Annual Governance Statement

The purpose of the system of internal control

The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of the policies, aims and objectives of Lincolnshire Partnership NHS Foundation Trust, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically. The system of internal control has been in place in Lincolnshire Partnership NHS Foundation Trust for the year ended 31 March 2024 and up to the date of approval of the annual report and accounts.

The Audit Committee and the Board annually reviews the effectiveness of the Trust’s governance arrangements (system of internal control). This review covers all material controls, including financial, clinical, operational, organisational development and compliance controls and risk management systems. The review is confirmed in the Board papers and minutes which are published on the Trust’s website.

Capacity to handle risk

The Board of Directors provides leadership on the overall governance agenda. On the Board’s behalf, the Audit Committee has maintained, and kept under review, a policy for the management of risk. Our Board of Directors is supported by a range of Committees that scrutinise and review assurances on internal control.

Our Executive Team focuses on all high or significant risk exposures and oversees risk treatment to ensure:

• the correct strategy is adopted for managing risk
• controls are present and effective
• action plans are robust for those risks that remain intolerant

The Chief Executive has overall responsibility for the management of risk by the Trust. All Executive Directors have responsibility to identify and manage risk within their specific areas of control, in line with the management and accountability arrangements in the Trust.

The role of each Executive Director is to ensure that appropriate arrangements are in place for the:

• Identification and assessment of risks and hazards.
• Elimination or reduction of risk to an acceptable level.
• Compliance with internal policies and procedures, and statutory and external requirements.
• Integration of functional risk management systems and development of the assurance framework.

These responsibilities are managed operationally through divisional and service managers supporting the Executive Directors and working with designated lead managers within operational divisions.

The Trust has a Board Escalation and Assurance Framework that sits alongside the Trust’s Reporting and Management of Risk Policy, both of which will be reviewed in 2024/25, to ensure that they take into consideration the comprehensive review of the organisation’s governance framework and structure, which took place during 2023/24, and is referred to later in this Statement. The framework and policy define risk and identify individual and collective responsibility for risk management within the organisation. It also sets out the Trust’s approach to the identification, assessment, scoring, treatment, and monitoring of risk.

Staff are equipped to manage risk in a variety of ways and at different levels of strategic and operational functioning. These include:

• Formal in-house training for all staff in dealing with specific everyday risk, e.g. clinical risk, fire safety, health and safety, moving and handling, infection control, information governance and security.
• Training and induction in incident investigation, including documentation, root cause analysis, steps to prevent or minimise recurrence and reporting requirements.
• Developing shared understanding of broader business, financial, environmental and clinical risks through collegiate clinical, professional and managerial groups (such as professional advisory groups, the Board Quality Committee and the subcommittee structure that sits in place to support the delivery of quality).

The risk and control framework

The foundation trust is fully compliant with the registration requirements of the Care Quality Commission.

The foundation trust has published on its website an up-to-date register of interests, including gifts and
hospitality, for decision-making staff (as defined by the rust with reference to the guidance) within the past twelve months as required by the Managing Conflicts of Interest in the NHS guidance.

As an employer with staff entitled to membership of the NHS Pension Scheme, control measures are in place to ensure all employer obligations contained within the Scheme regulations are complied with. This includes ensuring that deductions from salary, employer’s contributions and payments into the Scheme are in accordance with the Scheme rules, and that member Pension Scheme records are accurately updated in accordance with the timescales detailed in the Regulations.

Control measures are in place to ensure that all the organisation’s obligations under equality, diversity and human rights legislation are complied with. The foundation trust has undertaken risk assessments on the effects of climate change and severe weather and has developed a Green Plan following the guidance of the Greener NHS programme. The trust ensures that its obligations under the Climate Change Act and the Adaptation Reporting requirements are complied with.

The system of internal control is based on an ongoing risk management process designed to identify the principal risks to the achievement of the Trust’s objectives; to evaluate the nature and extent of those risks, and to manage them efficiently, effectively and economically.

The key elements of the risk management strategy are that:

• Risk identification and management is a key trust wide responsibility.
• All staff accept the management of risks as one of their fundamental duties.
• All staff are committed to identifying and reducing risks.

This promotes a duty of candour in which there is transparency and openness where mistakes are made. Untoward incidents are identified quickly and dealt with in a positive and responsive way and lessons learnt are communicated throughout the organisation and best practice adopted.

The Trust uses the ‘5 x 5’ matrix for risk quantification. Risks may be identified on an ongoing basis via incident reporting procedures, complaints, claims, freedom to speak up, control audits, and risk assessments. These processes are monitored to ensure that any risks are identified and acted upon in a timely manner.

