HSE Audit and Risk Committee Meeting Minutes 10th November 2022

Members Present

Brendan Lenihan (Chair), Fergus Finlay, Michelle O’Sullivan, Ann Markey, Martin Pitt, Colm Campbell & Pat Kirwan

HSE Executive Attendance

Mairead Dolan (Interim CFO), Dean Sullivan (CSO), Tom Malone (Interim ND Internal Audit), Patrick Lynch (ND G&R/CRO), Mr Damien McCallion (COO), Dara Purcell (Corporate Secretary)

Joined the Meeting

Elaine Kilroe (AND Enterprise Risk Management)(Item 3.2), Mr Joe Ryan (ND

Operational Performance & Integration)(Item 3.3), Rosemary Grey (AND Governance & Compliance)(Item 4.1),Colum Maddox (Asst CFO)(Item 5), Tim Cummins (Head of Treasury and Capital)(Item 5.2), Colm Waters (Head of Tax)(Item 5.4), Ms Mary Day (ND Acutes) & Ms Yvonne O’Neill (ND Community Operations)(Item 5.5), Brian Long (AND Procurement)(Item 8.3).

Minutes reflect the order in which items were considered and are numbered in accordance with the original agenda.

The Chairman welcomed the Committee members to the meeting and held a private session to consider the agenda and papers and the approach to conducting the meeting.

EMT joined the meeting at 13.20pm.

2.1 No conflicts of interest were declared

2.2 Minutes

• the committee approved the minutes of 13 October 2022
• the minutes of the Special meeting of 09 November 2022 re Draft Capital Plan 2023 will be considered at the next Committee meeting

2.3 Action Log

The Chair advised that the Committee reviewed the Action Log during private members discussion.

2.4 Briefing notes / Updates

2.4 a Cost of Care in Public Nursing Homes – verbal update

The CFO advised the Committee that a briefing note was brought to their meeting in April 2022. She advised that this programme of work is being led by Community Operations, who have been liaising with the DoH. The Committee requested that a paper be brought to the Committee’s meeting in December 2022.

2.5 b PPE Audit

The Chair noted that a paper will be brought to their meeting in December 2022.

Elaine Kilroe, AND Enterprise Risk Management joined the meeting.

3.1 Board Annual approval of Corporate Risk Register

The Committee decided that the Q3 2022 Corporate Risk Register (CRR) report, which was previously considered by the Committee at their meeting in October 2022 would be presented to the Board at its December meeting for its annual consideration of the HSE’s principal risks.

The CRO proposed to the Committee that in future years (i.e. from 2023 onwards) the Q4 CRR will be the version considered by the Board for approval, which will align the Board approval process with the Annual Report cycle. This will mean the Board approves the Quarter 4 Register in March of the following year. The CRO also proposed that the review of the Risk Appetite Statement would be concluded in Q1 2023 in parallel with the revision of the HSE’s risk policy. The Committee agreed to both proposals.

3.2 Review of HSE Integrated Risk Management Policy

The CRO introduced the newly appointed AND Enterprise Risk Management to the Committee.

The CRO presented the draft Enterprise Risk Management Policy to the Committee noting the review is well advanced and the revised draft has been widely circulated as part of the final consultation phase. The revised policy has been informed by the HSE’s Risk Reviews 2019 and 2021 (Moody Review), the key developments in Risk Management thinking internationally since 2017, feedback from health service staff, and relevant inputs from the HSE’s new risk team.

He advised that the draft has also issued to funded agencies for feedback, and meetings took place with Committee members Pat Kirwan and Colm Campbell, who provided their comments. P Kirwan advised that he has arranged for Risk Experts in the State Claims Agency to provide feedback by the end of the month.

The Committee reviewed the draft and a discussion took place. The Committee welcomed the engagement with health service staff and the Section 38s and 39 agencies and emphasized the importance of the policy being widely communicated across the HSE and funded agencies. The CRO advised that a roadshow to communicate the new Policy will be planned once the policy is approved.

