Risk Appetite Matrix



BSO 81/2017
26 October 2017

Board - Corporate Risk and Assurance Report 2017-18

Purpose of this report

The purpose of this report is to provide Board with an update on the Corporate Risk and Assurance Report and to outline progress made to date on risk actions (as at end September). In line with the new risk management reporting process for 2017/18, this paper was considered by GAC on 17th October.

Changes to the Corporate Risk Register

Following the approval of the revised BSO Risk Management Strategy and the Procedure for the Management of Risk Registers in June 2017, the risk matrix has been updated and a risk appetite has been assigned to each corporate risk.

Changes to Corporate Risks

New Risks – One new risk has been proposed:

Risk 14: The increasing levels of sophistication used in cyber-attacks along with the widespread access to capability to develop and deploy exploits as zero day attacks mean that the current levels of investment, resourcing and the processes used in cybersecurity are insufficient to manage the increasing level of threat and the potential impact of cyber-attacks.
The impact is the potential loss of critical infrastructure, data and ICT services which support critical operational clinical and business services leading to widespread disruption to those services across all HSC organizations as well as reputational damage to BSO and the wider HSC.

Revised Risks – All risks have been updated

Removed Risks – The following risks are proposed for removal:

Risk 6: Benefits of the new FPPS system fail to be realised due to:
Contractors declining to use web based portal, leading to an inability to reduce numbers in accordance with plan;
Required system fixes for defects and/or change controls not being applied, leading to an inability to reduce staff numbers in accordance with plan.
Benefits Realisation is now complete

Risk 10: Inability to complete the Guaranteed Minimum Payment reconciliation exercise due to limited resources results in a reputational impact on the BSO
The GMP exercise is being effectively managed in year and the risk will continue to be managed through the Pensions service risk register.

Horizon Scanning

No changes are proposed to the Horizon Scanning section

Strategic Objective: To Deliver Value for Money Services to our Customers

Risk:1. Levels of savings in the overall environment for HSC are so great that BSO service provision to customers are negatively affected and/or we fail to breakeven. The Leadership Centre may be particularly affected by a reduced level of client income e.g.
HSCB
Risk Score: L:4 I:4 S:16 High
Target Score: L:2 I:4 S:8 High
Date added to register: c.2010
Risk Trend:
Risk Appetite: Adverse
Risk Owner: DoF, CEx
Risk Category: Financial

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Budgetary Process Breakeven Budget with specified savings programme
Regular forecasting
Service Offering 17/18 complete
Meetings held with DoH sponsor branch
SLA costings 17/18 issued with SLAs May 2017
Budgetary Monitoring (I) SMT Accountability to CX (I) External Audit - Report to those charged with Governance (E) Budgetary Control process (I) Directorate Service Team Meetings (I) Financial Accountability Reviews with Directors (I) Financial Management Standard (I) & (E) Risk Reporting & Review (I) CX Review of Dirs Objectives (I) Dept Accountability Review (E) MIPB Assessment
Adjustments to 2017/18 budgets depending on final allocation letter from DoH.
Savings plan approval BSO Board and DOH
September 2017
Service Offering approved by SMT March 2017 and sent to DoH for information. BSO received an indicative RRL allocation on the 4th July 2017 with a 6.4% reduction in recurrent RRL i.e. a £254k reduction. A draft version of a savings plan to meet this reduction was forwarded to DoH on 24th July, and was approved by BSO Board in August. Final DoH approval is still outstanding.
2017/18 service offering and SLAs have been issued and SLA meetings with customers are almost complete. Work continues on the realignment of SLA charges.