Risks that are assessed as low are managed through routine procedures. Moderate risks require specific management responsibility and action. High risks require senior management attention. Extreme risks
require immediate action and necessitate informing the Board of Directors.

Assurance on how effectively the risk management system is working is monitored through inspections, such as, environmental, infection control, security, and workplace safety, and through health and safety and clinical governance activities, which include:

• Display screen equipment awareness.
• Control of Substances Hazardous to Health (CoSHH) regulations.
• Awareness raising of the management of violence and aggression.
• Clinical risk assessment.
• Moving and handling training.
• Lone working.
• Record keeping audits.
• Incident reporting and reviews.
• Infection control including for COVID-19 infection prevention and control, board assurance framework.
• Safeguarding children and adults.
• Key equality legal requirements.
• Information governance.
• Health and safety, and fire inspections.

These all form part of the Trust’s induction programme for all new members of staff, training updates and individual training as a result of needs assessments. The Trust’s performance management framework includes the effective management of risk as a key element. The organisation undertakes equality impact assessments on all functions it carries out to ensure that service delivery and employment practices comply with legal requirements.

The Trust involves key stakeholders in the management of risks; these include:

• Service users and their carers.
• Members of the Trust and the general public through consultations.
• Council of Governors and foundation trust members.
• Health and social care commissioners and providers within and outside the Lincolnshire system
• Staff and management joint consultative negotiation committee.
• Local Negotiating Committee for consultants.
• Health and Safety Committee.
• Lincolnshire Health Scrutiny Committees.
• The Lincolnshire Resilience Forum.
• Other system providers in primary care, secondary care and the third sector (voluntary, community and social enterprise).
• NHS England.
• The Care Quality Commission (CQC).

The Board of Directors determines the strategic objectives of the Trust. These are monitored by performance management through the Board’s committee structure. Strategic risks, which potentially threaten the achievement of strategic objectives, are identified and key controls are put in place to manage these risks. The Board of Directors, either directly or via its committees, is provided with reports to enable it to monitor the effectiveness of each element of the assurance framework.

The Board of Directors considers the key controls in place to identify risks and assesses whether these are adequate. Where gaps in controls have been identified, action plans are put in place to address any weaknesses.

The Board committee structures, and terms of reference, are ordinarily reviewed annually to maintain the provision of adequate assurance mechanisms and in 2020 the committee structure was revised to reflect the Trust’s strategic priorities and this structure was maintained for the majority of 2023/24. Following the establishment of integrated care systems during 2022/23, and a resultant changing landscape, the directors commenced a process to develop a new Trust Strategy and engaged with a range of stakeholders, including, but not limited to, Trust staff, the council of governors, service users and carers, and system partners. The Board of Directors approved the new Strategy in July 2023.

Additionally, and as described in more detail further on, in January 2023 the Trust commenced a Well-led self-assessment. This included a comprehensive review of the organisation’s existing governance structure, and resulted in a proposed revised structure, which was socialised and consulted on in the latter part of the year. The revised structure will be reviewed by the Audit Committee in mid-April 2024 and recommended for approval by the Board of Directors in July 2024. Revised terms of reference, to reflect the revised structure, will be reviewed by their respective committees and also presented for approval by the Board.

The Trust uses external bodies to provide assurance, where necessary, and targets the internal audit programme at specific areas where there are known areas of weakness, and no other source of assurance is available. The Board of Directors recognises that this will and does result in a number of “limited assurance” reports which then enable robust action plans to be identified and implemented to produce improvements in control and assurance.

Sections of the Assurance Framework have been assigned to the committees of the Board to ensure that there is clear oversight of all areas. Where lack of assurance, or gaps in control are identified, these are escalated to the Board of Directors. The Audit Committee considers the framework at each of its quarterly meetings, as part of its responsibility to oversee the overall governance framework, risk management and internal control, and makes recommendations to the Board.

Throughout 2023/24 the Board of Directors has reviewed and approved its assurance framework at each of its meetings to provide assurance that the risks to the strategic objectives are being managed.

Following an internal audit review of the assurance framework in 2022/23, which received a partial assurance rating, revisions to the Board assurance report were made, to ensure it reflected gaps in assurance and control. A review of the Board Assurance Framework, to ensure it aligned with the Trust’s new Strategy and the organisational risk register, was also undertaken.

A further internal audit of the assurance framework and risk management was carried out in 2023/24 which received a limited assurance rating. A management plan to respond to the identified areas of weakness is now in place, in order to ensure an effective process for identification of risk as well as the facilitation of risk management training for relevant staff. Additionally, the Trust’s risk tolerance and appetite will be reviewed during 2024/25 and the Board Assurance Framework will be further developed, in order to positively impact the effectiveness of assurance.

