Feature / Taking it on trust

Events such as those at Maidstone and Tunbridge and Mid Staffordshire can be seen as isolated incidents, but future governance failures in the NHS are likely to occur unless trusts up their game, argues the Audit Commission’s Andy McKeon

In October 2007, the Healthcare Commission published its investigation into outbreaks of clostridium difficile (C. difficile) at Maidstone and Tunbridge Wells NHS Trust in which 90 patient deaths were found to be ‘probably or definitely’ a result of the bacteria.

There was perhaps a view that this was a one-off event unlikely to be repeated. Recent Healthcare Commission reports of its investigations at Mid Staffordshire NHS Foundation Trust and Birmingham Children’s NHS Foundation Trust have disabused us of that comfortable notion. Boards of NHS trusts and foundation trusts need to be absolutely confident that their organisation is well run and providing safe and appropriate care.

The Maidstone and Tunbridge Wells report was one of the catalysts for the Audit Commission’s review of how boards of NHS trusts and foundation trusts get assurance that their systems of internal control are working effectively. The Audit Commission’s April report, Taking it on trust – a review of how boards of NHS trusts and foundation trusts get their assurance, highlights weaknesses that indicate future governance failures are likely to occur unless trusts improve their game and take a more systematic approach to managing key risks.

A mix of trusts

The report was based on a review of arrangements at 15 trusts, a mixture of NHS trusts and foundation trusts (collectively referred to as trusts in this article and the report). The trusts were chosen to represent a broad spectrum. At one end were those considered to be leaders in governance and risk management with well developed arrangements. At the other end were one or two known to have governance weaknesses.

The review focused on trusts’ governance structures, how they set and monitored progress on achieving their strategic objectives and how the risks to achieving those objectives were identified and managed.

Sources of assurance used by trusts to provide evidence that the controls in place to manage and mitigate the risks were operating effectively were reviewed. How these sources of assurance were identified and evaluated were also looked at, along with the quality of data used by trusts to monitor performance and support decision making.

NHS regulators increasingly rely on self-assessments by trusts and these too have been found lacking of late. The Healthcare Commission’s inspection of trusts’ self-declarations on complying with the Department of Health’s standards for better health have shown that trusts often declare themselves to be compliant when they are subsequently found not to be. This is another indicator that internal controls are not operating as they should.

So how do boards of NHS trusts assure themselves that they are making sound declarations based on robust evidence?

NHS trusts and foundation trusts are required to have in place board assurance frameworks that set out the trusts’ strategic objectives, the key risks to achieving the objectives, the controls in place to manage the risks and the assurances that the controls are working effectively and identify any gaps in assurance.

Trusts should also have plans to remove any gaps in controls or assurances. Although all the trusts visited had the structures and processes in place to do this, the way in which it was done and the rigour with which the processes were managed, varied enormously.

Some trusts had what appeared to be an unmanageable number of objectives and associated risks. Few had a clear and systematic approach to identifying risks and sources of assurance. Fewer still had a systematic approach to evaluating assurances, although a number were developing ways of doing this. In the worst cases it was a paperchase, done to satisfy governance conventions.

Work carried out by a trust’s internal auditors and its clinical audit function would be expected to provide prime sources of assurance. The review found that the use of internal audit as a source of assurance was variable and rarely focused on maximising the potential assurance that internal audit could provide. This was usually due to poor commissioning of internal audit, although internal audit providers do not always have the full range of skills available to them.

Clinical audit is carried out – to varying degrees and usually at considerable cost in terms of clinicians’ time – at all trusts. The work is usually focused on nationally determined priorities and areas selected locally by consultants. However, the extent to which it provides the board with assurance as to the quality of care provided by the trust was unclear at most of the trusts visited. Few non-executives seemed aware of the content of clinical audit programmes or the outcomes of clinical audit work.

A further concern was the quality of data produced by trusts, both for regulatory purposes and also to facilitate timely and effective decision making. Boards either assumed the data that the trusts produced was of good quality or, conversely, that the data was questionable or unreliable. Few had adopted a systematic approach to test the accuracy of their data or appeared to consider the implications of data quality when making key decisions. A separate briefing by the Audit Commission, entitled Figures you can trust, highlights these concerns. Important initiatives such as a more refined tariff and quality accounts are at risk of being undermined by poor data quality. The data quality briefing contains five tests that all boards should apply to their organisation.

We did find some good and innovative practice. One trust had developed a risk based clinical audit strategy with input from its internal auditors. Two trusts had developed systematic approaches to evaluate the quality of sources of assurance and one had developed assurance registers that enabled individual departments to identify potential sources of assurance resulting from visits by a wide range of inspecting bodies. Another trust had developed a comprehensive reporting system that linked its board assurance framework and performance report in a user-friendly way.

We have distilled the good practice into some case studies and checklists in the report that you may find helpful.

Leadership and an organisational culture that encourages and supports staff to identify potential risk and alerts management to concerns over patient and staff safety are vital. But they are not sufficient in themselves. Nor is process enough. Rigorous and intelligent application by sharp and questioning (but supportive) people is essential.

Even one of our expert advisers said that it was sometimes hard to stifle a yawn when governance was on the agenda. Getting your teeth into the latest mega-million capital project is so much more interesting.

But at its heart, board assurance is about giving confidence that the trust is providing safe and appropriate care in a safe environment for patients by staff who are properly trained, that it is meeting its legal and other duties, and that it is meeting its strategic objectives.

From the information we saw, very few board members of the trusts we visited could have that absolute hand-on-heart confidence. The disastrous consequences of not having a rigorous approach have become all too clear in the NHS and elsewhere – like banking.

As one non-executive director told the review team: ‘Boards need a sense of danger and a willingness to do something about it.’ Recent governance failures should have provided the sense of danger. It’s down to boards to do something about it.

To download a pdf of this article as it appeared in Healthcare Finance, click here