Corporate Risk and Assurance Report 2016-17

Paper BSO 101/2016

22 December2016

Board

Corporate Risk and Assurance Report 2016-17

1. Purpose of this report

The purpose of this report is to record changes to the Corporate Risk & Assurance Report made between September and December 2016 and to outline progress made to date on risk actions.

2Changes to Corporate Risks

New Risks – HMRC have requested that public sector pension schemes undertake a reconciliation exercise by December 2018 to ensure that contracted out employment details match those held by HMRC. This work carries a substantial resource requirement for which the HSC Pensions Service is not funded.Failure to proceed with the reconciliation could result in HSC Pension Service using incorrect Guaranteed Minimum Pension details when calculating and paying member’s benefits and potentially using GMP details that should have been attributed to another scheme. Cases of this type could result in a substantial cost to the HSC Pension Service Scheme. There is a reputational risk associated with this activity.

Risk 12: Inability to complete the Guaranteed Minimum Payment reconciliation exercise due to limited resources results in a reputational impact on the BSO.

Revised Risks–All risks have been updated and/or re-numbered with changesshown in red.

Removed Risks – The Director of Operations has proposed the removal of the following risk:

11. There is a risk that delay in providing information to HSC employees on Choice 2 following introduction of new Pension arrangements

The required information has now been issued with 20000 Choice 2 letters having been circulated, and the associated FAQs, factsheets and examples on Pensions website. Responses to the letters are expected January 2017.

1

1

Corporate Objective No 1: To Deliver Value for Money Services to our Customers

Report on Board Action Plan
Risk Description
(Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
1. Levels of savings in the overall environment for HSC are so great that BSO service provision to customers are negatively affected and/or we fail to breakeven.
The Leadership Centre may be particularly affected by a reduced level of client income e.g. HSCB
Risk Owner(s)
DoF
CX / Dirs
Type of risk:
Economic & Financial / 4 / 4 / 16 / High
 / Budgetary Process Breakeven Budget with specified savings programme
Latest Best Estimates
Service Offering
Meetings held with DHSSPS sponsor branch / Budgetary Monitoring (I) SMT Accountability to CX (I) External Audit - Report to those charged with Governance (E) Budgetary Control process (I) Directorate Service Team Meetings (I) Financial Accountability Reviews with Directors (I) Financial Management Standard (I) & (E) Risk Reporting & Review (I) CX Review of Dirs Objectives (I) Dept Accountability Review (E) MIPB Assessment / . / DoF/ADFM / BSO received a 2016/17 DHSSPSNI allocation letter on 16 March 2016, providing formal confirmation that a 15% cut to the BSO recurrent RRL had been applied, effective from April 2016. 2016/17 budget was approved at Board meeting on 26th May.
Monthly budgetary control process indicates that savings are being delivered in accordance with plans and a break even position is forecast

Risk Score Legend: L for Likelihood / I for Impact / S for Score – Risk Trend: =  No Change /  Risk Increasing / = Risk Decreasing

Assurance Legend: I for Internal Assurance / E for External Assurance

1

Corporate Objective No 1: To Deliver Value for Money Services to our Customers

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
2. Inability to prove quality, productivity
and VFM, and show that we are competitive and addressing customer expectations.
Risk Owner(s)
DoCCP
Dirs
Type of risk:Financial, Customer/Citizen & Partnership Contractual / 2 / 4 / 8 / High
 / Existing Processes to measure Quality Standards; SLA’S;
KPI’s; Framework /Scorecard;
Monthly report to Customers;
Internal Audit programme;
Audit Control Process;
Annual Quality report.
Benchmarking performance reported to Business Committee / Accredited Bodies - ISO/Lexcel (E) Monthly Reports to Customers (I) Scorecard monitoring SLA Monitoring (I) Financial Management Standard (I) & (E) Customer Survey (E) SMT Meetings (I) GAC Audit Control Review (I) Dept Accountability Review (E) MIPB Assessment / Further participation of BSO Services in Benchmarking programme for 2016-17.
Annual customer surveys / DoCCP
January 2017 / Further areas are undertaking benchmarking questionnaires
2016/17 SLAs have been issued. 14 of 18 have been signed and returned. SLA customer meetings are nearing completion.
Surveys have been reviewed and are being distributed throughout November and December.

