BSO 126/2014

18th December 2014

Board

Corporate Risk and Assurance Report 2014-15

  1. Purpose of this report

The purpose of this report is to record changes to the Corporate Risk & Assurance Report made between October and December 2014, and to outline progress on risk actions.

At its meeting on 10th December 2014, SMT reviewed the report to ensure proportionate risk actions have been outlined.

  2. Changes to the Corporate Risks

New Risks

One new risk has been added to the register:

  • Risk No 14 – Failure to implement Pension Reform by 1.04.2015 could lead to DHSSPSNI being fined £9.16m per month by Treasury, classification High.

Revised Risks – Since October 2014, all risks have been updated with changes shown in red. Board are asked to note in particular:

  • Risk number 1 has been updated to include a reference to the Leadership Centre’s Extreme risk regarding a reduction in client income;
  • Risk number 3 - the description of this risk has been re-worded to reflect the move to Benefits Realisation. Risk now reads “Lack of Resources to unlock the business case benefits for Finance, HR, Procurement and FPS Business Systems Replacement.”

Risks Removed

No risks have been removed from the Register.

Corporate Objective No 1: To Improve Customer Experience

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
1. Levels of savings in the overall environment for HSC are so great that BSO service provision to customers is negatively affected and/or we fail to break even.
The Leadership Centre may be particularly affected by a reduced level of client income.
Risk Owner(s)
DoF
CX / Dirs
Type of risk:
Economic Financial / 4 / 4 / 16 / High
 / Budgetary Process Breakeven Budget with specified savings programme
Latest Best Estimates
Service Offering / Budgetary Monitoring (I) SMT Accountability to CX (I) External Audit - Report to those charged with Governance (E) Budgetary Control process (I) Directorate Service Team Meetings (I) Financial Accountability Reviews with Directors (I) Financial Management Standard (I) & (E) Risk Reporting & Review (I) CX Review of Dirs Objectives (I) Dept Accountability Review (E) MIPB Assessment / Meeting held with BSO DoF, BSO ADFM & DHSSPS DoF in Nov 2014 to discuss BSO draft response.
Final response due 5th Dec. Actions agreed by DHSSPS will be put into place to achieve specified levels of savings for 2015/16 and beyond. / March 2015 / DHSSPS requested that BSO develop a range of savings proposals for 2015/16 that could deliver the best possible outcomes under three scenarios: proposed reductions in RRL of 5%, 10% & 15%.

Risk Score Legend: L for Likelihood / I for Impact / S for Score – Risk Trend: =  No Change /  Risk Increasing / = Risk Decreasing

Assurance Legend: I for Internal Assurance / E for External Assurance

Corporate Objective No 1: To Improve Customer Experience

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
2. Inability to prove quality, productivity and VFM, and show that we are competitive and addressing customer expectations.
Risk Owner(s)
DoCCP
Dirs
Type of risk: Financial, Customer/Citizen & Partnership Contractual / 2 / 4 / 8 / High
 / Existing Processes to measure Quality Standards. SLAs
KPIs Framework / Scorecard
Monthly report to Customers
Internal Audit programme
Audit Control Process / Accredited Bodies - ISO/Lexcel (E) Monthly Reports to Customers (I) Scorecard monitoring SLA Monitoring (I) Financial Management Standard (I) & (E) Customer Survey (E) SMT Meetings (I) GAC Audit Control Review (I) Dept Accountability Review (E) MIPB Assessment / Further participation of BSO Services in Benchmarking programme for 2014-15.
First BSO Quality Report to be produced. / DoCCP
March 2015
Sept 2014 / An update Report was presented to BSO Board in August 2014 and further reports will be presented as required in year.
Complete - the Report was approved by BSO Board for submission to DHSSPS at the September meeting.
DHSSPS have accepted the report as final and it was uploaded on the BSO website in November 2014.