The directors are required to satisfy themselves that the Trust’s annual quality report is fairly stated. In doing so the Trust has established a system of internal control to ensure that proper arrangements are in place. The Director of Nursing and Quality leads and advises on all matters relating to the preparation of the Trust’s annual quality report. To ensure that the quality report presents a properly balanced view of clinical performance over the year, the Trust has an established Quality Committee that is accountable to the Board of Directors to provide scrutiny and challenge over Trust clinical performance. The Trust has a strong working relationship with the Lincolnshire Integrated Care Board, and a representative attends the Trust’s Quality Committee meetings, and also takes part in regular quality assurance visits.

The Board of Directors receive safe staffing reports that describe the safe staffing levels required and achieved in accordance with the Developing Workforce Safeguards. The reports enable the Board to receive assurance that safe and effective specialist mental health services staffing levels have been created, reviewed, and sustained.

The Director of Nursing and Quality leads a process to make the link between the decisions on staffing that the Board makes and the knowledge and expertise of the clinical teams within the divisions. The Trust applies the systematic approach set out in the Developing Workforce Safeguards for identifying the organisational, managerial, and environmental factors that support safe staffing in order to ensure improved service user outcomes.

The top risks faced by the Trust in 2023/24 and going forward into 2024/25 are set out in the table next.

The top risks faced by the Trust in 2023/24 and going forward into 2024/25

Care Quality Commission

In November and December 2018, the Care Quality Commission inspected four of the Trust’s core services and conducted a well-led review. The overall rating of the Trust remained Good, with a significant number of key lines of enquiry in each of the core services improving from Requires Improvement to Good. The provision of safe services in every core service was rated as Good. The Trust achieved an overall Outstanding rating for “well-led”. The Board of Directors approved and oversaw the completion of an action plan to address areas that were identified for further improvement.

The Care Quality Commission was very positive about the continuing strengthening of a positive culture and leadership within the Trust. The evidence of significant, consecutive improvement from the last six years’ staff surveys supported this observation.

The Care Quality Commission returned in March 2020 to carry out the inspection of one core service to be followed by a well-led review. The core inspection of inpatient rehabilitation services occurred but, due to the Covid-19 pandemic, the well-led review was cancelled. The Trust received the report on the core service visit in June 2020. An action plan was produced, and its implementation was overseen by the Quality Committee of the Board. The foundation trust is fully compliant with the registration requirements of the Care Quality Commission.

The foundation trust has published on its website an up-to-date register of interests, including gifts and hospitality, for decision-making staff (as defined by the trust with reference to the guidance) within the past twelve months as required by the ‘Managing Conflicts of Interest in the NHS’ guidance.

As an employer with staff entitled to membership of the NHS Pension Scheme, control measures are in place to ensure all employer obligations contained within the Scheme regulations are complied with. This includes ensuring that deductions from salary, employer’s contributions and payments into the 80 Scheme are in accordance with the Scheme rules, and that member Pension Scheme records are accurately updated in accordance with the timescales detailed in the Regulations.

Control measures are in place to ensure that all the organisation’s obligations under equality, diversity and human rights legislation are complied with.

The foundation trust has undertaken risk assessments on the effects of climate change and severe weather and has developed a Green Plan following the guidance of the Greener NHS Programme. The Trust ensures that its obligations are met in line with the Climate Change Act, the NHS net zero targets under the Health & Care Act 2022, and its standard NHS contract. Additionally, the organisation ensures compliance with NHS England’s Adaptation reporting requirements.

Review of economy, efficiency and effectiveness of the use of resources

The Trust uses a range of key performance indicators (KPIs), which include non-financial measures, to manage its day-to-day business. This approach helps to provide a comprehensive and balanced view of performance. (More information about KPIs can be found in our Quality Report which will be separately published on the Trust’s website).

The Trust has in place a forward planning process that ensures the appropriate planning of services with commissioners and other key stakeholders prior to submission of effective and agreed forward plans to NHS England.

A robust Cost Improvement Programme and Quality Impact Assessment process involving commissioners and service user representation is in place. During the year the Board of Directors has received regular integrated performance reports providing information on the economy, efficiency and effectiveness of the use of resources.

Internal Audit has reviewed the systems and processes in place during the year and published reports detailing the required actions within specific areas to ensure economy, efficiency, and effectiveness of the use of resources is maintained. The internal audit reports provide an assessment of assurance in these areas.

The Head of Internal Audit Opinion is included next.

