NHS audit chairs forum: summary of key themes

18 December 2024

We were delighted to welcome guests to our NHS audit chairs forum from a range of NHS Integrated Care Boards (ICBs), Integrated Care Systems (ICSs) and Trusts. We would like to thank our panellists for their valuable insights. The session looked at how ICBs, individual health bodies and ICSs can thrive through closer working, improved risk management, and alignment of objectives and ambitions across each ICS.

Successful collaboration at the system and provider level

During the session, an example was shared of an approach to developing a system Board Assurance Framework (BAF) that looks at risk as a system rather than as individual organisations. 

Key steps included:

  • Establishment of a governance and risk network, bringing together governance leads across the system, including providers outside of the system, experts from the local authority, and organisations officially in neighbouring ICBs but active in that ICS. 
  • Development of governance structures and a risk management strategy, focusing on managing risk across the system and collaboratively developing a system-wide BAF.
  • Overhaul of the risk register: what constitutes a system or an organisational risk, how to describe that risk – a real focus on the causes and effects so that these could be more clearly managed.
  • System strategy based on the four main objectives of systems published nationally, helping organisations to work together towards a small set of strategic aims and focus on the causes and effects of the related risks. 

How were practical obstacles tackled?

  • Gained ICB buy-in for linking relevant executive leads to populate the system BAF document.
  • Undertook a strategic system risk mapping exercise: reviewing the strategic risks from organisations in the system, where they intersect and expected actions.
  • Focused on the effect of actions on the system BAF on the overall risk score: eg the risk score wouldn’t be reduced if the risk was on the BAF due to a gap in assurance that wasn’t going to change. 
  • Used bell icons to highlight risks on the register for the audit committee to focus on, redirecting committee questions from governance colleagues to risk owners. 
  • Introduced longer trajectories, assessing the level of current risk against the target to develop mitigating actions – the framework of assurances aligned with the business cycles. 
  • The ICB's role was facilitative, encouraging a culture of innovation for providers to find solutions. The energy from providers helped the ICB to drive changes forward; the system risk group was chaired by a provider and not the ICB.
  • Applied the three lines of assurance model at a system level, using existing sources of assurance available through existing mechanisms to avoid duplication.

Key themes from the NHS audit chairs forum

Balancing assurance over ICB-specific risks with system-wide risk management

For risks on the ICB, BAF mitigations were long-term and lacked short-term movement, leading to frustration where projects are long-term and depend on capital funding that the system may not control. To reduce ICB risks, the ICB chose to look at a broader set of risks rather than a pure BAF due to the inability to influence mitigations which were dependent on individual providers.

It is also important not to forget risks linked to primary care, place and borough level, and with local authorities. The aim is to get providers to buy into the solution, sharing risks, how they can help each other and reduce each other's risks. Sharing information between providers requires trust to be built over time; establishing a governance and risk network can help.

Supporting system working: the role of ICBs

ICBs should facilitate and provide an environment whereby system-wide conversations can take place. Removing some of the hierarchical barriers and creating a shared space is essential.

The ICB has a unique role in bringing together organisations and directing meetings to support system working. Regional audit chairs' meetings can be useful to share risks, progress and develop collaboration at a non-executive director (NED) level.

Supporting ICBs in system working: the role of providers

As ICBs plan for future healthcare needs and how to deal with associated risks, they should create opportunities for providers to collaborate and develop solutions with mutual accountability. 

What does success look like for system working over the next 12-18 months?

Success in the next 12-18 months would involve breaking down more system barriers. There is an opportunity for governance and risk owners in individual organisations to collaborate, using and understanding the language of system risk and how they can work together.

With the four main principles of the ICB system agreed, the 12-18 month aim is to break this down into responsibilities for organisations in the system to achieve incremental improvements on the four principles. Clarity is needed on roles where there are blurred lines to avoid confusion. Adopting ‘system first’ as a principle enables the system to focus on its deliverables and allows organisations to focus on their own deliverables.

The following key challenges were identified during the session:

  • Different stakeholders (ICBs, providers, NEDs, primary care) with conflicting views and objectives can impede cooperation. 
  • It's difficult to switch to being an open organisation sharing information with parties that have recently been competitors.
  • Commonly, BAFs risks are at a high level and not quantified, making it more difficult to focus on mitigating actions.
  • Capital funding is limited. Some funding can be outside of the system’s control.

The importance of the NED role

One ICB audit chair had supported presenting system risks/BAF at provider audit committees in the system. This helped to raise visibility of system risks and break down barriers. 

There is an important opportunity to focus on defining risks appropriately at the system level, identifying risk causes and mitigation, and understanding the impact of when things go wrong and the mitigating actions.

NEDs need to ensure the risks are clear on the factors that are controllable and understand those which sit outside of control – transparency again allows for focus on the right issues. 

Assurance mapping: the three lines of defence model

System assurance mapping (within and across organisations) starts with identifying provider risks, which frequently highlights common areas such as finance and workforce, or specific issues, for example around waiting lists, overcrowding, or hospital discharges. At RSM, our assurance mapping approach covers both the BAF and key business processes. Our three lines of defence model includes:

  • Line one: how are you managing this risk and what management information sources are being utilised? 
  • Line two: how are your committees getting internal assurance and how can you compare at that level?
  • Line three: what third-party external assurance are you bringing in?

This mapping process is overlaid with system risks. To gain understanding of who is best placed to give assurance and encourage risk ownership, we look at where information comes from, who owns the risk within the system, how it’s being managed, and what controls are in place. 

How we can help

At RSM, our specialist NHS team works with over 80 NHS ICBs and provider trust clients. Our experts are here to support you with developing your system assurance map, internal audit and controls, fraud risk, tax services and tax risk governance, technology and cyber risk, and transformation projects.

For further information, please contact Clive Makombera or Nick Atkinson.