Annual governance report

The risk and control framework

The system of internal control is based on an ongoing risk management process designed to identify the principal risks to the achievement of the Trust’s objectives; to evaluate the nature and extent of those risks; and to manage them efficiently, effectively and economically.

The key elements of the risk management strategy are that:

• The Board agrees its risk appetite and sets and manages its tolerance levels toward key strategic risks within the Board Assurance Framework.
• Risk identification and management is a key trust wide responsibility.
• All staff accept the management of risks as one of their fundamental duties.
• All staff are committed to identifying and reducing risks.

This promotes a duty of candour in which there is transparency and openness where mistakes are made. Untoward incidents are identified quickly and dealt within a positive and responsive way and lessons learnt are communicated throughout the organisation and best practice adopted.

The Trust uses the ‘5 x 5’ matrix for risk quantification. Risks may be identified on an ongoing basis via:

• incident reporting p rocedures
• complaints
• claims
• freedom to speak up
• control audits
• risk assessments.

These processes are monitored to ensure that any risks are identified and acted upon in a timely manner. 

Risks that are assessed as low are managed through routine procedures. Moderate risks require specific management responsibility and action.  High risks require senior management attention. Extreme risks require immediate action and necessitate informing the Board of Directors.

Assurance on how effectively the risk management system is working is monitored through inspections – such as, environmental, infection control, security and workplace safety – and through health and safety and clinical governance activities, which include: 

• Display screen equipment awareness.
• Control of Substances Hazardous to Health (CoSHH) regulations.
• Awareness raising of the management of violence and aggression.
• Clinical risk assessment.
• Moving and handling training.
• Lone working.
• Record keeping audits.
• Incident reporting and reviews.
• Infection control including the COVID-19 infection prevention and control, board assurance framework.
• Safeguarding children and adults.
• Key equality legal requirements.
• Information governance.
• Health and safety, and fire inspections.

These all form part of the Trust’s induction programme for all new members of staff, training updates and individual training as a result of needs assessments. The Trust’s performance management framework includes the effective management of risk as a key element. The organisation undertakes equality impact assessments on all functions it carries out to ensure that service delivery and employment practices comply with legal requirements.

The Trust involves key stakeholders in the management of risks; these include:

• Service users and their carers.
• Members of the Trust and the general public through consultations.
• Council of Governors and foundation trust members.
• Health and social care commissioners through performance management of contracts.
• Staff and management joint consultative negotiation committee.
• Local negotiating committee for consultants.
• Health and safety committee.
• Lincolnshire health scrutiny and overview committee.
• NHS England / Improvement.
• Care Quality Commission (CQC).
• The Lincolnshire Resilience Forum.
• Other system providers in primary care, secondary care and the third sector.

The Board of Directors determines the strategic objectives of the Trust.  These are monitored by performance management through the Board’s committee structure. Strategic risks, which potentially threaten the achievement of strategic objectives, are identified and key controls put in place to manage these risks. The Board of Directors either directly or via its committees is provided with reports to enable it to monitor the effectiveness of each element of the assurance framework.

The Board of Directors considers the key controls in place to identify risks and assesses whether these are adequate.  Where gaps in controls have been identified, action plans are put in place to address any weaknesses.

Since February 2020 the Board of Directors has put in place, maintained and regularly updated extra-ordinary measures to manage the Trust’s response to, and support the whole community’s response to, the COVID-19 pandemic. 

These measures included the adoption of a command structure in line with the recognised best practices defined within the Civil Contingencies Act and related guidance. These measures included the use of the Emergency Powers set out within the Trust’s Constitution and standing orders. The normal governance processes were modified as and when necessary to address critical needs within the Trust and wider health and social care system, support social distancing and other government enforced restrictions.  Time was prioritised to enable officers of the Trust to focus on essential matters.  Records of deferred business have been kept to ensure control of the governance process is maintained.