Information governance

The Trust commissions its Internal Audit Service Provider, TIAA, to undertake annual audits of the evidence collated for its yearly online submission of evidence for the Data Security and Protection Toolkit (DSPT).

The DSPT is an online tool that enables organisations to measure their performance against data security and information governance requirements which reflect legal rules and Department of Health and Social Care policy.

The toolkit provides a framework for assuring that organisations that have access to NHS patient information are implementing the 10 Data Security Standards clustered under three leadership obligations to meet their statutory obligations on data protection and data security.

• Leadership Obligation 1: People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
• Leadership Obligation 2: Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses, and
• Leadership Obligation 3: Technology: Ensure technology is secure and up-to-date.

These 10 Data Security Standards also incorporate evidence of compliance with General Data Protection Regulation (GDPR) and Data Protection Act 2018 requirements.

The Trust is undergoing a two-part review with the auditors in advance of the final submission in June 2024. The Part 1 review is advisory, with the Part 2 review resulting in a full report showing DSS risk scores. Following the Part 1 review in March 2024 there are 6 elements identified which require additional evidence submitting and these will be further reviewed in May 2024 when the auditors complete the part 2 review which will contain the auditor’s overall compliance risk levels. All six items are categorised by the auditor as low risk, but evidence is already being compiled for full assurance before the Part 2 review.

In 2020, in recognition of the effect the Covid-19 pandemic was having on services, NHS Digital delayed the final submission of evidence for the annual Data Security and Protection Toolkit, and this has remained the situation with submission now set, and likely to remain at 30 June annually.

All NHS Foundation Trusts must report any serious incidents of data security and data protection breaches on the DSPT and also in their respective annual reports. These incidents are classified in guidance provided by NHS Digital on Data Security and Protection Incidents. Incidents of the Security of Network & Information Systems Regulations 2018 (NIS Regulations) breaches must also be reported on the DSPT. There have been four serious information governance breaches which have required reporting through the online data security protection toolkit during the last 12 months.

Data quality and governance

The Director of Finance, Digital and Estates has overall responsibility for Information Governance (IG), Data Security, and Data Protection compliance in his capacity as Senior Information Risk Owner (SIRO). The Medical Director is the Caldicott Guardian, the senior member of Trust staff responsible for protecting the confidentiality of patient information and enabling appropriate and lawful patient information sharing.

The Board has been assured by the SIRO, in the biannual SIRO reports, that effective arrangements are in place to manage and control risks to information and data security. The Trust continuously reviews its systems and procedures for the confidentiality, integrity and security of personal and confidential data. As a result of investigations into incidents, and reviews of Information Governance, Cyber Security, Data Security and Records Incidents by Digital and Data Services Group and Business Intelligence Group, measures are taken to ensure the procedures and policies on Information Governance and Data Security are updated to enable compliance.

The Trust has systems and processes in place to govern access to confidential data and to ensure guidance and standards are followed when staff are using or accessing confidential data. Any new system or process is required to meet these standards as does any hardware (eg, computers and technology devices or software). All system developments whether new or existing need to follow a process and have a data protection impact assessment undertaken and be signed off by the Data Protection Officer and SIRO to ensure they meet the required criteria, and that hardware and software are compatible.

The Trust monitors its IG and data security risks through the Digital and Data Group. Incidents and risks are managed in accordance with Trust policy and serious IG, records and data security risks are escalated through either the Digital and Data Committee or more urgent ones through the Executive Team, Board of Directors, and on to NHS England, The Department of Health and Social Care, the National Cyber Security Centre and the CQC, plus the Information Commissioner’s Office (ICO) as required.

The Trust monitors its data quality risks and issues though the Business Intelligence Group and risks are escalated through to the Digital and Data Committee.

The Trust uses a data quality kite mark to measure assurance on data accuracy, completeness and timeliness on the national mental health operational planning targets that are reported in our Integrated Performance Report to the Board.

Operational managers regularly review waiting lists and have identified appropriate contact points in their standard operating processes whilst someone remains on a waiting list that is suitable for the service and type of intervention the person is waiting for. This applies to service users waiting for assessment and for treatment. Any quality or accuracy issues identified with this data are raised through the Business Intelligence Group.

Well-led framework

The Trust commenced an internal evaluation of its Board and organisational governance using the Well-led framework in January 2023, and an external review will commence during 2024/25.

The self-assessment process resulted in a comprehensive action plan, which focussed on a number of key priority areas, including the Trust Strategy, the governance framework, the Board Assurance Framework, and performance reporting. Significant progress has been made to address the areas of improvement identified, particularly in relation to the Trust’s Strategy, which, as referred to earlier, was approved by the Board of Directors in July 2023.

