Accountability report

Last updated on 12 Jul 2019

Corporate governance report: Director's report

Governance

The HRA was established in December 2011 by Statutory Instrument signed by the authority of the Secretary of State for Health.

Our relationship with the Department of Health and Social Care (DHSC) acting on behalf of the Secretary of State is regulated by a Framework Agreement that sets out the respective roles and responsibilities of each party, the shared principles that underpin the relationship and the arrangements for ensuring that the DHSC is able to discharge its responsibilities as sponsor and in relation to accountability. It also explains the HRA’s governance arrangements as well as clarifying the lines of accountability for its performance.

As an arm's-length body (ALB), we work in close partnership with the DHSC to deliver its objectives. While the HRA is responsible for its operational decisions and the way in which it discharges its functions, the Framework Agreement helps to describe how the DHSC will assure itself of our performance without being involved in its day-to-day decision making.

The DHSC’s Science, Research and Evidence Directorate acts as Sponsors for the HRA and provide assurance to the Department’s Permanent Secretary and the Secretary of State that it is meeting its obligations.

The HRA is governed by a Board that is its corporate decision-making body. It is composed of five non-executive directors (including the Chair, Professor Sir Jonathan Montgomery) and three executive directors (including the Chief Executive, Teresa Allen). Two further directors attend the Board. We are committed to openness and transparency with Board meetings held in public and papers and minutes available on our website

Declaration of interests

The HRA maintains a formal register of Board members’ interests as set out in the Code of Accountability for the NHS. Board members are asked to confirm any declarations of interest at each Board meeting and at any time that changes take place. This includes any interests in relation to specific items on a Board agenda. Board members are also asked to declare any spouse / partner interests. The register, showing current declarations made by the Board, is updated on a regular basis and made available to the public on our list and registers page.

Remuneration to auditors

The accounts have been prepared according to accounts direction of the Secretary of State, with approval of HM Treasury. The accounts have been audited by the Comptroller and Auditor General under the Care Act 2014 at the cost of £35,000. The audit certificate can be found in the Parliamentary accountability and audit report section.


Statement of accounting officer's responsibilities 

Under the Care Act 2014, Section 109 (Schedule 7, paragraph 20) the Secretary of State has directed the HRA to prepare a financial statement of accounts for each year in the form and on the basis set out in the Accounts Direction. 

The accounts are prepared on an accruals basis and must give a true and fair view of the state of affairs of the HRA and of its income and expenditure, statement of financial position and cash flows for the financial year. 

In preparing the accounts, the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual issued by HM Treasury and in particular to: 

  • observe the Accounts Direction issued by the Secretary of State, with the approval of HM Treasury, including the relevant accounting and disclosure requirements and apply sensible accounting policies on a consistent basis
  • make judgements and estimates on a reasonable basis
  • state whether applicable accounting standards as set out in the Government Financial Reporting Manual have been followed and disclose and explain any material departures in the accounts
  • prepare the accounts on a going concern basis
  • confirm that the annual report and accounts as a whole is fair, balanced and understandable
  • confirm that the Accounting Officer takes personal responsibility for the annual report and accounts and the judgments required for determining that it is fair, balanced and understandable.

The Accounting Officer of the DHSC has designated the Chief Executive, Teresa Allen as Accounting Officer of the HRA. The responsibilities of an Accounting Officer, including responsibility for the propriety and regularity of the public finances, for keeping proper records and for safeguarding the HRA's assets, are set out in Managing Public Money published by the HM Treasury. Accounting Officer responsibilities have been undertaken by the Chief Executive for the full reporting period.

As far as the Chief Executive is aware, there is no relevant audit information of which the entity’s auditors are unaware and the Chief Executive has taken all the steps that they ought to have taken to make them aware of any relevant audit information and to establish that the entity’s auditors are aware of that information.


Governance statement

This Governance Statement sets out the framework utilised by the HRA to regulate its activities and to ensure delivery of its functions and objectives. In addition to setting out the governance structure, it outlines;

  • the way in which performance is managed and reviewed 
  • the risk management processes 
  • the process for setting Directors Remuneration. 

The HRA complies with the requirements of HM Treasury Corporate Governance in Central Government Departments: Code of Good Practice (2017) insofar as they relate to public bodies.

The Accounting Officer has responsibility for maintaining a sound system of internal control that supports the achievement of the HRA's policies, aims and objectives, whilst safeguarding public funds and its assets for which the Accounting Officer is personally responsible, in accordance with the responsibilities assigned in HM Treasury: Managing Public Money.

For the year ended 31 March 2019 Teresa Allen was the Accounting Officer. The Accounting Officer is accountable for the discharge of functions to the Authority’s Board and ensuring appropriate arrangements are in place for the appropriate discharge of all statutory functions attached to the HRA. 