The Committee noted that during Q1 2023 the final draft will go to EMT for approval and will then be brought back to the Committee prior to its submission to the Board.

In response to questions from the Committee on the potential risk of bird flu transferring to humans the CRO advised he would review same. The Committee also requested an update on the up take of Covid 19 vaccinations.

3.3 Shortage in Fuel & Electricity

ND OPI joined the meeting.

Further to discussions at the previous ARC meeting the ND OPI informed the Committee that a planning sub- group of the National Crisis Management Team has been established, which he chairs, and includes representatives from Acute and Community Operations, National Ambulance Service, Emergency Management, Estates, Procurement and HR. This group will coordinate planning for threats to energy supply and provide guidance for HSE services in the context of monitoring the potential risks of power outages and fuel shortages this winter that have the potential to impact critical service areas. He advised the Committee that they have been working with suppliers to ensure there is priority status for electricity and fuel supplies for all critical services.

The Committee welcomed the actions taken, and the ND OPI agreed to the suggestion from the Committee to consider third party suppliers, such as taxis that bring patients to hospitals, and shortage of fuel for healthcare staff, residential care homes and those that are vulnerable, for inclusion in priority status for electricity and fuel supplies.

Rosemary Grey AND Governance & Compliance joined the meeting

4.1 Protected Disclosures

The ND GR advised the Committee that Protected Disclosures (PDs) are currently being dealt with by the AND Governance & Compliance and team. The recruitment process for the General Manager for PDs has been completed, and the GM is due to take up the role in December 2022.

The Committee reviewed the Protected Disclosures report circulated to the Committee prior to the meeting. The Committee advised that the backlog of open PDs is the initial priority and the Committee’s focus, and requested a report on PDs that remain open from 2017 to 2022. The Committee agreed that it reserves the right to request Commissioning Managers to attend ARC in early 2023 to discuss the reports outlining why the PDs remain open and what are the planned actions in place to close them. The Committee requested that the ND GR report to the Committee twice yearly with an update. 2-3 case histories of substantiated PDs and one that led to learning was also requested by the Committee for a future meeting.

The ND GR advised that the new Protected Disclosures Act due to commence on 1st January 2023 will place greater reporting obligations on the HSE. He advised the Committee that the interim guidance for public bodies and prescribed persons has been received from DPER and that the PD Working Group are reviewing at present and will incorporate into HSE guidelines for December 2022. Training for HSE staff is also scheduled for December.

The Committee requested that a further report on PDs be provided in 2023 when the new legislation has commenced.

4.2 Data Retention - Update with regards to implementation of policy

ND OPI provided a briefing to the Committee on the work being done in respect of the Scally Report and the Irish Data Protection Commissioner's (DPC) Report in 2018 which highlighted gaps in the implementation of the Records Retention Policy which was last revised in 2013. The HSE Records Retention Policy Revision 2022 is now complete, and will require a national lead to provide leadership in what is a complex policy that will need extensive engagement by all services within the HSE. He outlined a number of issues that will impact on the implementation of this policy, and that a transitionary period will be required between the two policies.

The Chair noted that an IA Report brought to a previous Committee meeting was one of the drivers in this review. The Committee welcomed the update and the focus on robust implementation, and requested that the policy and implementation plan be brought the Committee for their meeting in December, and the Chair will engage with the Board Chair for inclusion in a future Board meeting.

4.3 Memorandum of Understanding with the Charities Regulator

The ND OPI provided an update to the Committee, outlining that the draft Memorandum of Understanding (MOU) with the Charities Regulator has been finalized and noted that a separate Data Sharing Agreement (DSA) is being developed and that a Standard Operating Procedure to support the MOU is put in place so that any matters that may warrant disclosure of information, where required, to the Charities Regulator will be handled in a standard manner.

The Committee welcomed the MOU and requested that the provisions in relation to the role of the ARC in the MOU be amended to include a power for the Committee to refer matters directly to the Charities Regulator to reflect its role in the HSE’s governance structure. It was agreed that the Chair would review the reference made and update the provisions in the MOU in relation to the Committee. A further update would be brought back to the Committee at their meeting in December.

