System risk in Staffordshire and Stoke-on-Trent

The Staffordshire and Stoke-on-Trent (SSoT) integrated care system (ICS) is responsible for delivering health and care services to around 1.1 million people across an area that brings together 10 local government councils (two county and eight district or borough), six clinical commissioning groups, two major acute hospital trusts, 25 primary care networks, 145 GP practices, two mental health trusts, 331 care homes, one community trust, one ambulance trust, two voluntary sector networks and two health and wellbeing boards.

The team responsible for building a coherent system of governance to align this disparate collection of organisations was led by Sally Young, who was, until her recent retirement, SSoT Director of Corporate Governance. The other key players are Paul Winter, Associate Director of Corporate Governance and the data protection officer for the SSoT integrated care board (ICB); Claire Cotton, Associate Director of Governance for the University Hospitals of North Midlands (UHNM); and Rob Grant, Associate Director of Safety, Risk and Compliance with Midlands Partnership NHS Foundation Trust (MPFT).

The first job for the team was getting to know each other. Sally says: “Until two years ago, I had only met Claire once. I've been working in the CCG in Staffordshire since before the CCGs came into to being, and I met Rob as a result of doing this, but I was involved, as was Paul, in doing the transition arrangements from CCGs into the new ICB.

“One of the things that quickly became apparent was that it would be good to get a network together, so we did, with our system partners, calling it the governance network to start with. It was based on all the documentation we had to create to initially set up the ICB – and there was a lot of it.”

The three main NHS system partners are UHNM, MPFT and North Staffordshire Combined Healthcare NHS Trust. There’s also University Hospitals of Derby and Burton (UHDB) which sits just outside the system border but was included because system partners have a lot of patients at the Burton Hospital between them.

After spending some time working through the development of a constitution, policies, terms of reference, and schemes of delegation, Sally says the group sought a bigger challenge. She says: “We got to August after the ICB had formed and we thought ‘let's take a big issue and see what we can do together’. We chose to go with risk management and the board assurance framework (BAF).”

Teething issues

One of the first hurdles was ironing out the anomalies in the way they worked – even in the words they used to describe that work. Sally says: “We started with the sense-checking bit. Do we even use the same language for things? Claire and Rob both spoke differently about what they did and how they did it.”

Paul Winter offers an example: “In our CCG environment we often confused and conflated risks and issues, which was something Claire and Rob were very clear on. We very quickly got to grips with the fundamentals, which made life a bit easier when talking to our ex-commissioning colleagues who got a bit confused about the difference between the two, even though we're all risk managers at heart.”

Claire Cotton says: “One of the things that Rob and I came together on was the way in which we'd worked with our organisations in describing risks and formulating risk descriptions. So Rob and I used a similar approach, where we break it down into an ‘if… then… resulting in…’ type description, which many organisations will be familiar with. And that wasn't something that the CCG had used previously.

“The risk register that had almost been inherited by the CCG was a bit of a mishmash, in terms of risk descriptions. It was really beneficial to agree how we were going to word our risks. We did a piece of work where we challenged one another to redescribe the risks on the risk register and that’s been adopted by the ICB. I think just being able to have that similarity of language got us onto the same page quite quickly.”

Rob Grant says coming to terms with these cultural and language differences required openness and collaboration. He says: “Part of it was coming together, not being defensive and really supporting each other to just chew over the differences to create a common language. We also had to recognise that moving from provider and organisational board assurance up to a system approach was about understanding that everything is in layers within your organisation, then building up those layers into the system. Some of the things that you might have as strategic risks in a provider organisation are pretty small fry when you get to the system, whereas others are much bigger. So it was about trying to understand how those two things interplayed, so that what happens within system board assurance made sense to the system rather than each of its parts, and how we layered that up.

“It was a mutual journey of learning for all of us in terms of testing both our board assurance processes within the organisations that we work for and building that up to a system.”

Ambulance waiting times

Claire offers the example of ambulance waiting times to illustrate how risks might be assessed differently at different organisational levels. She says: “Obviously, ambulance delays are a massive issue nationally. And there were people within my own organisation saying that we needed a specific risk on the board assurance framework about ambulances, responding to the national pressure that all NHS boards are under to address this issue. But we pushed back, saying that actually ambulances are just one element of a broader strategic risk around capacity and flow through the organisation and the work that we're doing in relation to ambulance holds is one of the control mechanisms to support that broader strategic risk. I know at ICB level there were similar conversations. Eventually we got to a place where we were able to reference ambulance holds but it wasn't the strategic risk itself – it was a product of a broader strategic problem.”

