, there may be potential to respond to this through a review of roles. In particular, for Regulation Managers it might be possible to introduce an additional layer of seniority providing opportunities for progression, something management has identified as a possibility.

There is scope to improve the clarity of the link between the People Strategy and the actions being taken as a result of it.

Management have not yet gathered specific feedback from staff on the impact and progress of the People Strategy, although there are multiple avenues of communication open to staff which, per our own assessment and staff feedback, appear to be largely being used effectively.


New joiner surveys have been collated and a report to the Senior Management Team will be prepared in the first half of 2017 by the Head of HR. The form and frequency of future reporting in this area has, however, not yet been decided. We would encourage annual reporting of key trends as well as actions taken to address any areas for improvement, for example addressing any expectation gaps in terms of role or salary.

3.2 Overall, management are making good progress in implementing the People Strategy against the actions identified in the planned activities, with staff providing largely positive feedback on its implementation.

3.3 The table below summarises the number of recommendations by rating and review area. Please note that there are multiple recommendations to some findings and therefore more than four recommendations:

Review area | Total Recs | High | Medium | Low

Recognition & wellbeing | 1 | - | - | 1

Impact of the People Strategy | 3 | - | - | 3

Recruitment, selection, induction & embedding | 1 | - | - | 1

Total | 5 | - | - | 5

4. Next Steps

4.1 To support the continued progress of the People Strategy objectives and embedding into HTA and the provision of a meaningful report to the Audit and Risk Assurance Committee management are now required to:

Consider the recommendations made in Section 3; and

Complete Section 5 (Recommendations Table: Agreed Action Plan) detailing what action you are intending to take to address the individual recommendations, the owner of the planned actions and the planned implementation date.

4.2 The agreed action plan will then form the basis of subsequent audit activity to verify that high priority recommendations have been implemented effectively and for management to monitor implementation of all recommendations.

4.3 If management do not accept any of the recommendations made then a clear reason should be provided in the action plan.

4.4 Finally, we would like to thank management for their help and assistance during this review.


RECOMMENDATIONS TABLE

5. Recommendations

Customer to provide details of planned action; owner and implementation date. Action taken will later be assessed by Health Group Internal Audit, and therefore the level of detail provided needs to be sufficient to allow for the assessment of the adequacy of action taken to implement the recommendation to take place.

Columns: №; Rating; Recommendations; Management response / agreed action plan; Owner & planned implementation date

1. Rating: L
Recommendation: Undertake a review of the organisation’s structure to identify where additional layers of seniority could be implemented and might be of benefit. Specifically consider the scope for increased hierarchy in the Regulation Manager group.
Management response / agreed action plan: Investigation into the possibility of stratification within the Regulation Manager role will be undertaken. Due to the size of our organisation, we do not feel it is possible to add an additional hierarchy level outside of the Regulation Manager posts.
Owner & planned implementation date: Heads of Regulation. 30 April 2017

2. a) Rating: L
Recommendation: Where actions are taken as a result of the People Strategy, ensure that the link to the People Strategy is made clear in communications, for example including wording about which part of the Strategy it is responding to.
Management response / agreed action plan: Going forward communication and documents that relate to the People Strategy will advise of the link to the People Strategy and include the ‘People Strategy’ branding.
Owner & planned implementation date: Complete

2. b) Rating: L
Recommendation: Provide an update to staff on progress against the People Strategy, for example in a ‘You said…. We did…’ format.
Management response / agreed action plan: Provide an update.
Owner & planned implementation date: 30 March 2017

3. Rating: L
Recommendation: Consider obtaining feedback on the implementation and impact of the People Strategy from staff, for example through one to one meetings with Line Managers.
Management response / agreed action plan: Feedback will be sought from staff on the People Strategy during annual PDP discussions. Feedback will be sought via the staff survey.
Owner & planned implementation date: 30 April 2017; Autumn 2017


4. Rating: L
Recommendation: Implement regular reporting on new joiner feedback and investigate where improvements may be required, for example where instances of expectation gaps are cited (including as a reason for leaving after only a short time) and act on this accordingly.
Management response / agreed action plan: Six monthly report to SMT to be implemented.
Owner & planned implementation date: 30 March 2017.


FINDINGS/OBSERVATIONS

6. Findings and Observations

1. FINDING/OBSERVATION:

Consider scope to introduce additional tiers to the resource structure so as to allow more opportunity for progression

RISK RATING: LOW

The people structure of the HTA is relatively flat, and as such a common concern of staff and reason for leaving, we understand, is lack of opportunity for progression, both financially and professionally. This was a common theme from our interviews and something that management are well aware of. Although the organisation is restricted by Government pay restraints in terms of awarding increments, there may be potential to address this through a review of roles, in particular at Regulation Manager level where an additional layer of seniority may give more opportunities, something management is considering.

Having more of a hierarchy for Regulation Managers could provide an opportunity to create a more dynamic business structure within Regulation, which represents the largest proportion of staff in the HTA.

RISK/IMPLICATION:

Staff may be unable to see scope for career progression which could lead to dissatisfaction, and therefore continued staff turnover.

RECOMMENDATION:

Undertake a review of the organisation’s structure to identify where additional layers of seniority could be implemented and might be of benefit to the organisation. Specifically consider the scope for additional hierarchy in the Regulation Manager group.

2. FINDING/OBSERVATION:

Highlighting the impact of the People Strategy in staff communications

RISK RATING: LOW

There is scope to improve the clarity of the link between the People Strategy and the actions taken as a result of it.

There was a clear trend from the interviews that we conducted that although the actions being taken are communicated, for example new policies and other announcements being included in staff newsletters and staff forum meetings, staff are not always aware of the link between these actions and the People Strategy.

Management have already taken some action in this area, for example communications regarding the Strategy have recently been branded with the employment lifecycle wheel. However, there was a clear theme from our interviews and we therefore believe that another look at this topic would be beneficial.

It should be noted that overall, feedback from our interviews in relation to the People Strategy was very positive.


RISK/IMPLICATION:

Staff do not see the link between the People Strategy and improvement actions taken because of it. This could lead to the illusion that the People Strategy is simply a document and that actions are taken at random rather than being a very clear response to staff feedback and designed to deliver an improved experience overall. Staff may continue to feel that their feedback is not being understood or taken on board by management, possibly leading to continued staff turnover.

RECOMMENDATION:

a) Where actions are taken as a result of the People Strategy, ensure that the link to the People Strategy is made clear in communications, for example including wording about which part of the Strategy it is responding to.

b) Provide an update to staff on progress against the People Strategy, for example in a ‘You said…. We did…’ format.

3. FINDING/OBSERVATION:

Gathering feedback from staff on the People Strategy

RISK RATING: LOW

There are multiple avenues of communication open to staff, including the annual staff survey, team meetings, one to ones, exit meetings, and new joiner feedback. Per our own assessment and staff feedback, these appear to be largely being used effectively and this review also provides some additional feedback. However, management have not yet gathered specific feedback from staff on the impact and progress of the People Strategy, and some specific discussion of the impact of the Strategy may be of benefit to the organisation in fine tuning its approach and identifying any areas of misunderstanding or miscommunication.

This may also be an opportunity to remind staff of their responsibilities within the People Strategy and therefore to obtain further support and buy in for the actions taken.

This also links to finding two above, as it could assist in underlining the link between the People Strategy and the actions taken as a result of it.

RISK/IMPLICATION:

Without understanding staff feedback on the implementation and impact of the People Strategy, the risk exists that management actions, whilst being delivered, may not be fully embedding into the HTA as expected. In addition, further suggestions for actions that could be taken may not be identified, missing the opportunity to further improve the staff experience.

RECOMMENDATION:

Consider obtaining feedback on the implementation and impact of the People Strategy from staff, for example through one to one meetings with Line Managers or as part of annual survey.


4. FINDING/OBSERVATION:

Capturing and reporting feedback from new joiners

RISK RATING: LOW

New joiner surveys have been collated and a report to the Senior Management Team will be prepared in the first half of 2017 by the Head of HR. However, the form and frequency of future reporting in this area has not yet been decided. We would support annual reporting of key trends, as well as on actions taken to address any areas for improvement. Over the last 12 months, the Head of HR has improved the clarity of the recruitment process to ensure that both role and salary expectations are clear to applicants before they apply or accept a role, and feedback from staff has improved in this area. However, one of the interviewees we spoke with identified that there had been a joiner in the last six months who experienced a large expectation gap in terms of the role requirements and subsequently left the organisation within a few months. There may be an opportunity to review this case and identify any learning.

RISK/IMPLICATION:

If feedback from the joining process is not monitored, and acted upon where necessary, this may result in the organisation continuing to miss its target of maintaining staff turnover at below 18% and/or may impact on the efficiency and effectiveness of recruitment activity. There may also be reputational damage to the HTA, impinging on its ability to recruit staff with the appropriate skills and expertise.

RECOMMENDATION:

Implement regular reporting on new joiner feedback and investigate where improvements may be required, for example where instances of expectation gaps are cited (including as a reason for leaving after only a short time) and act on this accordingly.


APPENDIX - PRIORITY AND REPORT RATING DEFINITIONS

Priority Rating - Definitions

Priority Description

HIGH

Fundamental weaknesses in control which expose the Accounting Officer / Director to high risk or significant loss or exposure in terms of failure to achieve key objectives, impropriety or fraud. Senior managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a high priority internal audit recommendation.

MEDIUM

Significant weaknesses in control, which, although not fundamental, expose the Accounting Officer / Director to a risk of loss, exposure or poor value for money. Managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a medium priority internal audit recommendation. Failure to implement recommendations to mitigate these risks could result in the risk moving to the High category.

LOW

Minor weaknesses in control which expose the Accounting Officer / Director to relatively low risk of loss or exposure. However, there is the opportunity to improve the control environment by complying with best practice. Suggestions made if adopted would mitigate the low level risks identified.

Report Rating – Definitions

Rating Description

SUBSTANTIAL In Internal Audit’s opinion, the framework of governance, risk management and control is adequate and effective.

MODERATE In Internal Audit’s opinion, some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control.

LIMITED In Internal Audit’s opinion, there are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective.

UNSATISFACTORY In Internal Audit’s opinion, there are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail.


Health Group Internal Audit

Reference number: DHX 216010001

FINAL REPORT

Human Tissue Authority

January 2017

Health Group Internal Audit provides an objective and independent assurance, analysis and consulting service to the Department of Health and its arms length bodies, bringing a disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

The focuses on business priorities and key risks, delivering its service through three core approaches across all corporate and programme activity:

Review and evaluation of internal controls and processes;

Advice to support management in making improvements in risk management, control and governance; and

Analysis of policies, procedures and operations against good practice.

Our findings and recommendations:

Form the basis of an independent opinion to the Accounting Officers and Audit Committees of the Department of Health and its arms length bodies on the degree to which risk management, control and governance support the achievement of objectives; and

Add value to management by providing a basis and catalyst for improving operations.

Report Name: Board Effectiveness Self-Assessment

For further information please contact:

Cameron Robson - 01132 54 5515

1N16 Quarry House, Quarry Hill,

Leeds, LS2 7UE

Health Group Internal Audit

Our work has been conducted and our report prepared solely for the benefit of the Department of Health and its arms length bodies and in accordance with a defined and agreed terms of reference. In doing so, we have not taken into account the considerations of any third parties. Accordingly, as our report may not consider issues relevant to such third parties, any use they may choose to make of our report is entirely at their own risk and we accept no responsibility whatsoever in relation to such use. Any third parties, requiring access to the report may be required to sign ‘hold harmless’ letters.

AUD 165-16 (ANNEX B)


CONTENTS PAGE

Date fieldwork completed: 9 November 2016

1st draft report issued: 28 November 2016

Management responses received: 5 December 2016

2nd draft report issued: 20 December 2016

Management responses received: 30 January 2017

Final report issued: 31 January 2017

Report Author: Lenka Marvanova

Version №: Final V1

1. Introduction

2. Review Conclusion

3. Summary of Findings

4. Next Steps

5. Recommendations Table

6. Findings and Observations

Appendix 1 – Summary of Survey Results

Appendix 2 – Risk and Report Ratings


HTA (02a/17)

Distribution List – Draft Report

Main recipient(s): Sharmila Nebhrajani, Chair

Cc(s):

Allan Marriott-Smith, Chief Executive

Morounke Akingbola, Head of Finance

Richard Sydee, Director of Finance and Resources

Cameron Robson, Group Chief Head of Internal Audit

Distribution List – Final Report: As above


1. Introduction

1.1 Within the context of an organisation’s purpose, the board has a key role in setting strategy and developing and implementing action plans to achieve objectives. It also has the vital role of monitoring performance and challenging management where that might be improved. An effective board is a key part of governance, risk management and assurance arrangements along with contributing to the development and promotion of the collective vision of the organisation’s purpose, culture, values and the behaviours. There needs to be effective engagement between independent members and the executive to lead the organisation, whilst avoiding the board becoming too operational and focused on decisions and actions that should be the responsibility of management.

1.2 The Human Tissue Authority (HTA) is an Executive non-Departmental Public Body sponsored by the Department of Health. The Chair and nine of the board members are appointed by the Secretary of State for Health, with one further member appointed by the Welsh Minister and one by the Northern Ireland Health Minister. The board therefore has 12 members in total. Eight of the board members (including the Chair) are lay members, with the four remaining members being professionals with current or recent past involvement in activities or organisations licensed under the Human Tissue Act. While the structure has not changed, board membership has undergone some change during 2016, with five new members appointed to the board in April 2016 in place of those whose terms of office had expired.

1.3 Supporting the board, the HTA has two statutory committees (the Audit and Risk Assurance Committee and the Remuneration Committee) and three groups (Stakeholder Group, Histopathology Working Group and Transplantation Advisory Group). The focus of this review has been on the performance of the board and we have not covered the operations of these other committees and groups.

1.4 The objective of this review was to consider the effectiveness of the HTA board by undertaking the following:

Carrying out a self-assessment (via an online survey) completed by each board member,

Analysis of the results of the survey (based on the collective results),

Benchmarking the results against other organisations including other ALBs, and

Undertaking targeted interviews with a sample of four board members, informed by the output of the self-assessment questionnaire.

1.5 Our work was performed during October and November 2016.

2. Review Conclusion

2.1 The findings in this report are based on the self-assessment results and follow-up discussions. The work is intended to help the Chair and the board to further enhance the effectiveness of how the board operates through self-assessment review and assessment. Given the limited audit evidence gathered during this review, we are not able to provide a formal assurance conclusion in this report.

2.2 The combined results of the board self-assessment and sample of interviews did not identify any significant weaknesses that may impact on the board operating effectively and indicate that in the view of the Authority board members the board is operating effectively. Some areas of good practice have been identified during our review and these have been highlighted below.

3. Summary of Findings

3.1 Our review has identified a small number of areas for consideration where there may be scope to further enhance the operating effectiveness of the board.

3.2 The average results from the board effectiveness survey have been summarised in Appendix 1.

3.3 The overall average result for the survey was 5.08 (on a scale of 1-6 with 6 being the most positive assessment), which is a strong indication that the overall effectiveness and operation of the board is viewed as positive by the board members.

3.4 Lower than average results were received in the following categories:

Performance Monitoring (4.77)

Decision Making (5.05)

Individual and Whole Board (4.79)

Development and Succession Plans (4.31)

3.5 Benchmarking the results indicated that the HTA board is assessed to be performing above the benchmark average, with the exception of the Engaging & Improving category. This latter item reflects the weaker results in the Individual & Whole Board and Development & Succession Plans categories. The results of the benchmarking exercise are also included in Appendix 1.

3.6 During our review of the survey results and interviews, we noted a number of positive comments about the board’s effectiveness:

Relationships – we received a number of comments about the positive relationships and working environment at the board meetings between the board members and the Executive, which is seen to lead to open and diverse discussions. The comments also confirmed that the board operates in a professional environment and is seen to provide an appropriate level of challenge to the Executive team, but in a positive atmosphere.

Chair – both the survey and the interviews indicated the view that the Chair is very effective in managing the board meetings, setting the right tone and encouraging positive and open discussions. The work of the Chair was also seen as pivotal to securing a good mix of skills and experience at the board.

Stakeholder engagement – There were also positive comments about the weekly email updates shared with the board members, including an internal newsletter, sector updates and news digest updates.

3.7 We have raised four recommendations which have been summarised below:

Induction training for new board members on living organ donation should be extended (Medium priority): Both the survey and interviews indicated that the level of induction training with regards to living organ donations was not felt to be sufficient to give the board members confidence in understanding and delivery of decisions in this area;

Succession planning and board member appointment process (Low priority): The need to replace a proportion of board members at once represents a challenge to the Authority’s corporate memory, effective board performance and the ability to manage the change. Therefore, discussions should be held with the Department of Health about enabling a more flexible approach to the future board appointments and re-appointments.

There should be a more strategic focus in board papers and discussions (Low priority): Steps were already being taken towards papers and presentations being more strategically focused and these changes should be fully implemented so that the level of detail in the board papers and presentations does not detract from the board having sufficient time for robust and strategic discussions; and

Setting objectives for individual board members (Low priority): Both survey and interview results indicated a lack of clarity among new board members about the objective setting and appraisal process. Clarification should be provided and confirmation obtained that new members are content that they understand what is being expected of them.

3.8 The table below summarises the number of recommendations by rating and review area:

| Review area | Total Recs | High | Medium | Low |
| --- | --- | --- | --- | --- |
| Board Effectiveness – self assessment | 4 | 0 | 1 | 3 |

4. Next Steps

4.1 To support the provision of a meaningful report to the Audit and Risk Assurance Committee you are now required to:

consider the recommendations made in Section 3; and

complete section 5 (Recommendations Table: Agreed Action Plan) detailing what action you are intending to take to address the individual recommendations, the owner of the planned actions and the planned implementation date.

4.2 The agreed action plan will form the basis of subsequent activity to verify that the recommendations have been implemented effectively. If management do not accept any of the recommendations made then a clear reason should be provided in the action plan.

4.3 Management should implement the agreed recommendations before or by the agreed due dates and advise HGIAS that the actions have been completed.

4.4 Any high priority recommendations are routinely followed up by HGIAS and any such outstanding actions will be reported to the Audit and Risk Assurance Committee.

4.5 Finally, we would like to thank management for their help and assistance during this review.


5. Recommendations Table

Customer to provide details of planned action, owner and implementation date. Action taken will later be assessed by Health Group Internal Audit, and therefore the level of detail provided needs to be sufficient to allow for the assessment of the adequacy of action taken to implement the recommendation to take place.

1. Rating: M

Recommendations:

Ensure that induction training provides sufficient time, focus and examples of decision making for the living organ donation process and that after it board members feel that they have sufficient clarity and confidence to fulfil their role in the decision making process.

Establish a forum for the new board members to enable discussions on the more complex living organ donations cases.

Review the training for board members to include attendance at inspections (possibly as part of the induction process) and evaluate if any other training would be beneficial.

Management response:

When new Members start the living organ donation training will be a full day. Followed up by a session as needs dictate 3-6 months later.

First forum on 30 January.

Those wishing to observe an inspection are being assigned slots as and when suitable.

Training budget in place for Members during 2017/18 and discussion on training at one-to-ones with Chair.

Agreed action plan: owner & planned implementation date:

Nicholas Baré (Head of Corporate Policy and Strategy): As new Members start

Jessica Porter (Head of Regulation): Actioned

Nicholas Baré (Head of Corporate Policy and Strategy): Actioned

2. Rating: L

Recommendations:

Consider discussions with the Department of Health on the importance of achieving the appropriate balance of change and, if required, having some flexibility in the appointment process (such as 4+2 years appointments) and spreading out end dates to enable the Authority to respond flexibly to the need for experience and expertise whilst still benefiting from fresh perspectives.

Management response:

Consideration given to such a discussion with DH on upcoming re-appointments.

Agreed action plan: owner & planned implementation date:

Victoria Marshment (Director of Policy, Strategy and Communications): End 2017


3. Rating: L

Recommendations:

As planned, ensure papers are formatted to be suitably brief and clear, focusing on the key points for discussion and agreement relevant to the board’s strategic role. A similar approach should apply to presentations.

Once the new approach is fully in place, it may be appropriate to take further soundings from members on whether the objectives of the change have been achieved.

Management response:

Move to more focussed papers and presentations already made.

Feedback sought on reporting and amendments made.

Feedback to be a permanent feature of the refinement process.

Agreed action plan: owner & planned implementation date:

Nicholas Baré (Head of Corporate Policy and Strategy): Actioned

4. Rating: L

Recommendations:

Clarify the process for agreement of annual objectives and annual appraisals with new members.

Confirm that new members are content that they understand their objectives and how they should focus in the period through to their first individual appraisal.

Management response:

Communication issued to Members on process for appraisals.

Process to be clearly flagged and explained to incoming Members with check to ensure it is understood.

Agreed action plan: owner & planned implementation date:

Nicholas Baré (Head of Corporate Policy and Strategy): Actioned.


6. Findings and Observations

6.1 Based on the survey and interviews, we have identified the following findings:

1. FINDING/OBSERVATION:

Induction Training re Living Organ Donations

RISK RATING: MEDIUM

Both the survey and interviews identified that while induction training was provided for the recently appointed board members, it was felt that insufficient attention was given to the role of the board members in the living organ donation decision making process. Further investigation established that while training was given on the technicalities of how to undertake the living organ donation reviews, the board members desired more training on how to deal with the complexities of the cases, and would welcome a more example-based approach to the training.

The board members felt that there has not been sufficient time allocated for discussion of living organ donations and that they would benefit from a forum to discuss some of the more complex cases.

This issue had been raised prior to this assessment and recognised by the Executive team. As a result, a workshop for board members on living organ donations had already been scheduled for November 2016, which was due to include discussion on enabling the board members to share knowledge about completed and ongoing living organ donation cases.

The board members also observed that where available, attendance at inspections was valuable to their development and understanding of regulatory duties. An observation was made that it would be helpful to attend inspections as part of the induction process or in the early stages of their board membership.

RISK/IMPLICATION:

Without robust and comprehensive induction training on more complex aspects of the board members’ roles and responsibilities, the board members may not feel sufficiently equipped to deal with some individual cases, which may lead to delays in decision-making for organ donation cases.

RECOMMENDATION:

Ensure that induction training provides sufficient time, focus and examples of decision making for the living organ donation process and that after it board members feel that they have sufficient clarity and confidence to fulfil their role in the decision making process.

Establish a forum for the new board members to enable discussions on the more complex living organ donation cases.

Review the training for board members to include attendance at inspections (possibly as part of the induction process) and evaluate if any other training would be beneficial.


2. FINDING/OBSERVATION:

Succession planning and board member appointment process

RISK RATING: LOW

The board has undergone some change in the current financial year, with five new members appointed to the board in April 2016. The survey and interview results highlighted the board members’ concerns about the impact that a significant level of change at the board level could have on maintaining robust corporate memory and expertise. In particular, the requirement to refresh the board membership every three years could be perceived as potentially limiting the effectiveness of the board if there was to be significant change that did not then allow for maintaining memory and expertise on the board. While the board members expressed confidence that the appointment process is well managed and that there is value in rotation of membership, there was awareness that the three year appointment period could be limiting of the period in which board members are contributing most effectively to the Authority’s regulatory activities.

We recognise that while the Authority makes recommendations for board member appointments, the appointments are reviewed by the Department of Health and the final decision on appointments is made by the Secretary of State. Also, as noted, there is value in refreshing membership to an appropriate level. However, particularly for organisations such as HTA where members are closely involved in decision-making, it is important to ensure that there is appropriate balance between renewing membership and retaining knowledge and experience.

RISK/IMPLICATION:

Changes to board membership without adequate consideration of the need of the Authority for experience and expertise could have a negative impact on the effectiveness of the board, could lead to loss of corporate memory and impact the decision making process for living organ donations.

RECOMMENDATION:

Consider discussions with the Department of Health on the importance of achieving the appropriate balance of change and, if required, having some flexibility in the appointment process (such as 4+2 years appointments) and spreading out end dates to enable the Authority to respond flexibly to the need for experience and expertise whilst still benefiting from fresh perspectives.


3. FINDING/OBSERVATION:

Strategic focus in board papers and presentations

RISK RATING: LOW

While it was reported that the board meetings were well managed, comments were raised by the board members in both the survey and interviews about the balance of time spent on presentations to the members and the time spent on discussions. It was felt that while the presentations and papers contain a great level of detail, this may detract from taking the strategic view of the topic and that perhaps the level of detail could be reduced.

We understand that these matters were identified prior to the board effectiveness survey and that the focus in the November board papers had already shifted to a more strategic approach, aggregated around the Authority’s strategic plan objectives. Feedback provided by the Chair also confirmed that the shift to the more strategic approach was being managed to ensure that in the short term the new board members were receiving adequate explanation of the background of the topics, even if this meant slightly more information was being provided and shared.

RISK/IMPLICATION:

The board may be unable to focus their discussions on the areas of strategic importance and instead get drawn into more detailed operational management of the Authority.

RECOMMENDATION:

As planned, ensure papers are formatted to be suitably brief and clear, focusing on the key points for discussion and agreement relevant to the board’s strategic role. A similar focus should apply to presentations. Once the new approach is fully in place, it may be appropriate to take further soundings from members on whether the objectives of the change have been achieved.


4. FINDING/OBSERVATION:

Individual board member objectives

RISK RATING: LOW

Both the survey and interviews indicated that new board members had lower awareness of the board objectives and the objective setting process. The new board members also indicated they had expectations that they would meet with the Chair to discuss more personalised objectives for their board roles. The feedback we received indicated that instead they had received objectives by email, and these were objectives for the HTA board as a whole without the opportunity to personalise them.

Further conversation with the Chair confirmed that the new board members were not part of the regular annual performance review cycle as they only joined recently. As a result, whereas those in post at the end of the prior year had personal appraisals, new members had introductory meetings and then the annual board objectives were circulated to them by email.

It was also confirmed that the objectives for each member are those applying to the board as a whole, reflecting collective responsibility, rather than setting individual objectives. The consideration of personal contribution towards the board objectives forms, and will form, part of the annual personal appraisal process.

It therefore appears that there has been some lack of clarity around the objective setting and appraisal process for the new board members.

RISK/IMPLICATION:

Without clarity about the objective setting and appraisal process, and if there was to be any lack of understanding about how the board members will contribute to achievement of the board objectives, the board may be less effective and new members may feel unsure about what should be their key areas of focus over the coming year.

RECOMMENDATION:

Clarify the process for agreement of annual objectives and annual appraisals with new members.

Confirm that new members are content that they understand their objectives and how they should focus in the period through to their first individual appraisal.


Appendix 1 – Summary of Survey Results

1.1 Survey and interview results

| Board Effectiveness Survey Category | Average survey score | Benchmark category |
| --- | --- | --- |
| Purpose | 5.18 | Foundations |
| Composition and Structure | 5.27 | |
| Role Clarity | 5.18 | |
| Relationships | 5.06 | |
| Strategy | 5.36 | |
| Performance Monitoring | 4.77 | Board Focus |
| Risk & finance | 5.11 | |
| Decision making | 5.05 | |
| Stakeholder engagement | 5.11 | Engaging & Improving |
| Individual & whole Board | 4.79 | |
| Development & Succession Plans | 4.31 | |
| Chair | 5.53 | Chair |
| Total survey average | 5.08 | |

Survey scores used: 1 Strongly Disagree; 2 Disagree; 3 Slightly Disagree; 4 Slightly Agree; 5 Agree; 6 Strongly Agree

2.1 Benchmarking exercise

The benchmarking exercise shows the following results in the four categories:

[Figure: benchmarking results chart. Labels: Overall Effectiveness; Foundations; Board Effectiveness; Engaging & Improving; Chair]

Appendix 2 – Risk and Report Ratings

Risk Ratings:

Priority and description

HIGH: Fundamental weaknesses in control which expose the Accounting Officer / Director to high risk or significant loss or exposure in terms of failure to achieve key objectives, impropriety or fraud. Senior managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a high priority internal audit recommendation.

MEDIUM: Significant weaknesses in control, which, although not fundamental, expose the Accounting Officer / Director to a risk of loss, exposure or poor value for money. Managers are expected to oversee the prompt implementation of agreed actions, or to confirm in writing that they accept the risks of not implementing a medium priority internal audit recommendation. Failure to implement recommendations to mitigate these risks could result in the risk moving to the High category.

LOW: Minor weaknesses in control which expose the Accounting Officer / Director to relatively low risk of loss or exposure. However, there is the opportunity to improve the control environment by complying with best practice. Suggestions made if adopted would mitigate the low level risks identified.

Report Rating – Definitions

Substantial: In Internal Audit’s opinion, the framework of governance, risk management and control is adequate and effective.

Moderate: In Internal Audit’s opinion, some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control.

Limited: In Internal Audit’s opinion, there are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective.

Unsatisfactory: In Internal Audit’s opinion, there are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail.


Audit and Risk Assurance Committee Paper

Date: 8 February 2017

Paper reference: AUD 165-16 (Annex C)

Agenda item: 7

Author: Richard Sydee

Enquiries Management Project

Background

1. At the last ARAC meeting the findings from the recent Internal Audit of the HTA approach to enquiries management were presented. Management had requested Internal Audit’s assistance in reviewing the Enquiry Management process from a desire to gain reassurance that the process is appropriately designed to achieve the objectives of providing accurate and timely responses, following concerns raised by some users that enquiries were not being responded to effectively.

2. The report made 8 overall recommendations and Management accepted all recommendations in principle with a commitment to a further assessment of the recommendations and a plan for their implementation during the 2017 calendar year. This further review and outline plan is now presented for ARAC approval.

Actions Required

3. Members are invited to:

note the detailed review of recommendations and proposed action and

explore the area of risk relating to staff attrition

Report

The attached appendix details the discussion that has subsequently taken place with all Department heads in relation to the recommendations and actions that should be taken in order to address the report findings. In summary the majority of recommendations were accepted as presented with only recommendation 3 challenged in terms of priority.


4. The actions within the attached appendix will now become a formal project for HTA with Richard Sydee, Director of Resources, as Senior Responsible Officer and Matthew Silk as Project Manager. Given other resourcing priorities through to July 2017 it is proposed that the majority of recommendations be implemented during the latter half of 2017. A formal project plan will be produced and ARAC will continue to receive updates on specific recommendations through the recommendations tracker.

Annex A – Enquiry management recommendations and comments


FINDING/OBSERVATION 1

Recommendations

FINDING/OBSERVATION 2

Recommendations

FINDING/OBSERVATION 3

Recommendations

a) The SOP should be updated to include the following:

- Provide guidance on the time in which the various stages of the emails/website enquiries should be forwarded to the RMs, including time to open email or answer call, time to convert to a case and time to forward to RM. Management may find it beneficial to develop a full process map which covers the process.

- A clear definition of what constitutes an enquiry should be made, including whether a case has to be logged in certain scenarios. Consideration should be given to requiring all enquiries to immediately be logged in CRM as this avoids possibility of cases being lost.

- All relevant stages of the Enquiry Management process and be shared with all those involved to clearly communicate roles and responsibilities. This could be in the form of a more detailed process map.

- That the enquiry reference number should be provided to all enquirers who can then cite this when following up on an enquiry. To support this, a notification of receipt email should be provided to the sender for all email and website enquiries.

The CRM system does not effectively capture whether an enquiry is from a licensed provider or not, which reduces the ability of HTA to support effective enquiry management and without this information data retention guidelines cannot be complied with.

RISK RATING: MEDIUM

a) CRM should be reconfigured to include a mandatory field which requires information on whether the enquiry is from a licensed provider or not. If not possible due to expense, consideration could be given to capturing this information in the ‘Channel’ or ‘Category’ fields, if deemed suitable.

For technical reasons, a mandatory field cannot be added to the form, so this recommendation cannot be achieved. Heads did not understand why licence and non-licence related enquiries need to be differentiated. All enquiries should have the same importance attached to them. Heads suggested that it would be more useful to differentiate enquiries by those that include personal data and those that do not, to allow deletion (in line with the DPA) to be automated. All other enquiries should be kept on file for the sake of institutional memory.

b) Deletion dates for enquiries should then be monitored, to ensure that all relevant data is deleted in line with HTA guidance and in accordance with the DPA, ideally on an automated basis.

Head’s felt that these recommendations were common sense,

and noted that there are already plans in place to review all

corporate documents in early 2017/18. However, they

accepted that work needs to take place to define what an

enquiry is; this has been considered in the past but never

resolved. The risk rating should be lowered to low.

b) SOP documentation should be subject to regular review in line with planned review dates.

The current Standard Operating Procedure (SOP) documents are out of date and the processes within them require improvement, for example they do not currently make roles and responsibilities clear and not all stages of the process are included.

RISK RATING: MEDIUM

The CRM system requires reconfiguring; email alerts to Regulation Managers (RMs) reminding them of deadlines to respond to enquiries are not being routinely sent and the number of mandatory fields needs enhancing to support more effective enquiry management.

RISK RATING: MEDIUM

a) The notification workflow should be reconfigured to enable the sending of email notifications. Consideration should also be given to increasing the number of notifications to include notifications at one, two and/or three days prior to due date, as well as an escalation with later emails also being sent to a more

b) ‘Category’ and ‘Channel’ should be made mandatory fields for completion. If this is not possible due to expense, guidance should be issued to Assistants and RMs to ensure that this information is completely captured.

Heads agreed with these findings. The problem is that those logging enquiries are not adding the ‘channel’ field, which generates the notification. This should become a mandatory field. However, Heads were less keen on increasing the number of notifications.


FINDING/OBSERVATION 4

Recommendations

FINDING/OBSERVATION 5

Recommendations

FINDING/OBSERVATION 6

Recommendations

a) A decision needs to be made as to the best method going forwards in collecting information regarding FAQs and using it efficiently to reduce staff workloads.

This information once collated could be provided internally through the HTA intranet to allow future enquiries to be dealt with more easily and in a more

Heads agreed with this finding. FAQs need to be monitored and reviewed through improvements that will be made to HTA quality assurance in 2017/18. However, again, Heads did not understand the rationale for separating out enquiries from licence holders. This also related to points raised for Finding 3.

c) Create a clear and documented process by which an RM becomes sufficiently experienced to answer enquiries independently and maintain evidence of each individual’s progress. We appreciate that there will need to be some flexibility in the time scales applied.

Heads agreed with these findings. However, they considered the risk rating to be high (not low). They also considered that the focus of the findings could be improved. The fact that enquirers receive incorrect information in the first place is the crux of the issue. Our focus should be on this, in addition to quality assessment of incorrect information that was sent out. Assistants have already started to improve their processes for enquiries, relating to these findings. However, there is no formal system for peer review, set out in the standard operating procedure. New starters are monitored, but after six months, this stops. Similarly, responses generated by Heads are not peer reviewed. Peer review results of these reviews could be monitored as group indicators in team plans.

b) Consider whether/how to separate enquiries from license holders from general enquiries. This could be through creating an enquiries portal for license holders only, which might then create a case automatically.

The Quality Assurance (QA) processes could be improved; QA is currently only consistently performed for less experienced RMs who are new to their role

RISK RATING: Low

a) Consider QA checks in relation to answers provided to enquiries for all RMs, for example through sampling a small number of responses on a periodic basis and feeding back on both positive aspects and areas for improvement. Evidence of review should be retained, and if possible this would be captured within

b) Consider whether a standard style or format of response could be applied across the organisation or departments.

Management of frequently asked questions (FAQs) could be improved and improvements could be made to provide specific information to licensed users to better support licensed enquiries

RISK RATING: Low

The design of the current single Key Performance Indicator (KPI) for enquiry management does not allow effective monitoring of performance and requires extensive manual intervention to be calculated

RISK RATING: MEDIUM

a) Consider what further KPIs and management information would enable more effective monitoring of enquiry management (and are practicable to gather data on), for example, number of cases open longer than 10 days.

Heads considered that this finding would be addressed by an activity in the 2017/18 business plan to develop quality assurance systems / indicators, in addition to the time-based indicator. Head of communications noted that work could be completed to improve the complicated way the current KPI is calculated through CRM changes. These improvements could also be defined in the standard operating procedure.

b) Improve custom reporting to allow KPI% to be easily calculated without a need for manual adjustments.


FINDING/OBSERVATION 7

Recommendations

FINDING/OBSERVATION 8

Recommendations

Better use could be made of Assistants to answer simple enquiries and improved training provided to help the flow of enquiry information.

RISK RATING: Low

a) Investigate with Skype where applicable, how many calls ‘ring through’ without being answered and whether forwarding is set up on all accounts.

Head of IT is aware of this problem and is addressing it.

b) Require all staff to set up fall back arrangements that will ensure if their phone is not answered and it is not routed and answered via mobile it will fall back to switchboard.

c) If it is not possible to confirm this is in place for all phones, spot checks may need to be performed or confirmation gathered.

a) Identify whether there are more FAQs that the Assistants could be trained to answer and incorporate this into refreshed and more formal training to be provided to Assistants before they start to take calls and open emails.

Heads agreed with these findings. Improvements need to be made to the standard operating procedures. Work on a “decision tree” has already been completed.

b) The SOPs provided to assistants should be reviewed and updated where necessary (see finding 2).

The current utilisation of phone services provided by Skype allows calls to ‘ring out’ without provision of a voicemail service.

RISK RATING: Low


Audit and Risk Assurance Committee Paper

Date 30 January 2017 Paper reference AUD 166-16

Agenda item 8 Author Richard Sydee

Risk Update

Purpose of paper

1. This paper presents the latest strategic risk register and risk management strategy. It also sets the scene for the exploration of the area of risk: Sector risks and the HTA’s approach to protect public confidence.

Recommendations

2. Members are invited to:

- comment on the strategic risks and assurances at Annex A

- explore the area of risk relating to sector risks

- approve the risk management strategy as it currently stands

Strategic Risk Register

3. The strategic risks are reviewed by the Senior Management Team (SMT) monthly and the register updated. The strategic risk register that was updated at the beginning of January is at Annex A. This is the same version that will be presented to the Authority in February.

4. As reported at the meeting in November, there are three amber risks: failure to regulate appropriately (risk one); failure to manage expectations (risk three); and failure to utilise our capabilities (risk four).

5. Risk one remains our highest rated risk and there has been no change in its rating since November 2016.

6. The risk of failure to manage expectations of regulation (risk three) had increased in December because of the uncertainty about the timing of implementing the Import and Coding Directives. Communication with our sponsors and stakeholders helps mitigate this risk. The uncertainty surrounding Brexit brings its own challenges which add to this risk.


7. The risk of failure to utilise our capabilities effectively (risk four) has remained stable since November. This is evidenced by the progress of newer staff in post whose skills we are able to utilise and the fulfilment of key management posts. We have also gone live with the early phases of our CRM and Portal.

8. There have been no other significant changes to the level of risk.

9. SMT is content that the strategic risk register is complete and accepts the level of risk identified, subject to the planned actions taking place.

HTA Inspection rationale

10. Hazel Lofty, Head of Regulatory Development, will introduce this item, explaining how we protect public confidence and our inspection rationale.

11. Members are invited to explore further with them how these areas are managed.

Risk Management Strategy

12. At Annex B is the latest Risk Management Strategy and Policy. At the last ARAC meeting it was agreed that the strategy needed refreshing and that this could be done in conjunction with the impending risk workshop in February 2017.

13. The strategy therefore has a few amendments, notably the paragraphs relating to risk interdependencies, which is a current focus for the Department of Health and its ALBs.

Annex A – Strategic risk register – January 2017

Annex B – Sector risks and the HTA’s approach to public confidence

Annex C – Risk Management Policy and Strategy

Annex D – Department of Health Risk Interdependencies


AUD 166-16 (Annex A)

Nov 2016 Dec 2016 Jan 2017

Impact

5. Catastrophe

4. Significant

3. Moderate

2. Minor

1. Almost None

1. Rare 2. Unlikely 4. Likely 5. Almost Certain Likelihood

5 - Insufficient financial resources

(Deployment b)

Comments

A good regulatory framework and processes are in place and continuous improvement is planned. It is important to identify changes and remain agile to adapt to these.

Plans are in place to manage an incident. These plans are now complete and will be tested in Q4 of 2016/17.

We continue to communicate our remit and advise where appropriate. There is ongoing dialogue with DH and stakeholders about emerging issues. The HTA has written to the Department to highlight the risks of continued uncertainty about the timing of the implementation of the Coding and Import Directives. Brexit means that uncertainty has increased and the HTA faces greater challenges in managing expectations.

We continue to be in a position to use the skills of our newer recruits more fully. All key management posts are filled, and no staff are working their notice. CRM and Portal development went live successfully in mid-October.

Latest projections predict that the year will end within budget.

Risk

1 - Failure to regulate appropriately

(Risk to Delivery a-c & e and

Development a-d)

2 - Failure to manage an incident

(Delivery, Development and

Deployment)

3 - Failure to manage expectations

of regulation

(Risk to Delivery d)

4 - Failure to utilise our capabilities

effectively

(Delivery a-d)

(Development a-d)

(Deployment a & c)

Strategic Objectives

Delivery – to deliver the right mix of activity to maintain public and professional confidence

a) To deliver right-touch regulation and high quality advice and guidance, targeting our resources where there is most likelihood of non-compliance and greatest risk to the public

b) To be consistent and transparent in our decision making and regulatory action, supporting those licence holders who are committed to achieving high quality and dealing firmly and fairly with those who do not comply with our standards

c) To deliver effective regulation of living donation

d) To inform and involve people with a professional or personal interest in the areas we regulate in matters that are important to them and influence them in matters that are important to us

e) To maintain our strategic relationships with other regulators operating in the health sector

Development – to make the right investment in development to continuously improve delivery

a) To reduce regulatory burden where risks to public confidence are lowest

b) To make it clearer how to achieve compliance with new and existing regulatory requirements

c) To make continuous improvements to our systems and processes to minimise wasted or duplicated effort

d) To take opportunities to better inform and involve the public

Deployment – to make the most effective use of our people and resources in pursuit of our goals

a) To manage and develop our people in line with the HTA’s People Strategy

b) To ensure the continued financial viability of the HTA while charging fair and transparent licence fees and providing value for money

c) To provide a suitable working environment and effective business technology

3 - Independent of the HTA

Risks are assessed by using the grid below

Lines of defence are:

1 - Embedded in the business operation

2 - Corporate oversight functions

HTA Strategic Risk Register

January 2017

Overview: Risks reflect the strategy for 2016-19. Our highest risk is failure to regulate appropriately, as this would have a significant impact should it materialise.

Other notable risks: Final delivery of some of one of the HTA's key projects (Coding and Import) remains in the hands of others. The HTA can deliver our part but is not in control of other actions necessary before implementation. Any delays will affect the attitude of our stakeholders and the HTA's reputation. Further uncertainty is caused by Brexit.

A number of more recently recruited Regulation Managers are now approaching sign off and recruitment to key posts has now been completed. This will increasingly have a mitigating impact.


I L I L

Ongoing Regulatory model 5 31 2 3

HTA Strategy 2016 to 2019 clearly articulates the HTA's regulatory model

X Preventative

Authority developed and

approved the HTA Strategy

HTA Strategy published on 1

April

Regulatory decision making framework X Preventative

Reports to Authority of key decisions in Delivery Report

Satisfactory report made in November 2016

Annual scheduled review of Strategy X X Preventative

Outputs from annual strategy

review translate into revised

annual Strategy

Last review undertaken in

September 2016, next scheduled

for September 2017

Approved HTA Business Plan 2016-17

identifies a balanced programme of

regulatory activity and continuous

improvement

X X X Preventative

Sign off of the business plan by

the Chair on behalf of the

Authority and by sponsor

Department

HTA Business Plan published on

1 April and approved by the

Department of Health

Quality management systems

HTA quality management system contains

decision making framework, policies and

Standard Operating Procedures to

achieve adherence to the regulatory

model

X Preventative/Monitoring

Individual staff Member

responsible for QMS,

automated review reminders,

management oversight of

progress on updates

Management are aware of

limitations in the QMS and have

further work planned in 2016/17

to address these

People

Training and development of professional competence

X Preventative

Annual PDPs, RM proposals to

SMT

Regulation training plan agreed

by SMT in June. Training records

added onto Simply Personnel

and monthly HR updates

presented at SMT.

Specialist expertise identified at

recruitment to ensure we maintain a broad

range of knowledge across all sectors and

in developing areas

X X Preventative/Monitoring

SMT assessment of skills

requirements and gaps as

vacancies occur, Recruitment

policy

Staffing levels and risks reported

quarterly to the Authority

Strengthening arrangements for managing

reputation in response to regulatory

incident - sourcing press office support

from MHRA

Regulatory model

The following to be refined when controls in place

Implementation of the HTA People Strategy

Delivery of Licensing and inspection review projects to strengthen our regulatory model (VM) 2017/18

X Preventative

Extension of reporting arrangements to

adverse events in the Research sector

(SB) Proposals developed by March 2017

X Preventative

Quality management systems

Internal audit of quality management

system adequacy and adherence

(VM) by March 2017

X Monitoring/Detective

People

Delivery of the People Strategy road map

(AMS) by end of March 2017 X Preventative

People Strategy Progress report produced end March 2016

Other

Strengthening horizon scanning

arrangements

(VM) by March 2017

X Preventative

X Detective

Embed Better Regulation initiatives in the

regulatory model

(VM) by March 2017

X Preventative

REF | INHERENT RISK PRIORITY | RISK/RISK OWNER | PROXIMITY | RESIDUAL RISK PRIORITY | CAUSE AND EFFECTS | EXISTING CONTROLS/MITIGATIONS | ASSURANCE OVER CONTROL | ASSURED POSITION | LINE OF DEFENCE | ACTIONS TO IMPROVE MITIGATION | TYPE OF CONTROL

1 5 4

Causes

• Failure to identify regulatory non-compliance

• Regulation is not transparent, accountable, proportionate, consistent and targeted

• Regulation is not sufficiently agile to respond to changes in sectors

• Insufficient capacity and/or capability, including insufficient expertise, due to staff attrition, inadequate contingency planning, difficulty in recruiting (including Independent Assessors (IAs)).

• Inadequate adherence to agreed policies and procedures in particular in relation to decision making

• Poor quality or out of date policies and procedures

• Failure to identify new and emerging issues within HTA remit

• Failure to properly account for Better Regulation

Effects

• Loss of public confidence

• Compromises to patient safety

• Loss of respect from regulated sectors potentially leading to challenge to decisions and non-compliance

• Reputational damage

Failure to regulate in a manner that maintains public safety and confidence and is appropriate

(Risk to Delivery objectives a-c & e, Development objectives a-d)

Risk Owner:

Allan Marriott-Smith


I L I L

2 5 3

Future, should event

occur Filled identified business-critical roles

3 2

1

X

2 3

Preventative Monthly reports to HTAMG Last report October 2016

Critical incident response plan, SOPs

and guidance in place, regularly

reviewed, including by annual

training, and communicated to staff

X X Preventative

Policies etc reviewed

annually, training specification

and notes after incident

reviews

Plan updated and agreed

September 2016

Media handling policy and guidance

in place, including regular media

training for key staff & Members with

relevant scenarios, to supplement

media release and enquiries SOPs

X Preventative

Policy reviewed annually,

training specifications

Reports on media issues in

Delivery Report

Media policy to be reviewed.

Delivery report to Authority meeting November - satisfactory

Accessible lines to take and key messages for likely scenarios

X Preventative

Documented, incidents reported to Chair and in Delivery Report

Delivery report to Authority meeting November - satisfactory

Availability of legal advice X Preventative

Lawyers specified in Critical Incident Response Plan, SMT updates

In place

Fit for purpose Police Referrals Policy X Preventative

Annual review of policy

(minimum), usage recorded in

SMT minutes

Significantly revised policy presented to November Authority meeting

Onward delegation scheme and

decision making framework agreed

by the Authority

X X Preventative

Standing Orders and Authority minutes

SO reviewed and agreed

in October 2015

Regulatory decision making framework

X Preventative

Reports to Authority of key

decisions in Delivery Report

Satisfactory reports made

in November 2016

IT security controls and information risk management

X X All

SIRO annual review and

report

Internal audit reports

SIRO report made in May

2016. Last internal audit

review of IT security 2014

Business continuity plan regularly reviewed and tested

X X Preventative

Critical Incident Response Plan and notes of test, reported to SMT

Test to be undertaken in

Q4 of 2016/17

Evaluate test exercise of

incident and feedback to all

staff (SB)

March 2017

X Preventative

ASSURED POSITION | RISK/RISK OWNER | RESIDUAL RISK PRIORITY | LINE OF DEFENCE | TYPE OF CONTROL | ASSURANCE OVER CONTROL | ACTIONS TO IMPROVE MITIGATION | REF | CAUSE AND EFFECTS | INHERENT RISK PRIORITY | PROXIMITY | EXISTING CONTROLS/MITIGATIONS

Cause

• Insufficient capacity and/or capability (for instance, staff availability, multiple incidents or ineffective knowledge management)

• Failure to recognise the potential risk caused by an incident (for instance poor decision making, lack of understanding of sector, poor horizon scanning)

• Failure to work effectively with partners/other organisations

• Breach of data security

• IT failure or attack incident affecting access to HTA office

Effect

• Loss of public confidence

• Reputational damage

• Legal action against the HTA

• Intervention by sponsor

Inability to manage an incident impacting on the delivery of HTA strategic objectives. This might be an incident:

• relating to an activity we regulate (such as retention of tissue or serious injury or death to a person resulting from a treatment involving processes regulated by the HTA)

• caused by deficiency in the HTA’s regulation or operation

• where we need to regulate, such as with emergency mortuaries

• that causes business continuity issues

(Risk to all Delivery Development and Deployment objectives)

Risk owner:

Sarah Bedwell


I L I L

Ongoing

1 2 3

Active management of issues raised

by the media – including the

development of the HTA position on

issues

X Preventative/Detective

Quarterly reports to Authority on

communication (including media)

activities

Last report in Nov 2016 - satisfactory

Legal advice now gives a clearer view

of our Schedule 2, s. 20 powers X Preventative Legal advice to be followed Legal advice September 2016

Codes of practice and standards project – provides

greater clarity on matters inside and outside of

regulatory scope

April 2017

X Preventative

Proactive horizon scanning and development of policy in emerging/complex areas March 2017

X Preventative

Regular audit of function and any gaps in policy provision

Implementation of triennial review recommendations

March 2017

X

Preventative

and remedial

Plan to develop and strengthen the relationship with DIs by Quarter 4 2016/17

X

Preventative

Taphonomy -

To have policy in place

DH comfortable with policy approach

Implement regulatory changes, scheduling

purposes and prevention

X

X

X

RESIDUAL RISK PRIORITY | LINE OF DEFENCE | TYPE OF CONTROL | ASSURANCE OVER CONTROL | EXISTING CONTROLS/MITIGATIONS | ACTIONS TO IMPROVE MITIGATION | REF | RISK/RISK OWNER | CAUSE AND EFFECTS | INHERENT RISK PRIORITY | PROXIMITY | ASSURED POSITION

Log in place and reviewed at HTAMG

quarterly. New issues identified in causes

and effects

Preventative/

Detective

Stakeholder Group meeting

minutes

Authority minutes (including Public

Authority Meeting)

Last stakeholder group meeting in October

2016, Authority meeting in November 2016

Monitoring Ongoing log

Duty and its uses understood by

SMT and Chair

The duty has not been acted upon in the current business year

Quarterly Accountability meetings

with DH

Last accountability meeting in September

2016 - satisfactory.

Action where we believe it will support

public confidence (eg publication of

pregnancy remains guidance)

X Preventative

Published guidance for particular

issues (eg pregnancy remains,

and shortly, cord blood)

Pregnancy remains guidance published

March 2015

Cord blood guidance issued in March 2016

Regular reporting to DH sponsorship

team on matters which risk public and

professional confidence

Monitoring

Clear view of use of s.15 duty to report issues directly to Ministers in England, Wales and Northern Ireland as new issues emerge

X Preventative

4443

3

Log of issues known to the HTA with

respect to the legislation to inform DH

and manage messages

Active management of professional

stakeholders through a variety of

channels including advice about

relevant materials in and out of scope

Cause

External factors

• No scheduled review of Human Tissue Act and associated regulations

• Rapidly advancing life sciences

• Potential move away from the UK as base for some regulated establishments/sectors due to Brexit and changes in exchange rates

Matters which certain stakeholder groups believe require review

• Scope of relevant material e.g. waste products

• Licensing requirements e.g. transplantation research

• Regulation relating to child bone marrow donors

• Issues raised by emergence of social media e.g. non-related donors

• Strengthening of civil sanctions for non-compliance

• Implementation of the coding and import directives in light of Brexit

Matters which stakeholders/public may expect to be inside regulatory scope

• Efficacy of clinical treatment from banked tissue

• Police holdings

• Products of conception and fetal remains

• Data generated from human tissue

• Funeral directors

• Forensic research facilities

• Cryonics

• Body stores / Taphonomy

• Imported material

• Other

• Inadequate stakeholder management

Effect

• Diminished professional confidence in the adequacy of the legislation

• Reduced public confidence in regulation of matters relating to human tissue

• Reputational damage

Failure to manage public and professional expectations of human tissue regulation, in particular stemming from limitations in current legislation or misperception of HTA regulatory reach

(Risk to Delivery objective d)

Risk Owner:

Vicky Marshment


I L I L

44 4 People 4 3

1 2 3

Regularly reviewed set of people-

related policies cover all

dimensions of the employee

lifecycle

X X Preventative/Monitoring

QMS reminders as policies due for

review. SMT review of all revised

policies

Currently in the middle of a regular

review cycle

Established annual Performance

Development Planning (PDP)

process supported by mandated in

year processes (1-2-1s and mid

year review)

Standard objectives for all line

managers

X X Preventative/Monitoring

PDP guidance reviewed annually and

approved by SMT, newly introduced

countersigning officer check

Guidance issued April 2016

Regular review of HTA

organisational structure and job

descriptions

X X Preventative

Recruiting to the currently agreed

organisational structure and approved

job descriptions

Last review completed in Autumn

2015. Job descriptions reviewed as

posts become vacant

Feedback from HTA people about work, management and leadership

X X Monitoring/Detective

Staff survey, exit interviews, staff

forum (attended by SMT Member and

Head of HR)

Report of exit interview presented to Authority, Staff Survey launched in May 2016. Findings reported to the Authority in November. ARAC chair regularly discusses staff issues with chair of staff forum.

Data

Data relating to establishments

securely stored with the Customer

Relationship Management System

(CRM)

X X Preventative/Monitoring

Upgrades to CRM, closely managed changes to CRM development. Internal audit of personal data security.

Actions from the audit of personal

data security completed April 2016.

Business technology

Staff training in key business systems

X Preventative

Systems training forms part of the

induction process for new starters

Ongoing records of all new starters

trained in key business systems

IT systems protected and assurances received from 3rd party suppliers that protection is up to date

X X X Preventative/Monitoring

Quarterly assurance reports from suppliers. Monthly operational cyber risk assessments. Annual SIRO report

Cyber risk updated and reported to HTAMG in May 2016. SIRO report to ARAC in May 2016.

People

Strengthen the PDP process by introducing

structured 180 degree feedback

(AMS) 2017/18

X X All

Range of projects within the People Strategy

relating to managing and leading people, in

particular more structured management and

leadership training and development

(AMS) by March 2017

X Preventative

Currently identifying opportunities to

collaborate with others in the ALB

sector to tap into these opportunities

Data

Plans to be developed

(RS) by March 2017

Business technology

Identify refresher training and targeted

software specific training needs

(RS) by Q4 2016/17

X Preventative

ASSURANCE OVER CONTROL | ASSURED POSITION | REF | RISK/RISK OWNER | CAUSE AND EFFECTS | INHERENT RISK PRIORITY | PROXIMITY | EXISTING CONTROLS/MITIGATIONS | RESIDUAL RISK PRIORITY | ACTIONS TO IMPROVE MITIGATION | LINE OF DEFENCE | TYPE OF CONTROL

Cause

• Lack of knowledge about individuals' expertise

• Poor job and organisational design resulting in skills being under used

• Poor line management practices

• Poor leadership from SMT and Heads

• Data holdings poorly managed and under-exploited

• Inadequate business technology or training in the technology available

Effect

• Poor deployment of staff leading to inefficient working

• Disaffected staff

• Increased turnover leading to loss of staff

• Knowledge and insight that can be obtained from data holdings results in poor quality regulation or opportunities for improvement being missed

• Poor use of technology resulting in inefficient ways of working

• Inadequate balance between serving Delivery and Development objectives

Failure to utilise people, data and business technology capabilities effectively

(Risk to Delivery objectives a-d, Development objectives a-d, Deployment objectives a & c)

Risk Owner:

Allan Marriott-Smith

I L I L

5 4 4

Ongoing

Budget management framework to

control and review spend and take

early action

3 2

1

X

2

X

3

All

Budgetary control policy reviewed

annually and agreed by SMT

Last review February

2016

Financial projections, cash flow

forecasting and monitoring X Monitoring

Monthly finance reports to SMT and

quarterly to Authority. Quarterly

reports to DH

Last quarterly report

October 2016

Licence fee modelling Preventative Annual update to fees model

Update agreed by the

Authority November

2016

Rigorous debt recovery procedure X Preventative Monthly finance reports to SMT and

quarterly to Authority

Last quarterly report

October 2016

Reserves policy and levels

reserves X Monitoring

Reserves policy reviewed annually

and agreed by ARAC

Last agreed February

2016

Delegation letters set out

responsibilities X X Preventative Delegation letters issued annually Issued in April 2016

Prioritisation when work

requirements change X Preventative

Agreed business plan, monthly

HTAMG and SMT reports

Last HTAMG report May

2016

Fees model provides cost/income

information for planning X Preventative

Annual review of fees model, reported

to SMT and Authority

Update agreed by the

Authority November

2016

Annual external audit X Detective NAO report annually Last report in May 2016 -

clean opinion

Monitoring of income and

expenditure (RS)

Ongoing

X Detective

Monthly finance reports to SMT and

quarterly to Authority. Quarterly

reports to DH

Last quarterly report

October 2016

Horizon scanning for changes to

DH Grant-in-aid levels and

arrangements (RS)

Ongoing

X X Detective Quarterly Finance Directors and

Accountability meetings

Last FDs meeting Q1

2016

REF | RISK/RISK OWNER | CAUSE AND EFFECTS | INHERENT RISK PRIORITY | PROXIMITY | EXISTING CONTROLS/MITIGATIONS | RESIDUAL RISK PRIORITY | ACTIONS TO IMPROVE MITIGATION | LINE OF DEFENCE | TYPE OF CONTROL | ASSURANCE OVER CONTROL | ASSURED POSITION

Cause

• Fee payers unable to pay

• Licence fee structure doesn’t bring in sufficient fee income

• Establishments change leading to less fee income

• Increase in regulatory responsibilities

• Increased costs

• Poor budget and/or cash-flow management

Effect

• Payments delayed

• Reductions in staff and other expenditure

• Increased licence fees

• Request for further public funding

• Draw on reserves

Leading to:

• Inability to deliver operations and carry out statutory remit

• Reputational damage

Insufficient financial resources

(Risk to Deployment objective b

Risk Owner:

Richard Sydee

(AUD166-16) ANNEX B

Audit and Risk Assurance Committee Paper

Date 8 February 2017 Paper reference (AUD 166-16)

Agenda item 8 Author(s) Richard Sydee/Hazel Lofty

Sector risks and HTA’s approach to public confidence

Background

1. This paper and presentation form part of an overall programme to familiarise

Authority and ARAC members with the approach undertaken by HTA in terms

of sector specific risks and the regulatory tools available to the Authority.

2. This is the beginning of a process of looking at risk in the context of the HTA’s

inspection and regulatory regime and this session is going to look at the overall

approach before we move on to more sector-specific approaches.

3. The programme should provide assurance to the Authority and ARAC that the

approach taken in terms of HTA resources applied to sectors is appropriate to

the risk posed by each sector to the issue of public confidence.

Actions Required

4. Members are invited to:

• note approaches outlined and consider whether they are consistent with

their understanding of the risks in each sector, and

• consider what further work might be done with the wider Authority in

relation to assessing and targeting resource allocation.

Annex B – HTA Regulatory Strategy and Inspection Rationale

HTA ARAC Exploration of Risk Area: Sector risks and the HTA’s approach to protect

public confidence.

In order to inform discussion with members, the following paper sets out our current

approach to Regulation (as it appears in our current strategy) and an outline of the

rationale we use in determining the resource we deploy on inspections. ARAC

should consider this work in progress towards setting our regulatory strategy more

formally.

Extract from the HTA Strategy

The HTA aims to be a right-touch regulator which complies with the principles of better

regulation, and supports the Government’s aims with regard to deregulation.

That means that we focus our regulation on those establishments which carry out activities

with inherently greater risk to public confidence if standards are not maintained, and those

which we have assessed as being at the greatest risk of non-compliance. This approach

means that we target our resources at those areas which have the greatest impact on our

overall goal.

We undertake licensing as required by legislation to a set of licensing standards, which

are aligned with our principles and designed to promote public confidence. Assurance that

standards are being met is achieved through a variety of mechanisms.

HTA inspections take place in each sector according to the legislative requirements and

the regulatory risk in that sector, as well as the risk specific to each establishment. The

HTA’s current approach is to work with an establishment to schedule an inspection at a

mutually convenient time. We recognise the significant level of compliance and

transparency across our sectors and believe that this approach enables us to reduce the

burden of the inspection without increasing the risk of non-compliance. We do, however,

have a right of entry to licensed establishments (except those in the transplantation sector)

and, where we believe it is justified to do so, will conduct a short-notice or unannounced

inspection.

We also place reporting requirements on licensed establishments to inform us of

incidents and events posing the highest risk to public confidence and patient safety. This

allows us to take appropriate action, should things go wrong, and to ensure that lessons

learnt can be shared.

We have a statutory duty to give advice and guidance to establishments. We place great

emphasis on this so that we can bring them to compliance in partnership, rather than

dealing solely with non-compliance. This approach has enabled us to develop strong links

with representatives of the sectors we regulate. This means we are able to engage with

them about issues across the sector and gain a better understanding of the challenges they

face and, in turn, inform our regulatory policy development. Similarly, it gives them a better

understanding of our requirements. It also means that we use significant regulatory

action when appropriate and in the public interest.

HTA Inspection Rationale

Since the HTA’s inception, site-visit inspections have played a key role in providing

assurance to the HTA of compliance with statutory and regulatory requirements.

There are three factors that govern inspection scheduling. Firstly, the inspection

programme is based on an assessment of risk. By risk we mean: (i) the inherent

risk associated with the licensed activities taking place in each sector, and (ii) the

risk of non-compliance presented by individual establishments by virtue of the

complexity or volume of activity they are undertaking or their history of compliance.

So, there is a sector-wide and an individual approach to risk assessment. Biennial

compliance updates are a major source of information that inform risk assessments,

with the Head of each sector deciding on the particular approach that should be

taken at each reporting round.

The second factor is any non-risk related drivers that need to be taken into account.

For example, in the Human Application Sector, the Quality and Safety Regulations

dictate that each establishment is inspected every two years, and in the PM sector,

the opportunity to undertake a joint inspection with UKAS may influence the

inclusion of an inspection, either bringing it forward, or pushing it back, if our

assessment of risk allows.

The third and final factor in considering the scheduling of inspections is the

Regulation Manager resource available.

As a public body, we are obliged to ensure that we are efficient and economical,

focusing our resources on where regulatory action is most needed. We

acknowledge the importance of minimising regulatory and financial impacts

wherever possible, and this is a key tenet of our risk-based approach.

In 2015/16, as in the previous business year, we aimed to deliver an inspection

programme comprising around 180 site visits, including main site and satellite sites.

This is based on the resources we have had available and consideration of other

business plan priorities. In reality, in 2015/16, we conducted 233 site visits as the

intended number increased substantially once non-routine inspections, Licence

Application Assessment Visits and CAPA follow up visits had been included. Whilst

we managed to achieve this operational requirement, it placed pressure on the

resources that we had available.

Post Mortem (PM) Sector

Summary

The PM Sector has high inherent risk because of the special sensitivities around

dealing with the deceased, the potential for media interest and public concern when

things go wrong and the growing pressures on the coroners’ service, which are

impacting on mortuaries, in particular in relation to body storage. The Sector

currently comprises 247 establishments (182 main sites and 65 satellites). The

majority are within NHS Trusts, with only 22 mortuaries remaining under Local

Authority control. They undertake around 100,000 PM examinations each year.

Mortuaries are licensed for three activities: PM examination, removal of tissue from

the body of a deceased person for use for a scheduled purpose (SP) and storage of

bodies and tissue for use for a SP. There are exemptions: (i) body stores, as these

are not storing prior to disposal, which is not a SP; (ii) storage for criminal justice

purposes (although we do include these in our inspections under an agreement with

the Home Office); and (iii) specialist centres which undertake analysis for a licensed

establishment. All of these activities are subject to the consent provisions, except

when there is coroner involvement.

Risk

An assessment of risk of the potential for a serious incident informs our inspection

scheduling, using information obtained in our biennial compliance updates. Our

current prioritisation is based on a number of factors, including: the establishment’s

overall compliance score; the number of ‘red flag’ answers; the date of the last

inspection; whether the Trust is in special measures; the frequency/duration of use

of the establishment’s contingency plan in the last 12 months; HTARI history

(including lack of reports) and HTARI team members’ knowledge of establishments;

and whether there has been a recent change of DI.

Approach to inspections

We conduct around 40 PM inspections a year, bringing the cycle of inspections to

around 4 ½ years, and gather compliance information every other year. The most

recent compliance questionnaire included a scoring system that used a system of

red flags to highlight the potential for the occurrence of an HTARI based on the

responses to key questions. It also included specific questions around capacity and

contingency. Inspections typically follow the standard ‘two RMs for one day’

format, although this may vary depending on the size and nature of the

establishment, and the mix of activities – for example, if tissue for research is

stored under a PM sector licence. Occasionally, we undertake non-routine visits,

for example as the result of information we receive or the incidence of HTARIs. We

also undertake a small cohort of joint inspections with UKAS.

Other compliance activity

We require the reporting of serious incidents; we have an established process for

reviewing and responding to these and have various mechanisms for sharing the

learning gained from them with the inspection team and across the sector.

Research sector

Summary

Our licensing role in research is limited to licensing premises, such as tissue banks,

to store tissue from the living and the deceased. We also license establishments,

including establishments in the post mortem sector, for tissue to be removed from

the deceased for research. We do not license the ‘use’ of tissue for research or

approve individual research projects or clinical trials. Neither do we have a role in

the ethical approval of research although regulations to the Act allow human tissue

held for a specific research project approved by a recognised REC (or where

approval is pending) to be stored on premises without a HTA licence.

Due to the number of associated satellite sites, the total number of licensed sites in

our research sector is currently around 290, making it the largest sector we regulate

in terms of licensed sites. This figure grows each year but gives only a partial

picture of human tissue research activities, which are widely spread throughout the

establishments licensed in our other sectors. Due to the proportionate approach in

which we license, establishments licensed in our other sectors are permitted to

store human material for research and a substantial proportion of these do that.

Risk

Summary reports (of inspection and compliance update data) have confirmed that

our research establishments are highly compliant with our regulation. As the

research sector has been considered to be of low regulatory risk, inspections of

research establishments have been scheduled across longer periods of time than in

other sectors. Research establishments are selected and prioritised for inspection,

taking into account the following factors: compliance update score (linked to level of

compliance); analysis of individual responses to the compliance update questions,

including the number of what we have marked as ‘red flags’ (linked to risks); time

since the last inspection; and, incorporating establishments which were poorly

compliant with the compliance update process or where other regulatory issues had

come up in the interim.

Approach to inspections

There is a relatively small number of inspections (approx. 20 each year), and long

intervals between them, meaning that full inspections are carried out and there are

currently no plans to undertake limited scope or thematic site visit inspections.

Research activities cut across into other sectors so we also undertake

representative scrutiny of related research activities when inspecting relevant

establishments in other sectors.

Other compliance activity

Biennial compliance updates are collected and contribute to inspection

prioritisation, sector oversight and strategic planning.

Anatomy Sector

Summary

We license 36 establishments in our anatomy sector (approximately 50 licensed

sites when satellites are included), making it one of the smallest of the sectors we

regulate. In addition to anatomical examination, many facilities store and use

human tissue for other purposes, such as surgical training and research.

The anatomy sector is also involved in sensitive activities involving the bodies of

deceased people but licensed establishments are very compliant with our

regulatory framework.

Risk

Summary reports (of inspection and compliance update data) have confirmed that

our anatomy establishments are highly compliant with our regulation. As the

anatomy sector has been considered to be of lower regulatory risk, inspections of

anatomy establishments have been scheduled across longer periods of time than in

other sectors.

Anatomy establishments are selected and prioritised for inspection, taking into

account the following factors:

• biennial compliance update score (linked to level of compliance);

• analysis of individual responses to the compliance update questions,

including the number of what we have marked as ‘red flags’ (linked to risks);

• time since the last inspection;

• incorporating establishments which were poorly compliant with the

compliance update process or where other regulatory issues had come up in

the interim.

Approach to inspections

Because there are a proportionately small number of inspections (3-5 each year),

and long intervals between them, full inspections are carried out and there are

currently no plans to undertake limited scope or thematic site visit inspections. Two

unannounced inspections have taken place in the anatomy sector over the past

decade, both of which related to concerns about the dignity of the deceased being

compromised.

Other compliance activity

Biennial compliance updates are collected and contribute to inspection

prioritisation, sector oversight and strategic planning.

Public Display Sector

Summary

We currently license 14 establishments in our public display sector (16 licensed

sites, including satellites), which is the smallest of our regulated sectors. It is

considered to be low risk because of the static nature of museum collections and

the fact that many of the establishments are accredited by Arts Council England,

whose comprehensive standards include many of our requirements. The exception

to this is temporary exhibitions which take place on premises other than those of a

museum, for example Body Worlds.

Risk

The licensing requirements in this sector relate to tissue from the deceased only, so

there is always an element of public interest and the possibility of an adverse

response from the public and the media. From compliance updates and inspection

findings, we know that established museums are compliant with our standards and

subject to very little change. Against this background, it is challenging to maintain a

system of regulatory oversight that is proportionate and reflective of risk, whilst

providing the sector with recognisable value for money.

New PD establishments are inspected as part of our licensing process, whilst

existing establishments are selected and prioritised for inspection, taking into

account the following factors:

• biennial compliance update score (linked to level of compliance);

• any concerns that we have about specific establishments and

• the time that has elapsed since the last inspection.

Approach to inspections

We undertake a small number of PD inspections every year (an average, over the

last 3 years, of five per year), to maintain visibility in the sector. It is rare that we

identify a shortfall, and when we do it usually relates to aspects of governance and

quality, most commonly risk management. Often, the consent and disposal

standards are not applicable, because collections are neither being expanded nor

reduced. This means that our inspections focus on governance and quality

systems, including collections management and traceability, along with premises,

facilities and equipment.

All newly-licensed establishments are subject to a site-visit inspection prior to the

material they are displaying being put on show to the public. In this way we are

able to assure ourselves that standards are met and provide advice and guidance,

usually on matters relating to the dignity of the deceased.

Other compliance activity

Biennial compliance updates are collected and contribute to inspection

prioritisation, sector oversight and strategic planning. Establishments that are

accredited by Arts Council England are required to provide less information,

reducing the burden on them of this regular information-gathering exercise.

Human Application Sector

Summary

Under the Human Tissue (Quality and Safety for Human Application) Regulations

2007 (Q&S Regulations), the HTA licenses and inspects approximately 150

establishments that undertake the procurement, testing, processing, storage,

distribution, import and export of tissues and cells intended for human

application (HA). The HA sector is currently considered to be our highest risk

sector. In part, this is due to the potential impact that regulatory non-compliance

could have on patient safety and clinical outcomes. However, it also reflects the

complexity and diversity of the work undertaken in this sector and the heterogeneity

of the organisations licensed in this sector, which includes many commercial

organisations.

Risk

In addition to inherent risk, the HTA’s assessment of risk in this sector is based on a

number of factors including:

- recent non-routine regulatory action (e.g. RDMs, issuing of Directions /

Conditions);

- changes to a licence (e.g. change of DI, addition of new sites/activities);

- reports of serious adverse events and reactions (SAEARs) (see below);

and

- complaints / investigations.

Approach to inspections

In the HA sector, there is a statutory requirement for inspections to be carried out at

an interval that does not exceed two years. As a result of this, the HTA undertakes

approximately 70 HA inspections each year. This equates to approximately 100 site

visits each year once satellite sites are factored in. Inspections may be general

system-oriented inspections or thematic depending on the assessment of risk for an

individual establishment and can range from one-day visits involving a single

inspector for simple, low-risk establishments (i.e. a single site carrying out limited

licensable activities with only one tissue type), through to multi-day visits involving

several inspectors for more complex sites (i.e. those carrying out the full range of

licensable activities across multiple tissue types and on several sites). Our current

inspection strategy in the HA sector includes the carrying out of joint or linked

inspections with other regulators such as the MHRA, HFEA and CQC, as well as

carrying out licence application assessment visits (LAAVs) prior to granting new

licences. Non-routine inspections may be carried out in response to significant

regulatory non-compliance (i.e. critical shortfalls), SAEARs, or in relation to any on-

going regulatory action.

Other compliance activity

As in the PM sector, we require the reporting of serious incidents (termed

SAEARs); we have an established process for reviewing and responding to these

and have various mechanisms for sharing the learning gained from them with the

inspection team and across the sector. HA establishments are also required to

submit annual activity data.

Organ Donation and Transplantation sector

Summary

Inspections are referred to as audits in this sector. The HTA began regulating and

licensing this sector in August 2012 as a result of the EU Directive on the standards

of quality and safety of human organs intended for transplantation. We currently

license 37 establishments and licensing covers activities involving the procurement

and transplantation of organs. One round of audits has been undertaken so far

(2012/13) during which all 37 establishments licensed under the new regulatory

framework were audited and found to be largely compliant with our regulatory

framework.

Risk

This sector is considered high risk due to the nature and breadth of the activities

being undertaken across both living and deceased organ donation and

transplantation. In particular, regulatory non-compliance could have a serious

adverse effect on patient safety and clinical outcomes for those giving and receiving

organ and tissue transplants. Adverse outcomes and, on occasion, widespread

media attention mean there is a very real risk in terms of the loss of public

confidence if standards are not met and maintained across the sector.

Biennial compliance updates are collected and contribute to audit prioritisation e.g.

the establishment’s overall compliance score, and also provide sector oversight.

This data is useful in identifying particular areas where the HTA may wish to seek

assurance during the audits.

Approach to inspections

We audit establishments against specific criteria and gather evidence through a

combination of inspection, review, and interviews with staff involved in each aspect

of the ‘organ pathway’; this includes both living and deceased donation. The EU

Directive requires that “the framework for quality and safety should include auditing

where necessary”.

The second round of audits will begin in October 2016 as planned and this will

again include all licensed establishments in the sector. The size of the audit team

and length of audit varies depending on the complexity of the activities at the

establishment, for example the audit of an establishment transplanting kidneys only

will be shorter than the audit of an establishment transplanting multiple organs.

Other compliance activity

We have a service level agreement (SLA) with NHS Blood and Transplant

(NHSBT). This sets out a number of functions that NHSBT performs on behalf of

the HTA to assist us in meeting our obligations as the Competent Authority under

the EU Directive. Significantly, this includes the management, reporting and

investigation of Serious Adverse Events and Reactions (SAEARs) on our behalf.

These are reported to the HTA and closed once we are satisfied that appropriate

measures have been taken to prevent the SAEAR occurring again, and that shared

learning has taken place where appropriate.

AUD 166-16 (Annex C)

HTA Risk Management Strategy and Policy

Reference HTA-POL-025 Author Morounke Akingbola

Version 13.0 Owner Director of Resources

Date approved November 2015February 2017

Reviewed by SMT

Distribution HTA Internal Approved by Audit and Risk Assurance Committee

Next review due November 201February 2018

Purpose

1. The purpose of this document is to define the Human Tissue Authority’s strategic intent

for risk management and set out the roles and procedures for risk management at the

HTA now and in the future. It will be reviewed and updated formally on an annual basis.

2. The Human Tissue Authority strives to be an organisation that demonstrates good

governance practices. The environment that we operate within requires us to have in

place a proportionate and strategic approach to the day to day management of risk. The

objective is to ensure that when risks arise they will be dealt with in a manner that is

consistent with the principles and processes outlined in this document.

3. This document applies to all employees of the HTA and those seconded to work in the

HTA. There should be an active lead from managers at all levels to ensure that risk

management is a fundamental part of the overall approach to regulation, service

delivery and corporate governance.

What is risk management?

4. HM Treasury in The Orange Book Management of Risk - Principles and Concepts

describes risk as follows:

5. ‘Risk is defined as the uncertainty of outcome, whether a positive opportunity or a

negative threat, of actions and events. The risk has to be assessed in respect of the

combination of the likelihood of something happening, and the impact which arises if it

does actually happen. Risk management includes identifying and assessing risks (the

“inherent risks”) and then responding to them.’

6. Risk management is essentially about identifying and managing key obstacles to the

achievement of strategic and business objectives. It is a tool that is an integral part of

effective and efficient management and planning.

Types of risk

Strategic

Those current business risks that, if realised, could fundamentally affect the way

in which we exist or provide services in the next one to five years. These risks

will have a detrimental effect on the achievement of our strategic objectives. The

risk realisation will lead to failure, loss or lost opportunity.

Operational

Those current business risks that, if realised, could affect the way in which we

operate or provide services in the next year. These risks will have a detrimental

effect on our achievement of our business plan. The risk realisation will lead to

failure, loss or lost opportunity.

Project

Those business risks that, if realised, could affect the way in which we deliver

any specific project. The risk realisation will lead to failure, loss or lost

opportunity.

Strategic intent

7. The Authority recognises that risk management is an integral part of good governance

and management practice and to be most effective should be part of the HTA’s culture.

The Authority is committed to ensuring that risk management forms an integral part of

the HTA’s philosophy, planning and practice, rather than being viewed or practised as a

separate activity, and that responsibility for risk management is accepted at all levels of

the organisation.

8. The HTA aims to take all reasonable steps in the management of risk with the overall

objective of achieving its strategic and business objectives and protecting staff,

stakeholders, the public and assets.

9. The HTA recognises that the outcome of a risk management approach will not eliminate

risk totally. Rather it provides the means to identify, prioritise and manage the risks and

provide a balance between the cost of managing and treating risks, and the anticipated

benefits that will be derived from doing so. Risk management should not be so rigid that

it stifles innovation and imaginative use of limited resources in order to achieve

objectives.

Accepted risks

10. The HTA considers that any risk with no further action planned to address it is an

accepted risk, providing assurance is received that the controls relied upon to manage it

are in place. It is reasonable to accept a risk that under normal circumstances would be

unacceptable if the risk of all other alternatives, including doing nothing, is even greater.

11. The HTA is not willing to accept risks that may result in compromising the protection of

the public’s interests that the removal, storage and use of human tissue and organs are

undertaken safely and ethically, and with proper consent. The HTA is not willing to

accept risks that may result in financial loss or exposure, major breakdown in

information systems or information integrity, significant incident(s) of regulatory

non-compliance, potential risk of injury to staff or contractors or reputation damage.


Risk appetite

12. The total list of accepted risks forms the HTA’s risk appetite. The HTA does not set a

defined level of risk appetite for each type of risk.

Tolerated risks

13. The HTA tolerates risks that have been managed as far as is considered to be

reasonably practicable and have adequate control mechanisms in place.

14. Tolerated risks are not accepted risks. The HTA will live with tolerated risks, to secure

certain benefits or because they arise from external factors, providing they are properly

managed. If the risk gives rise to potential benefits, these outweigh the potential harm.

Tolerated risks are not disregarded – they are reviewed with the aim of reducing further

risk.

Duties and responsibilities

Role of the Authority

15. The Authority has ultimate responsibility for the management of the HTA’s risks. It

monitors the HTA’s approach to the management of risk, and its effectiveness in

managing risk. Predominantly, it considers the risks facing the HTA at the strategic

level. Its role includes:

instilling a culture of risk management:

o determining the HTA’s ‘risk appetite’ across the whole organisation or on any

relevant single issue, and reviewing this periodically as part of the strategic

planning cycle

o determining which risks are acceptable and which are not

o determining the appropriate level of risk exposure.

satisfying itself that risks are managed appropriately:

o considering the external environment and identifying emerging strategic risks

o approving the overall risk management arrangements

o approving decisions which have a major impact on the HTA’s risk profile or

exposure and satisfying itself that the HTA’s actual level of risk exposure does

not exceed that agreed

o monitoring the management of significant risks and assuring itself that risks

are tolerable

o satisfying itself that the less significant risks are being actively managed, and

that the appropriate controls in place are working effectively

o reviewing the approach to risk management and approving key changes or

improvements to processes and procedures.


Role of the Audit and Risk Assurance Committee

16. The Audit and Risk Assurance Committee reviews and tests the establishment and

maintenance of an effective system of internal control and risk management. This

process is underpinned by the internal audit function, which provides an opinion on

internal control.

17. It is the Audit and Risk Assurance Committee’s role to advise the Authority on the

effectiveness of the HTA’s internal control arrangements. As part of this role it will

advise the Authority:

annually on the HTA’s approach to risk management and overall risk management

arrangements, approving the Risk Management Strategy and Policy

periodically on the management of significant risks (following discussion with the

Senior Management Team on specific risks)

on the implications of internal audit reports

on the implications of the recommendations made by the external auditors.

Role of the SMT

18. As the SMT is the authoritative decision-making body within the HTA’s management

structure, it has the ultimate management responsibility for risk and implementation of

the HTA’s risk management strategy and reporting requirements.

19. The SMT takes the lead in ensuring that the strategy and practice remain appropriate

and fit for purpose. The SMT ensures that assessment and management of risk are an

integral feature when authorising and managing existing and new work. SMT members

are risk owners of strategic risks.

20. Specifically, SMT is responsible for:

establishing and maintaining a coherent and practical HTA-wide approach to the

management of risk, using the procedures set out in this document

maintaining the HTA’s Risk Management Strategy and Policy

identifying and managing the strategic risks faced by the HTA for consideration by

the Authority

reviewing strategic risks on a monthly basis

periodic review of the effectiveness of the HTA’s risk management arrangements

SMT delegates responsibility to Heads for identifying and managing the operational

and project risks faced by the HTA.

Role of HTAMG

21. Chaired by the Chief ExecutiveStrategy & Quality, the HTA Management Group

(HTAMG) consists of SMT and Heads. It meets monthly and reviews performance on

objectives, risk and progress on projects. HTAMG ensures that operational and project

risks are reported, managed and escalated as necessary.


22. Specifically, HTAMG is responsible for:

monthly review of the management of operational risks and maintenance of the

operational risk register

quarterly oversight of operational risks alongside strategic risks to ensure the two

remain aligned and to provide a mechanism whereby operational risks can be

escalated to strategic risks should this prove necessary.

HTA Groups

Groups that the HTA has set up that include stakeholders (Stakeholder Group,

Histopathology Working Group, Transplant Advisory Group) provide a valuable opportunity

to gain stakeholders’ views on risks. The lead HTA member of staff for each of these groups

should ensure that the group has an opportunity to identify and review relevant risks for the

HTA.

Director of Resources

23. The Director of Resources acts as central reference point for all risk management

issues within the HTA. The Director facilitates and oversees the risk management

processes, but does not act as the “risk manager” for all risks, as the HTA recognises

that risk management forms an integral part of all functions.

24. The Director is responsible for the maintenance of the Strategic Risk Register.


HTA in a wider risk context

25. The HTA engages with the Department of Health ALB Risk Network which

meets regularly throughout the year. This is a forum for discussing common risk

issues and systemic risks and the approach of the Department towards risk

management.

26. HTA have committed to consider system-wide and common, interdependent,

risks


Procedures

Approach to risk management

27. The starting point for risk management is a clear understanding of what the

organisation is trying to achieve. Risk management is about managing the threats that

may hinder delivery of priorities and core functions, and maximising opportunities that

will help to deliver them. It should take into account the environment within which the

HTA operates.

28. The risk management process should be kept as simple and straightforward as

possible. It should:

start from objectives

put the primary focus on significant risks and related controls

record details in risk registers

regularly monitor progress

allocate risk management responsibilities to individuals

link actions to manage risks to personal and business plans

not be so complicated that it alienates management and staff.

29. Risk management involves a 5-stage process, as shown below:

Stage 1 – Risk identification

30. The first step is to identify the ‘key’ risks that could have a significant adverse effect

on us or prevent key strategic or business objectives from being met. It is important that

those involved with the process clearly understand the service or organisation’s key

business objectives i.e. ‘what it wants to achieve’ in order to be able to identify ‘the

barriers to achievement’.

31. Details of any new risks should be raised with the Director or the Head concerned to

be considered for recording on the Strategic or the Operational Risk Register

respectively. Project risks are recorded by the project manager, using the system in

place for specific projects, and are escalated to the operational and strategic risk

registers through HTAMG and SMT as necessary.

32. SMT should consider the current portfolio of risk in coming to a decision whether to

accept new strategic risk and HTAMG should do the same for operational risks. SMT or

HTAMG will also confirm or make changes to the new risk, assign a risk owner and

agree any further action to be taken to manage the risk.

33. Risk identification also includes identifying opportunities, where the outcome is

uncertain, and these may be managed using the process set out here. However,

strategic considerations about whether to exploit opportunities are made by the

Authority.

Figure: The risk management cycle (Identification, Analysis, Prioritisation, Management, Monitoring)


Risk interdependencies

34. Extended Enterprise is the term used to describe risk interdependencies between

organisations. As part of a wider group consisting of the DH and all its ALBs, a review

of three types of risk needs to be undertaken as part of the risk identification process.

Furthermore, escalation of any such risks needs to be factored into our process.

35. The three types of risk to identify are:

1) Type 1. A system-wide risk that affects a number of different ALBs (or in some cases all of them including DH, e.g. cyber security);

2) Type 2. A risk identified in one ALB or DH that will affect another; and

3) Type 3. A risk caused by processes and controls in place at one ALB or DH that may lead to a risk in another ALB or DH.

36. Whilst the HTA needs to ensure the above is conducted consistently, there must also

be a means of communicating or feeding back any risks that have materialised from the

above. The forum or process for this will be via an ALB wide forum (see para 44).

Stage 2 – Risk analysis

37. There are three important principles for analysing risk:

consider the likelihood and impact for each risk

be clear about the difference between inherent and residual risk

record the assessment of risk in a way which facilitates monitoring and prioritisation

of risks.

38. Having identified new risks, the following details should be provided to SMT or

HTAMG so that they can be recorded in the relevant risk register. The implications of

project risks should be considered and significant ones included in the appropriate

register. The details should include:

A description of the risk, its cause and the effect on the HTA if the risk

materialised

An assessment of the inherent[1] impact of the risk if there were no mitigating

strategies in place to manage the risk. This should be measured on a scale of 1 to

5 as detailed in the following table

[1] The concept of inherent and residual impact and likelihood is taken from the Orange Book.


| Impact | Finance | Service Quality/Objective | Health & Safety | Reputation |
| --- | --- | --- | --- | --- |
| (5) Catastrophic | Above £2.1m (50+%) | Complete failure of services. Patient death due to HTA negligence. | Fatality (Staff, members and visitors etc…). | Significant reputation damage is causing government intervention e.g. inquiry, Management and/or Authority re-structure. |
| (4) Major | £1m to £2.1m (15 to 50%) | Significant reduction in service quality expected. Not delivering statutory remit. | Serious injury occurring. | Reputation damage occurs with the Key Stakeholders (Opinion Leaders) such that their overall confidence in HTA is affected. |
| (3) Moderate | £500k to £1m (7.5 to 15%) | Service quality impaired leading to temporary suspension of non-statutory remit. | Very minor injury. | Localised reputational damage e.g. within a sector/geographical area. |
| (2) Minor | £50k to £500k (0.75 to 7.5%) | Marginally impaired, stakeholder expectations are not met (non-statutory). | No injury. | Temporary reputational damage, (e.g. practitioner confidence/local media/individuals). |
| (1) Almost None | Below £50k (less than 0.75%) | Negligible effects on service quality. | | No effects on reputation. |

NB. The above figures are calculated as an approximate percentage of the HTA’s turnover

(total annual income) of £4.2m.


An assessment of the inherent likelihood of the risk materialising. This should

also be measured on a scale of 1 to 5 as detailed below:

| Likelihood | Chance of occurring |
| --- | --- |
| (5) Almost certain | Above 90% chance of occurring |
| (4) Likely | 50 – 90% |
| (3) Possible | 10 – 50% |
| (2) Unlikely | 3 – 10% |
| (1) Rare | Less than 3% chance of occurring |

A summary of the controls in place and assurance sources that will confirm

whether key controls are operating effectively

An indication of the residual impact and likelihood using the same scoring system

shown above. The residual score indicates the level of the risk once the controls

have been put in place and action has been taken

A suggested owner for the risk.

39. SMT or HTAMG will record the details of the new risk in the relevant risk register and

calculate an inherent score and residual score by multiplying the scores for impact and

likelihood using the risk matrix shown below.


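Risk matrix

| Impact \ Likelihood | (1) Rare | (2) Unlikely | (3) Possible | (4) Likely | (5) Almost certain |
| --- | --- | --- | --- | --- | --- |
| (5) Catastrophic | 5 | 10 | 15 | 20 | 25 |
| (4) Major | 4 | 8 | 12 | 16 | 20 |
| (3) Moderate | 3 | 6 | 9 | 12 | 15 |
| (2) Minor | 2 | 4 | 6 | 8 | 10 |
| (1) Almost None | 1 | 2 | 3 | 4 | 5 |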

Stage 3 - Risk prioritisation

40. Once risks have been identified and analysed, they require a priority to be applied.

41. In line with the colour coded quadrants of the risk matrix above, once risks have been

assigned a score they will fall into one of the following four groups which will determine

the manner in which they will need to be managed:

Primary Group (red) – Where risk management should focus most of its time.

Risks that fall into this group will require immediate attention. Both the status of the

risk, with regard to its effect on the organisation’s activities, and the progress of action

taken to ensure its effective completion will need to be monitored.

Contingency Group (amber) – Where risk management will ensure that

contingency plans are in place. Risks that fall into this group may require

immediate action but will require to be monitored for any changes in the risk or

control environment which may result in the risk attracting a higher score.

House Keeping Group (yellow) – Basic mechanisms should be in place, (risk

management will confirm). Risks that fall into this group will require to be monitored

by management.


Negligible Group (green) – Where risk is so minimal it does not demand specific

attention. Risks that fall into this group will require review only, but no further

action.

42. New risks that are classified as primary should be brought to the attention of the SMT

immediately to enable the risk to be reviewed and actions to be quickly identified.

Stage 4 - Risk Management

43. Once a risk has been identified, analysed and prioritised, it will be possible for the

organisation to decide whether to take further action to address the risk and if so what

type of action. When deciding how best to manage risks, it is useful to ask the following

questions:

how to prevent it from happening - either by putting some controls/counter-

measures in place or putting the project or activity in a position where it would have

no impact

how to reduce the risk - what action is needed to reduce the probability of the risk

happening

how to maximise opportunities

what to do if the risk does occur - outline some contingent activities

what are the implications of accepting the risk - ensuring that all the stakeholders

are aware of the possible consequences.

44. There are several response options that can be taken to address the risks that have

been identified. These are set out in the following table. The final two seek to maximise

opportunities.

| Response options to risks and opportunities | Description |
| --- | --- |
| Terminate or avoid | An informed decision not to be involved in, or to withdraw from, an activity, in order not to be exposed to a particular risk. Used if risks are not acceptable or outweigh the benefits. |
| Treat - reduce or mitigate | Take action to reduce the likelihood of a risk, or its impact if it does arise. |
| Transfer or share | This option aims to pass at least part of the risk to a third party. Insurance is the classic form of transfer, where the insurer picks up the cost if the risk materialises, but the insured retains the impact on other objectives. Contracting or working in partnership are other means. |
| Tolerate | Tolerated risks are risks that the organisation lives with and keeps under review. The risks have been managed as far as is considered to be reasonably practicable and have adequate control mechanisms in place. |
| Accept | Here the organisation “takes the chance” that the risk will occur, with its full impact if it did. There is no change to residual risk, or no actions, with this option, but neither are any costs incurred now to manage the risk, or to prepare to manage the risk in future. |
| Enhance | The opportunity equivalent of mitigating a risk. Enhancing an opportunity seeks to increase the likelihood of it occurring and/or the impact of the opportunity in order to maximize the benefits. |
| Exploit | The opportunity equivalent of avoiding a risk. Exploiting an opportunity seeks to make the opportunity definitely happen (i.e. increase likelihood to 100%). Aggressive measures are taken which seek to ensure that the benefits from this opportunity are realised. |

45. The risk owner will be responsible for:

managing the risk and ensuring that any agreed controls and/or actions to manage

the risk are planned and carried out

evaluating the effectiveness of the controls in place, any subsequent actions

required and considering whether further action is needed

updating the Risk Register and informing SMT or HTAMG about any changes

made to reflect changes in circumstances.

46. The risk owner is also responsible for periodic action to obtain the assurances

specified and to report on their effectiveness.

Stage 5 - Monitoring

47. The Risk Registers should be monitored regularly to be able to close risks down

when their likelihood has passed or to add new risks in the light of new

information. Additionally, levels of inherent and residual risk should be assessed and

controls added or amended as appropriate, separated between those planned and

those implemented.

48. The Risk Registers serve as an essential tool for monitoring and reporting on the

actions selected to address risks. Some of the actions may have only been to monitor

the identified risk for signs of a change in its status. Monitoring risks will also consist of:

checking that execution of the planned actions is having the desired effect

watching for the early warning signs that a risk is developing

modelling trends, predicting potential risks or opportunities

checking that the overall management of risk is being applied effectively.

49. It should be noted that as risk management is an on-going and iterative process, the

status of existing risks will change and new risks will arise. This means it will be

necessary from time to time to return to any one of the five stages of the process as

outlined above in relation to a particular risk.


Sources of Assurance

50. The strategic risk register provides for controls to be categorised into lines of defence

and whether they are preventative or detective. In this way, the balance of controls can

be identified in order to determine how appropriate and effective controls might be.

51. The three lines of defence are:

1 – embedded in the business operation, such as policies or management checks

2 – corporate oversight, such as review by the Authority

3 – independent of the HTA, such as internal or external audit reviews, or assurance

gained by the Department of Health

52. Assurance that controls are operating effectively may be gained from:

Internal audit reports

External audit reports

Feedback from the Department of Health

Other feedback following review (e.g. external or peer)

HTA documents (e.g. minutes, SMT or Authority papers reporting performance)

Reports from Directors and staff, orally or in writing

Checklists.

53. The key sources of assurance used to monitor the effectiveness of controls to manage

specific risks are set out in the HTA’s risk registers.

54. The strategic risk register includes the assured position - when assurance that the

control is working properly was last obtained and in what form. Gaps are identified in

red text for further action.

Alignment of risks with organisational objectives

55. All risks should be mapped or aligned with the organisational objectives contained in

the HTA Strategy and Business Plan. The linkage between objectives and risks should

be documented on the risk registers and in the strategic and business plans of the

organisation.

56. Failure to align strategic objectives with strategic risks, and business objectives with

business (operational/project) risks will result in a reduced likelihood that all risks

relating to organisational objectives have been identified and are subject to appropriate

mitigation.

57. Management should also review the relationship between strategic and business

objectives and strategic, operational and project based risks to ensure that all risks

relevant to the objectives have been identified and that all risks currently monitored are

genuinely risks.


Audit and Risk Assurance Committee Paper

Date: 8 February 2017

Paper reference: AUD 166-16 (Annex D)

Agenda item: 8

Author: Richard Sydee

Department of Health Risk Interdependencies

Background

1. In June 2016 a Department of Health Internal Audit report outlined a number of

significant weaknesses in the reporting and understanding of risk

interdependency between the Department and its Arms Length Bodies (ALBs).

2. The full report has been attached for information; for convenience, an extract

outlining the main findings and recommendations is provided below.

Review conclusion

2.1 The overall rating for the report is LIMITED – there are significant weaknesses

in the framework of ‘risk interdependencies’ governance, risk management and

control such that it could be or could become inadequate and ineffective.

2.2 We found that the risk management framework in place across the DH and

ALBs to facilitate reporting and escalation of risk interdependencies is inadequate;

and roles and responsibilities are not clearly understood or communicated………

2.4 Our conclusion is based on evidence from our fieldwork which found (in relation

to risk interdependencies):

DH is not considered to play an active role in facilitating identification and

management of risk interdependencies (finding 1);

Sponsor Teams play an inconsistent role in risk management (finding 2);

Neither the DH Risk Management Policy nor individual ALB risk policies

adequately cover risk interdependencies (finding 3);


The DH Strategic Risk Register does not include interdependencies and is

not shared with ALBs (finding 4);

ALBs work in silos and/or focus on bilateral relationships that arise on an

ad hoc basis (finding 5); and

There is a difference between assumed and actual activities at different

levels of the governance structure within each ALB (finding 6)……

3.4 Section 2 of this report includes specific and detailed recommendations against

observations. However, the recommendations below are a useful summary

encapsulating common themes:

Confirm the role of the Department and Sponsor Teams in the

identification and management of risk interdependencies amongst

ALBs

Confirm the role and responsibilities of the ALBs in managing risk

interdependencies

Strengthen risk management policy (at the DH and ALB levels) to

include specific guidance on interdependencies

Facilitate regular meetings between counterparts of ALB sponsor

teams, risk management individuals, and Audit Chairs, to discuss

ALB objectives, plans and risks

Make modifications to risk registers in place to encourage the

identification of interdependencies and to ensure actions are

assigned.

HTA assessment of key risk interdependencies

3. HTA regulation has its own distinct statutory basis and is, to a significant

extent, ring-fenced from much of the wider system. As a result, relatively few of

the strategic risks managed by the HTA are risks to the wider health and care

system.

4. Having said this, in preparation for its attendance at the DH Audit and Risk

Committee, SMT did make an assessment of where it saw the key risk

interdependencies with the wider health system. It is important to note that the

risks identified as part of this assessment are already identified as strategic or

operational risks and do not, therefore, have a separate risk management

procedure.

5. The most significant risk to the HTA from the wider system remains the fact that

licence fees are funded in large part from public sector bodies, with NHSBT

being the single largest fee payer. Financial pressures on the NHS may result


in delays, or potentially defaults, in fee payment. This risk is managed as part

of strategic risk five.

6. The HTA also shares responsibility with DH for some system-wide risk (to

public confidence – if ineffectively managed) as a result of a number of issues

outside of our direct remit, but where we are considered the most appropriate

organisation to act. Examples include leading on and issuing guidance for

professionals on the disposal of pregnancy remains, working to agree an

approach to human tissue held by the police following investigations and the

emerging issues of cryonics and taphonomy.

7. The HTA also identifies risks that need to be brought to wider attention, or

managed elsewhere in the DH system. For example, we were able to identify

system-wide concerns about mortuary capacity during the winter months, or at

the time of a major incident, and now play an active role in information

gathering to support central planning. These risks are managed as part of

strategic risk three.

8. The HTA does mitigate some system-wide risk, by regulating the use of human

tissue, especially for human application. Ensuring that tissue and organs for human

application and transplantation are of a specified quality, and that there are processes

in place to ensure the safety of patients, makes us part of the value chain

across the NHS seeking to achieve high quality outcomes for patients.

9. The reporting processes in place for serious adverse events and reactions in

the human application and transplantation sectors allow us to ensure early

notification is provided to clinicians and patients, minimising risk.

10. Finally, we have formal joint working arrangements in place with a number of

other regulators: MHRA; CQC; HRA and HFEA, to ensure that, where

information is obtained by one regulator that may be relevant to the remit of

another, this is shared.

Actions Required

11. Members are invited to:

note the findings of the DH report, and

consider any actions that may be required by ARAC in order to support

the recommendations.


Appendix A


Audit and Risk Assurance Committee Paper

Date 27 January 2016 Paper reference AUD 167-16

Agenda item 10 Author Morounke Akingbola

Reserves policy and update on policies and procedures review

Purpose of paper

1. The purpose of this paper is to give the Committee an overview of the finance

policies that SMT approve and to present the reviewed Reserves policy for

ARAC approval.

Action

2. The Committee is asked to:

approve the Reserves policy (Annex A)

note the reviews of other policies (Annex B)

Decision making process to date

3. SMT has agreed the Reserves policy, and approved the approach set out in

Annex B.

Background

4. All policies and procedures in the HTA should be reviewed periodically, at least

annually and sometimes more frequently. As a result, there is a culture of

ongoing review and a commitment to continuous improvement.

5. There is also good version control in existence, which enables anyone to track

any changes made.


Reserves Policy

6. The reserves policy has been reviewed by the Director of Resources and the

Head of Finance. No changes to minimum cash reserve levels are proposed.

The level of minimum cash reserves remains at £1.8m to reflect cashflow and

emergency needs.

7. Cash reserves at the start of 2016/17 were £2.7m, with total reserves standing

at £3.4m.

Other finance policies and procedures

8. Annex B sets out the full range of finance policy and procedure documents

approved by ARAC and SMT, together with their present status.

Annex A – Reserves policy

Annex B – Overview of policies and procedures


AUD167-16 ANNEX A

Reserves Policy Version number 15.0 Date last approved February 20176

Reference HTA-POL-049 Next review due February 20187

Author(s) Sue GalloneHead of

Finance

Owner Director of Resources

Reviewed by HTA SMT Distribution HTA SMT & Authority

Approved by Audit and Risk

Assurance Committee

Purpose

1. The purpose of this policy is to ensure that both the Executive and Authority of the HTA

are aware of the minimum level at which reserves need to be maintained and the

reasons for doing so.

Principle

2. An organisation should maintain enough cash reserves to continue business operations

on a day-to-day basis and in the event of unforeseen difficulty. It is best practice to

implement a reserves policy in order to guide key decision-makers.

Reserves Policy

3. The HTA has a reserves policy as this demonstrates:

a) transparency and accountability to licence fee payers and the Department of Health;

b) good financial management;

c) justification of the amount it has decided to keep as minimum reserves.

4. The following factors have been taken into account in setting this reserves policy:

a) risks associated with its two main income streams, licence fees and Grant-in-aid,

differing during the year from the levels budgeted;

b) likely variations in regulatory and other activity both in the short term and in the

future;

c) the HTA’s known and likely commitments.

5. The policy requires reserves to be maintained at a level that ensures the HTA’s core

operational activities continue on a day-to-day basis and, in a period of unforeseen

difficulty, for a suitable period (refer to para 10 and 11).


Reserves Policy HTA-POL-049

Version 15.0, last reviewed February 2015


Cashflow

6. To enable sufficient cover for day-to-day operations, a cash flow forecast is prepared at

the start of the financial year which takes into account the timing of when receipts are

expected and payments are to be made. Cash reserves are needed to ensure sufficient

working capital is available throughout the year.

7. Normally the HTA experiences negative cashflow (more payments than receipts) in the

months July to August and again from November to April, due to the need to meet costs

before licence fees are received. On review of the 2016/17 cashflow, we have noticed a

slight change in that we are more efficient at collecting our debts which has increased

the number of months where we are in negative cashflow. This does not significantly

change our level of reserves. Our cash balances are at their lowest in April and

therefore our reserves should be maintained so that there is always a positive

cash balance.

8. The HTA is also mindful of the financial risks it faces, in particular that we may be

required to undertake additional activities not planned or make additional spend not

costed within budget. While every effort would be made to cover costs within the budget

allocated for the year, it may be necessary to use reserves to meet the cashflow needs

arising from additional necessary spend.

9. Funds of £1.2m are needed to provide for adequate cashflow.

Unforeseen difficulty

10. The level of reserves required for unforeseen difficulty is based on two elements:

salaries (including employer on-costs) and the cost of accommodation. These are

deemed to be fixed costs that would have to be paid in times of unforeseen difficulty with

all of the HTA’s other running costs being regarded as semi-variable or variable costs

and thus excluded from this calculation. These two areas currently represent 75% of the

HTA’s total annual budget.

11. The certainty and robustness of HTA’s key income streams and the predictability of fixed

costs, as well as the relationship with its sponsor, DH, indicate that 2 months’ salary and

accommodation costs is a prudent, but sufficient, minimum level of reserves to hold.

12. Based on the HTA’s current revenue budget, the combined monthly cost of salaries and

accommodation is around £300k. A reserve of two months would therefore be £600k.

Minimum reserves

13. The HTA’s minimum level of reserves for 20167/178 will be maintained at a level that

provides £600k for unforeseen difficulty and meets cashflow needs of £1.2m. The minimum

cash reserves required for 20167/178 is £1.8m. These reserves will be in a readily

realisable form at all times.

Commented [MA1]: Not proposing to increase this despite the slight shift in 2016/17

Commented [MA2]: This is based on 2017/18 staff budget but does not take into account potential rent increase


14. Each month quarter the level of reserves will be reviewed by SMT as part of the HTA’s

ongoing monitoring of its cash flow.

15. Each autumn as part of the HTA’s business planning and budget setting process, the

required level of reserves for the following financial year will be reassessed.

16. In any assessment or reassessment of its reserves policy the following will be borne in

mind:

a) the level, reliability and source of future income streams;

b) forecasts of future, planned expenditure;

c) any change in future circumstances - needs, opportunities, contingencies, and risks –

which are unlikely to be met out of operational income;

d) an identification of the likelihood of such changes in these circumstances and the risk

that the HTA would not be able to meet them.

17. The HTA will include in its annual report and accounts a short statement about the level

of reserves held and the reasons for holding these.

18. HTA’s reserves policy will be reviewed annually by the Audit and Risk Assurance

Committee.

Revision history

19. Document each version or draft providing a simple audit trail to explain amendments.

Date Version Comments

30.07.09 0.3 Approved by the Authority

12.11.10 0.4 Approved by the Authority

31.01.12 0.5 Reviewed - minor change

31.12.12 0.6 Reviewed - minor change

07.02.13 0.6 Approved by Audit Committee

14.10.13 0.7 Amended

02.01.15 0.8 Amended

04.02.15 15.0 Approved by ARAC

22.01.16 15.1 Reviewed and amended

27.01.17 15.2 Reviewed and updated


(AUD 167-16) Annex B


Policy/Procedure & document reference | Purpose of policy/procedure | Status

Procurement Policy, Doc Ref HTA/POL/027 | Policy covers the authorisation process for purchases of different values | Reviewed Jan-17 – no changes

Financial Policies and Procedures Manual, HTA/POL/028 | This is a compendium of key finance policies in one document. Links and cross-references to individual policies are made within this document. | Reviewed in Aug-16. Cosmetic changes

Budgetary Control Policy, HTA/POL/031 | Policy deals with the budget-setting process of the HTA and includes a draft timetable | Reviewed Jan-17 no changes

Expenses Policy, HTA/POL/032 | Policy covers reimbursement of Travel, Subsistence and other expenses | Reviewed Aug-16, hyperlinks amended (links to forms for staff).

Reserves Policy, HTA/POL/049 | Policy states the minimum level of cash reserves that the HTA should ideally keep as a contingency | Due for ARAC review Feb-17 meeting

Antifraud Policy, HTA/POL/050 | Policy covers definitions of fraud, responsibilities of HTA employees | Reviewed Jan-17 – no significant changes

Whistle-blowing Policy, HTA/POL/017 | Policy covers procedure to be followed if they have concerns about improper behaviour | Reviewed Jan-17 (late due to staff changes) – contacts updated – change to ARAC Chair and Staff Champion


Audit and Risk Assurance Committee Paper

Date 30 January 2017 Paper reference AUD 168-16

Agenda item 12 Author Morounke Akingbola

Review of gifts and hospitality register

Purpose of paper

This paper details the review conducted of the HTA’s gifts and hospitality register.

Recommendations

Members are invited to:

Note the declared gifts and hospitality received by HTA staff

Agree the proposed minor changes to process

Gifts and Hospitality

3. HTA staff are aware that they have a responsibility to declare any gifts or

hospitality received. Our Expense Policy refers to this as does the Finance

Procedures manual.

4. The current process adopted for declaration requires that staff inform the Head

of Finance via email detailing from whom the gift/hospitality was offered or

received, the value if known and the date. This is to be done within 5 working

days of the offer.

5. Where gifts or offers of hospitality are above the de minimis limit (£25 or deemed

to be a working lunch), the Director of Resources should be informed and s/he

would consider whether the offer should be accepted and how any gift should be

retained or distributed.

6. From 2009 to present day, there have been 15 items declared. Of the 15, almost

half were below the de minimis value.

7. Below is an analysis of gifts and hospitality from the above period.


No. | Provision/receipt of gifts or hospitality | Type (explanation) | Value (£)

2 | Provision | Lunch, teas, coffees for members of the public. This was provided as part of the Public Outreach Project | £196 (Sept 2011) £352 (Oct 2011)

1 | Receipt | Cases of wine – provided by company who hosted our website. Provided as a thank you for work completed over Christmas | £171

1 | Receipt | Amazon voucher – participation in a survey | £100

3 | Receipt | Dinners attended by Directors; Internal Auditors, Law firm and Advocacy Group | Not specified

1 | Receipt | Afternoon tea, Spa day and Hotel Chocolat | £3 Chocolates, Dinner and Spa day unknown value.

7 | Receipt | Ranging from souvenir pens, ornamental chopsticks, wooden carvings of scenes of Singapore | Value unknown

15 | Total

8. In terms of adopting best practice we propose to make minor amendments to

HTA expenses policy to:

routinely remind staff of gifts and hospitality rules and ask them to ensure

that all offers, whether accepted or declined, are recorded

state that any offers above the de minimis limit should be declined unless:

i. to do so would cause significant embarrassment or

ii. where acceptance of an offer of hospitality has clear reputational

or operational benefits to HTA


Audit and Risk Assurance Committee paper

Date 8 February 2017 Paper reference AUD 169-16

Agenda item 13 Author Richard Sydee

Caldicott Review 2016 - Review of Data Security, Consent and Opt-Outs

Background

1. The 2013 Information Governance Review, known as Caldicott, made a series

of recommendations which still hold good today. These included the need for

boards and leaders to actively ensure that their organisation is competent in

information governance practice, the inclusion of information governance as a

core part of training and continuous professional development, and

recommended actions to ensure the effective regulation of organisations’ use of

personal confidential data.

2. In January 2015, Dame Fiona Caldicott and her advisory panel published a

report examining the first year of implementation of the 2013 recommendations.

This report recommended that individuals must be able to opt out of data

sharing arrangements and be confident that their wishes are being respected

consistently across the system.

3. With respect to data security and consent, the 2016 Review builds on

these two reports and makes a further 20 recommendations which are

contained in Annex A to this paper. It is suggested that recommendations 3, 4,

6, 10 and 15 may have some relevance for HTA.

4. In addition Members will also wish to note the three leadership obligations on

page 22 of the report which provide a helpful summary of the data security

standards.

Recommendation


5. Members are asked to

note the content of the recommendations contained in Annex A and

consider whether any specific recommendations should be adopted

ahead of the HTA’s annual Information Governance Report in May

2017.

Agree the appointment of Nicholas Bare as Caldicott Guardian for

HTA

Report

6. It is a Cabinet Office (CO) requirement that boards receive assurance about

information risk management. The Senior Information Risk Officer (SIRO)

makes an annual report to the Accounting Officer and this is due in May 2017.

7. In previous years the SIRO has reviewed the NHS Information Governance

Toolkit (IGT), which is the main product from previous Caldicott reviews, and

concluded that the HMG Security Policy Framework (SPF) provides for the

most suitable assessment as HTA does not use the patient information in the

same way as the NHS institutions at which the IGT is aimed.

8. The HTA does store information on living organ donors and recipients as well

as some records from a small number of establishments who have revoked

their licence for traceability purposes. This does include patient information

and in 2014 we appointed Allan Marriot-Smith as Caldicott Guardian to help

protect that information. It is proposed that Nicholas Bare now take on this role.

9. As SIRO I share the view of my predecessor that the majority of these

recommendations are aimed at NHS bodies and as such to adopt the revised

IGT as our main tool for assessment would not be appropriate. However,

should the committee feel that upon review of these recommendations we

should adopt some specific recommendations we will incorporate these into the

May 2017 review.

10. There is a good understanding of the need to protect data and motivation to do

so at the HTA, and although we have an excellent track record in this area we

should not be complacent. We will continue to review our approach to this

important area and ensure that we monitor how we record, protect data and

make the public aware of the data we hold.


Annex A – Recommendations from 2016 Caldicott review

Data security

Recommendation 1: The leadership of every organisation should demonstrate clear

ownership and responsibility for data security, just as it does for clinical and

financial management and accountability.

Recommendation 2: A redesigned IG Toolkit should embed the new standards,

identify exemplar organisations to enable peer support and cascade lessons

learned. Leaders should use the IG Toolkit to engage staff and build

professional capability, with support from national workforce organisations and

professional bodies.

Recommendation 3: Trusts and CCGs should use an appropriate tool to identify

vulnerabilities such as dormant accounts, default passwords and multiple logins

from the same account. These tools could also be used by the IT

companies that provide IT systems to GPs and social care providers.

Recommendation 4: All health and social care organisations should provide

evidence that they are taking action to improve cyber security, for example

through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should

be tested in a wider number of GP practices, Trusts and social care settings.

Recommendation 5: NHS England should change its standard financial contracts to

require organisations to take account of the data security standards. Local

government should also include this requirement in contracts with the

independent and voluntary sectors. Where a provider does not meet the

standards over a reasonable period of time, a contract should not be extended.

Recommendation 6: Arrangements for internal data security audit and external

validation should be reviewed and strengthened to a level similar to those

assuring financial integrity and accountability.

Recommendation 7: CQC should amend its inspection framework and inspection

approach for providers of registered health and care services to include

assurance that appropriate internal and external validation against the new

data security standards have been carried out, and make sure that inspectors

involved are appropriately trained. HSCIC should use the redesigned IG Toolkit


to inform CQC of ‘at risk’ organisations, and CQC should use this information to

prioritise action.

Recommendation 8: HSCIC should work with the primary care community to ensure

that the redesigned IG Toolkit provides sufficient support to help them to work

towards the standards. HSCIC should use the new toolkit to identify

organisations for additional support, and to enable peer support. HSCIC should

work with regulators to ensure that there is coherent oversight of data security

across the health and care system.

Recommendation 9: Where malicious or intentional data security breaches occur,

the Department of Health should put harsher sanctions in place and ensure the

actions to redress breaches proposed in the 2013 Review are implemented

effectively.

Consent/opt-out

Recommendation 10: The case for data sharing still needs to be made to the public,

and all health, social care, research and public organisations should share

responsibility for making that case.

Recommendation 11: There should be a new consent/ opt-out model to allow

people to opt out of their personal confidential data being used for purposes

beyond their direct care. This would apply unless there is a mandatory legal

requirement or an overriding public interest.

Recommendation 12: HSCIC should take advantage of changing its name to NHS

Digital to emphasise to the public that it is part of the NHS ‘family’, while

continuing to serve the social care and health system as a whole.

Recommendation 13: The Government should consider introducing stronger

sanctions to protect anonymised data. This should include criminal penalties for

deliberate and negligent re-identification of individuals.

Recommendation 14: The forthcoming Information Governance Alliance’s guidance

on disseminating health and social care data should explicitly refer to the

potential legal, financial, and reputational consequences of organisations failing

to have regard to the ICO’s Anonymisation Code of Practice by re-identifying

individuals.

Recommendation 15: People should continue to be able to give their explicit

consent, for example to be involved in research.


Recommendation 16: The Department of Health should look at clarifying the legal

framework so that health and social care organisations can access the

information they need to validate invoices, only using personal confidential data

when that is essential.

Recommendation 17: The Health Research Authority should provide the public with

an easily digestible explanation of the projects that use personal confidential

data and have been approved following advice from the Confidentiality

Advisory Group.

Recommendation 18: The Health and Social Care Information Centre (HSCIC)

should develop a tool to help people understand how sharing their data has

benefited other people. This tool should show when personal confidential data

collected by HSCIC has been used and for what purposes.

Next steps

Recommendation 19: The Department of Health should conduct a full and

comprehensive formal public consultation on the proposed standards and opt-out

model. Alongside this consultation, the opt-out questions should be fully

tested with the public and professionals.

Recommendation 20: There should be ongoing work under the National Information

Board looking at the outcomes proposed by this consultation, and how to build

greater public trust in data sharing for health and social care.