Corporate Objective No 1: To Deliver Value for Money Services to our Customers

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Dates / Comment
L / I / S / Rate
3. Risk of not achieving the agreed business case outcomes for HR and Finance systems leading to financial and reputational damage.
Risk Owner
Head of SS
Type of risk:Financial
Reputational / 3 / 4 / 12 / High
 / Fortnightly departmental meetings
Monthly AD forum
Monthly Finance AD forum
Monthly HR AD forum
Quarterly regional orgs customer forum
BSTP programme board / Departmental oversight of BSF
Monitoring of service delivery against KPIs / WHSCT migration
SEHSCT migration
Execute BSF workplan
FPL upgrade / Head of Shared Services
March 2017
Head of Shared Services
January 2017
Head of Shared Services
Mar 18
Head of Shared Services
Sept 17 / WHSCT deployment of eRecwas completed March 2016. Further work is pending implementation decision by WHSCT and DoH.
Rollout commenced Feb 2016 and has recommenced November 2016
It is anticipated that the 5th and final drop will be completed January 2017.
Date amended to satisfy customer achievement of stabilisation.
Upgrade has been delayed by the supplier. Phase 1 is due to be completed June 2017 and Phase 2 by September 2017

Corporate Objective No 1: To Deliver Value for Money Services to our Customers

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
4. HSC restructuring leads to negative impact on overall SLA funding
Risk Owner(s)
SMT
Type of risk:Financial, Customer/Citizen & Partnership Contractual
Risk added:
9.12.2015 / 3 / 4 / 12 / High
 / CEx is a member of the HSC Restructuring Programme Board. / Engage as early as possible to identify to which organisation(s) current HSCB services will transfer.
SLA/ funding realignment to be identified and progressed following clarity on redistribution of services. / DoCCP
March 2018
DoCCP
DoF
2017/18- TBC / The CEx is a member of the HSC Restructuring Programme Board. The design phase is ongoing.
Implementation of the programme plan is likely to commence during 2017/18 with completion planned for early 2018/19.

Risk Score Legend: L for Likelihood / I for Impact / S for Score – Risk Trend: =  No Change /  Risk Increasing / = Risk Decreasing

Assurance Legend: I for Internal Assurance / E for External Assurance

1

Corporate Objective No 2: To Grow our Services and Customer Base

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
5. There is a risk that BSO will be unable to implement the Social Care Procurement project resulting in slippage in procurement programme to address the new light-touch regime detailed in regulations 74-77 of the Public Contracts Regulations 2015
Risk Owner
Dir of Ops
Type of risk:
Partnership / Contractual;
Legislative / regulatory;
Risk Added:
24/05/2016 / 3 / 4 / 12 / High
 / PRINCE2 Project methodology and project structure in place including project control strategy
Oversight by Regional Procurement Board
Governance structure
Strategic Plan / Updates provided by Project Board Chairman to SMT / Team recruitment
Confirm accommodation arrangements
Support Other HSC Organisations including development of SCP manual / anuary 2017
December 2016
December 2016 / Recruitment currently underway. Job evaluations completed and posts approved for trawling by SMT 17/8/16- first tranche posts appointed and candidates are expected to be in post in January 2017.
SMT confirmed Pinewood Villa as accommodation. Bids for VOIP approved. Bid approved for alterations to Pinewood to ensure fit for purpose.SHSCT Estates engaged to provide plans and costs.
Draft manual to be updated. Recruitment of eTendersNI support approved by SMT.