A comprehensive review of the Trust’s existing governance structure identified a gap in relation to performance reporting and, in March 2023, the Board of Directors approved the establishment of a new Board level Performance Committee. This will provide a structured forum for receiving, scrutinising, and triangulating the main sources of evidence across the Trust, to enable the Board to assess its level of confidence in the assurances provided regarding the Trust’s values and culture, the organisation’s financial and operational performance, the quality of services across the organisation (including clinical effectiveness, patient experience and safety), and the appropriate identification, assessment and management of risks.

Review of effectiveness

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the work of the internal auditors, clinical audit and the executive managers and clinical leads within the NHS foundation trust who have responsibility for the development and maintenance of the internal control framework. I have drawn on performance information available to me. My review is also informed by comments made by the external auditors in their management letter and other reports. I have been advised on the implications of the result of my review of the effectiveness of the system of internal control by the Board, the Audit Committee and the Quality Committee, and a plan to address weaknesses and ensure continuous improvement of the system is in place.

The Head of Internal Audit provides me with an opinion on the overall arrangements for gaining assurance. The head of internal audit opinion for 1 April 2023 to 31 March 2024 is as follows.

Head of Internal Audit Opinion

The purpose of my annual HoIA Opinion is to contribute to the assurances available to the Accountable Officer and the Board which underpin the Board’s own assessment of the effectiveness of the organisation’s system of internal control. This opinion will in turn assist the Board in the completion of its Annual Governance Statement (AGS).

My opinion is set out as follows:
1. Overall opinion;
2. Basis for the opinion;
3. Matters that have had an impact on the opinion; and
4. Commentary.

1. My overall opinion is that ‘Reasonable’ assurance can be given that there is a generally sound system of internal control, designed to meet the organisation’s objectives, and that controls are generally being applied consistently. However, some weakness in the design and/or inconsistent application of controls, put the achievement of particular objectives at risk.

2. The basis for forming my opinion is as follows:

i. An assessment of the design and operation of the underpinning Assurance Framework and supporting processes; and

ii. An assessment of the range of individual opinions arising from risk-based audit assignments, contained within internal audit risk-based plans that have been reported throughout the year. This assessment has taken account of the relative materiality of these areas and management’s progress in respect of addressing control weaknesses.

Additional areas of work that may support the opinion will be determined locally but are not required for NHS England / Department of Health purposes e.g. any reliance that is being placed upon Third Party Assurances.

3. There are no matters to bring to your attention which have had an impact on the Head of Internal Audit Opinion

The Head of Internal Audit opinion reflects the improvements which are required to be made by the organisation in both embedding risk management and implementing and sustaining a robust Board Assurance Framework assurance process through the Executive Team meeting, which, in my capacity as Chief Executive, I chair.

All the reports have been presented to the Audit Committee, and those reports which have received limited assurance have been highlighted to the Board. The Board is committed to improving the Trust’s internal audit process, which includes monitoring of actions and greater oversight of implementation of actions by the relevant Committees.

Management action plans from 2022/23 audits were completed during 2023/24, and management action plans for 2023/24 are progressing within the agreed timeframes, however, there are a small number of internal audit actions which have not been fully implemented and these are being reviewed by the Executive Team.

A quarterly compliance report presented by the Audit Committee to the Board of Directors provided assurance that the Trust met the requirements of its licence conditions in 2023/24.

The Board of Directors has identified the strategic risks facing the organisation during the period and has monitored the controls in place and the assurances available to ensure that these risks are being appropriately managed.

The Audit Committee provides the Board of Directors with an independent and objective view of arrangements for internal control within the Trust and to ensure the internal audit service complies with mandatory auditing standards, including the review of all fundamental financial systems.

Information provided to the Audit Committee in reports from internal and external sources, and further work carried out by the Committee to gain assurance about the control environment, leads to the conclusion that there have been no major control issues during the year.

Conclusion

The Trust will continue to use the assurance framework to assure the Board of Directors and others that the Trust’s key controls to manage strategic risks are being assessed and improved continuously. Where areas of concern are identified, action plans have been put in place to close the gaps in control or assurance.
The Trust has continued to take a robust approach to targeting Internal Audit into areas identified as being of potential concern and has identified weaknesses and established new controls to manage areas of concern. Targeted approaches enable stronger controls to be implemented and assurance provided through additional internal control reports to the Audit Committee.

The Trust’s continued approach to identifying risks, implementing mitigation plans, actively seeking gaps in control through audit and in delivering audit action plans provides the Board with assurance that there is an effective system of control in place.

No significant internal control issues have been identified throughout the year.

Sarah Connery, Chief Executive

20 June 2024