Good board practice

“Badness you can get easily, in quantity; the road is smooth, and it lies close by, but in front of excellence the immortal gods have put sweat, and long and steep is the way to it.” – Hesiod, Greek poet

The past decade has seen significant development in board practice in NHS Wales. Further improvements will include  consideration of compliance units and the development of the board as the first line regulator.

Key points

Board Assurance is a key but underused tool by boards. As an encapsulation of the key strategic aims of a board, together with the management of the risks associated in delivering those goals, Board Assurance should be the board agenda for board activity.

Compliance should not be an end in its own right, but a bi-product of an effective quality system. Boards should feel confident at all times that they understand and are alerted to any significant failures in controls. The aim of a compliance unit is to ensure a policy of ‘no surprises’.

As public bodies NHS organisations are appropriately subject to scrutiny and review, but no external body can be as effective in that role as the local board. The board should have in its mind that it is the first line regulator on behalf of the public.

Assurance

The Welsh Assembly Government says there are many definitions of assurance, most of which centre around common themes of confidence and certainty.  As described by one Chief Executive in the NHS “it’s about being able to sleep at night”.

The Assembly asserts that it is about establishing a clear understanding within your organisation on what you mean by ‘assurance’. Boards need to recognise that any assurance, whatever its source, will not be a guarantee that offers absolute certainty.

Boards must therefore look to gain ‘reasonable’ assurance that the organisation’s ways of working enable it to perform effectively across the full range of its activities in order to deliver their set strategic direction.

Read more and information and the Assembly’s draft Risk and Assurance Framework using the links below:
Trusts http://www.nhswalesgovernance.com/display/Home.aspx?a=328&s=11&m=206&d=0&p=207
LHBs http://www.nhswalesgovernance.com/display/Home.aspx?a=100&s=11&m=200&d=0&p=201

The Audit Commission’s Report relating to the NHS in England, Taking it on Trust: A Review of How Boards of NHS Trusts and Foundation Trusts Get Their Assurance, contains a lot of valuable advice and insight that is relevant to us here in Wales.  Here, we summarise some of the Commission's main findings.

The report is not about the governance structures and processes that trust boards should use to assure themselves that their organisation is operating effectively and meeting its strategic objectives. All organisations have structures and processes in place and there is a great deal of guidance – over 1,000 pages – on the subject. It is about the rigour with which they operate the processes and get the assurance they need.

Healthcare is inherently complex and risky, boards therefore need to assure themselves that their organisations are well managed, providing safe and appropriate care and are, in short, places where patients would want to be treated. How they do this is described as the ‘system of internal control’.

Internal control is ‘a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • effectiveness and efficiency of operations,
  • reliability of financial reporting, and
  • compliance with applicable laws and regulations.

The assumption is that such systems operate effectively but there is evidence to the contrary.

Taken together, these factors indicated that trust boards need to increase the rigour with which they assure themselves about the strength of their internal controls.

Effective assurance requires a number of elements to be present together:

  • the right governance framework and risk culture and a clear understanding of strategic objectives and risks,
  • good internal controls,
  • evidence that internal controls are operating effectively, and
  • good data quality.

The Audit Commission review showed that:

  • Controls and assurances were often poorly defined, making it difficult to see how boards could be clear that the controls were working effectively and that assurances were sound. Risks and controls were not always aligned to strategic objectives.
  • Greater attention needed to be paid to compliance mechanisms and these needed to be more clearly distinguished from internal audit, which should review the effectiveness of the compliance framework, not be a substitute for it.
  • Use of internal audit could be improved, with greater emphasis given to the quality of the assurance derived from it rather than cost minimisation. Its use should also be placed in a wider framework of review as there are alternatives to internal audit in many cases; use of clinical audit as part of the BAF (Board Assurance Framework) was poorly developed. This is a significant weakness. Few trusts could set out how clinical audit was being used in a systematic way to address risks with the results reported to the board through the BAF.
  • Many trusts had elements of assurance processes in place for data quality but very few were comprehensive and very few boards saw this as a significant issue. There was limited evidence of formally planned audit or review programmes to verify the accuracy of data reported.
  • Greater effort was made to review and assess assurances provided in respect of self-assessments for compliance with health standards for Better Health. Even so, these efforts were not wholly successful as judged by the results of follow-up inspections by the Healthcare Commission.