Colum Maddox, Asst CFO joined the meeting

5.1 Update note on progress on settling reporting requirements to DoH and DPER – verbal update

The CFO informed the Committee that the regular reporting meetings with DOH and DPER had recently not taken place but that the Asst CFO has been liaising with the DoH on this issue.

The Committee emphasised the need to ensure that proper reporting arrangements are agreed and documented between the HSE and DoH (ideally before year end) and requested the CFO’s to report back to the next Committee meeting on her engagement with the DoH to agree the necessary reporting arrangements in that timeframe.

5.2 Health Budget Oversight Group (HBOG) – verbal update

The CFO briefed the Committee of the discussions that took place at the meeting of HBOG. She advised that the meeting focused on additional reporting requirements for next year and expenditure control, and will forward the minutes to the Committee when available.

5.3 SIC Process for 2022 on Procurement Compliance Assessment Q1 and Q2 returns for 2022 – for mentioning

The Chair advised the Committee that this item was deferred to the Committee’s December meeting as these reports are not available.

5.4 Treasury banking projects approvals - Wave 2 and 3

Tim Cummins Head of Treasury & Capital (H T&C) joined the meeting

The Asst CFO provided a briefing to the Committee in relation to the opening of Wave 2 & 3 bank accounts and the approval of designated signatories with Danske Bank, as set out in the briefing papers circulated to the Committee prior to the meeting.

The Committee considered the paper presented, and agreed to recommend to the Board for approval.

5.5 YTD Expenditure - To include a breakdown of maximum expenditure limits with Hospital Groups (HGs) & Community Health Care Organisations (CHOs)

ND Acutes & ND Community Operations joined the meeting

The CFO provided a briefing to the Committee on the financial position year to date and the forecast to year end as set out in the briefing papers circulated to the Committee prior to the meeting.

She advised that the draft revenue I&E financial position at the end of September 2022 shows an YTD deficit of €1,005.2m or 6.6%, with a significant element of this being driven by the direct impact of COVID-19, as reflected in the €783.6m adverse variance on the COVID-19 reported costs and €221.6m adverse variance on core (Non- COVID 19) related costs.

Q3 detailed revenue I&E forecasting for Core Services are currently being prepared, which is a bottom up exercise based on YTD Sept actuals, with substantial divisional oversight and engagement. The consolidated full year I&E forecast will be available for circulation by Mid-Nov, with a full year cash forecast being prepared in line with the overall I&E forecast timeline.

A discussion took place in relation to the prospect of a Supplementary Estimate for 2022, and the CFO advised that engagement had started with the DoH, who were in discussions with DPER.

The Chair then welcomed the ND Acutes & ND Community Operations to discuss the Maximum Variance Limit (MVL) against Budget Projection for Acute and Community Operations to Y/E 2022.

The COO provided an update to the Committee on the forecasted position to year end based on the financial position at end September and senior management’s view of the likely outturn of the final quarter of the year. He advised that expenditure is being closely monitored and managed across all of the hospital groups and CHOs in order to contain spending within the agreed MVL. The Committee noted that the agreed MVL for Acute Operations is €207m, with the projected outturn of €26.91m above this limit, and the agreed MVL for Community Operations is €214.48m, with a forecast that CHOs will finish in line with their MVL with one CHO with an outcome at risk.

The COO advised the Committee that Integrated Operations will continue to place particular emphasis on achieving MVL as part of the monthly performance engagements with hospital groups and CHOs, and that particular focus is required in one Hospital Group where the MVL projected is significantly higher in deficit terms, to which Acute Operations are engaging with the Group concerned and finance on this matter.