Corporate Objective No 2: To Grow and Develop

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
3. Lack of Resources to unlock the business case benefits for Finance, HR, Procurement and FPS Business Systems Replacement.
Risk Owner
Dir of Ops
Dept SRO
Type of risk: Financial / 3 / 4 / 12 / High
 / Following completion of Procurement in October 2012 the updated OBC for FPL and HRPTS systems was approved by DHSSPS and DFP.
Revised governance arrangements in place. CXs members of Programme Board and HR & Finance Directors members of Implementation Board.
Money released for both systems.
Resources identified for FPS systems within HSC ICT budget and OBC approved by DFP.
FPS governance transferred to HSC ICT programme.
FPL go-live – all organisations September 2013.
Gateway 4 (HRPTS) and Gateway 0 (BSTP) recommended a stream of work on benefits should be established. / Dept Accountability Review quarterly (E).
Programme Board Reporting monthly (I)
Implementation Board monitoring monthly.
Technical groups established and meet weekly.
Updated OBC for HRPTS & FPL to be submitted and approved before contract signature. / Programme Director to work with SRO & Capital Branch to ensure that reserved monies are released as required.
Workshops with functional groups will develop work packages including resource requirements. These will be presented to BRP and BSTP Project Boards as developed. / Dir of Ops / Benefits Realisation Manager
March 2015 / Issue of revenue costs for implementation of shared services systems remains unaddressed.
FPL contract reached last contract performance point in August 2014.
Benefits Realisation Project established with agreed capital and revenue budgets.
BRP PID was presented to RIB 30.09.2014 and approved by BSTP Programme Board 6.10.2014.
The following roles are currently being resourced:
- A Project Officer – BRP initiatives
- Project Support

Corporate Objective No 2: To Grow and Develop

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
4. Shared Services may not achieve business case outcomes.
Risk Owner
Dept SRO
Head of Shared Services
Dir of Finance (for charging/funding model)
Type of risk: Financial, Physical & Partnership / Contractual / 3 / 4 / 12 / High
 / Feasibility Study (2007) on Shared Services
Programme Board
Project Structure
Dept Review
Strategic Outline Case (2009/10) – DFP/Dept Assurance
Project re-plan presented to BSTP Programme Board on 2nd September 2013 and approval received. / Project Board (I) Programme Board Reporting (I) DFP/Dept OCB Reviewed (E)
SS Quality Assurance Group (E) Dept Accountability Review (E) MIPB Assessment
Engagement with Senior HSC Officers re design of Shared Services.
Public consultation closed end Feb. Ministerial decision announced on 14 May 2012. / SMT reviewing the implementation plan & progress on a fortnightly basis. / Head of Shared Services
March 2016 / Benefits Realisation Project established with agreed capital and revenue budgets.
The BRP PID was issued to BSO SMT for comment. It was presented to RIB 30.09.2014 & approved by BSTP Programme Board 6.10.2014.
The BRP team will work closely with Shared Services to assist in delivering best practice processes and system improvements to drive the expected benefits.

Corporate Objective No 2: To Grow and Develop

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
5. Inability to implement new Shared Service for Payroll, Payments, Income, Selection & Recruitment in line with Departmental timetable and customer expectations.
Risk of disruption to services and damage to reputation during period of transition due to system problems and inexperienced staff.
Risk Owner
Head of Shared Services
Dept SRO
Type of risk: Partnership / Contractual & Customer/Citizen / 5 / 4 / 20 / Extreme
 / BSTP Governance reporting processes.
BSO Shared Services Project oversight by BSO SMT.
Project operated using Prince methodology.
Project re-plan presented to BSTP Programme Board on 2nd September 2013 and approval received.
- Working Group/Project Boards in place with all organisations to deal with cut over activities
- SSIG & RIB monitoring / Strategic adviser appointed to assist BSO SMT.
BSTP Programme Board reporting.
PMO & reporting established bi-weekly.
BSTP Implementation Group – regular reporting and review of progress. / Central administration, resources and structures to be agreed.
Phased roll-out of shared services dependent on systems roll-out and stabilisation. / Head of Shared Services
May 2015 / FPL team addressing workarounds and final areas of functionality not yet delivered by ABS (including line level matching and self-billing). This will form part of Benefits Realisation work.
A review of Recruitment & Selection staffing levels across HSC organisations is underway which will inform a decision on the rollout of Recruitment & Selection Shared Services.
Income centre established with all Trusts and transition to Shared Services is complete except for Bank Reconciliation - proposed implementation dates are:
NHSCT – planned for April 2015
SEHSCT – planned for December 2014
SHSCT – complete
WHSCT – planned for March 2015
BHSCT – planned for March 2015
Payments centre now fully established with all Trusts.
Payroll – transfers planned as follows:
SEHSCT – complete;
SHSCT – November 2014 & January 2015;
NHSCT – November 2014 & January 2015.

Corporate Objective No 2: To Grow and Develop

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
6. Inability to implement replacement systems for Finance, HR and Procurement in line with agreed plan.
Risk Owner
Dir of Ops
Type of risk: Partnership / Contractual / 4 / 4 / 16 / High
 / Fully resourced HRPTS and FPL teams in place.
Weekly Status Reporting system in place for HLC AXON and AXON contractors.
Integrated regional Implementation Board established with members drawn from all key stakeholder groups.
Programme Risk Register and Report regularly reviewed by Programme Board.
Programme have received conditional approval of addendum OBC from DFP Supply and DHSSPS. / Quarterly Dept Accountability Review (E)
Monthly Programme Board review
Implementation Board monitoring resource plans monthly
FPL, HRPTS and Integrated technical groups in place
Self-Assessment Gateway Review (I) Gateway Review (E)
CX Review of Dirs Objectives (I)
Reporting to BSO Board / Implementation in line with FPL corrective plan which was accepted 30th April by RIB and approved on 13th May by BSTP.
HRPTS re-plan activities and contractual discussion still on-going.
Relationship with AXON stabilised.
E-rostering issues – Trusts have agreed to continue to work with their roster providers to ensure that all issues are resolved. Scheduled UAT and volume testing, May 2014. / Dir of Ops / Benefits Realisation Manager
March 2015 / HRPTS project working to revised project plan.
BSO SS SMT agreed on 30th July to proceed with the deployment of E-Rec. The deployment plan for E-Rec was approved by Regional Implementation Board (29th July) and BSTP Programme Board (4th August). This plan is in line with expected MSS deployment plans within Trusts.
Anticipated transition to eRecruit as follows:
Regional Orgs – completed October 2014
SHSCT – initial area completed November 2014.
WHSCT – auto-transfer of payroll data from roster system to HRPTS is now complete and implemented.
NHSCT – SMART UAT has been completed. A solution to move the file from local file share through to BSO FTP server is currently being worked on and expected to complete October 2014. The Trust plan to implement with the January 2015 payroll.

Corporate Objective No 3: To Recognise and Embed Excellence & Innovation

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
7. (a) In advance of FPS Replacement System, older more manually intensive systems fail to meet their objectives.
(b) BSO fails to realise financial savings from termination of Fujitsu contract.
Risk Owner
Dir of Ops
Type of risk:
Technological / 2 / 4 / 8 / High
 / - Primary Contracts Policies & Procedures
- FPS Project
- Gateway Reviews
- Contingency measures in place & in the event of system failure, make estimated payments;
- Director of Ops has adopted the SRO role for this project;
- Director of CCP/SRO to meet on a regular basis. / - Internal Audit (I)
- External Audit (E)
- SMT Review of ICT Programme (I)
- Systems Risk Assessment (I)
- User Acceptance Testing / (a) No further action required.
(b) Brief progress report monthly to SMT and Board. / Dir of Ops
February 2015 / Contingency measures in place & in the event of system failure, make estimated payments.
Due to additional development time and underestimated time required for user acceptance testing, the Dental go-live date was revised to December 2014.
This caused one month’s delay in the termination of the Fujitsu contract.
Notice has now been served on Fujitsu, with contract exit due 31.12.2014.