The Healthcare Commission’s report on its investigation into Mid Staffordshire NHS Foundation Trust shows that processes without intelligent and rigorous scrutiny are not enough. Governance arrangements that are persuasive on paper must work in practice. The aim of board assurance is to give confidence that the trust is providing high quality care in a safe environment for patients by staff who have received the appropriate training; that it is complying with legal and regulatory requirements; and that it is meeting its strategic objectives.

On the evidence seen, many board members would not be able to have that confidence. Trusts may indeed be meeting all these requirements but it is not evident from the material presented to the board. This is an important issue for regulators as the regulatory framework is increasingly dependent on self-assessments and self-certification. Mid Staffordshire NHS Foundation Trust certified that it was compliant with all core standards except that relating to waste disposal, but it subsequently became clear that it was very far from providing safe, high quality care. Internal controls and board assurances are often not up to the weight now being placed on them by the regulatory framework.

It was observed that NHS trusts have the processes and arrangements in place, but greater attention now needs to be paid to the rigour and effectiveness with which the processes and arrangements are applied. Below are a number of recommendations that they consider will help to bring this about.

Trusts should:

  • ensure that their strategic aims and objectives are clearly defined and few in number so they can be widely understood and clearly cascaded throughout the organisation, and that their strategic risks are identified and aligned to their strategic objectives;
  • review their risk management arrangements – including the way in which risks are reported to the board – in line with the findings of this report and consider how best to promote and demonstrate the value of risk management work to staff;
  • ensure they have systems in place to comply with all statutory, regulatory, clinical and contractual requirements;
  • consider cascading the SIC through the organisation by sub- certification by managers. To avoid this becoming simply a bureaucratic exercise it should be allied with a more effective compliance function, performance information and performance management;
  • review how they identify and then evidence assurances on the operation of controls and how these are then evaluated;
  • review and increase the assurances they receive from sources other than internal audit, including clinical audit, and in doing so ensure that their full portfolio of risk is covered;
  • maximise the assurance obtained from internal audit by reviewing the scope of internal audit plans and improving its commissioning;
  • better align clinical audit programmes to key strategic and operational risks to maximise the assurance provided by the clinical audit function; strengthen their compliance mechanisms and distinguish them more clearly from internal audit, which should review the effectiveness of the compliance framework;
  • ensure they have robust arrangements for assuring the quality of their data by assessing themselves against the standards for better data quality set out in the Commission’s Figures You Can Trust briefing and by developing systematic and formalised review programmes for their data, including checking accuracy back to records;
  • develop policies and guidance on data quality and assurance processes, including defining and allocating responsibility for data quality, to promote consistency and improve awareness of board members.

Questions for board members to ask themselves

1.Good assurance requires the right governance framework to be in place

  • How clear are we about what the organisationis trying to achieve? What strategic aims and objectives have we set out for the trust? Are they clearly defined?
  • How do we provide leadership to the staff delivering the objectives that we have set? What process do we have in place for translating the objectives into the contribution expected from divisions, care groups and frontline staff and how will their performance will be monitored?
  • Are the governance structures clear and straightforward with minimal overlap? How well do we understand them and how do we think current governance arrangements could be improved?
  • How do we oversee the strategy for achieving our objectives? How do we ensure that the systems of internal control are operating robustly? Is our board agenda dynamic and focused on the right things: the strategy and its implementation? How much time do we spend on strategic issues at board meetings? To what extent do we have the right information prepared for board meetings to allow us to monitor this? Have we considered and acted on The Intelligent Board Dr Foster report 2006?
  • Are board meetings managed effectively? What improvements could be made to ensure that we operate as a team? Do we have trust and respect between executive and non-executive directors?
  • What skills do we need as a board? To what extent do we have the right skills? How clear are we about what the role of the chair and non-executive directors should be? Do we delegate responsibilities effectively and appropriately?