5.6 Update on Management Action Plan – High Earners Review - Consultants IA Report

The Chair requested an update from the COO in relation to the issue of the timeline slippage in the Action Plan. The COO advised the Committee that in response to the Internal Audit report High Earners Review – Consultants, the Executive Management Team approved an Action Plan on 28th June to address issues that were identified in relation to consultant pay compliance, which set out a series of actions to improve the control environment and an indicative timeline for delivery, which is now necessary to revisit. He advised that on average the delivery deadlines have moved by approximately 3 months, with implementation now expected to extend through to the end of Quarter 1, 2023 and is now presenting the revised timeline for consideration of the Committee.

The Committee discussed the revised timelines, and the reasons for the slippage, noting the significant changes in personnel, and that the programme governance has been re-established and a working group is now in place and active. The Committee were assured that the timelines would not slip again, and that there is work ongoing with the Chief Officers and CEO to ensure this work is completed by March 2023.

The Chair thanked the COO and colleagues for the update requested that an update be brought to the Committee at their meeting in April 2023 in line with the revised timelines for implementation of the recommendations.

5.7 NAS Strategy / Capital Commitments

The Chair noted the two papers brought to the Committee and agreed that the Provision of Ad hoc Ambulance Services to Transfer Low and Medium Acuity Patients Between Healthcare Facilities would be deferred.

The COO presented an update in relation to the Capital Plan requirements and planning process concerning National Ambulance Service (NAS) Strategic Plan 2021-2031, which was submitted to the Committee in advance of going to the Board.

The COO advised the Committee that the NAS Strategic Plan will build on evolving improvements, to ensure continued focus on the developments of strategic priorities being embedded under Vision 2020. Particular emphasis is on the continued development of alternative care pathways, specialist paramedic roles and progress towards meeting capacity and organisational development improvements. NAS aim is to increase capacity and support new developments in anticipation of the expected demand growth of 107% over a 10-year period from 2017 to 2027.

Given the scale and diversity of development and capacity required to meet current demand, support the shift in health service delivery, plan for the future and ensure the NAS organisational model is fit for purpose, the NAS revenue budget requires focused investment for an additional workforce of 4,615 WTEs (2022 – 2031).

The Committee welcomed the update report on the capital requirements and planning process concerning National Ambulance Service (NAS) Strategic Plan 2021-2031 and noted that the NAS strategy would also be considered at the next Performance & Delivery Committee, before going to the Board’s November meeting.

6.1 2020 and 2021 IA O/S Recommendations

As previously discussed by the Committee at their September meeting where it was noted of their concerns with the delay in implementing 2020 and 2021 IA recommendations. The Chair welcomed the ND Acutes and the ND Operations to the meeting who presented a detailed report which provided an updated position in respect of open items relating to 2021 and 2020.

The COO advised the Committee that services were focused over the past few years on the response to Covid 19 and the cyber-attack, but a renewed focus has now been put on implementing the outstanding IA recommendations which has seen progress to date, with Mike Corbett working on this area, the ND IA attending the Oversight Committee and also as an agenda item in Performance Review Process meetings, and they will continue to monitor and review the remaining open recommendations to ensure closure within the timelines specified.

The Committee held a discussion and queried what was the level of oversight in the individual areas for the implementation of the recommendations and reiterated that if there is no improvement, that named managers will be required to attend a Committee meeting to provide an explanation.

The Committee agreed that a follow up report be presented at their meeting in March 2023.

ND Acutes and ND Community Operations left the meeting.

6.2 Q3 IA Reports

David Langton, General Manager & Veronica Swan, Quality Assurance Improvement Programme Manager joined the meeting

The ND IA presented to the Committee Q3 – 2022 IA Report which was circulated prior to the meeting, which included the Activity Report, the IA Dashboard, the Status of Recommendations, the Key Internal Audit Reports issued and the Summary Internal Audit Reports issued.

He advised that as at the 30th September 2022 (Q3 2022) 121 reports were issued in Q3, 17 of which related to TUSLA. Included in the 104 HSE reports were 15 follow-up reports, and 10 reports in respect of funded agencies.

The top control issues identified were in relation to Governance, HR and Payroll. The ND IA referred to the Internal Audit Dashboard, which illustrates the types of control issues and the extent to which each control issue occurred in the quarter and YTD.