Strategic Objective: To Deliver Value for Money Services to our Customers

Risk:2. Inability to prove quality, productivity and VFM, and show that we are competitive and addressing customer expectations.
Risk Score: L:1 I:4 S:4 Low
Target Score: L:1 I:3 S:Medium
Date added to register: c.
2010
Risk Trend:
Risk Appetite: Open
Risk Owner: Dir of CCP
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Existing Processes to measure Quality Standards; SLAs; KPIs; Framework / Scorecard; Monthly report to Customers; Internal Audit programme; Audit Control Process; Annual Quality report.
Benchmarking performance reported to Business Committee
2016/17 customer surveys
2017/18 SLAs issued
Accredited Bodies - ISO/Lexcel (E) Monthly Reports to Customers (I) Scorecard monitoring SLA Monitoring (I) Financial Management Standard (I) & (E) Customer Survey (E) SMT Meetings (I) GAC Audit Control Review (I) Dept Accountability Review (E) MIPB Assessment
Further participation of BSO Services in Benchmarking programme for 2017-18.
November 2017
A paper was submitted to Business and Development Committee which included Internal Audit, Legal, PaLS, Finance and Pensions. Further areas are undertaking benchmarking questionnaires and updates will be reported to Business and Development Committee in November 2017 (delayed from September due to management changes). 2017/18 SLAs have been issued and meetings are ongoing. 16 of 19 have been signed and returned.

Strategic Objective: To Deliver Value for Money Services to our Customers

Risk:3.
Risk of not achieving the agreed Shared Services business case outcomes for HR and Finance systems leading to financial and reputational damage.
Risk Score: L:4 I:3 S:12 High
Target Score: L:4 I:2 Low
Date added to register: 28/02/2012
Risk Trend:
Risk Appetite: Cautious
Risk Owner: Head of SS
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Departmental oversight of BSF Fortnightly departmental meetings
Monthly AD forum
Monthly Finance AD forum
Monthly HR AD forum
Quarterly regional orgs customer forum
BSTP programme board
SEHSCT migration complete
Departmental oversight of BSF
Monitoring of service delivery against KPIs
ABS briefing to SMT group July 2017
WHSCT migration
October 2017
Execute BSF workplan
March 2018
FPL upgrade Oct 2017
WHSCT deployment of eRec was completed March 2016. Migration plan for WHSCT was agreed April 2017 and is now operational with a target completion date of October 2017. Implementation of FPL Version 5 has been deferred, following a readiness assessment which took place on 31st May 2017. Target date has changed from September 2017 to October 2017. The migration plan for WHSCT and implementation of FPL Version 5 are progressing on track.

Strategic Objective: To Deliver Value for Money Services to our Customers

Risk:4. HSC restructuring leads to a reduced level of SLA income from HSCB who are currently our largest customers. If HSCB functions are split across a range of organisations there is a risk to the stability of this income source, and therefore BSO’s ability to effectively deliver the services
Risk Score: L:3 I:4 S:12 High
Target Score: L:2 I:2 S:4 Low
Date added to register: 9/12/2015
Risk Trend:
Risk Appetite: Open
Risk Owner: CEx
Risk Category: Financial