2.Good assurance requires good internal controls, effective risk management and a good assurance framework

  • How can we be sure that we have identified all of our strategic risks? Are we monitoring them properly and what level of independent scrutiny or constructive challenge from within the organisation is there?
  • How timely and relevant is the performance information that we use to monitor risks? What reports do we receive that provide evidence of the effectiveness of risk management and progress in achieving strategic objectives?
  • How do we provide leadership on risk management? Do we monitor the organisation's main operational risks? How can we be sure that the risk management processes in place will avoid operational risks becoming strategic risks? How clear are we about our risk appetite? Do we quantify risk appropriately? Do we have an accountability framework for the trust that sets out the level of risk that is expected to be managed at each level of the trust?
  • Have we devolved risk management sufficiently and how can we be sure that it is embedded within operational processes and that there is ownership of risk?
  • Do we understand what risk culture we are trying to embed? Do we know what a good risk culture looks and feels like? How and when do we communicate this?

3.Good assurance is required on internal controls

  • How are we using the internal audit function to obtain assurance on internal controls? Is the scope and level of investment in internal audit appropriate? How are we maximising the assurances we can gain from internal audit and do internal audit staff have the right skills and experience? Are we making best use of other independent forms of assurance?
  • Do we need to establish or increase investment in a separate compliance function to ensure operations comply with laws, rules, regulatory requirements and our policies?
  • To what extent do we use the clinical audit function appropriately? Is it systematic and focused on our own risks as well as on nationally identified issues? Are the results regularly reported to the board through the assurance framework? Does it give us a comprehensive view of the quality of clinical services across the trust’s portfolio? What are our potential sources of assurance? Do we use these appropriately, balancing them across the risk profile of the trust? How have we satisfied ourselves that they are not skewed towards big and topical projects and that we keep our eye on the ball more widely? How do we systematically test and evaluate the sources of assurance?
  • Where have we set out the roles and responsibilities of sub- committees to the board and do we receive full and appropriate reports from them? Specifically, how will the audit committee programme enable it to meet the board’s expectations? Do all non-executive directors have the opportunity to communicate with those on the sub-committees?

4.Good assurance requires good data quality

  • Is there a corporate framework in place for the management and accountability of data quality? Is there a commitment to secure a culture of data quality throughout the organisation? How have we made clear the responsibility for data quality governance and accountability at all levels of the organisation? Do our clinicians understand the purpose and use of the data collected?
  • What policies or procedures are in place to secure the quality of the data used for reporting? What policies and guidance on data quality do we have? Are they appropriate?
  • What policies or procedures are in place to secure the quality of the data used as part of the normal business activity of the organisation? How has the trust ensured that staff have the knowledge, competencies and capacity in relation to data quality? What kind of training is made available on data quality issues?
  • What arrangements are there to ensure that data supporting reported information are actively used in the decision-making process? Are they subject to a system of internal control and validation?
  • What controls do we have to ensure that the quality of data used for decision making is good enough? Is the quantity and timeliness of information we receive for board meetings adequate? How do our board reports explain the assurance process for the data contained in them? Do they clearly highlight any issues?

Read the report in full here: http://www.audit-commission.gov.uk/nationalstudies/health/financialmanagement/Pages/takingitontrust29april2009.aspx

The Intelligent Board

Dr Foster’s report The Intelligent Board (2006) presents a set of principles and model framework for structuring information to support strategy development and oversight of business delivery and effectiveness. It also suggests practical ways in which boards might use the framework proposed.

The report is structured as follows:

  • The Information Challenge: discussion of the growing pressure on boards to raise their game and the need to improve the information they receive and how they use it.
  • Intelligent information for the board: some key principles that should govern information for the board, together with a proposed framework and minimum data set for reviewing trust performance, supporting decision-making and considering strategy.
  • Putting the framework into practice: improving the structure of agendas for the board; developing a “dashboard” of routine performance indicators; informing the annual cycle of board meetings.

This report is a must read!

Link: http://www.networks.nhs.uk/uploads/westyorks/intelligent_board_report_v6.pdf

Mid Staffordshire NHS Foundation Trust: A review of lessons learnt for commissioners and performance managers following the Healthcare Commission investigation

Dr David Colin Thomé’s report looked at the issue of ensuring governance and clarity of accountability of all the different organisations in the system.

A number of organisations have been the subject of investigation and review in the Mid Staffordshire case, including the hospital trust, the PCTs, SHAs and regulators.

There are lessons to be learnt by all, but there are also lessons for the wider system. A key lesson has been about clarity of role and responsibility so as to ensure that each organisation understands where it fits and what accountability it has. This was not clear in Mid Staffordshire and there were cases of issues falling between organisations. There were also issues of poor handover when organisations were reconfigured and a lack of formal documentation of decisions compounding the problem. This likely contributed to the ongoing failures in patient care.