The ND IA advised the Committee in relation to the Implementation of Internal Audit Recommendations the following were implemented or superseded by Q3 2022: 42% (427) of the total 2022 recommendations; 81%

(505) of the total 2021 recommendations, and 84% (598) of the total 2020 recommendations.

He gave an outline in relation to the HSE Audit Reports Progress as at 30th September 2022, stating that 203 reports have been completed or issued to date, and they are on target to the 250 which was set out in the 2022 annual plan.

The Committee held a discussion in relation to the key findings of the Summary Reports relating to Q3-22-ASD- 001: Procurement - National Ambulance Service (Unsatisfactory opinion); Q3-22-ASD-002: Children First Legislation - Galway University Hospital (GUH) (Unsatisfactory opinion); and Monitoring of Probation Controls (Unsatisfactory opinion);.

The ND IA advised that an audit was conducted in seven hospitals to determine the assurance level that can be given to management that the risk management at hospital level, and he presented to IA report relating to Q3- 22-ASD-006: Compliance with Risk Management - Wexford General Hospital; and Q3-22-ASD-013: Compliance with Risk Management - Acute Operations.

The Committee thanked the ND IA for the update and in view of their concern requested that the findings of the Q3-22-ASD-002: Children First Legislation - Galway University Hospital (GUH) and the Monitoring Probation controls report be brought to the People & Culture Committee.

6.3 IA Report - Risk Management

The ND IA presented to the Committee the Internal Audit Final Report re Verification of Controls, HSE Corporate Risk Register (DN049GAR1022). He advised the Committee that the audit findings indicate that the level of assurance that may be provided to management about the adequacy and effectiveness of the governance, risk management and internal control system in the area reviewed is limited, and the Committee were given an outline of the key audit findings.

The CRO noted his appreciation of the focus that IA have given to the risk process, emphasizing that the Q1 report was the first time that inherent and residual ratings were implemented, and that control descriptions are being amended.

The Committee commended the high quality reports, and it was suggested that the inclusion of what the rating means and achieves be included, the CRO advised that that it would be included in the Q4 report.

6.4 Internal Audit’s Review of funded agencies audit approach - verbal update

Veronica Swan, Quality Assurance Improvement Programme Manager presented a summary update of the current status of the review which has examined the audit process of Funded Agencies.

She advised that there has been engagement with HSE Stakeholders which included three members of the Committee, including the Chair, representatives of three CHOs, the Head of Service for Quality & Safety, Service management, CMSU management, Finance, CFO, Head of Compliance and team, and external parties. A meeting with the CEO is scheduled later this month.

The ND IA has sought, as part of the External Quality Assessment (EQA) being carried out by Mazars, an independent opinion on the audit process of Funded Agencies, and they will await the outcome of this.

She advised that the review remains in progress and a paper will be presented to the Committee in December 2022 which will include proposal(s) for consideration and approval, and to agree the appropriate transition arrangements in conjunction with relevant HSE divisions arising from the approved outcomes of this review in Q1 2023, which the Committee noted.

David Langton, General Manager & Veronica Swan, Quality Assurance Improvement Programme Manager left the meeting.

6.5 IA Plan 2023 - verbal update

The ND IA provided the Committee with an update, and stated that he was mindful of the Committee’s view with regard to a more strategic plan. He advised that there has been engagement John Moody and external providers to assist with their planning process. A different approach will be taken in terms of follow ups, which will be more proactive and include a risk based approach.

The Chair thanked the ND IA and Committee members to forward to him any specific area they want included. It was agreed that a paper would be presented to the Committee at their December meeting.

6.6 Review of the implementation of the Mandiant Recommendations in Voluntary Hospitals

The Chair advised that following the review of the implementation of recommendations, a number of control deficiencies were highlighted, and the voluntary hospitals stated they were unable to implement the recommended mandatory controls from Mandiant.

The Committee requested eHealth to re-engage with Mandiant to review the responses provided in the audit reports, and to assist with identifying any alternate or compensating controls and highlight any residual risk in relation to controls implemented.