The Accounting Officer is also accountable to the Secretary of State at the DHSC. This line of accountability is managed through a Framework Agreement between the DHSC and the HRA, an Annual Accountability Review with the Minister through quarterly reviews with officials at the DHSC and close working on a day-to-day basis between HRA staff and those in the DHSC Sponsor Branch.

Governance Structure 

The Board membership attendance over the period was as follows:

Key areas of business considered by the Board, in addition to standing items over the reporting period such as performance reporting (including financial analysis) and risk management, include:

  • the governance and regular monitoring of the Transformation Programme (including the Service Improvement Programme and the Research IT Systems Programme to deliver the new Integrated Research Application System (IRAS)) 
  • arrangements to put in place simple, streamlined and standardised operational processes for the research community to support compliance with the General Data Protection Regulations and maximise consistency for sponsors and sites
  • consideration of the HRA’s own corporate preparedness for the General Data Protection Regulations 
  • review of the HRA’s continued work on improving research transparency to protect and promote patients’ and the public interest in research and consideration of recommendations from the House of Commons Science and Technology Committee – Research Integrity: Clinical Trials Transparency
  • social care research and the HRA’s role in its governance and approval
  • consideration of findings from deep dives undertaken by the HRA Audit and Risk Committee, in particular, research IT system procurement process and EU Exit preparedness.

The Board is committed to improving its performance and effectiveness with seminars often held prior to the main Board meeting. Topics covered in these seminars include:

  • 2018/19 performance metrics
  • proportionate governance of evaluation of quality improvement projects
  • Board effectiveness
  • stakeholder engagement to support strategic delivery
  • development of HRA’s Strategic Risk Register
  • House of Commons Science and Technology Committee – Research Integrity: Clinical Trials Transparency findings and the HRA’s Transparency Strategy

• Government Communication Headquarters (GCHQ) Certified Cyber Security Board Briefing.

The Board reviews a key performance indicator report on a quarterly basis. The report provides the Board with an overview of the status of the HRA Business Plan 2018/19 deliverables as well as detailed management information relating to these objectives.

In addition to the strategic risk register, corporate level risks and their mitigation and management are considered via the HRA corporate risk register on a quarterly basis by the Board. The Board has the opportunity to consider potential future risks and ensure these are captured on the register with the mitigations detailed appropriately and the strategic and reputational impacts discussed fully.

Declaration of interests are declared and formally recorded and all Board members’ expenses are published.

The Board has two sub committees; the Audit and Risk Committee and the Pay and Remuneration Committee.

Audit and Risk Committee

The HRA Audit and Risk Committee has continued to deliver its role to advise the HRA’s Accounting Officer and the HRA Board on risk management, corporate governance and assurance arrangements in the HRA.

The HRA Audit and Risk Committee has met five times in the year to 31 March 2019. The committee membership attendance over the period was: 

  • Graham Clarke (Chair, NED) (5/5), 
  • Professor Deirdre Kelly (NED) (3/4), 
  • Professor Nalin Thakker (NED) (3/4), 
  • Marc Taylor (Audit and Risk Committee member) (4/5)
  • Richard Cooper (1/1)
  • Professor Andrew George (1/1)

In addition, individuals from the HRA, Health Group Internal Audit and the National Audit Office were invited and regularly attended the committee.

One inquorate meeting was held (1 August 2018) however any recommendations made at the meeting were ratified, out of session via correspondence, by a quorate Audit & Risk Committee.

This year, the Audit and Risk Committee reviewed and approved the annual report and accounts, as well as the committee’s terms of reference, audit manual and audit timetable. The committee regularly reviews the HRA corporate risk register, internal and external audit reports, corporate gift and hospitality reports, single tender actions and loss and compensation reports. 

New developments this year that the committee reviewed and supported include:

  • the review of the findings from an emergency incident exercise testing the HRA’s response to a ransomware scenario
  • the HRA’s preparedness for EU Exit
  • the development of the HRA’s strategic risk register
  • the development of the HRA’s new research IT system.

The committee reviewed its effectiveness in September 2018 with findings largely positive and an improvement from the previous year. Improvements in the way the committee meetings are held alongside a greater focus regarding risk at meetings was noted.

Pay and Remuneration Committee

The membership of the Pay and Remuneration Committee is made up of the Chair and non-executive directors. The business conducted by the Pay and Remuneration Committee over the period includes:

i. Advising the Board about appropriate remuneration and terms of service for the Chief Executive and any Directors on Very Senior Managers Terms and Conditions of Service to ensure they are fairly rewarded for their individual contribution to the Authority, having proper regard to the Authority’s circumstances and performance and to the provisions of any national arrangements for such staff including:

a. all aspects of salary (including any performance-related elements/bonuses);

b. provisions for other benefits, including pensions and cars; 

c. arrangements for termination of employment and other contractual terms.

ii. Having oversight in relation to remuneration and terms of service for those directors and other staff who are covered under Agenda for Change terms and conditions who are direct line reports of the Chief Executive.

iii. Proper calculation and scrutiny of termination payments taking account of such national guidance as is appropriate, advise on and oversee appropriate contractual arrangements for such staff.

iv. Consideration of the requirements including interview panel for the substantive recruitment to the HRA’s Chief Executive post.

