7.1 CRR Q4 2022 Report
The CRO presented the Corporate Risk Review (CRR) Q4 2022 End of Year report to the Committee.
The Committee noted that there are currently 21 risks on the Register, up from 19 risks reported in Q3, with the addition of Data Protection and Workplace Violence and Aggression, of which 16 have residual risk rating of Red and 5 as Amber.
In relation to the two new risks added to the CRR following the advices of the Committee, CRR 020 Workplace Violence and Aggression was added. This related to CRR009 Health, wellbeing, resilience and safety of staff, which was reviewed in Q4 and a decision was made that given the risks relating to violence and aggression in the workplace, it should be recorded as a specific risk on the CRR. The Committee agreed to monitor this risk and if required escalate the matter to the Board in the event of there being a requirement to bring it to the attention of the Minister to strengthen legislation to protect health care workers.
In relation to CRR 021 Data Protection, as a result of the extraction of personal data at the time of the 2021 cyber-attack on the HSE’s systems, it was decided that a specific Data Protection risk should be included on the CRR, which the Committee welcomed.
The Committee were updated on the movement in residual risk ratings between Q3 and Q4 2022 and noted that in relation to CRR 002 Future trajectory of COVID, the risk description had been expanded to include the compounding effect of surges of more than one pathogen at the same time, with the residual risk rating revised upwards from 12 to 16.
In relation to CRR13 Internal controls and financial management, the Committee noted that following previous discussions the risk description had been expanded to reflect economic uncertainty risks. The residual risk rating was revised upwards from 10 to 15 (due to continuing economic uncertainty and known shortfall in budget allocated for 2023). The Committee advised that the risk as previously described, focused on the HSE’s management of its control environment and budgets. Widening the risk to include areas outside of its control, which resulted in the higher rating, could be viewed as a HSE failure to implement effective internal controls and budget management. The CFO agreed to consider the advice of the Committee as part of the Q1 2023 CRR Review.
The Committee noted that the CRO expects that both ratings for CRR002 and CRR13 will come back down in the next quarter, and that the Safety & Quality Committee were reviewing CRR 08 Safety Incidents Leading to Harm to Patients at their meeting that was taken place today.
The Committee highlighted that there was no change recorded for CRR 001 Major Disruption to Clinical and Non Clinical Service Continuity, and in light of the exceptional pressures on Emergency Departments, acute hospitals and the wider health system this winter, they would have expected to see the increased level of risk to have been reflected. The CRO agreed to feedback their comments to the Risk Owner and EMT.
In reviewing the CRR, the Committee emphasised the importance of understanding that risk concerns the effect that uncertainty has on the HSE’s objectives. As such, corporate risks should ideally fall out of those objectives. The Committee agreed that the current Corporate Plan needed to be updated, and advised that work on its successor Plan should start as early as possible and that the Strategy should be informed by risk which should in turn guide the application of resources. The Committee requested that the CRO bring this advice to the attention of the EMT.
The Committee noted the delay in approving the National Service Plan 2023, which is core to addressing and monitoring the treatment of risk, and requested that the CRO advise the EMT of their concern.
The Committee were advised by the CRO that the EMT held its annual Corporate Risk Workshop on 25 January 2023, and outlined that in relation to Reflecting on the HSE’s Corporate Risk Process, a number of practical ‘back to basics’ risk workshops are to be arranged, and two initial workshops will focus on Current CRR Risk - Access to care and a new risk with regard to Implementing RHAs.
The Workshop also looked at the review of the HSE’s Corporate Risks and Risk Appetite Statement, including new or emerging risks and current corporate risks. The Committee thanked the CRO for the update and it was agreed that the Committee will seek to align their review of the risks designated to them with the review of Internal Audit identified risks.
7.2 Mental Health Commission CAMHS report - operation of the risk management system - verbal update
The Chair referred to the Interim report of the ‘Independent Review of the provision of Child and Adolescent Mental Health Services (CAMHS) in the State by the Inspector of Mental Health Services’ which was submitted to the HSE in January 2023. Concerns were identified in four out of five CHOs, and the operation of a risk management system was highlighted as one of the areas of concerns within CAMHS.