The Committee discussed and stated their uneasiness with the conclusion of the assessment which states a moderate risk. The CIO advised that the risks will be tracked on a risk register and managed by the CEOs of the individual hospitals in an improvement plan.

The Committee noted the importance of adherence to the recommendations, and the Chair will discuss with the CIO and requested that the report be forwarded to the Technology and Transformation Committee.

7.1 Climate Strategy and Implementation Plan

Dr. Philip Crowley, Roisin Breen Programme Manager, Michael Quille Associate Director Ernst & Young joined the meeting

The CSO presented to the Committee with an update on the Climate Action and Sustainability Strategy and Implementation Plan which responds to and outlines a broader approach to the actions and targets set out in the Government’s Climate Action Plan 2021, and the Climate Action and Low Carbon Development Act (Amendment) 2021. He advised that the Strategy provides for a clear Climate Action and Sustainability Roadmap which outlines how the HSE intends to contribute to putting Ireland on a more sustainable path, cut emissions, create a healthier, cleaner, and greener society, and help protect and prepare the population from the health consequences of climate change, and is founded on six priority focus areas to achieve net-zero emissions no later than 2050.

He advised that the Strategy has been developed in a consultative manner with a range of internal and external stakeholders, reflecting a wide variety of viewpoints, and that the Strategy was accompanied by a detailed Implementation Plan to support the efficient and timely delivery of the Strategy.

The Committee thanked the CSO for the update and held a discussion noting that the Strategy and Implementation plan was comprehensive and well written. The Committee requested that refinements be made to the paper and include comments with regard to providing corporate reporting to the Committee and Board, to which the CSO agreed to include in the Implementation Plan and share with the Committee.

The Committee discussed the title of the Strategy – HSE Climate Action & Sustainability Strategy, and felt that it should be reviewed given the broader scope of ‘sustainability’ and outlined some further minor amendments to be made to the Strategy and once amended agreed to recommend the Strategy and Implementation Plan to the HSE Board for consideration.

8.1 Contracts

The CSO briefed the Committee on the following Contract circulated to the Committee prior to the meeting.

Proposed Award of Contract - Respiratory Assessment Unit, Midland Regional Hospital, Portlaoise

Following consideration and discussion, the Committee agreed to recommend the contract to the HSE Board for approval, but requested that amendments be made to the paper outlining further information regarding the other sub-contractors that were selected to submit tenders.

8.2 Properties

The Committee considered the detail for the proposed property transactions, and the Committee agreed to recommend the following to the HSE Board for approval.

• lease of Part Ground and First Floor, Santry, Dublin 9

the Committee considered the above, and queried the Memo of Understanding (MOU) with Tusla. CSO agreed to include a further note outlining the MOU when brought to the Board

• lease of newly constructed Palliative Care Hospice, Co Roscommon
• proposed Lease of Primary Care Centre, Fethard, Co. Tipperary
• proposed Lease of Primary Care Centre, Tullow, Co. Carlow
• proposed Lease of Primary Care Centre, Urlingford, Co. Kilkenny
• proposed acquisition of a building, Dublin 1
• proposed Lease of Primary Care Centre, Bishopstown, Co Cork.
• proposed Lease of Primary Care Centre, Douglas, Co Cork
• proposed Lease of Primary Care Centre Premises, Co Cavan
• proposed Lease of 2nd Floor, Letterkenny, Co. Donegal
• proposed lease of a Unit, Co Kilkenny, for Finance Shared Services - National Finance Division

8.3 CAR request from procurement

AND, Procurement joined the meeting.

The CFO and Procurement briefed the Committee on the following contract circulated to the Committee prior to the meeting.

Contract Approval Request for supply of Cylinder and Bulk Medical gases.

The Committee held a discussion concerning the contract and requested assurance in connection to international benchmark figures and insurance policy and bring back to the Committee at their December meeting.

There were no further business, and the meeting concluded at 5.30pm. Committee members held a private debrief session.