Risk Score Legend: L for Likelihood / I for Impact / S for Score – Risk Trend: =  No Change /  Risk Increasing / = Risk Decreasing

Assurance Legend: I for Internal Assurance / E for External Assurance

1

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
6. Benefits of the new FPPS system fail to be realisedresulting in not achieving budgeted headcount and subsequent financial pressures. This could be caused by:
(i) Contractors declining to use the web based portal, leading to an inability to reduce staff numbers in accordance with business case
(ii)Required system fixes for defects and/or change controls not being applied, leading to an inability to reduce staff numbers in accordance with business case;
Risk Owner
Dir of Ops
Type of risk:
Technological; Performance Management
Risk Added: 17.06.2015 / 3 / 4 / 12 / High
 / -Operational & Service Review Group to manage prioritisation and execution of fixes and change controls
-HSCB encouragement of contractors use of portal at project board / FPS Project Board (Benefits Realisation) will monitor the progress and consider means of increasing uptake if necessary
Quarterly report to SMT on use of portal / Reduction of staff in line with benefits realisation plan
FPS has planned training events and will use roadshows and other meetings with contractor and their representatives to promote the benefits to contractor of using the portal;
FPS to develop an interim contingency plan to resource system impacts in the event of contractors not using the portal.
Prioritised change list has been presented to ITS and is subject to weekly service review by FPS and ITS. / Dir of Ops
June 2017
December 2016
Dec 16 / FPS have requested that staff are released between March and June 2017
Dental practices are currently registering for portal.
ITS have advised that final Pharmacy Portal Infras will be delivered to FPS by 30/11/16 for testing.
The timescale for Phase 2 of the Benefits Realisation plan is being adjusted to include time for the necessary changes to the system to be designed, developed, tested and implemented.
Issue of FPS resource availability to engage with testing and further development is under review.

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
7. Failure of key ITS Applications & Infrastructure impacting delivery of Critical Services to Customers.
Risk Owner
Dir of CCP
Type of risk:
Technological & Customer / Citizen / 3 / 4 / 12 / High
 / Security Procedures;
Testing of Business Continuity Plan;
Change Control Process;
Testing and planning associated with significant change.
Engagement of professional report (Gartner).
Actions from Gartner report completed / Internal Audit (E) External Audit (E) SMT Review of ICT Programme (I) Systems Risk Assessment (I) / Additional assurances
Go live of new data centre facilities / Dir of Finance/ Dir CCP
March 2017
August 2016 – March 2019 / A full Disaster Recovery (DR) test was completed in May 2015 based on a scenario of having to evacuate Centre House and carry on operations from the DR site at Boucher Crescent. This was successfully repeated on 19 May 2016.A further desktop DR/Continuity exercise is planned for later in 2016/2017.
The mobile DR Unit was positioned within the yard in Boucher as part of the test exercise. It has been confirmed that the unit can be connected to the HSC network and the GP OOH solution has been restored from the third copy and tested within the DR unit.
Final Gartner actions have been marked as complete. Any further restructuring of ITS will take place in the context of the wider shared services project.
A range of options around 24/7 cover have been developed and have been initially costed.As per former CEx direction, these will be discussed further in a potential shared services context.

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
8. Fail to implement
robust information governance process.
Risk Owner
Dir of HRCS
Dirs
Type of risk:
Legislative / Regulatory & Performance Management / 3 / 3 / 9 / Medium
 / Policy & Procedures
Information Governance / Records Mgt
CA Standard
Audit Control
Risk Register/ Action Plans
A range of IG policies renewed and agreed by Board over 2014/15 and 2015/16.
IGMG to maintain and progress action plansub-group established to review the new standard and compare with the current standard.
Audits of local record management policies underway as part of IG Improvement Plan (on-going to March 2016). / CAS Assessment - Records Management /ICT/Governance (I) & (E) Information Governance Group Report (I) Service Risk Reporting & Review (I) GAC Audit Control Review (I) other CA Standards Assessment (I) & (E) Mid-Year Assurance Statement / GS (I) GAC Report (I) CX Review of Dirs Objectives (I)
SIRO annual assurance letter to Permanent Secretary
Regular progress reports to SMT/Board regarding action plans (I)IG update to Business Committee on a regular basis. / Ensure regular update on Data Protection and refresher training is available.
Action plan being implemented and evidence gathered on ongoing basis. Regular progress reports to SMT. / DoHRCS
Apr -Mar 2017
DoHRCS
Apr -Mar 2017