The Board committee structures, and terms of reference are reviewed annually to maintain the provision of adequate assurance mechanisms. During 2020/21 the Board consulted on and significantly revised the Trust’s strategies which it has since implemented during 2021/22.  The committee structure was in turn reviewed and revised to reflect the Trust’s strategic priorities. 

The Trust uses external bodies to provide assurance, where necessary, and targets the internal audit programme at specific areas where a gap is identified and no other source of assurance is available. The Board of Directors recognises that this will and does result in a number of “limited assurance” reports which then enable robust action plans to be identified and implemented to produce improvements in control and assurance.

The Trust ensures a strong relationship is maintained between the assurance framework and risk register.

Sections of the Assurance Framework have been assigned to the committees of the Board to ensure that there is clear oversight of all areas. Where lack of assurance, or gaps in control are identified, these are escalated to the Board of Directors. The Audit Committee is responsible for maintaining an overview of the framework, and considers this document, and makes recommendations to the Board, at every meeting.

Throughout 2021/22 the Board of Directors has reviewed and approved its assurance framework each quarter to provide assurance that the risks to the strategic objectives are being managed.

The directors are required to satisfy themselves that the Trust’s annual quality report is fairly stated. In doing so the Trust has established a system of internal control to ensure that proper arrangements are in place. The Director of Nursing, AHPs and Quality leads and advises on all matters relating to the preparation of the Trust’s annual quality report. To ensure that the quality report presents a properly balanced view of clinical performance over the year, the Trust has an established Quality Committee that is accountable to the Board of Directors to provide scrutiny and challenge over Trust clinical performance.

The Trust has also held quarterly quality meetings with its main commissioner, and has shared the draft quality report with governors, commissioners and the Lincolnshire health scrutiny and overview committee and Healthwatch Lincolnshire for comment.

The Board of Directors receive safe staffing reports that is based on the Hirst staffing model with the subsequent application of clinical judgement. The reports describe the safe staffing levels required and achieved in accordance with the Developing Workforce Safeguards.  The reports enable the Board to receive assurance that safe and effective specialist mental health services staffing levels have been created, reviewed and sustained.

The Deputy Director of Nursing, AHPs and Quality leads a process to make the link between the decisions on staffing that the Board makes and the knowledge and expertise of the clinical teams within the divisions. The Trust applies the systematic approach set out in the Developing Workforce Safeguards for identifying the organisational, managerial and environmental factors that support safe staffing in order to ensure improved service user outcomes.

The top risks faced by the Trust in 2021/22 and going forward into 2022/23 are set out in the table below: 

Care Quality Commission (CQC)

In November and December 2018 the Care Quality Commission inspected four of the Trust’s core services and conducted a well-led review.  The Overall rating of the Trust remained Good, with a significant number of key lines of enquiry in each of the core services improving from Requires Improvement to Good.  The provision of safe services in every core service was rated as Good.  The Trust achieved an overall Outstanding rating for “well-led”. The Board of Directors approved and oversaw the completion of an action plan to address areas that were identified for further improvement.  

The CQC was very positive about the continuing strengthening of a positive culture and leadership within the Trust.  The evidence of significant, consecutive improvement from the last six years’ staff surveys supported this observation.

The CQC returned in March 2020 to carry out the inspection of one core service to be followed by a well-led review.  The core inspection of in-patient rehabilitation services occurred but due to the COVID-19 pandemic the well-led review was cancelled.  The Trust received the report on the core service visit in June 2020.  An action plan was produced, and its implementation has been overseen by the Quality Committee of the Board.  In 2021/22 part of the service inspected in June 2020 was temporally closed and an alternative model of service introduced to address areas that were identified as requiring improvement in the CQC’s “effective” domain.

The foundation trust is fully compliant with the registration requirements of the Care Quality Commission.

The foundation trust has published on its website an up-to-date register of interests, including gifts and hospitality, for decision-making staff (as defined by the trust with reference to the guidance) within the past twelve months as required by the “Managing Conflicts of Interest in the NHS” guidance.