The committee met five times in the reporting period in order to deliver its functions for the HRA. The Chief Executive is normally invited to attend the committee unless discussions relate to the remuneration and terms of services of the Chief Executive. 

HRA Senior Leadership Team

The Senior Leadership Team (SLT) is the senior executive decision-making body of the HRA responsible for managing HRA business within agreed objectives, resources and according to the HRA / DHSC framework agreement and standing orders. The SLT is accountable to the Chief Executive. 

The SLT is responsible for ensuring an effective bridge from executive to Board business and the formulation of HRA strategy.

The SLT has delegated responsibility to the Leadership Team (LT) for the management of day to day, routine corporate business within agreed objectives, resources and according to the HRA / DHSC framework agreement and standing orders.

Effectiveness

The system of performance monitoring in place throughout the year is designed to ensure appropriate delegation and segregation of duties. The following sections describe the operation.

The risk and control framework and capacity to handle risk

The HRA Board has overall responsibility for risk management throughout the HRA. Its responsibilities include:

  • agreeing the risk management policy
  • assigning a responsible senior manager for risk management
  • ensuring risk management processes are effective and embedded throughout the work of the HRA
  • reviewing significant programme, strategic and operational / project risks
  • reviewing critical risk management activities / controls and their verification.

Current responsibilities are as follows:

  • ensuring appropriate risk management systems are in place: Chief Executive, Director of Finance, Procurement & Estates, Head of Corporate Governance and Risk
  • scheduling and facilitating Internal Audit activities: Director of Finance, Procurement & Estates
  • regularly reviewing and following-up risk management activities with all parties. This will include ensuring the verification / assurance of risk management activities and key controls/contingencies: Head of Corporate Governance and Risk
  • writing the Governance Statement: Chief Executive, Director of Finance and Head of Corporate Governance & Risk
  • ensuring the appropriate risk structure is in place including the Audit and Risk Committee: Head of Corporate Governance and Risk
  • monitoring risk performance.  As part of the routine progress reports the Audit and Risk Committee receives information on the risk performance in terms of the current risk profile, risk management activity performance, and implementation and verification of risk management controls and contingencies: Head of Corporate Governance and Risk.

The HRA aims to maximise the impact of its operations within the resources available to it. In so doing it aims to manage risks at all levels in the organisation from the top strategic level to the bottom operational / project levels without dampening innovation, including the projects delivered by partner organisations. This requires consideration of a full cross section of risks to the organisation including; reputational risks, financial risks, organisational risks, health and safety risks and risks to the achievement of the organisation’s objectives. 

Each directorate holds its own risk register and reviews it on a regular basis. Any significant risks are subsequently escalated to the Leadership Team for discussion and further escalation to the Board, Audit and Risk Committee and DHSC sponsor team as required.

In addressing issues relating to risk, the HRA seeks to be as transparent and open as possible and, through this approach, aims to identify and address those areas where there is a need for improvement in the risk management processes and / or controls and contingencies.

The Audit and Risk Committee reviews and ensures that systems are in place to ensure effective risk management. The Internal Audit function forms part of the review process and provides assurance on the risk management process and advises the Audit and Risk Committee accordingly. 

The Audit and Risk Committee also undertakes regular risk ‘deep dives’ into specific areas to better understand the issues. NEDs who are not formal members of the committee are invited to attend for this part of the meeting. The Audit and Risk Committee undertook the following ‘deep dives’ during this reporting period:

  • the HRA’s preparedness for EU Exit and the introduction of the EU Clinical Trials Regulation
  • the HRA’s internal preparedness for GDPR and the HRA’s role in developing GDPR guidance for the wider research community
  • an evaluation of the HRA’s new research IT system procurement exercise 
  • a consideration of the workload pressures affecting staff and an assessment of progress from the 2017 staff survey action plan
  • the HRA’s strategic risk register.

Quality Assurance

The HRA has given careful consideration to the requirements and coverage of the best practice guide ‘The Aqua Book’ produced by the working group set up following the Macpherson recommendations, as well as direct discussions with the modelling oversight committee within DHSC. With the endorsement of that committee we have confirmed that the HRA does not operate any business-critical models. We have sought separate views on our broader quality assurance processes and to the extent they are able to comment, the modelling oversight committee has observed that the processes appear thorough and well developed. We are therefore fully compliant with the Macpherson recommendations.

