“What is your risk appetite?” Exploring personal and organisational attitudes to risk

Today’s task
1. Do you know your own risk appetite?
2. Do you know your organisation’s risk appetite? Has it been defined, communicated and been understood at all levels?
3. What does the MIAA benchmarking review of Assurance Frameworks reveal in terms of:
• Inconsistent risk appetites
• Variations in methodology
• Diverse board engagement

Personal attitudes to risk

Risk scenarios
1. As an individual, reach a decision and record it on the sheet;
2. In your groups, appoint a Chair and share your personal decisions to understand the range of positions;
3. Reach a consensus view on each scenario;
4. Feed back on what you have decided and how the process of reaching a consensus was managed.

Consider a 50-50 gamble in which you can lose £10. What is the smallest gain that makes this gamble attractive?
1. £9
2. £10
3. £12
4. £15
5. £20
6. I wouldn’t take the gamble

Which do you choose:
1. Get £900 for certain OR
2. Take a 90% chance to get £1000

Which do you choose:
1. Lose £900 for certain OR
2. Take a 90% chance to lose £1000

How often would you exceed the speed limit on a motorway?
1. Never
2. Rarely
3. Sometimes
4. Regularly
5. As often as I can

You want to order food in a pub you have not been in before and you are asked to leave your credit card behind the bar. Do you:
1. Refuse and go elsewhere
2. Agree after asking about the security of your card
3. Agree and say nothing

A cash machine overpays you by £20. Do you:
1. Go into the bank and repay the money
2. Keep the overpayment
3. Have another go – it’s free cash!

You have some building work done in your home and the builder tells you he can lower the price (equivalent to the VAT rate) if you pay him cash. Do you:
1. Refuse as you do not want to be party to any tax evasion
2. Ask him directly about why he wants to be paid in cash before deciding
3. Pay in cash to get the cheaper price

Understanding and expressing risk appetite
Willingness to take risk
• How much risk are you prepared to take to achieve your objectives?
• A simple question – but very difficult to answer.
• A risk appetite statement may be helpful in aligning decision-making and risk taking.
• Producing a statement is a particular focus of the financial sector.
[Figure: risk appetite ratings on a 1 to 5 scale (Low, Med, High) for Quality, Reputation, Safety, Regulation and Market share]

Risk Appetite and Tolerance
Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.
Risk tolerance is the accepted level of variation relative to the achievement of a specific objective.

What would it look like
• Reflective of strategy including organisational objectives, business plans and stakeholder expectations
• Reflective of all key aspects of the Trust
• Acknowledges a willingness and capacity to take on risk
• Is documented as a formal risk appetite
• Considers the skills, resources and technology to manage and monitor risk exposure in the context of risk appetite
• Is inclusive of a tolerance for loss or negative events that can be reasonably quantified
• Is approved by the board and is periodically reviewed

Risk Appetite challenges
• What is it?
• Why is it important?
• Who is responsible?
• How can it be defined and at what level(s) in the organisation?
• How can it add value, particularly in relation to setting strategy and underpinning decision-making?
• How is it best communicated?

A definition
“The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style…Risk appetite guides resource allocation…Risk appetite [assists the organisation] in aligning the organisation, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.”
COSO’s ERM-Integrated Framework

Risk appetite: key points
• Is strategic and is related to the pursuit of organisational objectives;
• Forms an integral part of corporate governance;
• Guides the allocation of resources;
• Guides an organisation’s infrastructure, supporting its activities related to recognising, assessing, responding to, and monitoring risks in pursuit of organisational objectives;
• Influences the organisation’s attitude towards risk;
• Is multi-dimensional, including when applied to the pursuit of value in the short term and the longer term of the strategic planning cycle; and
• Requires effective monitoring of the risk itself and of the organisation’s continuing risk appetite.

Example risk appetite statement
“The Trust operates within a low overall risk range. The Trust’s lowest risk appetite relates to patient and employee safety and compliance/regulatory objectives with a marginally higher risk appetite towards our strategic, reporting and operations objectives. Our highest risk appetite relates to our transformation and innovation objectives.”
This statement does three things:
• Communicates, with sufficient precision, that the organisation wants to sustain its business over a long period of time
• Expresses a low risk appetite in pursuing all the organisation’s objectives apart from transformation and innovation
• Expresses a very low appetite for risks associated with safety and compliance

Organisational impact
• is stated precisely enough that it can be communicated throughout the organization, effectively monitored, and adjusted over time;
• helps with setting acceptable tolerances for risk, thereby identifying the parameters of acceptable risks;
• facilitates alignment of people, processes, and infrastructure in pursuing organizational objectives within acceptable ranges of risk;
• recognizes that the organization has a portfolio of projects and objectives, as well as a portfolio of risks to manage, implying that risk appetite has meaning at the individual objective level and at the portfolio level.

Risk appetite workshops
• Board level:
– Understand principles;
– Frame an organisational risk appetite statement;
– Set risk appetite for each of the corporate objectives;
– Agree communication.
• Portfolio level (Innovation Programme/Strategic Staircase):
– Understand principles;
– Apply Board risk appetite to individual programmes to set risk tolerances and parameters;
– Agree development and review processes.

What keeps you awake at night? MIAA Assurance Framework and AGS Benchmarking review 2015

The Assurance Framework components
[Diagram: Strategic Objectives, Key Risks, Key Controls, Assurances, Board Evaluation]
The Assurance Framework is an important part of a Trust’s overall risk management and governance framework. The assessment of the strategic risks facing an organisation, control mitigations in place and the assurances received by the Board form the basis for the Assurance Framework.
Effectively utilising an Assurance Framework provides the Board with:
• a key piece of evidence to conclude on the effectiveness of internal control systems for regulatory purposes, i.e. AGS, risk assessment framework, annual planning, well-led, code of governance;
• a dynamic tool to define risk appetite and map risk, control and assurance to better drive the business.

The questions that an effective BAF can answer
• Are you confident in the Board declarations being made in your name?
• Are you clear on what assurance is to be received by the Board and when it will be received?
• Is there sufficient understanding and ownership of risk and assurance throughout the organisation?
• Is the Board sufficiently aware of risks to quality?
• Is there an informed consideration of risk at board and committee level that underpins organisational strategy, decision-making and the allocation of resources?
• Has the Board’s risk appetite been sufficiently explored?
• Does the current risk and assurance reporting to the Board fulfil regulatory requirements?

Features of a good Assurance Framework
• Risks are identified that impact on the organisation’s ability to achieve its objectives and make board declarations
• There is clear distinction between controls and assurances, and gaps in assurance
• A broad range of assurances has been considered
• The “actual” assurance being received is identified rather than the aspiration
• The timings of assurance are identified
• Action plans required to close gaps in assurance are clearly identified or referenced
• The Assurance Framework is regularly reviewed and updated to ensure it is a “live” document.

Board leadership: 3 key roles
1. Formulating strategy for the organisation underpinned by an informed consideration of risk.
2. Ensuring accountability by holding the organisation to account for the delivery of the strategy and through seeking assurance that systems of control are robust and reliable.
3. Shaping a positive culture for the governing body and the organisation.

Current Assurance Framework

Board/Governing Body Assurance Framework Benchmarking 2015
• Assessed 43 Trusts and 45 Clinical Commissioning Groups
• Identified top risk themes and comparisons to our 2014 exercise

Top 10 Strategic Risk Themes

CCG TOP 10 RISK THEMES 2015
1. Corporate Systems and Processes ↔
2. Partnership Working ↑
3. Quality Assurance of Providers ↓
4. Financial Duties ↑
5. Commissioning ↑
6. Performance Targets ↓
7. Public and Patient Engagement ↑
8. Access to Services ↓
9. Reconfiguration and Redesign of Services ↓
10. Primary Care Services ↑

TRUST TOP 10 RISK THEMES 2015
1. Transformation & Service Redesign ↑
2. Staff Capacity & Capability ↑
3. IMT, Data Quality & New System Implementation ↓
4. Financial Duties, Continuity of Services & CIP ↑
5. Performance Targets ↔
6. Quality of Services ↓
7. Regulatory Standards ↔
8. Human Resources, Organisational Development and Employment Framework ↑
9. Business Development & Growth ↑
10. Estates (including H&S and Maintenance) ↑

[Figure: TRUST Risk Theme 1. Transformation and Service Redesign (including loss of services). Individual risks plotted by Impact (1 to 5) against Likelihood (1 to 5).]

[Figure: TRUST Risk Theme 4. Delivery of Financial Duties, Continuity of Services rating and CIP. Individual risks plotted by Impact (1 to 5) against Likelihood (1 to 5).]

[Figure: CCG Risk Theme 1. Corporate Systems and Policies. Individual risks plotted by Impact (1 to 5) against Likelihood (1 to 5).]

[Figure: CCG Risk Theme 4. Financial Duties. Individual risks plotted by Impact (1 to 5) against Likelihood (1 to 5).]

Trust ‘Highest’ Risks (scored 25-20)

CCG ‘Highest’ Risks (scored 25-20)

Assurance Framework Summary Observations
(Structure; Engagement; Quality & Alignment)
• Structure including objectives, risks, controls, assurances and gaps. Increasingly includes risk appetite/target scores
• Engagement with Board/Governing Body, Committees and Officers varies significantly
• Alignment to Board/Governing Body agenda and strategic risks is critical to making it meaningful
• Alignment of Assurance Framework with the Annual Governance Statement and other declarations on risk and control

Trust Annual Governance Statements 14/15
9 pages: average length of the AGS, within a range of 3 to 19 pages.
Principal Risks
• Clinical and Financial Viability
• Performance and Regulatory Standards
• Staff Capacity and Capability
• Health Economy Risks and Commissioning Intentions
• Board Stability, Leadership and Governance
31% declared Significant Control Issues including:
• Financial Deficit, Sustainability, Turnaround and Cost Improvement Plans
• Regulatory Compliance, Access Targets, Quality of Services and Enforcement Action
• Governance, Stewardship and Culture Failures

CCG Annual Governance Statements 14/15
17 pages: average length of the AGS, within a range of 8 to 38 pages.
63% of organisations identified and reported on Significant risks within their AGS
Principal Risks
• Capacity
• Engagement
• Financial Challenges and QIPP
• Provider Performance and Sustainability
• Commissioning Support Unit Arrangements
• Health and Social Care Reform
• Service gaps
• Information Sharing and IT Systems
• Conflicts of Interest

AGS Considerations for 15/16
Checklist…
• Some system/processes description but greater focus on outcomes and actual assurances throughout the AGS.
• Strategic risks focussed on a smaller number with good narrative context of the risk and mitigation.
• Use of formatting, tables and figures to break up the text.
• Mandated elements covered and grouped within using sub headings where appropriate.
• Signposting of ongoing and future strategic risks and challenges.
• Full tables/extracts from the AF but without supporting narrative to explain.
• Traditional headings with significant narrative, little formatting and duplication making the AGS lengthy and difficult to read.
• Extensive lists of risks without context or mitigations.
• Lists of limited assurances without context or confirmation of actions taken.
• Significant risks and issues detailed within the AGS, and overall conclusion of ‘no significant issues’ without context of how this has been determined.

Reflections…
• Does your Board/Governing Body Assurance Framework consider the breadth of the risk themes?
• Are financial risks reflective of the current environment (in both content and risk score)?
• Is there a shift needed in terms of moving the AGS away from detailed system narrative to greater focus on how the organisation is assured that the systems of internal control are effective and how the risks faced are being managed?
• For CCG AGSs, is there a need to ensure more focus and alignment with the risks and challenges of local provider organisations and the implications for the CCG?
• How can you make your AGS more meaningful?

Discussion: to what extent do the following statements apply to your organisation’s AF?
• Risks are identified that impact on the organisation’s ability to achieve its objectives and make governing body declarations,
• There is clear distinction between controls and assurances, and gaps in assurance,
• The organisation’s risk appetite is reflected in the scoring of risks,
• Action plans required to close gaps in assurance are clearly identified or referenced,
• The Assurance Framework is regularly reviewed and updated to ensure it is a “live” document.

For more information please contact:
Tim Crowley
Managing Director
Mersey Internal Audit Agency
Regatta Place
Brunswick Business Park
Liverpool L3 4BL
Tel: 0151 285 4513
Mobile: 07768 131789
Email: tim.crowley@miaa.nhs.uk