As an employer with staff entitled to membership of the NHS Pension Scheme, control measures are in place to ensure all employer obligations contained within the Scheme regulations are complied with. This includes ensuring that deductions from salary, employer’s contributions and payments into the Scheme are in accordance with the Scheme rules, and that member Pension Scheme records are accurately updated in accordance with the timescales detailed in the Regulations.

Control measures are in place to ensure that all the organisation’s obligations under equality, diversity and human rights legislation are complied with.

The foundation trust has undertaken risk assessments and has plans in place which take account of the ‘Delivering a Net Zero Health Service’ report under the Greener NHS programme.  The Trust ensures that its obligations under the Climate Change Act and the Adaptation Reporting requirements are complied with.

ReReview of economy, efficiency and effectiveness of the use of resources

The Trust uses a range of key performance indicators (KPIs), which include non-financial measures, to manage its day to day business.  This approach helps to provide a comprehensive and balanced view of performance.  (More information about KPIs can be found in our Quality Report which will be separately published on the Trust’s website).

The Trust has in place a forward planning process that ensures the appropriate planning of services with commissioners and other key stakeholders prior to submission of effective and agreed forward plans to NHS England / Improvement.

A robust Cost Improvement Programme and Quality Impact Assessment process involving Commissioners and service user representation is in place.

During the year the Board of Directors has received regular integrated performance reports providing information on the economy, efficiency and effectiveness of the use of resources. The Board has engaged with NHS England / Improvement to develop and expand on the methodology for reporting with the adoption of statistical process control reporting enabling a more informed use of the data.  The Board has undertaken additional training in the use of data and reporting delivered by NHS Providers.

Internal Audit has reviewed the systems and processes in place during the year and published reports detailing the required actions within specific areas to ensure economy, efficiency and effectiveness of the use of resources is maintained.  The internal audit reports provide an assessment of assurance in these areas.  The Head of Internal Audit Opinion is included in the section below titled "Review of effectiveness".

Information Governance

The Trust commissions its Internal Audit Service Provider, Grant Thornton, to undertake annual audits of the evidence collated for its yearly online submission of evidence for the Data Security and Protection Toolkit (DSPT).

The DSPT is an online tool that enables organisations to measure their performance against data security and information governance requirements which reflect legal rules and Department of Health policy.

The toolkit provides a framework for assuring that organisations that have access to NHS patient information are implementing the 10 Data Security Standards clustered under three leadership obligations to meet their statutory obligations on data protection and data security.

• Leadership Obligation 1: People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles;
• Leadership Obligation 2: Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses; and
• Leadership Obligation 3: Technology: Ensure technology is secure and up-to-date.

These 10 Data Security Standards also incorporate evidence of compliance with General Data Protection Regulation (GDPR) and Data Protection Act 2018 requirements.

The Trust has achieved ‘Significant Assurance with some improvement required’ in the audit report from its internal auditors Grant Thornton for this year’s audit of the 2021/22 Data Security and Protection Toolkit (DSPT) evidence, in line with the Trust’s baseline self-assessment as at 31st March 2022. However it should be noted that in line with changes in deadlines made due to the COVID-19 pandemic the Trust is not yet due to undertake its final submission of the toolkit until 30 June 2022.

In 2020, in recognition of the effect the COVID pandemic was having on services, NHS Digital delayed the final submission of evidence for the annual Data Security and Protection Toolkit. This has remained the situation with submission now set and likely to remain at 30 June annually.

As at 28 April 2022 Grant Thornton have provided an assurance rating of low risk. Their conclusion reflects the fact that the final submission is not required until 30 June 2022. This allows sufficient time to complete the four actions which are outstanding but in progress and submit the evidence into the toolkit.   

All NHS Foundation Trusts must report any incidents of data security and data protection breaches on the DSPT and also in their respective annual reports. These incidents are classified in guidance provided by NHS Digital on Data Security and Protection Incidents.  Incidents of the Security of Network & Information Systems Regulations 2018 (NIS Regulations) breaches must also be reported on the DSPT. 