Rob continues: “That mapping process helped us to understand which risks would be strategically significant for a system. Part of that was recognising that those strategic risks – risks that affect your chances of delivering your objectives – are long- and medium-term rather than those quick operational risks we talk about. Our task was to move the system culture away from being reactive more towards looking at the longer-term planning and strategic work that takes time and planning and controls to manage.

“That was the cultural journey we were trying to embark on ourselves, and encouraging our system colleagues and the board to do the same. People were easily distracted back to big, meaty issues that preoccupied them at the time. But it's about trying to bring it back to that strategic conversation about the wider determinants of health, inequalities and other things that are so important within a system context.”

Sally feels there’s been a breakthrough in focusing on the right things. She says: “We had a conversation with our NEDs because previously, we'd been taking our risk register and our BAF to the board and every time the BAF wasn't getting attention, the risk register was. Everybody was piling into a huge maul, wrestling with the detail of it and our NEDs said: ‘actually we don't want the risk register at strategic level’. That's been really helpful.”

Eight strategic risks

One of the ways the team moved things on was by encouraging the integrated care board to identify eight strategic risks, which were then used to agree a framework for the 2023/24 BAF. The eight risks were informed by the risks identified at an organisational level and they’re not set in stone, but they helped the ICB to focus their thinking.

Claire says: “I have used this approach for a number of years now and it was useful to be able to present ours to the ICB, during the conversation we had around agreeing theirs, as food for thought. It makes the whole thing a two-way process, where what's happening on the ground influences the ICB strategy and vice versa.”

Sally says it was no small achievement to identify the eight strategic risks. She says: “Claire came along to do a presentation to our execs. She had just 45 minutes to get these eight strategic objectives out of them – it was originally an hour and a half, but the agenda was pinched and pushed – but my gosh she pushed them hard!

“Claire coming in was really useful. With her long history of doing board risk at UHNM, she was able to be really challenging with my execs, which she did in a really good, positive way. She was cheeky, she pushed a bit, she went a bit further and a bit harder than someone working in the organisation would be able to.”

Another breakthrough was achieved in the early stages of working together, when the team jointly developed a risk management strategy and signed up to a risk appetite statement that is used across the system. Sally says: “We know that risk appetite is one of those areas that some are not as comfortable with as others. And I think we'll probably look to refine the strategy and statement as we go forward and really start to gauge people's understanding of appetite tolerance. But we've now got a starting point – that important building block is there in our risk management strategy.”

Sharing learning

Turning to some of the lessons learned, Claire points to the way the team have adapted the three lines of defence model that will be familiar to any organisational risk specialist. She says: “We've done some thinking around what the three lines model might look like at a system level, with a view to utilising existing assurances, because we find ourselves in this new landscape of systems and anyone working in a provider organisation will feel the frustration at times at being asked for different things for different meetings. So we've applied the three lines model at a system level whereby the system BAF as a first line of assurance is available from our providers, so we're not asking for different information.

“The first line of defence is what’s available and used as a source of assurance at provider level, then the second line of defence is at the system level. An example might be that we all have our own financial plans as provider organisations and that is a source of assurance. But collectively as a system we've done a lot of good work around the development of a system financial strategy. The third line of defence is unchanged – it’s that assurance is available from external sources such as regulators.

“We've presented this as a concept initially to the ICB and it's made some pennies drop in terms of how they might start to build on that and start to use existing assurances from our providers as that first line. We're hoping this is going to be really useful and something that we'd look to share if it works well.”

Another point of learning has been around a system of process bells the team introduced. Claire says: “When we talk about risk, there are two parts of the conversation that I like to drive. There’s an ‘are we managing the risk in line with our policy?’ conversation. But then there's also the detail of the specific risk. But risk registers are ugly documents to look at, aren't they? There's a lot of information in an Excel spreadsheet. It tends to be dependent on how you've exported it, and it's very difficult to you understand. So, to drive the process element of the conversation, we've introduced a system of alarm bells.

“The first bell is triggered if a risk score hasn't changed in six months. Another will flag if actions haven't been identified, because that was a common problem – people putting something on the risk register, but failing to add any future actions. And the third trigger is when a risk has not been reviewed in line with policy, so it’s sat on the risk register for X months and nobody's even looked at it.