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
CX is a member of Transformation Implementation Group (TIG) which is a mechanism for delivering HSC re-organisation.
Monitor proposals for potential impact on BSO
SLA/ funding realignment to be identified and progressed following clarity on redistribution of services.
December 2017
TIG continues to be advised of developments. No specific impacts on BSO identified at this stage. CSO CX has engaged with DoH around proposed changes to eHealth. Board received verbal update June 2017. TIG is expecting a draft paper on HSB realignment by end September. Awaiting decisions around where services will be re-distributed to, in order to assess the impact on SLA arrangements. Ministerial Statement signaling that people/services will transfer without loss of jobs is encouraging in the context of BSO income.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:5. Failure of key ITS Applications & Infrastructure impacting delivery of Critical Services to Customers and resulting in reputational damage for BSO and our customers.
Risk Score: L:3 I:4 S:12 High
Target Score: L:2 I:3 S:6 Medium
Date added to register: 28/02/2012
Risk Trend:
Risk Appetite: Cautious
Risk Owner: Dir of CCP
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Security Procedures; Testing of Business Continuity Plan; Change Control Process; Testing and planning associated with significant change.
Engagement of professional report (Gartner).
Actions from Gartner report completed
A full Disaster Recovery (DR) test was completed in May 2015, May 2016 and March 2017.
Internal Audit (E) External Audit (E) SMT Review of ICT Programme (I) Systems Risk Assessment (I)
Go live of new data centre facilities
August 2016 – March 2019
A further desktop DR/BC exercise was completed in March 2017 and a ‘lessons learned’ review was completed May 2017.
Data Centre migration is on track to complete slightly ahead of schedule
A costed proposal for enhanced out of hours support for BSO supported systems was submitted to the eHealth Strategic Programme board on the 15th September. HSCB EHealth director to take decision on way forward.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:6. Benefits of the new FPPS system fail to be realised due to:
(i) Contractors declining to use the web based portal, leading to an inability to reduce staff numbers in accordance with plan
(ii) Required system fixes for defects and/or change controls not being applied, leading to an inability to reduce staff numbers in accordance with plan;
Risk Score: L:2 I:3 S:6 Medium
Target Score: L:1 I:3 S:3 Low
Date added to register: 17/06/2015
Risk Trend:
Risk Appetite:
Risk Owner: Dir of Ops
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Operational and service review group to manage prioritisation and execution of fixes and change controls. HSCB encouragement of contractors use of portal at project board.
Prioritised change list has been presented to ITS and is subject to weekly service review by FPS and ITS – final pharmacy portal infras delivered to FPS for testing
Dental Payment Systems Road Shows (Feb – April 2017) – FPS provide training on Dental Payment System Portal.
FPS project board (benefits realisation) will monitor the progress and consider means of increasing uptake if necessary
Quarterly report to SMT on use of portal
FPPS post project evaluation report March 2017
Reduction of staff in line with benefits realisation plan
Dir of Ops
June 2017
FPS to develop an interim contingency plan to resource system impacts in the event of contractors not using the portal.
Majority of benefits have been realised as per the FPPS post project evaluation report.
GMS Payment Portal - 99% of practices have submitted at least one Enhanced Service Claim through the GMS payment Portal for the month of March 2017
FPPS Pharmacy Portal – V1 of the pharmacy portal is LIVE, three early adopter sites trialled the portal in April / May 2017.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:7.
Fail to implement robust information governance process and adapt to new GDPR regulations.
Risk Score: L:2 I:3 S:6 Medium
Target Score: L:2 I:2 S:4
Date added to register: c.2010
Risk Trend:
Risk Appetite: Minimalist
Risk Owner: Dir of HRCS
Risk Category: Compliance