Link: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_098660

Clinical Assurance and the Patient Experience

Failure to deliver the fundamentals of care can bring down an NHS board faster than failures of either finance or performance, and there have been recent examples of this. Despite this, there are still serious concerns about the lack of attention some NHS boards pay to the quality of clinical care. Such emphasis poses particular challenges for nurse executives. On the one hand, they are well placed to help boards assure themselves about the quality of clinical care. Yet when there are high-profile failings in patient care, it is often nurse executives who are blamed for failing to champion quality and patient safety at board level.

From Ward to Board is a King's Fund Publication 2009 written by Sue Machell, Pippa Gough and Katy Steward, which identifies good practice in the business of caring.

The issues discussed in the report and their implications for board and skills development include:

  1. How does a board assure itself of the quality of clinical care?
  2. What is the importance of context?
  3. What is the right clinical information?
  4. What are the key relationships in the boardroom?
  5. What is the right balance between effective board relationships and robust governance structures?
  6. What difference can the nurse executive make?
  7. When are board members ready to hear bad news?

Read the report in more detail at: http://www.kingsfund.org.uk/research/publications/from_ward_to_board.html

Managing Risk

Source Setting the Direction – A Board Member’s Guide – NLIAH/ WAG Publication Edition 4 (07/06)

  • How do you and your organisation know what risks you face? What are they?
  • What structures and processes does your organisation need in place to identify the risks?
  • How does your organisation provide robust responses to manage and minimise such risks?
  • What are the significant risks facing your partners in the health community?

What is a risk?

Risk is the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives and to execute its strategies successfully.

Health and social care is, by its very nature, a risk activity. It is important that board decisions are taken using all available information on possible outcomes – this is risk management. Without this, there is a very real danger that patient care will suffer and, as a consequence, give rise to the potential for adverse publicity and, for example, medical negligence cases.

There are different types of risk, but they are usually classified under the following main headings:

  • Financial risks – for example, not having sufficient funding to meet all your commitments, possibly resulting in deficit at year end.
  • Clinical risks – for example, resulting from mistakes in the treatment of patients.
  • Reputational risks – for example, arising from adverse publicity about a failing within your organisation.
  • Legal risks – for example, due to a lack of understanding or implementation of legislation, or being sued by a patient.

Standing orders require you to have as a minimum the following structures supporting the board to help identify and manage risks:

  • Audit Committee – deals essentially with corporate governance, finance and probity. If a separate Risk Management Committee is not established the risk management function must be managed through the Audit Committee to provide the overarching view of risk for your organisation with particular emphasis on controls assurance.
  • Clinical Governance Committee – deals specifically with assessing whether risks associated with clinical matters are being identified and managed effectively.
  • Remuneration Committee – provides advice to the board about appropriate remuneration and terms of service for the chief executive and other officer members.

However the consequences of a single incident can be far-reaching and may involve all of the risks and all of the committees we have identified above. It is important that the structures you have in place for identifying and managing risk result in a clear understanding of all the risks you face. You and your directors will also need to agree the order in which you will tackle them. As new risks emerge, you will need to revisit your plans and consider if priorities need to change.

The independent member role in risk management

In looking at the role of an independent member in dealing with any risk-related committee, or when risk issues are discussed at board level, we see five common strands:

  1. If appropriate, ask why the risk was not identified before there was an incident or before the risk otherwise emerged – can your organisation’s risk management processes be improved?
  2. Challenge assumptions in any remedial action plan, including the timescale (are they too late or unrealistic?), the resources (are they sufficient and affordable?) and consider if the proposed actions will really address the risk.
  3. Review and monitor the results of all of this. Ask why action has not been achieved by the planned date and what remedial action is now necessary.
  4. Ensure there is a process for sharing the understanding of risk in your organisation and related organisations and learning from the experience of others.
  5. Make sure people understand the full implications of risk for other areas of your organisation.

Because of the overlapping nature of this work, there is great value in independent members sitting on more than one of these committees.

Useful links

LHB Board Effective Committees Good Practice Guide

Trust Board Effective Committees Good Practice Guide

Supporting Good Practice

.