“So now, as well as having the detail, we frame a report that draws people's attention to: you've got this on the risk register, but you haven't identified any actions against it, or you've got this on the risk register, but you’re telling me that you've done all of this stuff, so why hasn't that changed the consequence or likelihood and therefore impacted on your score? Or finally, you've got this on the risk register, but you're not doing anything about it because you've not got any actions in. It’s worked really well for us here at UHNM and we're introducing it to ICB level as well for the risk register. Just to summarise it and focus attention a bit more on managing risks rather than just presenting a risk register.”

Rob adds: “If you're identifying that a risk hasn't changed for a period of time, this helps to prompt that risk appetite and tolerance conversation, where we ask: ‘Are we happy to tolerate a risk staying at the current level for a period of time? Are some of the controls out with our controllers and organisation and therefore do we keep it on the risk register, or do we recognise that we've got to accept that risk because it's outside our control?’ It all helps people to understand appetite and tolerance in a practical, working way.”

Paul sets out another challenge the system team faced: “We were starting out as a new organisation with certain documentation that was required as part of the establishment process, but we didn’t yet have something like an integrated care strategy as the big ‘why are we here and what have we got to address?’ document, which hamstrung us a bit in terms of generating aligned strategic objectives.

“That was a year-one problem that was probably to be expected given where we were. We addressed it by purposefully developing some simpler strategic objectives that were a bit more grandiose in nature by looking at the quadruple aims. That was very much the language everyone was using – they were coming together at board meetings and saying ‘okay, we've got these new quadruple aims – what are we doing about it?

“Now that we've done a lot of the substantive work on developing the integrated care strategy for the integrated care partnership, we're starting this 2023/24 year with eight objectives and risks that align to the emerging strategic imperatives of that document. So it's a lot easier to plot back on what we're doing and why. Why is this an issue? Why is this a risk? How does it link back to what are we here for? What's our core purpose?”

Rob adds: “Putting the BAF before the strategic plan might mean that you're almost artificially creating a BAF, but it gave us an opportunity to warm up those ICB execs to: ‘This is what a BAF looks and feels like; these are the ways that we need to consider tolerances and assurance’, and avoiding all the pitfalls of developing people so that they can use a BAF effectively. We got out of the way so that when we got to the point where we're creating the 2023/24 strategic objectives and the BAF, their knowledge was so much further ahead. That made it much easier to develop that product.”

Taking on the difficult conversations

Paul says the attitude of all system partners was also key. He says: “We also had a very early acceptance that we were going to not shy away from elephants in the room and difficult conversations. That could have been a challenge that would have held us back in doing a lot of the collaborative thinking and understanding. But we avoided it by being open and learning from each other – the show-and-tell, how are you doing this? Why do you do it like that? And genuinely learning from each other. That could have been a real challenge because people are sometimes not prepared to let go. It was great how quickly we put all that to one side.”

Reflecting on other lessons learned, Sally Young says: “Don't be precious about who does what. We all have the same aims and ambitions. Try and drop your frontiers around your own organisation and be honest and authentic. We knew we were all in the room to take things forward. We've talked about all sorts of really difficult stuff, but we can help ourselves with that and support each other through it.

“The other aspect where we had challenge was on the health inequalities risk. I think we were originally on a 20 there and the programme manager responsible for it dropped it to a 15 on the basis that we've got a strategy and we've had a few meetings. My NEDs hit the roof about that – just because you've got a strategy and you've been to a meeting it doesn't mean the person on the street is getting any better service. And we've had quite a hard battle about that because I understand the programme manager's point of view. They've only just started doing this piece of work; it's absolutely massive. And the fact that we've got a strategy signed off now it is great, but we've got to actually do something about it, haven't we? We’ve got to make it real.

“From that we've learnt that whatever's on our BAF needs to be smarter in some cases than it was last year, because it’s very difficult to measure progress if your objective is health inequalities because it's so big.”

Finally, Sally says there’s a lesson about what real collaboration means. She says: “We haven't always had full participation from our system partners. We've got one trust that's had some organisational change, and local authorities tend to dip in and out. But that doesn't matter. We've carried on anyway because we're working together rather than working as a provider coming to a meeting.

“We're not here to represent our organisations, we're here as a collective to do the same thing and do the right thing.”