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Policy & Procedures
Information Governance / Records Mgt
CA Standard
Audit Control
Risk Register/ Action Plans
IG policies in place.
IGMG to maintain and progress action plan sub-group established to review the new standard and compare with the current standard.
Audits of local record management policies
IG risk on all service risk registers
Training mechanisms in place
GDPR action plan in place
CAS Assessment - Records Management /ICT/Governance (I) & (E) Information Governance Group Report (I) Service Risk Reporting & Review (I) GAC Audit Control Review (I) other CA Standards Assessment (I) & (E) Mid-Year Assurance Statement / GS (I) GAC Report (I) CX Review of Dirs Objectives (I)
SIRO annual assurance letter to Permanent Secretary
Regular progress reports to SMT/Board regarding action plans (I)
IG update to Business Committee on a regular basis.
GDPR overview presented to Board Aug 17
Action plan being implemented and evidence gathered on ongoing basis. Regular progress reports to SMT.
March 2018
Ensure provision of the new GDPR regulations are suitably addressed.
Dir of HRCS
March 2018
Action plan update reported to SMT February 2017. Substantive compliance achieved in controls assurance standard 2016/17 (self-assessed). 2017/18 action plan in place. IGMG dropped frequency to monthly meetings.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:8.
Risk to Data Centres from unstable hospital power / environment may cause further outages.
Risk Score: L:4 I:5 S:20 Extreme
Target Score: L:2 I:5 S:10 High
Date added to register: 12/12/2012
Risk Trend:
Risk Appetite: Adverse
Risk Owner: Dir of CCP
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Security procedures
Business Continuity Plan.
SIB has appointed a Project Director for the Data Centres.
Surge Protectors have been installed and are operational.
Gartner sub-group to reconvene with revised remit to include strategic direction for transfer of data to 3rd data copy.
Board presentation on project Subscription to HP Mobile Data Centre solution has been implemented on a 2 year contract. A full recovery test from third site copy has been completed and a repeat test was successfully carried out on 19 May 2016. Contracts for 2 Tier 3 Data Centres have been signed. The centres were acquired August 2016.
Gartner technical work streams.
An SLA has been agreed with BHSCT Estates for support of the regional data centre.
Disaster Recovery Plan
Review of all other elements of SLA to be carried out.
The plan for technical set up is agreed and the migration project has commenced. Migration due to be completed March 2019. Phase 1 of the move to the new data centres is complete (provision of new data centres) and phase 2 is underway (migration). Data Centre migration is currently on track to complete slightly ahead of schedule.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:9. There is a risk that delays in the recruitment and selection process leads to failure to meet performance targets and significant reputational damage.
Risk Score: L:2 I:4 S:8 Medium
Target Score: L:2 I:3 S:6 Medium
Date added to register: 16/03/2016
Risk Trend:
Risk Appetite: Cautious
Risk Owner: Head of SS
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Recovery team established Review of processes, systems and organisational structures completed
Delivery of full stabilisation plan
Task and finish group concluded Senior HR resourcing syndicate established April 2017 and workstreams identified
Formal closure report submitted to SMT September 2017
Weekly reports of progress against recovery plan to SMT and BSTP programme board.
Reports also sent to BSF AD forum and the regional Directors forum chaired by Michael McBride.
Approval of project closure by Board
September 2017
Task and Finish Group concluded 1st June 2017. Closure report delayed to 30 August 2017 due to annual leave. HSC project to lead on end to end process commenced April 2017. BSO are leading a Standardization work stream.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:10. Inability to complete the Guaranteed Minimum Payment reconciliation exercise due to limited resources results in a reputational impact on the BSO
Risk Score: L:2 I:3 S:6 Medium
Target Score: L:1 I:2 S:Low
Date added to register: 30/11/2016
Risk Trend:
Risk Appetite: Cautious
Risk Owner: Dir of Ops
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Letter sent to the DoH August 2016 requesting funding.
Issue raised at Ground Clearing meeting Nov 2016.
Initial matching analysis completed
Issue raised at ground clearing and at a meeting with Dept and DoF in April 2017. Raised at Ground clearing meeting May 2017.
Raised with Pension Board April 2017
Report to SMT completed 3rd May.
Continue to seek response from the Department
An agreement has been reached with DoH that BSO will continue this exercise and assume RRL funding in the interim, until the 2017/18 budget position is confirmed.
This work is progressing, as agreed between DoH and BSO. The source of additional RRL funding required is currently being finalised between BSO and the Department.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:11. Issues with the Family Practitioner Payment System (FPPS) may lead to inaccurate payments resulting in financial and reputational implications
Risk Score: L:4 I:4 S:16 High
Target Score: L:2 I:4 S:High
Date added to register: 23/03/2017
Risk Trend:
Risk Appetite: Cautious
Risk Owner: Dir of Ops
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
FPS identification and resolution of system defects and enhancements is carried out through the joint Operational Service Group & Service Review Group.
Prioritised change list has been agreed between FPS and ITS and is subject to weekly service review. Stabilisation Plan to address outstanding issues has been developed.
Consistency checks on payments issued Phase one (and End of year enhancements) complete
Weekly reports to Assistant Director of FPS Regular ITS and FPS meetings
ITS to provide FPS with regular reports – FPPS Systems Delivery Report for Operational Service Review Group.
Phase 2 of agreed stabilisation plan
September 2017
Internal Audit to carry out audit December 2017
Stabilisation will be completed by end of September 2017 – 82 items in scope. Stand-alone work-package on Dental Automation is in UAT after further minor development amendments.