There have been two serious information governance breaches which required reporting to the Information Commissioners Office through the online data security protection toolkit. Both incidents related to confidentiality breaches. The incidents were investigated using route cause analysis internally within the Trust. The findings of the investigations were shared with the Information Commissioner as part of the wider scrutiny of the occurrences. Both cases were reviewed by the Information Commissioner who was satisfied with the actions taken by the Trust and the cases were closed without any formal action from the Commissioner.

The Director of Finance and Information has overall responsibility for:

• Information Governance (IG)
• Data Security
• Data Protection compliance

in his capacity as Senior Information Risk Owner (SIRO).

The Medical Director is the Caldicott Guardian, the senior member of Trust staff responsible for protecting the confidentiality of patient information and enabling appropriate patient information sharing.

The Board has been assured by the SIRO, in the bi-annual SIRO Report, that effective arrangements are in place to manage and control risks to information and data security.

The Trust had four Data Security and Protection incidents as defined the NHS Digital guidance. These incidents were reported to NHS Digital on the DSPT and were automatically reported via the DSPT to the Information Commissioner’s Office (ICO). The ICO did not identify the need to undertake any further investigation being satisfied that the Trust had put in relevant risk mitigations to manage these. Relevant IG communications have been shared across the Trust in order to learn lessons from these incidents including the development of a Social Media Policy.

The Trust continuously reviews its systems and procedures for the confidentiality, integrity and security of personal and confidential data. As a result of investigations into these incidents, and reviews of IG, Data Security and Records Incidents by Information Governance and Records Management Group (IG&RM Group), measures are taken to ensure the procedures and policies on Information Governance and Data Security are updated to enable compliance.

The Trust has systems and processes in place to govern access to confidential data and to ensure guidance and standards are followed when staff are using or accessing confidential data. Any new system or process is required to meet these standards as does any hardware (E.g., computers or software). All system developments whether new or existing need to follow a process and have a data protection impact assessment undertaken and be signed off by the DPO and SIRO to ensure they meet the required criteria and that hardware and software are compatible.

The Trust monitors its IG and Data Security risks through the IG & RM Group. Incidents and risks are managed in accordance with Trust policy. Serious IG, Records and Data Security risks are escalated through either IM&T Committee or more urgent ones through the Executive Team, Board of Directors, and on to NHS Digital, NHS England / Improvement, NHS England or the ICO when required.

During 2021/22 there were two serious information governance breaches which required reporting to the Information Commissioner’s Office through the online data security protection toolkit.   Both incidents related to confidentiality breaches.   The incidents were investigated using route cause analysis internally within the Trust and the findings of the investigations were shared with the Information Commissioner as part of the wider scrutiny of the occurrences.  Both cases were reviewed by the Information Commissioner who was satisfied with the actions taken by the Trust and the cases were closed without any formal action from the Commissioner. 

Lessons from information breaches are incorporated into data protection and cyber security training delivered to staff in mandatory induction and annual updates.

Review of effectiveness

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the work of the internal auditors, clinical audit and the executive managers and clinical leads within the NHS foundation trust. They have responsibility for the development and maintenance of the internal control framework. I have drawn on performance information available to me.

My review is also informed by comments made by the external auditors in their management letter and other reports. I have been advised on the implications of the result of my review of the effectiveness of the system of internal control by the Board, the audit committee and the quality committee, and a plan to address weaknesses and ensure continuous improvement of the system is in place.

The Head of Internal Audit provides me with an opinion on the overall arrangements for gaining assurance. The head of internal audit opinion for 1 April 2021 to 31 March 2022 is as follows:

My overall opinion for the period 1 April 2021 to 31 March 2022 is that based on the scope of reviews undertaken and the sample tests completed during the period, significant assurance with some improvement required can be given on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.