Information Governance

The HRA has an established Information Governance structure:

  • the Board has designated the Director of Finance, Procurement and Estates as Senior Responsible Information Officer (SIRO) with responsibility for the system of safeguarding and protecting personally identifiable, confidential and sensitive data
  • the Information Governance Lead is also the Director of Finance, Procurement and Estates
  • Ian Cook, Director of Transformation and Corporate Services is the Caldicott Guardian 
  • NHS Business Services Authority provides Data Protection Officer services for the HRA (Chris Gooday 1 June 2018 – 31 March 2019; Chris Dunn from 1 April 2019)
  • directors and managers are Information Asset Owners (IAOs) as appropriate.

The Information Governance Steering Group (IGSG) is a formal sub-committee of the Leadership Team. Its purpose is to coordinate, supervise and direct the work of others, as appropriate, to ensure the HRA maintains a coordinated approach to Information Governance. It meets four times annually and implements organisational and managerial structures that support appropriate consideration of Information Governance issues to sustain continual improvement.

Data security risks are managed and monitored within the overall risk management framework, the HMG Security Policy Framework, overseen by the Information Governance Lead and IGSG to ensure security threats are followed up and appropriately managed. The HRA is also committed to the 10 Steps to Cyber Security and, where appropriate, the National Data Guardian’s Data Security Standards. 

The key risks the IGSG has addressed this year include:

  • corporate non-compliance of data protection legislation
  • EU Exit preparedness, particularly uncertainty about the type of EU Exit and the impact on data flows between countries 
  • staff inadvertently accessing confidential information which they are not authorised to view
  • under-reporting of information governance security incidents
  • HRA staff may not be properly trained in information governance.  

The IGSG is content that these risks are being appropriately managed and mitigated to an acceptable level.

All information assets and associated systems are identified and included in an information asset register and are subject to annual information asset assessments. These assessments inform the corporate and information risk registers and help ensure the HRA conforms to Data Protection legislation. The HRA has also completed the Data Security and Protection Toolkit this year for the first time and has met all mandatory requirements. 

The system of internal control

teresa-allen-small-cropped

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control, which has been in place in the HRA for the period 1 April 2018 to 31 March 2019 and up to the date of approval of the annual report and accounts, and accords with Treasury guidance.

The Senior Leadership Team, led by myself, reviews and monitors progress with other management groups providing input as required. These include a recruitment control panel and management groups specifically for the information systems we provide and major programmes (HRA Approval, Transformation Board, Service Improvement Programme) or steering groups for significant projects.

Senior managers within the organisation who have responsibility for the development and maintenance of the system of internal control provide me with assurance. The assurance framework itself provides me with evidence that the effectiveness of controls that manage the risks to the organisation achieving its principal objectives have been reviewed and this aspect of the Authority’s activities has been subject to external review.

A Business Plan for 2019/20 has been developed and approved by the Board which sets out a clear purpose and business objectives for the HRA. Our controls assurance and risk management processes are closely aligned to the twin objectives of maintaining on-going activities and managing significant transformation issues.

Reports are provided to the Board on a quarterly basis on achievements and progress against the objectives and plans, and this report includes risks and controls in place to mitigate them.

The effectiveness of the system of internal control has been, and continues to be, subject to review by our internal auditors who, in liaison with HRA management, plan and carry out a programme of work that has been approved by the Audit and Risk Committee which external audit attends, to review the design and operation of the systems of internal control.

Where weaknesses are identified, these are reported to the Audit and Risk Committee and an action plan agreed with management to implement the recommendations agreed as part of this process.

The Head of Internal Audit provides me with an opinion, in accordance with Public Sector Internal Audit Standards, on the overall adequacy and effectiveness of the HRA’s risk management, control and governance processes.

Teresa Allen, HRA Chief Executive, 18 June 2019

"My overall opinion is that I can give moderate assurance to the Accounting Officer that the HRA has had adequate and effective systems of control, governance and risk management in place for the reporting year 2018/19."

Head of Internal Audit Opinion 2018/19

Compliance with NHS Pension Scheme Regulations

As an employer with staff entitled to membership of the NHS Pension Scheme, control measures are in place to ensure all employer obligations contained within the Scheme regulations are complied with. This includes ensuring that deductions from salary, employer contributions and payments into the Scheme are in accordance with the scheme rules and that member pension scheme records are accurately updated in accordance with the timescales detailed in regulations.

Summary

The HRA has delivered a substantial programme of work this year to enable achievement of our strategy and a step change in the approval and management of health and social care research. 

Collaboration with others is at the heart of all we do to ultimately make the UK a great place to do research while building confidence and participation in health and social care research and so improve the nation’s health. Core services have been maintained with key performance indicators achieved. The HRA has demonstrated the effective delivery of governance requirements with all key corporate governance functions being managed effectively, robustly and efficiently.

Back to annual report and accounts 2018/19