Strategic Objective: To Pursue and Deliver Excellence through Continuous Improvement

Risk:12.
BSO is unable to deliver a payroll service due to performance of HRPTS managed service leading to reputational damage
Risk Score: L:2 I:4 S:8 Medium
Target Score: L:2 I:4 S:8 Medium
Date added to register: 23/03/2017
Risk Trend:
Risk Appetite: Minimalist
Risk Owner: Head of SS
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
ITS and HCL both have early alert mechanisms in place
Monthly service delivery reviews with HCL
Remediation plan in place and being monitored by ITS
HCL Axon resolution plan phase one and two complete
Monthly service review meetings continue and progress against the Performance Improvement Plan is being tracked.
Updates provided to SMT by HCL
Monthly service delivery review meetings with supplier
Monthly report to ITS and HoSS
HCL Axon resolution plan and contingencies in response to a lack of HRPTS service availability
Phase 3 - September 2017
Options paper to be shared with BSF
November 2017
Final Phase 3 is on track for September 2017.
In addition, a potential future proof solution is being developed. This involves HCL Axon delivering to a proposal for investment in the infrastructure that will maintain stability for the lifetime of the contract.

Strategic Objective: To pursue and deliver excellence through continuous improvement

Risk 13: There is a risk that Payroll Shared Services will fail to achieve satisfactory audit assurance due to on-going pressures in delivering service which could lead to reputational damage.
Risk Score: L:4 I:4 S:16 High
Target Score: L:2 I:2 S:4
Date added to register: 23/05/17
Risk Trend:
Risk Appetite: Minimalist
Risk Owner: Head of SS
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
BSO SMT Update
Project Board Reporting
Audit Assurance Reporting
Customer Performance Reports
Financial Assurance Reporting
Terms of Reference for Customer Advisory Board (CAB) agreed
Project plan
BSO Internal Audit
Customer Performance Reports (KPIS)
BSO SMT bi-monthly report
Monthly report to CAB
Identify resource to coordinate the structure/management review
October 2017
Three work streams have been identified with an overall project action plan in place – structure /management review; quality review; HCL remediation review. Project manager and plan in place for quality review
Resources have been identified within the trusts to populate the project team
Internal Audit has commenced follow-up to the year-end audit report at the end of August 2017.
All other on-going sources of assurance have been provided on time

Strategic Objective: To pursue and deliver excellence through continuous improvement

Risk 14: The increasing levels of sophistication used in cyber-attacks along with the widespread access to capability to develop and deploy exploits as zero day attacks mean that the current levels of investment, resourcing and the processes used in cybersecurity are insufficient to manage the increasing level of threat and the potential impact of cyber-attacks.
The impact is the potential loss of critical infrastructure, data and ICT services which support critical operational clinical and business services leading to widespread disruption to those services across all HSC organizations as well as reputational damage to BSO and the wider HSC.
Risk Score: L:5 I:5 S:20 Extreme
Target Score: L:3 I:3
Date added to register: 28/06/17
Risk Trend:
Risk Appetite: Minimalist
Risk Owner: Dir of CCP
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Internal audit cybersecurity baseline audit
Penetration testing
Business continuity testing
BSO cybersecurity programme
Emergency business case approved for funding by DoH to address identified gaps in this current Financial year e.g. Sophos InterceptX, Sandstorm, PKI.
August 2017.
Internal Audit
Approval and resourcing of the 3 year programme and the ongoing enhanced levels of service.
Availability of ITS cover outside of commissioned hours to restore systems in event of an attack.
March 2018
BSO Board kept apprised by Dir CCP (ITS)
A costed proposal for extended ITS cover for BSO supported systems has been submitted to HSCB E health strategic programme board. Further actions to be agreed. Elements of the Emergency Business Case have been partially approved to take forward.
The initial tranche of software has been purchased.

Strategic Objective: To Enhance the Contribution and Development of our People

Risk: 15.
BSO current skill mix does not meet future business needs.
Risk Score: L:2 I:3 S:6 Medium
Target Score: L:2 I:2 S:4 Low
Date added to register: c.2010
Risk Trend:
Risk Appetite: Open
Risk Owner: Dir of HRCS
Risk Category: Operational

Controls | Sources of Assurance | Identified gaps and actions needed (including end date and responsible officer) | Comment
Job Description/Personal Specification
Staff Survey
Review PaLS Skills gaps.
Staff development / strong commitment to training.
Workforce Plan for ITS has been completed
Action plans in place for Shared Services alongside Corporate action plan.
Outcome of HSC Staff Survey (E) Customer Surveys (E) SMT/Board Review of Surveys (I) Staff Appraisal - PDPs (I) CX Review of Dirs Objectives (I)
A Sub-group has been established to consider a range of issues in PaLS including workforce issues.
Business Case skills.
Moving Forward Programme launched. Re-accreditation of IIP complete
New People strategy
Dir of HRCS
September 2017
Workforce strategy was submitted to Business and Development Committee June 2017 and a final draft will be submitted to Board for approval September 2017. Discussions underway with Directors in respect of strategic work plans for the next 3 years.
Workforce Planning ongoing in a number of Directorates. Scoping the direction of several Service Areas on behalf of DoH.
PaLS workforce plan has been drafted. Further work to identify recruitment issues.
Profiling with directorates regarding skills requirements is underway.
The outcomes will feed into the appraisal and PDP process and drafting the annual BSO training plan for 2017/18.

BSO Corporate Risk Score Matrix

Impact \ Likelihood | 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost certain
5 Catastrophic | | | | 8 | 14
4 Major | 2 | 9,12 | 4,5 | 1,11,13 |
3 Moderate | | 6,7,10,15 | | 3 |
2 Minor | | | | |
1 Insignificant | | | | |

[Risk appetite line]

*Risk Classification / Numbers
LOW: 1
MEDIUM: 6 Risks
HIGH: 6 Risks
EXTREME: 2 Risks
*in accordance with AS/NZS 4360:2004 guidance

Risk Appetite Matrix

This matrix should be used as guidance for assessing risk appetite in conjunction with the Risk Appetite Statement

Adverse: Avoidance of risk and uncertainty is a key Organisational objective
Minimalist: Preference for ultra-safe business delivery options that have a low degree of inherent risk and only have a potential for limited reward.
Cautious: Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward.
Open: Willing to consider all potential delivery options and choose the one that is most likely to result in successful delivery while also providing an acceptable level of reward (and value for money etc.).
Hungry: Eager to be innovative and to choose options offering potentially higher business rewards (despite greater inherent risk).

Reputation
Adverse: Minimal tolerance for any decisions that could lead to scrutiny of the Organisation, HSC, Government or the Department.
Minimalist: Tolerance for risk taking limited to those events where there is no chance of any significant repercussion for the Organisation, HSC, Government or the Department.
Cautious: Tolerance for risk taking limited to those events where there is little chance of any significant repercussion for the Organisation, HSC, Government or the Department should there be a failure.
Open: Appetite to take decisions with potential to expose the Organisation, HSC, Government or the Department to additional scrutiny but only where appropriate steps have been taken to minimise any exposure.
Hungry: Appetite to take decisions that are likely to bring scrutiny of the Organisation, HSC, Government or the Department but where potential benefits outweigh the risks.

Operational
Adverse: Defensive approach to objectives – aim to maintain or protect, rather than to create or innovate. Priority for tight management controls and oversight with limited devolved decision making authority. General avoidance of systems / technology developments.
Minimalist: Innovations always avoided unless essential. Decision making authority held by senior management. Only essential systems / technology developments to protect
Cautious: Tendency to stick to the status quo, innovations generally avoided unless necessary. Decision making authority generally held by senior management. Systems / technology developments limited to improvements to protection of current operations.
Open: Innovation supported, with demonstration of commensurate improvements in management control. Systems / technology developments considered to enable operational delivery. Responsibility for non-critical decisions may be devolved
Hungry: Innovation pursued – desire to ‘break the mould’ and challenge current working practices. New technologies viewed as a key enabler of operational delivery. High levels of devolved authority – management by trust rather than tight control.

Financial
Adverse: Avoidance of financial loss is a key objective. Only willing to accept the low cost option. Resources withdrawn from nonessential activities.
Minimalist: Only prepared to accept the possibility of very limited financial loss if essential. VfM is the primary concern.
Cautious: Prepared to accept the possibility of some limited financial loss. VfM still the primary concern but willing to also consider the benefits. Resources generally restricted to core operational targets.
Open: Prepared to invest for reward and minimise the possibility of financial loss by managing the risks to a tolerable level. Value and benefits considered (not just cheapest price). Resources allocated in order to capitalise on potential opportunities.
Hungry: Prepared to invest for the best possible reward and accept the possibility of financial loss (although controls may be in place). Resources allocated without firm guarantee of return – ‘investment capital’ type

Compliance
Adverse: Avoid anything which could be challenged, even unsuccessfully. Play safe.
Minimalist: Want to be very sure we would win any challenge.
Cautious: Limited tolerance for sticking our neck out. Want to be reasonably sure we would win any challenge.
Open: Challenge will be problematic but we are likely to win it and the gain will outweigh the adverse consequences.
Hungry: Chances of losing are high and consequences serious. But a win would be seen as a great coup.

Horizon Scanning

Political instability – including Programme for Government, lack of 2017/18 budget and change of Minister for Health.
Public Sector Shared Services HSC Restructuring
Impact of EU Exit – including cross-border implications, clinical research, currency fluctuations (in terms of procurement), workforce implications (in terms of BSO staffing and potential impacts on performance in shared services recruitment)
Clinical developments
Pace of IT developments
Changing stakeholder expectations and needs
Financial pressures

Appendix A

Archive Report of risks removed from Corporate Register 2017-2018

Risk Description | Risk Score (L, I, S, Rate) | Corporate Objective | Comment

Risk:5.
There is a risk that BSO will be unable to implement the Social Care Procurement project resulting in slippage in procurement programme to address the new light-touch regime detailed in regulations 74-77 of the Public Contracts Regulations 2015
Risk Score: L:3 I:4 S:12 High
Corporate Objective: To Grow our Services and Customer Base
Comment: Risks to the project are currently recorded on a project risk register and an escalation mechanism is in place via the project board and the regional procurement board. There are currently no risks associated with the project which need to be escalated to SMT/Board.

Archive Report of Completed Risk Actions 2017-18

Risk No / Description | Corporate Objective | Actions Completed

Risk: 1. Levels of savings in the overall environment for HSC are so great that BSO service provision to customers are negatively affected and/or we fail to breakeven. The Leadership Centre may be particularly affected by a reduced level of client income e.g. HSCB
Corporate Objective: To Deliver value for money services to our customers
Actions Completed:
Develop 2017/18 service offering
March 2017
SLA costings
April 2017

Risk:2. Inability to prove quality, productivity and VFM, and show that we are competitive and addressing customer expectations.
Corporate Objective: To Deliver value for money services to our customers
Actions Completed:
2016/17 customer surveys
Reported to SMT on 18th January 2017, Board March 2017 and Business and Development Committee April 2017.
2017/18 SLAs issued

Risk:3. Risk of not achieving the agreed Shared Services business case outcomes for HR and Finance systems leading to financial and reputational damage.
Corporate Objective: To Deliver value for money services to our customers
Actions Completed:
NIAS migration – went live 22nd May 2017

Risk:4. HSC restructuring leads to a reduced level of SLA income from HSCB who are currently our largest customers.
If HSCB functions are split across a range of organisations there is a risk to the stability of this income source, and therefore BSO’s ability to effectively deliver the services
Corporate Objective: To Deliver value for money services to our customers
Actions Completed:
Engage as early as possible to identify to which organisation(s) current HSCB services will transfer to.
March 2018
Archived and replaced with more appropriate action as the process has changed with the launch of TIG.

Risk:5. There is a risk that BSO will be unable to implement the Social Care Procurement project resulting in slippage in procurement programme to address the new light-touch regime detailed in regulations 74-77 of the Public Contracts Regulations 2015
Corporate Objective: To Grow our services and customer base
Actions Completed:
Complete works on accommodation
March 2017

Risk:6. Benefits of the new FPPS system fail to be realised due to:
(i) Contractors declining to use the web based portal, leading to an inability to reduce staff numbers in accordance with plan
(ii) Required system fixes for defects and/or change controls not being applied, leading to an inability to reduce staff numbers in accordance with plan
Corporate Objective: To Pursue and Deliver Excellence through Continuous Improvement
Actions Completed:
FPS has planned training events for Dentists and will use roadshows and other meetings with contractor and their representatives to promote the benefits to contractor of using the portal;
March 2017

Risk:7. Failure of key ITS Applications & Infrastructure impacting delivery of Critical Services to Customers and resulting in reputational damage for BSO and our customers.
Corporate Objective: To Pursue and Deliver Excellence through Continuous Improvement
Actions Completed:
Ensure regular update on Data Protection and refresher training is available.
March 2017
A further desktop DR/BC exercise is planned for later in 2016/2017.
March 2017

Risk: 8.
There is a risk that delays in the recruitment and selection process leads to failure to meet performance targets and significant reputational damageTo Pursue and Deliver Excellence through Continuous ImprovementFormal closure report submitted to SMT September 2017Risk 10. Issues with the Family Practitioner Payment System (FPPS) may lead to inaccurate payments resulting in financial and reputational implicationsTo Pursue and Deliver Excellence through Continuous ImprovementPhase 1 of agreed stabilisation planRemaining End of Year fixes to be delivered by June 2017 – end of year enhancements complete – 41 in total. Risk:12. BSO is unable to deliver a payroll service due to unavailability of HRPTS managed service leading to reputational damageTo Pursue and Deliver Excellence through Continuous ImprovementHCL Axon resolution plan phase one and two completeSchedule HCL update to SMT – update paper provided 6th June 2017.Risk 13:There is a risk that Payroll Shared Services will fail to achieve satisfactory audit assurance due to on-going pressures in delivering service which could lead to reputational damage. To Pursue and Deliver Excellence through Continuous ImprovementTerms of Reference (DoF BSO) May 2017 - agreedProject Plan (HoSS BSO) May 2017 – draftedIdentify external resource to complete structure and management review (DoF BSO) August 2017 - It has been agreed in August 2017 that BSO will complete the review with external assurance.Risk 14:The increasing levels of sophistication used in cyber-attacks along the widespread access to capability to develop and deploy exploits as zero day attacks mean that the current levels of investment, resourcing and the processes used in cybersecurity are insufficient to manage the increasing level of threat and the potential impact of cyber-attacks. 
The impact is the potential loss of critical infrastructure, data and ICT services which support critical operational clinical and business services leading to widespread disruption to those services across all HSC organizations as well as reputational damage to BSO and the wider HSC.To Pursue and Deliver Excellence through Continuous ImprovementBSO cybersecurity programme – now in placeEmergency business case approved for funding by DoH to address identified gaps in this current Financial year e.g. Sophos InterceptX, Sandstorm, PKI.August 2017. ................