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
9. Risk to Data Centres from unstable hospital power / environment may cause further outages.
Risk Owner
Dir of CCP
Type of risk:
Technological, Environmental, Physical & Partnership /Contractual
Risk Added: 12.12.12 / 4 / 5 / 20 / Extreme
 / Security procedures
Business Continuity Plan.
SIB has appointed a Project Director for the Data Centres.
Surge Protectors have been installed and are operational.
Gartner sub-group to reconvene with revised remit to include strategic direction for transfer of data to 3rd data copy.
Board presentation on project / Gartner technical work streams.
An SLA has been agreed with BHSCT Estates for support of the regional data centre.
Disaster Recovery Plan / Review of all other elements of SLA to be carried out.
Go live of new data centre facilities / Head of Infrastructure and Architecture
May 2013
To approval date
August 2016 - Mar 2019 / This Annual Review is underway.
Work with Belfast Trust Estates to implement UPS back-up for the air con units has been cancelled due to inability to acquire space in BCH and RVH sufficient to house required equipment.
Work is completed to transfer 350 Terabytes of data to secure 3rd data copy for retention in Centre House.
Subscription to HP Mobile Data Centre solution has been implemented on a 2 year contract. A full recovery test from third site copy has been completed and a repeat test was successfully carried out on 19 May 2016.
Contracts for 2 Tier 3 Data Centres have been signed. The centres were acquired August 2016. The plan for technical set up is agreed andthe migration project has commenced. Migration due to be completed mid-2018.
This may be delayed by 9 months or more if Centre House lease is not renewed beyond Nov-17 and resources need to be re-directed to re-location project and premisesconfiguration. An Accommodation Requirement Template is with DoH for consideration by DoF – this indicates a preference to extend lease for short term in light of this risk.

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
10. There is a risk that delays in the recruitment and selection process leads to failure to meet performance targets and significant reputational damage.
Risk Owner
Head of SS
Type of risk:
Partnership / Contractual; Customer/Citizen; Performance Management
Risk Added:
16.03.2016 / 4 / 4 / 16 / High
 / Recovery team established
Review of processes, systems and organisational structures completed
Task and finish group established to deliver the recovery and stabilisation of recruitment shared services. / Weekly reports of progress against recovery plan to SMT and BSTP programme board.
Reports also sent to BSF AD forum and the regional Directors forum chaired by Michael McBride. / Delivery of full recovery plan / HoSS
January 2017 / Customer organisations also have plans in place which align with the BSO recovery plan. SE Trust are proceeding with rollout whilst stabilisation is embedded. A number of change requests relating to reporting have been delayed due to availability of the environment.
Date amended to satisfy customer achievement of stabilisation.

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
11. There is a risk that delay in providing information to HSC employees on Choice 2 following introduction of new Pension arrangements
Risk Owner
Dir of Ops
Type of risk:
Partnership / Contractual; Customer/Citizen;
Risk Added:
22.06.2016 / 2 / 3 / 6 / Medium
 / Preparation of information for staff / Oversight of Pensions board / Issue of choice 2 letters
Availability of FAQs, factsheets and examples on Pensions website / Dir of Ops/Head of Pensions
September 2016
September 2016 / Originally planned for release May 2016 however decision was taken to delay by the Pensions advisory board.
Members will have 3 months to make their decision and respond to HSCPS.
The issue of Choice 2 letters has commenced and is expected to be complete by end of September.
Complete – now available online

Corporate Objective No 3: To Pursue and Deliver Excellence through Continuous Improvement

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current
Risk Score / Controls / Assurances / Action / By Whom
End
Date / Comment
L / I / S / Rate
12. Inability to complete the Guaranteed Minimum Payment reconciliation exercise due to limited resources results in a reputational impact on the BSO
Risk Owner
Dir of Ops
Type of risk:
Partnership / Contractual; Customer/Citizen;
Risk Added:
30.11.2016 / 3 / 3 / 9 / Medium
 / Letter sent to the DoH August 2016 requesting funding.
Issue raised at Ground Clearing meeting Nov 2016.
Initial matching analysis completed / Oversight of Pensions board

Corporate Objective No 4: To Enhance the Contribution and Development of our People