Corporate Objective No 3: To Recognise and Embed Excellence & Innovation

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
8. Failure of key ITS Applications & Infrastructure impacting delivery of Critical Services to Customers.
Risk Owner
Dir of CCP
Type of risk:
Technological & Customer / Citizen / 3 / 4 / 12 / High
 / Security Procedures;
Testing of Business Continuity Plan;
Change Control Process;
Testing and planning associated with significant change.
Engagement of professional report (Gartner). / Internal Audit (E) External Audit (E) SMT Review of ICT Programme (I) Systems Risk Assessment (I) / Additional assurances
Most of the Gartner actions have been achieved with the remainder on-going. / Dir of Finance / Dir CCP
December 2014 / Gartner Project underway and reporting to BSO Board sub-committee.
Additional storage for third copy of data has been deployed within Centre House. Take on of data is currently underway in stages.
Meeting to review DR arrangements held with CX in September 2014. OBC for contingency arrangements approved by SMT and was presented to Gartner sub-committee 30.10.2014.
OBC with HSCB awaiting approval of funding.

Corporate Objective No 3: To Recognise and Embed Excellence & Innovation

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
9. BSO current skill mix does not meet future business needs.
Risk Owner
Dir of HRCS
Dirs
Type of risk:
Managerial / Professional / 3 / 2 / 6 / Low
 / Revised Workforce Strategy approved by Board February 2014.
Job Description/
Personal Specification
Staff Survey
Review PaLS Skills gaps.
Staff development / strong commitment to training. / Outcome of HSC Staff Survey (E) Customer Surveys (E) SMT/Board Review of Surveys (I) Staff Appraisal - PDPs (I) CX Review of Dirs Objectives (I)
A Sub-group has been established to consider a range of issues in PaLS including workforce issues.
Business Case skills. / Further work to identify recruitment issues.
Workforce Planning ongoing in a number of Directorates. / DoHRCS
March 2015
March 2015 / Discussions underway with Directors in respect of strategic work plans for the next 3 years.
A number of specific skills areas to be addressed.
SAP skills training plan - final programme delivered w/c 27.10.2014.
Workforce Plan for ITS due to be finalised December 2014.

Corporate Objective No 4: To Ensure Good Governance

Report on Board Action Plan
Risk Description (Include DATE ADDED) / Current Risk Score (L / I / S / Rate) / Controls / Assurances / Action / By Whom and Start – End Dates / Comment
10. Fail to implement robust information governance process
Risk Owner
Dir of HRCS
Dirs
Type of risk:
Legislative / Regulatory & Performance Management
(a) Transfer of information as a conduit organisation (especially medical files relevant to FPS & Legal) / 2 / 3 / 6 / Medium
 / Policy & Procedures
Information Governance / Records Mgt
CA Standard
Audit Control
Risk Register/ Action Plans
A range of IG policies renewed and agreed at August, September & October 2013 Board meetings.
New IGMG sub-group established to review the new standard and compare with the current standard.
Assessment by Internal Audit February 2014 and development of action plan.
(a) Guidance to be sought from ICO on how to manage sensitive medical information in transit / CAS Assessment - Records Management /ICT/Governance (I) & (E) Information Governance Group Report (I) Service Risk Reporting & Review (I) GAC Audit Control Review (I) other CA Standards Assessment (I) & (E) Mid-Year Assurance Statement / GS (I) GAC Report (I) CX Review of Dirs Objectives (I)
New draft Information Management Controls Assurance Standard has been issued by DHSSPS who have asked HSC organisations for comments.
Audit planned for Autumn 2013 (I)
Regular progress reports to SMT/Board regarding action plans (I) / Ensure regular update on Data Protection and refresher training is available.
- Frequency of IGMG meetings increased
- Internal Audit assessment of progress late October/early November 2014;
- Draft exit report with DoHRCS for consideration and response.
(a) BSO to communicate with Info Owners to advise that all medical files to be checked before forwarding to BSO.
(b) Discussion with HSCB / DHSSPS on impact of greater deployment of mobile devices and access to systems such as ECR. / DoHRCS
Apr - Mar 2015
DoHRCS
Apr - Mar 2015 / Project Plan in process of implementation.
Initial assessment of BSO compliance with standard for 2013-14 provided ‘moderate’ compliance as required by DHSSPS.
Action plan being implemented and evidence gathered on ongoing basis. Regular progress reports to SMT.
DHSSPS expect Substantive compliance in 2014-15.
BSO to carry out periodic checks of files in transit.
Discussion with HSCB/DHSSPS led to understanding of shared data guardian roles and HSCB issuing a new HSC ICT Security Policy.