The CRO advised the Committee the Report outlined that in some areas reviewed, risk management was poor, with a lack of communication, lack of actions to mitigate risks, and a limited understanding as to what constituted a risk, how it was assessed, and how it was escalated. This led to frustrations in the teams, with risks then not being notified or escalated.
The Committee held a discussion in relation to the risk literacy issue, and the need to anticipate risks more effectively in the services. At the suggestion of Fergus Finlay, the CRO agreed as part of the new Risk Policy to develop a non-technical summary that could be used to increase the understanding across the system of how risks should be managed.
7.3 Draft Enterprise Risk Management Policy, Process and Guidance 2023 - ARC Review
Elaine Kilroe, AND Enterprise Risk Management joined the meeting.
The CRO presented to the Committee for their consideration, the penultimate draft of the revised HSE Enterprise Risk Management [ERM] Policy 2023, which was previously circulated. He advised that the HSE’s Risk Management Policy was last updated in 2017, and work on revising this Policy has concluded.
The Committee noted that the inputs to the Review included the findings and recommendations of the HSE’s Risk Reviews 2019 and 2021 (Moody Review); International Standards; the key developments in Risk Management thinking since 2017 and consideration of risk management documentation from other jurisdictions and the undertaken of a comprehensive and extensive two phase consultation process with health service staff and HSE funded agencies and their representative bodies. Committee members P Kirwan and C Campbell were also involved in the consultation process.
He advised that once the HSE ERM Policy 2023 is approved, a comprehensive communication programme will be rolled out, which will include a formal launch and an information road-show.
The Committee welcomed the update and noted that some additional amendments were being made including adding a summary section. The Committee requested that the CRO ensures that the Policy is contextualised so that it responds to the needs of front line staff including clinicians; that it strengthens the section on the need to engage on risk with bodies outside of the HSE, particularly where the ability to control the risk lies outside of the HSE’s power; that in parts of the policy the language needs to be strengthened, table 4 should include staff in its description and a FAQ document should be developed.
The Committee considered the Policy, and once their suggestions were included, which the CRO agreed to undertake, it was agreed that the final draft would be brought to the Committee in March 2023 in advance of it being tabled for approval by the Board.
The Committee outlined their thanks to Elaine Kilroe AND and Carol Clarke General Manager for all their work in the revision of the policy.
7.4 Protected Disclosures
Rosemary Grey, AND Compliance and Gary Russell, General Manager, Protected Disclosures joined the meeting.
The ND Governance and Risk presented to the Committee the following papers, as circulated prior to the meeting. 2022 End of Year Status Report, Proposed Future Status Reporting, Statutory return to the Minister for Public Expenditure and Reform and the HSE’s Protected Disclosures Annual Report 2022. The ND GR introduced Mr Gary Russell who has taken up the role as the Head of the National Office for Protected Disclosures [NOPD] and also welcomed Rosemary Grey AND Compliance and Authorised Person to the meeting.
Protected Disclosures 2022 End of Year Status Report
The Committee reviewed the Protected Disclosures 2022 End of Year Status Report, and reiterated that the backlog of open PDs is a priority for the Committee. It was noted that there were 366 Protected Disclosures received by the HSE between 2017 and 2022, with 68% of reports that have been closed, and 117 remain open. 310 cases were received between 2017 and 2021, with 71 remain open. The Committee acknowledged that the length of time it is taking to close out such a high proportion of cases is a concern.
The Committee were advised that as a priority action, an in depth review of all open cases listed on the protected disclosures activity log commenced in December 2022, and the Committee reviewed the methodology for the Review and validation, the status of the Review as of the end January 2023 and stage of decisions by the NOPD in relation to the Open cases.
Annual Statutory Reporting
The ND GR advised the Committee that under the Protected Disclosures (Amendment) Act 2022, the HSE is required to provide a Statutory return to the Minister for Public Expenditure and Reform by the 1 March each year, and prepare and publish a Protected Disclosures Annual Report by the 31 March each year.
The Committee noted the paper previously circulated and it was agreed that the ND GR review the draft Protected Disclosures Annual Report 2022 with a view to considering anything additional that can be added in terms of what we have done, impact and outcomes, and bring back to the Committee at the meeting in March 2023.