My opinion is provided primarily on the basis of work undertaken within the Internal Audit Plan for the 2021/22 financial year and is limited to the scope of work that has been agreed with the Trust’s Executive Officers and shared with the Audit Committee as detailed within the final reports. Any opinion level provided must, therefore, be considered in terms of the agreed review scope only and no inference may be assumed by the Trust or other users of my report, that this opinion extends to the adequacy of controls and processes outside the scope agreed.

The basis of my opinion is as follows:

• an assessment of the design and operation of the underpinning Assurance Framework and supporting processes,
• an assessment of the range of individual assurances arising from our core and risk-based internal audit assignments that have been reported throughout the year. This assessment has taken account of the relative materiality of these areas, and
• the extent to which you have responded to audit recommendations

My opinion for the period 1 April 2021 to 31 March 2022 is as follows:

A compliance report presented by the Audit Committee to the Board of Directors provided assurance that the Trust met the requirements of its licence conditions in 2021/22.

The Board of Directors has identified the strategic risks facing the organisation during the period and has monitored the controls in place and the assurances available to ensure that these risks are being appropriately managed.

The Audit Committee provides the Board of Directors with an independent and objective view of arrangements for internal control within the Trust and to ensure the internal audit service complies with mandatory auditing standards, including the review of all fundamental financial systems.

Information provided to the Audit Committee in reports from internal and external sources and further work carried out by the committee to gain assurance about the control environment leads to the conclusion that there have been no major control issues during the year.

Conclusion

The Trust will continue to use the assurance framework to assure the Board of Directors and others that the Trust’s key controls to manage strategic risks are being assessed and improved continuously.  Where areas of concern are identified, action plans have been put in place to close the gaps in control or assurance.

The Trust has continued to take a robust approach to targeting Internal Audit into areas identified as being of potential concern and has identified weaknesses and established new controls to manage areas of concern.  Targeted approaches have enabled stronger controls to be implemented and assurance provided through additional internal control reports to the Audit Committee. 

The Trust’s continued approach to identifying risks, implementing mitigation plans, actively seeking gaps in control through audit and in delivering audit action plans provides the Board with assurance that there is an effective system of control in place. 

Internal control issues that have been identified through targeting internal audits at areas of known risk.  Where partial or no assurance has been identified robust management action plans have been agreed and delivered in a timely way.

Annual Governance Statement 1 April 2021 to 31 March 2022 and Directors’ statement of disclosure to the auditors

Annual Governance Statement: 1 April 2021 to 31 March 2022

Signed (on behalf of the Board of Directors)

Sarah Connery

Chief Executive                                                                   16 June 2022

Directors’ statement of disclosure to the auditors

For each individual director, at the time that this report was approved:

• So far as the director is aware, there is no relevant audit information of which Lincolnshire Partnership NHS Foundation Trust’s auditor is unaware, and
• The director has taken all the steps that they ought to have taken as a director in order to make themselves aware of any relevant audit information and to establish that Lincolnshire Partnership NHS Foundation Trust’s auditor is aware of that information.

Sarah Connery                                                                              16 June 2022
Chief Executive and Accounting Officer

Important events

The Board confirms the approval of its Annual Report and Accounts at its annual public meeting. The 2021 meeting took place on 29 September 2021 and accepted the Trust’s annual report and accounts for the year ending 31 March 2021. The 2022 meeting at which this document will be approved is set to take place on 15 September 2022.  A copy of the meeting programme will be published on our website nearer the actual date of the event. To register your attendance, please contact us on the telephone number or email address detailed below. 

There were no other important events affecting the Trust, since the end of the financial year that requires any further disclosure than has been made in the Annual Governance Statement included in the report.

Additional copies of the Annual Report and Accounts

Additional copies of the Annual Report and Accounts for the period from 1 April 2021 to 31 March 2022 can be obtained by writing to the Trust at the address below. Alternatively copies of this document can be downloaded from the Trust’s website www.lpft.nhs.uk . If you would like a copy of this document in an alternative format or another language, please contact the communications team on:

Telephone  01522 309194

Email LPFT.communications@nhs.net

Additional comments

If you would like to make comments on the annual report or would like any further information, please write to: